1. INTRODUCTION
The Law on the Protection of Personal Data No. 6698 (“KVKK”) regulates the protection of the fundamental rights and freedoms of individuals in the processing of personal data, the obligations of real and legal persons who process personal data, and the procedures and principles they shall comply with. The purpose of this Personal Data Protection and Processing Policy (“Policy”), prepared accordingly, is to ensure that our company, MARJES STUDIO INTERIOR E-COMMERCE LIMITED COMPANY (“Company”), complies with its obligations under the KVKK regulations.
In case of conflict between the KVK Law and other related legislation, and this Policy, the applicable legislation shall prevail.
2. PURPOSE
This Policy has been prepared to protect individuals' fundamental rights and freedoms, primarily the right to privacy, in the processing of personal data, and to regulate the obligations of real and legal persons processing personal data, as well as the procedures and principles they will comply with.
The purpose of this Policy is to ensure and improve the Company's activities in compliance with the principles set forth in the Law on the Protection of Personal Data (KVKK) and to inform data subjects about their personal data.
3. DEFINITIONS
The definitions used in this Policy are provided below:
Explicit consent: Informed consent relating to a specific subject matter and expressed with free will
Anonymize: The anonymization of personal data in such a way that it cannot, even by matching with other data, be associated with an identified or identifiable natural person in any way.
Customer: Natural persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.
Lead: Natural persons evaluated in accordance with commercial custom and good faith who have requested or shown interest in using our products and services, or who may have such an interest.
Visitor: Natural persons who visit our company's websites
Personal health data: Any health information relating to an identified or identifiable natural person
Personal data: Any information relating to an identified or identifiable natural person
Processing of personal data: Any operation carried out on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making accessible, or blocking, whether wholly or partially by automatic means, or by non-automatic means as part of any data recording system.
KVK Law: Law No. 6698 on the Protection of Personal Data
KVK Board: Personal Data Protection Board
Vocational Training Institute: Personal Data Protection Authority
Special categories of personal data: Data concerning the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs of individuals, clothing and appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
Data processor: A natural or legal person processing personal data on behalf of the data controller, based on the authority granted by the data controller
Data subject: The natural person whose personal data is processed, considered as the “data subject” in the Law on Protection of Personal Data (KVKK - Kişisel Verilerin Korunması Kanunu).
Data Owner Application Form: Application form for data subjects whose personal data is processed within the company to exercise their rights as described in Article 11 of the Law on Protection of Personal Data.
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registry system.
Visitor: Natural persons who have physically entered the company's workplace for various purposes or who visit its websites
Data Controllers' Registry: Data Controllers Registry maintained by the Personal Data Protection Authority
Data Inventory: An inventory created and detailed by the company, associating the personal data processing activities it carries out with its business processes, with personal data processing purposes, the recipient groups to whom personal data is transferred, and the relevant data subject groups.
4. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Pursuant to Article 3 of the Law No. 6698 on the Protection of Personal Data (KVKK), any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making accessible, classifying or preventing their use, whether in whole or in part automatically or by non-automatic means provided that it is part of any data recording system, falls within the scope of personal data processing.
The following principles must be adhered to in the processing of personal data:
Compliance with the law and the principles of good faith
Our company conducts personal data processing activities in compliance with the Constitution, the KVKK Law, and related legislation, in accordance with the law and principles of good faith.
Being accurate and up to date
Necessary administrative and technical measures are taken to ensure the accuracy and timeliness of personal data during the processing of personal data by our company.
Being processed for specific, clear, and legitimate purposes
Our company clearly and precisely defines its legitimate purpose for processing personal data before commencing any personal data processing activities.
Being limited and proportionate in connection with the purpose for which they are processed
Our company processes personal data only to the extent necessary for the achievement of the specified purposes. Data processing activities are not carried out under the assumption that they may be used later.
