
Personal Data Protection Policy

REBUL JCR COSMETICS MARKETING JOINT STOCK COMPANY


POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA


March 1, 2022

CONTENTS


Policy on the Protection and Processing of Personal Data


SECTION ONE: GENERAL INFORMATION ABOUT THE POLICY


  1. Introduction
  2. Purpose of the Policy
  3. Scope of the Policy
  4. Definitions
  5. Enforcement of the Policy


SECTION TWO: CLASSIFICATION OF PERSONAL DATA


  1. Personal Data
  2. Special Categories of Personal Data


SECTION THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES


  1. Categorization of Personal Data


SECTION FOUR: PROCESSING OF PERSONAL DATA


  1. General Principles in Processing Personal Data
  2. Conditions for Processing Personal Data
  3. Conditions for Processing Special Categories of Personal Data
  4. Our Purposes for Processing Personal Data


SECTION FIVE: TRANSFER OF PERSONAL DATA


  1. Conditions for the Transfer of Personal Data
  2. Conditions for the Transfer of Personal Data Abroad
  3. Our Purposes for Transferring Personal Data and Third Parties to Whom Data May Be Transferred
  4. Personal Data to Be Transferred to Foreign Countries


SECTION SIX: METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA


  1. Method and Legal Basis for Collecting Personal Data


SECTION SEVEN: DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA


  1. Deletion, Destruction, or Anonymization of Personal Data
  2. Retention and Disposal Period for Personal Data


SECTION EIGHT: MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA


  1. Technical Measures Taken to Ensure Personal Data Security
  2. Administrative Measures Taken to Ensure Personal Data Security
  3. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data
  4. Monitoring of Measures Taken to Protect Personal Data
  5. Enhancing Employee Awareness and Supervision Regarding the Protection and Processing of Personal Data


SECTION NINE: RIGHTS OF DATA SUBJECTS


  1. Informing the Data Subject
  2. Rights of the Data Subject
  3. Cases Where the Data Subject Cannot Exercise Their Rights
  4. Exercising the Data Subject’s Rights
  5. Procedures and Timeframes for the Company’s Responses to Applications
  6. The Data Subject's Right to File a Complaint with the Personal Data Protection Board


SECTION TEN: PERSONNEL RESPONSIBLE FOR POLICY COMPLIANCE


SECTION ELEVEN: UPDATES AND CHANGES


POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA


SECTION ONE: GENERAL INFORMATION ABOUT THE POLICY


1. Introduction

As REBUL JCR COSMETICS MARKETING JOINT STOCK COMPANY ("Company"), acting as a "data controller" under Law No. 6698 on the Protection of Personal Data ("Law"), we prioritize the processing of personal data of individuals associated with our Company, including our customers, consumers, website users, and employees, in accordance with the Law and related regulations. We are also committed to ensuring the effective exercise of the rights of data subjects whose data is processed. All procedures regarding the processing, storage, and transfer of personal data of all data subjects we engage with during our activities are carried out in accordance with this Policy on the Protection and Processing of Personal Data ("Policy"). Protecting personal data and respecting the fundamental rights and freedoms of individuals whose data is collected is the core principle of this Policy.

2. Purpose of the Policy

The primary purpose of this Policy is to establish the methods we follow for processing, storing, transferring, and deleting or anonymizing the personal data shared with our Company by data subjects during commercial, social responsibility, and similar activities, as specified under the principles of the Law. This Policy aims to ensure full compliance with the applicable legislation in all personal data processing and protection activities carried out by our Company and to safeguard the rights of personal data subjects arising from the legislation.

3. Scope of the Policy

The scope of this Policy includes the personal data of all data subjects we engage with during our activities, such as our employees, visitors, business contacts, business partners, customers, potential customers, suppliers, and users of our website.

The protection of personal data only applies to the data of natural persons. Information belonging to legal entities that does not include data related to identifiable natural persons is excluded from the protection of personal data under the Law. Therefore, this Policy does not apply to data belonging to legal entities.

