1. Introduction

As AYDINLI HAZIR GIYIM SAN. TIC. A.Ş ("Company"), we attach utmost importance to the processing and protection of personal data in accordance with the Law 6698 on the Protection of Personal Data ("Law"), and we proceed accordingly in all our planning and activities. With this in mind, we present this Personal Data Processing and Protection Policy ("Policy") to inform you about the details of our personal data processing processes.


For the purposes of this Policy, the following definitions shall apply:


Personal Data : All information relating to an identified or identifiable natural person.

Private Personal Data : hatalı

Processing of Personal Data : Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making available, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

Data Subject/Data Owner : The natural person whose personal data is processed by the company, including an employee, customer, business partner, stakeholder, authority, candidate for recruitment, visitors, company customers, potential customers and third persons and others.

Data Registry System : The registry system which the personal data is registered into through being structured according to certain criteria.

Controller : The natura lor legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

Processor : The natural or legal person who processes personal data on behalf of the controller upon his authorization.

Explicit Consent : Freely given, specific, informed consent.

Anonymizing : Rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.

Law : The Law 6698 on the Protection of Personal Data.

KVK Council : Personal Data Protection Council.

Destruction : Deletion, elimination or anonymization of personal data and ending processing there of.

1.2. Purpose of the Policy

The purpose of this policy is to ensure the sustainability of the Company's "principle of conducting company activities in a transparent manner", to disclose the systems for processing and protecting personal data in accordance with the law, and to inform the data subjects, including Company Stakeholders, Company Officials, Company, Business Partners, Employees, Candidate Employees, Visitors, Company and Group Company Customers, Potential Customers and Third Parties. Whose personal data are processed by our company accordingly.

1.3. Data Subjects

1) Company Stakeholder : The natural persons who are the stakeholder of the company.

2) Natural Person Business Partner : The natural persons with whom the Company has any business relationship.

3) Stakeholder, Official, Employee of Company's Business Partners : All natural persons, including employees, stakeholders and officials of natural and legal persons (such as business partners, suppliers) with whom the Company has any business relationship.

4) Company Official : The natural persons who are the member of the company's board of directors and other persons authorized.

5) Employee/Intern : The natural persons who perform services in the company with an employment contract.

6) Candidate Employee : The natural persons who have applied to the company for a position by any means or have submitted CV and related information to the Company's review.

7) Company Customer : The natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

8) Potential Customer : The natural persons who have requested or been interested in using the Company's products and services, or may interest, have been evaluated in accordance with the commercial practices and bona fides, and have the potential to turn into customers.

9) Visitor : A natural person who visits physical sites owned by the Company for various purposes or the one who visits web sites of the company for any purpose.

10) Third Parties : Natural persons excluding the Data Subject categories mentioned above and Company employees.

1.4. Management Structure in accordance with the Company's Policy on the Processing and Protection of Personal Data

A "Personal Data Protection Committee- ("KVK Committee")" has been established by the Company to ensure the necessary coordination within each Company to ensure and maintain compliance with the personal data protection regulations. This Committee is responsible for the execution and improvement of the systems established to ensure uniformity among company departments and to ensure that the activities carried out comply with the personal data protection regulation. In this regard, the main duties of the KVK Committee are as follows :

  • To prepare and enforce basic policies regarding the protection and processing of in-house personal data,
  • To decide on how to implement and control the policies regarding the protection and processing of in-house personal data, and within this framework, to make internal assignments and to ensure coordination,
  • To determine the issues that need to be done in order to ensure compliance with the Personal Data Protection Law ("KVKK") and the relevant regulations; to oversee and coordinate the implementation,
  • To increase awareness within the Company and in cooperation with institutions on the protection and processing of personal data,
  • To determine the risks that may occur in the personal data processing activities of the Company and to ensure that the necessary measures are taken; offer suggestions for improvement,
  • To arrange and implement trainings on the protection of personal data and the implementation of policies,
  • To decide on the applications of the data subjects,
  • To coordinate the execution of information and training activities to ensure that the data subjects are informed about personal data processing activities and legal rights of the company,
  • To prepare and enforce changes in the basic policies regarding the protection and processing of personal data,
  • To follow the developments and regulations on the protection of personal data; to advise senior management on what should be done in Company operations in accordance with these developments and regulations,
  • To manage relations with the Authority and the Board.