Being kept for the period stipulated by the relevant legislation or necessary for the purposes for which they are processed
Our company stores personal data for a period limited to the duration foreseen in the KVKK Law and related legislation or required by the purposes of the data processing activity.
5. Terms and Conditions for Processing Personal Data
Our company may process personal data and special categories of personal data with the explicit consent of the data subject or without explicit consent in cases provided for in Articles 5 and 6 of the KVKK Law.
5.1. Processing of Personal Data
As a rule, our company processes personal data based on explicit consent. However, it carries out personal data processing activities without requiring explicit consent in accordance with the data processing conditions set forth in Article 5 of the KVKK Law:
- Processing is explicitly provided for in laws.
- Processing is necessary for the protection of the life or bodily integrity of the person or of another person, where the person is unable to express their consent due to actual impossibility or their consent is not legally recognized.
- The processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the formation or performance of the contract.
- Processing is mandatory for our company to fulfill its legal obligations.
- The personal data has been made public by the data subject themselves.
- Data processing is necessary for the establishment, exercise, or defense of a legal claim.
- The processing of data is necessary for our Company's legitimate interests, provided that it does not prejudice the fundamental rights and freedoms of the data subject.
5.2. Processing of Special Categories of Personal Data
Our company acts in accordance with the data processing conditions set forth in Article 6 of the KVKK (Law on the Protection of Personal Data) when processing personal data specified as special categories, which carry the risk of discrimination if processed unlawfully. Furthermore, the necessary measures separately determined by the KVKK Board are also taken in the processing of special categories of personal data.
Processing of special categories of personal data without the explicit consent of the data subject is prohibited. However, special categories of personal data may be processed without the explicit consent of the data subject in the following cases:
Processing of Personal Health Data:
Personal health data may be processed, subject to:
- Taking the sufficient measures foreseen by the Ministry of Health,
- Acting in accordance with general principles,
- Being under an obligation of confidentiality,
provided that one of the following conditions is met:
- Written explicit consent of the personal data owner
- Public health protection
- Preventive medicine
- Provision of medical diagnosis, treatment, and care services
- Planning and management of healthcare services and financing
Processing of Special Categories of Personal Data Other Than Personal Health Data
The data within this scope can be processed with the express consent of the personal data owner or in cases provided for by law.
6. Ensuring the Security and Privacy of Personal Data
Our company takes the necessary technical and administrative measures to prevent the unlawful processing and access of personal data, and to ensure the appropriate security level for the preservation of personal data, in accordance with Article 12 of the KVKK Law.
6.1. Technical Measures
Our company has taken the necessary technical and technological security measures to protect personal data and has placed personal data under protection against possible risks. Technical measures are taken in line with technological developments, and the measures taken are periodically updated and renewed.
Principal technical measures taken:
- Providing network and application security
- Security measures within the scope of procurement, development, and maintenance of information technology systems
- Creating an authority matrix for employees
- Regular maintenance of access logs
- Revocation of powers for employees who are transferred or resign from their positions
- Using current anti-virus systems
- Using firewalls
- Monitoring personal data security
- Personal data backup and ensuring the security of backed-up personal data
- Implementation and tracking of user account management and authorization control systems
- Keeping log records without user intervention
- Use of intrusion detection and prevention systems
6.2. Administrative Measures
- Training and awareness-raising of company employees regarding the KVK Law (KVKK - Law on the Protection of Personal Data)
- In cases where personal data transfer is involved, including provisions on data security in the relevant contracts
- Preparation of internal policies for compliance with the KVK Law
- Appointment of a data controller representative and contact person responsible for the protection of personal data within the company (to the extent provided by law)
- Restricting access to stored personal data to authorized personnel as required by the job description
- In cases where personal data is obtained by others through unlawful means, reporting this situation to the data subject and the Board as soon as possible
- Conducting the necessary internal audits to ensure the application of KVK Law provisions
- Signing a commitment letter containing confidentiality provisions with personnel
6.3. Measures to Be Taken in Case of Unauthorized Disclosure
In the event that personal data being processed is obtained by others through unlawful means despite the necessary security measures taken, our Company will notify the relevant data subject and the KVKK Board as soon as possible.
