Discounts on Selected Global Brands
Complete Your Style with the Sun!
Discounts on Selected Global Brands
Complete Your Style with the Sun!
  • 0

BATI OPTİK ANONİM ŞİRKETİ


POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

1. INTRODUCTION

1.1 Introduction

1.2 Scope

1.3 Implementation of the Policy and the Personal Data Protection Law (KVKK)

1.4 Enforcement of the Policy

 

2. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

2.1 Ensuring the Security of Personal Data

2.2 Protection of Special Categories of Personal Data

2.3 Increasing Awareness of Business Units Regarding the Protection and Processing of Personal Data and Their Supervision

 

3. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

3.1 Processing of Personal Data in Accordance with the Principles Prescribed by Legislation

3.2 Conditions for Processing Personal Data

3.3 Processing of Special Categories of Personal Data

3.4 Informing the Personal Data Owner

3.5 Processing of Data Processed by XXX Companies by XXX

3.6 Transfer of Personal Data

 

4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING

 

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

 

6. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THESE RIGHTS

6.1 Rights of the Data Subject

 

7. SPECIAL CASES IN WHICH PERSONAL DATA ARE PROCESSED

7.1 Personal Data Processing Activities at Building and Facility Entrances, Within Company Premises, and Website Visitors

7.2 Camera Monitoring Activities Conducted at the Entrances and Within the Premises of “BATI OPTIK ANONİM ŞİRKETİ”

7.3 Monitoring of Guest Entries and Exits at the Entrances and Within the Premises of “BATI OPTİK ANONİM ŞİRKETİ”

 

8. MEASURES REGARDING THE SECURITY OF PERSONAL DATA

 

1. INTRODUCTION

Introduction

The protection of personal data is among the top priorities of “BATI OPTIK ANONİM ŞİRKETİ” (“Company”) as it is a fundamental human right. In order to safeguard the right to personal data protection, the Company makes every effort to comply with all legislation in force. Within the scope of this “BATI OPTIK ANONİM ŞİRKETİ Personal Data Protection and Processing Policy” (“Policy”), the principles adopted in the conduct of personal data processing activities by our Company and the fundamental principles adopted to ensure compliance of our data processing activities with the provisions of the Personal Data Protection Law No. 6698 (“Law”) are explained, thereby ensuring transparency by informing the data subjects. With full awareness of this responsibility, your personal data are processed and protected within the scope of this Policy.

Scope

The “BATI OPTIK ANONİM ŞİRKETİ” (“COMPANY”) Personal Data Processing and Protection Policy (“Policy”) has been prepared with the aim of regulating the processing of personal data within the framework of relevant legislation and protecting fundamental rights and freedoms, primarily the right to privacy guaranteed by the Constitution.

While preparing the “Policy”, the primary principle was to identify, within the COMPANY’s organizational chart, which units collect what data, why they collect such data, and why there is a need to transfer these data to third parties, in order to understand the COMPANY’s personal data processing procedures. When incorporating the requirements of the relevant legislation into the “Policy”, efforts were made to personalize the content and clearly explain in simple language which data the COMPANY collects, why it collects them, and why it processes them, in line with the sensitivity required in the protection of personal data. Additionally, it is aimed to take necessary administrative and technical measures to protect data privacy within and outside the COMPANY organization, and to inform and enlighten the individuals whose data are processed.

All real persons whose data are processed by the COMPANY fall within the scope of the “Policy”.

Within this “Policy”, efforts have been made to provide customized information regarding data processed within the COMPANY’s organizational operations, data categorization, data recipient groups, legal grounds and methods of data collection, third-party data transfer groups, data processing periods, and data deletion periods. However, in cases where the COMPANY carries out or will carry out data processing activities beyond the current activities, it is possible to carry out such processing and provide necessary disclosure through a separate disclosure text, provided that the fundamental principles set forth in this Policy are followed. In such cases, the disclosure provided shall constitute an integral part of this “Policy” and cannot be claimed to be excluded from it. As a matter of fact, under Article 5 of the Communiqué on Principles and Procedures for Fulfillment of the Disclosure Obligation, disclosure may be made verbally, in writing, through audio recording, call centers, or by using physical or electronic environments.

