⦁ INTRODUCTION
Protection of personal data is among the most important priorities of Esteestanbul Company (“Este Estanbul” or “Company”). The principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted to ensure the compliance of our Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law”) are set forth in this Policy and our Company ensures the required transparency by informing the owners of personal data.
Your personal data is processed and protected within the scope of this Policy with full awareness of our responsibility in this regard.
The activities carried out by our Company regarding the protection of personal data of our employees are managed under the Este Estanbul Employees Personal Data Protection and Processing Policy, which was entails paralleling guidelines with the principles in this Policy.
⦁ SCOPE
This Policy; relates to all personal data of persons other than our company’s employees, that are processed automatically or manually, provided that they are part of any data recording system. detailed information about the personal data owners in question can be viewed in the ANNEX 2 (“Annex 2- Personal Data Owners”) to this Policy.
⦁ IMPLEMENTATION OF THE POLICY AND APPLICABLE LEGISLATION
Applicable legal regulations in force on the processing and protection of personal data will be upheld at all times. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will be complied with. The policy regulates the rules set forth by the applicable legislation by encompassing them within the Company practices.
⦁ ENFORCEMENT OF THE POLICY
This Policy, issued by our company, is dated 01.Nov.2019. The previous versions issued by the Company have been superseded as of the effective date of this Policy. In case all or certain articles of the Policy are amended, the effective date of the Policy will be updated.
SECTION 2 – ISSUES RELATING TO THE PROTECTION OF PERSONAL DATA
⦁
⦁ ENSURING THE SECURITY OF PERSONAL DATA
In accordance with Article 12 of the Law, our company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures to ensure the required level of security in accordance with the guidelines published by the Personal Data Protection Board (“Board”), and carries out inspections or have such inspections conducted.
⦁ PROTECTION OF PRIVATE PERSONAL DATA
Special importance is attached to sensitive personal data under the Law due to the risk of causing victimization or discrimination when processed unlawfully. Such “special” personal data; includes data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of sensitive Personal data and the necessary audits are provided within our Company as detailed in the Section 3.3 of this Policy.
⦁ RAISING AWARENESS OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND AUDITS
Our company provides necessary trainings to business units in order to prevent illegal processing of personal data, illegal access to data, and to raise awareness about data protection. Our company establishes necessary systems to raise awareness of current employees and newly recruited employees on the protection of personal data, and works with consultants, as needed. In line with this, our Company evaluates the participation in the applicable trainings, seminars and information sessions, and organizes new trainings in parallel with the changes in the applicable legislation.
SECTION 3 – ISSUES RELATING TO THE PROCESSING OF PERSONAL DATA
⦁
⦁ PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE GUIDELINES SET FORTH IN THE LEGISLATION
⦁ Processing In Accordance With The Law and Integrity
Personal data is processed in accordance with the general rule of trust and honesty, without compromising the fundamental rights and freedoms of individuals. In this sense, personal data is processed to the extent and limited to the business activities of our Company.
⦁ Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
Our company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing, and establishes the necessary mechanisms to ensure the maintain the personal data accurate and up-to-date at certain periods.
⦁ Processing for Specific, Clear, and Legitimate Purposes
Our company clearly reveals the purposes of processing personal data and processes it within the scope of purposes related to these activities, in line with its business activities.
⦁ Relating to the Purpose for which they are Processed, Limited and Proportionate Processing
Our company collects personal data only in the quality and extent required by business activities and processes the data limited to the specified purposes.
⦁ Retention for as Long as Required for the Purpose of Processing or as Stipulated in the Applicable Legislation
Our company keeps personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. In this sense, our Company first determines whether a period is stipulated for maintaining personal data in the applicable legislation, and if a period is determined, the Company acts in accordance with this requirement. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is disposed of in accordance with the periodic destruction periods or by the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).
⦁ CONDITIONS FOR PROCESSING PERSONAL DATA
Except for the express consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions stated below, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is sensitive personal data, the conditions in the 3.3 title of this Policy (“Processing of Sensitive Personal Data”) will be applied.
⦁ Explicit Consent of the Personal Data Owner
One of the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner must be disclosed on a specific subject, based on information and free will. In the presence of the personal data processing conditions listed below, personal data can be processed without the need for the explicit consent of the data owner.
⦁ Explicitly Provided in Laws
If the personal data of the data owner is expressly stipulated in the law, in other words, if there is a clear provision in the applicable law regarding the processing of personal data, this data processing condition will be deemed to have been fulfilled.
⦁ Failure to Obtain the Explicit Consent of the Respective Person Due to Actual Impossibility
The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, in order to protect the life or physical integrity of the respective person or another person.
⦁ Direct Concern with the Establishment or Performance of the Contract
Provided that it is directly related to the conclusion or performance of a contract to which the data owner is a party to, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
⦁ Fulfilling the Legal Obligations of the Company
The personal data of the data owner may be processed if the processing is necessary for our company to fulfill its legal obligations.
