Ferah

PDPL

Document Name: FERAH KONFEKSIYON SAN.VE TUR TIC.A.S. Policy on Protection and Processing of Personal Data
Effective Date: 15/06/2020

1. Policy on Protection and Processing of Personal Data

1.1. Introduction

We, FERAH KONFEKSIYON SAN.VE TUR. TIC.A.S. (the “Company”), attach the utmost importance to processing and protecting personal data lawfully in accordance with the Law no. 6698 on the Protection of Personal Data (the “Law”), and act with care in all our planning and activities. With this awareness, we present this Policy on Processing and Protection of Personal Data (“Policy”) for your information in order to fulfill the obligation to inform within the scope of Article 10 of the Law and to inform you of all administrative and technical measures we have taken within the scope of processing and protection of personal data.

1.2. Purpose of the Policy

The main purpose of this Policy is to make explanations about the systems for the processing and protection of personal data in accordance with law and the purpose of the Law, and within this context, to inform the persons, especially the Stakeholders and Officials of the Company, our Business Partners, Suppliers, Employees of the Suppliers, Legal Persons from which we Procure Services, our Employee Candidates, our Visitors, Customers of the Company, Potential Customers, and Third Parties, whose personal data is processed by our Company. Thus, it is aimed to ensure full compliance with the legislation for the processing and protection of personal data performed by our Company and to protect all rights of the owners of personal data arising from the legislation on personal data.

1.3. Scope of the Policy and Personal Data Owners

This Policy has been prepared for, and shall be applied to, the persons whose personal data is processed by our Company by automated means, or by non-automatic means provided that it is part of any data recording system, especially the Stakeholders and Officials of the Company, our Business Partners, Suppliers, Employees of the Suppliers, Legal Persons from which we Procure Services, our Employee Candidates, our Visitors, Customers of the Company, Potential Customers, and Third Parties. As already required by the Law, this Policy shall in no way be applied to legal entities and legal entity data.

Our Company informs such Personal Data Owners about the Law by publishing this Policy on its website. “Policy on Processing of Personal Data for Employees” shall be applied for the employees of our Company. This Policy shall not apply in case the data is not included as “Personal Data” within the scope specified below or if the Personal Data processing activity carried out by our Company is not performed by the means mentioned above.

Stakeholder of the Company: They are the real person Stakeholders of the Company.
Real Person Business Partner of the Company: They are the real persons with whom the Company has any business relationship.
Stakeholder, Official and Employee of Business Partners of the Company: They are all the natural persons, including employees, stakeholders and officials of real and legal persons (such as business partners, suppliers) with whom the Company has any business relationship.
Employee Candidate: They are the real persons who have made job application to the Company in any way or who have allowed the Company to review their resumes and related information.
Employee: They are the real persons who have an employment contract with the Company within the scope of the Labor Law.
Customers of the Company: They are the real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
Potential Customer: They are the real persons who have requested or had an interest in using the products and services of the Company or who have been assessed that they could have this interest in accordance with the commercial customs and good faith rules.
Visitor: They are all the real persons who access the physical premises of the Company or visit the websites for various purposes.
Third Party: They are other real persons who do not fall within the scope of the Policy on the Protection and Processing of Personal Data prepared for Company Employees and into any personal data owner category in this Policy.
Supplier’s Authorized Person: They are the authorized persons of the main employer or sub-employer we work with.
Supplier’s Employees: Refers to the employees of the main employer or sub-employer we work with who have employment contracts.

1.4. Definitions

The concepts included in this Policy shall have the following meanings:

Our Company: FERAH KONFEKSİYON SAN VE TUR TİC AŞ.
Personal Data: Any information related to the person whose identity is identified or identifiable.
Private Personal Data: Data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are private data.
Processing of Personal Data: All kinds of operations performed on data such as obtaining, recording, storing, maintaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the using of Personal Data through fully or partially automated or non-automatic means provided that it is part of any data recording system.
Personal Data Owner/Relevant Person: Refers to the Stakeholders and Employees of the Company, Business Partners of the Company, Company Officials, Employee Candidates, Visitors, Customers of the Company, Potential Customers, Third Parties and persons whose personal data are processed by the Company.
Data Recording System: Refers to the recording system where personal data are structured and processed based on certain criteria.
Data Officer: Real or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.
Data Operator: A real or legal person who processes personal data on behalf of the data officer basing on the authority given by him/her.
Explicit Consent: Consent with regard to a specific subject, based on information and expressed in free will.
Anonymization: Making data, which was previously associated with a person, in no way to be associated with an identified or identifiable natural person, even by matching with other data.
Law: Refers to the Law No. 6698 on the Protection of Personal Data.
KVK Board: Personal Data Protection Board.

