PERSONAL DATA PROTECTION AND PROCESSING POLICY

 

 

INTRODUCTION

1. Purpose and Scope of the Policy

1. Law No. 6698 on the Protection of Personal Data ("Law") entered into force on April 7, 2016 and this Personal Data Processing and Protection Policy ("Policy") aims to ensure the compliance of Akeramos Kültür Sanat Faaliyetleri Limited Şirketi ( "the Company") with the Law and to determine the principles to be followed by the Company in fulfilling its obligations regarding the protection and processing of personal data.

The Policy determines the conditions for processing personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, the owners of all personal data processed by the Company and all personal data processed by the Company.

Issues regarding the processing of personal data of Company employees are not covered by this Policy and are separately regulated in the Policy on Processing and Protection of Employee Personal Data.

 

Definitions of terms used in the Policy are provided in Annex 1.

 

2. Enforcement and Amendment

The Policy has been published on the Company's website and made available to the public. In case of any conflict between the legislation in force, particularly the Law, and the regulations set forth in this Policy, the provisions of the legislation shall apply.

The Company reserves the right to make changes to the Policy in line with legal regulations. The current version of the Policy can be accessed from the Company website at www.anemoiaofficial.com 

 

2. ACTIVITIES CARRIED OUT BY OUR COMPANY

• Conducting finance and accounting activities
• Conducting e-commerce activities
• Conducting sales and marketing activities
• Conducting Human Resources activities
• Conducting corporate communication activities

 

3. DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

1. Data Subjects

Data subjects within the scope of the Policy are all natural persons other than Company employees whose personal data are processed by the Company. In this context, the categories of data subjects are as follows:

DATA SUBJECT CATEGORIES			EXPLANATION
	Employee Candidate	Natural persons who apply for a job by sending a CV to the Company or by other means
	Intern	Real persons doing internship in the company
	Working Family	Family members of employees working in the company
	Customer Officer / Customer	Authorized representatives of legal entity customers or the natural person customer itself
	Corporate Customer	Legal entities receiving goods or services
	Potential Customer	Natural or legal persons likely to purchase goods and services online or in stores
	Supplier Employee	Employees of companies from which the company purchases products or services
	Supplier Officer	Authorized representatives of companies from which the company purchases products or services
	Shareholder	Real persons who are shareholders/partners of the Company
	Board of Directors	The company's board of directors
	Third Person	Natural persons other than the above-mentioned categories of data subjects and Company employees
	Visitor	Third parties entering the company premises
	Web Visitor	People visiting the website

 

The categories of data subjects are specified for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the nature of the data subject as stated in the Law.

2. Purposes of Processing Personal Data

Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the personal data processing conditions in the Law and the relevant legislation:

• Execution of Information Security Processes
• Execution of Employee Candidate / Intern / Student Selection and Placement Processes
• Execution of Activities in Compliance with the Legislation
• Execution of Finance and Accounting Affairs
• Execution of Company / Product / Service Loyalty Processes
• Follow-up and Execution of Legal Affairs
• Execution of Communication Activities
• Planning Human Resources Processes
• Execution of Occupational Health / Safety Activities
• Receiving and Evaluating Suggestions for Improving Businesş  Processes
• Execution of Finance and Accounting Affairs
• of Logistics Activities
• Execution of Goods / Service Procurement Processes
• Execution of Goods / Services After Sales Support Services
• Execution of Goods / Service Saleş  Processes
• Execution of Customer Relationship Management Processes
• Execution of Activities for Customer Satisfaction
• Organization and Event
• of Advertising / Campaign / Promotion Processes
• of Contract Processes
• Tracking Requests / Complaints
• Execution of Marketing Processes of Product Services
• Providing Information to Authorized Institutions and Organizations
• Creating and Tracking Visitor Records

 

3. Personal Data Categories

Your personal data categorized below are processed by the Company in accordance with the personal data processing conditions set out in the Law and the relevant legislation:

 

