KVKK
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY
1. Introduction
Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion) makes every effort to act in accordance with all legislation regarding the protection of personal data. Within the framework of this Black Group Tekstil Ticaret Limited Şirketi Personal Data Protection, Processing and Privacy Policy, the principles adopted by our company in the execution of personal data processing activities and the basic principles adopted in terms of the compliance of our company's data processing activities with the regulations in the Personal Data Protection Law No. 6698 are explained, and thus our Company ensures the necessary transparency by informing the relevant persons. With the full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy. Black Fashion, which is the data controller with this Policy, aims to inform the relevant person.
1.1. Definitions
For the purposes of the law, the following definitions will be taken into account:
a . Personal Data: Any information relating to an identified or identifiable natural person;
b. Processing of Personal Data: Any operation performed on Personal Data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system;
c. Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data;
d. Data Controller: Any natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system;
e. Data Processor: A third party natural or legal person who processes Personal Data on behalf of Black Fashion based on the authority granted by it;
f. Relevant Person: The natural person whose Personal Data is processed;
g. Data Recording System: The recording system in which Personal Data used by Black Fashion is structured and processed according to certain criteria;
h. Board: Personal Data Protection Board;
i. Institution: Personal Data Protection Authority;
j. Law: It refers to the Personal Data Protection Law No. 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.
2. Principles Regarding the Processing of Personal Data
2.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation
2.1.1 Processing in Accordance with Law and Fairness
Black Fashion acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data is processed to the extent and limited to the business activities of our company.
2.1.1 Ensuring Personal Data is Accurate and Up-to-date Where Necessary
Black Fashion takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period it is processed and establishes the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods.
2.1.2 Processing for Specified, Clear and Legitimate Purposes
Black Fashion clearly states the purposes for which personal data is processed and processes it in line with its business activities and for purposes related to these activities.
2.1.3 Being Relevant, Limited and Proportionate to the Purpose of Processing
Black Fashion collects personal data only in the nature and to the extent required by its business activities and processes it limited to the specified purposes.
2.1.4 Preservation for the Period Required by the Relevant Legislation or for the Purpose for which they are Processed
Black Fashion stores personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legal legislation applicable to the relevant activity. In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is specified, it complies with this period. If there is no legal period, personal data is stored for the period required for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods.
2.2. Conditions for Processing Personal Data
Unless the relevant person gives explicit consent, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity. If the processed data is special personal data, the conditions set out in heading 2.3 (Processing of Special Personal Data) of this policy shall apply.
2.2.1 Explicit Consent of the Relevant Person
One of the conditions for processing personal data is the explicit consent of the relevant person. The explicit consent of the relevant person must be related to a specific subject, based on information and expressed with free will. In the event that the personal data processing conditions listed below are met, personal data may be processed without the need for the explicit consent of the relevant person.
2.2.2 Explicitly Provided in Laws
If the personal data of the relevant person is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition can be mentioned.
2.2.3 Failure to Obtain Explicit Consent of the Person Concerned Due to Actual Impossibility
If the processing of personal data is necessary to protect the life or physical integrity of a person who is unable to give his consent due to a de facto impossibility or whose consent cannot be validated, or of another person, the personal data of the relevant person may be processed.
2.2.4 Directly Related to the Establishment and Execution of the Contract
This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the relevant person is a party.
2.2.5 Fulfillment of the Company's Legal Obligations
Personal data of the relevant person may be processed if processing is necessary for our company to fulfill its legal obligations.
2.2.6 Publication of Personal Data by the Relevant Person
If the relevant person has made his/her personal data public, the relevant personal data may be processed limitedly for the purpose of making it public.
2.2.7 Data Processing is Necessary to Establish or Protect a Right
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the relevant person may be processed.
2.2.8 Data Processing is Necessary for the Legitimate Interest of the Company
Personal data of the relevant person may be processed if data processing is mandatory for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the relevant person.
2.3. Processing of Special Personal Data
Sensitive Personal Data may be processed by the company in accordance with the principles set out in this policy, by taking all necessary administrative and technical measures, including the methods to be determined by the board, and if the following conditions are met:
2.3.1 Special personal data, other than health and sexual life, may be processed without the explicit consent of the relevant person if it is clearly provided for in the laws, in other words, if there is an explicit provision regarding the processing of personal data in the law governing the relevant activity. Otherwise, the explicit consent of the relevant person will be obtained for the processing of such special personal data.
2.3.2 Personal data of a special nature regarding health and sexual life may be processed without explicit consent by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing. Otherwise, the explicit consent of the relevant person will be obtained for the processing of such personal data.
2.4. Informing the Relevant Person
Black Fashion, in accordance with Article 10 of the law and secondary legislation, informs the relevant persons. In this context, Black Fashion, as the data controller, informs the relevant persons about who processes personal data, for what purposes, with whom it is shared and for what purposes, by what methods it is collected and the legal reason, and the rights of data owners within the scope of processing their personal data.
