REBUL JCR COSMETICS MARKETING JOINT STOCK COMPANY
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
CONTENTS
Policy on the Protection and Processing of Personal Data
SECTION ONE: GENERAL INFORMATION ABOUT THE POLICY
SECTION TWO: CLASSIFICATION OF PERSONAL DATA
SECTION THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES
SECTION FOUR: PROCESSING OF PERSONAL DATA
SECTION FIVE: TRANSFER OF PERSONAL DATA
SECTION SIX: METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA
SECTION SEVEN: DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
SECTION EIGHT: MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA
SECTION NINE: RIGHTS OF DATA SUBJECTS
SECTION TEN: PERSONNEL RESPONSIBLE FOR POLICY COMPLIANCE
SECTION ELEVEN: UPDATES AND CHANGES
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
SECTION ONE: GENERAL INFORMATION ABOUT THE POLICY
1. Introduction
As REBUL JCR COSMETICS MARKETING JOINT STOCK COMPANY ("Company"), acting as a "data controller" under Law No. 6698 on the Protection of Personal Data ("Law"), we prioritize the processing of personal data of individuals associated with our Company, including our customers, consumers, website users, and employees, in accordance with the Law and related regulations. We are also committed to ensuring the effective exercise of the rights of data subjects whose data is processed. All procedures regarding the processing, storage, and transfer of personal data of all data subjects we engage with during our activities are carried out in accordance with this Policy on the Protection and Processing of Personal Data ("Policy"). Protecting personal data and respecting the fundamental rights and freedoms of individuals whose data is collected is the core principle of this Policy.
2. Purpose of the Policy
The primary purpose of this Policy is to establish the methods we follow for processing, storing, transferring, and deleting or anonymizing the personal data shared with our Company by data subjects during commercial, social responsibility, and similar activities, as specified under the principles of the Law. This Policy aims to ensure full compliance with the applicable legislation in all personal data processing and protection activities carried out by our Company and to safeguard the rights of personal data subjects arising from the legislation.
3. Scope of the Policy
The scope of this Policy includes the personal data of all data subjects we engage with during our activities, such as our employees, visitors, business contacts, business partners, customers, potential customers, suppliers, and users of our website.
The protection of personal data only applies to the data of natural persons. Information belonging to legal entities that does not include data related to identifiable natural persons is excluded from the protection of personal data under the Law. Therefore, this Policy does not apply to data belonging to legal entities.
4. Definitions
The terms used in this Policy are defined as follows:
5. Enforcement of the Policy
This Policy was approved by the Company’s Board of Directors and entered into force on April 7, 2018. If changes to the Policy are necessary, the relevant provisions will be updated accordingly. Any amendments made to the Policy are incorporated immediately into the text, and explanations regarding these changes are specified in Section Eleven of this Policy.
SECTION TWO: CLASSIFICATION OF PERSONAL DATA
1. Personal Data
Personal data includes any information relating to an identified or identifiable natural person. In accordance with the legislation, the term "personal data" used in this Policy also encompasses special categories of personal data.
2. Special Categories of Personal Data
Special categories of personal data include information about an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
SECTION THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES
1. Categorization of Personal Data
The Company processes personal data under the categories listed below, in accordance with Article 10 of the Law, by informing the relevant data subjects. This section also specifies the types of data subjects to whom the personal data in these categories relate, as governed by this Policy.
CATEGORIZATION OF PERSONAL DATA
CATEGORY | DESCRIPTION
Identity Information | Information processed automatically or non-automatically as part of a data recording system, such as name-surname, national ID number, nationality, marital status, date of birth, ID photocopy, social security number, signature, driver’s license details, etc.
Contact Information | Information such as phone number, address, email, and social media account that is processed automatically or non-automatically as part of a data recording system.
Family and Close Relations | Information about the personal data subject’s family members and relatives, processed in relation to our products and services or to protect the Company’s and the data subject’s legal interests.
Financial Information | Information created based on the legal relationship established with the personal data subject, such as financial and salary details, credit risk reports, premium lists, debt information, bank details, monthly salary slips, and insurance premium payment details.
Performance and Career Development Information | Information processed to measure the performance and plan the career development of employees or individuals working with the Company, such as training participation forms, hours and duration of training, exam results, promotion evaluations, performance reports, disciplinary investigation records, annual leave records, resignation letters, application forms, resumes, etc.
Special Categories of Personal Data | Data specified in Article 6 of the Law, including health insurance, medical reports, health declarations, pregnancy status, occupational disease records, pre-employment medical examination forms, daily patient complaints, medications used, biometric data, criminal records, religious beliefs, lists of fasting individuals, psychotechnical documents, etc.