1.5. Enforcement of the Policy

This Policy, which entered into force on the date of publication by the Company, shall be published on the Company website (www.ferah.com) and made available to the relevant persons upon the request of Personal Data Owners.

2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles on Processing Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts in accordance with the following principles while processing Personal Data:

  • Personal Data is processed pursuant to the relevant legal rules and the requirements of good faith.
  • It is ensured that Personal Data is accurate and up to date. In this context, issues such as determining the sources from which the data is obtained, verifying its accuracy and evaluating whether it needs to be updated are carefully taken into account.
  • Personal Data is processed for specific, explicit and legal purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is associated with and necessary for the business it does or services it provides.
  • Personal Data is associated with the purpose in order to achieve the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data to only what is necessary for the achievement of the purpose. Personal Data processed within this scope is related, limited and consistent to the purpose for which they are processed.
  • If there is a stipulated period for the storage of data in the relevant legislation, it complies with these periods; otherwise, it stores Personal Data only for the period required for the purpose for which it was processed. In case there is no valid reason for further storage of Personal Data, such data is deleted, destroyed or anonymized.

2.2. Requirements for Processing Personal Data

The Company shall not process Personal Data without the explicit consent of the data owner. Personal Data can be processed “without seeking for the explicit consent of the data owner” in the event of the presence of one of the following conditions.

  • The Company may process Personal Data of Personal Data Owners, even without explicit consent, in cases clearly stipulated by the laws. For example, explicit consent is not required to fulfill the requirements of the legislation.
  • Personal Data may be processed without explicit consent in order to protect the life or body integrity of the persons, who are unable to disclose their consent due to actual impossibility or whose consent cannot be validated, or of another person. For example, in case where the consent of the person is not valid as s/he was unconscious or mentally ill, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect the integrity of his/her life or body. In this context, data such as blood type, previous diseases and surgeries, medications used can be processed through the relevant health system.
  • Personal Data of the parties to the contract may be processed, provided that it is directly related to the conclusion or performance of a contract by the Company. For example, information such as account number and IBAN information of the creditor party can be obtained in order to make a payment in accordance with a contract made.
  • The Company may process Personal Data of Personal Data Owners, if it is obliged to fulfill its legal obligations as a data officer.
  • Personal Data, which is made public, in other words, disclosed to the public in any way by the Personal Data Owners, can be processed by the Company as the legal benefit that needs to be protected is removed.
  • The Company may process Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is necessary for the exercise or protection of a legal right.
  • The Company may process Personal Data of Personal Data Owners in cases where processing of Personal Data is mandatory for the provision of legitimate interests provided that the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy are not harmed. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to protect the balance of interests of Personal Data Owners.

2.3. Requirements for Processing Private Personal Data

The Company shall not process Private Personal Data without the explicit consent of the concerned. However, Personal Data other than health and sexual life may be processed without the explicit consent of the relevant person in cases stipulated by the law. Personal Data on health and sexual life shall only be processed by the Company for the purpose of protecting public health, conducting preventive medicine, medical diagnosis and treatment and care services, health services, and planning and management of their financing, without seeking the explicit consent of the relevant person under conditions where we are under the obligation to keep confidential. The Company carries out the necessary actions to take adequate measures determined by the Board for the processing of Private Personal Data.

2.4. Requirements for Transferring Personal Data

Our Company may transfer Personal Data of Personal Data Owners and Private Personal Data to third parties in accordance with the Law by establishing the necessary privacy conditions and taking security measures in line with the purposes of processing Personal Data. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, our Company may transfer Personal Data to third parties, based on one or more of the following Personal Data processing conditions specified in Article 5 of the Law and in a limited manner, in line with legitimate and lawful Personal Data processing purposes:

  • If there is explicit consent of the Personal Data owner;
  • If there is a clear regulation in the laws that Personal Data will be transferred,
  • If it is mandatory for the protection of the life or body integrity of the Personal Data owner or anyone else, and the Personal Data owner is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
  • If it is necessary to transfer Personal Data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract,
  • If Personal Data transfer is mandatory for our Company to fulfill its legal obligation,
  • If the Personal Data has been made public by the Personal Data owner,
  • If transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,
  • If transfer of Personal Data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.