2.5. Transfer of Personal Data
Black Fashion may transfer the personal data and special personal data of the relevant person to third parties (third party companies, official and private authorities, third real persons) established in the country by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. In this regard, our company acts in accordance with the regulations stipulated in Article 8 of the law.
2.5.1. Transfer of Personal Data
Even if the person concerned does not give explicit consent, if one or more of the conditions specified below are met, personal data may be transferred to third parties resident in the country by the company, taking all necessary security measures, including the methods prescribed by the board.
The relevant activities regarding the transfer of personal data are clearly prescribed by law, and the transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is mandatory for our Company to fulfill its legal obligations,
Transfer of personal data by our company for the purpose of making it public, provided that it has been made public by the relevant person,
The transfer of personal data by the company is mandatory for the establishment, exercise or protection of the rights of the company or the relevant person or third parties,
It is mandatory to transfer personal data for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the relevant person,
If it is necessary for a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, to protect his own life or the physical integrity of another person.
2.5.2. Transfer of Special Personal Data
Sensitive personal data may be transferred by our company in accordance with the principles set forth in this policy, by taking all necessary administrative and technical measures, including the methods to be determined by the board, and in the presence of the following conditions:
Personal data of a special nature, other than health and sexual life, may be processed without the explicit consent of the relevant person if it is clearly provided for in the laws, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the relevant person will be obtained.
Personal data of a special nature regarding health and sexual life may be processed by persons or authorized institutions and organizations under a confidentiality obligation, without seeking explicit consent, for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the relevant person will be obtained.
2.6. Personal Data That Can Be Processed
The purpose of Black Fashion is the entirety of the purposes specified in the trade registries. Personal data that may be collected and processed regarding employees, relatives of employees, candidate employees, interns, supplier employees and supplier authorities, direct or indirect real person shareholders/partners, potential product and service buyers, customers and other third parties in relation to the purpose of Black Fashion are listed below and this list may be expanded in line with the purposes of Black Fashion:
• Identity data,
• Communication data,
• Location data,
• Personal information data,
• Data within the scope of legal transactions,
• Customer transaction data,
• Physical space security data,
• Data within the scope of transaction security,
• Data within the scope of risk management,
• Data within the scope of healthy execution of financial transactions,
• Data within the scope of professional experience,
• Data within the scope of marketing operations,
• Visual and audio recording data,
• Race and ethnicity data,
• Clothing and appearance data,
• Health data,
• Data regarding criminal convictions and security measures,
2.7. Purposes of Processing Personal Data
Black Fashion undertakes to process personal data for commercial partners only within the framework of the purposes and bases specified below, with the exceptions set out in Article 5(2)(c) of the KVKK;
• Implementation of Information Security Processes
• Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students
• Conducting the Application Process of Employee Candidates
• Implementation of Employee Satisfaction and Loyalty Processes
• Fulfillment of Employment Contract and Legislative Obligations for Employees
• Conducting Employee Benefits and Side Benefits Processes
• Conducting Training Activities
• Execution of Access Permissions
• Ensuring Physical Space Security
• Conducting Finance and Accounting Affairs
• Conducting Loyalty Processes to Company / Products / Services
• Conducting Assignment Processes
• Monitoring and Execution of Legal Affairs
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting / Supervising Business Activities
• Conducting Occupational Health / Safety Activities
• Carrying out Business Continuity Activities
• Carrying out logistics activities
• Execution of Goods / Services Purchasing Processes
• Execution of Goods / Services Sales Processes
• Execution of Goods / Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Carrying out activities aimed at customer satisfaction
• Conducting Marketing Analysis Studies
• Conducting Advertising / Campaign / Promotion Processes
• Implementation of Risk Management Processes
• Carrying out storage and archive activities
• Execution of Contract Processes
• Tracking of Requests / Complaints
• Ensuring the Security of Movable Goods and Resources
• Execution of Supply Chain Management Processes
• Implementation of the Wage Policy
• Carrying out marketing processes for products / services
• Ensuring the Security of Data Controller Operations
• Foreign Personnel Work and Residence Permit procedures
• Conducting Talent / Career Development Activities
• Providing Information to Authorized Persons, Institutions and Organizations
• Carrying out management activities
• Creating and Tracking Visitor Records
3. Principles Regarding the Protection of Personal Data
3.1 Ensuring Personal Data Security
In accordance with Article 12 of the law, the company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in personal data. In this context, our company takes administrative measures and carries out or has audits carried out to ensure the necessary level of security in accordance with the guidelines published by the board.
