CLARIFICATION ON THE PROCESSING OF PERSONAL DATA

İDEA Moda Konf.San.Ve Tic.Ltd Şti, which operates under the brand of BİRELİN, has the title of "data controller" within the scope of the Personal Data Protection Law (KVKK) numbered 6698. This text has been prepared in order to provide clarification on personal data processing activities carried out in accordance with Article 10 of KVKK.

What Are Your Personal Data Processed?

Your personal data are collected by our Company through different channels and on the basis of legal reasons to comply with the legislation and Company policies in order to carry out our activities. Your personal data may be processed and transferred; In accordance with the basic principles stipulated by KVKK and within the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK, for the purposes stipulated under this clarification text.  In this context, the following personal data are processed.

Identity information (name-surname, place of birth, date of birth, age, RT ID number, etc.), contact information (e-mail address, telephone number, mobile phone number, address), technical, administrative, legal and commercial Personal data processed in order to ensure our company’s and related party’s security (e.g. information such as the website password that shows that the transaction associated with the personal data owner and that person is authorized to perform that transaction), personal data processed in order to manage the commercial, technical and administrative risks of our company (eg. IP address, Mac ID etc.) and financial information regarding payment and health records for our employees are processed within the scope of personal data.

Reasons for Personal Data Processing:

Your personal data collected; In accordance with the basic principles stipulated by KVKK and within the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK, for the following purposes:

1. To be able to execute works and transactions as a result of contracts and protocols signed
2. To ensure the fulfillment of legal obligations as compulsory or required by legal regulations.
3. To carry out human resources processes.
4. To provide corporate communication.
5. To ensure the security of the institution,
6. To be able to perform statistical studies.
7. To be in contact with real / legal persons who have a business relationship with the institution.
8. To issue legal reports.
9. For obligation to prove as evidence in future legal disputes

Our Personal Data Collection Method

Your personal data is collected with non-automatic means, on condition to be part of fully or partially automated data recording system. We would like to state that permission is obtained for all kinds of personal data transactions, except where the relevant legislation allows processing (including transfers) without express consent from the person concerned, and that unauthorized processing is not performed.

To Whom and For What Purpose the Processed Personal Data Can Be Transferred

Your personal data collected; In accordance with the basic principles stipulated by KVKK and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK, for the following purposes; can be transferred to our business partners, suppliers, legally authorized public institutions and private persons by our institution:

• To be able to execute works and transactions as a result of contracts and protocols signed
• To ensure the fulfillment of legal obligations as compulsory or required by legal regulations.
• Carrying out the necessary works by the relevant business units and carrying out related business processes,
• Planning and execution of the services and business strategies provided by our institution,
• Ensuring the legal, technical and commercial business security of our institution and the persons who are in business relations with our institution,
• Following op of finance, accounting and legal affairs.

Personal Data Retention Period

Although no period has been determined for the storage of personal data within the scope of the KVKK, it is essential that personal data are kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, in accordance with general principles. Our company makes an assessment based on the legislation in force regarding each data processing process and the purpose of the process in order to determine the retention periods in accordance with the aforementioned principle. In this respect, our Company keeps personal data at least for the period required by legal obligations and in any case until the relevant statute of limitations expires. Our company anonymizes, deletes, or destroys personal data in accordance with the Law, when the purpose of processing the relevant personal data is eliminated within the scope of any process, including the expiration of the aforementioned periods. Within the scope of the law, anonymization is defined as "Making personal data unrelated to an identified or identifiable real person in any way, even by matching it with other data" and our Company's anonymization activities are carried out in accordance with the applicable legislation.

Your Rights as Data Subject and Exercise of Rights

As a data subject in accordance with Article 11 of KVKK; you have right to;

(a) to learn whether your personal data has been processed,

(b) To demand information in case the personal data has been processed,

(c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose, (ç) To know the third parties to whom personal data are transferred in land or abroad

e) To request correction of your personal data in case your data is incomplete or incorrectly processed,

f) To request the deletion or destruction of your personal data within the conditions stipulated in article 7 of the Law,

(f) to request notification of the circumstance to third parties to whom personal data are transferred, in case of correction or deletion / destruction of data

(g) To make objection in the event of an occurrence of an unfavorable result in case your personal data is processed exclusively by means of automated systems,

 (ğ) To claim for your loss in case you have damages because your personal data has been processed in illegal manner.

You are required to submit your requests regarding the implementation of the KVKK in writing personally or through a notary or other methods determined by the Personal Data Protection Board to our Institution. The requests included in your application will be finalized as soon as possible, within thirty days at the latest, from the date the request is received and depending on the nature of the request and will be notified to you in writing or electronically by our institution. Our company reserves the right to charge a fee on the fee schedule (if any) determined by the Personal Data Protection Board regarding the requests. You may forward your applications related with your rights listed above by using KVKK Application Form accessible at [email protected] address, mersis no:0470056793900011.

Protection of Your Data

In order to prevent unlawful processing of your personal data, to prevent unauthorized access to personal data and to ensure the protection of personal data, our Institution or the relevant institution has taken the necessary precautions according to the nature of the information and transaction, in the systems and internet infrastructure, within the technological possibilities and cost elements, with appropriate technical and administrative methods. Our institution conducts internal audits within the scope of Article 12 of the KVKK. Necessary information has been provided to our data processing personnel within the scope of KVKK, and studies are carried out to raise awareness on the protection of personal data. 

It is respectfully announced to the entire IDEA family.

IDEA MODA KONF. SAN VE TIC. LTD ŞTI

PERSONAL DATA PROCESSING, PROTECTION and PRIVACY

POLICY

PREPARED BY                       : Human Resources

APPROVED BY                      : COMPANY DIRECTOR

VERSION HISTORY

INDEX

                                                                                                                                   Page

1. PURPOSE AND SCOPE ..................................................................................................3

2. DEFINITIONS ............................................................................................................... 3

3. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES ............................................4

4. ESSENTIALS OF THE POLICY  ..........................................................................................4

1. FUNDAMENTAL PRINCIPLES ADOPTED BY IDEA ……………….……………………………………………4

2. PERFORMING PERSONAL DATA PROCESSING ACTIVITY IN ACCORDANCE WITH KVKK……5

3. PERFORMING PERSONAL DATA TRANSFERS IN ACCORDANCE WITH KVKK ……………………7

4. ENSURING THE SECURITY OF PERSONAL DATA ……………………………………………………………..7

1. Administrative Measures to be Taken ……………………………………………………………………..7
2. Technical Measures to be Taken ……………………………………………………………………………..8
3. Conducting Audit Activities Regarding the Protection of Personal Data …………………..8
4. Measures in Case of Unlawful Disclosure of Personal Data ………………………………………8

5. OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITY ………………………………..8

1. Obligation to Register with the Data Controllers Registry (VERBIS)  …………………………9
2. Obligation to Inform Data Subject ……………………………………………………………………………9
3. Obligation to Collect and Transfer Personal Data Legally………………………………………….9
4. Obligation to Ensure the Security of Personal Data ………………………………………………….9
5. Obligation to Fulfill the Resolutions Taken by the KVK Board …………………………………..9
6. Obligation to Response Data Subjects’ Applications …………………………………………………9

E- PUBLISHING AND STORING THE POLICY ……………………………………………………………………………..10

F- UPDATING THE POLICY ………………………………………………………………………………………………………..10

1. PURPOSE AND SCOPE

Due to the fact that the legal order is one of the cornerstones of social life, IDEA complies with the general rules of law since its establishment and makes maximum effort to protect the rights and interests of individuals. İDEA with its Processing, Protecting and Confidentiality Policy (“İDEA KVKK Policy”), defines the basic principles regarding the compliance of IDEA activities with the regulations stipulated in the Personal Data Protection Law Numbered 6698 (“KVK Law”), and the things that İDEA is required to fulfill are put forward.

