PERSONAL DATA PROCESSING, STORAGE AND DISPOSAL POLICY

1. INTRODUCTION

As Soletex Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi (“Company”), we attach great importance to processing and protecting, in accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”), the personal data of all persons with whom we are in a legal relationship limited to our company's field of activity, including customers, dealers, potential customers, suppliers, service providers, managers and employees, business partners, company partners, company employees, employee candidates, trainees, visitors, employees of public institutions and organizations and of private law legal entities, and related third parties. For this purpose, our company takes the necessary administrative and technical measures in accordance with the legal regulations and the decisions taken.

The Council of Europe Convention No. 108 on the Protection of Individuals Against Automatic Processing of Personal Data, which was opened for signature in Strasbourg on January 28, 1981 and entered into force on October 1, 1985, was signed by our country on January 28, 1981. This convention was published in the Official Gazette dated 17 March 2016 and numbered 29656 and was incorporated into our domestic law. Accordingly, the Law on the Protection of Personal Data (“KVKK”) was published in the Official Gazette dated 07.04.2016 and entered into force. Within the legislation of the European Union (EU), the protection of personal data is regulated by the General Data Protection Regulation (GDPR).

This Personal Data Protection and Processing, Storage and Disposal Policy and its annexes have been prepared by Soletex Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi, in its capacity as data controller, within the scope of the Law on the Protection of Personal Data No. 6698 (“Law”), the relevant legislation, and the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

  2. PURPOSE

The Personal Data Retention and Disposal Policy (“Policy”) has been prepared in order to determine the procedures and principles to be followed regarding the storage and destruction activities carried out by our Company.

With this policy text, prepared by our company in line with the basic principles written below and in order to complete the process of compliance with the Personal Data Protection Law, the aim is for the personal data of the above-mentioned persons to be processed in accordance with the decisions published by the KVK Institution, the principles it has determined, the T.R. Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 and the relevant legislation, and for the relevant persons to be able to use their rights effectively. Work and transactions regarding the storage and destruction of personal data are carried out in accordance with this policy.

  3. SCOPE

The personal data of our customers, dealers, potential product or service buyers, suppliers, service providers, managers and employees, business partners, company partners, company employees, employee candidates, trainees, visitors, employees of public institutions and organizations and of private law legal entities, and relevant third parties is within the scope of this policy. This policy is applied in all recording environments where personal data is processed by our company by automatic or non-automatic means, and in the company's personal data processing activities.

  4. ABBREVIATIONS AND DEFINITIONS

Explicit Consent:

Consent on a particular subject, based on information and expressed with free will.

Recipient Group:

Natural or legal person category to whom personal data is transferred by the data controller

Anonymization:

Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Worker:

The employees of our company

Employee Candidate:

Those who apply for a job by filling out the job application form using the internet page or coming to the workplace in person

Electronic environment:

Environments where personal data can be created, read, changed and written with electronic devices

Non-Electronic Media:

All written, printed, visual and other environments other than electronic media

Service Provider:

Real or legal person providing services within the framework of a certain contract with the company

Related User:

The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Relevant Person/Personal Data Owner:

It refers to the real person whose personal data is processed.

Destruction:

Deletion, destruction or anonymization of personal data.

Personal Data Processing Inventory:

The inventory that data controllers create and detail by explaining the personal data processing activities they carry out depending on their business processes, the personal data processing purposes and legal reason, the data category, the recipient group to which data is transferred and the data subject group, the maximum storage period required for the purposes for which the personal data is processed, the personal data anticipated to be transferred to foreign countries, and the measures taken regarding data security.

Recording Media:

Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

Personal Data:

Any information relating to an identified or identifiable natural person.

Processing of Personal Data:

Any operation performed on personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of the data.

Anonymization of Personal Data:

Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data:

Making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data:

The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.