PERSONAL DATA CATEGORIZATION	EXPLANATION
Identity Information	All information about the identity of the person in documents such as driver's license, identity card, residence card, passport, lawyer ID, marriage certificate and title, license plate
Contact Information	Information for contacting the data subject such as phone number, address, e-mail
Personnel	Personal data that is the basis for the formation of employees' personal rights (all kinds of information and documents that must be included in the personal file by law and workplace policies) Payroll information, Disciplinary investigation, Employment document records, Property declaration information, CV information, Performance evaluation reports, Body knowledge, personality and leadership test results for PPE to be distributed within the scope of occupational health and safety activities
Process Security	Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities
Customer Transaction	Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework
Financial Information	Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner,
Professional Experience	Data on the experience of individuals who have applied to become an employee of our company or who have been evaluated as employee candidates in line with the human resources needs of our company in accordance with the commercial custom and honesty rules or who are in a working relationship with our Company
Audiovisual Recordings	Data relating to photographs or video recordings processed by the Company based on consent
Marketing	Data obtained as a result of surveys, marketing activities, cookie records, etc.
Health	Any health information relating to an identified or identifiable natural person.
Sensitive Data	Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and personal data of special nature. Special categories of personal data other than those listed above are not processed.

4. PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

1. Principles Regarding the Processing of Personal Data

Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:

• Processing of personal data in accordance with the law and good faith; The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; It attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data owners.
• Accuracy and timeliness of personal data; The Company pays attention to whether your personal data processed by the Company is up to date and to carry out the relevant checks. In this context, data subjects are given the right to request correction or deletion of their inaccurate and outdated data.
• Processing of personal data for specific, explicit and legitimate purposes; The Company determines the purposes of data processing before each personal data processing activity and ensures that these purposes are not unlawful.
• Personal data being relevant, limited and proportionate to the purpose for which it is processed; Data processing activity by the Company is limited to the personal data required to fulfill the purpose of collection and necessary steps are taken to ensure that personal data not related to this purpose are not processed.
• Retention of personal data for the period required by the legislation or processing purposes; Personal data are deleted, destroyed or anonymized by the Company after the purpose of processing personal data disappears or upon expiration of the period stipulated in the legislation.

1. Conditions Regarding the Processing of Personal Data

Your personal data is processed by the Company in the presence of at least one of the personal data processing conditions specified in Article 5 of the Law. Explanations regarding these conditions are given below:

• In cases where the explicit consent of the personal data owner does not exist in the absence of other data processing conditions, in accordance with the general principles under title 3.1., the personal data of the data owner can be processed by the Company with the free will of the data owner, having sufficient information about the personal data processing activity, in a manner that leaves no room for doubt and only if the data owner gives consent limited to that transaction.
• Personal data may be processed by the Company without the explicit consent of the data subject if the personal data processing activity is explicitly stipulated in the laws. In this case, the Company will process personal data within the framework of the relevant legal regulation.
• In the event that the explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory, personal data belonging to the data subject who is unable to disclose his consent or whose consent cannot be validated by the Company will be processed in the event that personal data processing is mandatory to protect the life or physical integrity of the data subject or a third person.
•  the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties of the contract established or already signed between the data subject and the Company.
• In the event that it is mandatory to carry out personal data processing activities in order to fulfill the legal obligation of the data controller, the Company processes personal data in order to fulfill its legal obligations stipulated under the applicable legislation.
• If the data owner has made his/her personal data public, personal data that have been disclosed to the public in any way by the data owner and made publicly available to everyone as a result of publicization may be processed by the Company limited to the purpose of publicization, even without the explicit consent of the data owners.
• In  event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company may process the personal data of the data subject without the explicit consent of the data subjects within the scope of the obligation.
• Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed by the Company  data processing is mandatory for the legitimate interests of the data controller, provided that the balance of interests of the Company and the data subject is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest to be obtained as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject and performs the processing activity if it is of the opinion that the balance is not disturbed.