3.2 Protection of Special Personal Data
The law has given special importance to certain personal data due to the risk of causing victimization or discrimination when processed illegally. These data include data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Black Fashion acts with sensitivity in protecting special personal data that are determined as special by law and processed in accordance with the law. In this context, the technical and administrative measures taken by Black Fashion to protect personal data are meticulously implemented in terms of special personal data and the necessary controls are provided within Black Fashion.
3.3 Raising Awareness and Supervision on the Protection and Processing of Personal Data
Black Fashion organizes the necessary training for business units to increase awareness on preventing the unlawful processing of personal data, unlawful access to personal data, and ensuring the protection of personal data.
Black Fashion updates and renews the training of its employees in parallel with the updating of the relevant legislation on the protection of personal data.
4. Storage and Destruction of Personal Data
Our company stores personal data for the period required for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation governing the relevant activity. In this context, our company first determines whether a period is stipulated in the relevant legislation for the storage of personal data and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period required for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods.
| Data Category | Data Retention Period |
| 1- Identity | Minimum 1 month, maximum 10 years |
| 2- Communication | Minimum 1 month, maximum 10 years |
| 3- Location | 2 Years |
| 4- Personality | 10 years |
| 5- Legal Procedure | 10 years |
| 6- Customer Transaction | 10 years |
| 7- Physical Space Security | Minimum 2 weeks, maximum 60 days |
| 8- Transaction Security | 1 month |
| 9- Risk Management | 10 years |
| 10- Finance | 10 years |
| 11- Professional Experience | Minimum 1 month, maximum 10 years |
| 12- Marketing | 10 years |
| 13- Visual and Audio Recordings Minimum | Minimum 1 month, maximum 10 years |
| 14- Race and Ethnicity | Minimum 1 month, maximum 10 years |
| 15- Attire and Clothing | Minimum 1 month, maximum 10 years |
| 16- Health Information | 10 years |
| 17- Criminal Conviction and Security Measures | 10 years |
5. Relevant Person and Exercise of These Rights
5.1. Rights of the Data Subject
Personal data owners have the following rights:
a . Learning whether personal data is being processed,
b . Requesting information regarding the processing of personal data,
c . To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d . To know the third parties to whom personal data is transferred domestically,
e . To request correction of personal data if they are processed incompletely or incorrectly and to request notification of the action taken to third parties to whom personal data has been transferred,
f . To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
g . To object to the emergence of a result to the detriment of the person himself/herself, by means of analysis of the processed data exclusively through automatic systems,
h . To request compensation in case of damages due to unlawful processing of personal data.
5.2. Exercise of Rights by the Data Subject
In order for the relevant persons to exercise the rights specified, the persons must submit their requests in writing, together with the information that will enable the identification of the relevant persons in relation to the data, using the following communication channels:
Via e-mail to info@blackfashion.com.tr
Through a software or application developed for the application purpose
5.3. Company's Response to Applications
Our company takes the necessary administrative and technical measures to finalize the applications made by the relevant person in accordance with the law and secondary legislation.
If the relevant person submits his/her request regarding the rights set forth in section 5.1. (Rights of the Relevant Person) to our Company in accordance with the procedure, our Company will finalize the relevant request free of charge within the shortest time possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
6. Precautions to Keep Personal Data Accurate and Up-to-Date
Black Fashion keeps personal data accurate and up-to-date using the following methods:
6.1. Technical Measures
Network security and application security are provided.
A closed system network is used in personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of information technology systems procurement, development and maintenance.
Security of personal data stored in the cloud is ensured.
An authority matrix has been created for employees.
Access logs are kept regularly.
Data masking measures are applied when necessary.
Current anti-virus systems are used.
Firewalls are used.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system is implemented and these are also monitored.
6.2. Administrative Measures
An authority matrix has been created for employees.
Institutional policies on access, information security, use, storage and destruction have been prepared and implemented.
The authorities of employees who change their duties or leave their jobs are removed in this area.
Confidentiality commitments are made.
Signed contracts include data security provisions.
Personal data security policies and procedures have been determined.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Personal data is reduced as much as possible.
Personal data security policies and procedures have been determined.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
Personal data is reduced as much as possible.
Protocols and procedures for the security of special personal data have been determined and implemented.
If sensitive personal data is to be sent via e-mail, it must be encrypted and sent using a KEP or corporate mail account.
7. Changes to the Personal Data Protection Policy
Black Fashion may make changes to this policy to the extent required by activities or legally required. The amended policy text will enter into force by being shared on the https://www.blackfashion.com.tr/ website. Black Fashion will also notify all relevant person groups via e-mail about the changes to be made.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Introduction
1.1 Purpose
This Personal Data Storage and Destruction Policy has been prepared by Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as “Black Fashion”) as the data controller, in accordance with the Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which constitutes the secondary regulation of the law and entered into force upon publication in the Official Gazette dated October 28, 2017, and the relevant legislation, in order to determine the procedures and principles regarding the processes of storing, deleting, destroying and anonymizing personal data, to inform those whose personal data is processed by Black Fashion, and to fulfill the obligations under the law and relevant legislation.