2.4.1. Requirements for Transferring Personal Data Abroad

Our Company does not transfer the Personal Data and Private Personal Data of Personal Data Owners to third parties abroad for the purposes of processing Personal Data. The situation in the context of future projects regarding this is mentioned in 2.5.1 in the context of both Personal Data and Private Personal Data.

2.5. Requirements for Transferring Private Personal Data

The Company may transfer the Private Personal Data of Personal Data Owner to third parties in the following cases, in line with the legitimate and lawful Personal Data processing purposes, by showing the necessary care, taking the necessary security measures and taking the adequate precautions stipulated by the KVK Board:

(i) If the Personal Data Owner gives explicit consent, or

(ii) Without seeking the explicit consent of the Personal Data Owner in the presence of the following conditions;

  • Private Personal Data of the Personal Data Owner other than the health and sexual life (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, criminal conviction and data related to security measures, biometric and genetic data), can be processed in cases stipulated by law,
  • Private Personal Data of the Personal Data Owner concerning the health and sexual life of him/her can be processed by those persons or authorized institutions and organizations under the obligation to keep information confidential for the purpose of public health protection, conducting preventive medicine, medical diagnosis, treatment and care services, health services, and planning and management of their financing.

2.5.1. Transfer of Private Personal Data Abroad

Our Company does not transfer any of the personal data it has processed abroad for now. However, as required by the projects it will take in the future, the Company may transfer the Private Personal Data of the Personal Data Owner to foreign countries where the data officer has adequate protection or undertakes sufficient protection in the following cases, in line with the legitimate and lawful purposes of Personal Data processing, by making the relevant changes in accordance with the KVK Law and the Board decisions, showing the necessary care, taking the necessary security measures and taking the adequate precautions stipulated by the KVK Board:

(i) If the Personal Data Owner gives explicit consent, or

(ii) Without seeking the explicit consent of the Personal Data Owner in the presence of the following conditions;

  • Private Personal Data of the Personal Data Owner other than the health and sexual life (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, criminal conviction and data related to security measures, biometric and genetic data), can be processed in cases stipulated by law,
  • Private Personal Data of the Personal Data Owner concerning the health and sexual life of him/her can be processed by those persons or authorized institutions and organizations under the obligation to keep information confidential for the purpose of public health protection, conducting preventive medicine, medical diagnosis, treatment and care services, health services, and planning and management of their financing.

3. CLASSIFICATION OF PERSONAL DATA, PURPOSES OF PROCESSING AND TRANSFER, PERSONS TO WHOM IT WILL BE TRANSFERRED

3.1. Classification of Personal Data

PERSONAL DATA CATEGORIZATION: DESCRIPTION OF PERSONAL DATA CATEGORIZATION
Identity Data: Data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system and contains information about the identity of the person; documents such as the driver’s license, identity card and passport containing the name and surname, national ID number, nationality information, mother’s and father’s name, place of birth, date of birth, and gender, and tax ID number, SSI number, signature information, vehicle plate, etc. information.
Communication Data: Information such as phone number, address, e-mail address, fax number, and IP address that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system.
Location Data: Data such as GPS location, travel data, etc. that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system and determines the location of the Personal Data Owner during the use of the products and services of the group companies within the frame of the operations carried out by the business units of the Company or the employees of the institutions the Company cooperates with while using the Company vehicles.
Transaction Security Data: Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the activities of the Company. For example, IP address information, Internet site login and exit information, Password information, etc.
Data on Family Members and Relatives: Data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, and is about the family members (e.g. spouse, mother, father, children) and relatives of the Personal Data Owner, and other persons who can be accessed in case of emergency in order to protect the legal and other interests of the Company and the Personal Data Owner regarding the products and services offered by the group companies within the frame of the operations carried out by the business units of the Company.
Data on Physical Space Security: Data such as camera records, fingerprint records and records taken at the security point, etc. that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, is related to the records and documents received during the entrance to the physical space and the stay in the physical space.
Financial Data: Data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, and is processed in relation to data, documents and records showing all kinds of financial results created according to the type of legal relationship established with the Personal Data Owner, and data such as bank account number, IBAN number, credit card information, financial profile, assets data, and income data.
Audio/Visual Data: Data that clearly belongs to an identified or identifiable real person, and is contained in photo and camera recordings (excluding the records included within the scope of Physical Space Security Data), audio recordings and papers that are copies of documents containing personal data.
Personal Data: Any data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, and is processed to obtain information that will be the basis for the personal rights of real persons who have an employment relationship with the Company.
Legal Transaction Data: Data processed within the scope of the determination and follow-up of the legal receivables and rights of the Company, payment of its debts and its legal obligations.
Risk Management: Information processed for the management of commercial, technical and administrative risks, etc.
Private Personal Data: Data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, and specified in Article 6 of the Law (e.g. health data including blood type, biometric data, religion and membership association data).
Demand/Complaint Management Data: Data that clearly belongs to an identified or identifiable real person, is processed partially or fully automatically, or non-automatically as part of the data recording system, and is related to the receipt and evaluation of any request or complaint directed to the Company.