7. Purposes and Retention Periods for Processing Personal Data
7.1. Purposes of Processing Personal Data
Personal data is processed within our company for the purposes listed below:
- Provision of after-sales support services
- Execution of marketing processes for our company's products and services
- Planning and execution of surveys and similar customer satisfaction and corporate communication activities
- Updating customer contact information
- Updating customer relationships
- Carrying out the necessary work to enable stakeholders to benefit from the products and services offered by our Company, including sales and marketing activities, and executing the relevant business processes
- Carrying out communication activities
- The use of your identity, communication, and customer transaction information in product and service direct marketing processes, profiling, and analysis activities
- Sending commercial electronic messages, such as advertisements and promotions, to your contact information within the scope of your acceptance
7.2. Personal Data Retention Periods
Our company determines whether the relevant legislation provides for a period for the storage of personal data.
- If a time period is stipulated in the legislation, that period shall be observed.
- If a retention period is not foreseen, personal data shall be kept for as long as is necessary for the purposes for which it is processed.
- Personal data whose processing purpose has ended and whose retention period has expired may be stored separately to the extent necessary as evidence in potential legal disputes.
- Personal data is not stored indefinitely based on the possibility of future use.
8. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Pursuant to Article 7 of the KVK Law, even if personal data has been processed in accordance with the relevant legislation, if the reasons requiring its processing cease to exist, the personal data shall be erased, destroyed, or anonymized by our Company ex officio or upon the request of the data subject.
The procedures and principles related to this matter will be carried out according to the KVKK Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224.
Our company deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises.
The time interval for periodic destruction is six months.
When a request is made to our company for the deletion or destruction of personal data:
- If the conditions for processing personal data are no longer met, the personal data subject to the request shall be erased, destroyed, or anonymized. The request shall be finalized within a maximum of thirty days, and the requester shall be informed.
- If the conditions for processing personal data have completely ceased and the personal data subject to the request has been transferred to third parties, this will be communicated to the third parties.
- If the conditions for processing personal data have not entirely ceased to exist, the request may be rejected based on Article 13, Paragraph 3 of the KVKK (Law on the Protection of Personal Data), with the reason explained, and the rejection response shall be communicated in writing or electronically within thirty days at the latest.
8.1. Personal Data Deletion and Destruction Techniques
The deletion of personal data is the process of rendering personal data inaccessible and unusable by the relevant users in any way.
The destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.
(Example: physically destroy, securely erase from software, securely erase by an expert...)
8.2. Techniques for Anonymizing Personal Data
This refers to making personal data, even when matched with other data, impossible to link to an identified or identifiable natural person in any way.
(Example: masking, data derivation, pseudonymization, aggregation, data shuffling...)
9. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND TRANSFER PURPOSES
The procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the KVKK Law, and the personal data owner's personal data and special categories of personal data can be transferred to third parties domestically and abroad.
For the performance of company activities, personal data may be processed by the Company within the scope of the KVKK Law and other legislation, and may be shared with infrastructure providers, third parties from whom services are received, insurance companies, banks/financing companies and contracted institutions, real and legal persons with whom there is an agency relationship, business partners, and other third parties.
In any event, except in exceptional circumstances, personal data cannot be transferred without the explicit consent of the data subject.
9.1. Transfer of Personal Data Within the Country
In accordance with Article 8 of the KVK Law, the transfer of personal data within the country is possible, provided that one of the conditions specified in the section of this Policy titled “Conditions for Processing Personal Data” is met.