Law:

Law No. 6698 on Protection of Personal Data

Board:

Personal Data Protection Board

Authority:

Personal Data Protection Authority

Personal Data Contact Person:

The natural person declared during registration, by the data controller for real and legal persons residing in Turkey and by the representative of the data controller for natural and legal persons residing in Turkey, to ensure communication with the Authority regarding the obligations under the Law and the secondary regulations to be issued based on this Law.

Special Qualified Personal Data:

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Periodic Disposal:

The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the Law are eliminated.

Policy:

Personal Data Processing, Storage and Disposal General Policy

Company:

Soletex Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi

Data Processor:

The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Recording System:

The registration system in which personal data is processed and structured according to certain criteria.

Data Controller:

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Data Controllers Registry Information System:

The information system created and managed by the Presidency, which data controllers can access and will use in their application to the Registry and in other related procedures.

VERBIS:

Data Controllers Registry Information System

Regulation:

Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

  5. DISTRIBUTION OF RESPONSIBILITY AND DUTIES

In accordance with the KVK Law No. 6698 and the relevant legislation, a Company Data Contact Person has been designated in order to ensure the necessary coordination within the company for achieving and maintaining compliance with the personal data protection legislation; the duties and responsibilities of this person have been defined, and the necessary decisions have been taken and notified to the relevant persons. The data contact person and the responsible units carry out the work needed to ensure data security in all environments where personal data is processed, to implement the technical and administrative measures taken within the scope of this policy, to increase the training and awareness of the relevant unit employees, to prevent the illegal processing of and access to personal data, and to ensure that personal data is stored in accordance with the law.

  6. ENVIRONMENTS WHERE PERSONAL DATA IS RECORDED

Personal data kept by our company is recorded in electronic media such as servers, the software used, personal computers, mobile devices such as phones and tablets, optical disks and removable memories, and in non-electronic physical media such as unit cabinets and archive rooms, which hold personal data kept in written, printed and visual form, such as paper, job application forms, contracts between the company and third parties, manual data recording systems and questionnaires. It is stored securely in accordance with the KVK Law No. 6698, the relevant legislation and international data security principles. Your personal data is processed by our company through any operation performed on it, such as obtaining, recording, storing, changing or rearranging, by automatic means or by non-automatic means provided that it is a part of any data recording system.

  7. PROCESSING OF PERSONAL DATA AND GENERAL PRINCIPLES

7.1. Privacy Policy

As explained in this policy, the data of employees and of all persons whose personal data our company holds is confidential. Within the scope of this policy and the measures taken, no one may use, reproduce, copy or transfer to others the data of individuals for any other purpose, except in the cases specified in the law, and the data may not be used for purposes other than those determined by the policies.

7.2. Basic Principles

Personal Data processed by our company are processed in accordance with the principles set forth in Article 4 of the KVK Law No. 6698. The Company processes Personal Data in accordance with the procedures and principles stipulated in the law, in accordance with the principles written below in the processes of processing, protection, deletion and destruction.

  • Compliance with the law and honesty rules.
  • Being accurate and up-to-date where necessary.
  • Processing for specific, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purpose for which they are processed.
  • To be kept for the period required by the legislation or for the purpose for which they are processed.

  8. PERSONAL DATA PROCESSING CONDITIONS

Personal data processed by our company is processed in accordance with Article 5 of the Law No. 6698. Personal data cannot be processed without the explicit consent of the person concerned. However, in the presence of one of the conditions stated below, it is possible to process personal data without seeking the explicit consent of the person concerned.

  • It is explicitly stipulated by law (principle of legality).
  • It is compulsory for the protection of the life or physical integrity of the person, or of another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized (actual impossibility).
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract (performance of the contract).
  • It is mandatory for the data controller to fulfill its legal obligation (legal obligation).
  • The data has been made public by the person concerned himself (publicity).
  • Data processing is mandatory for the establishment, exercise or protection of a right (difficulty).
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (legitimate interest).

  9. CONDITIONS FOR PROCESSING SPECIAL QUALITY PERSONAL DATA

Special Quality Personal Data processed by our company is processed in accordance with Article 6 of the Law No. 6698. Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature.