Personal Data can be collected and processed by the Company directly from the data subject in electronic or physical media within the scope of the business, legal, contractual relationship or otherwise established relationship between the Company and the data subject; within the framework of the purposes stated in detail below and based on the reasons for compliance with the law as specified in pint 2 of Article 5 of the Law No. 6698 or in the absence of such a reason, based on explicit consent. The details in this regard are specified in the clarification texts prepared separately for each data subject and presented to the data subjects in physical and electronic environments (Clarification Texts in stores and website, clarification texts for the Suppliers/ Business Partners, Clarification Texts for clarification text, Clarification Text for Visitors, etc.). At least one of the following is regarded as the legal basis for data processing.

  • It is clearly provided for by the laws which the Company is subject to,
  • Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process the personal data of the parties to the contract in order to provide the requested products and services or to fulfill the requirements of the concluded contracts,
  • It is mandatory for the Company to be able to perform his legal obligations,
  • The data concerned is made available to the public by the data subject himself,
  • Data processing is mandatory for the establishment, exercise or protection of any right pursuant to the regulations and in-house operations,
  • It is mandatory for the legitimate interests of the Company, provided that this processing shall not violate the fundamental rights and freedoms of the data subject,
  • Explicit consent of the data subject.


3.1. Personal Data Categories

In line with the Company's legitimate and lawful personal data processing purposes, personal data in the following categories are processed based on one or more provisions of the personal data processing specified in Article 5 of the Law, the general principles specified in the Law, primarily the principles specified in Article 4 regarding the processing of personal data for periods specified in this Policy by complying with the principles set forth in Article 4 of the Law on personal data processing and general provisions of the Law and obligations stipulated under the law and the data subjects are informed accordingly pursuant to Article 10 of the Law. In addition to the general definitions of the personal data processed in these categories, a description is given about what information they cover.


Identification : Any information of the identified or identifiable natural person such as name-surname, Turkish citizenship number, place of birth, date of birth, gender, identity card and passport number, tax number, Social Security number, etc.

Contact Information : Information such as telephone number, address, e-mail address, fax number, etc., of the identified or identifiable natural person.

Personnel Information : All kinds of personal data processed for the purpose of obtaining the information that will form the basis of the personal rights of natural persons who work as the personnel in accordance with the employment contract executed with the company.

Education and Professional Information : All information related to the employees, candidates, customers, and potential customers' work history and educational background.

Location Information : Information identifying the location of the Data Subject while using the Company vehicles within the framework of the operations carried out by the Company's business departments; GPS location data.

Information about Process Security : Information of the data subject such as IP address, computer password, internet access records.

Information about the security of physical venue : Personal data regarding the video recordings and documents taken at the entrance to the physical venues of the company, during the stay in the physical venue; and recordings taken at the security point, etc.

Financial Information : Personal data related to information, documents and records of all kinds of financial operations depending on the type of legal relationship the Company has established with the Data Subject, and data such as bank account number, IBAN number, credit card information, asset data, income information.

Private Personal Data : Data specified in Article 6 of the Law and the processing and protection of which is subject to more specific provisions (i.e., health data, biometric data, etc.).

Audio/Visual Information : Information consisting of photographs and camera recordings, audio recordings obtained through the call center of an identified or identifiable natural person.

Legal Proceedings Information : Data processed within the scope of determination and follow-up of the Company's legal receivables and rights, performance of its debts and legal obligations.

Customer Information : Information such as records for the use of products and services, and the customer's instructions and requests for the use of products and services.