With the implementation of IDEA KVK Policy regulations in our campuses, the data security principles adopted by IDEA will be made sustainable.

IDEA KVK Policy has been prepared as a guide for the implementation of the regulations set forth in the KVK Law and the relevant legislation.  Personal data belonging to IDEA employees, candidates for employees, visitors, and employees of third parties, institutions or organizations with whom they are in contact as service providers and personal data of other third parties are within the scope of this Policy and all records where personal data owned or managed by IDEA are processed and all activities related with processing of such date are subject this Policy.

B. DEFINITIONS

The terms used in the legislation and also in the IDEA KVK Policy are listed below.

1. Personal Data: All kinds of information pertaining to an identified or identifiable real person.
2. Sensitive Personal Data: Individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
3. Data subject / Relevant Person: The real person whose personal data is processed. For example; employees, customers
4. Explicit Consent: A consent based on information on a particular subject, which is stated with free-willed and in informed manner in advance.
5. Processing of Personal Data: Any action taken on the data, such as blocking, obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or using personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system.
6. Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
7. Anonymizing: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching other data.
8. Law on Protection of Personal Data: Personal Data Protection Law No.6698, dated 24 March 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677.
9. KVK Board: Personal Data Protection Board.
10. KVK Institution: Personal Data Protection Institution.

3. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES

Legal Consultancy will be a source of advice and a guide in the implementation of the procedures, standards and training activities prepared in accordance with the IDEA KVK Policy. All personnel and related third parties throughout IDEA are obliged to comply with IDEA's KVK Policy and to cooperate with HR in preventing risks / dangers.

All personnel of IDEA are responsible for observing compliance with IDEA KVK Policy.

4. ESSENTIALS OF THE POLICY

1. FUNDAMENTAL PRINCIPLES ADOPTED BY HR

İDEA embraces the following basic principles are adopted in order to comply with and maintain compliance with personal data protection legislation:

1. Personal data includes all kinds of information that belongs to the person and enables the identification of the person, and therefore, its protection constitutes the superior benefit of the data subject. We should act with the awareness that it is an obligation to pay attention to the data subjects’ right to know which data is processed for what purpose and whether the data is transferred or not.
2. We conduct data processing activities in accordance with the law and the rule of integrity.
3. We should ensure that the personal data processed are correct and, when necessary, up-to-date, and if the data is incorrect, it should be corrected / updated.
4. Personal data are processed only for specific, explicit and legitimate purposes and to the extent required by the processing purpose. With the assumption of future use, excessive data should not be processed, and the rights of the data subjects and the purpose of the processing should be considered together.
5. We retain all personal data only for the period required by the relevant legislation or for the purpose for which they are processed. In particular, the time limit arising from Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law are observed. IDEA deletes, destroys, or anonymizes personal data in the event that the period stipulated in the legislation is expired or the reasons requiring the processing of personal data disappear.

2. PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH KVKK

While carrying out the processing activities of personal data, we must act in accordance with the data processing conditions specified in Articles 5 and 6 of the KVK Law and the Regulation on the Processing of Personal Health Data, provided that they comply with the basic principles. The following stages are followed respectively in data processing;

1. The data subject should be enlightened. Clarification should be made before obtaining consent (signature) in cases where explicit consent is required to process data, and before starting data processing in cases where explicit consent (signature) is not required, and it should be explained which data will be processed and why. In cases of data processing by taking camera images, written warning signs should be placed where necessary.

2. It should be determined whether the data processing conditions exist or not, in the absence of the conditions, we should not perform the personal data processing activity. In the following cases, the existence of data processing conditions is recognized, and no consent is required: 

• It is clearly stipulated in the law (for example, it is mandatory to obtain the identity information of the employee due to the obligation to report to SSI)
• Provided that it is directly related to the establishment or execution of a contract, it is necessary to process personal data belonging to the parties of the contract (for example, it is necessary to obtain the name and surname of the seller and the bank account information to pay for the purchased product).
• In cases where it is obligatory for the data controller to fulfill his legal obligation, it is made public by the person concerned, data processing is mandatory for the establishment, use or protection of a right, and data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data controller, personal data can be processed.
• Except for the above cases or during the processing of "sensitive data", EXPRESS CONSENT MUST BE TAKEN.

3. It is necessary to limit the amount of data to be processed to "as much as necessary" and not to process more data than necessary for each processing purpose.

4. Within the scope of the processing of personal data, IDEA personnel must comply with the Turkish Penal Code, KVK Law and other relevant legislation and the rules set forth in the IDEA KVK Policy, especially the Constitution of the Republic of Turkey.

Within the scope of these explanations, in IDEA, personal data processing activities shall be carried out in accordance with the terms and purposes of Article 5 and Article 6 of the KVK Law and for the following purposes;

Personal date of customers and business partners;

• Data processing due to contractual relationship; Personal data belonging to the business partner (to the business partner’s official if the business partner is a legal person) and any contractual relationship made with the third party real and legal persons (if the business partner is a legal person) for commercial business purposes, without the need for separate consent, the establishment of the contract, can be processed for establishment, implementation and termination of the contract. Personal data can be processed before and during the contract establishing stage in order to prepare an offer, to prepare a purchase form or to meet the requests of the Personal Data Subject regarding the implementation of the contract.

Personal data of the Customer (Customer and potential Customer) can be processed by obtaining the explicit consent of natural persons.

• Data processing activities carried out due to the legal obligation of IDEA or explicitly stipulated in the law; Personal data may be processed without further consent, in case the processing is clearly stated in the relevant legislation or in order to fulfill a legal obligation determined by the legislation. The type and scope of data processing must be necessary for the legally permitted data processing activity and must comply with the relevant legal provisions.
• Processing data in accordance with the legitimate interest of IDEA; Personal data can also be processed without requiring additional consent when necessary for a legitimate interest of IDEA. Legitimate interests are usually legitimate (eg collecting receivables) or economic (eg avoiding contract breaches) interests.

Personnel data;

• Processing of Personal Data for employment relationship; Personal Data is processed without further consent, if necessary for the establishment, implementation and termination of the employment contract. When starting the employment relationship, the Personal Data of the candidates are processed. In case the candidate is rejected, information about the candidate is kept for the appropriate data retention period for the next selection stage, and at the end of this period, they are deleted, destroyed, or anonymized.
• Data processing activities carried out due to the legal obligation of IDEA or explicitly stipulated in the law; Personal data of employees may be processed without further consent, in case the processing is clearly stated in the relevant legislation or in order to fulfill a legal obligation determined by the legislation.
• Processing of data in accordance with legitimate interest; Personal Data of the Employee can also be processed without consent when required by a legitimate interest of IDE. (eg filing, exercising or defending legal rights or evaluating the IDEA). In personal cases where employees' interests need to be protected, personal data are not processed for legitimate interests purposes. It is determined whether there are interests that require protection before data is processed. When the employee data is processed based on the legitimate interest of IDEA, it is examined whether the processing is reasonable or not. It is checked that the legitimate interest of IDEA in taking this control measure does not violate a right of the relevant employee that needs to be protected, and it is applied when it is reasonable only.