4. Conditions Regarding the Processing of Sensitive Personal Data

Article 6 of the Law specifies a limited number of special categories of personal data. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

The Company may process special categories of personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:

The second paragraph of Article 6 of the Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698 has been repealed and the third paragraph has been amended as follows. Accordingly, as of June 1, 2024, sensitive personal data;

• Explicit consent of the person concerned,
• Explicitly stipulated in the law
• It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, himself/herself or someone else,
• It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
• It is mandatory for the establishment, exercise or protection of a right
• It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations,
• It is mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance,
• Foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; It can be processed if it is intended for current or former members and members or persons who are in regular contact with these organizations and formations.

Prior to June 1, 2024, sensitive personal data were processed under the following conditions.  

• Processing of sensitive personal data other than health and sexual life can be processed if the data subject gives explicit consent or if it is explicitly stipulated by law.
• Personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject.

5. TRANSFER OF PERSONAL DATA

In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data domestically or abroad if the conditions for the transfer of personal data are met.

• Transfer of personal data to third parties domestically,

Your personal data may be transferred by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy and provided that the basic principles regarding the data processing conditions are complied with.

Legal Grounds for the Transfer of Personal Data

• Explicitly stipulated in the law.
• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
• Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
• It is mandatory for the data controller to fulfill its legal obligation.
• It has been made public by the person concerned.
• Data processing is mandatory for the establishment, exercise or protection of a right.
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

• Transfer of personal data to third parties abroad,

Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law exists and there is a qualification decision on the country, sectors within the country or international organizations to which the transfer will be made.

In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is provided by the parties, provided that one of the conditions specified in Articles 5 and 6 exists, the person concerned has the opportunity to exercise his rights and to apply for effective legal remedies in the country where the transfer will be made:

• Existence of an agreement that does not constitute an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of public institutions in Turkey, and the Board's authorization of the transfer.
• The existence of binding corporate rules approved by the Board and containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
• Existence of a standard contract announced by the Board, including data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
• Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.

 

In the absence of an adequacy decision and if any of the appropriate safeguards described above cannot be provided, it may transfer personal data abroad only in the presence of one of the following cases, provided that it is incidental:

• The data subject's explicit consent to the transfer, provided that he/she is informed about the possible risks.
• The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
• The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
• The transfer is necessary for an overriding public interest.
• The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
• The transfer of personal data is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
• Transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions for access to the registry are met in the relevant legislation and the person with a legitimate interest requests it.

 

The safeguards set forth in this Law shall also be provided by data controllers and data processors for subsequent transfers of personal data transferred abroad and transfers to international organizations and the provisions of this Article shall apply.

 

Without prejudice to the provisions of international conventions, personal data may be transferred abroad only with the permission of the Board after obtaining the opinion of the relevant public institution or organization in cases where the interests of Turkey or the person concerned would be seriously harmed.

Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorized in the table below:

 

SHARED PARTY CATEGORIZATION	SCOPE	PURPOSE OF TRANSFER
Legally Authorized Public Institutions and Organizations	Public institutions and organizations legally authorized to receive information and documents from the Company	Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations
Private Law Natural/Legal Persons	Natural persons or private legal entities	Transferring data to a limited extent in order to provide the service
Suppliers	Natural persons or private legal entities	Transferring data to a limited extent in order to receive the service
Open to All	Social media press and media outlets	Consensual data transfer within the scope of legitimate interest

The Company carries out data transfer for the following purposes and based on legal grounds;

 

Objectives

 

• Execution of Finance and Accounting Affairs
• Execution of Communication Activities
• Planning Human Resources Processes
• Execution / Supervision of Business Activities
• Receiving and Evaluating Suggestions for Improving Businesş  Processes,
• of Logistics Activities
• of Advertising / Campaign / Promotion Processes
• Execution of Advertising Campaign Promotion Processes
• of Contract Processes
• Execution of Marketing Processes of Product Services
• Providing Information to Authorized Persons, Institutions and Organizations

 

Legal grounds

 

