Information Text Regarding Personal Data
CONTENTS
CHAPTER 1– INTRODUCTION
1.1. INTRODUCTION
1.2. PURPOSE OF THE POLICY
1.3. OBJECTIVE AND SCOPE
1.4. IMPLEMENTATION OF POLICY AND RELATED LEGISLATION
1.5. ENFORCEMENT OF THE POLICY
CHAPTER 2 - ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
2.1. ENSURING THE SECURITY OF PERSONAL DATA
2.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
2.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
2.1.3. Storing Personal Data in Secure Environments
2.1.4. Audit of Measures Taken for the Protection of Personal Data
2.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
2.2. PROTECTING THE RIGHTS OF THE DATA SUBJECT; CREATING CHANNELS TO TRANSMIT THESE RIGHTS TO OUR COMPANY AND EVALUATING THE REQUESTS OF DATA SUBJECTS
2.3. PROTECTION OF SPECIAL NATURE PERSONAL DATA
2.4. INCREASING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
2.5. INCREASING THE AWARENESS AND SUPERVISION OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
CHAPTER 3 – ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN THE LEGISLATION
3.2. PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE PDPL AND LIMITED TO THESE CONDITIONS
3.3. INFORMATION AND ENLIGHTMENT OF PERSONAL DATA OWNERS
3.4. PROCESSING OF SPECIAL NATURE PERSONAL DATA
3.5. TRANSFER OF PERSONAL DATA
3.6. TRANSFER OF PERSONAL DATA ABROAD
4. CHAPTER 4 – CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PROCESSING PURPOSES AND STORAGE PERIOD
4.1. CLASSIFICATION OF PERSONAL DATA
4.2. PURPOSES OF PROCESSING PERSONAL DATA
4.3. STORAGE PERIOD OF PERSONAL DATA
5. CHAPTER 5 – CATEGORIZATION OF THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY
6. CHAPTER 6 – THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
7. CHAPTER 7 - PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW
Our company informs personal data owners about the personal data it processes in accordance with Article 10 of the Personal Data Protection Law.
7.1. PROCESSING OF PERSONAL DATA AND SPECIAL NATURE PERSONAL DATA
8. SECTION 8 – PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDINGS, FACILITIES, AND WITHIN BUILDINGS AND FACILITIES, AND WEBSITE VISITORS
8.1. CAMERA MONITORING ACTIVITY CONDUCTED AT THE ENTRANCES AND INSIDE THE LE MABELLE BUILDING AND FACILITY
8.2. MONITORING OF GUEST ENTRANCES AND EXITS AT AND WITHIN THE LE MABELLE BUILDING AND FACILITY ENTRANCES
8.3. STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO OUR VISITORS IN LE MABELLE BUILDINGS AND FACILITIES
8.4. WEBSITE VISITORS
CHAPTER 9 – CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although our Company has processed personal data in accordance with the relevant legal provisions as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data is deleted, destroyed or anonymized based on our Company's own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated.
9.1. LE MABELLE'S OBLIGATION TO DELETE, DESTROY AND ANONYMIZE PERSONAL DATA
9.2. TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
10. CHAPTER 10 – RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY OF EXERCISE AND EVALUATION OF THESE RIGHTS
Our Company informs personal data owners of their rights in accordance with Article 10 of the Personal Data Protection Law, guides personal data owners on how to exercise these rights, and carries out the necessary channels, internal operations, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to assess the rights of personal data owners and provide the necessary information to personal data owners.
10.1. RIGHTS OF THE DATA OWNER AND EXERCISE OF THESE RIGHTS
10.2. LE MABELLE'S RESPONSES TO APPLICATIONS
10.2.1. Our Company's Procedure and Timeframe for Responding to Applications
10.2.2. Information Our Company May Request from the Applicant Personal Data Owner
10.2.3. Our Company's Right to Reject the Application of the Personal Data Owner
11. CHAPTER 11 – RELATIONSHIP OF THE COMPANY’S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
12. CHAPTER 12 – COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY GOVERNANCE STRUCTURE
ANNEX-1 DEFINITIONS
ANNEX-2 PROCESSING OF PERSONAL DATA OF EMPLOYEE CANDIDATES
Le Mabelle Textile Limited Company (hereinafter referred to as “Le Mabelle” or “Company”) is aware of the impact of the protection of personal data, which is a constitutional right, on the conduct of business relationships based on trust.
In this regard, our Company has made available to those concerned the Personal Data Processing and Protection Policy ("Policy"), which serves as a guide for our Company to fulfill its obligations regarding the protection and processing of personal data in accordance with the law.
Personal Data Protection Law No. 6698 (hereinafter referred to as the "PDPL Law") forms the basis for this Policy. Ensuring compliance with legal regulations regarding the protection of personal data, especially the PDPL Law, is among our Company's priorities.
In this context, Le Mabelle takes the necessary administrative and technical measures to protect personal data processed in accordance with relevant legislation. This Policy will provide detailed explanations of the fundamental principles Le Mabelle has adopted in the processing of personal data, as listed below:
Processing personal data in accordance with the law and rules of integrity,
Keeping personal data accurate and up-to-date when necessary,
Processing personal data for specific, clear and legitimate purposes,
Processing personal data in a way that is relevant, limited and proportionate to the purpose for which they are processed,
Keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
Enlightening and informing personal data owners,
Establishing the necessary system for personal data owners to exercise their rights,
Taking necessary measures to protect personal data,
Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board when transferring personal data to third parties in line with the requirements of the processing purpose,
Demonstrating due sensitivity to the processing and protection of special personal data.
The main purpose of this Policy is to provide explanations regarding the personal data processing activities carried out by Le Mabelle in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company, especially our customers, potential customers, job candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.
By publishing this Policy, Le Mabelle aims to provide the necessary information regarding the personal data processing activities it carries out and thus to ensure that these activities are carried out in accordance with the legislation and in a transparent manner.
In addition to determining the conditions for processing personal data, the policy sets out the basic principles adopted by Le Mabelle in the processing of personal data.
The scope of this Policy includes all personal data of our customers, potential customers, job candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and other third parties, processed by automatic means or non-automatic means provided that it is part of any data recording system.
Issues regarding the protection and processing of personal data of Le Mabelle employees are within the scope of the Personal Data Processing and Protection Policy.
Relevant applicable legal regulations regarding the processing and protection of personal data will be the primary application. In the event of any inconsistency between the applicable legislation and the Policy, our Company acknowledges that the applicable legislation will prevail.
The policy was created by concretizing and organizing the rules set forth in relevant legislation within the scope of Le Mabelle practices. Our company is implementing the necessary systems and preparations to comply with the effective periods stipulated in the Personal Data Protection Law.
This Policy, issued by our Company, is dated September 1, 2022. If the entire Policy or certain articles are renewed, the effective date of the Policy will be updated.