4. Definitions

The terms used in this Policy are defined as follows:

  • Explicit Consent: Consent that relates to a specific issue, is informed, and is given freely.
  • Anonymization: The process of making personal data incapable of being associated with an identifiable natural person, even when combined with other data.
  • Data Subject: A natural person whose personal data is processed.
  • KEP (Registered Electronic Mail Address): A system that securely preserves commercial and legal correspondence and document sharing, ensuring the sender and recipient are accurately identified, and the content is tamper-proof, legally valid, and secure as conclusive evidence.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: Any operation performed on personal data, wholly or partly, through automatic means or non-automatic means as part of any data recording system, such as obtaining, recording, storing, maintaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing its use.
  • Board: The Personal Data Protection Board.
  • Authority: The Personal Data Protection Authority.
  • Special Categories of Personal Data: Data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
  • Data Recording System: A recording system where personal data is processed based on specific criteria.
  • Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

5. Enforcement of the Policy

This Policy was approved by the Company’s Board of Directors and entered into force on April 7, 2018. If changes to the Policy are necessary, the relevant provisions will be updated accordingly. Any amendments made to the Policy are incorporated immediately into the text, and explanations regarding these changes are specified in Section Eleven of this Policy.

SECTION TWO: CLASSIFICATION OF PERSONAL DATA


1. Personal Data

Personal data includes any information relating to an identified or identifiable natural person. In accordance with the legislation, the term "personal data" used in this Policy also encompasses special categories of personal data.

2. Special Categories of Personal Data

Special categories of personal data include information about an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.



SECTION THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES


1. Categorization of Personal Data

The Company processes personal data under the categories listed below, in accordance with Article 10 of the Law, by informing the relevant data subjects. This section also specifies the types of data subjects to whom the personal data in these categories relate, as governed by this Policy.

CATEGORIZATION OF PERSONAL DATA

Category: Description

  • Identity Information: Information processed automatically or non-automatically as part of a data recording system, such as name-surname, national ID number, nationality, marital status, date of birth, ID photocopy, social security number, signature, driver’s license details, etc.
  • Contact Information: Information such as phone number, address, email, and social media account that is processed automatically or non-automatically as part of a data recording system.
  • Family and Close Relations: Information about the personal data subject’s family members and relatives, processed in relation to our products and services or to protect the Company’s and the data subject’s legal interests.
  • Financial Information: Information created based on the legal relationship established with the personal data subject, such as financial and salary details, credit risk reports, premium lists, debt information, bank details, monthly salary slips, and insurance premium payment details.
  • Performance and Career Development Information: Information processed to measure the performance and plan the career development of employees or individuals working with the Company, such as training participation forms, hours and duration of training, exam results, promotion evaluations, performance reports, disciplinary investigation records, annual leave records, resignation letters, application forms, resumes, etc.
  • Special Categories of Personal Data: Data specified in Article 6 of the Law, including health insurance, medical reports, health declarations, pregnancy status, occupational disease records, pre-employment medical examination forms, daily patient complaints, medications used, biometric data, criminal records, religious beliefs, lists of fasting individuals, psychotechnical documents, etc.
  • Educational Information: Information such as educational background, certificate copies, and diploma copies that is processed automatically or non-automatically as part of a data recording system.
  • Visual and Auditory Data: Information processed automatically or non-automatically as part of a data recording system, such as photographs, audio recordings, and camera recordings.
  • Other Information: Miscellaneous data such as vehicle details, company computer IP information, web browsing activity, hobbies, discharge certificates, military service details, employment contracts, assignment forms, card access system logs, work hours, license photocopies, supplier company employment forms, and disciplinary investigation records.


A detailed table specifying the personal data categories and types of personal data processed for each data subject category mentioned above is included below.


CATEGORIZATION OF PERSONAL DATA: DATA SUBJECT CATEGORY RELATED TO THE PERSONAL DATA

Personal Data Category: Data Subject Category

  • Identity Information: Customer, supplier, job applicant, employee, company representative, visitor, employees of institutions we collaborate with, third party
  • Contact Information: Customer, supplier, job applicant, employee, company representative, visitor, employees or representatives of institutions we collaborate with, third party
  • Family and Close Relations: Job applicant, employee
  • Financial Information: Customer, employee, supplier, employees, shareholders, and representatives of institutions we collaborate with
  • Performance and Career Development Information: Job applicant, employee, employees of institutions we collaborate with
  • Educational Information: Job applicant, employee
  • Special Categories of Personal Data: Job applicant, employee, company representative
  • Visual and Auditory Data: Customer, employee, supplier, visitor
  • Other Information: Customer, job applicant, employee, company representative, visitor, supplier, employees, shareholders, and representatives of institutions we collaborate with, third party


SECTION FOUR: PROCESSING OF PERSONAL DATA


1. General Principles for Processing Personal Data


Personal data is processed by our Company in compliance with the procedures and principles outlined in the Law and this Policy. The Company adheres to the following principles when processing personal data:


