Personal Data Policy


FERSKNIT

DATA SECURTY AND DESTRUCTION POLICY


PURPOSE AND SCOPE

 

The purpose of this Data Security and Destruction Policy ("Policy") is to determine the accurate identification of all personal data obtained by Aliye Feryal Revanbahş ("FERSKNIT") both domestically and internationally in accordance with the obligations required under the Law on the Protection of Personal Data No. 6698 ("PDPL") and to define how company practices will be conducted.


This Policy will be applied in activities conducted by FERSKNIT regarding the processing, protection, and destruction of all personal data in accordance with the provisions stipulated in the PDPL and relevant legislation. This Policy will not be applied to legal entities and data concerning legal entities in any way.

 

DEFINITIONS

"Personal Data": Personal data is any kind of information related to an identified or identifiable natural person that determines or can be associated with the identity of that person.

"Sensitive Personal Data": Data related to individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, dress, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

"Data Subject / Relevant Person": Refers to the individuals whose personal data is processed.

"Institution": Personal Data Protection Authority

"Board": Personal Data Protection Board

"Destruction": Deletion, destruction, and anonymization of personal data.

"Company": FERSKNIT

"Policy": Refers to this Data Security and Destruction Policy.

"Data Controller": Refers to the natural or legal person responsible for determining the purposes and methods of processing personal data and establishing and managing the data recording system.

PRINCIPLES RELATED TO THE PROCESSING AND PROTECTION OF PERSONAL DATA

FERSKNIT undertakes to process personal data in accordance with the Law on the Protection of Personal Data and relevant legal regulations.


FERSKNIT will take necessary measures to ensure the accuracy and integrity of personal data as required by the purpose of data collection, and when the relevant individuals make corrections or changes to their personal data, FERSKNIT will update such information.

 

Personal Data Processing Conditions

FERSKNIT does not process personal data without the explicit consent of the data subject. However, the processing of personal data without obtaining the consent of the data subjects is possible in the presence of one of the following situations:

-If data processing is provided for in the laws.

-If data processing is necessary for the performance of a contract.

-In case of urgent situations such as the life or physical integrity of the data subjects or another person.

-If it is necessary for FERSKNIT to fulfill a legal obligation.

-If the personal data has been made public by the data subject themselves.

-If data processing is necessary for the establishment, use, or protection of a right.

-If the processing of the data is mandatory for the legitimate interests of FERSKNIT, provided that it does not harm the fundamental rights and freedoms of the data subjects.


General Principles for the Processing of Personal Data:

-Personal data is processed in compliance with relevant legal rules and the principle of fairness.

-Ensuring the accuracy and timeliness of personal data.

-Personal data is processed for specific, explicit, and legitimate purposes.

-Personal data is relevant, limited, and proportionate to the purposes for which they are processed.

-FERSKNIT adheres to the time periods prescribed in the relevant legislation for the retention of data. If there is no valid reason for the further retention of personal data, the data is deleted, destroyed, or anonymized.

 


The Purpose of Processing Personal Data

Execution of information security processes

-Conducting activities in compliance with legislation

-Execution of loyalty processes related to the company/products/services

-Tracking and execution of legal affairs

-Execution of communication activities

-Maximizing the benefits of products and services for Data Subjects and customizing them according to their requests, needs, and desires,

-Contacting individuals/entities involved in business relationships,

-Providing information to authorized institutions and organizations in accordance with the legislation

-Execution of financial and accounting affairs

-Ensuring the highest level of data security

-Contacting Data Subjects who submit requests and complaints and managing the requests and complaints,

-Receiving and evaluating suggestions for the improvement of business processes

-Execution of product/service procurement processes

-Execution of after-sales support services for products/services

-Execution of product/service sales processes

-Execution of customer relationship management processes

-Execution of advertising/campaign/promotion processes

-Execution of contract processes

-Tracking of requests/complaints

These processing activities are carried out in compliance with the personal data processing conditions specified in Articles 5 and 6 of the Law on Protection of Personal Data ("KVKK"). If the processing activities related to the aforementioned purposes do not meet any of the conditions envisaged under the KVKK, explicit consent from the relevant individual is obtained by FERSKNIT regarding the processing activity.

Processing and Transfer of Special Categories of Personal Data

Sensitive Personal Data, which is sensitive under the scope of the KVKK, is not processed or transferred without the explicit consent of the data subject.

 

Obligation to Inform

FERSKNIT informs the data subjects about the following issues when processing personal data:

(i) The identity of the data controller and, if any, their representative,

(ii) The purpose of processing personal data,

(iii) To whom and for what purpose personal data will be transferred,

(iv) The method and legal basis of personal data collection,

(v) The rights of the data subject regarding the processing of their personal data.


