PERSONAL DATA PROTECTION POLICY AND INFORMATION NOTICE
General Information on the Protection of Personal Data As AKACAN HOLDİNG A.Ş. (hereinafter referred to as “AKACAN HOLDİNG”), we attach great importance to the collection, storage, and processing of your personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”). In this respect, we undertake that we will carry out all necessary activities for compliance with the legislation regarding the processing and protection of personal data; that we will be transparent about the processing and sharing of personal data; and that we will ensure the security of your data to the maximum extent. With this AKACAN HOLDİNG Policy on the Processing and Protection of Personal Data, the fundamental principles are set out in line with the purpose stated above and, within this scope, AKACAN HOLDİNG’s obligations are determined.
Pursuant to Article 10 of the Law and in line with your satisfaction, we ensure the necessary transparency by informing personal data subjects about the methods of collection of their personal data, purposes of processing, parties with whom the data is shared, legal grounds, and your rights.
While serving as guidance for the implementation of the regulations introduced by the Law, this PDPL Policy aims to ensure that AKACAN HOLDİNG conducts the processing, storage, and sharing of personal data with due care. The protection of personal data is among AKACAN HOLDİNG’s most important priorities; therefore, we take the necessary precautions to act in accordance with the Law and other applicable legislation in force and make every effort to safeguard your personal data.
All organs and departments of AKACAN HOLDİNG are responsible for ensuring compliance with this PDPL Policy.
Definitions:
Explicit consent: Consent given freely, based on information, and relating to a specific matter,
Data subject: The real person whose personal data is processed,
Personal data: Any information relating to an identified or identifiable real person,
Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of the data, wholly or partially by automatic means or by non-automatic means provided that it is part of a data recording system,
Data processor: The real or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller,
Data controller: The real or legal person who determines the purposes and means of processing personal data and who is responsible for establishing and managing the data recording system,
AKACAN HOLDİNG acts as the data controller within the scope of the “Law” regarding the processing of personal data.
Application of the PDPL Policy and Relevant Legislation
With respect to the processing and protection of personal data, the applicable legal regulations in force shall primarily apply. In the event of any inconsistency between the legislation in force and this Policy, our Company accepts that the legislation in force shall prevail. This PDPL Policy concretizes the rules introduced by the relevant legislation within the scope of the Company’s practices.
3.1. Our Obligation Regarding the Security of Personal Data:
As AKACAN HOLDİNG, pursuant to Article 12 of the Law, we take all necessary technical and administrative measures, and we conduct or have conducted audits, to ensure an appropriate level of security and to prevent the unlawful disclosure, access, transfer, or any other security deficiencies relating to personal data.
In the event of unlawful disclosure of personal data, the measures stipulated in the Law must be taken.
3.2. Administrative Measures:
Our Company should provide periodic awareness trainings to raise awareness among employees regarding the protection of personal data. In the event of transferring personal data, it should be undertaken through the contracts executed that the receiving party will take all necessary measures to protect personal data and that the measures taken will be implemented. The actions required to ensure compliance of personal data processing activities with the Law should be determined. While making this determination, the processes carried out by the Company should be examined in detail. After identifying the necessary actions to ensure compliance with the Law as mentioned above, these practices should be regulated and concretized through internal policies.
3.3. Technical Measures:
Measures should be taken by making use of technological opportunities for the protection of personal data; the measures taken should be kept up to date in line with developing technology; and the software and systems established to implement the measures taken should be improved. (Cybersecurity monitoring of the systems where your personal data is kept is carried out regularly by technically employed personnel. While the security of the environments containing your personal data is ensured by the said software and systems, unauthorized access to your personal data has been prevented.) Expert personnel should be employed for technical matters. Periodic audits should be carried out to check whether the measures operate as required. Access authorization should be limited to authorized employees who are connected with and required for the purpose of processing personal data.
3.4. Audit Activity:
The measures stated in this PDPL Policy and the measures taken in practice regarding the protection and security of personal data should be audited periodically.
3.5. Measures to be Taken in Case of Unlawful Disclosure of Personal Data:
If the personal data being processed is obtained unlawfully by unauthorized persons, the relevant situation should be notified to the PDPL Board and the relevant data subjects without delay. A mechanism necessary for making such notification should be designed.
3.6. Protection of Special Categories of Personal Data:
The Law attributes special importance to certain personal data due to the risk that unlawful processing may cause victimization or discrimination. Such data are listed in Article 6 of the Law and include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. We act with sensitivity in the protection of such special categories of personal data; the technical and administrative measures taken for the protection of personal data are implemented with due care by AKACAN HOLDİNG, and necessary and sufficient measures are taken as stated in the Law and other legislation.