  • Compliance with the Law and Good Faith Principles: Personal data is processed in accordance with legal rules and the requirements of good faith.
  • Accuracy and Keeping Data Up to Date: Personal data is ensured to be accurate and up to date. This includes verifying the accuracy of the sources from which the data is obtained, confirming its validity, and evaluating whether updates are required.
  • Processing for Specific, Explicit, and Legitimate Purposes: Personal data is processed for specific, clear, and lawful purposes. The legitimacy of the purpose implies that the personal data processed by the Company is related to and necessary for the work performed or services provided.
  • Data Processing Relevant, Limited, and Proportional to the Purpose: Personal data is processed in a manner relevant and proportional to the purposes defined by the Company. The Company avoids processing unrelated or unnecessary personal data and limits processing to what is essential for achieving the purpose.
  • Retention for the Necessary Duration: Personal data is retained for the period stipulated in the applicable legislation or for the time necessary for the purposes for which it was processed. When the reason for retaining personal data no longer exists, it is deleted, destroyed, or anonymized.



2. Conditions for Processing Personal Data


The Company does not process personal data without the explicit consent of the data subject. However, personal data may be processed without consent under the following circumstances:


  • Explicit Provisions in the Law: Personal data may be processed without consent if explicitly stipulated by the law. For example, under Article 230 of the Tax Procedure Law, the inclusion of the individual’s name on an invoice does not require their explicit consent.
  • Inability to Obtain Consent Due to Impossibility: Personal data may be processed without consent if it is necessary to protect the life or physical integrity of the person or another person when the data subject is unable to provide consent due to physical impossibility or lack of legal capacity. For instance, during a medical intervention to preserve life, personal data such as blood type or past medical records may be processed without explicit consent.
  • Necessity for Contract Formation or Execution: If personal data processing is directly related to the establishment or execution of a contract to which the data subject is a party, it may be processed without consent. For example, the account number of a creditor may be processed to facilitate payment under a contract.
  • Fulfillment of Legal Obligations: Personal data may be processed if it is necessary for the Company, as the data controller, to fulfill its legal obligations.
  • Public Disclosure by the Data Subject: If the data subject has made their personal data public, it may be processed without explicit consent.
  • Establishment, Exercise, or Protection of Legal Rights: Personal data may be processed if necessary for establishing, exercising, or protecting legal rights.
  • Legitimate Interests of the Data Controller: Personal data may be processed to meet the legitimate interests of the Company, provided that this does not infringe upon the fundamental rights and freedoms of the data subject. The Company is committed to maintaining a balance between its legitimate interests and the protection of personal data in accordance with the principles set forth in this Policy.



3. Conditions for Processing Special Categories of Personal Data


The Company does not process special categories of personal data without the explicit consent of the data subject. However, personal data related to health and sexual life may be processed without consent under certain conditions, such as:


  • For the protection of public health, preventive medicine, medical diagnosis, treatment, and care services.
  • For planning and managing health services and financing, provided confidentiality obligations are adhered to.

The Company ensures compliance with the adequate safeguards specified by the Personal Data Protection Board when processing special categories of personal data.




4. Our Purposes for Processing Personal Data

The personal data collected by the Company is processed for the purposes listed below, in accordance with the personal data processing conditions specified in Articles 5 and 6 of the Law. If the processing activity related to the specified purposes does not meet any of the conditions outlined in the Law, the explicit consent of the data subject is obtained by the Company for the relevant processing activity.