Marketing Information : Personal data processed for the marketing of products and services by customizing them in line with the personal habits and interests of the data Subjects, and reports and evaluations created as a result of these processing results.

3.2. General Principles for Processing of Personal Data

Personal data is processed by the Company in compliance with the procedures and principles set forth in the Law and this Policy :

  • Personal data is processed in accordance with lawfulness and conforming with rules of bona fides.
  • It is ensured that Personal Data is accurate and up-to-date. In this context, whether the source from which the data are obtained is certain, the accuracy is confirmed, and it needs to be updated is taken into consideration.
  • Personal data is processed for specific, explicit and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it has done or the service it has provided.
  • Personal Data is processed to achieve the purposes determined by the Company, and the processing of Personal Data that is not relevant to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary for the realization of the purpose. Personal Data processed in this context are relevant, limited and proportionate to the purposes for which they are processed.
  • If is stipulated by relevant legislation, these periods are complied with; otherwise, it retains the Personal Data only for the period necessary for the purpose for which they are processed. In the event that there is no valid reason for further retention of Personal Data, the said data is deleted, destroyed or anonymized.

3.3. Purposes of Processing of Personal Data

Personal data is processed by the Company for the purposes listed below in accordance with the data processing law and principles. The existence of the following purposes may vary for each Data Subject.

The personal data obtained are processed by the Company according to the nature of the work, within the scope of the personal data processing provisions specified in Article 5 and 6 of the Personal Data Protection Law and for the purposes listed below :

3.3.1. Purposes of Processing Personal data by the Company


Performing In-house Operations and Human Resources, Management of Personnel Processes

1. Establishment and Performing Business Activities

2. Planning, Auditing and Performing Information Security Processes

3. Event Management

4. Fulfillment of Legislative Obligations for Employees

5. Follow-up of Finance and Accounting Affairs

6. Planning and Performing Occupational Health and Safety Processes

7. Planning and Performing Human Resources Processes

8. Planning and Performing Business Activities

9. Planning and Performing Business Continuity Activities

10. Planning and Performing Corporate Communication Activities

11. Planning and Performing Logistics Activities

12. Planning and Performing Production and Operation Processes

13. Performing Audit and Security Activities

14. Creating and Tracking Visitor Records

15. Providing Physical Venue Security

16. Providing Information to Authorized Persons, Institutions and Organizations

17. Ensuring the Security of Data Controller Operations

18. Providing Internet Access and Providing Access Security

19. Retaining and Saving The Information Pursuant to The Relevant Legislation

Customer Related Processes/Operations and Marketing Activities

1. Planning and Carrying out Purchasing Goods and Services, Planning and Sales Processes

2. Planning and Carrying out After Sales Support Services

3. Planning and Performing Sales and Marketing Processes of Products and Services

4. Follow-up of Contract Processes and Legal Requests

5. Carrying out Finance and Accounting Affairs

6. Planning and Carrying out Customer Relationship Management Processes

7. Carrying out Advertising, Promotion and Marketing Activities

8. Carrying out Activities for Customer Satisfaction

9. Ensuring Physical Venue Security

10. Follow-up of Requests / Complaints

11. Fulfillment of Legal Obligations

12. Carrying out Legal Processes

13. Carrying out Communication Activities and Sending Commercial Electronic Messages

14. Establishment of Membership Agreements

15. Information and Transaction Security

16. Planning and Performing the Processes of Establishing and Increasing Loyalty to the Products and Services Offered by the Company

17. Planning and Carrying out Market Research Activities for Sales and Marketing of Products and Services

18. Providing Information to Authorized Institutions and Organizations

Financial Operations

1. Banking and Insurance Transactions

2. All Payment and Collection Transactions

3. Finance and Accounting Transactions

4. Investment Processes

5. Financial Leasing Operations

6. E-invoice and E-archive Operations

7. Operations regarding Tax Legislation

8. Retention of information in accordance with the relevant legislation; copying, backing up to prevent loss of information; checking the consistency of information

