TAÇ AMBALAJ SAN. TİC. A.Ş. (COMPANY) PERSONAL DATA PROCESSING INVENTORY AND PERSONAL DATA PROTECTION POLICY
1. INTRODUCTION
As the data controller, protecting the personal data of employees, customers, and other real persons associated with Taç Ambalaj San. Tic. A.Ş. (“Taç Ambalaj” “Company”) is of great importance. The purpose of this Policy and other written policies within the Company, which govern the processes of processing and protecting personal data, is to ensure that the personal data of our employees, active and potential customers, and third parties are processed and protected in accordance with the law. In this context, necessary administrative and technical measures are taken by the Company to process and protect personal data in accordance with Law No. 6698 and relevant legislation. This Policy explains the fundamental principles adopted by the Company for personal data processing processes as outlined below:
2. PURPOSE AND SCOPE OF THE POLICY
The Company’s KVKK Policy has been prepared to inform employees and customers about the processes and principles of processing, use, sharing, scoring, classification, and storage of personal data such as “name-surname, company name, mobile phone number, partially anonymized card number, orderIdNo, IP number, system ID, customerId, system customer code, credit card number, card CVV, card expiration date,” obtained within the scope of receiving payments using a virtual POS, through forms completed during the registration stage in accordance with the contract approved by the user, pursuant to Article 5/2-c of Law No. 6698. This Policy contains provisions regarding the principles of processing personal data of data owners by Taç Ambalaj San. Tic. A.Ş. in accordance with the order of regulations in KVKK and applies to the employees and customers within the Company.
3. ENFORCEMENT OF THE POLICY
This Policy, prepared by the Company, came into force on .... date. This Policy is published on the Company’s website (www.tacambalaj.com) and is made available to relevant persons upon request of personal data owners.
4. DEFINITIONS
The important definitions used in the Company’s KVKK Policy are provided below:
ABBREVIATIONDEFINITIONExplicit Consent: | Consent expressed freely based on being informed about a specific subject.
Communiqué on Procedures and Principles to be Followed in Fulfilling the Obligation to Inform: | The Communiqué on Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, published in the Official Gazette dated 10 March 2018 and numbered 30356, which came into force.
Relevant User | Persons who process personal data within the data controller organization or on behalf of the data controller under authority and instructions, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction | Deletion, destruction, or anonymization of personal data.
Periodic Destruction: | Deletion, destruction, or anonymization carried out ex officio at recurring intervals as stated in the personal data retention and destruction policy, in case all conditions for processing personal data under the Law are no longer applicable.
Law/KVKK: | Law No. 6698 on the Protection of Personal Data.
Recording Medium: | Any medium where personal data are processed, whether fully or partially automated or non-automated, as part of any data recording system.
Personal Data: | Any information relating to an identified or identifiable natural person.
Processing of Personal Data: | Any operation performed on personal data, whether fully or partially automated or non-automated, including obtaining, storing, recording, preserving, reorganizing, disclosing, transferring, receiving, making accessible, classifying, or preventing the use of such data.
Anonymization of Personal Data: | Making personal data unidentifiable to any specific or identifiable natural person, even when matched with other data.
Deletion of Personal Data: | Making personal data completely inaccessible and unusable for the relevant Users.
Destruction of Personal Data: | Making personal data completely inaccessible, unrecoverable, and unusable by anyone.
Board | Personal Data Protection Board.
Special Categories of Personal Data: | Data concerning a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Data Owner/Relevant Person: | The natural person whose personal data are being processed.
Data Controller: | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor: | The natural or legal person who processes personal data on behalf of the data controller based on authority granted by the controller.
Regulation | Regulation on Data Controllers Registry.
Under the KVK Law, the Company will hold the status of data controller and will be registered in the VERBİS system. According to Article 1, paragraph 1 of the Regulation: "Data controller obligations of legal entities established in Turkey under the scope of the Law are fulfilled by the organ authorized to represent and bind the legal entity or by the person(s) specified in the relevant legislation. The organ authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled in the implementation of the Law."
In accordance with Articles 367, 371, and 553 of the Turkish Commercial Code (TCC) and other relevant provisions, the Company has established a management structure for the management and representation of the Company. The Company Management determines the details and limits of duties and responsibilities of authorized persons, specifying clearly reporting lines, the organizational structure, and the working principles of the Board of Directors. These persons authorized by the Board within the limits set by the relevant TCC articles are responsible for actions and transactions carried out within their authority under the TCC, Turkish Civil Code (TBK), and Turkish Penal Code (TCK).