The law prohibits the processing of sensitive personal data without the explicit consent of the person concerned. Accordingly, Special Quality Personal Data cannot be processed without the express consent of the person concerned. However, as written in the Law, the personal data listed in paragraph 6/1 of the Law, other than data on health and sexual life, may be processed without seeking the explicit consent of the person concerned in cases stipulated by the laws.

Personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned only by persons or authorized institutions and organizations under the obligation to keep secrets, and only for the following purposes:

  • Protection of public health,
  • Preventive medicine,
  • Execution of medical diagnosis, treatment and care services,
  • Planning and managing health services and their financing.

In the processing of personal data of special nature, our company acts in accordance with the Law No. 6698 and the relevant legislation, and also takes the adequate measures determined by the Board.

  10. PROCESSING AND COLLECTING PERSONAL DATA AND LEGAL REASON

Your personal data is collected through the filling in of oral, written or electronic forms, the creation of personal files, the establishment and performance of contracts, the processing of financial and social rights and accounting information, the processing of data within the scope of purchasing, marketing, planning, export, import, quality and corporate development activities, visits to company buildings and annexes, the website, calls to our call services, the use of the face recognition system and the use of the closed-circuit video camera recording system; via our website, social media accounts, e-mail and telephone communication channels; by fully or partially automated means, or by non-automatic means provided that it is part of any data recording system.

As a rule, your personal data is processed based on the explicit consent of the person concerned. In addition, it is processed and collected in accordance with Articles 5 and 6 of the Law and Article 5/1-h regarding the Obligation of Disclosure, based on the following legal reasons: it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of contracts between our company and third natural and legal persons; it is necessary for the company to fulfill its legal obligations; the personal data has been made public by the data subject himself; data processing is mandatory for the establishment, use or protection of a right; data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject; and it is clearly envisaged in the laws.

  11. PRINCIPLES ON PERSONAL DATA STORAGE AND DISPOSAL

Personal data processed under this policy created by our company is stored and destroyed in accordance with the relevant legislation, procedure and law. Detailed explanations for storage and disposal are set out below.

11.1. Storage of Personal Data

The processing of personal data is defined in Article 3 of the Law No. 6698. Article 4 provides that processed personal data should be relevant, limited and proportionate to the purpose for which it is processed, and should be kept for the period required for that purpose or as stipulated in the relevant legislation. The conditions for processing personal data are listed in the articles of the Law. Detailed explanations regarding this are given above in this policy text. Within the scope of company activities, personal data is stored, with administrative and technical measures taken, for the period required by the relevant legislation or by our processing purposes.

11.2. Legal Reasons to Keep Personal Data

Under this policy, personal data processed within the scope of our company's activities is kept and stored for the period written in the relevant legislation. Personal data is kept for the storage periods and the statutes of limitations for crimes stipulated in the laws and secondary regulations to which the above-mentioned persons and the company's activities are subject. Apart from the periods stipulated in the laws, the retention and destruction periods of personal data are determined by this policy as an institutional decision, taking into account the statutes of limitations stipulated in the legislation to which the company is subject, the disputes that have arisen or may arise with third parties with whom the company is in legal contact, the corporate memory of the company and its commercial business and activities, the legitimate interests of the company and the relevant data owners, and the establishment and performance of the contracts made or to be made.

11.3. Processing Purposes Requiring Retaining Personal Data

Your personal data is processed within the scope of company activities in accordance with the 4th, 5th, 6th articles of the Law and the relevant legislation for the following purposes:

  • In terms of customers, maintaining commercial business processes, ensuring customer satisfaction, fulfilling customer requests and complaints, performing payment transactions, maintaining advertising, marketing and campaign activities, presenting our products and services to customers, potential customers and business partners, in this context, fulfilling our legal obligations,
  • Execution of the company's finance and accounting, administrative, legal, technical business processes in terms of customers, suppliers, business partners, recommending our products and services, customer, portfolio management, improving product and service quality, communication, auditing, control, risk management, advertising, carrying out campaign activities,
  • To make necessary notifications to courts, arbitral tribunals, mediators, judicial authorities, relevant public institutions and organizations, to fulfill legal obligations, in accordance with legal regulations,
  • In terms of employees and employee candidates: planning and executing human resources processes, fulfilling job application processes, creating personal files for employees, fulfilling financial, accounting and administrative obligations, fulfilling the job placement processes of employee candidates, carrying out the placement and internship processes of interns, and determining the company's wage policy,
  • Making and performing the contracts that the company has made or will make with its customers, potential customers, suppliers, service providers, employees and consultants with whom it has legal relations, and related third parties,
  • The company's obligation to prove as evidence in legal disputes with third parties,
  • To ensure communication with the real and legal persons with whom the company has legal relations, to ensure the corporate quality of the company, to ensure the transaction security of the related persons, to enable use of our website regarding company activities, and to provide communication through company contact information,
  • Ensuring the control of the company's buildings and annexes, physical security, company building entrances and exits,
  • Making and following sales transactions related to our products and services, performing operations related to the management of the shipment process, developing the products and services offered, continuing corporate development activities,
  • Providing export and import business related to our products and services, performing and tracking domestic and international sales transactions, management of the shipment process, customs procedures, foreign trade processes,
  • Within the scope of the employment contract with the employees and of the company's benefit, ensuring attendance control through face recognition systems as part of the personnel attendance control system, and monitoring the personnel's attendance processes.

11.4. Reasons Requiring Destruction of Personal Data

Personal data is deleted, destroyed or anonymized by the company in accordance with the procedures and principles stipulated in the policy, law and regulation, upon the request of the person concerned made by filling out the application form, for the reasons stated below. Accordingly:

  • In the event that the purpose for which personal data is to be processed or stored by the Company no longer exists.
  • Changing or repealing the provisions of the relevant legislation, which is the basis for the processing of personal data.
  • In cases where the processing of personal data by the company is done only on the condition of explicit consent, the person concerned withdraws their explicit consent.
  • In accordance with Article 11 of the KVK Law No. 6698, the application of the person concerned regarding the deletion and destruction of their personal data within the scope of their right to apply to the company is accepted by the KVK Institution.
  • In cases where the KVK Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law No. 6698; If a complaint is made to the KVK Board and this request is found appropriate by the KVK Board.
  • In accordance with the relevant legal regulation, the maximum period for keeping the personal data has passed and there is no reason to keep the personal data.

  12. TECHNICAL AND ADMINISTRATIVE MEASURES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Within the scope of the rules determined by this policy, the company, as the data controller, takes the following technical and administrative measures for the safe and proper storage of personal data, the prevention of unlawful processing and access, the prevention of data leaks, and the destruction of personal data in accordance with the law. Article 6 of the Law on Protection of Personal Data No. 6698 states: “Adequate measures determined by the Board must also be taken in the processing of personal data of special nature.” The measures are taken within the framework of the adequate measures determined and announced by the KVK Board, and in order to ensure the security of Personal Data as specified in Article 12 of the same law.

12.1. Technical Measures:

The technical measures have been announced by the Personal Data Protection Authority at https://www.kvkk.gov.tr, and the company, as the data controller, takes the necessary measures with regard to them. A KVKK Technical Measures Analysis Report has been prepared by the “Information Processing Unit”, and the necessary technical measures and precautions to be taken have been determined. As a result of on-site and real-time analyses regarding information security, the risks and threats that will affect the continuity of information systems have been identified and are constantly monitored. Necessary measures are taken for the physical security of our company's information systems equipment, software and data. The technical measures taken are listed below.

  • Network security and application security are provided.
  • Closed system network is used for personal data transfers via network.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • There are disciplinary regulations that include data security provisions for employees.
  • Periodic training and awareness activities on data security are carried out for employees.
  • Institutional policies have been prepared on access, information security, use, storage and destruction, and implementation has begun.