The Policy is published on our Company's website ( www.lemabelle.com ) and is made available to the relevant persons upon request of personal data owners.
In accordance with Article 12 of the Personal Data Protection Law, our Company takes the necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data, and to ensure the preservation of data, and to ensure the appropriate level of security, and to carry out or have carried out the necessary audits within this scope.
- ENSURING THE SECURITY OF PERSONAL DATA
- Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
Our company takes technical and administrative measures, in accordance with technological possibilities and implementation costs, to ensure that personal data is processed in accordance with the law.
The main technical measures taken by our company to ensure the lawful processing of personal data are listed below:
- Personal data processing activities carried out within our company are audited by established technical systems.
- The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.
- Personnel knowledgeable in technical matters are employed.
The main administrative measures taken by our company to ensure the lawful processing of personal data are listed below:
- Employees are informed and trained about personal data protection law and the legal processing of personal data.
- All activities carried out by our company are analyzed in detail across all business units, and as a result of this analysis, personal data processing activities are revealed in terms of the commercial activities carried out by the relevant business units.
- The personal data processing activities carried out by our company's business units; the requirements to be fulfilled to ensure that these activities comply with the personal data processing conditions sought by Law No. 6698 are determined specifically for each business unit and the detailed activities it carries out.
- In order to ensure legal compliance requirements determined by our business units, awareness is raised and application rules are determined specifically for the relevant business units; the necessary administrative measures to ensure the control and continuity of these matters are implemented through in-company policies and training.
- The contracts and documents governing the legal relationship between our Company and employees include clauses that impose obligations not to process, disclose or use personal data, except for the Company's instructions and exceptions stipulated by law, and employee awareness is raised and audits are carried out on this issue.
Our company takes technical and administrative measures, taking into account the nature of the data to be protected, technological possibilities and implementation costs, to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access of personal data.
The main technical measures taken by our company to prevent unlawful access to personal data are listed below:
- Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
- Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
- The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
- Software and hardware including virus protection systems and firewalls are installed.
- Personnel knowledgeable in technical matters are employed.
The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:
- Employees are trained on technical measures to prevent unlawful access to personal data.
- Personal data access and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
- Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law and cannot use it for purposes other than those for which it was processed, and that this obligation will continue after they leave their job, and the necessary commitments are obtained from them in this regard.
- Provisions are added to the contracts concluded by our company with the persons to whom personal data is lawfully transferred, stating that the persons to whom personal data is transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
Our company takes the necessary technical and administrative measures, in accordance with technological possibilities and implementation costs, to store personal data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.
The main technical measures taken by our company to store personal data in secure environments are listed below:
- Systems compatible with technological advancements are used to store personal data in secure environments.
- Personnel specialized in technical matters are employed.
- Technical security systems are established for storage areas, technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism, and risky issues are re-evaluated and the necessary technological solutions are produced.
- Backup programs are used in accordance with the law to ensure the safe storage of personal data.
The main administrative measures taken by our company to store personal data in secure environments are listed below:
- Employees are trained to ensure that personal data is stored securely.
- In the event that our company outsources services to the storage of personal data due to technical requirements, the contracts concluded with the relevant companies to which personal data is lawfully transferred shall include provisions stipulating that the persons to whom personal data is transferred shall take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
Our Company conducts or commissions the necessary internal audits in accordance with Article 12 of the Personal Data Protection Law. The results of these audits are reported to the relevant department within the scope of the Company's internal operations, and necessary actions are taken to improve the measures taken.
Our company operates a system that ensures that, in the event that personal data processed in accordance with Article 12 of the Personal Data Protection Law is obtained by others through illegal means, this situation is notified to the relevant personal data owner and the Personal Data Protection Board as soon as possible.
If deemed necessary by the KVK Board, this situation may be announced on the KVK Board's website or by another method.
- PROTECTING THE RIGHTS OF THE DATA SUBJECT; CREATING CHANNELS TO TRANSMIT THESE RIGHTS TO OUR COMPANY AND EVALUATION OF THE REQUESTS OF DATA SUBJECTS
Our company carries out the necessary channels, internal operations, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
If personal data owners submit their requests regarding the rights listed below to our company in writing, our company will process the request as quickly as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires additional costs, our institution may charge the fee set by the Personal Data Protection Board.
If personal data subjects submit their requests regarding the rights listed below to our Company in writing, our Company will process the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires additional costs, our Company will charge the fee set by the Personal Data Protection Board. Personal data subjects;
- Learning whether personal data is being processed,
- To request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
- To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
- To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of any damage caused by the unlawful processing of personal data, the person has the right to demand compensation for the damage.
More detailed information about the rights of data owners is included in Section 10 of this Policy.
With the Personal Data Protection Law, special importance and specialty have been given to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully.
These data include data regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Our Company is meticulous in protecting sensitive personal data, which is designated as "special" by the Personal Data Protection Law and processed in accordance with the law. In this context, our Company diligently implements the technical and administrative measures taken to protect personal data, and necessary controls are maintained within Le Mabelle.
Detailed information regarding the processing of special categories of personal data is included in Section 3 of this Policy.
Our company organizes the necessary training for business units to raise awareness about preventing the unlawful processing of personal data, unlawful access to data, and ensuring the preservation of data.
- INCREASING AWARENESS AND SUPERVISION OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our institution provides necessary information to its business partners to prevent the unlawful processing of personal data, to prevent unlawful access to data, and to raise awareness about data protection. The agreements, protocols, and confidentiality agreements between business partners and the institution include references to the warnings and cautions required under Personal Data Protection Law (KVK) legislation.
Users authorized to access and process Personal Data are continuously trained and made aware of the necessity of security of information systems and networks and what they can do to increase security.
All users are aware that they are jointly responsible for the security of the information systems components and personal data they use.
In accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, our company processes personal data in accordance with the law and principles of integrity; accurately and, where necessary, up-to-date; and for specific, clear, and legitimate purposes; and in a purpose-related, limited, and proportionate manner. Our company retains personal data for the period stipulated by law or required for the purpose of processing personal data.
In accordance with Article 20 of the Constitution and Article 5 of the Personal Data Protection Law, our company processes personal data based on one or more of the conditions in Article 5 of the Personal Data Protection Law regarding the processing of personal data.
In accordance with Article 20 of the Constitution and Article 10 of the Personal Data Protection Law, our company informs personal data owners and provides the necessary information when personal data owners request information.
Our company acts in accordance with the regulations regarding the processing of special personal data in accordance with Article 6 of the Personal Data Protection Law.
Our company acts in accordance with the regulations stipulated in the law and set forth by the Personal Data Protection Board regarding the transfer of personal data, in accordance with Articles 8 and 9 of the Personal Data Protection Law.
Our Company acts in accordance with the principles set forth in legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes proportionality into account in the processing of personal data and does not use personal data for purposes other than those required.
Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. It takes the necessary measures to this end. For example, Le Mabelle has established a system for personal data owners to correct and verify the accuracy of their personal data. Detailed information on this topic is provided in Section 10 of this Policy.
Our company clearly and precisely defines its legitimate and lawful purposes for processing personal data. Our company processes personal data only to the extent necessary for and in connection with the services it provides. The purposes for which personal data will be processed by our company are determined before any personal data processing activity begins.
Our company processes personal data in a manner that enables it to achieve its designated purposes and avoids processing personal data that is not relevant or necessary to achieve these purposes. For example, we do not process personal data to meet potential needs that may arise later.
- Preservation for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
Our Company retains personal data only for the period specified in relevant legislation or necessary for the purpose for which it is processed. In this context, our Company first determines whether relevant legislation stipulates a retention period for personal data. If so, it complies with this period. If no such period is specified, it retains personal data for the period necessary for the purpose for which it is processed. Upon expiration of this period or the elimination of the reasons requiring processing, our Company deletes, destroys, or anonymizes personal data. Our Company does not retain personal data for potential future use. Detailed information on this matter is provided in Section 9 of this Policy.
The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only by law, without prejudice to their essence, and solely for the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases prescribed by law or with the individual's explicit consent. Accordingly, and in accordance with the Constitution, our Company processes personal data only in cases prescribed by law or with the individual's explicit consent. Detailed information on this subject is provided in Section 7 of this Policy.
In accordance with Article 10 of the Personal Data Protection Law, our Company provides information to data subjects when collecting personal data. In this context, we provide information on the identity of Le Mabelle and its representative, if any, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of data subjects. Detailed information on this subject is provided in Section 10 of this Policy.
Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning them. Accordingly, Article 11 of the Personal Data Protection Law lists the right to "request information" among the rights of personal data owners. In this context, our Company provides the necessary information when a personal data owner requests information, in accordance with Articles 20 of the Constitution and 11 of the Personal Data Protection Law. Detailed information on this subject is provided in Section 10 of this Policy.
Our company strictly abides by the regulations stipulated in the Personal Data Protection Law when processing personal data designated as "special categories" by the Personal Data Protection Law.
Article 6 of the Personal Data Protection Law identifies certain personal data as "special categories" if it is processed unlawfully and carries a risk of causing victimization or discrimination. This data includes data related to race, ethnicity, political views, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.
In accordance with the Personal Data Protection Law, our Company processes special personal data in the following cases, provided that adequate measures are taken, as determined by the Personal Data Protection Board:
- If the personal data owner has explicit consent, or
- If there is no explicit consent of the personal data owner;
- Special personal data, other than the health and sexual life of the personal data owner, in cases prescribed by law,
- Sensitive personal data regarding the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
Our Company may transfer personal data and special categories of personal data to third parties (third-party companies, group companies, third-party natural persons, and abroad) by taking the necessary security measures (See Section II/Heading 1) in line with the lawful purposes for processing personal data. In this regard, our Company complies with the regulations stipulated in Article 8 of the Personal Data Protection Law. Detailed information on this subject is provided in Section 6 of this Policy.
1. Transfer of Personal Data
Our company may transfer personal data to third parties in line with legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
- If the personal data owner has explicit consent;
- If there is a clear regulation in the law regarding the transfer of personal data,
- If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to give his consent due to actual impossibility or if his consent is not legally valid;
- If it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or execution of a contract,
- If personal data transfer is mandatory for our company to fulfill its legal obligations,
- If personal data has been made public by the personal data owner,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
2. Transfer of Special Personal Data
Our company, by taking due care, necessary security measures (See Section 2/Heading 2.1) and taking adequate measures prescribed by the Personal Data Protection Board, may process the personal data of the personal data owner in line with legitimate and lawful personal data processing purposes in the following cases:
- If the personal data owner has explicit consent, or
- If there is no explicit consent of the personal data owner;
- Personal data of a personal nature other than the data subject's health and sexual life ( data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data ), in cases stipulated by law,
- Sensitive personal data regarding the health and sexual life of the personal data owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.
may be transferred to third parties.
6. TRANSFER OF PERSONAL DATA ABROAD
Our Company may transfer personal data and special categories of personal data to third parties by taking the necessary security measures (See Section 2/Heading 2.1) in accordance with its lawful personal data processing purposes. Our Company transfers personal data to foreign countries that have been declared adequately protected by the Personal Data Protection Board ("Foreign Countries with Adequate Protection") or, if inadequate protection is not provided, to foreign countries where the data controllers in Türkiye and the relevant foreign country have undertaken, in writing, to provide adequate protection and where the Personal Data Protection Board has granted its consent ("Foreign Countries with a Data Controller Undertaking Adequate Protection"). In this regard, our Company complies with the regulations stipulated in Article 9 of the Personal Data Protection Law. Detailed information on this subject is provided in Section 6 of this Policy.
Our company may transfer personal data to Foreign Countries Where Data Controllers Have Adequate Protection or Promise Adequate Protection, in line with legitimate and lawful personal data processing purposes, if the personal data owner has given their explicit consent, or if there is no explicit consent from the personal data owner, in the event of one of the following situations:
- If there is a clear regulation in the law regarding the transfer of personal data,
- If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to give his consent due to actual impossibility or if his consent is not legally valid;
- If it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or execution of a contract,
- If personal data transfer is mandatory for our company to fulfill its legal obligations,
- If personal data has been made public by the personal data owner,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
Our company may transfer the personal data owner’s special data to Foreign Countries Where the Data Controller Has Sufficient Protection or Promises Sufficient Protection, in line with the legitimate and lawful personal data processing purposes, by showing due care, taking the necessary security measures (See Section 2/Heading 2.1) and taking the adequate measures prescribed by the Personal Data Protection Board, in the following cases.
- If the personal data owner has explicit consent, or
- If there is no explicit consent of the personal data owner;
- Personal data of a personal nature other than the data subject's health and sexual life ( data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data ), in cases prescribed by law,
- Sensitive personal data regarding the health and sexual life of the personal data owner may only be processed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
- CHAPTER 4 – CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PROCESSING PURPOSES AND STORAGE PERIOD
In accordance with Article 10 of the Personal Data Protection Law, our company informs the personal data owner of which personal data owner groups it processes, the purposes of processing the personal data of the personal data owner, and the retention periods upon request.
1. CLASSIFICATION OF PERSONAL DATA
In accordance with Article 10 of the Personal Data Protection Law, our Company processes personal data in the following categories, limited to the periods covered by this Policy, based on one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law, and in accordance with all obligations stipulated in the Personal Data Protection Law, particularly the principles stipulated in Article 4 of the Personal Data Protection Law regarding the processing of personal data. The data subjects to whom the personal data processed in these categories are related are also specified in Section 5 of this Policy.