Legal, Technical and Administrative Activities

1. Planning and Carrying out Emergency Management Processes

2. Planning and Carrying out Occupational Health and Safety Processes

3. Following-up Legal Affairs

4. Providing Information to Authorized Organizations

5. Creating and Tracking Visitor Records

6. Planning and carrying out the Company's Production and Operational Risk Processes

7. Ensuring the Security of Company Operations

8. Ensuring the Security of Company Campuses and Facilities

9. Ensuring the Security of Movable Property and Resources

10. Planning and Carrying out Company Audit Activities

11. Planning and Carrying out the Activities of the Company in Compliance with the Relevant Legislation and Management of Information and Transaction Security Processes

Strategic Planning & Business Partners / Supplier Management

1. Performing Activities in Compliance with the Legislation

2. Performing Contract, Order, Supply Processes

3. Performing Finance and Accounting Affairs

4. Ensuring Physical Space Security

5. Performing of Logistics Activities

6. Managing Supply Chain Management Processes

7. Retention of information in accordance with the relevant legislation; copying, backing up to prevent loss of information; checking the consistency of information; taking the necessary technical and administrative measures for the security of our databases and information.

3.3.2. Purposes of the Company to Process Personal Data of the Data Subjects Company Customers

If the company engages with any customers during their visits to Pierre Cardin, US POLO and Cacharel websites, memberships to these websites, participation in loyalty programs, shopping, purchases made from physical stores, modification slips completed during store visits, product review forms and other forms; posts in telephone or e-mail correspondence, conversations with Customer Services on the phone, filled contact forms or any commercial or legal relationship, the company, depending on the relationship, collects and processes identity particulars (Name, Surname, Turkish citizenship number, Gender, Date of Birth), contact information (E-mail Address, Address and Telephone), data about the product purchased within the scope of the Company's field of activity, audio data recorded in the conversations with customer services, visual data taken with the security cameras in the store of the data subject within the scope of the contract, its performance, the establishment of a right and legitimate interests, in accordance with Point 2 of Article 5 of the Law.

In addition to this information, personal information about profession and marital status can also be collected in order to organize special campaigns for customers and to define special discounts within the scope of loyalty cards, but explicit consent is requested from the data subject for the processing of this data.

In addition, explicit consent of the data subject is requested for the purposes of using the personal data shared by the Customers who are willing to benefit from and aware of the products and service and advantages offered by AYDINLI, and making all kinds of electronic communications and other sending messages for special promotions, sales, marketing, questionnaires and similar.

In the event that no relationship is established with the data subject regarding the product or service, the above-mentioned data can only be processed with explicit consent for the following purposes.

The Company carries out data processing activities in accordance with the business relationship established with natural or legal persons regarding the products and services it offers.

  • Carrying out Goods / Services Purchasing, Production and Sales Processes
  • Executing After Sales Support Services, Production and Operation Processes
  • Carrying out Customer Relations Management Processes
  • Executing Activities for Customer Satisfaction
  • Ensuring Physical Venue Security
  • Carrying out Communication and Information Security Activities
  • Executing Activities in Compliance with the Legislation
  • Executing Finance and Accounting Affairs
  • Carrying out Company / Product / Services Loyalty Processes
  • Conducting Marketing Analysis Studies
  • Carrying out Advertising / Campaign / Promotion Processes
  • Executing Transactions and Activities within the Scope of Commercial / Contractual Relationship
  • Fulfilling Financial and Legal Obligations
  • Following up of Requests / Complaints
  • Fulfilling Legal Obligations
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Executing Legal Processes
  • Engaging in Storing and Archiving Activities Potential Customers of the Company