3. PERFORMING PERSONAL DATA TRANSFERS IN ACCORDANCE WITH KVKK

In the personal data transfers to be carried out by IDEA (actively sharing personal data with third parties or making personal data accessible to third parties), the personal data transfer conditions regulated in Articles 8 and 9 of the KVK Law should be complied with. Data on Individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data is deemed as sensitive data.

• It is clearly stipulated in the laws (for example, it is mandatory to notify the employee's identity information to the SSI due to the SSI legislation).
• Provided that it is directly related to the establishment or execution of a contract, it is necessary to process personal data belonging to the parties of the contract (for example, it is necessary to obtain the name and surname of the seller and the bank account information to pay for the purchased product).
• In cases where it is obligatory for the data controller to fulfill his legal obligation, it is made public by the person concerned, data processing is mandatory for the establishment, use or protection of a right, and data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data controller, personal data can be transferred (for example,  it is obligatory to obtain the health report of the worker in legal periods and transfer this data to the accounting personnel).
• Personal data cannot be transferred abroad without the express consent of the person concerned.

4. ENSURING THE SECURITY OF PERSONAL DATA

IDEA should take all necessary precautions according to the nature of the data to be protected, within the bounds of possibility, in order to prevent the unlawful disclosure and transfer of personal data, unauthorized access to personal data, or any security deficiencies that may occur in other ways. In this context, administrative and technical measures should be taken, an audit system should be established within IDEA and a process should be implemented in the KVK Law in case of unlawful disclosure of personal data.

1. Administrative Measures Taken to Ensure the Legal Processing and Transfer of Personal Data and to Prevent Unauthorized Access to Personal Data are as follows :

• İDEA educates and raises awareness of its employees regarding the protection of personal data.
• In cases where personal data are subject to transfer, provisions are added to the contracts concluded with the persons to whom the personal data are transferred, stating that the party to whom the personal data is transferred shall fulfill its obligations to ensure data security. In this context, it is undertaken that the transferred party shall take all necessary measures to protect personal data and ensure that these measures are implemented in their own organizations.
• The processes carried out by the factory and workplaces are examined in detail, and the personal data processing activities carried out within the scope of the process are determined for each unit. In this context, the steps to be taken to ensure that the data processing activities carried out be in conformity with the personal data processing conditions stipulated in the KVK Law are determined.

2. Technical Measures Taken to Ensure the Legal Processing and Transfer of Personal Data and to Prevent Unauthorized Access to Personal Data are as follows :

• Regarding the protection of personal data, technical measures have been taken as far as technology allows, and the measures taken should be updated and improved in parallel with the developments.
• Expert personnel are employed for technical matters.
• Inspections should be carried out at regular intervals for ensuring the implementation of the measures taken.
• Software and systems that will ensure security are updated.
• Access authorization to personal data being processed by the personnel is limited to the relevant IDEA employee in line with the specified processing purpose.

3. Conducting Audit Activities Regarding the Protection of Personal Data

Compliance, functioning and effectiveness of technical measures, administrative measures and practices taken by IDEA within the scope of protection and security of personal data with the relevant legislation, policies, procedures, and instructions are audited by the Company Director. The audit can also be carried out by external audit firms. The results of the auditing activities carried out are reported to the Company Director and relevant function managers. It is the primary responsibility of the process owners to follow up the actions planned regarding the audit results in a regular manner. Without being limited to the results of the audit, the activities that will ensure the development and improvement of the measures taken regarding the protection of data are carried out by the relevant unit.

4. Measures to be Taken in Case of Unlawful Disclosure of Personal Data. IDEA, in case the personal data it is processing are obtained by unauthorized persons illegally, should immediately inform the KVK Board and the relevant data subject. Simultaneously, the IDEA Data Breach Notification Procedure should be applied.

5. OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITY

IDEA must comply with the obligations stipulated by the KVK Law for data controllers.

a. Obligation to Register with the Data Controllers Registry (VERBIS): The information to be submitted to the Data Controllers Registry in the registration application is as follows:

         1. Identity information and addresses of the data controller and its representative, if any

2. Purposes of personal data processing

3. Information about groups of data subject persons and the categories of personal data processed of these persons,

4. Persons or groups of persons to whom personal data can be transferred to,

5. The maximum retention period required by the purpose of processing of personal data,

6. Measures taken to ensure the security of the personal data processed.

2. Obligation to Inform Data Subject: The information to be submitted to the data owners within the scope of the informing obligation is as follows:

1. Identity of the data controller and its representative, if any,

2. For what purpose personal data will be processed,

3. To Whom and For What Purpose the Processed Personal Data Can Be Transferred

4. The Method and Legal Grounds of Collecting Personal Data

5. Rights of the data subject listed in Article 11 of the KVK Law

3.   Obligation to Collect and Transfer Personal Data Legally: The data subject should be informed on which data is processed for what purpose and whether the data is transferred or not, and the collected data should be processed in accordance with the law and integrity rule. Personal data are processed only for specific, explicit and legitimate purposes and to the extent required by the processing purpose, and it should be ensured that it is accurate and up to date. In case the reason for processing the processed data has disappeared, necessary internal systems for the deletion, anonymization or destruction of the data should be established.

4. Obligation to Ensure the Security of Personal Data: In order for the data subject not to experience any loss of rights, IDEA should take all necessary technical and administrative measure to prevent unlawful processing of personal data, to prevent unauthorized access to personal data, and to ensure the appropriate level of security in order to preserve personal data. It is obliged to carry out the necessary inspections within the scope of the operation of mechanisms to ensure data security.

5. Obligation to Fulfill the Resolutions Taken by the KVK Board:  IDEA must act in accordance with the decisions taken by the KVK Board, which is the executive body of the KVK Institution, in order to ensure that personal data are processed in accordance with fundamental rights and freedoms.

6. Obligation to Response Data Subjects’ Applications: İDEA in capacity of data controller, must finalize the written requests of the data subjects regarding their personal data as soon as possible and within thirty (30) days at the latest, depending on the nature of the request.

Personal data subject can apply to the data controllers and make a request on the following issues related to them:

1. You have right to learn whether your personal data has been processed,
2. To demand information in case your personal data has been processed,
3. To learn the purpose of processing your personal data and whether they are used accordingly,
4. To know the third parties in which your personal data is transferred in land or abroad,
5. To request correction of your personal data in case your data is incomplete or incorrectly processed,
6. To request the deletion or destruction of your personal data within the conditions stipulated in article 7 of the Law,
7. to request notification of the circumstance to third parties to whom personal data are transferred, in case of correction or deletion / destruction of data
8. To make objection in the event of an occurrence of an unfavorable result in case your personal data is processed exclusively by means of automated systems,
9. To claim for your loss in case you have damages because your personal data has been processed in illegal manner.

E- PUBLISHING AND STORING THE POLICY 

The policy document is published in two different media as wet signed (printed paper) and electronically, and disclosed to the public on the website. The printed paper copy is also kept in the file BY THE DATA CONTROLLER.