The Company has authorized all department managers, including the main authorized company manager, to be responsible for monitoring and coordinating all operations and transactions under the Law on Personal Data Protection and Personal Data Protection Board regulations. Each department manager is responsible for auditing whether the Relevant Users in their departments
İşte metnin İngilizce çevirisi:
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
5.1. GENERAL PRINCIPLES REGARDING PROCESSING
The COMPANY processes personal data in accordance with the procedures and principles stipulated by the KVKK and other relevant legislation. Within this framework, the COMPANY fully complies with the following principles set out in the KVKK when processing personal data:
5.2. CONDITIONS FOR PROCESSING PERSONAL DATA
The KVKK regulates the conditions under which personal data can be processed, and the COMPANY processes personal data in accordance with these conditions. Except for the exceptions listed in the Law, personal data is processed only with the explicit consent of the data subject. In the following situations specified by law, personal data may be processed even without the data subject’s explicit consent:
The COMPANY pays special attention to the processing of special categories of personal data, which are considered more critical to protect. Such data is not processed without the explicit consent of the data subject unless sufficient measures determined by the Board are taken. However, special categories of personal data other than health and sexual life may be processed without explicit consent in cases provided by law. Health and sexual life-related data may be processed without consent only if sufficient measures are taken and for the following purposes:
5.3. METHODS OF COLLECTING AND PROCESSING PERSONAL DATA
The COMPANY processes personal data of natural persons in accordance with Articles 4, 5, and 6 of the KVKK and Articles 6, 7, 9, and 10 of the Regulation, based on a Personal Data Processing Inventory that includes the information listed below. Even if not explicitly titled in this Policy or the Data Deletion Policy, if the following information is included under this or subsequent headings, the relevant provisions will be considered part of the Personal Data Processing Inventory:
5.3.1. Groups of Data Subjects
Personal Data Subject Description
| COMPANY Employees/Customers | Authorized individuals among COMPANY employees, branch employees, and customers; authorized individuals among subcontractors who assist employees in fulfilling their obligations within the framework of COMPANY rules and legal requirements for production, export, and marketing security and order, as well as the actual employees appointed by these subcontractors.
5.3.2. Data Categorization
DATA CATEGORY DESCRIPTION OF DATA CATEGORY
| Identity Information | Data clearly related to a specific or identifiable natural person; processed partially or fully automatically, or manually as part of a data recording system; includes information about a person's identity such as full name, T.R. ID number, nationality, mother’s and father’s name, place of registration, other population registry data, place of birth, date of birth, gender, marital status, as well as documents such as driver’s license, ID card, passport, and other identifiers like tax number, social security number, signature, etc.
| Contact Information | Data clearly related to a specific or identifiable natural person; processed partially or fully automatically, or manually as part of a data recording system; includes phone number, address, email address, fax number, IP address, etc.
| Security Information | Data clearly related to a specific or identifiable natural person; processed partially or fully automatically, or manually as part of a data recording system; includes personal data collected through access to physical premises, during presence in the premises, such as camera recordings, vehicle plate information, security point logs, voice recordings of phone calls, and other related documentation.
| Special Categories of Personal Data | Data clearly related to a specific or identifiable natural person; processed partially or fully automatically, or manually as part of a data recording system; includes data listed in Article 6 of the KVKK (e.g., health data including blood type, biometric data, religion, and membership in associations).
| Request/Complaint Management Information | Data clearly related to a specific or identifiable natural person; processed partially or fully automatically, or manually as part of a data recording system; includes personal data related to all requests or complaints submitted to the COMPANY by customers, and the evaluation of such requests or complaints.
5.3.3. Purposes of Processing Personal Data
Personal data obtained by the COMPANY may be processed for the following purposes:
The above categories are for informational purposes, and additional categories may be added as necessary for the COMPANY to conduct its future commercial and operational activities. In such cases, the COMPANY will continue to update the relevant categories in related documents and inform data subjects promptly.
5.4. TRANSFER OF PERSONAL DATA TO DOMESTIC PARTIES
The COMPANY carefully complies with the conditions set forth in the KVKK regarding the sharing of personal data with third parties, without prejudice to other legal provisions. Personal data is not transferred to third parties without the explicit consent of the data subject. However, if any of the following conditions specified by the KVKK exist, personal data may be transferred without obtaining explicit consent from the data subject:
With sufficient precautions; for special categories of personal data other than health and sexual life, if legally prescribed, and for health and sexual life-related special categories of personal data:
personal data may be transferred without obtaining explicit consent.
The conditions specified in the legislation for processing special categories of personal data are also observed during such transfers.
5.5. TRANSFER OF PERSONAL DATA ABROAD
For transferring personal data abroad, explicit consent of the data subject is required pursuant to Article 9 of the KVKK. However, if conditions exist under which personal data (including special categories) may be processed without consent, personal data may be transferred abroad by the COMPANY without consent, provided sufficient protection exists in the foreign country. If the foreign country is not identified by the Board as having sufficient protection, personal data may only be transferred abroad if both the data controllers in Turkey and in the foreign country provide a written commitment for sufficient protection and with the approval of the KVKK Board.