Educational Information | Information such as educational background, certificate copies, and diploma copies that is processed automatically or non-automatically as part of a data recording system.
Visual and Auditory Data | Information processed automatically or non-automatically as part of a data recording system, such as photographs, audio recordings, and camera recordings.
Other Information | Miscellaneous data such as vehicle details, company computer IP information, web browsing activity, hobbies, discharge certificates, military service details, employment contracts, assignment forms, card access system logs, work hours, license photocopies, supplier company employment forms, and disciplinary investigation records.
A detailed table specifying the personal data categories and types of personal data processed for each data subject category mentioned above is included below.
CATEGORIZATION OF PERSONAL DATA
DATA SUBJECT CATEGORY RELATED TO THE PERSONAL DATA
Personal Data Category | Data Subject Category
Identity Information | Customer, supplier, job applicant, employee, company representative, visitor, employees of institutions we collaborate with, third party
Contact Information | Customer, supplier, job applicant, employee, company representative, visitor, employees or representatives of institutions we collaborate with, third party
Family and Close Relations | Job applicant, employee
Financial Information | Customer, employee, supplier, employees, shareholders, and representatives of institutions we collaborate with
Performance and Career Development Information | Job applicant, employee, employees of institutions we collaborate with
Educational Information | Job applicant, employee
Special Categories of Personal Data | Job applicant, employee, company representative
Visual and Auditory Data | Customer, employee, supplier, visitor
Other Information | Customer, job applicant, employee, company representative, visitor, supplier, employees, shareholders, and representatives of institutions we collaborate with, third party
SECTION FOUR: PROCESSING OF PERSONAL DATA
1. General Principles for Processing Personal Data
Personal data is processed by our Company in compliance with the procedures and principles outlined in the Law and this Policy. The Company adheres to the following principles when processing personal data:
2. Conditions for Processing Personal Data
The Company does not process personal data without the explicit consent of the data subject. However, personal data may be processed without consent under the following circumstances:
3. Conditions for Processing Special Categories of Personal Data
The Company does not process special categories of personal data without the explicit consent of the data subject. However, personal data related to health and sexual life may be processed without consent under certain conditions, such as:
The Company ensures compliance with the adequate safeguards specified by the Personal Data Protection Board when processing special categories of personal data.
1. Our Purposes for Processing Personal Data
The personal data collected by the Company is processed for the purposes listed below, in accordance with the personal data processing conditions specified in Articles 5 and 6 of the Law. If the processing activity related to the specified purposes does not meet any of the conditions outlined in the Law, the explicit consent of the data subject is obtained by the Company for the relevant processing activity.
For ensuring the execution of the Company’s human resources policies:
For ensuring the legal and commercial security of the Company and individuals in a business relationship with the Company:
For determining and implementing the Company’s commercial and business strategies:
SECTION FIVE: TRANSFER OF PERSONAL DATA
1. Conditions for Transferring Personal Data
As a Company, we adhere to the provisions of the Law and the decisions and regulations issued by the Personal Data Protection Board when transferring personal data. Except for exceptional cases specified in the legislation, personal data and special categories of personal data are not transferred to other natural or legal persons without the explicit consent of the data subject. However, personal data may be transferred without explicit consent in the following cases:
2. Conditions for Transferring Personal Data Abroad
As a rule, personal data is not transferred abroad without the explicit consent of the data subject. However, in cases where one of the exceptions outlined in Article 2 of Section Four of this Policy applies, personal data may be transferred abroad under the following conditions:
3. Purposes for Transferring Personal Data and Third Parties to Whom Data May Be Transferred
Personal data may be transferred for the following purposes:
For ensuring the execution of the Company’s human resources policies:
For ensuring the legal and commercial security of the Company and individuals in a business relationship with the Company:
For determining and implementing the Company’s commercial and business strategies:
Personal data may be transferred to:
Transfers are conducted in accordance with the principles and rules set forth in this Policy.
4. Personal Data Envisaged for Transfer to Foreign Countries
The Company does not transfer any personal data to third parties residing abroad during its operations.
SECTION SIX: METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA
1. Method and Legal Basis for Collecting Personal Data
Personal data is collected by our Company through technical and procedural methods implemented across various channels such as our website, registration forms, and physical platforms, or through verbal, written, or electronic means. This is done either partially or fully automatically or via non-automated methods that form part of a data recording system. The collection of personal data is carried out based on applicable legislation, contracts, requests, commercial practices, and principles of good faith. It is intended to provide commercial services to you, conduct commercial activities, fulfill the legal obligations of our Company, execute the requirements of our business relationship with you, and protect our mutual rights, while respecting the fundamental rights and freedoms of personal data subjects.
