sadsad x
asdasd
Personal Data Processing and Protection Policy
PERSONAL DATA PROCESSING AND PROTECTION POLICY

1 - INTRODUCTION

Protection of personal data Bross Tekstil San. Ve Tic. A. Yako Tekstil San. Ve Foreign Trade Inc. and Innovatech Otomasyon Sistemleri San. Ve Tic. A.Ş (hereinafter referred to as the 'Company') is among the most important priorities of the Company and the principles adopted in the conduct of Personal Data processing activities carried out by our Company within the framework of ISBU, Personal Data Protection and Processing Policy ("Policy") and our Company's Data The basic principles adopted in terms of compliance of processing activities with the regulations in the Personal Data Protection Law No.6698 ('Law') are explained and thus our Company provides the necessary transparency by informing personal data owners. With full awareness of our responsibility within this scope, your personal data are processed and protected within the scope of this Policy.

1.1 Scope

This Policy; Employees of our company and employee candidates who are other than those who are fully or partially

The activities carried out by the Company regarding the protection of personal data of our employees are managed under the Policy of Protection and Processing of Personal Data of Employees, which is written in line with the principles in this Policy, for our Employee Candidates, and.

1.2 Purpose

The main purpose of the ISBU Policy is to inform our suppliers, the institutions we cooperate with and the employees and officials of these institutions, as well as third parties whose personal data is processed by our Company, about our processes regarding the collection, storage, processing, sharing and transfer of Personal data by our Company.
The basic principle of our company is to ensure transparency in the processing of personal data, to raise awareness, to specify the rights and responsibilities of all related parties.

2- DEFINITIONS

Explicit Consent: Consent on a specific subject, based on information and declared with free will,

Anonymous Rendering: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching other data,

Relevant Person: Real person whose personal data is processed,

Personal Data: All kinds of information regarding an identified or identifiable natural person,

Special Categories of Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, through fully or partially automatic means of personal data or non-automatic means provided that it is a part of any data recording system, Any transaction performed on data such as classification or prevention of use,

Board: Personal Data Protection Board,

Authority: Personal Data Protection Authority,

Data Processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given by him,

Data Recording System: A recording system in which personal data are structured and processed according to certain criteria,

Data Supervisor: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3- PRINCIPLES OF PERSONAL DATA PROCESSING

1-Processing of Personal Data in Accordance with Law and Integrity Rules

The company processes personal data in accordance with the law and honesty rules and on the basis of proportionality.

2-Taking Necessary Precautions To Keep Personal Data Accurate And Up-To-Date When Required

The Company takes all necessary technical and administrative measures to ensure that the Personal Data is complete, accurate and up-to-date during the processing of Personal Data, and updates the relevant personal data in case the data processor requests changes to the personal data within the scope of the Law regulations.

3-Processing of Personal Data for Specific, Clear and Legitimate Purposes

Before the processing of personal data, the Company determines the purpose for which personal data will be processed. In this context, the relevant persons whose data is processed are enlightened and their express consent is obtained when necessary.

4-Being Connected, Limited and Measured for the Purpose of Processing Personal Data

The Company processes personal data only in exceptional circumstances within the scope of the Law (Law Article 5.2 and Article 6.3) or for the purpose within the scope of the explicit consent obtained from the person whose data is processed (Article 5.1 and Article 6.2 of the Law) and in accordance with the principle of proportionality. The Data Controller processes the personal data in a way that is suitable for the realization of the specified purposes and refrains from processing Personal Data that are not related to the realization of the purpose or are not needed. In this context, personal data are processed to the extent and limited to the business activities of our Company.

5-Retaining Personal Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which it is Processed

The company retains personal data for as long as necessary and for the period stipulated in the relevant legislation, in accordance with the purpose for which they are processed.

Personal data are deleted, destroyed or anonymized after the period required by the purpose of personal data processing expires. In this case, third parties to whom the Company transfers personal data are also provided to delete, destroy or anonymize the personal data.

The Company and its authorized persons are responsible for the operation of the deletion, destruction and anonymization processes. The Company establishes the necessary technical and administrative procedures for the work to be carried out within this scope.

4- ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

4.1 Conditions of Processing Personal Data

Apart from the explicit consent of the personal data owner, the basis of the personal data processing activity can be only one of the following conditions, or more than one condition can be the basis of the same personal data processing activity. In case the processed data is personal data of special nature, the conditions under the heading "Processing of Special Qualified Personal Data" of this Policy will be applied.

1-Obtaining the Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be explained on a specific subject, based on information and free will.

2- Situations where Explicit Consent is not Required

Clearly Stipulated in Laws

If the personal data of the data owner is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the relevant law, the existence of this data processing requirement may be mentioned.

Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility

Personal data of the data owner may be processed if it is mandatory to process the personal data of the person who is unable to disclose his consent due to the actual impossibility or whose consent cannot be validated, or to protect the life or body integrity of another person.

Directly Related to the Establishment or Execution of the Contract

Provided that it is directly related to the establishment or performance of a contract to which the data owner is a party, this condition may be deemed fulfilled if it is necessary to process personal data.

Fulfilling the Company's Legal Obligation

Personal data of the data owner can be processed if processing is mandatory for our company to fulfill its legal obligations.

Making Personal Data Public by Personal Data Owner

If the data owner has made his personal data public, the relevant personal data may be processed in a limited way for the purpose of making it public.

When Data Processing is Mandatory for the Establishment or Protection of a Right

In the event that data processing is mandatory for the establishment, use or protection of a right, the personal data of the data owner may be processed.

When Data Processing is Mandatory for the Legitimate Interest of the Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if it is necessary for the legitimate interests of our Company.

4.2 Conditions for Processing Special Quality Personal Data

Your personal data of special nature are not processed by our Company.

5- TRANSFER OF PERSONAL DATA

5.1 Conditions for Transferring Personal Data

Our company may transfer personal data of personal data owners and special quality personal data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing personal data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of personal data. In this context, our Company, in line with the legitimate and legal personal data processing purposes, is based on one or more of the personal data processing conditions specified in Article 5 of the Law and in a limited way;

Personal Data to third parties:

If the Personal Data owner has explicit consent;

If there is an explicit regulation in the laws that personal data will be transferred,

If it is necessary for the protection of the life or body integrity of the personal data owner or someone else,

If the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid,

If it is necessary to transfer personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,

If personal data transfer is mandatory for our company to fulfill its legal obligation,

If the personal data has been made public by the personal data owner,

If the transfer of personal data is mandatory for the establishment, use or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, if the transfer of personal data is mandatory for the legitimate interests of our Company, it can be transferred.

5.1.1 Conditions for Transferring Personal Data Abroad

Our company does not transfer your personal and specific personal data abroad.




5.2 Conditions for the Transfer of Special Quality Personal Data

The Company, with due diligence, taking the necessary security measures and taking adequate precautions stipulated by the Board; In line with legitimate and legal personal data processing purposes, it can transfer the special quality personal data of the personal data owner to third parties in the following cases.

In case of explicit consent of the personal data owner

Without seeking the explicit consent of the personal data owner in the presence of the following conditions;

Personal data of special nature other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law,

Personal data of special quality regarding the health and sexual life of the personal data owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation to keep confidentiality. can be transferred by.

6-PURPOSE OF PROCESSING AND TRANSFERING PERSONAL DATA AND PERSONS TO WHICH WILL BE TRANSFERRED

6.1 Purposes of Processing and Transferring Personal Data

Personal data belonging to the employees of third parties, institutions or organizations with which the company is engaged as a service provider and visitors other than Employees, organization and execution of commercial activities, planning, auditing and execution of information security processes, event management, monitoring of finance and accounting works, planning and execution of human resources processes Planning and execution of business activities, planning and execution of business continuity activities, planning and execution of corporate communication activities, planning and execution of logistics activities, planning and execution of production and operation processes, conducting audit and security activities, creating and tracking visitor records, physical space security, providing information to authorized person institutions and organizations, ensuring the security of data controller operations, providing internet access and ensuring access security, which must be kept in accordance with the relevant legislation. retention of interests; copying and backing up in order to prevent information loss; ensuring the consistency of information is controlled; For these purposes, such as taking necessary technical and administrative measures for the security of our databases and information, following up legal affairs, ensuring the security of company premises and facilities, ensuring the security of movable goods and resources, planning and executing the sales and marketing processes of products and services, and managing supply chain management processes. are processed and transmitted, but to a limited extent.