In line with its basic principles, Black Fashion has prioritized the processing of all personal data belonging to its employees, relatives of employees, candidate employees, interns, supplier officials, supplier employees, direct or indirect real person shareholders/partners, potential product and service buyers, customers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, the Law on the Protection of Personal Data No. 6698 and other relevant legislation, and ensuring that the relevant persons can effectively exercise their rights.
The work and operations regarding the storage and destruction of personal data are carried out in accordance with this Policy prepared by Black Fashion in this regard.
1.2 Scope
All personal data belonging to Black Fashion employees, employee relatives, employee candidates, interns, supplier officials, supplier employees, direct or indirect real person shareholders/partners, potential product and service buyers, customers, visitors and other third parties are within the scope of this Policy, and this Policy is applied to all recording environments owned or managed by Black Fashion where personal data is processed and to all activities related to the processing of personal data.
1.3 Abbreviations and Definitions
| Explicit Consent | It is consent regarding a specific subject, based on information and expressed with free will. |
| Anonymization | It is the process of making personal data in such a way that it cannot be associated with an identified or identifiable natural person in any way, even when matched with other data. |
| Buyer Group | It is the term that refers to the category of natural or legal persons to whom personal data is transferred by the data controller. |
| Worker | She is an employee of Black Fashion. |
| Electronic Media | These are environments where personal data can be created, read, changed and stored using electronic devices. |
| Non-Electronic Media | All written, printed, visual etc. media other than electronic media. |
| Supplier | A natural or legal person who provides goods and services to Black Fashion within the framework of a specific contract. |
| Contact Person | The natural person whose personal data is processed. |
| Related User | Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data. |
| Personal Data Processing Inventory | It is the inventory in which Black Fashion creates the personal data processing activities they carry out in connection with their business processes by relating them to the personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, and details the maximum retention period required for the purposes for which personal data is processed, transfer to foreign countries, anticipated personal data and measures taken regarding data security. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law | Personal Data Protection Law No. 6698 |
| Recording Environment | It is any environment where personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
|
Processing of Personal Data |
It is any operation performed on personal data, such as obtaining, recording, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system. |
| Special Personal Data | Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | It is the process of deleting, destroying or anonymizing personal data, which is specified in the personal data storage and destruction policy and will be carried out ex officio at recurring intervals, in the event that all the processing conditions of personal data specified in the law are eliminated. |
| Policy | Personal Data Storage and Destruction Policy |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Data Recording System | It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Data Controller | It is a recording system in which personal data is structured and processed according to certain criteria. |
| Data Controllers Registry Information System | (VERBIS) It is an information system created and managed by the Personal Data Protection Authority, accessible via the internet, to be used by data controllers in applications to the Data Controllers Registry and other relevant transactions related to the Data Controllers Registry. |
| Regulations | Regulation on the Deletion, Destruction and Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 |
| Internal Management Directive |
Black Fashion Company Board of Directors Internal Directive.
|
2. Distribution of Responsibilities and Duties
Black Fashion employees are obliged to comply with the rules set forth in this policy and to provide the necessary support to the units responsible for the processing of personal data. Company employees who process personal data act in accordance with the basic principles, personal data processing conditions and special personal data processing conditions while carrying out data processing activities.
In this regard, the responsible persons selected from the Personal Data Protection Committee members specified below, their units and their duties in the storage and destruction of personal data are explained in detail.
| Staff Title | Unit | Job description in the KVKK Process |
| Maryam Kabadayi | Human Resources | Management and control of compliance with the Personal Data retention period and the Personal Data destruction process |
| Text Oguzhan | Information Processing | Management and control of compliance with the Personal Data retention period and the Personal Data destruction process |
Table 1: Distribution of tasks in storage and destruction processes
The distribution of titles, units and job descriptions of those responsible for the storage and destruction of personal data is given in Table 1.
3. Recording Media
Personal data is stored securely by Black Fashion in accordance with the law in the environments listed in Table 2.
| Electronic media | Non-electronic media |
|
|
Table 2: Personal data storage environments
4. Explanations Regarding Storage and Destruction
Black Fashion acts in accordance with the following principles in the storage and destruction of personal data.
4.1 Explanations Regarding Storage
Article 4 of the Law states that personal data must be related, limited and proportionate to the purpose for which they are processed and must be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, while Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the framework of our activities, personal data is stored for a period of time that is subject to the relevant legislation and/or compatible with our processing purposes.