Implementation of the Policy and KVKK Legislation

Regarding the processing and protection of personal data, the relevant legal provisions in force shall primarily apply. In the event of a conflict between the applicable legislation and the Policy, the Company accepts that the provisions of the legislation in force shall prevail. The Policy concretizes within the Company’s practices the rules established by the relevant legislation.

Enforcement of the Policy

The effective date of this Policy is 01.01.2020. The version issued by “BATI OPTİK ANONİM ŞİRKETİ” on xxx and updated on yyy has been renewed as of the effective date of this Policy.

This Policy is published on the website of “BATI OPTİK ANONİM ŞİRKETİ” (______________________________).

 

2. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, our Company takes the necessary measures, depending on the nature of the data to be protected, to prevent unlawful disclosure, access, transfer, or any other security deficiencies in personal data. In this context, our Company takes the necessary administrative measures and conducts or has conducted audits to ensure an adequate level of security in compliance with the guidelines issued by the Personal Data Protection Authority (“Authority”).

Protection of Special Categories of Personal Data

Certain types of personal data are assigned particular importance under the Law due to the risk of causing victimization or discrimination if processed unlawfully. These include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association/foundation/trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

“BATI OPTİK ANONİM ŞİRKETİ” handles the protection of special categories of personal data determined as “sensitive” by the Law with utmost care. In this context, the technical and administrative measures taken to protect personal data are implemented diligently for special category personal data, and necessary audits are carried out within “BATI OPTİK ANONİM ŞİRKETİ”.

Note: Detailed information on the technical and administrative measures taken during the processing of personal data can be found in section “8” of this Policy.

Increasing Awareness of Business Units Regarding the Protection and Processing of Personal Data and Their Supervision

“BATI OPTİK ANONİM ŞİRKETİ” conducts regular training to raise awareness and prevent the unlawful processing of personal data, unlawful access to personal data, and to ensure their secure storage.

Systems are established to ensure that “BATI OPTİK ANONİM ŞİRKETİ” employees develop awareness regarding personal data protection, and consultants are engaged when needed. In this regard, our Company ensures participation of employees in relevant training, seminars, and information sessions, particularly those prepared by the Personal Data Protection Authority, and updates its trainings in line with legislative changes.

3. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

Processing of Personal Data in Accordance with the Principles Prescribed by Legislation

Processing in Compliance with the Law and the Principle of Good Faith

“BATI OPTIK ANONİM ŞİRKETİ” acts in accordance with the principles introduced by legal regulations and the general principle of good faith when processing personal data. In this context, personal data are processed to the extent required by the Company’s business activities and limited to those activities.

Ensuring that Personal Data Are Accurate and Up to Date When Necessary

“BATI OPTIK ANONİM ŞİRKETİ” takes necessary measures to ensure that personal data remain accurate and up to date during the period they are processed, and establishes necessary mechanisms to ensure accuracy and currency at regular intervals.

Processing for Specific, Explicit, and Legitimate Purposes

“BATI OPTIK ANONİM ŞİRKETİ” clearly defines the purposes for which personal data are processed and processes such data in line with its business activities and for purposes related to these activities.

Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed

“BATI OPTIK ANONİM ŞİRKETİ” collects personal data only to the extent required by its business activities and processes them in a manner limited to the specified purposes.