6.2 Personal Data Categorization

Identity Data: Name-surname, TR identity number, date of birth, gender, nationality

Communication Data: Telephone number, e-mail address, REM address, address,

Transaction Security Information: Log records, IP address, website login-logout information, cookie records, shopping history information

Financial Information: Bank IBAN number

Audio-Visual Information: Camera recordings, voice recordings taken from call center calls

Legal Transaction Information: The data processed within the scope of the legal obligations of the company with the determination, follow-up and execution of the legal receivables and rights of the company.

Request / Complaint Management Information: Data regarding the receipt and evaluation of any request or complaint addressed to the company.

Other: Institution, title, license plate information

Physical Space Security: Company entry-exit times

6.3 Persons Persons to whom the data will be transferred

In accordance with Article 8 of the Company Law, the personal data of data owners managed by this Policy can be transferred to the following categories of persons:

Company suppliers,

Transport companies,

To the customs,

Cargo companies,

Consultants from outside the company,

7- METHOD OF COLLECTING PERSONAL DATA and LEGAL REASON

In order to control compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, personal data; in all kinds of verbal, written, electronic media; It is collected by technical and other methods in various ways such as the Company website, in order to fulfill the legal responsibilities arising from the law in a complete and correct manner, within the framework of legislation, contract, demand and optional legal reasons, and the data assigned by the Company or the Company. processed by the processors.

8- ANONYMIZING, DESTRUCTION AND DELETION OF PERSONAL DATA

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of personal data, the Company deletes the personal data ex officio or upon the request of the data owner, even though the Company has processed in accordance with the provisions of this Law and other laws. destroys or anonymizes.

With the deletion of personal data, these data are destroyed in such a way that they cannot be used and retrieved in any way. Accordingly, personal data are deleted from tools such as documents, files, CDs, floppy disks, hard disks in which they are recorded in a way that cannot be recycled.

Destruction of personal data, on the other hand, refers to the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks in which the data are recorded so that the information cannot be retrieved and used.

By making the data anonym, it is meant to render the personal data inaccessible to an identified or identifiable natural person, even if they are matched with other data.




9- STORAGE OF PERSONAL DATA

The concept of processing personal data has been defined in Article 3 of the Law, it is stated in Article 4 that the processed personal data must be related, limited and measured for the purpose of processing and must be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and in Article 5, the processing conditions of personal data are listed. Accordingly, within the framework of the Company's activities, personal data are stored for a period stipulated in the relevant legislation or suitable for our processing purposes.

10- ISSUES ON THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the protection of the data, and to carry out the necessary audits in this context, or has done.

10.1 Ensuring the Security of Personal Data

10.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data

The company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data are processed in accordance with the law.

1- Technical Measures Taken to Ensure the Legal Processing of Personal Data

The main technical measures taken by the company to ensure the legal processing of personal data are listed below:

Personal data processing activities carried out within the company are audited by established technical systems.

The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

Knowledgeable staff on technical issues are employed.



2- Administrative Measures Taken to Ensure the Legal Processing of Personal Data

The main administrative measures taken by the company to ensure the legal processing of personal data are listed below:

Employees are informed and trained on the protection of personal data and the processing of personal data in accordance with the law.

All activities carried out by the company are analyzed in detail for all business units, and personal data processing activities are revealed, specific to the activities carried out by the relevant business units as a result of this analysis.

Personal data processing activities carried out by the business units of the Company; The requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions required by the Law are determined by each business unit and the detail activity it carries out.

In order to meet the legal compliance requirements determined on the basis of the business unit, awareness is created for the relevant business units and implementation rules are determined; Necessary administrative measures are implemented through in-house policies and trainings to ensure the supervision of these issues and the continuity of the implementation.

In the contracts and documents that govern the legal relationship between the company and the employees, records that impose the obligation not to process, disclose and use personal data, except for the Company's instructions and the exceptions imposed by law, are placed, and the awareness of the employees on this issue is created and the obligations arising from the Law are fulfilled by conducting audits.



10.1.2. Taken Technical and Administrative Measures to Prevent Unlawful Access of Personal Data

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and implementation costs in order to prevent the imprudent or unauthorized disclosure of personal data, access, transfer or any other illegal access.