  • The authorizations of employees who have a change in duty or quit their job in this field are removed.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Signed contracts include data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Personal data is backed up and the security of the backed up personal data is also ensured.
  • A user account management and authorization control system is implemented and monitored.
  • In-house periodic and/or random audits are conducted.
  • Log records are kept without user intervention.
  • Existing risks and threats have been identified.
  • Protocols and procedures for special quality personal data security have been determined and implemented.
  • Intrusion detection and prevention systems are used.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Periodic audit of data processing service providers on data security is provided.
  • Awareness of data processing service providers on data security is ensured.

12.2. Administrative Measures:

Necessary administrative measures have been taken by the company as the data controller regarding the administrative measures announced by the Personal Data Protection Board. Within the scope of compliance with the Law on the Protection of Personal Data No. 6698, the Company took the necessary institutional decisions, fulfilled the obligations under the law, and created and announced policies that needed to be published. According to this;

  • Personal data is processed based on the Personal Data Processing Inventory, which under Article 5/1 of the Regulation must contain the mandatory matters and information specified in the relevant legislation. The Personal Data Processing Inventory has been created by our company and is updated periodically.
  • Clarification and Information Texts were created, the application form was prepared and published on the website. Confidentiality and Cookie Policy has been established. The personal data processing, storage and destruction policy is determined, published on the website and implemented by the data contact person within the company.
  • Necessary training and awareness activities have been initiated in order to improve the qualifications of employees, to prevent unlawful processing of personal data, to prevent illegal access to personal data, and to ensure the protection of personal data. A KVK Data Contact Person has been appointed, and his/her powers and responsibilities have been determined.
  • Studies have been initiated to fulfill the requirements for storage and destruction of personal data. Necessary actions have been taken to ensure compliance with the KVK Law, company contracts and texts containing personal data are scanned and brought into compliance with KVKK.

  13. EXPLANATIONS ON DISPOSAL TECHNIQUES OF PERSONAL DATA

As written in the policy and the personal data inventory created by our company, at the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which it is processed, personal data is destroyed by the authorized units of the company, ex officio or upon the application of the relevant personal data owner to our company, in accordance with the KVK Law No. 6698 and the provisions of the relevant legislation, using the methods and techniques specified below.

13.1. Deletion of Personal Data

  • Personal Data on the Server with Data Recording Media: For the personal data on the servers, the period of which has expired, the system administrator removes the access authorization of the relevant users and deletes them.
  • Personal Data in Electronic Media: Personal data in electronic media, which require storage, are rendered inaccessible and non-reusable for other employees (relevant users) except the database administrator.
  • Personal Data in the Physical Environment: Personal data kept in the physical environment whose period has expired is rendered inaccessible and non-reusable in any way for everyone except the unit manager responsible for the document archive. In addition, blackening is applied by drawing over, painting or erasing the data so that it cannot be read.

  • Personal Data in Portable Media: Personal data kept in flash-based storage media, which require storage, are encrypted by the system administrator and only the system administrator is authorized to access them, and are stored in secure environments with encryption keys.

13.2. Destruction of Personal Data

  • Personal Data in the Physical Media: Personal data in the paper media, which need to be kept, are irreversibly destroyed in paper shredding machines.
  • Personal Data in Optical-Magnetic Media: Optical media and magnetic media containing personal data are physically destroyed by methods such as melting, burning or turning into powder. In addition, magnetic media is passed through a special device that exposes it to a high magnetic field, rendering the data on it unreadable.

13.3. Anonymization of Personal Data

Anonymization of personal data means that, even when the personal data is matched with other data belonging to third parties, the person concerned can no longer be identified or made identifiable, and the data cannot be associated with a real person in any way. For personal data to be anonymized, it must be rendered unable to be associated with an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching the data with other data.

14. PERSONAL DATA STORAGE AND DISPOSAL TIMES

Regarding the personal data being processed by the “Company” within the scope of company activities: retention periods on the basis of personal data, for all personal data within the scope of activities carried out depending on processes, are in the "Personal Data Processing Inventory"; storage periods on the basis of data categories are recorded in VERBIS; and process-based retention periods are determined in the “Personal Data Retention and Disposal Policy”.