Highlighted data collection methods, purposes, and activities include the following:
a) Monitoring Activities Using Cameras at Building and Facility Entrances and Within Premises
Our Company conducts camera surveillance activities to improve the quality and reliability of services, ensure the safety of the Company, customers, and other individuals, and protect the interests of customers regarding the services they receive.
i. Legal Basis for Camera Surveillance
The camera surveillance activities conducted by our Company are carried out in compliance with applicable legal regulations and statutory provisions.
ii. Conducting Camera Surveillance in Compliance with Personal Data Protection Law
Our Company adheres to the provisions of the Personal Data Protection Law (KVKK) while conducting camera surveillance for security purposes. Camera surveillance activities are carried out at our buildings and facilities to ensure security, in line with the purposes specified by law and the personal data processing conditions listed in the GDPR.
iii. Notification of Camera Surveillance Activities
In compliance with Article 10 of the GDPR, personal data subjects are informed about camera surveillance activities. The aim is to prevent harm to the fundamental rights and freedoms of personal data subjects, ensure transparency, and provide proper notification. For this purpose, the Policy is published on our Company’s website (online policy arrangement), and notices regarding surveillance are posted at the entrances of monitored areas (on-site notification).
iv. Purpose and Scope of Camera Surveillance
In accordance with Article 4 of the GDPR, personal data is processed in a manner relevant, limited, and proportional to its purpose. The use of surveillance cameras is strictly confined to the purposes outlined in this Policy, with the number, placement, and timing of cameras limited to what is necessary to achieve security objectives. Areas where monitoring could lead to excessive intrusion into privacy (e.g., restrooms) are not subject to surveillance.
v. Ensuring the Security of Collected Data
In compliance with Article 12 of the GDPR, technical and administrative measures are taken to ensure the security of personal data obtained through camera surveillance, as outlined in this Policy.
vi. Access and Sharing of Collected Data
Digital recordings are accessed and stored by a limited number of Company employees. Live footage can only be viewed by employees responsible for security and administrative tasks. Employees with access to recordings sign confidentiality agreements to affirm their commitment to data protection.
b) Tracking Guest Entries and Exits at Building and Facility Entrances
To ensure security and for the purposes outlined in this Policy, our Company processes personal data related to guest entries and exits at its buildings and facilities.
Personal data such as the names and surnames of guests visiting the Company’s premises are collected. Visitors are informed of this data collection via notices displayed or made accessible in the Company’s buildings or through other means. Data collected for monitoring guest entries and exits is processed solely for this purpose and recorded in a physical data recording system.
c) Internet Site Visitors
Our Company uses technical tools (e.g., cookies) on its websites to ensure that visitors use the site appropriately, provide customized content, and engage in online advertising activities. Internet activity within the site is recorded in alignment with these purposes.
SECTION SEVEN: DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
1. Deletion, Destruction, or Anonymization of Personal Data
Without prejudice to the provisions of other laws regarding the deletion, destruction, or anonymization of personal data, our Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject when the reasons requiring its processing no longer exist. Personal data is destroyed in such a way that it can no longer be used or retrieved under any circumstances. Accordingly, personal data is irretrievably deleted from the records in media such as documents, files, CDs, floppy disks, and hard drives. Destruction refers to the destruction of the media where data is stored (e.g., documents, files, CDs, floppy disks, hard drives) in a way that the information cannot be retrieved or used again. Anonymization refers to making personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data.
2. Retention and Disposal Period for Personal Data
The Company retains personal data for the period specified in the relevant legislation. If no retention period is stipulated in the legislation, personal data is processed for the duration required by the activity related to the processing and in accordance with the Company's practices and commercial customs. Once the processing purpose is fulfilled, the data is deleted, destroyed, or anonymized.
If the purpose of processing personal data has ended and the relevant retention periods stipulated by the legislation and the Company have also expired, personal data may be retained solely for the purpose of serving as evidence in potential legal disputes or for asserting or defending a related right. The retention period in such cases is determined based on the statute of limitations for asserting the right or examples of prior requests made to the Company on similar matters, even after the statute of limitations has passed. During this period, the retained personal data is not accessed for any other purpose and is only accessed when required in the relevant legal dispute. Once this period also expires, the personal data is deleted, destroyed, or anonymized.