Personal data can be collected through automated or non-automated means, verbally, in writing, or electronically.

 

Data Security

FERSKNIT takes technical and administrative measures in line with the Law on Protection of Personal Data and related legal regulations to securely store personal data, prevent unlawful processing and access to personal data, and ensure the lawful destruction of personal data.


FERSKNIT conducts and ensures necessary audits to enforce the implementation of the Policy. Any privacy and security vulnerabilities identified during the audits are promptly addressed.


As of the effective date of this Policy, we do not transfer data abroad.


RECORD KEEPİNG SYSTEMS

Electronic Environments:


-Servers (email, database, web, file sharing, etc.)

-Software (Office software, portal)

Physical Environments:

-Physical Filing 


STORAGE AND DISPOSAL OF PERSONAL DATA

The reasons requiring storage are as follows:

-Due to the direct relevance of personal data to the establishment and performance of contracts,

-For the purpose of establishing, using, or protecting a right,

-For the legitimate interests of FERSKNIT, provided that the fundamental rights and freedoms of individuals are not harmed,

-To fulfill any legal obligations of FERSKNIT,

-To meet the burden of proof in potential legal disputes,

-Where the storage of personal data is explicitly stipulated in the legislation,

-In cases where explicit consent of the data subjects is required for the storage activities.


Causes and Methods of Destruction

In accordance with the regulations, personal data is deleted, destroyed, or anonymized by FERSKNIT on its own initiative or upon request in the following cases:

-When it is necessary due to the amendment or repeal of the relevant legislation that constitutes the basis for the processing or storage of personal data,

-When the purpose requiring the processing or storage of personal data ceases to exist,

-When the conditions stipulated in Articles 5 and 6 of the KVK Law, which require the processing of personal data, no longer exist,

-In cases where the processing of personal data is based solely on the explicit consent requirement, if the data subject withdraws their consent,

-If the data subject's application for the deletion, destruction, or anonymization of personal data within the framework of the rights specified in Article 11 of the KVK Law is accepted by the data controller,

-If the data controller rejects the application submitted by the data subject for the deletion, destruction, or anonymization of personal data, if the response is found to be insufficient, or if the data controller fails to respond within the period specified in the KVK Law; if a complaint is filed with the Board and this request is found appropriate by the Board,

-When the maximum period requiring the storage of personal data has elapsed, but there is no condition justifying the storage of personal data for a longer period.

 

Deletion and Destruction of Personal Data

Personal data, although processed in accordance with the provisions of the Law on the Protection of Personal Data and relevant legislation, is deleted, destroyed, or anonymized by FERSKNIT in accordance with the Personal Data Protection Law if the reasons requiring its processing cease to exist based on FERSKNIT's own decision or if there is a request from the data subject in this regard.

In cases where FERSKNIT has the right or obligation to retain personal data in accordance with the relevant legislation, FERSKNIT reserves the right not to fulfill the data subject's request.


Anonimizing Personal Data

Anonymizing personal data refers to rendering the personal data unidentifiable or unattributable to any identifiable or identified natural person, even when matched with other data.

Periodic destruction processes commence for the first time on 1 DECEMBER 2019 and recur every 6 (six) months.


The Legal Rights of the Data Subject

FERSKNIT informs individuals about their rights when collecting personal data. The legal rights of individuals whose personal data is processed are as follows:


(a) To learn whether personal data is being processed,

(b) To request information if personal data has been processed,

(c) To learn the purpose of processing personal data and whether they are used in accordance with this purpose,

(d) To know the third parties to whom personal data is transferred domestically or abroad,

(e) To request the correction of personal data if it is incomplete or incorrectly processed,

(f) To request that the operations carried out pursuant to (d) and (e) be notified to the third parties to whom the personal data has been transferred,

(g) To object to the occurrence of a result against the individual's interests by exclusively analyzing the processed data through automated systems,

(h) To request the remedy of damages in case of any harm due to the unlawful processing of personal data.


Exercising the Rights of the Data Subject.

Individuals may convey their requests regarding their rights specified in this Policy to FERSKNIT through the communication addresses of FERSKNIT by mail, email, or registered letter with return receipt. The concerned individuals can contact FERSKNIT directly via info@fersknit.com to express their questions and requests.


If the data subject submits their request in accordance with the procedure regarding their rights set forth in this Policy, FERSKNIT will conclude the relevant request within the shortest time and at the latest within 30 (thirty) days free of charge, depending on the nature of the request. However, if the process incurs any additional costs, FERSKNIT will charge the fee specified in the tariff determined by the Board from the relevant parties.


FERSKNIT has the exclusive right to periodically reassess this Policy and make changes if necessary.