Personal data in the following categories are processed within the Company by informing the relevant persons in accordance with Article 10 of the Law, complying with the general principles specified in the Law, especially the principles specified in Article 4 regarding the processing of personal data and all obligations regulated in the Law, and limited to the subjects within the scope of this Policy, based on one or more of the personal data processing conditions specified in Article 5 of the Law and in a limited manner, in line with the legitimate and legal personal data processing purposes of the Company. It is also stated in this part which data owners the personal data processed in these categories are related to.

The type of Personal Data of the Personal Data Owners specified in article (1.3.) of Part 1 of the Policy is specified as follows:

Data Category – Data Subject Person Group

1-Identity
  • Employee Candidate
  • Employee
  • Shareholder/Partner
  • Intern
  • Supplier’s Authorized Person
  • Product or Service Purchaser
2-Communication
  • Employee Candidate
  • Employee
  • Shareholder/Partner
  • Intern
  • Supplier’s Authorized Person
  • Product or Service Purchaser
3-Location
  • Employee
4-Personal Information
  • Employee Candidate
  • Employee
  • Intern
5-Legal Action
  • Employee
  • Shareholder/Partner
  • Supplier’s Authorized Person
  • Product or Service Purchaser
6-Customer Transaction
  • Potential Product or Service Purchaser
  • Supplier’s Authorized Person
  • Product or Service Purchaser
7-Physical Space Security
  • Employee Candidate
  • Employee
  • Shareholder/Partner
  • Potential Product or Service Purchaser
  • Intern
  • Supplier’s Authorized Person
  • Product or Service Purchaser
8-Transaction Security
  • Employee
  • Shareholder/Partner
11-Professional Experience
  • Employee Candidate
  • Employee
  • Intern
12-Marketing
  • Supplier’s Authorized Person
  • Product or Service Purchaser
13-Visual and Audio Records
  • Employee Candidate
  • Employee
  • Shareholder/Partner
  • Intern
  • Supplier’s Authorized Person
  • Product or Service Purchaser
21-Health Information
  • Employee Candidate
  • Employee
  • Intern
23-Criminal Convictions and Security Measures
  • Employee
24-Biometric Data
  • Employee

3.2. Purposes of Processing and Transferring Personal Data

Personal Data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law in accordance with the law and the purpose of the Law, limited to the following purposes of the Company:

  • Planning and implementing human resources policies in the best way,
  • Correct planning, execution and management of commercial partnerships and strategies,
  • Ensuring the legal, commercial and physical security of itself and its business partners,
  • Ensuring corporate functioning, planning and execution of management and communication activities,
  • Providing the best use of the products and services for Personal Data Owners and recommending them according to their demands, needs and requests,
  • Ensuring the highest level of data security,
  • Establishing databases,
  • Improving the services offered on the website and eliminating the errors on the website,
  • Communicating with Personal Data Owners who have communicated their demands and complaints to it, and providing demand and complaint management,
  • Event management,
  • Management of relations with business partners or suppliers,
  • Execution of staff recruitment processes,
  • Supporting staff recruitment processes of Group Companies and their compliance with the relevant legislation,
  • Supporting the planning and execution processes of the fringe benefits and interests to be provided to it and its senior managers,
  • Supporting the realization of partnership law procedures,
  • Execution/follow-up of financial reporting and risk management processes,
  • Execution/follow-up of Company’s legal affairs,
  • Carrying out activities aimed at protecting its reputation,
  • Managing investor relationships,
  • Giving information to the authorized institutions based on the legislation,
  • Creating and tracking visitor records,
  • Carrying out management activities,
  • Ensuring the execution of the transactions to be performed in accordance with the contract,
  • Determination of risk factors,
  • Execution of financial processes,
  • Achievement of goals such as marketing and customer satisfaction,
  • Implementation of Occupational Health and Safety measures and obligations.

