As CBF TEKSTİL VE DIŞ TŞCARET AŞ. , we meticulously store the personal data of our valued employees, business partners, service providers and all data subjects who have been in contact with us. All necessary technical and administrative measures have been taken by us in order to fulfill the liabilities are regulated by the Law on Protection of Personal Data No. 6698 (“LPPD“) regarding the protection of personal data properly and in a complete manner and, in all of our departments, the necessary policies to ensure that the employees act in accordance with said measures and liabilities were put in place. We share with you below our Policy for Protecting and Processing Personal Data put into effect at our company.
In this context; we would like to assure you that we shall comply with the relevant legislation and the aforementioned company policy with regards to the personal data shared with us and to kindly remind you that any personal data that may be shared with you is should also be stored in a manner up to high data security standards and for the same reason should not be shared with third parties without any legal grounds. As all suggestions and opinions shall be evaluated, all opinions shared with us are considered to be greatly important.
1. Purpose of the Policy for Protecting and Processing Personal Data
With the Policy for Protecting and Processing Personal Data herein (“Policy”), the intention is all regulations, measures and requirements deemed important in accordance with the LPPD Compliance Process to be adopted within CBF. Within this scope, this Policy have the qualifications to guide each individual within CBF on how to perceptibly implement the rules put forth by the LPPD and relevant legislation as well as to inform our employees, business partners, service providers and all data subjects who got in contact with us and left his/her personal data to us regarding our policies for the LPPD.
In this respect, the company carries out the necessary adjustments in order to comply with this Policy and periodically operates its internal audit mechanisms regarding compliance in order to ensure the continuity of compliance. All relevant regulations and internal audit mechanisms are prepared by CBF in accordance with the principles set forth under the LPPD and relevant legislation; CBF regulated and brought various directives and instructions as internal regulations into force within the scope of the protection of personal data. The aforesaid regulations are; The Policy for the Protection and Processing of Sensitive Personal Data, Policy for the Storage and Destruction of Personal Data, Directive on Emergency Situations, Directive Regarding the Duties and Powers of the Committee on Protection of Personal Data, Directive on the Methods to be Followed for the Applications Submitted Regarding Personal Data, Information Security Directives and Instruction on Filing and Archiving.
Consent given regarding a certain subject, based upon information and declared with free will.
A real person whose personal data is processed.
Deleting, destroying or anonymizing personal data.
The Law on the Protection of Personal Data, No: 6698
Any information relating to an identified or identifiable natural person
Anonymization of personal data
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Processing of personal data
Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
Deletion of personal data
The process of rendering the personal data inaccessible or unusable, under any circumstance, for the data subjects.
Destruction of personal data
The process of rendering the personal data inaccessible, irretrievable and unusable, under any circumstance, for everyone.
The Personal Data Protection Board
Policy for Protecting and Processing Personal Data
CBF TEKSTİL VE DIŞ TİCARET A.Ş.
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
3. Policy’s Application and Modification
This Policy is brought into force by the Board of Directors of CBF and its application is followed by the Committee on the Protection of Personal Data which is authorized by the Board of Directors / General Manager.
CBF has the right to modify the Policy and other internal regulations and documents organized in accordance with the Policy, provided that it is in compliance with the LPPD and the personal data is protected better in accordance with the Constitution and personal rights.
4. Policy’s Scope and Modification
This Policy herein aims to protect all personal data of our business partners, service providers, employees and customers or employees of the companies working with us or any other persons, processed through automatic or non-automatic manners provided that they are a part of any data recording system and includes provisions to ensure the said objectives. In this vein, CBF takes all necessary administrative and technical measures within the processing and protection of personal data, in the direction of the principles set forth in the LPPD and other legislation; necessary training are conducted with the purpose to raise the awareness of CBF employees; internal audit mechanisms are established and maintained; relevant compliance processes are maintained and necessary notifications and warnings are made to the Company employees or applicants and interns or intern applicants within the LPPD. This Policy determines the content and application procedures of these measures and actions. In this context, it has to be stated that CBF undertakes to comply with all the liabilities and obligations set forth by the LPPD.
5. Fundamental Rules Regarding the Processing of Personal Data
CBF processes personal data within the framework of the following principles and rules;
- Lawful and in good faith: The Company investigates the source of the personal data that it collects itself or receives from third parties and attaches importance to lawful acquisition of these in good faith.
