Privacy Policy
INTERNET PLATFORM LIGHTING TEXT
1. IDENTITY OF DATA SPEAKER
Albatros Foreign Trade and Marketing Ltd. Sti. (“Our Company”) has the title of data controller within the scope of the Personal Data Protection Law No. 6698 (“Law”) and carries out personal data processing activities in accordance with the regulations in the Law and other applicable legislation.
2. COLLECTION, PROCESSING AND PROCESSING PURPOSE OF PERSONAL DATA
Your personal data listed below are collected electronically and are processed for the purposes listed below:
Your personal data; It is processed for the purposes of providing our company's services, performing after-sales services, increasing customer satisfaction, evaluating and responding to complaints and suggestions, making statistical analyzes, fulfilling legal and regulatory requirements, providing necessary information in line with the requests and inspections of official authorities, and ensuring data security.
On the other hand, if you give your explicit consent, your identity and contact data will also be processed for promotional, e-mail newsletter sending and marketing purposes.
3. TRANSFER OF PERSONAL DATA
Your personal data, within the scope of the Law and other legislation and for the purposes described in article 2 of this Clarification Text, depending on the reason that requires it to be transferred and limited for this reason; Within the scope of the law and related regulations; It can be transferred to supervisory and regulatory public institutions and organizations (BTK, TurkStat, courts, banks, etc.), auditors, companies that provide software and hardware support services, and legally authorized private individuals such as lawyers.
On the other hand, our website servers Since it is located abroad, your personal data that you share with us through our website will be transferred abroad based on your express consent.
4. YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
The rights of real persons whose personal data are processed are listed in Article 11 of the Law. If you, as a personal data owner, submit your requests regarding your rights listed in the relevant article of the Law, in accordance with the application procedures stipulated in the Communiqué on Application Procedures and Principles to the Data Controller, by providing your identity confirmation to the official address of our company, in person or through a notary public, as soon as possible, depending on the nature of your request, and will be finalized free of charge within thirty (30) days at the latest. However, if the transaction requires an additional cost, it may request the fee in the tariff determined by the Personal Data Protection Board.
EXPRESS CONSENT ON THE PROCESSING OF PERSONAL DATA
Clarification Text of my personal data that I have shared with your company As informed in . ; I consent to you contacting me for commercial communication, newsletter sending and advertising and promotional purposes regarding products and services.
SMS
Call
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Version : 1
Date of Issue : 01.09.2022
1. PURPOSE
Albatros Foreign Trade and Marketing Ltd. Sti. (“Company”) and all its employees, T.C. regarding the protection of personal data. It undertakes to comply with the principles, decisions and rules brought by the Constitution and other applicable legislation, especially the Law on the Protection of Personal Data No. 6698, and to protect the rights of individuals whose data are processed by the Company. For this purpose, the Company has put into effect this Personal Data Protection and Processing Policy (“Policy”), which was written to be implemented and developed. is to establish control mechanisms in accordance with the law, to fulfill the legal obligations in the field of personal data protection, and to protect the interests of individuals in the best possible way.
2. SCOPE
Policy provisions cover company employees, sub-employees and interns who provide support services to all units of the Company, especially the Board of Directors. Any action that violates the Personal Data Protection Law No. 6698 or this Policy is considered within the scope of the relevant legislation and sanctions are applied accordingly.
Again, the Company's business partners, suppliers and all third parties working with the Company, who have or may have access to personal data, are invited to read and comply with this Policy.
3. DEFINITIONS
Explicit consent:
Anonymization of consent, based on information and free will, on a particular subject:
Personal means that the data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Contact Person:
Data for the communication to be established with the Institution regarding the obligations of the data controller The natural person notified by the responsible person during registration to the Registry,
Law:
Law on Protection of Personal Data No. 6698,
Personal data:
All kinds of information relating to an identified or identifiable natural person,
Personal Data Inventory:
The data controllers carry out depending on their business processes. personal data processing activities; The inventory they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
Processing of personal data:
Obtaining, recording, storing, preserving, changing personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system, all kinds of operations carried out on data such as reorganizing, explaining, transferring, taking over, making it available, classifying or preventing its use,
Authority:
Personal Data Protection Authority,
Board:
Personal Data Protection Board,
KVK Committee:
The structure consisting of real person or persons appointed by the data controller, who performs the administrative follow-up and coordination of the processes established within the scope of the Law,
KVK Commitment:
Document specifying the legal obligations of third parties with whom data is shared,
Registration:
Register of data controllers kept by the Institution,
Data Processor:
Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller, or legal person,
expresses.
4. RESPONSIBILITIES
The Company has the title of Data Controller in accordance with the Law. Everyone who is a company employee is responsible for the development and promotion of good practices in the processing of personal data within the Company and other obligations.