F- UPDATING THE POLICY

The policy enters into force from the moment it is approved by the Company Director. This Policy is reviewed as needed and required sections are updated. The General Director has been authorized by the Board of Directors regarding the amendments to be made in the policy and how they will be put into effect. This Policy may be amended and put into effect with the approval of the Company Director. Implementation rules that will be regulated in accordance with this Policy, indicating how the issues specified in this Policy will be executed for certain subjects will be arranged as being added to the relevant regulations. The İDEA KVK policy has been made public by the Company on its website. In case of conflict with the legislation in force, especially the KVK Law, and the regulations included in this Policy, the provisions of the legislation shall be applicable.

IDEA MODA KONF. SAN VE TIC. LTD ŞTI

PERSONAL DATA RETENTION AND DESTRUCTION 

PROCEDURE

PREPARED BY                       : Human Resources

APPROVED BY                      : COMPANY DIRECTOR

1. PURPOSE AND SCOPE

Personal data of employees, employee candidates, employees of third parties, institutions, or organizations with whom they are in contact as customers and service providers, and personal data of other third parties are processed by İDEA

This procedure has been prepared as a guide in order to ensure that the retention and destruction processes of the data processed by IDEA in accordance with the law are carried out in accordance with the regulations in the Personal Data Protection Law No.6698 (“KVK Law”).

All departments of IDEA are responsible for complying with and observing this procedure prepared in accordance with IDEA Personal Data Retention and Destruction Policy (IDEA KVK Policy).

This procedure, prepared in accordance with the IDEA KVK Policy, will be a source of advice and guidance for Human Resources in the implementation of standards and training activities within IDEA. All personnel in İDEA MODA are obliged to comply with IDEA procedure and cooperate with Human Resources in preventing risks / dangers.

B. DEFINITIONS

The terms used in the legislation, IDEA KVK Policy and procedure are listed below.

• Personal Data: All kinds of information pertaining to an identified or identifiable real person.
• Sensitive Personal Data: Individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
• Biometric Data: One or more physical or behavioral characters that enable the identification or verification of the person, such as fingerprint, palm print, face, iris, retina, ear, voice, signature, gait, hand vein, body odor or DNA information.
• Data subject / Relevant Person: The real person whose personal data is processed. For example; Customers
• Explicit Consent: A consent based on information on a particular subject, which is stated with free-willed and in informed manner in advance.
• Processing of Personal Data: Any action taken on the data, such as blocking, obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or using personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system.
• Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Anonymizing: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching other data.
• Recording Media: All kinds of media, where personal data is processed fully or partially automated or part of any data recording system, provided that the non-automatic means of processing.
• The Board: Personal Data Protection Board. 

C. BASIC PRINCIPLES ADOPTED BY IDEA MODA IN THE PROTECTION OF PERSONAL DATA

Due to the fact that the legal order is one of the cornerstones of social life, IDEA complies with the general rules of law since its establishment and makes maximum effort to protect the rights and interests of individuals.

All employees, whether they are involved in data processing, protection, or transmission activities within the scope of IDEA activities, should adopt the basic principles listed below and act in accordance with these principles.

Personal Data is information that needs to be highly protected within the scope of human rights. Personal data includes all kinds of information that belongs to the person and enables the identification of the person, and therefore, its protection constitutes the superior benefit of the data subject. Therefore, care and attention must be paid to data collection, processing, transfer, storage and destruction stages, and maximum compliance with the information provided in both training and this procedure is required.

D. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES

All units and employees of İDEA actively support the responsible departments of the policy in the appropriate implementation of the technical and administrative measures taken within the scope of the Policy, the training and awareness of the employees of the unit, their monitoring and continuous auditing, preventing the illegal processing of personal data, preventing unlawful access to personal data and personal data, and the units in charge of taking technical and administrative measures to ensure data security in all environments where personal data are processed in order to ensure legal retention.

The titles and job descriptions of those involved in the retention and destruction processes of personal data are as follows:

• Company Director                    : He/she is responsible for the employees to act in accordance with the policy and procedure.
• IT expert: He/she is responsible for providing the technical solutions needed in the implementation of the policy.
• Personnel of other units: They are responsible for the execution of the Policy in accordance with their duties.

5. STORAGE MEDIA

Personal data is stored securely in accordance with the law in the media listed below:

1. Non-electronic Media

1. Paper
2. Manual data recording systems (survey forms, visitor logbook) 
3. Written, printed and visual media

2. Electronic media

1. Servers (Domain, backup, e-mail, database, web, file sharing etc.);
2. Software (office software, Nebim, VCloud.)
3. Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc.)
4. Personal computers (Desktop, laptop);
5. Mobile Devices (phone, tablet, etc.);
6. Optical discs (CD, DVD, etc.)
7. Removable sticks (USB, Memory Card etc.)
8. Printer, scanner, copier

6. PRINCIPLES REGARDING THE RETENTION OF PERSONAL DATA

By IDEA; Personal data belonging to employees, candidates for employees, customers and employees of third parties, institutions or organizations with whom they are related as service providers are retained in accordance with the Law and are destroyed after being kept for the period stipulated in the relevant legislation or for the purpose for which they are processed.

1. 1. Processing Purposes Requiring Retention: IDEA retains the personal data it processes within the framework of its activities for the following purposes. Personnel will not process or store data that will not be used for these purposes.

1. To carry out human resources processes.
2. To provide corporate communication.
3. To ensure the security of the institution,
4. To be able to perform statistical studies.
5. To be able to execute works and transactions as a result of contracts and protocols signed
6. To ensure the fulfillment of legal obligations as compulsory or required by legal regulations.
7. To be in contact with real / legal persons who have a business relationship with the institution.
8. To issue legal reports.
9. For obligation to prove as evidence in future legal disputes

1. 2. Ensuring the Security of Personal Data

IDEA personnel should take all necessary precautions according to the nature of the data to be protected, within the bounds of possibility, in order to prevent the unlawful disclosure and transfer of personal data, unauthorized access to personal data, or any security deficiencies that may occur in other ways. In this context;

1. Administrative Measures are as follows:

• Before starting to process personal data, the obligation to inform the relevant persons must be fulfilled by the personnel.
• Personnel must perform data processing and transfer in accordance with the Personal Data Processing and Protection procedure.
• Personnel should immediately report any violations and vulnerabilities of administrative and / or technical security to the Company Manager or HR.

2. Technical Measures: Personnel will apply the following safety rules.

Mail Usage Rules

1. E-mail addresses [email protected] defined for employees should definitely be used for communication about workplace affairs.
2. Emails containing chain messages and any executable files attached to the messages should be deleted immediately when received and never forwarded to others.
3. Employees must prevent their messages from being read by unauthorized persons. Therefore, a password should be used, and hardware / software systems used for e-mail access should be protected against unauthorized access.
4. The users are responsible for the security of the password of the e-mail address defined to them by the employer and the legal proceedings arising from the e-mails sent. They are obliged to contact the authorities and inform them about the situation ss soon as they realize that the passwords have been intruded.
5. Employees who quit cannot use the corporate e-mail system. The user to whom a e-mail address is defined should notify the HR unit as soon as possible of the change in the workplace due to unit change, retirement or leaving the job.

Password Usage Rules

1. All user level passwords (eg, e-mail, web, desktop computer, etc.) must be changed at least every six months. Recommended changing period is every three months.
2. Passwords should not be attached to e-mail messages or any electronic form.