  1. Carrying out our commercial and administrative activities.
  2. Sending all types of commercial electronic messages, especially SMS, voice, and/or other marketing messages, in accordance with Law No. 6563 on the Regulation of Electronic Commerce.
  3. Providing support services to customers within the framework of the contract and service standards.
  4. Identifying the preferences and needs of our customers and tailoring and updating the services provided to them accordingly.
  5. Fulfilling our legal obligations as required or mandated by legal regulations.
  6. Managing surveys, competitions, promotions, and sponsorship processes.
  7. Communicating with individuals in a business relationship with the Company.
  8. Advertising and marketing.
  9. Compliance management.
  10. Vendor/supplier management.
  11. Legal reporting.
  12. Invoicing.
  13. Planning and implementing the best human resources policies.
  14. Correctly planning, executing, and managing commercial partnerships and strategies.
  15. Ensuring the legal, commercial, and physical security of the Company and its business partners.
  16. Ensuring corporate functioning and planning and executing management and communication activities.
  17. Maximizing the benefit of products and services for data subjects and customizing suggestions based on their demands, needs, and preferences.
  18. Ensuring the highest level of data security.
  19. Creating databases.
  20. Developing services provided on the website and fixing errors occurring on the site.
  21. Communicating with data subjects who submit requests and complaints and managing such requests and complaints.
  22. Event management.
  23. Managing personnel recruitment processes.
  24. Supporting the recruitment processes and compliance with the relevant legislation for Group Companies.
  25. Planning and executing audit activities to ensure that Group Companies’ activities comply with the relevant legislation.
  26. Supporting the planning and execution of benefits and perks provided to senior executives of the Company and Group Companies.
  27. Assisting with corporate and partnership law transactions of Group Companies.
  28. Conducting and/or monitoring financial reporting and risk management processes.
  29. Conducting and/or monitoring the Company’s legal affairs.
  30. Carrying out activities to protect the Company’s reputation.
  31. Managing investor relations.
  32. Creating and tracking visitor logs.
  33. Planning and executing activities to ensure business continuity and operational management.
  34. Monitoring financial and/or accounting affairs.
  35. Providing information to authorized institutions as required by legislation.
  36. Planning and managing access privileges of business partners and/or suppliers.
  37. Planning and managing customer relationship management processes.
  38. Monitoring customer requests and/or complaints.
  39. Managing contract processes and/or legal demands.
  40. Planning and executing market research activities for the sales and marketing of services.
  41. Managing purchasing operations.
  42. Planning and executing processes to create and/or enhance loyalty to the Company’s products and/or services.


For ensuring the execution of the Company’s human resources policies:


  • Complying with occupational health and safety obligations and taking necessary measures.
  • Evaluating job applications in accordance with the Company’s human resources policies.
  • Fulfilling obligations arising from employment contracts and/or legislation for Company employees.
  • Managing employee onboarding and offboarding processes.
  • Evaluating compensation and performance processes.
  • Managing salaries and payrolls.
  • Planning and/or executing in-house training activities.

For ensuring the legal and commercial security of the Company and individuals in a business relationship with the Company:


  • Planning and executing operational activities to ensure that Company operations comply with procedures and/or relevant legislation.
  • Ensuring the security of the Company’s premises and/or facilities.
  • Ensuring the security of Company assets and/or resources.
  • Ensuring the security of Company operations.
  • Planning and executing emergency management processes.

For determining and implementing the Company’s commercial and business strategies:


  • Conducting social responsibility activities organized by the Company.
  • Managing in-house systems and application operations.

SECTION FIVE: TRANSFER OF PERSONAL DATA


1. Conditions for Transferring Personal Data

As a Company, we adhere to the provisions of the Law and the decisions and regulations issued by the Personal Data Protection Board when transferring personal data. Except for exceptional cases specified in the legislation, personal data and special categories of personal data are not transferred to other natural or legal persons without the explicit consent of the data subject. However, personal data may be transferred without explicit consent in the following cases:

  1. In situations specified in Article 2 of Section Four of this Policy.
  2. For special categories of personal data, in situations specified in Article 2 of Section Four of this Policy.
  3. With the necessary measures taken as stipulated by the Board and relevant legislation, special categories of personal data related to health and sexual life may be transferred without explicit consent to individuals or authorized institutions and organizations bound by confidentiality obligations, for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing.




2. Conditions for Transferring Personal Data Abroad

As a rule, personal data is not transferred abroad without the explicit consent of the data subject. However, in cases where one of the exceptions outlined in Article 2 of Section Four of this Policy applies, personal data may be transferred abroad under the following conditions:

  1. If the third party is located in a country deemed by the Board to provide adequate protection.
  2. If the third party is in a country without adequate protection, provided that the data controllers in Turkey and the foreign country commit to ensuring adequate protection in writing and the Board grants permission.




3. Purposes for Transferring Personal Data and Third Parties to Whom Data May Be Transferred

Personal data may be transferred for the following purposes:

  1. Carrying out commercial and administrative activities.
  2. Sending all types of commercial electronic messages, including SMS, voice, and other marketing messages, in accordance with Law No. 6563 on the Regulation of Electronic Commerce.
  3. Providing support services to customers within the scope of contracts and service standards.
  4. Identifying customer preferences and needs to shape and update services accordingly.
  5. Fulfilling legal obligations as required by regulations.
  6. Managing surveys, competitions, promotions, and sponsorships.
  7. Maintaining contact with individuals in a business relationship with the Company.
  8. Advertising and marketing.
  9. Compliance management.
  10. Vendor/supplier management.
  11. Legal reporting.
  12. Invoicing.
  13. Planning and implementing the best human resources policies.
  14. Planning, executing, and managing commercial partnerships and strategies.
  15. Ensuring the legal, commercial, and physical security of the Company and its business partners.
  16. Ensuring corporate functioning and planning and executing management and communication activities.
  17. Maximizing the benefit of services for data subjects and tailoring services to their demands, needs, and preferences.
  18. Ensuring the highest level of data security.
  19. Creating databases.
  20. Developing services provided on the website and fixing errors occurring on the site.
  21. Communicating with data subjects who submit requests and complaints and managing such requests and complaints.
  22. Event management.
  23. Managing personnel recruitment processes.
  24. Supporting recruitment processes and compliance for Group Companies.
  25. Planning and executing audit activities to ensure compliance with relevant legislation for Group Companies.
  26. Supporting the planning and execution of benefits and perks for senior executives of the Company and Group Companies.
  27. Assisting with corporate and partnership law transactions of Group Companies.
  28. Conducting and/or monitoring financial reporting and risk management processes.
  29. Conducting and/or monitoring the Company’s legal affairs.
  30. Carrying out activities to protect the Company’s reputation.
  31. Managing investor relations.
  32. Creating and tracking visitor logs.
  33. Planning and executing activities to ensure business continuity and operational management.
  34. Planning and executing dealership/authorized seller operations, customs operations, production, and/or operational processes.
  35. Monitoring financial and/or accounting affairs.
  36. Providing information to authorized institutions as required by legislation.
  37. Planning and executing corporate communication activities.
  38. Planning and managing supply chain and logistics activities.
  39. Planning and executing operational processes.
  40. Planning and managing access privileges for business partners and/or suppliers.
  41. Planning and managing customer relationship management processes.
  42. Monitoring customer requests and/or complaints.
  43. Managing contract processes and/or legal demands, including customer insurance processes.
  44. Planning and executing market research activities for the sale and marketing of services.
  45. Managing sales, after-sales operations, and purchasing operations.
  46. Planning and/or executing processes to create or increase loyalty to the services provided by the Company.


For ensuring the execution of the Company’s human resources policies:


  • Complying with occupational health and safety obligations and taking necessary measures.
  • Evaluating job applications in accordance with the Company’s human resources policies.
  • Fulfilling obligations arising from employment contracts and/or legislation for Company employees.
  • Managing employee onboarding and offboarding processes.
  • Evaluating compensation and performance processes.
  • Managing salaries and payrolls.
  • Planning and/or executing in-house training activities.


For ensuring the legal and commercial security of the Company and individuals in a business relationship with the Company:


  • Planning and executing operational activities to ensure compliance with Company procedures and/or relevant legislation.
  • Ensuring the security of the Company’s premises and/or facilities.
  • Ensuring the security of Company assets and/or resources.
  • Ensuring the security of Company operations.
  • Planning and executing emergency management processes.


For determining and implementing the Company’s commercial and business strategies:


  • Conducting social responsibility activities organized by the Company.
  • Managing in-house systems and application operations.


Personal data may be transferred to:


  1. Our suppliers.
  2. Our business partners and affiliates.
  3. Our subsidiaries and group companies.
  4. Authorized public institutions and organizations.
  5. Authorized private law entities.
  6. Our shareholders.


Transfers are conducted in accordance with the principles and rules set forth in this Policy.




4. Personal Data Envisaged for Transfer to Foreign Countries

The Company does not transfer any personal data to third parties residing abroad during its operations.

SECTION SIX: METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA


1. Method and Legal Basis for Collecting Personal Data

Personal data is collected by our Company through technical and procedural methods implemented across various channels such as our website, registration forms, and physical platforms, or through verbal, written, or electronic means. This is done either partially or fully automatically or via non-automated methods that form part of a data recording system. The collection of personal data is carried out based on applicable legislation, contracts, requests, commercial practices, and principles of good faith. It is intended to provide commercial services to you, conduct commercial activities, fulfill the legal obligations of our Company, execute the requirements of our business relationship with you, and protect our mutual rights, while respecting the fundamental rights and freedoms of personal data subjects.