3.7. Processing of Your Personal Data:
Your personal data may be processed by our Company, as the data controller, in the manner specified in the Law, provided that the processing conditions set forth in the Law exist. Where the legal conditions for processing do not arise, your explicit consent will be obtained for procedures requiring explicit consent; in cases permitted by legislation or where explicit consent is required, your personal data may be shared with third parties residing domestically or abroad, classified, and processed in other ways specified in the Law, provided that your explicit consent is obtained.
Principles Adopted in the Processing of Personal Data
The principles adopted by all organs and departments of AKACAN HOLDİNG while processing personal data are as follows: Acting in compliance with the law and the principles of good faith. Ensuring that personal data is accurate and, where necessary, kept up to date. Processing for specific, explicit and legitimate purposes. Being relevant, limited and proportionate to the purposes for which they are processed. Being retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed.
Conditions for Processing Personal Data
5.1. While carrying out personal data processing activities, subject to compliance with the fundamental principles, we act in accordance with the conditions specified in Articles 5 and 6 of the Law and the Regulation on the Processing of Personal Health Data.
5.2. The conditions for processing personal data are set out below. Accordingly, as AKACAN HOLDİNG, we determine the existence of the following conditions regarding our personal data processing activities. The existence of one or more of these conditions constitutes the legal basis of personal data processing. If the conditions are not present, we do not carry out the personal data processing activity.
5.3. Explicit consent, as explained in the Definitions section above, is the consent expressed freely by the data subject upon being informed about the processing of their personal data. This consent must be given after the data subject has been informed and must be based entirely on their free will. Where other personal data processing conditions described below exist, data may be processed even if the personal data subject does not have explicit consent.
Inability to Obtain Explicit Consent Due to De Facto Impossibility If the data subject is unable to express consent due to de facto impossibility or if the consent is not legally valid, personal data may be processed to protect the life or physical integrity of the data subject or another person.
Directly Related to the Establishment or Performance of a Contract If processing personal data is necessary and directly related to the establishment or performance of a contract to which the data subject is a party, this condition shall be deemed fulfilled.
Fulfilling the Company’s Legal Obligation If processing is mandatory for our Company to fulfill its legal obligations, the data subject’s personal data may be processed.
Making Personal Data Public by the Data Subject If the data subject has made their personal data public, such personal data may be processed in a limited manner for the purpose of making it public.
Necessity of Processing for the Establishment, Exercise or Protection of a Right If processing is mandatory for the establishment, exercise or protection of a right, the data subject’s personal data may be processed.
Necessity of Processing for Our Legitimate Interests Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed if processing is mandatory for our Company’s legitimate interests.
5.4. Special categories of personal data are processed by taking all necessary administrative and technical measures in accordance with the principles set forth in this PDPL Policy and within the methods to be determined by the PDPL Board. Since the Law sets special conditions for such data, special categories of personal data may be processed under the following conditions:
Special categories of personal data other than health and sexual life may be processed without seeking explicit consent if clearly stipulated in laws; otherwise, explicit consent will be obtained. Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent by persons under confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing; otherwise, explicit consent will be obtained.
Recording of Telephone Calls
As a result of your calls with AKACAN HOLDİNG, your contact details, voice recordings, and personal data you state therein are processed for the purposes of ensuring legal and commercial security; recording, examining and responding to notifications such as requests, suggestions, satisfaction, complaints, objections; planning and execution of business activities and operational processes; conducting correspondence activities; fulfilling legal rights and obligations; ensuring service quality and continuity; and transaction security.
Your personal data is collected verbally via the voice recording method through AKACAN HOLDİNG’s switchboard system and stored. Your personal data is processed based on the legal ground in Article 5/2-(f) of the Law, namely “processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject”.
Transfer of Personal Data
Personal data may be transferred to third parties if the data subject has explicit consent. However, even if the data subject does not have consent, personal data may be transferred to third parties by taking the measures prescribed by the Board and by showing the utmost care and diligence, if one or more of the following conditions exist: The relevant activities for transferring personal data are clearly stipulated in laws, The transfer of personal data by the Company is necessary and directly related to the establishment or performance of a contract, The transfer of personal data is mandatory for our Company to fulfill its legal obligation, Provided that personal data has been made public by the data subject, it may be transferred by our Company in a limited manner for the purpose of making it public, The transfer of personal data is mandatory for the establishment, exercise or protection of rights of the Company, the data subject or third parties, The transfer of personal data is mandatory for the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject, It is mandatory to protect the life or physical integrity of the person or another person who is unable to express consent due to de facto impossibility or whose consent is not legally valid. Personal data may be transferred to foreign countries announced by the Board as having adequate protection (“Foreign Country with Adequate Protection”) where the conditions listed in this article exist. For foreign countries that are not among the Foreign Countries with Adequate Protection but where the data controller undertakes adequate protection in writing or where the Board has granted permission (“Foreign Country Where the Data Controller Undertakes Adequate Protection”), personal data may be transferred.