3. Passwords should not be shared with anyone else and should not be written on paper or electronic media.
4. Passwords must include lowercase and uppercase characters (eg, az, AZ), both digit and punctuation characters, as well as letters (eg 0-9,! '^ +% & / () =? _; *).
5. Passwords must have at least six alphanumeric characters.

6. It should not be a slang, dialect or technical word in any language.

7. Family names should not be used.

8. No password should be given to any person on the phone.

9. Password should not be typed in e-mail messages.

10. Passwords should not be shared with family members.

11. Passwords should not be given to colleagues when you are away from work.
12. A username and password should not be used on more than one computer.
13. Password cracking and guessing operations can be done periodically. In case the passwords are guessed or broken as a result of the security scan, the user will be asked to change their password.

Antivirus Policy

1. Licensed antivirus software of the workplace must be installed on the whole computer and its operation should not be prevented.
2. No user can uninstall the antivirus program from the system for any reason and cannot install any other antivirus software on the system.

Internet Usage Policy

1. No user will be allowed to use the services on the internet via peer-to-peer connection. (For example;KaZaA, iMesh, eDonkey, Gnutella, Napster, Aimster, Madster, FastTrak, Audiogalaxy, MFTP, eMule,Overnet, NeoModus, Direct Connect, Asquisition, BearShare, Gnucleus, GTK- Gnutella, LimeWire,Mactella, Morpheus, Phex, Qtella, Shareaza, XoLoX, OpenNap, WinMX. etc)
2. Chat programs such as Messenger, whatsapp etc. massaging and chat programs should not be used over network except for official conversations, and exchanging files over these chat programs should not be allowed.
3. Software that is not approved by the workplace cannot be downloaded over the Internet and this software cannot be installed or used on workplace systems.

General Usage Policy

1. In case the computer should be left unattended for a long time, the computer should be locked and the access of third parties to the information should be prevented.
2. Laptop computers should be more carefully protected against security breaches. Operating system passwords must be activated.
3. In case the company has a domain structure, it must be logged in. In this case, computers that are not connected to the domain should be removed from the local network, and information should not be exchanged between devices on the local network and such devices.
4. In case the laptop is stolen / lost, the Human Resources department should be informed as soon as possible.
5. All users are responsible for the security of their own computer system. The owner of the system is responsible for the attacks (eg electronic banking, e-mail with insult-politics content, user information, etc.) that may arise from these computers.
6. It should not be engaged in any actions that would disrupt network security (for example, if a person wants to access servers although he is not authorized) or network traffic (packetsniffing, packetspoofing, denial of service, etc.).
7. No port or network scanning should be performed.
8. Any activity that threatens the security of the network should be avoided. DoS attack, port-network scan, etc. should not be done.
9. Company information should not be transmitted to third parties outside the company.
10. No peripheral connection should be made on the users' personal computers without the consent of the HR unit.
11. It is forbidden to take device, software, and data outside the workplace without permission
12. It is forbidden to install and use programs that are of unknown origin (magazine CDs or programs downloaded from the internet, etc.), except for the software used by the company.
13. Unauthorized personnel are prohibited from seeing or obtaining confidential and sensitive information in the company.
14. Special attention should be paid to the confidentiality and privacy of corporate or personal data. Such data cannot be given to third parties and institutions in electronic or paper environment, without prejudice to the provisions of the relevant legislation in the workplace.
15. Personnel are responsible for the security of the corporate information on their desktop and laptop computers allocated to them and used for company works.
16. Personnel authorized by the HR department can access the employee's computer and perform security, maintenance, and repair operations on-site or remotely without notifying the user. In this case, authorized personnel providing remote maintenance and support services cannot view, copy, or change personal or corporate information on the personal computer.
17. There should be no computers and devices in the Network System (web hosting, e-mail service, etc.) in the form of a server without the knowledge of the HR unit in the company.
18. Network settings, user definitions, resource profiles etc. existing settings on computers should not be changed in any way, except for the responsible Human Resources personnel in the units and the relevant technical personnel.
19. Unlicensed programs should not be installed on computers in any way. The personnel who keeps the unlicensed software on their computers shall be responsible for this personally against the relevant laws.
20. Unless necessary, computer resources should not be shared, and if the resources are shared, the rules of password use must be observed.
21. When a problem occurs on the computer, it should not be intervened by unauthorized persons, and HR personnel should be notified.

1. 3. Retention Periods of Personal Data  

The retention periods of personal data based on processes are as follows. Following the expiration of this period, they are destroyed in the first periodic destruction period.

7. DESTRUCTION OF PERSONAL DATA

1. Causes Requiring Destruction: Personal data are deleted, destroyed or ex officio deleted, destroyed or anonymized by IDEA upon request of the person concerned in the following cases;

• The amendment or abolition of the relevant legislation provisions that form the basis of its processing,
• Disappearance of the purpose requiring the processing or retention of personal data,
• In cases where the processing of personal data takes place only on the basis of express consent, the person concerned withdraws his explicit consent,
• In accordance with Article 11 of the Law, the application made by IDEA regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
• In cases where the İDEA rejects the application made by the person concerned with the request for deletion, destruction or anonymization of his/her personal data, or in case his/her response is found to be insufficient or does not respond within the period stipulated in the Law; Making a complaint to the Board and approval of this request by the Board,
• Maximum period for the retention of personal data has passed, there are no conditions that would justify the retention of personal data for a longer period.

2. Destruction Techniques: At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, the personal data is destroyed by İDEA, either on its own initiative or upon the application of the relevant person, using the following techniques in accordance with the provisions of the relevant legislation.

b.a. Deletion of Personal Data

• Personal Data on Servers; For those who have expired from the personal data on the servers, the system administrator (HR) removes the access authorization of the relevant users and deletes them.

• Personal Data in Electronic Environment: Those who have expired from personal data in electronic environment are made inaccessible and unavailable in any way for other employees (relevant users), except for the database manager (HR).

• Personal Data in Physical Environment: Personal Data It is made inaccessible and unavailable in any way for other employees, except for the department manager responsible for the document archive, for those who require the retention of personal data kept in a physical environment. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way.

• Personal Data on Portable Media: Of the personal data kept in flash-based storage media, those that have expired are stored in secure environments with encryption keys, encrypted by the system administrator (HR) and the access authority is given only to the system administrator (HR).

b.b. Destruction of Personal Data

• Personal Data in Physical Environment: Those who have expired from the personal data in the paper environment, are irreversibly destroyed in the paper shredding machines.

• Personal Data on Optical / Magnetic Media: Physical destruction, such as melting, burning or pulverizing the personal data in optical media and magnetic media, is applied for those retained in optical and magnetic media and the term for retention is expired. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

b.c. Making Personal Data Anonymous

Personal data are rendered unrelated to a natural person whose identity is known or can be determined even by the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of the data by the data controller or third parties and / or matching the data with other data.

3. Destruction Process and Periods

c.a. The process of ex officio deletion, destruction or anonymization for personal data whose retention periods have expired in IDEA is carried out by Human Resources.

c.b. Unless a contrary decision is taken by the Board, the appropriate method of ex officio deletion, destruction, or anonymization of personal data whose retention periods have expired in IDEA are selected. In case of destruction of personal data at the request of the person concerned, the appropriate method is selected and applied by explaining the reason.

c.c. Periodic destruction period : In accordance with Article 11 of the Regulation concerned with the Deletion, Destruction or Anonymization of Personal Data, IDEA performs periodic destruction in April and October every year.