The data obtained directly from the data subject during visits to our website, Fashionalty (Loyalty Card) membership, shares in our Social Media Accounts, telephone or e-mail correspondence, calls/shares with Customer Services on the phone, requests, suggestions or complaints and business cards shared at exhibitions and events (data on the business card is regarded as made public) the identity particulars (Name, Surname, Date of Birth, Gender, Date of Birth) and contact number, E-mail address), profession and marriage date is processed based on EXPLICIT CONSENT in accordance with Article 5 of the Law. Also, the data is processed to inform the data subject about the products and services of our company, send electronic messages related to advertisements and campaigns, and offer a number of products specific to the data subject for the marketing purposes based on the consent of the data subject (for electronic commercial communication). Employees of the Company

As specified in the Law 6698 and to the extent permitted by the law, any document and information kept in the personnel file of the employee as per Article 75 of the Labor Law No. 4857 of the employees working within the company are regarded as personal data and are collected for the purposes of, including but not limited to, establishing the employment contract and fulfilling its requirements, proving the business relationship, recording information on wages and salaries, sending legal notifications to the Ministry of Finance, Ministry of Labor, Social Security Institution and all other institutions, implementation of occupational health and safety principles, fulfillment of legal obligations, determination of working conditions, management of services provided to employees within the company (food, shuttle bus, security, etc.), private health insurance policies, travel insurance, flight and hotel reservations for employees and their family members, opening bank accounts for salary payments, compulsory Individual Pension payments, social security premium payments, provision of scholarships offered to employees and following up procedures at the governmental offices.

Data processing purposes related to employees are given below :

  • Execution of Information Security Processes
  • Execution of Employee Satisfaction and Loyalty Processes
  • Fulfillment of Employment Contract and Legislative Obligations for Employees
  • Execution of Benefits and Processes for Employees
  • Conducting Audit / Ethical Activities
  • Conducting Training Activities
  • Execution of Access Authorizations
  • Execution of Activities in Compliance with the Legislation
  • Execution of Finance and Accounting Affairs
  • Providing Physical Venue Security
  • Execution of Assignment Processes
  • Follow-up and Execution of Legal Affairs
  • Planning of Human Resources Processes
  • Execution / Supervision of Business Activities
  • Execution of Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Process
  • Carrying out activities for Business Continuity
  • Execution of Performance Evaluation Processes
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Execution of Management Activities
  • Making Required Legal Notifications to Official Institutions, Benefiting from Incentives from Official Institutions, Notification to Relevant Authorities within the Scope of Inspections of Official Institutions
  • Execution of Human Resources Operations and Especially Personnel Activities
  • Ensuring Employee Supervision and Performing the Necessary Data Processing within the Scope of the Employer's Management Right Candidate Employees of the Company

As the data controller by the company processes and stores the particulars of the candidates received through the CVs submitted during job applications or the forms filled for that purpose (identity, contact, education, profession, wage, military status, employment history, references and any information obtained as a result of aptitude tests conducted through various departments to reveal the candidate's ability/performance) for 2 years in the automated systems or physical environments of the relevant company and in written format in order to establish a business relationship with the candidate employees. The aim here is to re-evaluate the candidate during this period and to keep them in the system for a certain period of time for a possible business relationship to be established. If a business relationship is not established with the candidate within this period, this data is destroyed in the first periodical destruction process at the end of the 2nd year. In case the candidate is recruited, this information is kept in the relevant personnel file.

If the company requires to obtain data on candidate’s health and criminal record, which are considered the information of special nature by the employee candidate in the application form, it must seek explicit consent of the employee candidate in order to process this information. The Company does not process any other special personal data of the candidates, except for the data of special nature in this text. For this reason, candidates are requested not to include this information in their resumes and application forms.

