ECE MARBLE EXCLUSIVE
1.PURPOSE AND SCOPE
ECE MERMER TURİZM SANAYİ VE TİCARET LİMİTED ŞİRKETİ ("Company") Personal Data Processing and Protection Policy sets out the principles to be adopted by the Company regarding the protection and processing
of personal data and to be taken into account in practice.
The Policy aims to determine the framework of the compliance activities to be carried out specifically for the
Company and to ensure coordination in order to comply with the Personal Data Protection ("PDP") Law No. 6698
on the protection and processing of personal data. In this context, the aim is to continue to carry out the activities in accordance with the principles of compliance with the law, honesty and transparency adopted by
the Company since its establishment.
2. TARGET
With the Company's PDP Policy, it is aimed to establish the necessary systems in line with the goal of raising
awareness about the processing and protection of personal data in accordance with the law within the
Company and to establish the necessary order to ensure compliance with the legislation.
In this context, the Company's PDP Policy aims to guide the implementation of the regulations set forth by the
PDP Law and the relevant legislation.
3.DEFINITIONS AND ABBREVIATIONS
The important definitions used in the Company's PDP Policy are listed below:
| Term | Description |
|---|---|
| EXPRESS CONSENT | Consent on a specific issue, based on information and freely given. |
| ANONYMIZATION | Changing personal data in such a way that it loses its personal data characteristic and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. techniques to make personal data unrelated to a natural person. |
| CONTACT PERSON | The natural person whose personal data is processed. For example: Customers, employees, prospective employees. |
| PERSONAL DATA | Any information relating to an identified and identifiable natural person. Therefore, the processing of information relating to legal persons is not covered by the Law. For example: name-surname, TRKN, e-mail, address, date of birth, credit card number, bank account number, etc. |
| PERSONAL DATA OF SPECIAL NATURE | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive data. |
| PROCESSING OF PERSONAL DATA | Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| DATA CONTROLLER | It refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). |
| DATA SUBJECT APPLICATION FORM | The application form to be used by the Relevant Person while using their applications regarding their rights under Article 11 of the KVK Law. |
| CONSTITUTION | Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, published in the Official Gazette dated November 9, 1982 and numbered 17863. |
| KVK LAW | Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677. |
| POLICY | Company Personal Data Protection and Processing Policy. |
| LIGHTING | Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, entered into force upon publication in the Official Gazette dated March 10, 2018 and numbered 30356. |
4. RESPONSIBILITIES
All our employees, stakeholders, guests, visitors and relevant third parties are obliged to cooperate in the
operation, activities and processes and implementation of the Company's KVK Policy throughout the Company and in the prevention of legal risks and imminent danger. All organs and departments of the Company are responsible for overseeing compliance with the Company's PDP Policy.
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
5.1-GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
One of the issues of primary importance for the Company is to comply with the general principles stipulated in the legislation in the processing of personal data. In this context, the Company must act in accordance with the
principles listed below in the processing of personal data in accordance with the Constitution and KVK Law.
5.1.1. Engaging in Personal Data Processing Activities in Compliance with the Law and Good Faith
In accordance with Article 4 of the KVK Law, the Company should carry out personal data processing activities in
accordance with the law and honesty rules; accurate and up-to-date when necessary; for specific, clear and legitimate purposes; in a purpose-related, limited and measured manner.
In this context, the Company takes into account the proportionality requirements in the processing of personal data and should not use personal data except when required by the purpose.
5.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
The Company must ensure that the personal data it processes is accurate and up-to-date, taking into account
the fundamental rights of the Data Subject and its own legitimate interests; in this direction, it must take the
necessary measures and establish systems to ensure them.
5.1.3. Processing for Specific, Explicit and Legitimate Purposes
The Company must process personal data for legitimate and lawful reasons and in connection with the activities
it carries out and to the extent necessary. The purpose for which personal data will be processed by the Company should be determined before the personal data processing activity begins.
5.1.4. Being relevant, limited and proportionate to the purpose for which they are processed
The Company processes personal data in a manner that is conducive to the achievement of the specified
purposes and should avoid processing personal data that is not related to the achievement of the purpose or is
not needed.
For example, personal data processing activities should not be carried out to meet needs that are likely to arise
later.
5.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the PDP Law, the Company must
retain the personal data it processes only for the period stipulated in the relevant legislation and laws or
required by the purpose of personal data processing.
In this context, the Company first determines whether a period of time is stipulated for the storage of personal
data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed.
Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the application of the Data Subject and with the specified destruction methods (deletion and/or destruction and/or anonymization).
Details are set out in the Personal Data Retention and Destruction Policy.
5.2. Terms of Processing of Personal Data
The KVKK regulates the conditions for the processing of personal data, and personal data are processed by the Company in accordance with the conditions mentioned below.