- Accurate and up-to-date, when necessary: The Company attaches importance to the accuracy, up-to-datedness, non-containment of any false information of all the personal data within itself and finally, to immediately conduct necessary updates in the event that there are changes in the personal data, when the said changes are notified to itself.
- Processing for specific, explicit and legitimate purposes: The Company shall only process personal data by acquiring explicit written consent of the data subjects via consent forms in which the specific purpose and duration is indicated except for the situations listed in Article 5 of the LPPD, limited to the purposes set forth under the Policy. It does not process, use, or have third parties use the data other than for its own operational purpose.
- Proportionate, relevant and limited to the processing purposes: The Company uses personal data only to the extent that it is relevant and limited to the purpose for which they are processed and in proportion to what is necessary for its service.
- Stored only for the period provisioned by relevant legislation or necessary for the processing purpose: The Company stores the personal data it processes in accordance with the time periods as provided by the legislations for Labor Law, Work Health and Safety Law, Social Security Law, Turkish Commercial Law and other legislations and limited to the periods set forth in the Policy for the Storage and Destruction of Personal Data. However, when the abovementioned purposes or reasons which makes the storage lawful cease to exist, CBF deletes, destroyes or anonymizes the personal data. Personal data is subjected to the necessary processes in accordance with the procedures and rules set forth under the Policy for the Storage and Destruction of Personal Data.
6. Rights of the Data Subject Regarding the Processing of Personal Data
CBF attaches importance to the rights of the data subjects within the framework of compliance with the LPPD. Hereunder; the data subjects shall have the following rights with regards to the personal data processed by CBF in accordance with Article 11 of the LPPD, with the application form prepared by CBF and provided upon the request of the data subject, the data subjects shall have the right to request;
- To learn whether their personal data is processed or not,
- Relevant information in case their personal data has been processed,
- To learn the purpose for which their personal data has been processed and whether the personal data has been used in accordance with said purposes,
- To learn the third parties, domestic or abroad, to whom their personal data has been transferred,
- Correction of their personal data in the event that they have been processed inadequately or incorrectly,
- The deletion or destruction of their personal data within the framework provided by the LPPD,
- The notification of the transactions carried out in accordance with subparagraphs (4) and (5) to the third parties to whom personal data has been transferred,
- Objection to the results detrimental to themselves arising from the analysis of the processed personal data exclusively via automatic systems,
- Compensation for the damages that has occurred due to unlawful processing of personal data.
Applications that are received by our Company via the methods specified in our application form shall be responded to within 30 (thirty) days of the date that they reach our Company in accordance with Article 13, paragraph 2 of the LPPD and the reply shall be delivered to the data subject in writing or via electronic media. In the applications submitted to CBF in this manner, CBF shall act in compliance with the provisions of the Directive on the Methods to be Followed for the Applications Submitted Regarding Personal Data.
7. The Principle of Maximum Efficiency
In accordance with the maximum efficiency principle, the personal data processed by shall be processed CBF only to the extent it is necessary and adequate. In this direction; only the personal data listed under the Policy shall be collected for the reasons stipulated in Article 5 of the LPPD by us and the unnecessary personal data shall neither be collected nor processed nor stored. Most of the personal data processed by CBF is transferred to the Company’s information systems; and unnecessary data is not saved to the system within the scope of the Policy for the Storage and Disposal of Personal Data and is deleted, destroyed or anonymized. Such data may be used for statistical purposes.
8. Deletion, Destruction and Anonymization of Personal Data
Personal data is deleted, destroyed or anonymized, automatically or upon the request of the data subject upon the expiration of legally required durations, the finalization of judicial processes or the cease of existence of the lawfulness reasons of CBF in accordance with Article 5 and 6 of the LPPD in line with the Policy for the Storage and Disposal of Personal Data. The durations in which the personal data are disposed and the methods for these are indicated in the Policy for the Storage and Disposal of Personal Data.
9. Data Accuracy and Up to Datedness
The personal data stored in CBF’s systems are, as a rule, saved upon the declaration of the data subjects and in the manner of their declaration processed automatically or provided that they are a part of any data recording system, via non-automatic methods. CBF is not liable to investigate the accuracy of the data declared by its employees, business partners, customers, service providers, the customers of companies with which CBF is working as solution partners and/or other data subjects, who have come into contact with CBF. The personal data declared by the data subjects are considered accurate and up to date by CBF. The principle of personal data being accurate and up to date is one of the principles adopted by CBF and our company shall update the personal data it has processed in the light of the official documents it receives or upon the request of the data subject. We would like to state that notifications made by data subjects regarding the changes in their personal data to data controllers are important within the scope of providing compliance with the LPPD and keeping data up to date.