PERSONAL DATA CLASS |
PERSONAL DATA CLASSIFICATION |
Identity Information |
All information that clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; and included in valid official documents with photographs such as a driver's license, identity card, passport. |
Contact Information |
Information such as telephone number, address, e-mail, which clearly belongs to an identified or identifiable natural person and is processed partially or fully automatically or non-automatically as part of a data recording system. |
Location Data |
Information that clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; and identifies the location of the personal data owner while using our products and services or while our employees and employees of institutions we collaborate with are using the Institution's vehicles. |
Customer Information |
Information that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework. |
Family Members and Relatives Knowledge |
Information about the family members and relatives of the personal data owner, which is clearly related to an identified or identifiable natural person and is included in the data recording system; information about the products and services we offer or to protect the legal interests of the Institution and the data owner. |
Customer Business Information |
Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; records regarding the use of our products and services, and the instructions and requests required for the customer to use the products and services. |
Physical Space Security Knowledge |
Personal data related to records and documents taken at the entrance to the physical location and during the stay in the physical location, which are clearly related to an identified or identifiable natural person and are included in the data recording system. |
Transaction Security Information |
Your personal data, which clearly belongs to an identified or identifiable natural person and is included in the data recording system, is processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities. |
Risk Management Information |
Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; processed through methods used in accordance with generally accepted legal, commercial practices and the rule of integrity in these areas in order to manage our commercial, technical and administrative risks. |
Financial Information |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; Processed personal data related to information, documents and records showing all kinds of financial results created according to the type of legal relationship that the Institution has established with the personal data owner. |
Personal Information |
All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed to obtain information that will form the basis for the establishment of the personal rights of our employees or natural persons who have a working relationship with the Institution. |
Candidate Employee Information |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed personal data related to individuals who have applied to become employees of the Institution or who have been evaluated as candidates for employment in line with the Institution's human resources needs in accordance with business practices and rules of integrity, or who have a working relationship with the Institution. |
Employee Process Information |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed in relation to any business-related transaction carried out by our employees or natural persons who have a business relationship with the Institution. |
Employee Performance and Career Development Information |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed for the purpose of measuring the performance of our employees or natural persons who have a working relationship with the Institution and planning and carrying out their career development within the scope of the Institution's human resources policy. |
Fringe Benefits and Rights Information |
Your personal data, which clearly belongs to an identified or identifiable natural person, is processed partially or fully automatically or non-automatically as part of the data recording system; to plan the fringe benefits and benefits we offer and will offer to employees or other natural persons who have a working relationship with the Institution, to determine the objective criteria for entitlement to these and to monitor entitlements to them. |
Legal Transactions and Compliance Information |
Your personal data, which clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed within the scope of determining and pursuing our legal receivables and rights, fulfilling our debts, and complying with our legal obligations and the Institution's policies. |
Audit and Inspection Information |
Your personal data, which clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed within the scope of the institution's legal obligations and compliance with the institution's policies. |
Special Personal Data |
Data clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; Data regarding a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special personal data. |
Marketing Information |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; processed for the marketing of our products and services by customizing them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of this processing. |
Request/Complaint Management Knowledge |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; related to the receipt and evaluation of any request or complaint directed to the Institution. |
Reputation Management Information |
Information collected for the purpose of protecting our company's commercial reputation, evaluation reports created accordingly, and information on the actions taken. |
Incident Management Information |
Personal data processed to take the necessary legal, technical and administrative measures against developing events to protect our company's commercial rights and interests and the rights and interests of our customers. |
Our company processes personal data limited to the purposes and conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 of the Personal Data Protection Law No. 6698. These purposes and conditions are as follows:
-
(The Institution's activity regarding the processing of your personal data is clearly stipulated in the Laws and within the framework of its legal obligations arising from the relevant legislation.)
- The processing of your personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
- The processing of your personal data is mandatory for our Company to fulfill its legal obligations,
- Provided that your personal data is made public by you, it will be processed by our Company in a limited way for the purpose of making it public,
- The processing of your personal data by our Company is necessary for the establishment, exercise or protection of the rights of our Company or you or third parties,
- It is necessary for our Company to process personal data for its legitimate interests, provided that it does not harm your fundamental rights and freedoms.
- If our company's personal data processing is necessary to protect the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to give his consent due to actual impossibility or legal invalidity,
- The processing of special personal data other than the health and sexual life of the personal data owner is prescribed by law,
- Sensitive personal data regarding the health and sexual life of the personal data owner are processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
Your personal and sensitive personal data in accordance with the personal data processing conditions explained above.
It may be processed by Le Mabelle for the following purposes.
MAIN PURPOSES |
SUB-OBJECTIVES |
Planning and Execution of Le Mabelle's Human Resources Policies and Processes |
1 - Planning and Management of Side Benefits and Benefits for Employees Execution, 2 - Planning and Execution of Human Resources Processes, 3 - Execution of Personnel Recruitment Processes, 4 - Corporate Communication Activities for Employees or Planning or Execution of Corporate Social Responsibility or Non-Governmental Organization Activities in which Employees Participate. 5 - Planning and Developing Talent - Career Development Activities Execution 6 - Employment Contract and/or Legislation-Related Disputes for Company Employees Fulfillment of Obligations 7 - Planning and Execution of Internal Orientation Activities 8 - Planning and Execution of Personnel Exit Procedures 9 - Wage Management 10 - Internal Appointment, Promotion and Termination Processes Planning and Execution 11 - Employee Performance Evaluation Processes Planning and Tracking 12 - Monitoring Employees' Work Activities or Working Hours and / or Audit 13 - Employee Satisfaction and/or Loyalty Processes Planning and Execution 14 - Planning Employee Wage Increases 15 - Planning and Execution of Employees' Information Access Authorizations 16 - Foreign Personnel Work and Residence Permit Procedures 17 - Planning and Execution of Processes Regarding Support for the Urgent Medical Needs of Employees and Employee Relatives 18 - Planning and Execution of Processes Regarding Employees' Union Membership 19 - Implementation of Disciplinary Practices Regarding Employees and Follow-up 20 - Information on Employees of Legally Authorized Public Institutions To be given 21 - Execution and Monitoring of Employment and Personnel Processes 22 - Collecting Employees' Complaints, Requests or Suggestions and Evaluation 23 - Human Resources Required for Production and Organization Determining and Meeting Needs 24 - Planning and execution of personnel processes for subcontractor employees 25 - Human Resources Required for Production and Organization Determining and Meeting Needs 26 - Planning and/or Execution of In-Company Training Activities 27- Planning and Management of Organizations and Events |
