LPPD   

1. PURPOSE AND SCOPE OF THE POLICY

The procedures and principles adopted and to be applied by GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY within the scope of the disclosure obligation of the data controller to comply with the Law on the Protection of Personal Data No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677 and the relevant legal regulations are regulated by this Policy.


Regarding the personal data processed by the company; the principles of processing personal data, the purposes, and conditions of personal data processing, the transfer of personal data in the country and abroad, the destruction of personal data, and the rights of data owners over the processed personal data are stated below.


The Company will act in line with the procedures and processes outlined in this Policy in processing, use, transfer, and destruction of the data by complying with the LPPD and other relevant regulations and ensuring that personal data complies with the Law and other relevant regulations.


2. DEFINITIONS

Explicit Consent: It refers to consent on a specific subject, based on information and expressed with free will.


Anonymization: It refers to rendering personal data impossible to associate with an identified or identifiable natural entity under any circumstances, even by matching with other data.


Recipient Group: It refers to the natural or legal entity category to which personal data is transferred by the data controller.


Direct Identifiers: It refers to identifiers that directly reveal, disclose, and distinguish the person with whom they are in a relationship on their own.


Indirect Identifiers: It refers to identifiers that reveal, disclose, and distinguish the person with whom they are in a relationship when they are combined with other identifiers.


Relevant User: It refers to people who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the people or units responsible for technical storage, protection, and backup of data.


Destruction: It refers to the deletion, destruction, or anonymization of personal data.


Blackening: It refers to the process of scratching, painting, and blurring all of the personal data in such a way that it cannot be associated with an identified or identifiable natural entity.


Recording Medium: It refers to any medium in which personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.


Personal Data: It refers to any information relating to an identified or identifiable natural entity.


Processing of Personal Data: It refers to all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classification or prevention of use of personal data by fully or partially automatic or non-automatic means.


Personal Data Owner: It refers to a natural entity whose personal data is processed.


Board: It refers to the Personal Data Protection Board.


Masking: It refers to processes such as deleting, scratching, painting, and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural entity.


Sensitive Personal Data: It refers to race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data.


Periodic Destruction: It refers to the deletion, destruction, or anonymization process that will be carried out at repetitive intervals and specified in the personal data storage and destruction policy when all the conditions for processing personal data in the law are eliminated.


Registry: It refers to the registry of data controllers kept by the Presidency of the Personal Data Protection Authority.


Deletion: It refers to the process of making personal data inaccessible and unusable for the relevant users in any way.


Destruction: It refers to the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.


Data Processor: It refers to the natural or legal entity that processes personal data on behalf of the data controller, based on the authority given by the data controller.


Data Controller: (GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY) It refers to the natural or legal entity that determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.


3. PRINCIPLES OF PERSONAL DATA PROCESSING

According to Article 4 of the LPPD, which regulates the procedures and principles regarding the processing of personal data, our Company engages in personal data processing activities within the framework of the procedures and principles listed below.


1. Compliance with Law and Honesty

Our Company processes personal data according to LPPD and the other laws and regulations with which it is obliged to comply.


2. Being Accurate and Up-to-Date

Our Company fulfills the necessary procedures, takes technical and administrative measures to prevent changes in the personal data provided by the data owner without any permission, and updates personal data when requested by the data owner when there is a change in the processed data.


3. Processing for Specific, Explicit, and Legitimate Purposes

Personal data processed by the Company is processed in line with the declared processing purpose and limited to the declared purpose.


4. Being Associated, Limited to, and Measured for Processing Purpose

Our Company does not process personal data that does not overlap with the business, transactions and activities carried out, that is not required within the scope of these activities, or that goes beyond the purpose of processing.


5. Storing for the Period Recommended by Relevant Legislation or Required for the Processing Purpose

The processed personal data is stored for the required period due to the nature of the personal data processed or mentioned in the relevant legislation within the framework of LPPD, other relevant laws, and regulations.


4. PERSONAL DATA PROCESSING CONDITIONS AND EXCEPTIONAL CIRCUMSTANCES

According to Article 5 of the LPPD, sensitive personal data to be processed within the framework of company activities can be processed without the explicit consent of the owner if one of the following conditions exists.


Explicit consent of the data owner is obtained,

a) Expressly stipulated in the laws,

b) Necessary for the protection of the life or bodily integrity of the person, or of another person, when the owner is unable to express their consent due to actual impossibility or their consent is not given legal validity,

c) Necessary to process the personal data of the parties to the contract, provided that it is directly related to the creation or execution of a contract,

d) Obligatory for the data controller to fulfill its legal obligation,

e) Data is made public by the owner,

f) Data processing is obligatory for the transfer, use, or protection of a right,

g) Data processing is obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person.