Retention for the Period Prescribed by Relevant Legislation or Necessary for the Purpose for Which They Are Processed

“BATI OPTIK ANONİM ŞİRKETİ” retains personal data for the duration required for the purpose of processing and for the minimum period prescribed by the applicable legislation. In this context, the Company first determines whether a retention period is stipulated in the relevant legislation and, if so, complies with this period. If no legal retention period exists, the data are retained for the duration required for the processing purpose. At the end of the determined retention periods, personal data are destroyed in accordance with periodic destruction periods or based on a data subject request, using the defined destruction methods (deletion, destruction, and/or anonymization).

 

Conditions for Processing Personal Data

Aside from obtaining explicit consent from the personal data subject, the legal basis for processing personal data may rely on one or more of the conditions listed below. If the processed data fall within the category of special categories of personal data, the conditions under Section 3.3 (“Processing of Special Categories of Personal Data”) of this Policy shall apply.

i. Explicit Consent of the Personal Data Subject

One of the legal bases for processing personal data is the explicit consent of the data subject. Such consent must relate to a specific subject, be based on informed decision-making, and be given freely.

If any of the conditions listed below apply, personal data may be processed without the explicit consent of the data subject.

ii. Explicitly Prescribed by Law

If the processing of personal data is explicitly stipulated in the relevant law—that is, if the law clearly contains a provision regarding the processing of such personal data—this condition shall apply.

iii. Impossibility of Obtaining Consent

If it is impossible to obtain the explicit consent of the data subject due to actual impossibility, or if the data subject’s consent would not be legally valid, the personal data of the individual may be processed if it is necessary to protect the life or physical integrity of that individual or another person.

iv. Direct Relevance to the Establishment or Performance of a Contract

If personal data processing is necessary for the establishment or performance of a contract to which the data subject is a party, this condition shall be deemed fulfilled.

v. Fulfillment of the Company’s Legal Obligations

If processing is necessary for our Company to fulfill its legal obligations, personal data may be processed.

vi. Personal Data Made Public by the Data Subject

If the data subject has made their personal data public, such data may be processed limited to the purpose of public disclosure.

vii. Necessity of Processing for the Establishment or Protection of a Right

If processing is necessary for the establishment, exercise, or protection of a right, personal data may be processed.

viii. Necessity of Processing for the Legitimate Interests of the Company

Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed if it is necessary for the legitimate interests of the Company.

 

Processing of Special Categories of Personal Data

Special categories of personal data are processed by our Company in accordance with the principles set forth in this Policy, with all necessary administrative and technical measures (including those determined by the Authority) taken, and only under the conditions listed below:

(i) Special categories of personal data other than those relating to health and sexual life may be processed without explicit consent if their processing is explicitly prescribed by law. Otherwise, explicit consent must be obtained.

(ii) Special categories of personal data relating to health and sexual life may be processed without explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and financing, by persons under confidentiality obligations or by authorized institutions and organizations. Otherwise, explicit consent must be obtained.

 

Informing the Data Subjects

“BATI OPTİK ANONİM ŞİRKETİ” informs personal data subjects in accordance with Article 10 of the Law and secondary legislation. In this context, the Company informs data subjects about:

  • the identity of the data controller,
  • the purposes of processing personal data,
  • the parties to whom personal data are transferred and purposes of such transfers,
  • the methods and legal grounds for collecting personal data,
  • and the rights of data subjects regarding the processing of their personal data.

 

Transfer of Personal Data

Our Company may transfer personal data and special categories of personal data to third parties (third-party companies, public and private authorities, third real persons) for lawful data processing purposes, while taking necessary security measures. In this regard, our Company acts in compliance with the provisions of Article 8 of the Law.

 

Transfer of Personal Data

Even without the explicit consent of the data subject, personal data may be transferred to third parties if one or more of the conditions below are present, provided that necessary care is taken and all required security measures—including those set forth by the Authority—are implemented:

  • The transfer activity is explicitly prescribed by law,
  • The transfer is directly related and necessary for the establishment or performance of a contract,
  • The transfer is necessary for our Company to fulfill its legal obligations,
  • The data have been made public by the data subject, limited to the purpose of public disclosure,
  • The transfer is necessary for the establishment, exercise, or protection of the rights of the Company or the data subject or third parties,
  • The transfer is necessary for the legitimate interests of the Company, provided it does not harm the fundamental rights and freedoms of the data subject,
  • The transfer is necessary to protect the life or physical integrity of a person who is unable to give consent due to actual impossibility or whose consent would not be legally valid.