4.1.1 Legal Reasons Requiring Storage
Personal data processed by Black Fashion is stored for a period of time in accordance with the relevant legislation in its field of activity and/or in accordance with our processing purposes. In this context, personal data will be stored within the scope of the legislation listed below and other legislation that is in force or will come into force, including but not limited to those listed.
a . The Constitution of the Republic of Turkey
b . Turkish Code of Obligations No. 6098
c . Personal Data Protection Law No. 6698
d . Social Insurance and General Health Insurance Law No. 5510
e. Occupational Health and Safety Law No. 6331
f . Labor Law No. 4857
g . The remaining articles of the Labor Law No. 1475
h . Tax Procedure Law No. 213
i . Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
j. Turkish Commercial Code No. 6102
It is stored for the retention periods prescribed by other applicable legislation, including but not limited to these laws.
4.1.2 Processing Purposes Requiring Storage
Personal data is stored securely in physical or electronic environments by Black Fashion, within the limits specified in the KVKK and other relevant legislation, especially for the purpose of continuing commercial activities, fulfilling legal obligations, planning and managing personnel processes, and managing legal disputes, especially litigation and enforcement proceedings.
Personal data is processed for the following purposes:
• Implementation of Information Security Processes
• Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students
• Conducting the Application Process of Employee Candidates
• Implementation of Employee Satisfaction and Loyalty Processes
• Fulfillment of Employment Contract and Legislative Obligations for Employees
• Conducting Employee Benefits and Side Benefits Processes
• Conducting Training Activities
• Execution of Access Permissions
• Ensuring Physical Space Security
• Conducting Finance and Accounting Affairs
• Conducting Loyalty Processes to Company / Products / Services
• Conducting Assignment Processes
• Monitoring and Execution of Legal Affairs
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting / Supervising Business Activities
• Conducting Occupational Health / Safety Activities
• Carrying out Business Continuity Activities
• Carrying out logistics activities
• Execution of Goods / Services Purchasing Processes
• Execution of Goods / Services Sales Processes
• Execution of Goods / Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Carrying out activities aimed at customer satisfaction
• Conducting Marketing Analysis Studies
• Conducting Advertising / Campaign / Promotion Processes
• Implementation of Risk Management Processes
• Carrying out storage and archive activities
• Execution of Contract Processes
• Tracking of Requests / Complaints
• Ensuring the Security of Movable Goods and Resources
• Execution of Supply Chain Management Processes
• Implementation of the Wage Policy
• Carrying out marketing processes for products / services
• Ensuring the Security of Data Controller Operations
• Foreign Personnel Work and Residence Permit procedures
• Conducting Talent / Career Development Activities
• Providing Information to Authorized Persons, Institutions and Organizations
• Carrying out management activities
• Creating and Tracking Visitor Records
4.2 Reasons Requiring Destruction
Personal data;
The request of the relevant person to delete or destroy his/her personal data within the framework of his/her legal rights is examined and deemed appropriate by the data controller,
In cases where personal data is processed only based on explicit consent, the person concerned must withdraw his/her consent,
Amendment or repeal of relevant legislative provisions that form the basis for the processing, storage and destruction of personal data,
The purpose requiring the processing or storage of personal data disappears,
Although the maximum period for which personal data must be stored has passed, there are no conditions requiring personal data to be stored for a longer period,
In cases where the data controller rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, the response given is found insufficient or he/she does not respond within the period stipulated in the Law; in cases where a complaint is made to the Board and this request is found appropriate by the Board, the data will be deleted and/or destroyed or deleted and/or destroyed and/or anonymized by Black Fashion upon the request and depending on the request of the relevant person.
5. Technical and Administrative Measures
The technical and administrative measures we take as Black Fashion to store personal data securely and prevent unlawful processing and access are listed below, but are not limited to those listed.
5.1 Technical Measures
Network security and application security are provided.
A closed system network is used in personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of information technology systems procurement, development and maintenance.
Security of personal data stored in the cloud is ensured.
An authority matrix has been created for employees.
Access logs are kept regularly.
Data masking measures are applied when necessary.
Current anti-virus systems are used.
Firewalls are used.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system is implemented and these are also monitored.
5.1. Administrative Measures
An authority matrix has been created for employees.
Institutional policies on access, information security, use, storage and destruction have been prepared and implemented.
The authorities of employees who change their duties or leave their jobs are removed in this area.
Confidentiality commitments are made.
Signed contracts include data security provisions.
Personal data security policies and procedures have been determined.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Personal data is reduced as much as possible.
Personal data security policies and procedures have been determined.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
Personal data is reduced as much as possible.
Protocols and procedures for the security of special personal data have been determined and implemented.
If sensitive personal data is to be sent via e-mail, it must be encrypted and sent using a Kep or corporate mail account.
6. Personal Data Destruction Techniques
At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data are destroyed by Black Fashion ex officio or upon the application of the relevant person, again in accordance with the relevant legislation, using the techniques specified below.