In addition, special categories of personal data may be transferred by our Company, in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures including the methods determined by the Board, and if the following conditions exist: Special categories of personal data other than health and sexual life may be processed without seeking explicit consent if clearly stipulated in laws; otherwise, explicit consent will be obtained. Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent by persons under confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing; otherwise, explicit consent will be obtained.
In addition to the above, personal data may be transferred to Foreign Countries with Adequate Protection where any of the above conditions exist. If adequate protection does not exist, personal data may be transferred to Foreign Countries Where the Data Controller Undertakes Adequate Protection in line with the data transfer conditions stipulated in the legislation.
Method of Collecting Your Personal Data
“Personal data” means information belonging to a real person whose identity is identified or identifiable from the data we have, or to which we have access. Your personal data may be collected automatically or by non-automatic means provided that it is part of our data recording system when you visit and use our Website; when you use our electronic commerce marketplace services (“Our Services”) through our Website; when you create an account; when you fill in a form on our Website; when you change your account details; when you purchase goods and services; when you participate in dispute resolution; when you communicate with us or other users regarding Our Services; and when you participate in surveys.
Purposes of Processing Your Personal Data
9.1. Your collected personal data will be processed, within the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law, for the purposes of:
Providing you with AKACAN HOLDİNG products and services, fulfilling our obligations to you, preparing records and documents, complying with information retention, reporting, notification, tax and other obligations required by local and international legislation, Offering you special advantages and other benefits for sales and marketing activities to improve the quality of services and products, Contacting you to convey necessary information regarding these services and products due to information processing requirements, system structure and the necessity of IT support services, Complying with information retention, reporting and notification obligations required by official authorities or within the framework of laws, fulfilling the requirements of contracts and the legal obligations of AKACAN HOLDİNG to benefit from these services, Determining and implementing AKACAN HOLDİNG’s commercial and business strategies, and managing finance operations, communication, market research and social responsibility activities, purchasing operations (request, offer, evaluation, order, budgeting, contract), internal system and application management operations, and legal operations carried out by AKACAN HOLDİNG, Reviewing, evaluating and responding to requests received from official authorities or from you.
9.2. Recorded Personal Data includes the following:
Resume information (CV), TR Identification Number, Mobile phone number, E-mail address, Address information, Education status, Photograph, Disability, report, enforcement, alimony, etc. statuses.
9.3. While keeping your data, as stated in Article 4/2 of the Law, we declare and undertake that we will comply with the relevant laws and the principle of good faith and keep your data accurate and up to date where necessary. Please inform us without delay in case of any change.
Transfer of Processed Personal Data in Accordance with Data Transfer Conditions Your personal data cannot be transferred domestically or abroad without the explicit consent of the relevant person. Necessary measures are taken by us to ensure the minimum conditions set forth in Articles 8 and 9 of the Law. Your personal data collected may be transferred, limited to the realization of the purposes stated above, to: AKACAN HOLDİNG’s business partners, shareholders, affiliates, Persons or organizations permitted by the Turkish Commercial Code, Turkish Code of Obligations and other legislation, Public institutions and organizations authorized by law, administrative authorities and legal authorities, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.
Method and Legal Basis for Collecting Personal Data Your personal data is collected, limited to the existence of legal grounds such as performance of a contract, explicit stipulation in law, making your personal data public, necessity for the establishment, exercise or protection of a right granted to you, and necessity for the Company’s legitimate interest and for fulfilling its legal obligations without harming your fundamental rights and freedoms, in verbal, written or electronic media, or through other channels that may be established in the future, by AKACAN HOLDİNG, within the framework of legal legislation and for the purposes stated above.
Storage and Destruction of Personal Data
12.1 Personal data should be retained for the period required for the purpose for which it is processed and for the minimum period stipulated by the legislation governing the relevant activity. In this context, AKACAN HOLDİNG first determines whether a retention period is stipulated in the relevant legislation; if so, we comply with that period. If no legal regulation exists, personal data is retained for the period required by the purpose.
12.2. Personal data is destroyed at the end of the retention periods stipulated by legislation, when the reasons requiring processing cease to exist, or in accordance with the data subject’s application.