10. Confidentiality and Data Security
As CBF processes personal data in accordance with the principle of confidentiality and the right to privacy set forth under the Constitution as one of the fundamental rights and freedoms, and abides by the said principle and right in every stage of the data processing activity.
In light of said rule, only authorized persons within the Company may access the personal data within CBF. All necessary technical and administrative measures are taken by CBF in order to protect the collected personal data and to prevent it from being accessed by unauthorized persons and to prevent the data subjects from suffering. Within this scope, it is ensured that the software is in compliance with the standards, that all work relationships established with third parties are chosen carefully and that this Policy and other internal regulations are abided by within the company. Data protection agreements or protocols are established, in scope of the confidentiality principle, between the Company and the solution partners, business partners, service providers with whom reciprocal personal data transfers are made or with any real persons and legal entities to whom data is transferred regardless of the circumstances. Technical and Administrative measures taken for data security within the Company are regulated in the Information Security Directive and the Directive on Filing and Archiving along with this Policy.
11. Purposes of Personal Data Processing
CBF may only process personal data with the data subject’s explicit consent or the existence of the lawfulness reasons according to Article 5 of the LPPD as stated below:
- Explicitly stated by the laws.
- Mandatory in order to save the life or bodily integrity of a person or another’s who cannot declare consent because of physical impossibility or whose consent is not legally recognized.
- Provided that it is directly related to the establishment or execution of an agreement, the necessity of processing of personal data of the parties of the agreement.
- Mandatory in order for the data controller to fulfill legal obligations.
- Made public by the data subject himself/herself.
- Mandatory for the establishment, use or protection of a right.
- Mandatory for the legitimate interests of the data controller, provided that no harm comes to the fundamental rights and freedoms of the data subject.
Accordingly, personal data which are collected by CBF or transferred to CBF are stored for purposes such as;
- Protecting lawful legitimate interests of the real and legal persons that CBF is in business relationship with, determining the strategies of CBF,
- Determining the deficits in order to develop CBF’s business model,
- Examining and resolving the requests and complaints of the data subjects,
- Hiring, performance evaluation, preparing and keeping of personnel files, maintaining exit interview processes and maintaining other operational activities within the Company within the scope of planning and maintaining the Human Resources processes of CBF,
- Affixing cameras inside and within the environment of the Company, providing security,
- Training of the company employees within various and required subjects in relation with its subject of activity,
- Advertising of CBF’s projects and works, publishing of various interviews and photographs in websites and bulletin,
- CBF participating in fairs in relation to its works and collecting the contact information of various persons,
- Requests which CBF may face or information which it may need because of all the reasons indicated above
and may be processed within the lawfulness reasons that are indicated above or the explicit consent obtained from the data subject when needed.
12. Personal Data of Employees, Business Partners, Potential Business Partners, Service Providers and Solution Partners
CBF collects and processes certain personal data of employees, business partners, service providers and solution partners within the purposes indicated in Article 11 above. The aforesaid personal data is processed only in line with the purpose of the agreement, provided that said personal data is directly relevant to the establishment or execution of the agreements. Personal data is processed in accordance with the necessities of the execution of the agreement and the requirements of the service and are updated when necessary by contacting the data subject.
13. Data Transactions Conducted Due to The Branch’s Legal Liability or Explicit Legal Requirements
Personal data may be processed without acquiring additional consent if the processing is clearly set forth so under the relevant legislation or for the purpose of fulfilling a legal obligation as specified under the legislation. The kind and scope of data processing shall be necessary for the legal data processing activity and shall be in accordance with the relevant legal provisions.
14. Processing Sensitive Personal Data
As the data subject’s data regarding race, ethnic origin, political opinion, philosophical belief, religious sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, penal conviction and security measures and their biometric and genetic data are considered to be sensitive personal data within the scope of the LPPD; CBF acts in accordance with the necessary procedures and principles set forth by the LPPD. CBF further takes all adequate and necessary measures as specified by the Personal Data Protection Board. The matters relating to processing and protection of sensitive personal data are specified separately in detail in the Policy for the Processing and Protection of Sensitive Personal Data.