If the processing activity carried out for the afore-mentioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent shall be obtained by the Company regarding the relevant processing process.

3.3. Persons to whom Personal Data will be Transferred

Your Personal Data can be transferred to the following categories of persons managed by the Policy in accordance with the law and the purpose of the Law for the following purposes:

Persons to whom Data can be Transferred: Purpose of Data Transfer
Legally Authorized Public Institutions and Organizations, Shareholders, Internal Audit Company: It can be transferred in a limited manner for the purpose requested by the relevant public institutions and organizations, shareholders, and internal audit company within their legal authority.
Legally Authorized Private Law Persons: It can be transferred in a limited manner for the purpose requested by the relevant private law persons, such as banks, within the scope of their legal authority in accordance with the provisions of the legislation.

4. COLLECTION METHOD OF PERSONAL DATA AND ITS LEGAL BASIS, ITS DELETION, DESTRUCTION AND ANONYMIZATION, AND STORAGE PERIOD

4.1. Personal Data Collection Method and Its Legal Basis

Personal Data is collected in order to fulfill the responsibilities arising from the law completely and accurately within the framework of legislation, contract, demand and legal reasons, in order to realize the purposes stated in the Policy through various means such as call center, Company website and mobile applications via technical and other methods in all kinds of verbal, written and electronic media for the purpose of controlling compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, and is processed by the Company or data processors appointed by the Company.

4.2. Deletion, Destruction or Anonymization of Personal Data

Provided that the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data are reserved, the Company deletes, destroys or anonymizes the Personal Data, either sua sponte or upon the request of the data owner, although it has processed them in accordance with the provisions of this Law and other laws. With deletion of Personal Data, these data are destroyed in a way that they cannot be used and retrieved in any way. Accordingly, Personal Data is deleted from the tools such as documents, files, CDs, floppy disks, hard disks, etc. in which they are recorded in a way that cannot be retrieved. Destruction of Personal Data, on the other hand, means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks, etc. in which the data is recorded, so that the information cannot be retrieved and used. Anonymization of the data means making the Personal Data not to be associated with an identified or identifiable real person even if it is matched with other data.

4.3. Storage Period of Personal Data

The Company stores Personal Data for the period specified in this legislation, in case it is stipulated in the legislation. If a period is not regulated in the legislation regarding how long the personal data should be stored, Personal Data are processed for a period that requires processing in accordance with the Company’s practices and commercial life customs, depending on the activity carried out by the Company while processing that data, then they are deleted, destroyed or anonymized.

If the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and the Company have come to an end, Personal data can only be stored in order to provide evidence in possible legal disputes or to assert the relevant right regarding the personal data or to establish a defense. For the establishment of the periods here, the storage periods are determined based on the time-out periods for the claiming of such right, and the examples in the requests made to the Company on the same issues before although the time-out periods have passed. In this case, the stored personal data is not accessed for any other purpose, but only accessed when it is required to be used in the relevant legal dispute. Here too, after the aforementioned period expires, personal data is deleted, destroyed or anonymized.

5. ISSUES ABOUT THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures for providing the appropriate security level in order to prevent illegal processing of Personal Data it processes, prevent illegal access to the data and ensure the maintenance of data, and carries out the necessary audits within this scope or has them carried out.

5.1. Ensuring the Security of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data

The Company takes technical and administrative measures according to technological facilities and cost of implementation to ensure that Personal Data is processed in accordance with the law.

(i) Technical Measures Taken to Ensure the Legal Processing of Personal Data

Main technical measures taken by the Company to ensure the legal processing of Personal Data are listed below:

  • Personal Data processing activities carried out within the Company are audited by established technical systems.
  • Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
  • Staff who are well informed on technical issues are employed.