For the destruction of Personal Data held by Black Fashion, the destruction methods within the scope of the Regulation include deletion, destruction and anonymization.
| Data Recording Environment | Explanation |
| Personal data on servers |
For personal data on the servers whose storage period has expired, the system administrator will delete the data by revoking the access rights of the relevant users.
|
| Personal Data in Electronic Environments | Personal data stored in electronic media, whose storage period has expired, is rendered inaccessible and non-reusable by any employees other than the database administrator. |
| Personal Data in the Physical Environment |
For personal data kept in a physical environment, the period requiring storage has expired and they are rendered inaccessible and non-reusable for all employees except for the unit manager responsible for the document archive. In addition, they are blackened by drawing/painting/erasing them so that they cannot be read.
|
| Personal Data on Portable Media |
Personal data kept in flash-based storage media, for which the period requiring storage has expired, are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.
|
Table 3 : Destruction of Personal Data
7. Storage and Destruction Periods
• Personal data processed by our Company within the scope of its activities are stored for the periods stipulated by law and for the statute of limitations, and the storage periods are generally as follows;
• The storage and destruction periods of personal data on a data basis are in the “Personal Data Processing Inventory”.
• Registration to Verbis based on data categories,
• On a process basis, it is listed as stated in the table below.
| PERIOD | STORAGE PERIOD | DESTRUCTION PERIOD |
| Keeping All Documents and Records Regarding Work Accidents | 10 Years from the date of the accident | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Records to Ensure Employees' Rights to the Social Security Institution | 10 Years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Documents and Records Regarding Training Activities Conducted Within the Scope of Occupational Health and Safety | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Signing an Employment Contract with Employees at the Time of Starting Work | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Collecting Samples of Diplomas and Certificates from Employees to Record Their Professional Experience | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Obtaining Health Reports of Employees | 10 Years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Records of Disability Information, Blood Group Information, Personal Health Information, Device and Prosthesis Information Used | 10 Years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
|
Disability Board Health Report |
10 Years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Employee Resumes | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Records of Salary Payments and Payroll Information | 10 Years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Legal Documents and Records Regarding Wage Garnishments | 10 Years from the Conclusion of the Legal Procedure | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Other Legal Procedures | 10 Years from the Conclusion of the Legal Procedure | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Power of Attorney Records | 10 Years from the Conclusion of the Legal Procedure | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Keeping Documents and Records Regarding Employees' Leave Processes | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| The Process of Creating the Employee's Personal File | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Conducting the Resignation Process | 10 years from the date of leaving the job | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
|
Vehicle Usage Instructions and Embezzlement Process |
10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Official Inspection Processes | 10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Field Work Monitoring Processes | 10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Traffic Fines Legal | 10 Years from the Conclusion of the Transaction | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Processes for Maintaining Personnel Lists | 10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Staff Badge | 10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Vehicle Accident Reports | 10 years | During the first periodic destruction period following the end of the storage period (In any case, it cannot exceed 6 months) |
| Mediation Activities Processes | 10 Years from the Conclusion of the Legal Procedure | |
| Contract Processes | 10 Years from the Conclusion of the Legal Procedure | |
| Education Processes | 10 years | |
| Insurance Processes | 10 years | |
| Premium Payment Processes | 10 years | |
| Customer Transaction Processes | 10 years |
Table 4: Table of storage and destruction periods based on processes
8. Periodic Destruction Period
Black Fashion has determined the periodic destruction period as 6 months.
9. Publication and Storage of the Policy
The policy is prepared in two different media: wet-signed (printed paper) and electronic. It is published on our website https://www.blackfashion.com.tr/. The printed copy is also kept in the Human Resources department.
10. Policy Update Period
The policy is reviewed as needed and necessary sections are updated. Updated versions are republished.
11. Enforcement of the Policy
Black Fashion may make changes to this policy to the extent required by activities or legally required. The amended policy text will enter into force upon sharing on the https://www.blackfashion.com.tr/ website. Black Fashion will also notify all relevant person groups via e-mail regarding the changes to be made.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
CUSTOMER INFORMATION TEXT ON THE PROTECTION OF PERSONAL DATA
Topic 1
As Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion), we attach importance to the security of your personal data and try to take all necessary security measures in this context. As the data controller, we process your personal data in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation, within the scope of this Customer Information Text on the Protection of Personal Data and the Personal Data Protection, Processing and Privacy Policy.
1.1. Data Within the Scope of Explicit Consent
Black Fashion processes the following personal data of the customer in accordance with the relationship with the customer:
a . Identity information data
b. Contact information data
c. Legal transaction data
d. Customer transaction data
e . Data within the scope of physical space security
f . Data within the scope of risk management
g. Financial data
h . Marketing data
1.2. Processing Method, Legal Reason and Purpose of Personal Data
Customers' Personal Data is obtained physically and electronically within the scope of the contractual relationship with Black Fashion.