12.3. Even though it has been processed in accordance with the Law and relevant legislation, if the reasons requiring processing cease to exist, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person.
Obligations Regarding Personal Data Processing Activities
13.1. AKACAN HOLDİNG, as the data controller, must comply with the obligations stipulated for data controllers in the Law.
13.2. Unless we are among the real or legal persons exempted from registration by the Board, real and legal persons processing personal data must register with the Data Controllers Registry kept by the Presidency under the supervision of the Board.
13.3. Application for registration with the Data Controllers Registry is made by a notification containing the following:
- Identification and address information of the data controller and, if any, its representative.
- Purpose of processing personal data.
- Explanations regarding the group(s) of data subjects and the data categories belonging to these persons.
- Explanations regarding the recipient(s) or recipient groups to whom personal data may be transferred.
- Personal data intended to be transferred to foreign countries.
- Measures taken regarding personal data security.
- Maximum period required for the purpose for which personal data is processed.
13.4. In accordance with Article 10 of the Law and the Communiqué on the Procedures and Principles to be Followed in Fulfillment of the Obligation to Inform, data subjects must be informed before personal data is obtained. Under this obligation, the data subject should be informed about:
The identity of the data controller and, if any, its representative, Purpose of processing personal data, To whom and for what purpose processed personal data may be transferred, Method and legal basis of collecting personal data,
The rights of the data subject, namely:
- To learn whether personal data is processed,
- If personal data has been processed, to request information regarding this,
- To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
- To know the third parties to whom personal data is transferred domestically or abroad,
- To request correction of incomplete or incorrect processing and to request that the transaction be notified to third parties to whom personal data is transferred,
- To request deletion or destruction of personal data within the scope of the stipulated conditions and to request that the transaction be notified to third parties to whom personal data is transferred,
- To object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems,
- To request compensation for damages in case of unlawful processing of personal data.
The necessary processes for such information should be carried out.
13.5. AKACAN HOLDİNG should take all administrative and technical measures, and perform necessary audits, to:
Prevent unlawful processing of personal data, Prevent unlawful access to personal data, and Ensure the preservation of personal data.
13.6. The data controller must act in accordance with the decisions of the PDPL Board, which is the executive body of the PDPL Authority.
13.7. Requests made to the data controller regarding matters in which data subjects may submit requests pursuant to Article 11 of the Law are responded to no later than 30 days in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller.
13.8. Based on Article 4 of the Law and this provision, as stated above in the Processing of Personal Data section of this PDPL Policy, personal data should be processed in accordance with the law and good faith, and the obtaining and transfer of personal data should be carried out lawfully.
13.9. Even though it has been processed in accordance with the Law and relevant legislation, if the reasons requiring processing cease to exist, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person.
Rights of the Data Subject Under Article 11 of Law No. 6698
14.1. If you submit your requests regarding your rights to AKACAN HOLDİNG through the methods set out below, AKACAN HOLDİNG will finalize the request as soon as possible and at the latest within thirty days, depending on the nature of the request. Up to ten pages of the response will be free of charge. If the response is provided on a recording medium such as CD or flash drive, the fee that may be requested by AKACAN HOLDİNG shall not exceed the cost of the recording medium. In this context, data subjects have the right to:
Learn whether personal data is processed, Request information if personal data has been processed, Learn the purpose of processing personal data and whether they are used in accordance with the purpose, Know the third parties to whom personal data is transferred domestically or abroad, Request correction of incomplete or incorrect processing and request that the transaction be notified to third parties to whom personal data is transferred, Request deletion or destruction of personal data if the reasons requiring processing cease to exist although it has been processed in accordance with the Law and other laws, and request that the transaction be notified to third parties to whom personal data is transferred, Object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems, Request compensation for damages in case of unlawful processing of personal data.
14.2. You may submit your request regarding the exercise of the rights stated above, pursuant to Article 13/1 of the Law and the Communiqué on the Procedures and Principles of Application to the Data Controller dated 10.03.2018 and numbered 30356, in Turkish and in writing, or via registered electronic mail (KEP), secure electronic signature, mobile signature, or by using the electronic mail address previously notified to AKACAN HOLDİNG and registered in our system. AKACAN HOLDİNG reserves the right to verify your identity before responding.
In your application;
- Your name, surname and, if the application is in writing, your signature,
- For citizens of the Republic of Türkiye, your TR ID Number; if you are a foreigner, your nationality, passport number or, if any, ID number,
- Your residence or workplace address for notification,
- If any, your electronic mail address for notification, telephone and fax number,
- Subject of your request,
must be included, and if any documents and information related to the subject should also be attached to the application.