 

Transfer of Special Categories of Personal Data

Special categories of personal data may be transferred by our Company in accordance with the principles set forth in this Policy, with all necessary administrative and technical measures taken (including those determined by the Authority), and only under the following conditions:

(i) Special categories of personal data other than those relating to health and sexual life may be processed without explicit consent if explicitly prescribed by law. Otherwise, explicit consent must be obtained.

(ii) Special categories of personal data relating to health and sexual life may be processed without explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and financing, by persons under confidentiality obligations or authorized institutions and organizations. Otherwise, explicit consent must be obtained.

4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING

Within our Company, personal data are processed based on at least one of the personal data processing conditions set forth in Articles 5 and 6 of the Law, limited to the purposes of personal data processing of our Company, by informing the data subjects in accordance with Article 10 of the Law and secondary legislation, and in compliance with the general principles specified in the Law—primarily the principles listed in Article 4 regarding personal data processing. Detailed information on the categories of personal data processed and their descriptions can be found in Annex 3 of the Policy (“Annex 3 – Personal Data Categories”).

Detailed information regarding the purposes of processing the aforementioned personal data can be found in Annex 1 of the Policy (“Annex 1 – Purposes of Personal Data Processing”).

 

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

Our Company retains personal data for the duration necessary to fulfill the purpose for which they are processed and in accordance with the minimum periods stipulated by the relevant legal regulations governing the activity concerned. In this context, our Company first determines whether a retention period is stipulated in the relevant legislation and, if such a period exists, complies with it. If no legal retention period is established, personal data are retained only for the period necessary for the purpose of processing. At the end of the determined retention periods, personal data are destroyed in accordance with periodic destruction timelines or upon request of the data subject, using the destruction methods defined (deletion and/or destruction and/or anonymization).

 

6. RIGHTS OF THE DATA SUBJECT

Rights of the Data Subject

Under the KVKK, you have the right to:

i. Learn whether your personal data are being processed,
ii. Request information if your personal data have been processed,
iii. Learn the purpose of processing your personal data and whether they are used in accordance with this purpose,
iv. Know the third parties to whom your personal data are transferred, domestically or abroad,
v. Request the correction of your personal data if they are incomplete or incorrectly processed,
vi. Request the deletion or destruction of your personal data within the framework of the conditions set forth in the KVKK,
vii. Request that the transactions carried out pursuant to subparagraphs (v) and (vi) be notified to third parties to whom your personal data have been transferred,
viii. Object to the emergence of a result against you arising from the analysis of your processed data exclusively through automated systems,
ix. Request compensation for damages if you suffer harm due to the unlawful processing of your personal data.

How Can You Exercise Your Rights?

By downloading the “application form” via the link (), you may complete it according to your request/complaint and send it to us via () or physically send the completed form by cargo/post to the address below:

MUAMMER AKAR MAH. İNÖNÜ CAD. HASAN BEY NO: 773
KARABAĞLAR / İZMİR

If you submit your request using one of the methods stated above, your request will be evaluated within 30 days at the latest in accordance with Article 13/2 of the KVKK, and you will be informed of the outcome. If your request is accepted, the necessary actions will be carried out immediately by the data controller, the COMPANY.

Requests are processed free of charge as a rule; however, if fulfilling your request incurs a cost, the COMPANY may request a fee in accordance with Article 7 of the “Communiqué on the Principles and Procedures for Application to the Data Controller,” which states:
“If a written response is provided to the data subject’s application, no fee shall be charged for up to 10 pages. For each page exceeding 10 pages, a processing fee of 1 TL may be charged. If the response is provided in a recording medium such as CD or flash drive, the fee requested by the data controller shall not exceed the cost of the recording medium.”