One of the conditions for processing personal data is the explicit consent of the Data Subject. Except for the
exceptions listed in the law, the Company processes personal data only by obtaining the explicit consent of the Data Subject. The explicit consent of the Data Subject must be related to a specific subject, based on information and free will. In the presence of the cases listed in the Law, personal data can be processed even without the explicit consent of the Data Subject.
In the presence of the following personal data processing conditions, personal data may be processed without
the explicit consent of the Data Subject.
I. Explicit Provision in the Laws
If the personal data of the Data Subject is explicitly stipulated in the law, in other words, if there is a clear
provision in the relevant law regarding the processing of personal data, the existence of this data processing
condition may be mentioned.
ii. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
The personal data of the Data Subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.
iii. Direct Relevance to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of a contract to which the Data Subject
is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
IV. Fulfillment of the Legal Obligation by the Data Controller
Personal data of the Data Subject may be processed if processing is mandatory for the Company to fulfill its
legal obligations.
V. Publicization of Personal Data by the Personal Data Subject
If the Data Subject has made his/her personal data public, the relevant personal data may be processed limited to the purpose of publicization.
VI. Data Processing is Mandatory for the Establishment or Protection of a Right
Personal data of the Data Subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
VI. Data Processing is Mandatory for the Legitimate Interest of the Data Controller
Provided that it does not harm the fundamental rights and freedoms of the Personal Data Subject, the personal
data of the Data Subject may be processed if data processing is mandatory for the legitimate interests of the
Company.
5.3-Processing of Special Categories of Personal Data
Special sensitivity is shown by the Company in the processing of special categories of personal data, the protection of which is believed to be more critical for the Data Subject in various respects. In this context, provided
that adequate measures determined by the Board are taken, such data are not processed without the explicit
consent of the Data Subject. However, special categories of personal data other than data relating to health and
sexual life may be processed without the explicit consent of the Data Subject in cases stipulated by law. However, data relating to health and sexual life may be processed without explicit consent provided that
adequate measures are taken and in the presence of the reasons listed below.
Protection of public health,
Preventive Medicine,
Medical Diagnosis,
Carrying out treatment and care services,
Planning and management of health services and financing.
5.4 - TRANSFER OF PERSONAL DATA
Our Company may transfer the personal data and sensitive personal data of the Data Subject to third parties (official and private authorities, third real persons) by taking the necessary security measures in line with the
lawful personal data processing purposes. In this respect, the Company acts in accordance with the regulations stipulated in Article 8 of the Law. In the event that there are groups of persons with whom personal data is/may be shared, the relevant person is informed with a clarification text.
5.4.1-TRANSFER OF PERSONAL DATA TO PERSONS IN THE COUNTRY
The Company carefully complies with the conditions regulated in the KVKK, without prejudice to the provisions of other laws, regarding the sharing of personal data with third parties. Within this framework, personal data are
not transferred by the Company to third parties without the explicit consent of the Data Subject. However, in the presence of one of the following conditions regulated by the KVKK, personal data may be transferred by the Company without obtaining the explicit consent of the Data Subject:
• Explicitly stipulated in the law,
• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose
his/her consent due to actual impossibility or whose consent is not legally valid,
• Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process
personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• It has been made public by the Relevant Person himself/herself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not
harm the fundamental rights and freedoms of the Data Subject.
Provided that adequate measures are taken; it is stipulated in the laws in terms of personal data of special nature other than health and sexual life, and in terms of personal data of special nature related to health and sexual life,
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Carrying out treatment and care services,
• Your personal data may be transferred without obtaining explicit consent for purposes such as planning and
management of health services and financing.
In the transfer of special categories of personal data, the conditions specified in the terms of processing of such data are complied with.
5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD
Regarding the transfer of personal data abroad, the explicit consent of the Data Subject is sought in accordance
with Article 9 of the KVKK. However, in the presence of conditions permitting the processing of personal data,
including sensitive personal data, without the explicit consent of the Data Subject, the Company may transfer
personal data abroad without seeking the explicit consent of the Data Subject, provided that there is adequate protection in the foreign country to which the personal data will be transferred. If the country of transfer is not
determined by the Board among the countries with adequate protection,
The Company and the data controller/data processor in the relevant country shall undertake in writing to provide adequate protection.
In the event that there are groups of persons with whom personal data is/may be shared, the relevant person is
informed with a clarification text.
5.5 - DISCLOSURE OBLIGATION OF THE COMPANY
Within the scope of Article 10 of the KVKK and the Communiqué on the Procedures and Principles to be Followed
in Fulfillment of the Disclosure Obligation, the Data Subject must be informed before or at the latest during the
acquisition of personal data. The information that should be communicated to the Data Subject within the
framework of the said disclosure obligation are as follows:
Identity of the data controller and its representative, if any, and the purpose for which personal data will
be processed,
To whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data,
Other rights listed in Article 11 of the LPPD.