According to Article 6 of the LPPD, sensitive personal data to be processed within the framework of company activities can be processed without the explicit consent of the owner if one of the following conditions exists.


a) Sensitive personal data will not be processed unless the explicit consent of the data owner is obtained,

b) Sensitive personal data may be processed without the explicit consent of the data owner in cases stipulated by the laws except for special categories of personal data regarding health and sexual life,

c) Sensitive personal data may be processed for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services, and financing even if it is about health or sexual life.


5. PERSONAL DATA CLASSIFICATION

Identity Data: All kinds of information written on identity cards, including but not limited to name, surname, mother's name, father's name, place of birth, date of birth, marital status, religion, blood group, registered province, district, and neighborhood.


Contact Data: Contact data such as home phone number, mobile phone number, residential or other address information, e-mail address requested or given by the relevant person to be able to communicate with him or her.


Location Data: Location data of the person, etc.


Entity Data: Payroll information, disciplinary investigation, recruitment document records, property declaration information, resume information, performance assessment reports, etc.


Legal Transaction Data: Information in correspondence with judicial authorities, information in the case file, etc.


Customer Transaction Data: Call center records, Invoice, promissory note, check information, Information in box office receipts, Order information, Request information, etc.


Physical Media Security: Daily visit registration information of employees and visitors, camera records, etc.


Transaction Security: IP address information, website login, and logout information, password information, etc.


Risk Management: Information processed for the management of commercial, technical, administrative risks, etc.


Finance: Balance sheet information, financial performance information, credit and risk information, asset information, etc.


Professional Experience: Diploma information, attended courses, in-service training information, certificates, transcript information, etc.


Marketing: Shopping history data, survey, cookie records, information obtained through promotions, etc.


Video and Audio Recordings: Video and audio recording, etc.


Philosophical Belief, Religion, Sect, and Other Beliefs: Information on other beliefs, information on religious affiliation, information on philosophical belief, information on sectarian affiliation, etc.


Attire: Information on attire, etc.


Health Data: Information on disability, blood group information, personal health information, used device and prosthesis information, etc.


Criminal Conviction and Security Measures: Information on criminal convictions, information on security measures, etc.


Resume Data: Educational information written in the resume or requested by us or given by the person, school information about your education, certificate information, education status and information about training, etc.


6. PURPOSE AND METHODS OF PROCESSING PERSONAL DATA

Personal data can be processed automatically or manually in physical or digital media to fulfill the company's activities and obligations arising from the law.


The purposes and conditions for processing your data are listed below:

  • The processing of personal data regarding our Company's activities is clearly stipulated in the law,
  • Execution of Occupational Health / Safety Activities,
  • Processing your personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
  • Processing your personal data is mandatory for our Company to fulfill its legal obligations,
  • Execution of Emergency Management Processes,
  • Execution of Employee Candidate/Intern/Student Selection and Placement Processes,
  • Execution of Application Processes of Employee Candidates,
  • Execution of Employee Satisfaction and Loyalty Processes,
  • Fulfillment of Employment Contract and Legislation Obligations for Employees,
  • Execution of Benefits Processes for Employees,
  • Conducting Audit/Ethical Activities,
  • Execution of Educational Activities,
  • Execution of Access Authorities,
  • Execution of Finance and Accounting Affairs,
  • Execution of Assignment Processes,
  • Following and Execution of Legal Affairs,
  • Following and Execution of Internal Audit/Investigation/Intelligence Activities,
  • Execution of Communication Activities,
  • Execution of Information Security Processes,
  • Planning Human Resources Processes,
  • Execution of Advertising/Campaign/Promotion Processes,
  • Execution of Marketing Processes of Products/Services,
  • Execution and Supervision of Business Activities, Execution of Occupational Health and Safety Activities,
  • Receiving and Evaluating Suggestions for the Improvement of Business Processes,
  • Execution of Business Continuity Ensuring Activities,
  • Execution of Logistics Activities,
  • Execution of Goods/Services Procurement Processes,
  • Execution of Goods/Services After-Sales Support Services,
  • Execution of Goods/Service Sales Processes,
  • Organization and Event Management,
  • Conducting Marketing Analysis Studies,
  • Execution of Risk Management Processes,
  • Execution of Storage and Archive Activities,
  • Execution of Contract Processes,
  • Tracking Requests/Complaints,
  • Execution of Supply Chain Management Processes,
  • Execution of Wage Policy,
  • Ensuring the Security of Data Controller Operations,
  • Execution of Talent/Career Development Activities,
  • Informing Authorized Persons, Institutions and Organizations,
  • Execution of Management Activities,
  • Creating and Tracking Visitor Records


7. SECURITY OF PERSONAL DATA

As GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY, we take all the necessary technical and administrative measures within the framework of the necessary technological infrastructure to ensure the security of your personal data, which we process within the framework of company activities, in line with LPPD and relevant legislation, and we take measures against data breaches, unauthorized access, data loss, unauthorized alteration of data and other threats, and carry out the necessary controls.