 

7. SPECIAL CIRCUMSTANCES WHERE PERSONAL DATA ARE PROCESSED

Personal Data Processing Activities at Building and Facility Entrances and Within Company Premises, and Website Visitors

For the purpose of ensuring security, “BATI OPTİK ANONİM ŞİRKETİ” processes personal data within its buildings and facilities through security camera monitoring and the tracking of visitor entries and exits.

 

Camera Monitoring Activities Conducted at the Entrances and Within the Premises of “BATI OPTİK ANONİM ŞİRKETİ”

“BATI OPTİK ANONİM ŞİRKETİ” carries out camera monitoring activities in its buildings and facilities in accordance with the Law on Private Security Services and related legislation for the purpose of ensuring security. “BATI OPTİK ANONİM ŞİRKETİ” performs security camera monitoring activities in line with the purposes stipulated by applicable legislation and in compliance with the personal data processing conditions defined in the Law.

In accordance with Article 10 of the Law, “BATI OPTİK ANONİM ŞİRKETİ” informs data subjects regarding camera monitoring activities through multiple methods. In addition, in accordance with Article 4 of the Law, the Company processes personal data in a manner that is connected, limited, and proportionate to the purpose for which they are processed.

The purpose of the video surveillance activity conducted by “BATI OPTİK ANONİM ŞİRKETİ” is limited to the objectives listed in this Policy. Accordingly, the surveillance areas, number of security cameras, and timing of monitoring activities are implemented to the extent necessary to achieve security purposes, and limited to that purpose. Areas likely to cause interference with an individual’s privacy beyond security needs (e.g., restrooms) are not monitored.

Only a limited number of “BATI OPTİK ANONİM ŞİRKETİ” employees have access to live camera footage and digitally recorded video stored in electronic systems. Individuals with access to such footage are bound by confidentiality undertakings stating that they will keep the accessed data confidential.

 

Tracking of Visitor Entries and Exits Conducted at the Entrances and Within the Premises of “BATI OPTİK ANONİM ŞİRKETİ”

“BATI OPTİK ANONİM ŞİRKETİ” carries out personal data processing activities for the purpose of ensuring security and for the purposes stated in this Policy by tracking the entry and exit of visitors within its buildings and facilities.

Visitors entering “BATI OPTİK ANONİM ŞİRKETİ” premises are informed through texts displayed or otherwise made available at the Company premises when their name and surname are obtained. The data collected for the purpose of tracking visitor entries and exits are processed solely for this purpose, and such personal data are recorded in a data recording system in physical format.

8. MEASURES REGARDING THE SECURITY OF PERSONAL DATA

The “COMPANY,” with the awareness of responsibility that comes from being a well-established organization, exercises all reasonable care and diligence to ensure the confidentiality and security of the personal data it processes. In addition to complying with the requirements of the relevant legislation, the COMPANY also takes necessary technical and administrative measures at a reasonable level to ensure data privacy and security within the scope of Article 12 of the KVKK. These administrative and technical security measures aim to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure that personal data are stored at an appropriate level of security.

If personal data are processed by another natural or legal person (data processor) on behalf of the COMPANY, the COMPANY shall take necessary steps to ensure that the above-mentioned measures are also adopted by such data processors.

In the event that personal data are unlawfully obtained by third parties, the COMPANY shall notify the data subjects, the Board, and other relevant public institutions and organizations in accordance with the provisions of the applicable legislation.

While taking measures for the security of personal data, the “Personal Data Security Guide (Technical and Administrative Measures)” published by the Board is taken into consideration.