In order to fulfill the disclosure obligation, the Company has prepared disclosure statements on the basis of the process
and the persons whose data are processed, to be submitted to the Data Subject within the scope of the above-
mentioned KVK provision.
On the other hand, within the framework of Paragraph 1 of Article 28 of the LPPD, the Company has no disclosure obligation in the cases listed.
• Processing of personal data by natural persons within the scope of activities related to themselves or their
family members living in the same residence, provided that personal data are not disclosed to third parties and
the obligations regarding data security are complied with,
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom
of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public
security, public order or economic security,
• Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.
However, within the framework of Article 28(2) of the LPPD. Within the framework of Article 28(2) of the LPPD, the Company's disclosure obligation shall not be applicable in the following cases:
• Processing of personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject himself/herself,
• Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary
investigation or prosecution by the authorized and authorized public institutions and organizations and
professional organizations in the nature of public institutions based on the authority granted by law,
• Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.
5.6 RIGHTS OF THE PERSON CONCERNED
Regarding the personal data processed by the Company in accordance with the principles set out in this Policy,
necessary measures have been taken to ensure that the rights granted to the Data Subject in Article 11 of the
KVKK are exercised. The rights in question are as follows:
a) Learn whether personal data is being processed,
b) Request information if their personal data has been processed,
c) To learn the purpose of processing personal data and whether they are used for their intended purpose,
d) To know the third parties to whom personal data are transferred domestically or abroad,
e) To request correction of personal data in case of incomplete or incorrect processing,
f) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
g) Request notification of the transactions made pursuant to (e) and (f) above to third parties to whom personal data are transferred,
h) To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
i) In case of damage due to unlawful processing of personal data, to demand the compensation of the damage. Data Subjects may exercise their rights listed above by submitting the Data Subject application form available at https://ecemarble.com/. Detailed information about filling out the form or sending it to the Company is
included in this form. The Company will physically or electronically deliver the response to the relevant
applications to the Relevant Persons.
Depending on the nature of the request, the Company will finalize the request free of charge as soon as possible and within thirty (30) days at the latest. However, if the transaction requires an additional cost, the fee in the
tariff determined by the Board will be charged by the Company. In addition, the Company may request
additional information or documents from the applicants during the process of finalizing the requests of the
Relevant Person.
On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Data Subject cannot use the above rights listed in Article 11 of the KVKK in the following cases:
• Processing of personal data by natural persons within the scope of activities related to themselves or their
family members living in the same residence, provided that personal data are not disclosed to third parties and
the obligations regarding data security are complied with,
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom
of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public
security, public order or economic security,
• Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.
However, within the framework of the second paragraph of Article 28 of the KVKK, the above rights listed in
Article 11 of the KVKK, except for the right to compensation for damages, will not be applicable in the following
cases:
• Processing of personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject himself/herself,
• Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary
investigation or prosecution by the authorized and authorized public institutions and organizations and
professional organizations in the nature of public institutions based on the authority granted by law,
• Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.
5.7-MEASURES TAKEN FOR DATA SECURITY
With the awareness of the importance of ensuring security in every aspect within the Company, the Company
must take the necessary technical and administrative measures to ensure the appropriate level of security in
order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and
to ensure the preservation of the data, in accordance with Article 12 of the KVK Law, and must carry out the necessary audits within this scope.
The Company must take the necessary technical and administrative measures, within the technological possibilities, to ensure that personal data is processed in accordance with the law.
5.7.1. Administrative Measures
• The Company shall conduct and have conducted the necessary audits in its own institution or organization in order to ensure the implementation of the provisions of the Law.
• In the event that the processed personal data is obtained by others through unlawful means, the Company
shall notify the relevant person and the Board as soon as possible.
• Regarding the sharing of personal data, the Company signs a framework contract with the persons with whom
personal data is shared or ensures data security with the provisions to be added to the contracts.
• The Company employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training on the protection of personal data.
5.7.2. Technical Measures
• The Company employs knowledgeable and experienced persons to ensure data security and provides its
personnel with the necessary training on the protection of personal data.
• Performs the necessary internal controls within the scope of the established systems.
• Carries out risk analysis, data classification, IT risk assessment and business impact analysis within the scope of the established systems.
• Ensures that the technical infrastructure to prevent and/or monitor the leakage of personal data outside the organization is provided and the relevant matrices are created.
• It ensures that the authorizations of employees of information technology companies to access personal data are kept under control.
6-IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, the Company accepts that the
legislation in force will be applied.
The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of Company
practices.
7. ENFORCEMENT AND UPDATING OF THE POLICY
The Policy will enter into force as of the date it is published on the Company website. The Policy is reviewed as needed and the necessary sections are updated.