(ii) Administrative Measures Taken to Ensure the Legal Processing of Personal Data

Main Administrative Measures taken by the Company to ensure the legal processing of Personal Data are listed below:

  • Employees are informed and trained on the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.
  • All activities carried out by the Company are analyzed in detail specific to all business units, and Personal Data processing activities are revealed, specific to the activities carried out by the relevant business units as a result of this analysis.
  • Personal Data processing activities carried out by the business units of the Company and the requirements to be fulfilled in order to ensure compliance of these activities with the Personal Data processing requirements of the Law are determined specific to each business unit and the detailed activity it carries out.
  • In order to meet the legal compliance requirements determined on the basis of business units, awareness is created for relevant business units and implementation rules are determined, and necessary administrative measures are implemented through in-house policies and trainings to ensure the supervision of these issues and the continuity of implementation.
  • Records imposing the obligation not to process, disclose and use Personal Data, except for the Company’s instructions and exceptions imposed by law, are inserted in the contracts and documents that govern the legal relationship between the Company and the employees, and the awareness of employees on this issue is created and audits are carried out to fulfill the obligations arising from the Law.

5.1.2. Technical and Administrative Measures Taken to Prevent Illegal Access to Personal Data

The Company takes technical and administrative measures according to the nature of data to be protected, technological facilities and implementation cost to prevent the imprudent or unauthorized disclosure, access, transfer or other illegal access of Personal Data.

(i) Technical Measures Taken to Prevent Illegal Access to Personal Data

Main technical measures taken by the Company to prevent illegal access to Personal Data are listed below:

  • Technical measures in line with the developments in technology are taken, and the measures taken are periodically updated and renewed.
  • Technical solutions for access and authorization are implemented in accordance with the legal compliance requirements determined on the business unit basis.
  • Access authorizations are restricted and authorizations are regularly reviewed.
  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the necessary technological solutions are produced by re-evaluating the risky issues.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Staff who are well informed on technical issues are employed.
  • Applications in which Personal Data is collected are regularly subjected to security scans to detect security vulnerabilities. The vulnerabilities found are eliminated.

(ii) Administrative Measures Taken to Prevent Illegal Access to Personal Data

Main administrative measures taken by the Company to prevent illegal access to Personal Data are listed below:

  • Employees are trained on technical measures to be taken to prevent illegal access to Personal Data.
  • Personal Data processing on the basis of business unit is designed and implemented within the Company to access and authorize Personal Data in accordance with legal compliance requirements.
  • Employees are informed that they shall not disclose the Personal Data they obtained to anyone contrary to the provisions of the Law and shall not use them for purposes other than processing, and that this obligation shall continue after they leave the job, and the required commitments are taken from them accordingly.
  • Provisions indicating that the persons to whom the Personal Data is transferred will take the necessary security measures in order to protect the Personal Data and ensure that these measures will be followed in their own organizations are added to the contracts concluded by the Company with the persons to whom the Personal Data is transferred in accordance with the law.

5.1.3. Storage of Personal Data in Safe Environments

The Company takes the necessary technical and administrative measures according to technological facilities and cost of implementation to store Personal Data in safe environments and to prevent it from being destroyed, lost or altered for illegal purposes.

(i) Technical Measures Taken for the Storage of Personal Data in Safe Environments

The main technical measures taken by the Company for the storage of Personal Data in safe environments are listed below:

  • Systems suitable for technological developments are used to store Personal Data in safe environments.
  • Expert staff on technical issues is employed.
  • Technical security systems are established for storage areas, security tests and research are carried out to detect security vulnerabilities in information systems, and existing or potential risks identified as a result of the tests and research are eliminated. Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
  • Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.
  • Access to data in the environments where Personal Data is stored is restricted, so that only authorized persons can access these data, limited to the purpose of storing personal data. Access to data storage areas where Personal Data is stored is logged, and inappropriate access or access attempts are communicated instantly to those concerned.

(ii) Administrative Measures Taken for the Storage of Personal Data in Safe Environments

The main administrative measures taken by the Company for the storage of Personal Data in safe environments are listed below:

  • Employees are trained to ensure that Personal Data is stored in a safe manner.
  • Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy of private life and protection of personal data, and to take necessary actions.
  • In the event that an external service is procured by the Company due to technical requirements regarding the storage of Personal Data, provisions indicating that the persons to whom the Personal Data is transferred will take the necessary security measures in order to protect the Personal Data and ensure that these measures will be followed in their own organizations are added to the contracts concluded by the Company with the companies to which the Personal Data is transferred in accordance with the law.