Highlighted data collection methods, purposes, and activities include the following:




a) Monitoring Activities Using Cameras at Building and Facility Entrances and Within Premises

Our Company conducts camera surveillance activities to improve the quality and reliability of services, ensure the safety of the Company, customers, and other individuals, and protect the interests of customers regarding the services they receive.

i. Legal Basis for Camera Surveillance

The camera surveillance activities conducted by our Company are carried out in compliance with applicable legal regulations and statutory provisions.

ii. Conducting Camera Surveillance in Compliance with Personal Data Protection Law

Our Company adheres to the provisions of the Personal Data Protection Law (KVKK) while conducting camera surveillance for security purposes. Camera surveillance activities are carried out at our buildings and facilities to ensure security, in line with the purposes specified by law and the personal data processing conditions listed in the GDPR.

iii. Notification of Camera Surveillance Activities

In compliance with Article 10 of the GDPR, personal data subjects are informed about camera surveillance activities. The aim is to prevent harm to the fundamental rights and freedoms of personal data subjects, ensure transparency, and provide proper notification. For this purpose, the Policy is published on our Company’s website (online policy arrangement), and notices regarding surveillance are posted at the entrances of monitored areas (on-site notification).

iv. Purpose and Scope of Camera Surveillance

In accordance with Article 4 of the GDPR, personal data is processed in a manner relevant, limited, and proportional to its purpose. The use of surveillance cameras is strictly confined to the purposes outlined in this Policy, with the number, placement, and timing of cameras limited to what is necessary to achieve security objectives. Areas where monitoring could lead to excessive intrusion into privacy (e.g., restrooms) are not subject to surveillance.

v. Ensuring the Security of Collected Data

In compliance with Article 12 of the GDPR, technical and administrative measures are taken to ensure the security of personal data obtained through camera surveillance, as outlined in this Policy.

vi. Access and Sharing of Collected Data

Digital recordings are accessed and stored by a limited number of Company employees. Live footage can only be viewed by employees responsible for security and administrative tasks. Employees with access to recordings sign confidentiality agreements to affirm their commitment to data protection.



b) Tracking Guest Entries and Exits at Building and Facility Entrances

To ensure security and for the purposes outlined in this Policy, our Company processes personal data related to guest entries and exits at its buildings and facilities.

Personal data such as the names and surnames of guests visiting the Company’s premises are collected. Visitors are informed of this data collection via notices displayed or made accessible in the Company’s buildings or through other means. Data collected for monitoring guest entries and exits is processed solely for this purpose and recorded in a physical data recording system.




c) Internet Site Visitors

Our Company uses technical tools (e.g., cookies) on its websites to ensure that visitors can use the site appropriately, to provide customized content, and to carry out online advertising activities. Internet activity within the site is recorded in alignment with these purposes.

SECTION SEVEN: DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA


1. Deletion, Destruction, or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction, or anonymization of personal data, our Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject when the reasons requiring its processing no longer exist. Personal data is destroyed in such a way that it can no longer be used or retrieved under any circumstances. Accordingly, personal data is irretrievably deleted from the records in mediums such as documents, files, CDs, floppy disks, and hard drives. Destruction refers to destroying the mediums where data is stored (e.g., documents, files, CDs, floppy disks, hard drives) in a way that the information cannot be retrieved or used again. Anonymization refers to making personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data.

2. Retention and Disposal Period for Personal Data

The Company retains personal data for the period specified in the relevant legislation. If no retention period is stipulated in the legislation, personal data is processed for the duration required by the activity related to the processing and in accordance with the Company's practices and commercial customs. Once the processing purpose is fulfilled, the data is deleted, destroyed, or anonymized.

If the purpose of processing personal data has ended and the relevant retention periods stipulated by the legislation and the Company have also expired, personal data may be retained solely for the purpose of serving as evidence in potential legal disputes or for asserting or defending a related right. The retention period in such cases is determined based on the statute of limitations for asserting the right or examples of prior requests made to the Company on similar matters, even after the statute of limitations has passed. During this period, the retained personal data is not accessed for any other purpose and is only accessed when required in the relevant legal dispute. Once this period also expires, the personal data is deleted, destroyed, or anonymized.


SECTION EIGHT: MEASURES TAKEN TO ENSURE PERSONAL DATA SECURITY


In compliance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unauthorized access to data, and ensure its preservation. The Company conducts or has conducted the necessary audits within this scope.




1. Technical Measures Taken for Personal Data Security


To ensure the security and preservation of personal data, the Company takes technical measures including, but not limited to, the following:


  1. Organizing internal technical systems to process and store personal data in compliance with the legislation.
  2. Establishing technical infrastructure to secure databases where personal data is stored.
  3. Monitoring and auditing the processes of the established technical infrastructure.
  4. Defining procedures for reporting the measures taken and auditing processes.
  5. Periodically updating and renewing technical measures.
  6. Reviewing risky situations and producing necessary technological solutions.
  7. Using software and hardware security products such as antivirus systems and firewalls and implementing security systems that align with technological advancements.
  8. Conducting regular security scans to identify vulnerabilities in applications where personal data is collected and addressing the identified issues.
  9. Using lawful backup programs to ensure secure storage of personal data.
  10. Restricting access to environments where personal data is stored, allowing only authorized personnel to access data within the scope of its purpose, and logging access attempts to identify unauthorized access or attempts and notify relevant parties in real-time.
  11. Employing experts in technical matters.