The general data processing purposes of employee candidates are listed below :

  • Carrying out Candidate Employees / Interns / Students Selection and Placement Processes
  • Carrying out Application Processes of Employee Candidates
  • Carrying out Human Resources Operations, Personnel Supply and Recruitment Processes
  • Ensuring Business Continuity, Conducting Business Activities and Ensuring Physical Space Security
  • Using the Data as Evidence in Disputes
  • Executing Management Activities Visitors of the Company

The company processes personal data, of the natural persons during their visits to the Company's facilities to ensure the safety of the visitors and the company, through visitors logs and recordings of the security cameras. This personal data is not shared with third parties in any way other than being mandatory for the performance of the contract, legal obligations and written requests of the public authority. Necessary legal warnings and notifications in this regard are stated at the workplace entrances and in the clarification text on the website.

In this regard, for the purpose of ensuring security by the Company and for other purposes specified in this Policy; visitors may be granted internet access by the Company if they request it during their visits in the building and facilities. These log records are subject to the Law 5651 and relevant regulations and are only shared with those concerned when requested by authorized public institutions and organizations or during audits to be carried out within the Company.

The purposes of data processing in this area are stated below:

  • Execution of Information Security Processes
  • Creating and Tracking Visitor Records
  • Ensuring Physical Venue Security
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Ensuring the Security of Data Controller Operations
  • Providing Internet Access and Access Security
  • Execution of Audit and Security Activities Business Partners and Suppliers of the Company

Within the scope of the business activities carried out by the Company, personal information (Identity, contact data, financial data, Signature) of natural or legal persons, merchants and tradesmen with whom the company has business relations are processed. These personal data are processed for the establishment and performance of our contracts in accordance with the principles stipulated in Article 5 of the Law in the meaning of legal obligations and interests of the company. Personal data of the Suppliers and Business Partners are directly collected by the company in electronic environment.

Data processing purposes;

  • Carrying out Contract Processes
  • Carrying out Finance and Accounting Affairs
  • Executing and following up Responsibilities and Legal Processes Arising from the Legislation
  • Carrying out Company Internal Operations
  • Strategy Planning & Partners/Supplier Management
  • Ensuring Physical Space Security
  • Execution of Logistics Activities
  • Managing Supply Chain Management Processes
  • Retention of Your Information Required by Relevant Legislation
  • Copying and Backing Up for the Prevention of Information Loss
  • Controlling the Consistency of Your Information
  • Taking Necessary Technical and Administrative Measures for the Security of Our Databases and Information


4.1. Persons/Recipients to whom Personal Data will be transferred

The Company may transfer the personal data of the relevant persons within the scope of the Policy and in accordance with the principles set forth in the KVK Law, in particular Articles 8 and 9 of the KVK Law to the following groups of persons for the purposes specified in the table above :

  • To our suppliers and business partners for the supply or delivery of the goods and services offered to the relevant persons,
  • To our business partners, supplier companies, banks, financial institutions with whom we cooperate and/or receive services for the presentation, promotion and similar purposes of the goods,,
  • To agencies and organizations from which we receive services for the management of our website and social media accounts,
  • To lawyers, auditors, consultants and service providers,
  • To your attorneys, guardians and representatives authorized by you,
  • To Institutions or organizations authorized to request your personal data, such as regulatory and supervisory institutions, courts and enforcement offices, and persons designated by them,
  • To other third parties in accordance with the data transfer terms.

4.2. Purposes of Personal Data Transfer

Your Personal Data can be transferred to the persons in the following categories governed by the policy in accordance with the law for the following purposes:


Business Partner : Parties with whom the Company has established business partnerships to execute commercial activities, It can be used on a limited basis to establish the business partnership.

Supplier : Parties providing services to the Company on a contractual basis, in accordance with the Company's orders and instructions, It can be used on a limited basis to ensure that the services that the Company outsources from the supplier and that are necessary to carry out the Company's business activities such as as Banks, Insurance companies, Travel Agencies, Event Agencies, Service, Cargo, Training Companies, companies engaged for sending SMS and E-mail.

Affiliates : Companies in which the Company a shareholder,It can be used on a limited basis to ensure the execution of commercial activities that require the participation of the Company's affiliates.

Company Stakeholder :Company’s shareholders, It can be used on a limited basis to carry out the activities by the Company within the scope of companies act, event management and corporate communication processes.