5.1.4. Supervision of the Measures Taken for the Protection of Personal Data

The Company performs the necessary inspections within itself, or has them performed, in accordance with Article 12 of the Law. The results of these inspections are reported to the relevant department within the scope of the internal operation of the Company and necessary activities are carried out to improve the measures taken.

5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In case Personal Data processed in accordance with Article 12 of the Law is obtained illegally by others, the Company manages the system that enables the relevant Personal Data Owner and the KVK Board to be notified of this issue as soon as possible. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.

5.2. Protecting the Legal Rights of Personal Data Owners

The Company protects all legal rights of Personal Data Owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information about the rights of Personal Data Owners is given in the sixth part of this Policy.

5.3. Protection of Private Personal Data

The Law attaches special importance to certain Personal Data due to the risk of causing the victimization and/or discrimination of persons when processed illegally. These data are data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The Company pays utmost attention to the protection of private Personal Data determined as “private” by the law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of Personal Data are applied with the utmost care in terms of Private Personal Data and the necessary audits are provided within the Company on this issue.

6. RIGHTS OF THE PERSONAL DATA OWNER, EXERCISE AND EVALUATION OF RIGHTS

6.1. Enlightening of Personal Data Owner

The Company enlightens Personal Data Owners during the acquisition of Personal Data, in accordance with Article 10 of the Law. In this context, it enlightens about the identity of the Company representative, if any, the purpose for which Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method of Personal Data collection and its legal basis, and the rights of the Personal Data Owner.

6.2. Rights of the Personal Data Owner as per KVK Law

The Company informs you of your rights in accordance with Article 10 of the Law, provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical regulations for all of these. In accordance with Article 11 of the Law, the Company enlightens the persons whose Personal Data is collected about the following rights:

  • Learning whether personal data is processed or not,
  • Requesting information on Personal Data if it has been processed,
  • Learning the purpose of processing Personal Data and whether they are used appropriately for this purpose,
  • Knowing the third parties to whom Personal Data is transferred at home or abroad,
  • Requesting correction of personal data if it is incompletely or improperly processed,
  • Requesting the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
  • Requesting that the transactions made pursuant to sub-paragraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom the Personal Data is transferred,
  • Objecting to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
  • Requesting the elimination of damages in case of loss due to the illegal processing of personal data.

6.3. Situations Where the Personal Data Owner Cannot Claim Its Rights

As the following cases are excluded from the scope of the Law in accordance with Article 28 of the Law, Personal Data Owners cannot claim their rights listed in Article (6.2.) of this Policy in the following cases:

  • Processing of Personal Data by real persons within the scope of activities related to him/her or his/her family members living in the same residence, provided that it is not given to third parties and obligations regarding data security are complied with.
  • Processing of Personal Data for purposes such as research, planning and statistics by making them anonymous with official statistics.
  • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of Personal Data by judicial or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law, Personal Data Owners cannot claim their rights listed in Article (6.2.) of this Policy, except for the right to demand compensation, in the following cases:

  • The fact that processing of Personal Data is necessary for the prevention of crime or for criminal investigation.
  • Processing of Personal Data made public by the Personal Data Owner himself/herself.
  • The fact that processing of Personal Data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by authorized and competent public institutions and organizations and professional organizations that have the nature of public institutions, based on the authority granted by law.
  • The fact that processing of Personal Data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.

6.4. Exercising of the Rights by Personal Data Owner

Personal Data Owners may submit their requests regarding their rights listed in Article (6.2.) of this Policy to the Company free of charge by filling and signing the following Application Form with the information and documents that will identify their identities and with the methods specified below or by other methods determined by the KVK Board:

(i) Submission of a copy of the application form with wet signature to the (current address will be written) by hand or through a notary public after it is filled,

(ii) Filling out the application form and sending the secure electronically signed form to [email protected] by registered e-mail after you sign with your “secure electronic signature” within the scope of Electronic Signature Law No. 5070.

In order for the third parties to make an application request on behalf of the personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the applicant.

6.5. The Procedure and Duration of the Company to Respond to Applications

The Company finalizes the requests in the application free of charge, within thirty days at the latest, depending on the nature of the request. However, if such procedure requires a cost, the fee in the tariff determined by the KVK Board may be charged. The Company can either accept the request or refuse it by giving the reason, and notifies its response in writing or electronically. If the request in the application is accepted, the Company fulfills the request.