When necessary, updates to the said storage periods are made by the Data Contact Person. Ex officio deletion, destruction or anonymization of personal data whose storage period has expired is also performed by the Data Contact Person within the scope of the designated authority, duties and responsibilities. Process-Based Personal Data Retention and Disposal Periods are listed in the appendix.

15. DATA CONTROLLER'S OBLIGATION TO INFORM

Pursuant to Article 10 of the Law, as a data controller, all necessary technical and administrative measures have been taken in order to prevent the illegal processing of personal data, to prevent illegal access to personal data, and to ensure the protection of personal data. For this purpose, the necessary policies and clarification text have been prepared to cover the personal data of our customers, potential product or service buyers, suppliers, service providers, managers and employees, business partners, company partners, company employees, employee candidates, trainees, visitors, employees of public institutions and organizations and of private law legal entities, and the relevant third parties.

In accordance with the aforementioned disclosure obligation, the information that must be notified to the personal data owners is as follows:

  1. Identity of the data controller and its representative, if any,
  2. The purpose for which personal data will be processed,
  3. To whom and for what purpose the processed personal data can be transferred,
  4. The method and legal reason for collecting personal data,
  5. Application and other rights listed in Article 11 of the KVK Law.

You can review the Clarification Text prepared by our company as the data controller, pursuant to the provisions of Article 10 of the Law on the Protection of Personal Data No. 6698 (“Law”) and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Clarify.

16. RIGHTS OF PERSONAL DATA OWNER (RIGHT OF APPLICATION)

Within the scope of Article 11 of the Personal Data Protection Law No. 6698 "regulating the rights of the data subject", an "APPLICATION FORM" has been prepared by our company as the data controller in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller. You can review the application form on the company website.

16.1. Right of Application of Personal Data Owner

Pursuant to Article 11 of the Law, everyone has the following rights in relation to himself, by applying to the data controller:

  1. Learning whether personal data is processed or not,
  2. If personal data has been processed, requesting information about it,
  3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  4. Knowing the third parties to whom personal data is transferred in the country or abroad,
  5. Requesting correction of personal data in case of incomplete or incorrect processing,
  6. Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
  7. Requesting the notification of the third parties to whom the personal data has been transferred, in case of correction, deletion or destruction of personal data,
  8. Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  9. Demanding compensation for the damage in case of loss due to the unlawful processing of personal data.

16.2. Procedure, duration and principles of Data Controller's Response to Applications

In accordance with Article 13/1 of the KVK Law No. 6698, you must submit your applications to our company in writing or through the above-mentioned methods determined by the KVK Institution, in order to exercise your above-mentioned rights. Our company will conclude the requests in your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be charged. In case the application is caused by the fault of the data controller, the fee collected is returned to the relevant person.

16.3. Right of Personal Data Owner to Complain to the Board

In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time, the data subject may file a complaint with the Board within thirty days from the date of learning the answer of the data controller and in any case within sixty days from the date of application. Pursuant to Article 13 of the Law, a complaint cannot be made before the remedy is exhausted.

17. CIRCUMSTANCES WHERE THE PERSONAL DATA OWNER CANNOT ASSERT THE RIGHTS (EXCEPTIONS)

Pursuant to Article 28/1 of the KVK Law No. 6698, the matters written below are excluded from the scope of application of the law (exceptions), and personal data owners cannot claim their rights listed in Article 16 above.

  • Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
  • Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
  • Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the KVK Law No. 6698, provided that it is in accordance with the purpose and basic principles of this law, Article 10, which regulates the data controller's obligation to inform; Article 11, which regulates the rights of the data subject, with the exception of the right to demand the compensation of the damage; and Article 16, which regulates the obligation to register in the Data Controllers Registry, do not apply in the following cases:

  • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the person concerned.
  • The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

18. PERIODIC DISPOSAL AND AUDIT PERIOD OF PERSONAL DATA

The periods for ex officio deletion, destruction or anonymization of personal data are regulated in Article 11 of the Regulation as written below. Accordingly, the data controller who has prepared a personal data storage and destruction policy deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. The time interval for periodic destruction is determined by the data controller in the personal data retention and destruction policy. This period cannot exceed six months in any case. The data controller who is not obliged to prepare a personal data storage and destruction policy deletes, destroys or anonymizes personal data within 6 months following the date on which the obligation to delete, destroy or anonymize personal data arises. In addition, the necessary audits will be carried out by the members of the personal data committee and the data controller at intervals not exceeding six months. The Personal Data Protection Board may shorten the periods specified in the regulation in the event that damages that are irreparable or impossible to compensate arise and there is a clear violation of the law.

19. TERMS OF DELETING AND DESTRUCTION UPON THE APPLICATION OF THE RELATED PERSON

The periods of deletion and destruction of personal data upon the application of the person concerned are regulated as written below in Article 12 of the Regulation. Accordingly, if all the conditions for processing personal data have disappeared, the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller finalizes the request of the data subject within thirty days at the latest and informs the data subject. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party and ensures that the necessary actions are taken with the third party within the scope of this Regulation. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.

20. PUBLISHING, STORING AND UPDATING THE POLICY

This policy, prepared by the company, is published in two different media: with wet signature (printed paper) and electronically on the company's website www.soletex.com. The policy will be deemed to have been disclosed to the public when it is published on the website. The printed paper copy is kept in the KVK file by the Data Contact Person. This policy will be reviewed as needed, starting from the date of publication, once a year at the end of each year, within the scope of the authority and responsibilities of the designated data contact person, and the relevant sections will be updated as necessary.

21. ENFORCEMENT AND REVOCATION OF THE POLICY

This policy, written above, will be deemed to have entered into force after it is published on the company's website www.soletex.com. If it is decided to repeal the policy with the approval of the data controller and the decision of the personal data contact person, the old copies of the policy with wet signatures are canceled and signed by the data contact person (with the cancellation stamp or by writing cancellation) and are stored in the unit by the personal data contact person for at least 5 years.

APPENDIX.1 Periods of Retention and Destruction of Personal Data on the Basis of Process

SOLETEX TEKNİK TEKSTİL SANAYİ VE TİCARET ANONİM ŞİRKETİ Address: Işıktepe Osb Mah Kahverengi Cad. 3.Sokak No:3 Nilüfer Bursa Türkiye Phone: +90 (224) 372 79 90 (Pbx) Fax: +90 (224) 372 79 60 E-mail: info@soletex.com Mersis No: 0773070904100001 Tax Office/No: Nilüfer / 7730709041 Trade Registry No: 83356


| Process | Storage Time | Duration of Destruction |
|---|---|---|
| Managing Human Resources Processes | 10 Years from the expiry of the contract | In the first periodic destruction period following the end of the storage period, at the latest 6 months |
| Application process information of employee candidates | 2 years from the date of receipt of the request | 30 days from the date of receipt of the request, if the request is evaluated negatively or withdrawn, and 2 years from the date of the first audit period, within 180 days at the latest, following the end of the retention period |
| Customer, Supplier, Service Providers Transactions | 10 years from the end of the contract and business relationship | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Camera Recordings | 7 days | Within 30 days upon request; in the first inspection period following the end of the storage period, within 180 days at the latest |
| Lead Transactions | 2 Years | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Contract Transactions | 10 years from the end of the contract and business relationship | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Company Communication Activities | 10 years from the end of the contract and business relationship | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Accounting and financial transactions | 10 Years | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Occupational Health and Safety Processes | 15 years from the end of the contract and business relationship | In the first inspection period following the end of the storage period, within 180 days at the latest |
| Log Records, Internet and Network Access processes | 2 Years | In the first inspection period following the end of the storage period, within 180 days at the latest |