5.6. RETENTION OF PERSONAL DATA
Personal data obtained is securely stored in physical or electronic media for a period necessary for the COMPANY to carry out its commercial activities. Within these activities, the COMPANY ensures compliance with the obligations stipulated in the KVKK and other relevant legislation. Except where longer retention is allowed or required by law, once the purpose of processing ends, personal data will be deleted, destroyed, or anonymized either ex officio by the COMPANY or upon request of the data subject via the attached form or other applicable technical means. Once deleted by these methods, data will be irretrievably destroyed. However, where the data controller has a legitimate interest, personal data may be retained without harming the fundamental rights and freedoms of data subjects until the general statute of limitations period under the Turkish Code of Obligations (ten years) expires. After this period, personal data will be deleted, destroyed, or anonymized according to the procedure above.
5.7. MEASURES TAKEN FOR DATA SECURITY
The COMPANY takes all necessary technical and administrative measures to ensure an adequate level of security for personal data. The measures foreseen in Article 12(1) of the KVKK are as follows:
5.7.1. Administrative Measures
5.7.2. Technical Measures
5.8. THE COMPANY'S OBLIGATION TO INFORM
In accordance with Article 10 of the KVKK, the COMPANY informs data subjects of their rights and guides them on how to exercise these rights. The COMPANY manages necessary channels, internal processes, administrative, and technical arrangements to evaluate the rights of data subjects and provide the required information in accordance with Article 13 of the KVKK. Under Article 10 of the KVKK, data subjects must be informed before or at the latest during the collection of personal data. The information to be provided includes:
To fulfill this obligation, the COMPANY has prepared data disclosure statements for each process and data subject. After providing these statements, explicit consent declarations have also been prepared for data processing activities and categories requiring explicit consent. These consent forms provide data subjects the right to choose whether their personal data may be processed by the COMPANY, in line with EU regulations supporting KVKK, and inform them of potential consequences if consent cannot be obtained.
However, under Article 28(1) of the KVKK, the COMPANY is not obliged to inform data subjects in the following cases:
Under Article 28(2) of the KVKK, the COMPANY's obligation to inform does not apply in the following cases:
5.9. RIGHTS OF THE DATA SUBJECT
The COMPANY ensures that the rights granted to data subjects under Article 11 of the KVKK are implemented regarding personal data processed in accordance with this Policy. These rights are:
a) To learn whether personal data is processed,
b) To request information if personal data has been processed,
c) To learn the purpose of processing and whether personal data is used in accordance with its purpose,
d) To know third parties to whom personal data is transferred domestically or abroad,
e) To request correction of incomplete or inaccurate personal data,
f) To request deletion or destruction of personal data under the conditions set forth in Article 7 of the Law,
g) To request notification of third parties to whom personal data has been transferred pursuant to (e) and (f),
h) To object to outcomes arising against the individual from the analysis of processed data solely through automated systems,
i) To request compensation for damages in case of unlawful processing of personal data.
5.9.1. Cases Where Data Subjects Cannot Exercise Their Rights
According to Article 28 of the KVKK, data subjects cannot exercise their rights in the following cases:
According to Article 28(2), except for the right to request compensation for damages, data subjects cannot exercise other rights in the following cases:
5.9.2. Exercising the Rights of Data Subjects
Data subjects may exercise their rights listed under section 5.9 by submitting a completed and signed Application Form (Annex-2) along with information and documents verifying their identity via the following methods or other methods determined by the Personal Data Protection Board:
(a) By email to www.tacambalaj.com,
(b) By registered mail, notary, or hand delivery to Akcaburgaz Mah. 3088 Sk. No:30/2 Esenyurt / Istanbul.
Third parties may apply on behalf of data subjects only with a special power of attorney issued via a notary.
5.9.3. Right to File a Complaint with the KVKK Board
Data subjects may file a complaint with the KVKK Board within thirty days from the date they learn of the COMPANY's response, and in any case within sixty days from the application date, if the application is rejected, the response is inadequate, or no response is given, pursuant to Article 14 of the KVKK.
5.10. THE COMPANY'S RESPONSE TO APPLICATIONS
5.10.1. Procedure and Timeframe
Upon receiving a proper application under section 5.9, the COMPANY will respond free of charge within thirty days depending on the nature of the request. If the KVKK Board imposes a fee, the applicant will be charged according to the Board's tariff.
5.10.2. Information Requested from Applicants
The COMPANY may request information to verify the applicant's identity as a data subject and may seek clarification regarding the content of the application.
5.10.3. Right to Reject Applications
The COMPANY may reject an application with justification in the following cases:
6. OTHER MATTERS
In case of inconsistency between this Policy and the KVKK or other legislation, the KVKK and related legislation will prevail. If changes occur in the Policy, the effective date and relevant articles will be updated accordingly.
7. REVISION AND WITHDRAWAL
If this Policy is revised or withdrawn, the revised version or new Policy will be published in relevant locations.
8. EFFECTIVE DATE
This Policy prepared by the COMPANY has been effective as of 01.09.2020.
9. EXECUTION
The execution of this Policy is the responsibility of the data controller and department managers appointed under the COMPANY's Internal Directive to follow and coordinate all procedures in accordance with the KVKK and Personal Data Protection Board regulations.
10. DISTRIBUTION
The Policy will be published on the COMPANY's website and intranet and announced to third parties, employees, and customers.
12. REFERENCE DOCUMENTS