Company Officials : Natural Persons authorized to sign, It can be used on a limited basis to design strategies for the company's commercial activities, ensure the highest level of management and to audit the processes.

Legally authorized public institutions and organization : Public institutions and organizations authorized to receive information and documents of the Company in accordance with the provisions of the relevant legislation, It can be used on a limited basis as may be requested by the relevant public institutions and organizations within their jurisdiction.

Legally authorized Private Persons : Private persons authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation, It can be used on a limited basis as may be requested by the legally authorized private persons.


Without prejudice to the provisions in other laws regarding erasure, destruction and anonymization personal data, the Company, shall erase, destruct or anonymize the personal data, ex officio or upon demand by the data subject, upon disappearance of reasons which required the process despite being processed under the provisions of this Law and other related laws.

The Company retains Personal Data for the period specified in this legislation, if stipulated. If a period of time is not regulated in the legislation regarding how long personal data should be stored, the Personal Data is processed for a period of time that requires it to be processed in accordance with the practices of the Company and the practices of the business life, depending on the activity carried out while processing that data. Pursuant to Article 7 of the Law, It is deleted, destroyed or anonymized ex officio or upon the demand by the data subject, in accordance with the guidelines published by the KVK (Personal Data Protection Council).

The Company has prepared and published a DESTRUCTION POLICY in which personal data destruction procedures are set forth. All destruction process is carried out in accordance with this policy.


The company, in accordance with Article 12 of the Law, takes all necessary technical and administrative measures to provide a sufficient level oof security in order to prevent unlawful processing, unlawful access to personal data and ensure the retention of personal data and conduct necessary inspections or have them conducted in the organization.

The Company takes technical and administrative measures according to technological possibilities and implementation cost in order to ensure that personal data is processed in accordance with the law.

6.1. Ensuring Personal Data Security

6.1.1. Technical and Administrative Measures Taken for Lawful Processing of the Personal Data

(i) Technical measures Taken for Lawful Processing of Personal Data

  • Access and authorization solutions are put into use within the framework of legal compliance requirements determined for each department within the company.
  • Access authorizations are limited and reviewed regularly.
  • The technical measures taken in accordance with the in-house operations are reported to the personnel authorized to access the databases, and the necessary technological solutions are produced by re-evaluating the risks.
  • Software and hardware including virus protection, security vulnerability and firewalls are installed.
  • Network security and application security are provided.
  • A closed system network is used for personal data transfers via the network.
  • Key management is implemented.
  • Technical personnel are employed.
  • All information systems, including the applications where personal data are collected, are regularly subjected to external impact tests to detect security vulnerabilities, and the flaws found are closed.
  • Personal data processing activities carried out within the company are regularly audited.
  • The technical measures taken are periodically reported to the committee in accordance with the internal audit mechanism.
  • An IT department has been established and qualified personnel are employed in this regard.
  • New technological developments are followed and technical measures are taken on systems, especially for cyber security, and the measures are periodically updated and renewed.
  • Personal data provisions are included the contracts the company executes with business partners and suppliers (contracts related to business activities that include personal data processing processes) or receives personal data protection undertakings in this regard.
  • The authorization of the company's employees is terminated in accordance with the law on the protection of personal data and the processing of personal data in accordance with the law
  • Current anti-virus systems are used.