⦁ Publicizing the Personal Data of the Personal Data Owner
If the data owner has made his personal data public, the applicable personal data may be processed for the purpose of making it public.
⦁ Requirement of Data Processing for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
⦁ Obligatory Data Processing for the Legitimate Interest of Our Company
Provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.
⦁ PROCESSING OF SENSITIVE PERSONAL DATA
Sensitive personal data is processed by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, in the presence of the following conditions:
⦁ Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, if there is a clear provision in the applicable law regarding the processing of such personal data. Otherwise, the explicit consent of the data owner will be obtained.
⦁ Special categories of personal data regarding health and sexual life may be disclosed by persons or authorized agencies and organizations under the requirement of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, may be processed without consent. Otherwise, the explicit consent of the data owner will be obtained.
⦁ DISCLOSURE TO THE PERSONAL DATA OWNER
In accordance with Article 10 of the Law and the additional legislation, our Company informs the personal data owners about who, as the data controller, for what purposes their personal data is processed, for what purposes it is shared with whom, by what methods it is collected, the legal reason and the rights of the data owners as part of the processing of their personal data.
⦁ TRANSFER OF PERSONAL DATA
Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes as stipulated by the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the Law.
⦁ Transfer of Personal Data
Even without the explicit consent of the personal data owner, in case one or more of the conditions stated below are present, personal data may be transferred to third parties with due diligence by our Company, by taking all necessary security measures, including the methods prescribed by the Board.
⦁ The activities regarding the transfer of personal data are clearly stipulated in the laws,
⦁ The transfer of personal data by the Company is directly related to and necessary for the execution or performance of a contract,
⦁ The transfer of personal data is mandatory for our Company to fulfill its legal obligations,
⦁ Transfer of personal data by our Company in a limited manner for the purpose of making it public, provided that the personal data has already been made public by the data owner,
⦁ The transfer of personal data by the Company is mandatory for the execution, exercise or protection of the rights of the Company or the data owner or third parties,
⦁ It is obligatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
⦁ Being obligatory for the protection of life or bodily integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not legally recognized. In addition to the above, personal data can be transferred to foreign countries that are declared to have sufficient protection by the Board (“Foreign Country Ensuring Sufficient Protection”) in the presence of any of the above conditions. In the absence of sufficient protection, it can be transferred to foreign countries where the data controllers in Turkey and the applicable foreign country undertake an adequate protection in writing in line with the data transfer conditions stipulated in the legislation and where the Board has the permission (“Foreign Country Where the Data Controller Warrants Sufficient Protection”).
⦁ Transfer of Private Personal Data
Sensitive Personal data may be transferred by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
- Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, there is a clear provision in the applicable law regarding the processing of personal data. Otherwise, the explicit consent of the data owner will be obtained.
- Special categories of personal data regarding health and sexual life may be disclosed by persons or authorized agencies and organizations under the requirement of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, may be processed without consent. Otherwise, the explicit consent of the data owner will be obtained.In addition to the above, personal data may be transferred to a Foreign Country with Sufficient Protection in case of any of the above conditions. In the absence of sufficient protection, it can be transferred to Foreign Countries where the Data Controller Warrants Adequate Protection, in line with the data transfer conditions stipulated in the legislation.
SECTION 4 – CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSE OF PROCESSING
At our Company, personal data is processed by informing the respective persons in accordance with Article 10 of the Law and the additional legislation, and in line with the personal data processing purposes of our Company, limited based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in accordance with the general principles set forth in the Law of processing personal data, primarily the principles set forth in Article 4 of the Law.
SECTION – STORAGE AND DISPOSAL OF PERSONAL DATA
Our company keeps personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. In this sense, our Company first determines whether a period is stipulated for maintaining personal data in the applicable legislation, and if a period is determined, the Company acts in accordance with this requirement. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is disposed of in accordance with the periodic destruction periods or by the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).
⦁ SECTION – RIGHTS OF PERSONAL DATA OWNERS AND THE EXERCISE OF THESE RIGHTS
⦁ RIGHTS OF PERSONAL DATA OWNER
Personal data owners have the following rights:
⦁ Requiring information as to whether personal data is processed or not,
⦁ Requiring information about the processing, if personal data has been processed,
⦁ Requiring information on the purpose of processing personal data and whether they are used in accordance with its purpose,
⦁ Requiring information on the third parties to whom personal data is transferred at home or abroad,
⦁ Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
⦁ Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the provisions of the law and other applicable laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
⦁ Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
⦁ Requesting compensation for the damage in case of loss due to unlawful processing of personal data.
⦁ EXERCISE OF THE RIGHTS OF PERSONAL DATA OWNER
Personal data owners may submit their requests regarding their rights listed in section 6.1 (“Personal Data Owner’s Rights”) to our Company using the methods determined by the Board. Accordingly, they will be able to benefit from the “Data Owner Application Form
⦁ OUR COMPANY’S RESPONSE TO APPLICATIONS
Our company takes the necessary administrative and technical measures to finalize the applications to be made by the personal data owner in accordance with the Law and additional legislation. In the event of a request, our Company will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.