Personal data processed by the company is stored for a period of time in accordance with the relevant legislation in its field of activity and in accordance with our processing purposes. In this context, personal data will be stored within the scope of the following legislation, but not limited to those listed, and other legislation that is in force or will come into force.
a . The Constitution of the Republic of Turkey
b. Turkish Code of Obligations No. 6098
c. Personal Data Protection Law No. 6698
d . Social Insurance and General Health Insurance Law No. 5510
e . Occupational Health and Safety Law No. 6331
1.1 . Labor Law No. 4857
1.2. The remaining articles of the Labor Law No. 1475
1.3 Tax Procedure Law No. 213
1.4 . Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
1.5. Turkish Commercial Code No. 6102
Personal Data collected during this process may be processed for the purposes of executing Black Fashion customer relations management processes, executing and auditing business activities, executing logistics activities, executing contract processes, executing risk management processes, executing finance and accounting activities, executing communication activities, executing goods/service purchasing processes, executing goods/service after-sales support services, executing goods/service sales processes, executing goods/service production and operation processes, executing activities aimed at customer satisfaction, executing supply chain management processes, executing storage and archive activities, executing marketing processes of products/services, providing information to authorized persons, institutions and organizations, executing marketing analysis studies, following up and conducting legal affairs, ensuring physical space security, creating and following up visitor records.
2. Transfer of Personal Data
3.1 Black Fashion may transfer Customer Personal Data to real persons or private law legal entities resident in the country, shareholders and business partners, suppliers, authorized public institutions and organizations for the purposes specified above.
2. Processing Period of Personal Data
3. Black Fashion keeps the Personal Data it processes accurate and up-to-date using technological methods. If the reasons requiring Black Fashion to process the data are eliminated, it will delete, destroy or anonymize the personal data ex officio or upon the Customer's request.
| 3.1.1. DATA CATEGORY | 4. DATA STORAGE PERIOD |
| 5. Identity | 6. Minimum 1 Month Maximum 10 Years |
| 7. Communication | 8. Minimum 1 month, maximum 10 years |
| 9. Legal Action | 10. 10 YEARS |
| 11. Customer Transaction | 12. 10 YEARS |
| 13. Physical Space Security | 14. Minimum 2 weeks Maximum 60 days |
| 15. Risk Management | 16. 10 YEARS |
| 17. Finance | 18. 10 YEARS |
| 19. Marketing | 20. 10 YEARS |
1. Customer Rights
You can submit your requests regarding your rights to us through the methods regulated in the relevant article of the Law. Your request will be finalized free of charge as soon as possible but within thirty (30) days at the latest. However, if the transaction requires an additional cost, we may request a fee in the tariff determined by the Board. The Customer has the following rights regarding Personal Data processed by Black Fashion:
a. To learn whether or not your personal data is being processed;
b. To request information regarding the processing of personal data;
c. To learn the purpose of processing of personal data and whether they are used in accordance with their purpose;
d. To learn about the third parties to whom personal data is transferred domestically;
e. To request correction of personal data if they are processed incompletely or incorrectly;
f. Request the deletion or destruction of personal data within the framework of KVKK article 7;
g. To request that the transactions carried out in accordance with Article 6.e and Article 6.f of this Declaration be notified to third parties to whom personal data has been transferred;
h. To object to the emergence of a result to his/her detriment as a result of the analysis of his/her processed personal data exclusively through automatic systems, and
i. To request compensation in case of damages due to unlawful processing of personal data.
In order to exercise the rights specified above, the Customer must submit their requests in writing to Black Fashion using any of the following communication channels, along with information that will allow their identity to be determined:
a. To info@blackfashion.com.tr, via e-mail;
b. Mail to etrade@blackfashion.com.tr or;
c. Through a software or application developed for application purposes.
2. Personal data may be processed without the explicit consent of the person concerned if one or more of the following conditions are present:
5.1 . The relevant activities regarding the transfer of personal data are clearly prescribed by law, the transfer of personal data by the Company is directly related to and necessary for the establishment or execution of a contract, and in the event of a contract between the parties, the processing of personal data belonging to the parties to the relevant contract is necessary,
5.2. The transfer of personal data is mandatory for the Company to fulfill its legal obligations,
3. Transfer of personal data by our Company for limited purposes, provided that it has been made public by the relevant person,
4. The transfer of personal data by the company is necessary for the establishment, exercise or protection of the rights of the company or the relevant person or third parties,
5. It is mandatory to transfer personal data for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the relevant person.
6. If the person is unable to give his consent due to a physical impossibility or if his consent is not legally valid, it is necessary to protect his own life or the physical integrity of another person.