Carrying out the necessary work and related business processes by our relevant business units to carry out the commercial activities carried out by Le Mabelle . |
1 - Monitoring of Finance and Accounting Affairs, 2 - Planning and Ensuring Business Continuity Activities Execution, 3 - Planning, Auditing and Execution of Information Security Processes, 4 - Creating and Managing Information Technologies Infrastructure, 5 - Planning and Execution of Corporate Communication Activities, 6 - Planning and Execution of Logistics Activities 7 - Business Partners and Suppliers' Access to Information Planning and Execution, 8 - Organization and event management, 9 - Planning and Execution of Business Activities, 10 - Planning and Execution of Supply Chain Management Processes, 11 - Planning and Execution of Corporate Governance Activities, 12 - Effectiveness/Efficiency and Appropriateness Analysis of Business Activities Planning and Execution of Realization Activities, 13 - Planning and Execution of Corporate Sustainability Activities, 14 - Planning and Monitoring of Building and/or Construction Works, 15 - Planning and Execution of Production and/or Operation Processes, |
Planning and Execution of Le Mabelle's Commercial and Business Strategies |
|
Our Business Units Perform Necessary Work and Execute Relevant Business Processes to Benefit the Relevant Persons from the Products and Services Offered by Le Mabelle |
1 - Monitoring of Contract Processes and/or Legal Requests, 2 - Planning and Sales Processes of Products and/or Services Execution, 3 - Planning and Execution of Customer Relationship Management Processes, 4 - Planning and/or Execution of After-Sales Support Services Activities, 5 - Collecting Customer Complaints, Requests and Suggestions and Evaluation 6 - Planning and Execution of Additional Services that Support Sales 7 - Planning and Execution of Loyalty and Campaign Management Processes, |
Planning and Execution of Activities Necessary to Recommend and Promote the Products and Services Offered by Le Mabelle to the Relevant People by Customizing Them According to Their Tastes, Usage Habits and Needs |
1 - Planning and/or Implementing Customer Satisfaction Activities Execution, 2 - Planning and Execution of Marketing Processes of Products and/or Services 3 - Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services, 4 - Planning and/or Execution of Processes to Create and/or Increase Loyalty to the Products and/or Services Offered by the Company |
Ensuring the legal, technical and commercial-business security of Le Mabelle and the relevant persons who have a business relationship with Le Mabelle |
1 - Planning and Execution of Company Audit Activities, 2- Providing Information to Authorized Institutions Regarding Legislation, 3- Planning and/or implementing Occupational Health and/or Safety Processes Execution, 4- Planning and/or Execution of the Company's Production and/or Operational Risk Processes, 5- Following up on legal affairs, 6- Creating and Tracking Visitor Records, 7- Ensuring the Security of Company Campuses and/or Facilities, 8- Management and/or Control of Relations with Subsidiaries 9- Ensuring the Security of Company Operations, 10- Security of Company Fixed Assets and/or Resources Procurement, 11- Planning and/or Execution of the Company's Financial Risk Processes, 12- Planning and Execution of Necessary Operational Activities to Ensure That Company Activities Are Carried Out in Compliance with Company Procedures and/or Relevant Legislation, 13- Ensuring that the data is accurate and up-to-date. 14- Planning and Execution of Emergency Management Processes 15- Carrying out corporate and partnership law transactions |
If the processing carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Personal Data Protection Law, your explicit consent is obtained by Le Mabelle for the relevant processing.
Our company stores personal data for the period specified in relevant laws and regulations, if stipulated in these regulations.
If legislation does not specify how long personal data must be stored, personal data will be processed for the period required by our Company's practices and business practices, depending on the services our Company offers while processing that data, and will then be deleted, destroyed, or anonymized. Detailed information on this matter is provided in Section 9 of this Policy.
If the purpose of processing personal data has expired, and the retention periods specified by relevant legislation and the company have expired, personal data may be retained solely as evidence in potential legal disputes or to assert or defend a relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right, as well as examples of previous requests submitted to our Company regarding the same matters despite the expiration of the statute of limitations. In such cases, stored personal data is not accessed for any other purpose and is only accessed when necessary in the relevant legal dispute. After the aforementioned period, personal data is deleted, destroyed, or anonymized.
Although our company processes the personal data of the personal data owner categories listed below, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.
Our employees' activities regarding the protection and processing of personal data will be evaluated under the Le Mabelle Employees Personal Data Processing and Protection Policy.
While the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside these categories may also direct their requests to our Company within the scope of the Personal Data Protection Law; their requests will also be evaluated within the scope of this Policy.
The concepts of customer, potential customer, visitor, employee candidate, shareholder, board member, real persons in the institutions we cooperate with and third parties related to these persons within the scope of this Policy are clarified below.
Personal Data Owner Category |
Description |
Customer |
Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company. |
Potential Customer |
Natural persons who have requested or shown interest in using our products and services or who have been assessed in accordance with commercial practices and rules of integrity to be likely to have such interest. |
Visitor |
Natural persons who have entered the physical premises of our company for various purposes or visited our websites. |
Third Party |
Third party natural persons related to these persons (e.g. Guarantor, Companion, Family Members and relatives) or other natural persons not covered by this Policy and L e Mabelle Employees Personal Data Protection and Processing Policy, in order to ensure the security of commercial transactions between our Company and the above-mentioned parties or to protect the rights of the said persons and to provide benefits. |
Employee Candidate |
Natural persons who have applied for a job in our company by any means or have made their resume and related information available for review by our company. |
Company Shareholder |
Our company's shareholders are real persons. |
Company Official |
Members of our company's board of directors and other authorized real persons |
Employees, Shareholders and Officials of Institutions We Collaborate With |
Natural persons working in institutions with which our company has any kind of business relationship (such as, but not limited to, business partners, suppliers), including shareholders and officials of these institutions. |
The table below details the above-mentioned categories of personal data owners and the types of personal data processed for those within these categories.
PERSONAL DATA CATEGORIZATION |
DATA SUBJECT CATEGORY TO WHICH THE RELEVANT PERSONAL DATA IS ASSOCIATED |
Identity Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
Contact Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
Location Data |
Customers, Employees, Employees of Institutions We Collaborate With |
Customer Information |
Customer |
Family Members and Relatives Information |
Customers, Visitors, Employee Candidates, Third Parties, Employees, Shareholders and Officials of Institutions We Collaborate With |
Customer Transaction Information |
Customer |
Physical Space Security Information |
Visitors, Company Officials, Employees, Shareholders and Officials of Institutions We Collaborate With |
Transaction Security Information |
Customers, Visitors, Third Parties, Company Officials, Employees, Shareholders and Officials of Institutions We Collaborate With |
Risk Management Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
Financial Information |
Customer, Employee, Company Shareholder, Company Official, Company Shareholder, Employees, Shareholders and Officials of Institutions We Collaborate With |
Personnel Information |
Employees, Shareholders and Officials of Institutions We Collaborate With |
Candidate Employee Information |
Employee Candidates, Employees of Institutions We Collaborate With |
Employee Process Information |
Employees of Institutions We Collaborate With |
Employee Performance and Career Development Information |
Employees of Institutions We Collaborate With |
Fringe Benefits and Rights Information |
Employees of Institutions We Collaborate With |
Legal Procedures and Compliance Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
Audit and Inspection Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
Special Personal Data |
Customer, Employee Candidate, Company Shareholder, Company Official, Employees, Shareholders and Officials of Institutions We Collaborate With |
Marketing Knowledge |
Customer, Potential Customer |
Request/Complaint Management Information |
Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of Institutions We Collaborate with, Third Parties |
- SECTION 6 – THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
Our company notifies the personal data owner about the groups of individuals to whom personal data is transferred in accordance with Article 10 of the Personal Data Protection Law.