6.6. Personal Data Owner’s Right to Make Complaints to KVK Board

In case the application is refused, the response is found insufficient or the application is not responded to on time, the data owner has the right to make a complaint to the KVK Board within thirty days from the date of learning the response, and in any case within sixty days from the date of application.

7. MANAGEMENT STRUCTURE OF THE COMPANY AS PER THE POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

A Personal Data Committee has been established within the Company in accordance with the decision of the Company’s senior management to manage this Policy and other policies related to and in association with this Policy. Personal Data Committee is authorized and in charge of carrying out the necessary procedures for the storage and processing of the data of Personal Data Owners in accordance with the law, this Policy and other policies related to and in association with this Policy.

8. UPDATES, COMPLIANCE AND AMENDMENTS

8.1. Update and Compliance

The Company reserves the right to make amendments to this Policy and other policies related to and in association with this Policy in accordance with the decisions of the KVK Board or in line with the developments in the sector or data processing field due to the amendments to the Law.

The amendments to this Policy are immediately entered into the text and explanations regarding the amendments are described at the end of the Policy.

8.2. Amendments

Policy on Processing and Protection of Personal Data was published on 15.06.2020. There are no previous amendments.

CLARIFICATION TEXT FOR PROCESSING AND PROTECTION OF PERSONAL DATA

We, FERAH KONFEKSIYON SAN.VE TUR TIC.A.S. (the “Company”), attach importance to the processing and protection of all personal data belonging to all persons in relation to the Company, including those who benefit from our products and services, in accordance with the Law No. 6698 on Protection of Personal Data (“KVK Law”). As Data Officer, we process your personal data as explained below and within the limits prescribed by legislation.

Purposes of Processing and Transferring Personal Data

Personal Data is processed in accordance with the law and the purpose of the Law, under the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the purposes of: correct planning, execution and management of the Company’s human resources policies, commercial partnerships, management and communication activities and strategies; making the best use of its products and services by Personal Data Owners and making them private for their demands, needs and requests; providing the highest level of data security; improving the services offered on the website and eliminating the errors on the website; communicating with the Personal Data Owners who communicated their requests and complaints, and providing the management of requests and complaints; event management; providing information to the authorized organizations based on the legislation; and creating and tracking visitor records. Within the scope of the personal data transfer conditions specified in Articles 8 and 9 of the Law, it is acquired by the Company partners-business partners, successors and/or third parties/organizations determined by them, or shared with them, recorded and transferred to their electronic systems. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, the Company obtains your explicit consent regarding the relevant processing.

Personal Data Collection Method and Its Legal Basis

Personal Data is collected in order to fulfill the responsibilities arising from the law completely and accurately within the framework of legislation, contract, demand and legal reasons, in order to realize the purposes stated in the Policy through various means such as call center, Company website and mobile applications via technical and other methods in all kinds of verbal, written and electronic media for the purpose of controlling compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, and is processed by the Company or data processors appointed by the Company.

Rights of the Personal Data Owner as per KVK Law

The Company informs you of your rights in accordance with Article 10 of the Law, provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical regulations for all of these. In accordance with Article 11 of the Law, the Company enlightens the persons, whose Personal Data is collected, about their rights to learn whether their Personal Data is processed, to request information if their Personal Data has been processed, to learn the purpose of processing Personal Data and whether they are used in accordance with their purpose, to know the third parties to whom Personal Data is transferred at home or abroad, to request the correction of Personal Data in case they were incompletely or incorrectly processed, to request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law, to request the notification of the transactions carried out pursuant to sub-paragraphs (d) and (e) of Article 11 of the Law to the third parties to whom personal data is transferred, to object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems, and to claim compensation in case of loss due to the illegal processing of personal data.

Personal Data Owners may submit their requests regarding their rights to the Company free of charge by filling and signing the Application Form, which can be accessed from the link below, with the information and documents that will identify their identity and the methods specified below or by other methods determined by the KVK Board:

(i) Submission of a copy of the application form with wet signature to Turgut Özal Mah. 68 Sok. No:42/B 34513 Esenyurt / Istanbul by hand or through a notary public after it is filled,

(ii) Filling out the application form and sending the secure electronically signed form to [email protected] by registered e-mail after you sign with your secure electronic signature within the scope of Electronic Signature Law No. 5070.

In order for the third parties to make an application request on behalf of the personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the applicant.

“Application Form Link”