In the first periodic destruction process following the date when the obligation to delete, destroy or anonymize personal data is emerged, personal data are deleted, destroyed or anonymized.

c.d. All transactions regarding the deletion, destruction and anonymization of personal data are recorded, and the said records are kept for at least 3 years, excluding other legal obligations.

c.e. Periods for deletion and destruction of personal data, if requested by the data subject: In case the person concerned requests the deletion or destruction of his/her personal data by applying to IDEA pursuant to Articles 11 and 13 of the Law;

• • • In case all the conditions for processing personal data have disappeared ; Within thirty days at the latest, the personal data subject to the request is deleted, destroyed or anonymized and the relevant person is informed.
    • In case all the conditions for processing personal data have disappeared and the personal data subject to the request is transferred to third parties , the request of the relevant person is notified to the third party; It is ensured that the necessary procedures are carried out within the scope of the Regulation on the Deletion, Destruction or Anonymization of Personal Data before the third party.
    • In case all the conditions for processing personal data are not eliminated; It is rejected within thirty days at the latest, with the explanation of the reason, and the response is notified to the relevant person in writing or electronically.

F- DISCIPLINARY PROVISIONS

The provisions of this procedure are in the form of an annex to the employment contract and the provisions regarding disciplinary practices and termination of the contract are applied in the "HR DIRECTIVE", which is an annex to the employment contract and received and signed by the personnel, for the personnel who do not comply with the rules of the procedure.          

G- UPDATING

This procedure, which is prepared in accordance with the IDEA Personal Data Processing, Protection and Privacy Policy (IDEA KVK Policy) and takes effect from the moment it is approved by the Company Director, is reviewed and the necessary sections are updated as needed. With the approval of the Company Director, this Procedure may be amended and put into effect. In case of conflict with the legislation in force, especially the KVK Law, and the regulations included in this Procedure, the provisions of the legislation are applied.

IDEA MODA KONF. SAN VE TIC. LTD ŞTI

PERSONAL DATA RETENTION - DESTRUCTION

POLICY

PREPARED BY                       : Human Resources

APPROVED BY                      : COMPANY DIRECTOR

VERSION HISTORY

INDEX

                                                                                                         Page number

A. PURPOSE AND SCOPE .....................................................................................3

B. DEFINITIONS .....................................................................................................3

3. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES............................4

D. STORAGE MEDIA ................................................ ............................................ 4

1. Non-electronic media ………………………………………………………………………….4
2. Electronic media ………………………………………………………………………………….4

E. PRINCIPLES REGARDING THE RETENTION OF PERSONAL DATA…………………..5

1. Legal Reasons Requiring Retention……………….…………………………………….5
2.  Processing Purposes Requiring Retention…………………………………………..5
3. Ensuring the Security of Personal Data………………………………………………..5

1. Administrative Measures Taken …………………………………………………. 6
2. Technical Measures Taken ……………………………………………………………6

4. Retention Periods of Personal Data……………………………………………………..8

6. DESTRUCTION OF PERSONAL DATA……………………………………………………………9
   1. Causes Requiring Destruction………………………………………………………………9
   2. Destruction Techniques …………………………………………………………………….10

b.a. Deletion of Personal Data……………………………………………………………10

b.b. Destruction of Personal Data……………………………………………………….11

b.c. Anonymizing Personal Data………………………….………………………………11

1. 3. Destruction Process and Periods…………………………………………………………11

G- PUBLISHING AND STORING THE POLICY ……………………………………………………12

H- UPDATING THE POLICY ……………………………………………………………………………..12

1. PURPOSE AND SCOPE

IDEA MODA Retention-Disposal of Personal Data Policy ("IDEA MODA KVK Policy") has been prepared in order to determine the procedures and principles regarding the operations and transactions related to the retention and disposal activities carried out.

Personal data belonging to IDEA MODA employees, candidates for employees, visitors, and employees of third parties, institutions or organizations with whom they are in contact as service providers and personal data of other third parties are within the scope of this Policy and all records where personal data owned or managed by IDEA MODA are processed and all activities related with processing of such date are subject this Policy.

2. DEFINITIONS

The terms used in the legislation and also in the IDEA MODA KVK Policy are listed below.

1. Personal Data: All kinds of information pertaining to an identified or identifiable real person.
2. Sensitive Personal Data: Individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
3. Personal Data subject / Relevant Person: The real person whose personal data is processed. For example; Customers and employees.
4. Explicit Consent: A consent based on information on a particular subject, which is stated with free-willed and in informed manner in advance.
5. Processing of Personal Data: Any action taken on the data, such as blocking, obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or using personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system.
6. Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
7. Destruction: Deletion, destruction, or anonymization of personal data.
8. Anonymizing: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching other data.
9. Recording Media: All kinds of media, where personal data is processed fully or partially automated or part of any data recording system, provided that the non-automatic means of processing.
10. Receiver group: The category of natural or legal persons to whom personal data is transferred by the data controller,
11. Law on Protection of Personal Data: Personal Data Protection Law No.6698, dated 24 March 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677.
12. KVK Board: Personal Data Protection Board.
13. KVK Institution: Personal Data Protection Institution.

3. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES

All units and employees of the İDEA MODA actively support the responsible departments of the policy in the appropriate implementation of the technical and administrative measures taken within the scope of the Policy, the training and awareness of the employees of the unit, their monitoring and continuous auditing, preventing the illegal processing of personal data, preventing unlawful access to personal data and personal data, and the units in charge of taking technical and administrative measures to ensure data security in all environments where personal data are processed in order to ensure legal retention.

The titles and job descriptions of those involved in the retention and destruction processes of personal data are as follows:

• Company Director                    : He/she is responsible for the employees to act in accordance with the policy.
• HR Officer: He/she is responsible for providing the technical solutions needed in the implementation of the policy.
• Personnel of other units: He/she is responsible for the execution of the Policy in accordance with his duties.

4. STORAGE MEDIA

Personal data is stored securely in accordance with the law in the media listed below:

1. Non-electronic Media

1. Paper
2. Manual data recording systems (survey forms)
3. Written, printed and visual media

2. Electronic media

1. Servers (Domain, backup, e-mail, database, web, file sharing etc.);
2. Software (office software, Nebim, VCloud.)
3. Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc.) 
4. Personal computers (Desktop, laptop);
5. Mobile Devices (phone, tablet, etc.);
6. Optical discs (CD, DVD, etc.)
7. Removable sticks (USB, Memory Card etc.)
8. Printer, scanner, copier

5. PRINCIPLES REGARDING THE RETENTION OF PERSONAL DATA

By IDEA MODA; Personal data belonging to employees, candidates for employees, customers and employees of third parties, institutions or organizations with whom they are related as service providers are retained in accordance with the Law and are destroyed after being kept for the period stipulated in the relevant legislation or for the purpose for which they are processed.

1. 1. Legal Reasons Requiring Retention: İDEA MODA retains personal data for periods prescribed by ;
1. Turkish Commercial Code No. 6102
2. Turkish Code of Obligations No. 6098
3. Social Insurance and General Health Insurance Law No. 5510,
4. Occupational Health and Safety Law No. 6331,
5. Labor Law No. 4857,
6. The Law on the Protection of Personal Data No. 6698;
7. Tax legislation and other secondary regulations in force pursuant to these laws.