All employees of the Company who process personal data are responsible for complying with the Personal Data Protection legislation.
The Company is responsible for realizing the necessary notifications and trainings so that all its employees know their responsibilities in the field of personal data protection and have the necessary awareness. responsible for ensuring the accuracy and up-to-dateness of the data.
4.1. KVK Committee:
The members of the KVK Committee are appointed by the Board of Directors, taking into account that they receive regular training and experience in the Law and secondary legislation and its applications, and report directly to the Board of Directors. The KVK Committee was established as the committee in charge of managing the personal data protection system, ensuring and documenting compliance with the Law and other relevant legislation, and is responsible to the Board of Directors in these matters.
4.2. KVK Committee Duties and Responsibilities:
5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The company will comply with personal data protection legislation and data protection principles. The data processing principles adopted by the Company include:
All personal data processing activities must be carried out in accordance with the following data protection principles. The Company's policies and procedures aim to ensure compliance with these principles:
In this respect, the Company includes disclosure and privacy statements regarding the personal data processing activities it carries out, in the data collection channels and in the relevant forms. The areas where the notifications containing clear and understandable information about who and for what purposes are processed by the company are determined by taking the opinion of the KVK Committee. These notices include the following:
In the personal data inventory, the reasons/purposes for the processing of personal data are determined and personal data cannot be used for other than the stated purpose without any other legal justification or the explicit consent of the data owner. If conditions arise that require the use of a personal data for purposes other than those specified in the personal data inventory, this situation is reported to the KVK Committee by the relevant employee/unit/direction. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.
Personal data; It must be processed to a limited extent, relevant and appropriate for the purposes for which it is processed, and must be accurate and up-to-date. The accuracy and up-to-dateness of data kept for a long time should be reviewed. The company is responsible for educating all employees on the correct and up-to-date collection and storage of data.
The KVK Committee should be informed about all data collection channels.
The accuracy and up-to-dateness of the data held regarding the employees It is the responsibility of the relevant employee.
Employees/customers/institutions and other relevant persons should inform the Company to update the processed personal data.
Personal data, data subject, only data processing If necessary for its purpose, it should be processed in a way that can be identified.
Backup of personal data, etc. In order to protect the rights and freedoms of individuals, in case of data security weakness or to be kept beyond the specified period due to the requirements, secure destruction methods determined by the Board are applied. If a longer period is required, the written approval of the KVK Committee is obtained.
All Company units that process Personal Data are responsible for complying with both the principles set forth above and the measures enforcing applicable data protection laws, and must be able to prove that they comply.
5.2. RISK ASSESSMENT
The company determines the risks associated with the processing of personal data types. Certain types of data processing activities; If it is likely to pose a high risk to personal rights and freedoms in line with its structure, context and purposes, the Company should manage potential risks by performing an impact analysis prior to data processing. A single assessment can be based on multiple data processing activities with similar risks. s approval is sought. If the KVK Committee deems it necessary, it receives the opinion of the Board on the subject.
5.3. OBTAINING EXPRESS CONSENT
In cases where the data subject is required by the Law and regarding certain data processing activities, the consent of the data subject, which is based on information and which reveals the will for data processing with free will, expressed with a written/oral statement or an explicit affirmative action. as express consent. Explicit consents are obtained in writing or systematically in a way that is suitable for proof. Explicit consent can always be withdrawn by the data owner.
If the data processing activity based on explicit consent will be continuous or repeated, the explicit consents obtained are checked. The up-to-dateness and accuracy of these explicit consents is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding the data processing activity based on explicit consent are kept by the relevant unit.
5.4. DATA SECURITY
All employees are obliged to ensure that the data processed by the Company, which are under their responsibility, are kept secure and not disclosed to third parties unless they sign a confidentiality agreement.
Only those who need access to them should be able to access personal data.
The events that threaten the security of personal data are reported to the Board and the relevant person as soon as possible after they are definitively determined by the KVK Committee, and in any case, within 72 hours at the latest after learning of the event.
5.5. DATA SHARING
Personal data can only be shared with third parties in accordance with the law and equity. Accordingly, in order to share personal data, one of the following conditions is sought:
Personal data can only be transferred abroad provided that the above conditions are met and adequate protection is available in the destination country or the explicit consent of the data owner is obtained for this transfer.
In the transfer of personal data abroad, the list of countries with adequate protection determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the Board in accordance with the Law and relevant legislation.
p>
All transactions regarding the sharing of personal data should be recorded in writing with their justifications. These records are audited periodically by the KVK Committee.
In case of a regular data sharing relationship without a legal basis or legal obligation, a KVK Commitment is made with the party in question, which determines the conditions for data sharing.