In accordance with Articles 8 and 9 of the Personal Data Protection Law (See Section 3/Heading 3.5), our company may transfer customers' personal data to the following categories of persons:
- To business partners,
- To its suppliers,
- Advisors,
- To its shareholders,
- Community Companies
- Company officials,
- Legally Authorized public institutions and organizations
- To legally authorized private law persons
The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are stated below.
Persons to whom data may be transferred |
Definition |
Purpose of Data Transfer |
Business Partner |
Parties with which Le Mabelle establishes business partnerships in carrying out its commercial activities |
Limited sharing of personal data to ensure the fulfillment of the purposes for which the business partnership was established |
Supplier |
Identifies the parties that provide services to Le Mabelle. |
Limited to the purpose of ensuring that our Company provides the services that are outsourced to our supplier and necessary for the performance of our Company's commercial activities. |
Advisor |
Identifies the parties that provide advice to Le Mabelle on a contractual basis. |
Limited to the purpose of ensuring that Le Mabelle is properly provided with the consultancy services necessary to carry out its activities. |
Our shareholders |
Our shareholders are authorized to design strategies and audit activities related to our Company's commercial activities in accordance with the relevant legislation. |
Limited to the design of strategies and auditing purposes regarding our Company's commercial activities in accordance with the relevant legislation. |
Community Companies |
Le Mabelle companies |
Le Mabelle group of companies commercial activities that require participation carrying out its activities limited to providing |
Company officials |
Le Mabelle board chairman and members and other authorized real persons |
According to the relevant legislation provisions Limited to the design of strategies for Le Mabelle’s commercial activities, ensuring their management at the highest level and for auditing purposes |
Legally Authorized Public Institutions and Organizations |
Public institutions and organizations authorized to receive information and documents from our Company in accordance with the relevant legislation. |
Limited to the purpose requested by the relevant public institutions and organizations within their legal authority. |
Legally Authorized Private Law Persons |
Private legal entities authorized to receive information and documents from our Company in accordance with the relevant legislation. |
Limited to the purpose requested by the relevant private legal persons within their legal authority. |
In the transfers made by our Company, we act in accordance with the matters regulated in Sections 2 and 3 of the Policy.
- CHAPTER 7 - PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW
Our company informs personal data owners about the personal data it processes in accordance with Article 10 of the Personal Data Protection Law.
The data subject's explicit consent is only one of the legal bases enabling the lawful processing of personal data. In addition to explicit consent, personal data may also be processed if one of the conditions listed below is met. While the basis for processing personal data may be only one of the conditions listed below, more than one of these conditions may also be the basis for the same personal data processing activity. If the data being processed constitutes sensitive personal data, the conditions set forth in Section 7.1.2 below apply.
Although the legal bases for the processing of personal data by our company vary, all personal data processing activities are carried out in accordance with the general principles set out in Article 4 of Law No. 6698 (See Section 3.1.).
One of the conditions for processing personal data is the data subject's explicit consent. The data subject's explicit consent must be specific, informed, and freely given.
Personal data processing activities (secondary processing ) other than the processing purpose for which personal data is obtained (primary processing) are subject to at least one of the conditions set out in (ii), (iii), (iv), (v), (vi), (vii) and (viii) of this heading; if one of these conditions is not present, our Company carries out these personal data processing activities based on the explicit consent of the personal data owner for these processing activities.
In order for personal data to be processed based on the explicit consent of the personal data owner, explicit consent is obtained from customers, potential customers and visitors through relevant methods.
- Clearly Provided in Laws
The data owner's personal data may be processed in accordance with the law if it is clearly provided for in the law.
If the processing of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his consent due to a de facto impossibility or whose consent cannot be validated, the personal data of the data owner may be processed.
- Direct Interest in the Establishment or Execution of the Contract
Processing of personal data is possible if it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.
- The Company's Fulfillment of Its Legal Obligations
The personal data of the data owner may be processed if processing is necessary for our company to fulfill its legal obligations as the data controller.
If the data owner has made his/her personal data public, the relevant personal data may be processed.
If data processing is necessary for the establishment, exercise or protection of a right, the data subject's personal data may be processed.
Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
Our company processes special personal data in the following cases, provided that the data owner does not give his/her explicit consent and that adequate measures are taken, as determined by the Personal Data Protection Board:
- Special personal data, other than the health and sexual life of the personal data owner, in cases prescribed by law,
- Sensitive personal data regarding the health and sexual life of the personal data owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
- SECTION 8 – PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDINGS, FACILITIES, AND WITHIN BUILDINGS AND FACILITIES, AND WEBSITE VISITORS
Personal data processing activities carried out by our company at building facility entrances and within the facility are carried out in accordance with the Constitution, Law No. 5188 on Private Security Services , Law No. 6698 on Personal Data Protection Law and other relevant legislation.
In order to ensure security, our Company carries out personal data processing activities in order to monitor guest entries and exits through security cameras in our Company buildings and facilities.
Our Company carries out personal data processing activities by using security cameras and recording guest entries and exits.
In this context, our Company acts in accordance with the Constitution, the Personal Data Protection Law and other relevant legislation.
In this section, explanations will be made regarding our Company's camera monitoring system and information will be provided on how personal data, privacy and fundamental rights of the individual are protected.
Within the scope of its security camera monitoring activities, our company aims to improve the quality of the service provided, ensure its reliability, ensure the safety of the company, customers and other persons, and protect the interests of customers regarding the service they receive.
The camera monitoring activity carried out by our company is carried out in accordance with the Private Security Services Law No. 5188 and the relevant legislation.
- Conducting Surveillance Activities with Security Cameras in Accordance with Personal Data Protection Law
Our company complies with the regulations in the Personal Data Protection Law when conducting camera surveillance activities for security purposes .
Our company carries out security camera monitoring activities in order to ensure the security of its buildings and facilities, for the purposes stipulated in the law and in accordance with the personal data processing conditions listed in the Personal Data Protection Law.
Our company informs the personal data owner in accordance with Article 10 of the Personal Data Protection Law .
In this way, it is aimed to prevent any harm to the fundamental rights and freedoms of the personal data owner and to ensure transparency and enlightenment of the personal data owner.