2.  Processing Purposes Requiring Retention: IDEA MODA retains the personal data it processes within the framework of its activities for the following purposes.

1. To carry out human resources processes.
2. To provide corporate communication.
3. To ensure the security of the institution,
4. To be able to perform statistical studies.
5. To be able to execute works and transactions as a result of contracts and protocols signed
6. To ensure the fulfillment of legal obligations as compulsory or required by legal regulations.
7. To be in contact with real / legal persons who have a business relationship with the institution.
8. To issue legal reports.
9. For obligation to prove as evidence in future legal disputes

3. Ensuring the Security of Personal Data

IDEA MODA personnel should take all necessary precautions according to the nature of the data to be protected, within the bounds of possibility, in order to prevent the unlawful disclosure and transfer of personal data, unauthorized access to personal data, or any security deficiencies that may occur in other ways. In this context;

1. Administrative Measures Taken to Ensure the Legal Processing and Transfer of Personal Data and to Prevent Unauthorized Access to Personal Data are as follows :

• İDEA MODA educates and raises awareness of its employees regarding the protection of personal data.
• Confidentiality clause has been added to the contracts of the employees regarding the activities carried out by the institution.
• The disciplinary procedure to be applied to employees who do not comply with security policies and procedures has been prepared in the HR regulation and delivered to the personnel as an annex to their contract.
• Before starting to process personal data, the obligation to inform the relevant persons must be fulfilled by the institution.
• Personal data processing inventory has been prepared.
• In cases where personal data are subject to transfer, provisions were added to the contracts concluded with the persons to whom the personal data are transferred, stating that the party to whom the personal data is transferred shall fulfill its obligations to ensure data security. In this context, it is undertaken that the transferred party shall take all necessary measures to protect personal data and ensure that these measures are implemented in their own organizations.
• The security of physical media containing personal data is ensured.
• Internal audit is carried out.

2. Technical Measures Taken to Ensure the Legal Processing and Transfer of Personal Data and to Prevent Unauthorized Access to Personal Data are as follows:

• Regarding the protection of personal data, technical measures are being taken as far as technology allows, and the measures taken are being updated and improved in parallel with the developments.
• Expert personnel are employed for technical matters.
• Access authorization to personal data being processed by the personnel is limited to the relevant company personnel in line with the specified processing purpose.
• To ensure that the technical management activities of the server computer and data storage systems are carried out, within this scope;
  1. Ensuring technical management and documentation functions such as identifying user needs, procurement, installation, configuration, patching, capacity planning, performance adjustments, operation, backup, recovery from backups, etc. of server systems hardware used within the technical substructure of İDEA MODA and MS Windows Operating system that serves over these.
  2. Performing server user activation / de-activation, configuration and authorization works,
  3. Performing virtualization and virtualization performance optimization works on servers,
  4. Performing daily monitoring of storage systems that are integrated with servers or in a SAN / NAS structure, making occupancy / capacity plans, performing backup / recovery from backup,
  5. Performing system integration of the software and hardware of the server and storage systems, testing, quality control works, continuous control of the healthy operation of the commissioned hardware, operating system, or application modules, performing maintenance and operating activities such as correction / development / improvement / productivity increase,
  6. Performing daily monitoring of server systems and all services running on these systems, checking that all server hardware and services are in working condition, taking preventive and corrective measures for abnormally shut down servers or services, performing system logs configuration and control work,
  7. Preparing and updating basic end-user manuals on server hardware, operating systems, storage systems and application software, providing end-user training,
  8. Managing the top authorized access passwords of the server systems and ensuring their security,
  1. The processes of following up new technologies in the field of server hardware and operating systems and adapting them to the infrastructure of the institution are carried out.

• To fulfill the technical management activities of basic applications and protocols such as e-mail systems, Web Servers, SMTP, POP, IMAP, LDAP, FTP, SNMP, DNS, within this scope;

1. Performing technical management, operation, and documentation functions such as, user activation / de-activation / routing, configuration, patching, capacity planning, performance adjustments, backup, recovery from backups, etc. of the e-mail server system used within the technical infrastructure of İDEA MODA,
2. Fulfilling management / configuration and documentation functions of SMTP, POP, IMAP protocols serving in the infrastructure of e-mail systems,
3. Management of system users and configuration / management / backup / authorization of the LDAP protocol,
4. Performing operational works such as, FTP domain opening, DNS domain / sub-domain definition, etc.
5. Ensuring that the end-user requests that require identification such as E-mail, LDAP, FTP, DNS, etc. are fulfilled in accordance with the relevant procedures / policies and standards of İDEA MODA; Taking and implementing necessary measures to prevent non-standard, LDAP, E-mail, sub-domain definitions and data pollution,
6. Managing the top authorized access passwords of the application systems and ensuring their security,
7. Following up of new technologies in the field of e-mail servers and applications and adapting them to the infrastructure of the institution are carried out.

• To fulfill the technical management activities of database management systems, within this scope;
  1. Performing technical management and documentation functions such as, determining user needs of all database management systems such as Oracle/MS-SQL/MYSQL etc., procurement, installation, configuration, patching, capacity planning, performance adjustments, operation, backup, recovery from backups, etc. used within the technical infrastructure of İDEA MODA.
  2. Performing database SQL scripting works,
  3. Performing database user activation / de-activation, configuration and authorization works,
  4. Integration of the data structures of all systems within İDEA MODA, carrying out testing and quality control studies, ensuring data integrity. Taking precautions to prevent data duplication, continuous control of the healthy service of the data infrastructure, performing maintenance and operating activities such as correction / development / improvement / productivity increase,
  5. The processes of managing the most authorized access passwords of database management systems and ensuring their security are carried out.

4. Retention Periods of Personal Data  

The retention periods of personal data based on processes are as follows.

6. DESTRUCTION OF PERSONAL DATA

1. Causes Requiring Destruction: Personal data are deleted, destroyed or ex officio deleted, destroyed or anonymized by IDEA MODA upon request of the person concerned in the following cases;

• The amendment or abolition of the relevant legislation provisions that form the basis of its processing,
• Disappearance of the purpose requiring the processing or retention of personal data,
• In cases where the processing of personal data takes place only on the basis of express consent, the person concerned withdraws his explicit consent,
• In accordance with Article 11 of the Law, the application made by the institution regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
• In cases where the institution rejects the application made by the person concerned with the request for deletion, destruction or anonymization of his/her personal data, or in case his/her response is found to be insufficient or does not respond within the period stipulated in the Law; Making a complaint to the Board and approval of this request by the Board,
• Maximum period for the retention of personal data has passed, there are no conditions that would justify the retention of personal data for a longer period.

2. Destruction Techniques: At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, the personal data is destroyed by İDEA MODA, either on its own initiative or upon the application of the relevant person, using the following techniques in accordance with the provisions of the relevant legislation.

b.a. Deletion of Personal Data

• Personal Data on Servers; For those who have expired from the personal data on the servers, the system administrator removes the access authorization of the relevant users and deletes them.

• Personal Data in Electronic Environment: Those who have expired from personal data in electronic environment are made inaccessible and unavailable in any way for other employees (relevant users), except for the database manager.

• Personal Data in Physical Environment: Personal Data It is made inaccessible and unavailable in any way for other employees, for those who require the retention of personal data kept in a physical environment. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way.