7. Scope
This disclosure text covers the terms and conditions of the Personal Data Protection, Processing and Privacy Policy, which entered into force as of the date of publication by Black Fashion on its website.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
CONCERNED PERSON APPLICATION FORM
1.Application Method
You can submit your requests within the scope of your rights listed in Article 11 of the Law on the Protection of Personal Data No. 6698 to Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion) through one of the methods explained below with this form in accordance with Article 13 of the Law and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller.
| APPLICATION METHOD | APPLICATION ADDRESS | INFORMATION TO BE SHOWN IN THE APPLICATION | |
| 1. Application in writing | Application in person with wet signature or through Notary | “Request for Information Within the Scope of the Personal Data Protection Law” will be written on the envelope/notification. | |
| 2. Application via Registered Electronic Mail (KEP) | By using the Registered Electronic Mail (KEP) address |
The subject of the e-mail will be written as "Information Request Within the Scope of the Personal Data Protection Law".
|
|
| 3. Application with the Electronic Mail Address in the System | By using the e-mail address registered in the Black Fashion system. | The subject of the e-mail will be written as "Information Request Within the Scope of the Personal Data Protection Law". | |
| 4. Application with an e-mail address that does not exist in the system | By using an e-mail address that does not exist in the Black Fashion system, including a mobile signature/e-signature. | The subject of the e-mail will be written as "Information Request Within the Scope of the Personal Data Protection Law". |
Your applications sent to us will be answered within thirty (30) days from the date your request reaches us, depending on the nature of the request, in accordance with the second paragraph of Article 13 of the Law. Our answers will be sent to you in writing or electronically in accordance with the provisions of Article 13 of the relevant Law.
2. Your Identity and Contact Information
Please fill in the fields below so that we can contact you and verify your identity.
| Name-Surname: | |
| Turkish Identity Number / Passport Number or Identity Number for Citizens of Other Countries: | |
| Residence Address / Workplace Address for Notification: | |
| Mobile Phone: | |
| Phone Number : | |
| Fax Number : | |
| Email Address: |
3. Please indicate your relationship with Black Fashion. (Customer, business partner,
(e.g. candidate employee, former employee, third party company employee, shareholder)
|
☐ Customer
☐ Visitor
|
☐ Business Partner
☐ Other
|
|
☐ My Former Employee
Years I Worked:
☐ Other:
|
☐ I shared my job application/resume
History:
☐ I am a Third Party Company Employee
Please provide information about the company you work for and your position:
|
| I would like to know if Black Fashion processes personal data about me | |
| If Black Fashion processes personal data about me, I request information about these data processing activities. | |
| If Black Fashion processes personal data about me, I would like to know the purpose of processing it and whether it is used in accordance with the purpose of processing. | |
| If my personal data is transferred to third parties at home or abroad, I want to know about these third parties. | |
| I think that my personal data has been processed incompletely or incorrectly and I want it to be corrected. | |
| For this requested item, the information/document that you think is incorrect or incomplete and that you want corrected, and the information/document that shows that your personal data is accurate and complete, must be sent to us as an attachment. | |
| Considering that the reasons for processing my personal data have been eliminated, I request that these data be destroyed by a suitable method (Deletion, Destruction, Anonymization). I would like my personal data, which I believe has been processed incompletely or incorrectly, to be corrected by the third parties to whom it has been transferred. |
|
| For this requested item, the information/document that you think is incorrect or incomplete and that you want corrected, and the information/document that shows that your personal data is accurate and complete, must be sent to us as an attachment. | |
| I would like my personal data, which I requested to be deleted, to be deleted by the third parties to whom it was transferred. | |
|
I believe that my personal data processed by Black Fashion has been analyzed exclusively through automated systems and that this analysis has resulted in a result that is detrimental to me. I object to this result.
|
4. Please specify your request within the scope of the Law and the personal data subject to the request in detail.
5. Attachments
If you have any documents that you would like to support your application, please specify them below and attach the relevant documents to this form.
6. Please select the method by which you will be notified of our response to your application.
☐ I want it sent to my address.
☐ I want it to be sent to my e-mail address.
(We will be able to respond to you faster if you choose the email method.)
☐ I want to receive it in person.
(In case of receipt by proxy, a notarized power of attorney or authorization document is required.)
This application form has been prepared to determine your relationship with Black Fashion and to determine your personal data processed by Black Fashion, if any, in full and to respond to your application correctly and within the legal period. In order to eliminate legal risks that may arise from unlawful and unfair data sharing and especially to ensure the security of your personal data, Black Fashion reserves the right to request additional documents and information (copy of ID card or driver's license, etc.) for identification and authorization. In the event that the information regarding your requests submitted within the scope of the form is not correct and up-to-date or an unauthorized application is made, Black Fashion does not accept liability for such incorrect information or requests arising from unauthorized applications. In addition, if it requires a cost, we reserve the right to request a fee in the amounts determined within the scope of the relevant legislation.
Applicant (Contact person)
Name Surname :
Application Date:
Signature :