1. The personal data processing activity is clearly stipulated by law
2. The personal data processing activity is directly related to the establishment or performance of a contract
3. It is mandatory to carry out personal data processing activities in order to fulfill the legal obligation of the data controller
4. Processing of personal data is mandatory for the establishment, exercise or protection of a right
5. Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

 

6. DISCLOSURE OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS

According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing personal data.  Pursuant to the relevant article, the necessary internal structure has been established to ensure that data subjects are informed in all cases where personal data processing activities are carried out by the Company as the data controller. In this context;

• Please refer to section 2.2 of the Policy for the purpose of processing your personal data.
• Please see Section 4 of the Policy for the parties to whom your personal data are transferred and the purpose of transfer.
• Please refer to sections 3.2 and 3.3 of the Policy to review the conditions for processing your personal data, which can be collected through different channels in physical or electronic environments.
• We would like to state that as a data subject, you have the following rights pursuant to Article 11 of the Law:

• Learn whether your personal data is being processed,
• Request information if your personal data has been processed,
• To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom your personal data is transferred domestically or abroad,
• To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
• To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
• To object if a result arises against you by analyzing the processed data exclusively through automated systems,
• To request compensation for damages in case you suffer damage due to unlawful processing of your personal data.

 

You can submit your applications for your rights listed above to our Company by filling out the Data Owner Application Form, which you can access from www.anemoiaofficial.com .  Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.

During the evaluation of applications, the Company first determines whether the person making the request is the real right holder or not. However, the Company may request detailed and additional information to better understand the request when deemed necessary.

Responses to data subject applications by the Company are notified to data subjects in writing or electronically. If the application is rejected, the reasons for rejection will be explained to the data subject with justification.

In the event that personal data are not obtained directly from the data subject; the Company carries out activities to inform the data subjects (1) within a reasonable period of time from the acquisition of personal data, (2) if personal data will be used for communication with the data subject, during the first communication, (3) if personal data will be transferred, at the latest during the first transfer of personal data.

 

7. DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA

Pursuant to Article 7 of the Law, although it has been processed in accordance with the law, in the event that the reasons requiring its processing disappear, the Company deletes, destroys or anonymizes the personal data ex officio or upon the request of the data subject in accordance with the guidelines published by the Authority.

 

8. SCOPE OF THE LAW AND LIMITATIONS ON ITS APPLICATION

The following situations are excluded from the scope of the Law:

• Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data are not disclosed to third parties and the obligations regarding data security are complied with.
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public safety, public order, economic security, privacy of private life or personal rights or constitute a crimȩ  .
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
• Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

In the cases listed below, disclosure to data subjects by the Company is not required and data subjects will not be able to exercise their rights set forth in the Law, except for their rights regarding the compensation of their damages:

• Processing of personal data is necessary for the prevention of a crime or for the investigation of a crime.
• Processing of personal data made public by the data subject himself/herself.
• Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
• Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

 

 

ANNEX 1: DEFINITIONS

DEFINITION
Personal Data	Any information belonging to an identified or identifiable natural person.
Sensitive Personal Data	Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric data.
Personal Health Data	Any health information relating to an identified or identifiable natural person.
Data Subject/Related Person	Natural person whose personal data is processed
Processing of Personal Data	It is any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Open Consent	Consent on a specific subject, based on information and expressed with free will
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data Processor	Natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
Personal Data Processing Inventory	Inventory in which data controllers detail the personal data processing activities of ... that they carry out depending on their business processes by associating personal data processing purposes, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security
KVK Law	Law No. 6698 on the Protection of Personal Data dated March 24, 2016
Constitution	Constitution No. 2709 of the Republic of Turkey
KVK Board	Personal Data Protection Board Authority
KVK Authority	Personal Data Protection Authority
Politics	Akeramos Kültür Sanat Faaliyetleri Limited Şirketi Personal Data Processing and Protection Policy
Company / Akeramos Kültür Sanat Faaliyetleri Limited Şirketi	Akeramos Kültür Sanat Faaliyetleri Limited Şirketi
Business Partners	Persons with whom the Company has established partnerships within the scope of contractual relations within the framework of its commercial activities.