• Personal Data on Portable Media: Of the personal data kept in flash-based storage media, those that have expired are stored in secure environments with encryption keys, encrypted by the system administrator and the access authority is given only to the system administrator.

b.b. Destruction of Personal Data

• Personal Data in Physical Environment: Those who have expired from the personal data in the paper environment, are irreversibly destroyed in the paper shredding machines.

• Personal Data on Optical / Magnetic Media: Physical destruction, such as melting, burning, or pulverizing the personal data in optical media and magnetic media, is applied for those retained in optical and magnetic media and the term for retention is expired. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

b.c. Making Personal Data Anonymous

Personal data are rendered unrelated to a natural person whose identity is known or can be determined even by the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of the data by the data controller or third parties and / or matching the data with other data.

3. Destruction Process and Periods

c.a. The process of ex officio deletion, destruction, or anonymization for personal data whose retention periods have expired in IDEA MODA is carried out by IT Coordination dept.

c.b. Unless a contrary decision is taken by the Board, the appropriate method of ex officio deletion, destruction, or anonymization of personal data whose retention periods have expired in IDEA MODA are selected. In case of destruction of personal data at the request of the person concerned, the appropriate method is selected and applied by explaining the reason.

c.c. Periodic destruction period: In accordance with Article 11 of the Regulation concerned with the Deletion, Destruction or Anonymization of Personal Data, IDEA MODA performs periodic destruction in April and October every year.

In the first periodic destruction process following the date when the obligation to delete, destroy or anonymize personal data is emerged, personal data are deleted, destroyed, or anonymized.

c.d. All transactions regarding the deletion, destruction and anonymization of personal data are recorded, and the said records are kept for at least 3 years, excluding other legal obligations.

c.e. Periods for deletion and destruction of personal data, if requested by the data subject: In case the person concerned requests the deletion or destruction of his/her personal data by applying to IDEA MODA pursuant to Articles 11 and 13 of the Law;

• • • In case all the conditions for processing personal data have disappeared ; Within thirty days at the latest, the personal data subject to the request is deleted, destroyed or anonymized and the relevant person is informed.
    • In case all the conditions for processing personal data have disappeared and the personal data subject to the request is transferred to third parties , the request of the relevant person is notified to the third party; It is ensured that the necessary procedures are carried out within the scope of the Regulation on the Deletion, Destruction or Anonymization of Personal Data before the third party.
    • In case all the conditions for processing personal data are not eliminated; It is rejected within thirty days at the latest, with the explanation of the reason, and the response is notified to the relevant person in writing or electronically.

G- PUBLISHING AND STORING THE POLICY

The policy document is published in two different media as wet signed (hard copy) and electronically, and disclosed to the public on the website. The printed paper copy is also kept in the file BY THE DATA CONTROLLER.

H- UPDATING THE POLICY

The policy enters into force from the moment it is approved by the Company Director. This Policy is reviewed as needed and required sections are updated. This Policy may be amended and put into effect with the approval of the Company Director. Implementation rules that will be regulated in accordance with this Policy, indicating how the issues specified in this Policy will be executed for certain subjects will be arranged as being added to the relevant regulations. The İDEA MODA KVK policy has been made public by the Company on its website. In case of conflict with the legislation in force, especially the KVK Law, and the regulations included in this Policy, the provisions of the legislation shall be applicable.

Our application addresses

Please fill in the form and send it to [email protected].

İDEA MODA KONF. SAN VE TİC.LTD ŞTİ
DATA SUBJECT APPLICATION FORM IN ACCORDANCE WITH ART. 11 OF KVK

1. INFORMATION OF THE APPLICANT

• Name-Surname                    :……………………………………………………………………………..
• R.T. Identification Number   : ……………………………………………………………………………..
• Mailing Address ……………………………………………………………………………..
• E-mail address ……………………………………………………………………………..
• Telephone Number: ……………………………………………………………………………..
• In case the applicant is a "parent / guardian or other legal representative", the data subject's Name-Surname ……………………………………………………………………………..

2. YOUR RELATIONSHIP WITH IDEA

☐ Customer                                   

☐ Commercial Relationship (Please specify the nature of the commercial relationship)                                                 

☐Former Personnel (Please specify date of your employment)    

☐ Job Application / Resume sharing (specify date)

☐ Other (please specify) ……………………………………

3. YOUR REQUEST

In accordance with the law, you can make a request on the following issues. Mark your request with X. Requests on other matters are not covered by this Law, therefore, we request you to convey requests on other matters to the relevant units. 

☐ I want to know whether your company is processing personal data about me. Personal Data Protection Law Art. 11/1 (a)

☐ If your company has processed personal data about me, I request information on this issue.  Personal Data Protection Law Art. 11/1 (b)

☐ If your company is processing personal data about me, I request information about the purpose of processing and whether they are used for their intended purpose. Personal Data Protection Law Art. 11/1 (c)

☐ If my personal data is transferred to third parties in land or abroad, I want to know these third parties. Personal Data Protection Law Art. 11/1 (ç)

☐ I believe that my personal data was incomplete or incorrectly processed and i request this circumstance be corrected. (If you have selected this option, write your personal data that you want corrected in the field below and send the documents showing correct and supplementary information as attachment. (Photocopy of identity card etc.) Personal Data Protection Law Art. 11/1 (d)

☐ Although my personal data has been processed in accordance with the provisions of the law and other related laws, I think that the reasons for processing have disappeared and within this framework, so, I request my personal data; Personal Data Protection Law Art. 11/1 (e)

☐ I request my personal data that I believe processed incompletely or incorrectly be corrected before third parties to whom my personal data has been transferred. (If you have selected this option, write your personal data that you want to be corrected in the field below and send the documents showing correct and supplementary information as attachment. (Photocopy of identity card etc.) Personal Data Protection Law Art. 11/1 (f)

☐ Although my personal data has been processed in accordance with the provisions of the law and other related laws, I think that the reasons for processing have disappeared and within this framework, so, I request my personal data be deleted before the third party to whom my personal data we transferred; Personal Data Protection Law Art. 11/1 (f)

☐ I believe that my personal data processed by your company are analyzed exclusively through automated systems, and as a result of this analysis, I may encounter a unfavorable consequence. I object to this conclusion. (Write the analysis result that you think is unfavorable to you in the field below and send the documents supporting your objection as attachment.)  Personal Data Protection Law Art. 11/1 (g)

☐ I suffered damages due to the illegal processing of my personal data. I demand compensation for this damage. (Write the subject of the violation in the field below and send the supporting documents as an attachment. Court decision, Board decision, Documents showing the amount of material damage, etc. ) Personal Data Protection Law Art. 11/1 (h)

Please specify your request, which you have marked above within the scope of the KVK Law, in detail below:

Please indicate if you have additional documents that you want to base your application on and send them to us as an attachment to your petition.

5- TO WHICH ADDRESS YOU WANT THE ANSWER TO BE SENT

☐ I request it to be sent to my mailing address.

☐ I request it to be sent to my e-mail address.

☐ I request to receive it by hand. (In case of receipt by proxy, a notarized power of attorney is required.)

İDEA always reserves the right to request additional information and documents certifying your identity in order to prevent unlawful sharing of your personal data with third parties and to ensure the security of your personal data.

I acknowledge, declare and undertake that the personal data I have shared with the Company in this application form are accurate and up-to-date, that I have not made unauthorized applications, and that I know that any legal and / or criminal liability that may arise otherwise will belong to me.

Name, Surname and Signature of the Applicant