Technical Measures Taken to Prevent Unlawful Access of Personal Data

The main technical measures taken by the company to prevent unlawful access to personal data are listed below:

Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and renewed.

Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on the basis of the business unit.

Access authorizations are restricted and authorizations are regularly reviewed.

The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the necessary technological solutions are produced by re-evaluating the risks.

Software and hardware including virus protection systems and firewalls are installed.

Knowledgeable staff on technical issues are employed.

It is regularly subjected to security scans to detect security vulnerabilities in applications where personal data are collected. It is ensured that the gaps found are covered.




Administrative Measures Taken to Prevent Unlawful Access of Personal Data

The main administrative measures taken by the company to prevent unlawful access to personal data are listed below:

Employees are trained on technical measures to be taken to prevent illegal access to personal data.

Personal data processing on a business unit basis is designed and implemented within the Company to access and authorize personal data in accordance with legal compliance requirements.

Employees are informed that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation will continue after they leave their job, and in this direction, necessary commitments are taken from them.

Contracts concluded by the company with persons to whom personal data are legally transferred; Provisions are added that the persons to whom the personal data are transferred will take the necessary security measures to protect the personal data and ensure that these measures are followed in their own organizations.

10.1.3. Storing Personal Data in Safe Environments

The company takes the necessary technical and administrative measures according to the technological possibilities and implementation costs in order to keep personal data in secure environments and to prevent them from being destroyed, lost or changed for illegal purposes.

Technical Measures Taken for the Storage of Personal Data in Safe Environments

The main technical measures taken by the company for the storage of personal data in secure environments are listed below:

Systems suitable for technological developments are used to keep personal data in secure environments.

Expert personnel are employed in technical matters.

Technical security systems are established for storage areas, security tests and researches are carried out to detect security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests and researches are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

In order to ensure the safe storage of personal data, backup programs are used in accordance with the law.

Access to the data is restricted to the environments where personal data are kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data, access to data storage areas where personal data is stored is logged and inappropriate access or access attempts are instantly communicated to those concerned.




Administrative Measures Taken for the Storage of Personal Data in Safe Environments

The main administrative measures taken by the company for the storage of personal data in secure environments are listed below:

Employees are trained to ensure that personal data is stored securely.

Legal and technical consultancy services are obtained in order to follow developments in the fields of information security, privacy of private life and protection of personal data and to take necessary actions.
In the event that an external service is received by the company due to technical requirements regarding the storage of personal data, contracts concluded with the relevant companies to which the personal data are transferred in accordance with the law; It includes provisions stating that persons to whom personal data are transferred will take necessary security measures in order to protect personal data and that these measures will be followed in their own organizations.

10.1.4. Supervision of the Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the Law, the company carries out the necessary audits or has it done within its own structure. These audit results are reported to the relevant department within the scope of the internal operation of the Company and necessary activities are carried out to improve the measures taken.

10.1.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

The Company operates the system that ensures that personal data processed in accordance with Article 12 of the Law are obtained by others illegally, and this situation is notified to the relevant personal data owner and the Board as soon as possible. If deemed necessary by the Board, this may be announced on the Board's website or by any other method.

10.2. Observing the Legal Rights of Personal Data Owners

The Company observes all legal rights of personal data owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

11-RIGHTS OF THE PERSONAL DATA OWNER

Rights of Personal Data Owner

Data Owner,

Learning whether personal data is processed,

If their personal data has been processed, to request information regarding this,

Learning the purpose of processing personal data and whether they are used appropriately for their purpose,

To know the third parties to whom personal data are transferred domestically or abroad,

To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data are transferred

Although it has been processed in accordance with the provisions of the Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons that require processing are eliminated, and to request notification of the transaction made within this scope to third parties to whom personal data has been transferred,

To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,

It has the right to demand the compensation of the damage in case of damage due to the unlawful processing of personal data.

Request applications for the rights listed above regarding personal data can be submitted using the Data Owner Application Form available at www.bross.com.tr and www.brossocks.com. Our company will conclude the request free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, we will charge the fee in the tariff determined by the Personal Data Protection Board.
Prepared by  T-Soft E-Commerce.