In this context, we identify current risks and threats, train our employees, and carry out awareness activities, and determine the policies and procedures regarding personal data security.


Technical Measures to Ensure the Lawful Storage of Personal Data and the Prevention of Unlawful Processing and Access

  • We ensure network security and application security.
  • We use a closed system network for personal data transfer via the network.
  • We take security measures within the scope of procurement, development, and maintenance of information technology systems.
  • We use up-to-date anti-virus systems.
  • We use firewalls.
  • We back up personal data and ensure the security of the backed-up personal data.
  • We implement a user account management and authorization control system, and we track them.
  • We use intrusion detection and prevention systems.
  • We take cyber security measures and constantly monitor their implementation.
  • We use encryption.
  • We conduct audits of the data security of data processing service providers at regular intervals.
  • We use data loss prevention software.


Administrative Measures to Ensure the Lawful Storage of Personal Data and the Prevention of Unlawful Processing and Access

  • We have disciplinary regulations that include data security provisions for employees.
  • We created an authorization matrix for employees.
  • We make confidentiality commitments.
  • We remove the authorization of employees who have changed their jobs or quit their jobs.
  • We ensure the security of media containing personal data.


In addition to these, in line with the data security principles stipulated within the scope of LPPD, we also provide personal data minimization, establish the necessary confidentiality agreements with data processors, provide our employees with the necessary training to ensure the security of personal data and prevent violations, and besides electronic media, we take the necessary measures for the security of personal data stored in physical media.


8. TRANSFER OF PERSONAL DATA ABROAD

Our Company may transfer the personal data of the persons concerned abroad in line with the law and the rules of good faith and adhering to the purposes of data processing. We act in line with Article 9 of LPPD in the transfer of personal data abroad.


Our Company may transfer the personal data of the persons concerned to third parties in line with the principles adopted in the processing of personal data. We pay attention to obtaining the consent of the person concerned in the transfer of personal data to third parties abroad.


If there is no explicit consent of the data owner, it is possible to transfer personal data abroad only if there is sufficient security in the country to which the data will be transferred or the data controller to whom the personal data will be transferred undertakes in writing to provide adequate security and with the permission of the Personal Data Protection Board.


Personal data in the category of identity, contact, location, customer transaction, finance, marketing data can be transferred to foreign countries declared to have adequate security by the Board.


9. DESTRUCTION OF PERSONAL DATA

This policy has been established to set forth what will happen to personal data, and under which procedures and principles it will be deleted, destroyed, or anonymized, upon the request of data owners whose personal data are processed with their explicit consent or when the purposes for processing and collecting personal data are no longer valid.


The operations will be carried out in line with the procedures and principles specified in the "Regulation on the Deletion, Destruction or Anonymization of Personal Data".


All operations regarding the deletion, destruction, or anonymization of personal data are recorded and these records are kept for at least three (3) years, excluding other legal obligations.


Personal data is kept by us for the purpose and scope specified in this Policy and they are destroyed as a result of the termination of the relevant processes and the disappearance of the situations requiring the storage of personal data or the request of the person concerned or the decision of the Board.


1. Technical and Administrative Measures Taken for the Legal Destruction of Personal Data

Secure Deletion from Software: We delete the data processed by fully or partially automated means and stored in digital media and implement methods for the deletion of the data from the relevant software in a way to make it inaccessible and unusable in any way for the relevant users.


Deletion of Related Data in the Cloud System by a Deletion Command: Removing the access rights of the relevant user on the file or the directory where the file is located on the central server, deletion of related rows in databases with database commands, or deleting the data in flash media or portable media using appropriate software can be considered in this context.


However, if the deletion of personal data would make other data within the system inaccessible and unusable, the personal data will also be deemed deleted if it is archived in a way that cannot be associated with the person concerned, provided that the following conditions are met.


  • Being inaccessible to any other institution, organization, and/or person,
  • Taking all necessary technical and administrative measures to ensure that only authorized persons can access personal data.


Secure Deletion by an Expert: In some cases, our company may hire an expert for the deletion of personal data on its behalf. In this case, the personal data is securely deleted by the person who is an expert in this field, so that it cannot be accessed and reused in any way for the relevant users.


Blackening of Personal Data on Paper: It is the method of making personal data unreadable by blackening it with fixed ink, irreversibly and in a way that cannot be read by technological solutions, or of removing the relevant personal data from the document by physically cutting it out, to prevent the misuse of personal data or to delete the data requested to be deleted.