SECTION EIGHT: MEASURES TAKEN TO ENSURE PERSONAL DATA SECURITY
In compliance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful processing of personal data, unauthorized access to data, and ensure its preservation. The Company conducts or has conducted the necessary audits within this scope.
1. Technical Measures Taken for Personal Data Security
To ensure the security and preservation of personal data, including but not limited to:
2. Administrative Measures Taken for Personal Data Security
To protect personal data, including but not limited to:
3. Procedures to Follow in Case of Unauthorized Disclosure of Personal Data
In accordance with Article 12 of the Law, if personal data processed by the Company is unlawfully accessed by others, the Company notifies the affected data subject and the Personal Data Protection Board as soon as possible.
4. Monitoring Measures Taken to Protect Personal Data
The Company conducts or commissions audits to ensure compliance with Article 12 of the GDPR. The results of these audits are reported to the relevant department within the Company’s internal operations, and necessary activities are carried out to improve the measures.
5. Increasing Employee Awareness and Monitoring Regarding Personal Data Protection and Processing
To prevent unlawful processing of personal data, unauthorized access, and ensure the preservation of data, the Company organizes training sessions for existing and newly hired employees to raise awareness.
The outcomes of training sessions aimed at increasing employee awareness are reported to the Company. Participation in these training sessions, seminars, and briefings is evaluated, and necessary audits are conducted or commissioned. The Company updates and renews its training programs in line with updates to the relevant legislation.
SECTION NINE: RIGHTS OF THE DATA SUBJECT
1. Informing the Data Subject
Our Company informs data subjects during the acquisition of personal data in accordance with Article 10 of the Law. In this context, the identity of the Company’s representative, if any, the purposes of processing personal data, the recipients and purposes for which personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the data subject are disclosed.
2. Rights of the Data Subject
In accordance with Article 11 of the Law, the Company informs individuals whose personal data is collected about the following rights:
3. Cases Where the Data Subject May Not Exercise Their Rights
Under Article 28 of the Law, data subjects cannot exercise the above rights in the following cases, and the processing of personal data in these cases falls outside the scope of the Law and this Policy:
4. Exercising the Rights of the Data Subject
Data subjects can submit their requests related to the rights listed in this Policy by providing identification information and documents through the following methods:
Submission Details:
Application Method | Address for Submission | Information to Include
In-person submission | REBUL JCR KOZMETIK PAZARLAMA ANONIM ŞIRKETI Huzur Mahallesi Sude Sokak No:5 Maslak/Sarıyer/İstanbul | "Request for Information Under the Personal Data Protection Law" on the envelope
By notary | info@atelierrebul.com | "Request for Information Under the Personal Data Protection Law" on the notification envelope
By secure electronic signature | info@atelierrebul.com | "Request for Information Under the Personal Data Protection Law" in the email subject line
5. Company’s Procedure and Timeframe for Responding to Applications
The Company responds to requests included in applications as soon as possible and within no more than 30 days, depending on the nature of the request. The Company reserves the right to request additional documents and information to verify identity and authority to eliminate legal risks associated with unlawful or incorrect data sharing. The Company accepts or rejects the request, providing its justification, and communicates its response in writing or electronically. If the request is accepted, the Company fulfills the requirement.
If the application exceeds 10 pages, a processing fee of 1 Turkish Lira per additional page will be charged, as stipulated under the "Communiqué on the Principles and Procedures for Applications to the Data Controller."
6. Data Subject’s Right to Lodge a Complaint with the Personal Data Protection Board
If an application is rejected, the response is deemed insufficient, or the application is not answered within the specified time, the data subject has the right to file a complaint with the Personal Data Protection Board within 30 days of learning the response and, in any case, within 60 days of the application.
SECTION TEN: PERSONNEL RESPONSIBLE FOR POLICY COMPLIANCE
Within the Company, a Personal Data Committee has been established by the decision of the Company’s senior management to manage this Policy and other related policies. The Personal Data Committee is authorized and responsible for ensuring that personal data of data subjects is stored and processed in accordance with the law, this Policy, and related policies. The main duties of this Committee are as follows:
SECTION ELEVEN: UPDATES AND CHANGES
The Company reserves the right to amend this Policy and other related policies in line with changes to the Law and related legislation, decisions of the Personal Data Protection Board, and/or developments in the sector or the field of information technology. Any changes to this Policy are immediately incorporated into the text, and explanations regarding the changes are specified in this section.
07/04/2018: The Policy on the Processing and Protection of Personal Data was approved and enacted by the Company’s Board of Directors.