Regarding the camera surveillance activity carried out by our Company, this Policy is published on our Company's website ( online Policy regulation ) and a notice stating that surveillance will be carried out is posted at the entrances of the areas where surveillance is carried out (on- site lighting ).
In accordance with Article 4 of the Personal Data Protection Law, our company processes personal data in a limited and proportionate manner, in connection with the purposes for which they are processed.
Our Company's purpose in conducting video camera surveillance is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, number of security cameras, and the timing of monitoring are limited to and sufficient to achieve security objectives. Areas where privacy may be violated beyond security objectives (e.g., restrooms) are not subject to monitoring.
In accordance with Article 12 of the Personal Data Protection Law, our company takes the necessary technical and administrative measures to ensure the security of personal data obtained through camera surveillance. (See Section 2/Heading 2.1)
Detailed information regarding the retention period of personal data obtained through camera surveillance by our Company is included in Article 4.3 of this Policy, titled "Personal Data Retention Periods."
- Who Can Access the Information Obtained as a Result of Monitoring and To Whom This Information Is Transferred
Only a limited number of Le Mabelle employees have access to the recordings, which are digitally recorded and maintained. Live camera footage is monitored by outsourced security personnel . A limited number of individuals with access to the recordings sign a confidentiality agreement, pledging to maintain the confidentiality of the data they access.
- MONITORING OF GUEST ENTRANCES AND EXITS CONDUCTED AT THE ENTRANCES AND INSIDE OF LE MABELLE BUILDINGS AND FACILITIES
Our Company carries out personal data processing activities to monitor guest entries and exits in Le Mabelle buildings and facilities, to ensure security and for the purposes specified in this Policy.
Personal data owners are informed of this information through the collection of names and surnames of guests visiting Le Mabelle buildings, or through texts posted on the Company's premises or otherwise made accessible to guests. Data obtained for the purpose of tracking guest entries and exits is processed solely for this purpose, and the relevant personal data is physically recorded in the data recording system.
- STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO OUR VISITORS IN LE MABELLE BUILDINGS AND FACILITIES
To ensure security and for the purposes specified in this Policy, our Company may provide internet access to Visitors who request it during their stay in our Buildings and Facilities. In this case, log records related to your internet access are recorded in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications and the mandatory provisions of the legislation issued pursuant to this Law. These records are processed only upon request by authorized public institutions and organizations or to fulfill our legal obligations during internal audits.
Only a limited number of Le Mabelle employees have access to the logs obtained within this framework. Company employees with access to these records do so only for the purposes of requests from authorized public institutions and organizations or for auditing purposes, and they share them with legally authorized individuals. These limited number of individuals with access to these records declare, through a confidentiality agreement, that they will maintain the confidentiality of the data they access.
Our company records the internet movements within the site using technical means (e.g., cookies) to ensure that visitors to these sites visit the sites in accordance with their purposes, to display customized content to them, and to engage in online advertising activities.
Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by our company are included in the “Le Mabelle's Personal Data Processing and Protection Policy on the Website, Information Security Policy” texts of the relevant websites.
Although our Company has processed personal data in accordance with the relevant legal provisions as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data is deleted, destroyed or anonymized based on our Company's own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated.
As regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data may be deleted, destroyed, or anonymized at our Company's discretion or upon the request of the data subject, even if processed in accordance with relevant legal provisions, if the reasons requiring processing no longer exist. In this context, our Company fulfills its obligations through the methods described in this section.
- TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
- Techniques for Deletion and Destroying Personal Data
Our Company may delete or destroy personal data, even if it has been processed in accordance with relevant legal provisions, at its own discretion or upon the request of the data owner, if the reasons requiring processing no longer exist. The most commonly used deletion or destruction techniques by our Company are listed below:
- Physical Destruction
Personal data may also be processed non-automatically, provided it is part of a data recording system. When such data is deleted/destroyed, a system is implemented to physically destroy the personal data so that it cannot be used later.
- Secure Deletion Softare
When data processed by fully or partially automatic means and stored in digital environments is deleted/destroyed, methods are used to delete the data from the relevant software in a way that it cannot be recovered again.
- Sending to a Specialist for Secure Deletion
In some cases, Le Mabelle may engage a professional to delete personal data on its behalf. In this case, the personal data will be securely deleted/destroyed by the professional so that it cannot be recovered.
Anonymizing personal data refers to rendering personal data incapable of being linked to an identified or identifiable natural person, even when matched with other data. Our company may anonymize personal data when the reasons requiring processing of legally processed personal data no longer exist.
In accordance with Article 28 of the Personal Data Protection Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Personal Data Protection Law, and the explicit consent of the data subject will not be required. Because anonymized and processed personal data falls outside the scope of the Personal Data Protection Law, the rights set forth in Section 10 of the Policy will not apply to this data.
The anonymization techniques most commonly used by our company are listed below.
Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.
Example: Transforming the personal data into a data set that makes it impossible to identify the personal data owner by removing information such as name, TR ID Number, etc. that enable the identification of the personal data owner. |
- Aggregation
With the data aggregation method, many data are aggregated and personal data is made unrelated to any person.
Example: Revealing that there are Z customers aged X without showing the ages of the customers one by one. |
- Data Derivation
With the data generation method, a more general content is created from the content of personal data and personal data is made unrelated to any person.
Example: Indicating ages instead of dates of birth; indicating the region of residence instead of the full address. |
- Data Shuffle (Data Shuffling, Permutation)
Data hashing method is used to break the connection between values and individuals by mixing the values in the personal data set.
Example: Changing the quality of voice recordings so that they cannot be associated with the data owner. |
- CHAPTER 10 – RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY OF EXERCISE AND EVALUATION OF THESE RIGHTS
Our Company informs personal data owners of their rights in accordance with Article 10 of the Personal Data Protection Law, guides personal data owners on how to exercise these rights, and carries out the necessary channels, internal operations, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to assess the rights of personal data owners and provide the necessary information to personal data owners.
Personal data owners have the following rights:
- Learning whether personal data is being processed,
- To request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
- To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
- To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
- To request compensation in case of damages due to unlawful processing of personal data.
Since the following situations are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of the Personal Data Protection Law, personal data owners cannot assert their rights listed in Article 10.1.1. regarding these matters:
- Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
In accordance with Article 28/2 of the Personal Data Protection Law, personal data owners cannot assert their other rights listed in 10.1.1., except for the right to demand compensation for damages, in the following cases:
- Processing personal data is necessary for the prevention of crime or criminal investigation.
- Processing of personal data made public by the personal data owner.
- The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
- The processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.
Personal data owners may submit their requests regarding their rights listed under heading 10.1.1 of this section to the Company by filling out the “Data Owner Application Form” available at www.lemabelle.com and submitting it with a wet signature or secure electronic signature.
It is not possible for third parties to make requests on behalf of personal data owners.
In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person who will make the application.