Destruction of Personal Data:


De-magnetization: It is a method of rendering the data on magnetic media unreadable by passing the media through special devices where it will be exposed to high magnetic fields.


Physical Destruction: Personal data can also be processed in non-automatic ways as a part of any data recording system. A system of physical destruction of personal data is implemented in a way that it cannot be used later on while destroying such data. Destruction of data in paper and electronic media must be carried out in this way since they cannot be destroyed in any other way.


Overwriting: The overwriting method refers to writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media using special software.


Anonymization Methods That Do Not Ensure Value Distortion

Anonymization methods that do not provide value irregularity are the generalization, replacement of any personal data group, or the removal of a certain data or sub-data group from the group without making any changes or additions/removals to the stored personal data.


Variable Subtraction: The existing data set is anonymized by removing the “highly descriptive” ones with the method of extracting descriptive data from the variables in the data set created after the collected data were brought together.


Record Subtraction: In the record subtraction method, the stored data is anonymized by subtracting data row records containing singularity among the data.


Regional Hiding: Hiding the relevant data provides anonymization in the regional hiding method if a single piece of data has a determinative feature because it creates a very rarely visible combination.


Lower and Upper Bound Coding: The values in a data group containing predefined categories are anonymized by determining a certain criterion and combining them in the lower and upper bound coding method.


Generalization: A lot of data is aggregated with the data aggregation method and personal data are rendered incapable of being associated with any person.


Global Coding: A more general content is created than the content of personal data with the data derivation method and it is ensured that personal data cannot be associated with any person. For example, using ages instead of dates of birth or using region of residence instead of the full address.


Distortion Adding: Distortion adding is when the data is anonymized by adding some positive and negative deviations at the determined rate to the existing data in a data set where numerical data is predominant.


Micro Combining: All data is first arranged in a meaningful order and divided into groups in the micro combining method and anonymization is provided by replacing the relevant data in the current group with the value obtained by taking the average of the groups.


Data Exchange: The values of a variable are exchanged between the pairs selected from the stored data in the data exchange method.


During the execution of the above-mentioned operations, we fully comply with the provisions of the LPPD, the Regulation, and other relevant legislation to ensure data security and take all necessary administrative and technical measures.


2. Periodic Destruction Process of Personal Data

Personal data within GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY will be checked at periodic intervals of six (6) months. Without prejudice to the legal rights arising from the law to justify the legitimate interest of the data controller, and without destroying the data obtained within the statute of limitations or abusive periods, the data whose processing conditions have been completely eliminated will be deleted, destroyed, or anonymized.


The destruction period of your job applications has been determined as 2 months.


On the date on which the obligation to delete, destroy or anonymize personal data arises, personal data will be deleted, destroyed, or anonymized in the first periodic destruction process.


10. RIGHTS OF PERSONAL DATA OWNER

Regarding the personal data processed within the scope of the activities of GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY, the data owner has the following rights, enumerated in Article 11 of LPPD and Article 10 of the Regulation, which can be exercised by applying to GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY.


a) Learning whether personal data is processed or not,

b) If processed, requesting information about it,

c) Learning the purpose of processing personal data and whether they are used in line with the purpose,

d) Learning the third parties to whom personal data is transferred in the country or abroad,

e) If the personal data is incompletely or incorrectly processed, requesting correction of personal data,

f) Requesting the deletion or destruction of personal data in line with the conditions stipulated in Article 7 of the LPPD,

g) Requesting notification of the operations made according to the principles outlined in subparagraphs (e) and (f) to third parties to whom personal data has been transferred,

h) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

i) Demanding compensation in case of any loss due to the unlawful processing of personal data.


11. FINAL PROVISIONS

In case the persons concerned exercise their rights listed above and apply to GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY on the issues mentioned above, the requests included in the application will be finalized within thirty (30) working days at the latest, depending on the nature of the request. The applicant will be notified about the results of the acceptance of the request or its rejection by explaining the reasons within this period.


Unless otherwise decided by the Board, the appropriate method of deletion, destruction, or anonymization of personal data will be chosen by GÖKÇAĞ KUMAŞCILIK INDUSTRY AND TRADE INCORPORATED COMPANY.


Regarding the processing of personal data, data owners can apply by filling out the form available on the website and submitting it by the appropriate method among the methods specified in the form.

CONTACT INFORMATION

Contact KEP Address: gokcagkumascilik@hs01.kep.tr

Address: Çerkezköy Organize Sanayi Bölgesi Gazi Osman Paşa Mah. 5. Cad. No:20 Çerkezköy/Tekirdağ

Phone: (0282) 758 37 51

Fax: (0282) 758 37 49