5.6. MANAGEMENT OF RECORDS
Personal data cannot be kept longer than necessary for the purposes of processing. The classification of records containing personal data and their retention periods are determined in accordance with the Personal Data Recording, Storage and Disposal Procedure. anonymized or deleted or destroyed.
5.7. RIGHTS OF DATA OWNERS
Data owners have the following rights regarding data processing activities and records at the Company:
Application Procedure of the Data Owner
Data owners can apply to the Company for their requests regarding their rights listed above in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller.
In this case, the Company will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on its nature. However, if the transaction requires an additional cost, the Company may request the fee in the tariff determined by the Board. The processes regarding the receipt, transmission and finalization of requests are carried out in accordance with the Procedure for Receiving, Evaluating and Responding to Data Subject Applications.
The right of access and contact information of data subjects are included in the notifications and the web address so that data subjects can direct their requests.
p>
All employees of the Company, regardless of their job description, are obliged to guide the data owners regarding the correct application method for the data subject access requests addressed to them. Company employees should be informed by the KVK Committee on how to act on requests from data owners.
Applications in this context;
6. EFFECTIVENESS AND KEEPING UPDATED
This Policy entered into force on 01.09.2022; The Law will be re-evaluated and updated if necessary by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes. : 1
Date of Issue : 01.09.2022
This Procedure for Receiving, Evaluating and Responding to Applications of Data Owners (“Procedure”) is provided by Albatros Dış Ticaret ve Pazarlama Ltd. Şti. (the "Company"), to determine the procedures and principles regarding the business and transactions regarding the receipt, evaluation and response of the applications. business and transactions are carried out in accordance with this Procedure prepared by the Company in this direction.
1. DEFINITIONS
Law:
Law on Protection of Personal Data No. 6698
Board:
Personal Data Protection Board
Data Owner:
Natural person whose personal data is processed
Personal Data:
As long as it is within the scope of the law, any information regarding an identified or identifiable natural person
2. RECEIVING THE APPLICATION
2.1. Form of Application
Data Owners shall submit their applications to the Company contact person in writing in accordance with Article 13 of the Law, in order to obtain information about the personal data collected by the Company and to exercise their rights specified in Article 11 of the Law.
Accordingly, applications to be made by Data Owners can be made in writing as follows:
2.2. Content of the Application
In order for the Data Owner's requests to be evaluated, it will first be determined whether the Data Owner is the owner of the personal data processed by the Company. In this respect, the identity information of the Data Owner must be clearly and truthfully stated in the applications to be made to our Company within the scope of the Law.
For conditional requests, the Data Owner must provide the necessary information on how this condition is fulfilled and submit the documents to prove this claim to the Company.
Applications that are not received through the means specified in this Procedure, Data Owner's identity has been determined and If the information and/or documents required for the application within the scope of the Law are provided by the company, applications made through such means can be evaluated. Otherwise, the applications will be rejected due to violation of the procedure.
Applications that do not meet the qualifications specified in this article will be evaluated and the Data Owner will be contacted until the requested information is obtained; however, if the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
3. OTHER CASES
3.1. Application Made by Proxy or Legal Representative
Applications to be made to the Company within the scope of the law can also be made by the representative or legal representative of the Data Owner, provided that the official document to prove it is submitted.
3.2. Application Fee
The Law stipulates that the Data Controller shall conclude the request submitted to him free of charge. However, it has been stated that if the transaction also requires a cost, it may be possible to make a fee in line with the principles to be determined by the Board. In this context, if finalizing the applications to the Company requires any additional costs, the Company may charge a fee from the Data Owner.
4. APPLICATION EVALUATION PROCESS
If it is determined that there are missing information and/or documents in the applications made by the Data Owner, this matter will be notified to the Data Owner. If the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
In cases where it is not possible to respond to the Data Owner's application without sharing personal data belonging to third parties, the following three-step evaluation process will be applied by the Company:
In case it is not possible to finalize the application without sharing the data of the third party; first of all, it will be applied to obtain explicit consent from the Data Owner whose personal data has to be shared. If the third party does not consent to the sharing of their data, the application will be answered by completely extracting the information of the third party. In this way, personal data of third parties may also be shared if necessary.
5. EVALUATION TIMES OF APPLICATIONS
The requests of the Data Owner will be evaluated and finalized by the Company as soon as possible and within thirty (30) days at the latest. ) will be directed to the relevant department of the Company during the day; The investigations to be carried out by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. ANSWERING APPLICATIONS
Applications made to the Company by the Data Owner are answered by the contact person appointed at the Company, and the following information is included in the responses to the applications:
Event records, documents and results related to the relevant application are stored in the electronic directory created on this subject. A copy of the written submission record is also stored in the archive.
7. EFFECTIVENESS AND KEEPING UPDATED
This Procedure has entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and updated if necessary.