 

Administrative Measures

• Establishment and operation of an information security management system within the Company,
• Signing of undertakings and confidentiality agreements with Company personnel and related parties,
• Conducting risk analyses on business processes,
• Creation of personal data inventories,
• Operation of information security policies and procedures,
• Organizing and evaluating training programs on information security and personal data processing activities,
• Ensuring that only authorized persons use Company computers and related devices to prevent unauthorized access,
• Reviewing activities through internal or independent audits,
• Creating records that provide objective evidence for actions carried out.

 

Technical Measures

• Identifying risks, threats, vulnerabilities, and any potential weaknesses in the Company’s information systems through penetration tests, and taking necessary precautions,
• Monitoring risks and threats that may affect the continuity of information systems through real-time analyses within the framework of information security incident management,
• Conducting access and user authorization of information systems via access and authorization matrices and corporate directory-based security policies,
• Testing any software change and/or update on test environments before implementation, identifying any security vulnerabilities, taking necessary precautions, and finalizing changes thereafter,
• Taking necessary measures to ensure the physical security of information systems hardware, software, and data belonging to “BATI OPTİK ANONİM ŞİRKETİ,”
• Establishing both hardware-based (e.g., access control systems allowing only authorized personnel into system rooms, physical protection of network switches, fire suppression systems, climate control systems, etc.) and software-based (e.g., firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) protections against environmental threats,
• Identifying risks that may lead to unlawful processing of personal data, taking appropriate technical precautions for such risks, and performing technical checks on the measures implemented,
• Creating access procedures within the Company and conducting reporting and analysis studies related to access to personal data,
• Taking measures to ensure that deleted personal data are inaccessible and cannot be reused by relevant users,
• Preparing necessary procedures for notifying the relevant person and the Board in the event that personal data are unlawfully obtained by others,
• Monitoring security vulnerabilities, installing appropriate security patches, and keeping information systems up to date,
• Using strong passwords in electronic environments where personal data are processed,
• Using secure logging systems in electronic environments where personal data are processed,
• Using data backup programs that ensure the secure storage of personal data,
• Restricting access to personal data stored in electronic or non-electronic media according to access principles,
• Encrypting access to the Company’s website using a secure protocol (HTTPS) with SHA 256 Bit RSA algorithm,
• Providing training to employees involved in processing special categories of personal data, signing confidentiality agreements, and defining the access authorities of users authorized to access such data,
• Implementing adequate security measures in the physical environments where special categories of personal data are processed, stored, and/or accessed, ensuring physical security and preventing unauthorized entry and exit,
• Taking necessary precautions against risks such as theft, loss, or unauthorized access when documents must be transferred via physical (paper-based) means, and sending such documents in “confidential” format.

 

ANNEX 1 – Definitions

Explicit Consent
Consent that relates to a specific issue, is based on informed decision-making, and is given with free will.

Company
“BATI OPTİK ANONİM ŞİRKETİ,” located at MUAMMER AKAR MAH. İNÖNÜ CAD. HASAN BEY NO: 773, KARABAĞLAR/İZMİR.

Cookie
Small files stored on users' computers or mobile devices that help store preferences and other information about the web pages they visit.

Authorized User
Persons who process personal data within the data controller’s organization or based on the authority and instructions received from the data controller, excluding those responsible solely for the technical storage, protection, and backup of data.

Destruction
Deletion, destruction, or anonymization of personal data.

Contact Person
A natural person residing in Türkiye who is notified to the Authority during registration to the Registry for communication with the Institution regarding the obligations of legal entities located in Türkiye and data controller representatives of foreign legal entities under the Law and the related secondary legislation.
(The Contact Person is not authorized to represent the Data Controller. As the name suggests, they are solely responsible for facilitating communication between the data controller, data subjects, and the Authority.)

Law / KVKK
The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.

Recording Medium
Any environment in which personal data processed fully or partially through automated means, or through non-automated means that form part of a data recording system, are located.

Personal Data
Any information relating to an identified or identifiable natural person.

Processing of Personal Data
Any operation performed on personal data, fully or partially through automated means, or through non-automated means that form part of a data recording system, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing their use.