2. Administrative Measures Taken for Personal Data Security


To protect personal data, the Company takes administrative measures including, but not limited to, the following:


  1. Establishing policies and procedures for personal data access for employees, including those of group companies and subsidiaries.
  2. Informing and training employees on the lawful protection and processing of personal data.
  3. Including provisions in employee contracts or policies specifying measures to be taken in case of unlawful processing of personal data.
  4. Including obligations in contracts and instructions signed with employees to prevent the unlawful processing, disclosure, or misuse of personal data and conducting audits to ensure compliance.
  5. Informing employees that their obligation not to disclose or misuse personal data they have learned continues after their employment ends and obtaining commitments from them.
  6. Including provisions in contracts with individuals to whom personal data is lawfully transferred, requiring them to take the necessary security measures and ensure compliance within their organizations.
  7. Defining the scope of personal data access based on employees’ roles and positions and regularly reviewing and limiting these authorizations.
  8. Following developments in information security, privacy, and personal data protection and taking necessary actions with legal and technical consultancy.
  9. Ensuring compliance with the Law and related regulations for data processors and other data controllers the Company collaborates with and providing appropriate guidance.




3. Procedures to Follow in Case of Unauthorized Disclosure of Personal Data


In accordance with Article 12 of the Law, if personal data processed by the Company is unlawfully accessed by others, the Company notifies the affected data subject and the Personal Data Protection Board as soon as possible.




4. Monitoring Measures Taken to Protect Personal Data


The Company conducts or commissions audits to ensure compliance with Article 12 of the GDPR. The results of these audits are reported to the relevant department within the Company’s internal operations, and necessary activities are carried out to improve the measures.




5. Increasing Employee Awareness and Monitoring Regarding Personal Data Protection and Processing


To prevent unlawful processing of and unauthorized access to personal data, and to ensure the preservation of data, the Company organizes training sessions for existing and newly hired employees to raise awareness.


The outcomes of training sessions aimed at increasing employee awareness are reported to the Company. Participation in these training sessions, seminars, and briefings is evaluated, and necessary audits are conducted or commissioned. The Company updates and renews its training programs in line with updates to the relevant legislation.


SECTION NINE: RIGHTS OF THE DATA SUBJECT


1. Informing the Data Subject

Our Company informs data subjects during the acquisition of personal data in accordance with Article 10 of the Law. In this context, the identity of the Company’s representative, if any, the purposes of processing personal data, the recipients and purposes for which personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the data subject are disclosed.



2. Rights of the Data Subject

In accordance with Article 11 of the Law, the Company informs individuals whose personal data is collected about the following rights:

  1. To learn whether their personal data has been processed.
  2. To request information if their personal data has been processed.
  3. To learn the purpose of processing personal data and whether it is used in accordance with the intended purpose.
  4. To know the third parties to whom their personal data has been transferred, domestically or abroad.
  5. To request correction of their personal data if it has been processed incompletely or inaccurately.
  6. To request the deletion or destruction of personal data under the conditions set forth in Article 7 of the Law.
  7. To request notification of the actions taken under subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom the personal data has been transferred.
  8. To object to the processing of personal data that has been analyzed exclusively by automated systems, resulting in an outcome unfavorable to the data subject.
  9. To demand compensation for damages incurred due to the unlawful processing of personal data.




3. Cases Where the Data Subject May Not Exercise Their Rights

Under Article 28 of the Law, data subjects cannot exercise the above rights in the following cases, and the processing of personal data in these cases falls outside the scope of the Law and this Policy:

  1. If personal data is processed within the scope of activities involving the data subject or family members living in the same residence, provided it is not shared with third parties and complies with data security obligations.
  2. If personal data is processed for purposes such as research, planning, and statistics by anonymizing it for official statistics.
  3. If personal data is processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime.
  4. If personal data is processed within the scope of preventive, protective, and intelligence activities carried out by authorized public institutions and organizations for national defense, national security, public safety, public order, or economic security.
  5. If personal data is processed by judicial authorities or enforcement agencies for investigation, prosecution, trial, or execution procedures.