9.2. Transfer of Personal Data Abroad
Pursuant to Article 9 of the Law on Protection of Personal Data (KVKK), if personal data is transferred abroad, one of the following conditions must be met:
- The country to which the data is transferred being counted among the countries with adequate protection declared by the KVKK Board
- If adequate protection is not provided, the data controllers in Turkey and in the relevant foreign country committing in writing to adequate protection, and the permission of the KVKK Board being obtained
10. Our Company's Obligation to Inform
In accordance with Article 10 of the KVKK Law, our company informs personal data owners about the following matters during the collection of personal data:
- The title of our Company as Data Controller
- The purpose for which personal data will be processed
- To whom and for what purpose the processed personal data can be transferred
- The method and legal basis for collecting personal data
- The rights of the data subject specified in the “Right to Apply” section of this Policy
11. Rights of Personal Data Subjects and Exercising These Rights
In accordance with Article 13 of the Law on the Protection of Personal Data (KVKK), the evaluation of data subjects' rights and the provision of necessary information to data subjects are carried out through this Policy as well as the Data Subject Application Form.
Personal data owners can submit their complaints or requests regarding the processing of their personal data to our Company within the framework of the principles specified in the relevant form.
11.1. Right to Apply
Pursuant to Article 11 of the Law on the Protection of Personal Data (KVKK), every data subject may request the following from our Company regarding their personal data:
- Learning whether their personal data is being processed
- Requesting information about the processing of personal data if it has been processed
- Learning the purpose for which their personal data is processed and whether it is used in accordance with its purpose
- Learning about third parties to whom their personal data is transferred, either domestically or abroad
- Requesting the correction of personal data if it has been processed incompletely or incorrectly, and requesting that this correction be communicated to third parties to whom the personal data has been transferred
- Requesting the deletion, destruction, or anonymization of personal data when the reasons for its processing cease to exist, and requesting that this action be communicated to third parties to whom the personal data has been transferred
- Objecting to a decision that produces legal effects concerning the data subject or similarly significantly affects them, where that decision is based solely on automated processing, including profiling
- Requesting compensation for damages incurred due to the processing of personal data in violation of the KVK Law
11.2. Exclusions from the Scope of the Right to Apply
In accordance with Article 28 of the KVK Law, data subjects cannot exercise their rights in the following cases:
- Processing of personal data by natural persons within the scope of activities relating exclusively to themselves or their family members living in the same household, provided that the personal data are not disclosed to third parties and that the obligations relating to data security are complied with.
- Processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, private life, or personal rights, or constitute a criminal offense.
- Processing of personal data by public institutions and organizations assigned duties and authorities by law for national defense, national security, public safety, public order, or economic security, within the scope of preventive, protective, and intelligence activities.
- Processing of personal data by judicial authorities or enforcement bodies in relation to investigation, prosecution, trial, or execution proceedings.
Pursuant to Article 28, paragraph 2 of the Law on Protection of Personal Data (KVKK), data subjects cannot exercise their rights in the following cases, except for the right to demand compensation for damages:
- Processing of personal data for the prevention of criminal offenses or criminal investigations
- Processing of personal data that has been made public by the data subject
- The processing of personal data, based on authorization granted by law, for the performance of supervisory or regulatory duties by authorized public institutions and organizations and professional organizations of a public nature, and when necessary for disciplinary investigation or prosecution
- The processing of personal data that is necessary for the protection of the State's economic and financial interests in matters of budget, tax, and finance
11.3. Response Procedure
In accordance with Article 13 of the Law on Protection of Personal Data (KVK Law), our Company will respond to the requests made by the personal data owner free of charge, in the shortest time possible and at the latest within 30 (thirty) days.
The data subject's request may be rejected in the following cases:
- Infringing on the rights and freedoms of others
- Requiring disproportionate effort
- Information being public information
- Jeopardizing the privacy of others
- The existence of a circumstance that falls outside the scope of the Labor Law No. 4857
12. Adoption of the Policy
This Policy has been prepared for approval by the Company's Board of Directors and will enter into force upon approval by the Board of Directors.
This Policy may be updated or renewed by the Company when deemed necessary. In case of revision, the most current version of the Policy will be made available on the Company's website.