Anonymization of Personal Data
Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.

Deletion of Personal Data
Making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data
Rendering personal data inaccessible, unrecoverable, and unusable by anyone in any way.

Board
The Personal Data Protection Board.

Special Categories of Personal Data
Data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction
The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy, when conditions for processing personal data no longer exist.

Policy
The personal data protection policy created by the Company.

Data Processor
A natural or legal person who processes personal data on behalf of the data controller based on the authority granted.

Data Recording System
A system in which personal data are processed by being structured according to specific criteria.

Data Subject / Relevant Person
The natural person whose personal data are processed.

Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Regulation
Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

Sources:
– Law on the Protection of Personal Data No. 6698
– Regulation on the Deletion, Destruction, or Anonymization of Personal Data
– Regulation on Data Controllers Registry
– Communiqué on the Principles and Procedures to Be Followed in Fulfilling the Obligation to Inform
– Communiqué on the Application Procedures and Principles to the Data Controller

EK 2 – Kişisel Veri İşleme Amaçları

PERSONAL DATA CATEGORY

CATEGORY DESCRIPTION

Identity Data
Personal data relating to the identity information of real persons shall be evaluated under this category. (name–surname, mother’s and father’s name, mother’s maiden name, date of birth, place of birth, marital status, Turkish ID number)

Contact Data
All types of personal data that may be used for communicating with individuals shall be evaluated under this category. (address number, e-mail address, contact address, registered electronic mail address (KEP), telephone number)

Location Data
Location information of individuals, etc.

Personnel File Data
Data included in the personnel files of Company employees within the scope of the relevant legislation (payroll information, disciplinary investigation, employment entry–exit document records, asset declaration information, leave information, CV information, diploma, maternity leave, incapacity report, military service, performance evaluation reports, and in applications of convicted individuals, criminal convictions and security measures records (criminal record), health information).

“Generally, the following documents are encountered in personnel files.

  1. Criminal record
  2. Family status declaration form
  3. Employment Certificate/Service Certificate
  4. “Fit to work” report for heavy and dangerous jobs
  5. Copy of diploma
  6. Maternity leave, fitness/unfitness reports, breastfeeding leave petitions
  7. Disability report for disabled employees, İŞKUR application registration document
  8. Documents showing military status for male employees
  9. İŞKUR application registration documents of former convicts or terror victims
  10. Copy of marriage certificate
  11. Employee consent letter for overtime work
  12. Document showing the employee’s consent to be temporarily transferred to another workplace
  13. If there is a justified termination, documents proving this situation, resignation petition or termination notice
  14. Release form
  15. Certificate of residence
  16. Employment contract
  17. All correspondence and records kept regarding the employee
  18. Document stating that the employee has been informed about occupational health and safety, professional risks, necessary measures, and legal rights and responsibilities
  19. Payrolls and payment-related documents belonging to the employee
  20. Employment entry and exit notifications
  21. Record and notice for unauthorized absence / late arrival
  22. Blood type card
  23. Severance and notice pay payrolls
  24. Copy of identity card
  25. Population registration sample
  26. Curriculum vitae
  27. Health report and periodic medical examination reports
  28. Photograph
  29. Health Report
  30. Letter from the Revenue Administration stating that tax reduction shall be applied for those benefiting from disability tax reduction
  31. Documents related to administrative procedures required in insurance incidents (work accident report, work accident notification, etc.)
  32. Inventory form for tools and equipment delivered, if any
  33. Petitions, forms, and schedules related to unpaid leaves and annual paid leave
  34. Training certificates received, if any
  35. Work permit for foreign employees

Education, Work, and Professional Life Data
All types of data relating to individuals’ education and working life shall be included under this category. (Education–Diploma–Certificate, Transcript, In-service Training Information)

Legal Transaction Data
Information in correspondence with judicial authorities, information in case files, etc.