Under Article 28/2 of the Law, in the following cases, data subjects cannot exercise the rights listed above except for the right to demand compensation for damages:


  1. If personal data processing is necessary to prevent the commission of a crime or for a criminal investigation.
  2. If personal data has been made public by the data subject themselves.
  3. If personal data processing is necessary for auditing or regulatory functions by authorized public institutions or public professional organizations within their legal authority.
  4. If personal data processing is necessary to protect the economic and financial interests of the State concerning budget, tax, and financial matters.




4. Exercising the Rights of the Data Subject

Data subjects can submit their requests related to the rights listed in this Policy by providing identification information and documents through the following methods:

  • By personally submitting a written request at the Company’s headquarters.
  • Through a notary.
  • By sending a request signed with a "secure electronic signature" as defined by the Electronic Signature Law No. 5070 to the Company’s registered email address (info@atelierrebul.com).


Submission Details:

| Application Method | Address for Submission | Information to Include |
|---|---|---|
| In-person submission | REBUL JCR KOZMETIK PAZARLAMA ANONIM ŞIRKETI Huzur Mahallesi Sude Sokak No:5 Maslak/Sarıyer/İstanbul | "Request for Information Under the Personal Data Protection Law" on the envelope |
| By notary | info@atelierrebul.com | "Request for Information Under the Personal Data Protection Law" on the notification envelope |
| By secure electronic signature | info@atelierrebul.com | "Request for Information Under the Personal Data Protection Law" in the email subject line |




5. Company’s Procedure and Timeframe for Responding to Applications

The Company responds to requests included in applications as soon as possible and within no more than 30 days, depending on the nature of the request. The Company reserves the right to request additional documents and information to verify identity and authority to eliminate legal risks associated with unlawful or incorrect data sharing. The Company accepts or rejects the request, providing its justification, and communicates its response in writing or electronically. If the request is accepted, the Company fulfills the requirement.

If the application exceeds 10 pages, a processing fee of 1 Turkish Lira per additional page will be charged, as stipulated under the "Communiqué on the Principles and Procedures for Applications to the Data Controller."




6. Data Subject’s Right to Lodge a Complaint with the Personal Data Protection Board

If an application is rejected, the response is deemed insufficient, or the application is not answered within the specified time, the data subject has the right to file a complaint with the Personal Data Protection Board within 30 days of learning the response and, in any case, within 60 days of the application.

SECTION TEN: PERSONNEL RESPONSIBLE FOR POLICY COMPLIANCE


Within the Company, a Personal Data Committee has been established by the decision of the Company’s senior management to manage this Policy and other related policies. The Personal Data Committee is authorized and responsible for ensuring that personal data of data subjects is stored and processed in accordance with the law, this Policy, and related policies. The main duties of this Committee are as follows:


  1. Preparing and submitting the fundamental policies related to the Protection and Processing of Personal Data for the approval of senior management and implementing them.
  2. Deciding on the implementation and monitoring of policies related to the Protection and Processing of Personal Data, making internal assignments, and ensuring coordination; submitting these decisions for senior management’s approval.
  3. Identifying necessary measures to ensure compliance with the Personal Data Protection Law and relevant legislation, submitting proposals for approval to senior management, overseeing implementation, and ensuring coordination.
  4. Increasing awareness within the Company and with institutions collaborating with the Company on the Protection and Processing of Personal Data.
  5. Identifying risks that may arise in personal data processing activities and ensuring necessary precautions are taken; submitting improvement proposals for senior management approval.
  6. Designing and ensuring the execution of training programs related to the protection of personal data and the implementation of policies.
  7. Making high-level decisions on applications submitted by personal data subjects.
  8. Coordinating informational and educational activities to inform personal data subjects about processing activities and their legal rights.
  9. Preparing and submitting changes to the fundamental policies on the Protection and Processing of Personal Data for senior management approval and implementing them.
  10. Monitoring developments and regulations related to the Protection of Personal Data and advising senior management on necessary actions within the Company.
  11. Coordinating relations with the Personal Data Protection Board and Authority.
  12. Carrying out other tasks assigned by senior management regarding the protection of personal data.




SECTION ELEVEN: UPDATES AND CHANGES


The Company reserves the right to amend this Policy and other related policies in line with changes to the Law and related legislation, decisions of the Personal Data Protection Board, and/or developments in the sector or the field of information technology. Any changes to this Policy are immediately incorporated into the text, and explanations regarding the changes are specified in this section.


07/04/2018: The Policy on the Processing and Protection of Personal Data was approved and enacted by the Company’s Board of Directors.