(ii) Administrative Measures Taken for Lawful Processing of Personal Data

  • Supervision and management of the departments within the company regarding personal data security are organized by the IT department. Awareness is created to meet the legal requirements of the business departments, and necessary administrative measures are implemented through in-house policies, procedures and trainings to ensure the continuity of the implementation and supervision of these issues.
  • The employment contracts and related documents between the company and the employees, including information about personal data and data security, are recorded and additional protocols are executed. In this regard, studies to create the necessary awareness for the employees are carried out.
  • For each department within the company, legal compliance, access to personal data and authorization processes within the company are implemented, taking into account the personal data processing processes. (Access authorizations to databases containing personal data are provided and controlled by the IT and ERP support departments.)
  • The Company is informed and trained in accordance with the developments in business practices within the business relationship.
  • All personal data processing activities carried out by the Company in accordance with the personal data inventory and its annexes, created by analyzing all business departments in detail.
  • Personal data processing activities carried out by the relevant departments of the company; the obligations to be fulfilled to ensure that these activities comply with the personal data processing requirements under the KVKK Law are subject to written policies and procedures by the relevant companies, and each business department has been informed accordingly and the points of special consideration have been determined.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Awareness of data processing service providers on data security is ensured.


7.1. The rights of the Data Subject pursuant to the Personal Data Protection Law

The Company informs you of your rights in accordance with Article 10 of the Law and it provides guidance on how to exercise these rights and carries out the necessary administrative and technical arrangements accordingly. Pursuant to Article 11 of the Law, the company informs the Data Subjects whose Personal Data is retained that he has right;

  • To learn whether his personal data are processed or not,
  • To request information if his personal data are processed,
  • To learn the purpose of his data processing and whether this data is used for intended purposes,
  • To know the third parties to whom his personal data is transferred at home or abroad,
  • To request the rectification of the incomplete or inaccurate data, if any,
  • To request the erasure or destruction of his personal data under the conditions laid down in Article 7,
  • To request notification of the operations carried out in compliance with sub-paragraphs (d) and (e) of Article 11 of the Law to third parties to whom his personal data has been transferred,
  • To object to the processing exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for the data subject,
  • To request compensation for the damage arising from the unlawful processing of his personal data.

7.2. Use of Right by the Data Subject

Data Subjects may submit their requests regarding their rights listed in article (7.1.) of this Policy to the Company free of charge with identity documents, by filling out and signing the Application Form or by another written document of similar content, using the methods specified below or other methods determined by the KVK Board.

(i) After the application form is filled, a signed copy is delivered to the address of Eski London Asfaltı NO:92/1F 34535 Mimarsinan Büyükçekmece Istanbul by hand or by registered mail,(ii) After the application form is filled, a signed copy is forwarded to, through e-mail address previously notified to the company by the applicant and registered in the company systems ,(iii)After the application form is filled and signed with your “secure electronic signature” within the scope of Electronic Signature Law No. 5070, secure electronic signature form is forwarded to via registered e-mail.

In order for third parties to request an application on behalf of Data Subjects, a special power of attorney issued through a notary public must be presented on behalf of the applicant.

7.3. Procedure and Time to Respond to Applications

In case the Data Subject submits their requests regarding their Personal Data to the Company in writing (in accordance with the communiqué published by the KVK Board), the Company, as the data controller, carries out the necessary processes as soon as possible to ensure that it is finalized within thirty (30) days at the latest in accordance with Article 13 of the KVK Law, depending on the nature of the request.

The company may request information to determine whether the applicant is the owner of the Personal Data subject to the application within the scope of ensuring data security. The Company may also ask questions about the application of the Data Subject to ensure that the application is concluded accordingly.

In cases where application of the Data Subject possibly hinders the rights and freedoms of other persons, requires disproportionate effort, and the information is publicly available, the request may be rejected by the Data Controller by explaining the reason.


The Company reserves the right to make changes in this Policy and other related policies when there is any amendment in the law in accordance with the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics.

Any amendments to this Policy are immediately processed in the text and explanations regarding the amendment are given at the end of the Policy.


02/04/2018 : The Policy on Processing and Protection of Personal Data has been published.

01/05/2021 : The Policy on Processing and Protection of Personal Data has been updated in the light of current developments.


Eski Londra Asfaltı NO:92/1F 34535 Mimarsinan Büyükçekmece Istanbul Türkiye

Telefon +90 (212) 863 46 80 pbx /

Mersis No: 278895437666139