Financial Data
Account, bank, and invoice information of individuals.

Audio-Visual Records
Audio/visual recordings kept for customer satisfaction purposes.

Digital Platform Usage Data
All types of personal data obtained as a result of tracking the activities of users in digital environments shall be classified under this category.

Special Categories of Personal Data
Health, Criminal Conviction–Security Measures.

 

ANNEX 4 – Personal Data Categories

 

PERSONAL DATA SUBJECT CATEGORY

CATEGORY DESCRIPTION

Company Personnel
Administrative personnel.

Board of Directors, Senate Members
Data of members taking part in the Company’s bodies and activities.

Third Parties Participating in Company Activities
Third persons included in company commissions, working groups, and organizations.

Guests of Company Activities
Real persons invited to Company organizations.

Participants of Company Activities
Persons participating in Company organizations.

Payment Addressee / Service Recipient
Third persons to whom payment must be made in Company activities.

Relatives of Company Employees
Company Employee’s Relative, persons residing in the same household, and dependents.

Potential Employees
Potential employees applying to work for the Company.

Supplier
Persons, institutions, or individuals associated with them who supply goods or services to the “COMPANY”.

Project Partner
Persons included in the projects carried out by the “COMPANY”.

Consultant
Persons, institutions, or individuals associated with them who provide external consultancy services to the “COMPANY”.

Potential Product and Service Purchaser, Product or Service Recipient
Persons who receive or may potentially receive the “COMPANY’s” products and services.

Other
Persons, institutions, or individuals associated with them who have established continuous or occasional, direct or indirect relations with the “COMPANY” outside the categories above.

 

ANNEX 5 – Third Parties to Whom Personal Data Are Transferred and Purposes of Transfer

“BATI OPTİK ANONİM ŞİRKETİ” may transfer the personal data of data subjects governed by this Policy to the following categories of persons in accordance with Articles 8 and 9 of the PDP Law:

(i) Business partners of “BATI OPTİK ANONİM ŞİRKETİ”,
(ii) Suppliers of “BATI OPTİK ANONİM ŞİRKETİ”,
(iii) Companies with whom data sharing is conducted
(iv) Legally authorized public institutions and organizations
(v) Legally authorized private legal persons

The scope of the persons mentioned above and the purposes of data transfer are stated below.

 

Persons to Whom Data May Be Transferred

Definition
Purpose of Data Transfer

Business Partner
Those parties with whom “BATI OPTİK ANONİM ŞİRKETİ” establishes a business partnership for the purpose of conducting commercial activities, carrying out various projects with XXX Companies, or receiving services. Banks, Pension and Aid Fund Foundation.

Limited to ensuring the fulfillment of the purposes for which the business partnership is established.

Supplier
Parties that provide services to “BATI OPTİK ANONİM ŞİRKETİ” on a contractual basis, in line with the instructions and orders of “BATI OPTİK ANONİM ŞİRKETİ” while conducting its commercial activities.
Limited to ensuring the provision of services to “BATI OPTİK ANONİM ŞİRKETİ” that are outsourced and necessary for the Company’s commercial activities.

Legally Authorized Public Institutions and Organizations
Public institutions and organizations legally authorized to obtain information and documents from “BATI OPTİK ANONİM ŞİRKETİ” in accordance with relevant legislation.
Limited to the purpose requested within the legal authority of the relevant public institution or organization.

Legally Authorized Private Legal Persons
Private legal entities legally authorized to obtain information and documents from “BATI OPTİK ANONİM ŞİRKETİ” in accordance with relevant legislation.
Limited to the purpose requested within the legal authority of the relevant private legal person.

 

ANNEX 6 – Identity of Data Controller

Data Controller: BATI OPTİK ANONİM ŞİRKETİ
Address: MUAMMER AKAR MAH. İNÖNÜ CAD. HASAN BEY NO: 773
KARABAĞLAR / İZMİR