15. Personal Data of Our Employees
a. Data Processing for Work Relationship
As indicated in Article 11 of this Policy; the personal data of our employees, employee applicants, interns and intern applicants may be processed, without their consent, for the purpose of continuity of the work relationship and/or as necessary for work relationships and to the extent necessary within the scope of the regulations indicated in Article 5 (e) of this Policy. Even in such a situation, CBF ensures the protection and confidentiality of its employees’ personal data and shall take the necessary administrative and technical measures for the protection of such data.
CBF informs its employees regarding the data processing process and the protection of personal data whilst processing the personal data of its employees, prepares necessary approval forms, provides the necessary trainings to its employees and subjects its employees to periodic tests in relation to the LPPD.
b. Processing as per Legal Obligations
CBF may process the personal data of its employees without taking their consent in order to fulfill legal obligations set forth by the Labor Law, Social Security Law and Work Health and Safety Law, Turkish Commercial Law, Tax Procedure Law and other legislations, provided that the processing without the data subject’s consent is clearly set forth by the relevant legislation. This matter is limited to the obligations arising from the law.
c. Processing for the Benefit of the Employees
CBF may process personal data according to Article 5 of the LPPD without acquiring consent for transactions that are to the benefit of the employees such as trainings, private health insurance, phone subscriptions or travels. CBF may process the data of its employees regarding the disputes arising out of work relationships as well.
d. Processing Sensitive Personal Data
Personal data considered to be ‘sensitive’ within the scope of the LPPD may from time to time, be processed as required by the law and the specifications regarding the processing and protection sensitive personal data are set forth under the Policy for the Processing and Protection of Sensitive Personal Data.
e. Data Processed Via Automatic Systems
The personal data of the employees processed via automatic systems may be used for inter-company promotions and performance evaluations. The employees shall have the right to object to the results to their detriment in accordance with Article 11 of the LPPD and their application regarding their objection shall be made in compliance with the procedures within the company. The objections of the employees are also evaluated within the company.
f. Telecommunication and Internet
The computers, telephones, e-mail and other data recording devices assigned by CBF to its employees are assigned solely for work purposes. The employee may not use such devices assigned to them by the company for their personal affairs and communications, and all necessary information regarding this issue has been provided to the employees. The Company may control and audit all data within these devices. The employee undertakes not to store any data or information other than work on the computers, telephones and other devices assigned to them from the commencement of work and undertakes to encrypt these devices as necessary with the aim of protecting these devices.
16. Transfer of Personal Data, Domestic and Abroad
Personal data, within the scope of the abovementioned purposes and when necessary for CBF to fulfill its legal obligations, may be shared with our business partners, suppliers, training and fair organizers, private and public institutions and official authorities.
Personal data is shared in accordance with the regulations set forth under the Articles 8 and 9 of the LPPD and all necessary technical and administrative measures are taken during and following the sharing process in order to ensure data security.
In accordance with Article 8 of the LPPD, personal data may be transferred with the explicit consent of the data subject or without an explicit consent, in the existence of one of the situations mentioned above in Article 11 titled ‘Purposes of Personal Data Processing’.
In accordance with Article 9 of the LPPD, along with the abovementioned circumstances, the foreign country to which personal data is to be transferred shall have adequate protection. The countries with adequate protection are determined by the Personal Data Protection Board.
17. Transaction Security
All necessary technical and administrative measures are taken by CBF in order to protect the collected personal data and to prevent unauthorized persons from accessing such data and to protect data subjects from suffering. Within this scope, it is ensured that the software is in compliance with the standards, the third parties with whom business relationships are established are chosen carefully and that this Policy and other internal regulations are abided by within the company. The technical measures are indicated in detail in the Information Security Directives which is one of the Company’s internal regulations and the measures are constantly being renewed and developed.
CBF conducts the necessary internal and external audits regarding the protection of personal data and establishes necessary audit mechanisms for the protection of personal data. Board of Directors of the Company has established the Committee on Protection of Personal Data to provide compliance with the rules regarding the protection of personal data and inspection.
19. Notification of the Breaches
CBF, when a breach in relation to personal data is notified to it, immediately takes action in order to remedy such breach, by taking the Emergency Situations Directive into consideration. In the event of CBF causing a breach through its fault within the scope of the LPPD and the relevant legislation, CBF minimizes the damage of the data subject and compensates the damage. In the event that it is determined that personal data have been acquired by unauthorized persons from the outside, the Personal Data Protection Commission immediately notifies the Personal Data Protection Board of the situation in 72 hours after this situation is noticed.