To exercise their rights, personal data owners must complete the "Data Subject Application Form Regarding Applications to be Made by the Relevant Person (Personal Data Subject) to the Data Controller Pursuant to Law No. 6698 on the Protection of Personal Data," linked above. This form also explains in detail the application method.
In accordance with Article 14 of the Personal Data Protection Law, if the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the personal data owner may file a complaint with the Personal Data Protection Board within thirty days from the date on which he/she learns of our Company's response and, in any case, within sixty days from the date of application.
If the personal data owner submits his/her request to our Company in accordance with the procedure in section 10.1.3 of this section, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
However, if the transaction requires an additional cost, our Company will charge the applicant a fee in the tariff determined by the Personal Data Protection Board.
Our company may request information from the relevant person in order to determine whether the applicant is the owner of personal data.
Our company may ask questions to the personal data owner regarding their application in order to clarify the issues included in the personal data owner's application.
Our company may reject the applicant's application by explaining the reason in the following cases:
- Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
- Processing personal data is necessary for the prevention of crime or criminal investigation.
- Processing of personal data made public by the personal data owner.
- The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
- The processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.
- The request of the personal data owner may interfere with the rights and freedoms of other persons.
- Requests have been made that require disproportionate effort.
- The requested information is publicly available information.
- CHAPTER 11 – RELATIONSHIP OF THE COMPANY’S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
The Company has established fundamental policies regarding the protection and processing of personal data, which are related to the principles set forth in this Policy. These policies are also linked to the Company's core policies in other areas, ensuring harmonization between the Company's processes operating under different policy principles for similar purposes.
Our company has established a governance structure to ensure compliance with the regulations of the Personal Data Protection Law and to ensure the enforcement of the Personal Data Protection and Processing Policy.
A "Data Controller Representative" has been appointed, pursuant to a decision by the Company's senior management, to manage this Policy and other policies related to and related to this Policy (See Section 11) within the Company. The duties of the Data Controller Representative are set out below.
- To prepare basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
- To decide how the policies regarding the Protection and Processing of Personal Data will be implemented and audited, and to submit the matters of assigning internal tasks and ensuring coordination within this framework to the approval of the senior management.
- To determine the matters that need to be done to ensure compliance with the Personal Data Protection Law and relevant legislation and to submit the necessary actions to the approval of the senior management; to oversee their implementation and to ensure coordination.
- To raise awareness within the Company and the institutions with which the Company cooperates regarding the Protection and Processing of Personal Data.
- To identify risks that may arise in the company's personal data processing activities and to ensure that the necessary measures are taken; to submit improvement suggestions for approval to senior management.
- To design and ensure the execution of training on the protection of personal data and the implementation of policies.
- To decide on the applications of personal data owners at the highest level.
- To coordinate the execution of information and training activities to ensure that personal data owners are informed about personal data processing activities and their legal rights.
- To prepare changes to the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
- To follow the developments and regulations regarding the Protection of Personal Data; to make recommendations to the senior management on what needs to be done within the Company in accordance with these developments and regulations.
- To coordinate relations with the Personal Data Protection Board and Institution.
- To carry out other duties assigned by the Company's senior management regarding the protection of personal data.
ANNEX-1 DEFINITIONS
Explicit Consent |
: |
Consent based on informed consent and expressed freely on a specific matter. |
Anonymization |
: |
It is the irreversible alteration of personal data in such a way that it loses its personal data character. For example, rendering personal data incapable of being associated with a natural person through techniques such as masking, aggregation, data corruption, etc. |
Employee Candidate |
: |
Natural persons who have applied for a job in our company by any means or have made their CV and related information available for review by our company. |
Employees, Shareholders and Officials of Institutions We Collaborate With |
: |
Natural persons working in institutions with which our company has any kind of business relationship (such as, but not limited to, business partners, suppliers), including shareholders and officials of these institutions. |
Processing of Personal Data |
: |
Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system. |
Personal Data Owner |
: |
Natural person whose personal data is processed. For example; customers and employees. |
Personal Data |
: |
Any information relating to an identified or identifiable natural person. Therefore, the processing of information relating to legal entities is not within the scope of the Law. For example, name-surname, Turkish ID No., e-mail, address, date of birth, credit card number, etc. |
Customer |
: |
Natural persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company. |
Special Personal Data |
: |
Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special data. |
Potential Customer |
: |
Natural persons who have requested or expressed an interest in using our products and services or who have been assessed in accordance with commercial practices and rules of integrity to be likely to have such an interest.
|
Company Shareholder |
: |
The shareholders of our company are real persons. |
Company Official |
: |
Member of our company's board of directors and other authorized real persons. |
Third Party |
: |
Third party real persons related to these persons (e.g. Guarantor, Companion, Family Members and relatives) in order to ensure the security of commercial transactions between our company and the above-mentioned parties or to protect the rights of the said persons and to provide benefits. |
Data Processor |
: |
A data controller is a natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. For example, a cloud computing company that stores our company's data, surveyors who have customers sign forms, a call center company that makes calls based on scripts , etc. |
Data Controller |
: |
The data controller is the person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system). |
Visitor |
: |
Natural persons who have entered the physical premises of our company for various purposes or visited our websites. |
ANNEX-2 PROCESSING OF PERSONAL DATA OF EMPLOYEE CANDIDATES
PERSONAL DATA OWNER |
COLLECTION AND PROCESSING OF PERSONAL DATA |
EXERCISE OF RIGHTS AND APPLICATION |
Employee Candidate |
Personal data of employee candidates collected during the recruitment process and special personal data collected according to the nature of the job are processed by our Company for the purposes specified in Sections 4.2 and 7 of the Policy and listed below:
Personal data of employee candidates can be collected through the following methods and means:
|
Job candidates may also submit their requests regarding their rights arising from their data ownership to our Company using the method described in Section 10 of this Policy. |
DELIVERY / RECEIPT FORM
As Le Mabelle Tekstil Limited Şirketi, in accordance with the KVKK numbered 6698 and in the capacity of the Data Controller, I hereby declare that I have been informed of the necessary information regarding your personal data within the framework explained in this booklet; and that I have read, understood and been informed about the processing and transfer of these data within the scope and purposes specified in the "Le Mabelle-Personal Data Processing and Protection Policy Booklet" delivered to me by hand, and that they are transferred abroad, deleted, anonymized and otherwise processed and stored within this scope, and that I have read, understood and informed about the Le Mabelle Disclosure Text Pursuant to the Personal Data Protection Law numbered 6698 and the KVKK-POL Personal Data Processing and Protection Policy, and that I knowingly and willingly give my explicit consent to the aforementioned matters.
I Accept |
……………………………………………………………………………………… |
|
I do not accept |
……………………………………………………………………………………… |
Please declare that I have read and understood your handwriting and that I willingly give or do not give express consent.
Data Owner / Personnel |
||
Name and Surname |
: |
|
History |
: |
|
Signature |
: |