Legal notice

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1. PURPOSE

As Erten Tekstil Ve Örme SAN. TİC. LTD. ŞTİ., our priority is to ensure that the personal data of natural persons—including our customers, consumers, suppliers, and employees—are processed in compliance with the Constitution of the Republic of Türkiye, the international conventions on human rights to which our country is a party, and especially Law No. 6698 on the Protection of Personal Data (“KVKK”), as well as other relevant legislation, and to enable data subjects to exercise their rights effectively.

Therefore, without limitation, we carry out all activities relating to the processing, storage, and transfer of personal data that we obtain during our operations—such as those of our employees, visitors, business contacts, business partners, customers, suppliers, consumers, and users visiting our website—in accordance with the Erten Shirt Policy on the Protection and Processing of Personal Data (“Policy”).

The protection of personal data and safeguarding the fundamental rights and freedoms of natural persons whose personal data are collected is a core principle of our policy on personal data processing. Accordingly, we conduct all our activities involving the processing of personal data with due regard to the right to privacy, confidentiality of communications, freedom of thought and belief, and the right to effective legal remedies.

To protect personal data, we implement all administrative and technical safeguards required by the nature of the relevant data, in line with legislation and current technology.

This Policy explains the methods we follow for the processing, storage, transfer, deletion, or anonymization of personal data shared during our commercial, social responsibility, and similar activities, within the framework of the principles set out in KVKK.

2. SCOPE

All personal data processed by the Company, including those of our customers, consumers, business contacts, business partners, employees, suppliers, potential customers, and third parties, fall within the scope of this Policy.

Our Policy applies to all activities related to the processing of personal data in systems owned or managed by the Company, and it has been prepared taking into account KVKK, other relevant legislation on personal data, and international standards in this field.

3. DEFINITIONS AND ABBREVIATIONS

This section briefly explains the special terms and expressions, concepts, abbreviations, etc. used in the Policy.

3.1. Company: (Erten Shirt)

3.2. Explicit Consent: Consent given for a specific matter, based on being informed and free will, in a clear manner leaving no room for doubt, and limited solely to that processing activity.

3.3. Anonymization: Rendering personal data such that it cannot, in any manner, be associated with an identified or identifiable natural person, even by matching it with other data.

3.4. Employee: Company personnel.

3.5. Data Subject (Relevant Person): The natural person whose personal data are processed.

3.6. Personal Data: Any information relating to an identified or identifiable natural person.

3.7. Special Categories of Personal Data: Data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

3.8. Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing its use, by fully or partially automated means or by non-automated means provided that it forms part of any data recording system.

3.9. Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

3.10. Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3.11. PDP Board (KVK Board): Personal Data Protection Board.

3.12. PDP Authority (KVK Authority): Personal Data Protection Authority.

3.13. KVKK: Law on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.

3.14. Policy: Erten Shirt Policy on the Protection and Processing of Personal Data.

4. ROLES AND RESPONSIBILITIES

E-Commerce Manager: The natural or legal person responsible for establishing and managing the data recording system and determining the purposes and means of processing personal data; the natural or legal person who processes personal data.

E-Commerce Specialist: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

5. LEGAL OBLIGATIONS

Pursuant to KVKK, our legal obligations as the data controller within the scope of protection and processing of personal data are listed below:

5.1. Our obligation to inform

When collecting personal data as the Data Controller, we are obliged to inform the Data Subject regarding:

  • For what purpose personal data will be processed,

  • Our identity and, if any, the identity of our representative,

  • To whom and for what purpose the processed personal data may be transferred,

  • The method and legal basis of data collection,

  • The rights arising from the law.

As a Company, we take care to ensure that this Policy, which is public, is clear, understandable, and easily accessible.

5.2. Our obligation to ensure data security

As the Data Controller, we take the administrative and technical measures prescribed in legislation to ensure the security of personal data under our control. Our obligations and measures regarding data security are detailed in Sections 9 and 10 of this Policy.

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal data

Personal data are any information relating to an identified or identifiable natural person.

The protection of personal data applies only to natural persons; information belonging to legal entities that does not contain information relating to a natural person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2. Special categories of personal data

Special categories of personal data include data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

7. PROCESSING OF PERSONAL DATA

7.1. Our principles for processing personal data

We process personal data in accordance with the principles set out below.

7.1.1. Processing in compliance with the law and good faith

We process personal data in a transparent manner, in compliance with the rules of good faith, and within the scope of our obligation to inform.

7.1.2. Ensuring personal data are accurate and, where necessary, up to date

We take necessary measures in our data processing procedures to ensure that processed data are accurate and up to date. We also enable the Data Subject to apply to us to update their data and correct any errors in processed data.

7.1.3. Processing for specific, explicit, and legitimate purposes

As a Company, we process personal data within our legitimate purposes that are clearly determined in scope and content, to continue our operations within the framework of legislation and the ordinary course of commercial life.

7.1.4. Being relevant, limited, and proportionate to the purpose of processing

We process personal data in a manner relevant, limited, and proportionate to the clearly and precisely determined purpose.

We avoid processing personal data that are irrelevant or not necessary to process. Therefore, unless required by law, we do not process special categories of personal data, or where processing is required, we obtain explicit consent for the matter.

7.1.5. Retention of personal data for the period prescribed by law and for the duration of our legitimate commercial interests

Many legal regulations require personal data to be retained for a certain period. Accordingly, we retain the personal data we process for the period prescribed in the relevant legislation or for as long as necessary for the purposes of processing.

When the retention period prescribed by legislation expires or the purpose of processing ceases to exist, we delete, destroy, or anonymize personal data. Our principles and procedures regarding retention periods are detailed in Article 9.1 of this Policy.

7.2. Our purposes for processing personal data

As a Company, we process personal data, without limitation, for purposes similar to those listed below:

  • Conducting our activities,

  • Providing customer support within the scope of contracts and service standards,

  • Identifying our customers’ preferences and needs and shaping/personalizing/updating the services to be provided accordingly,

  • Ensuring fulfillment of our legal obligations as required or mandated by legal regulations,

  • Conducting market research and statistical studies,

  • Surveys, contests, promotions, and sponsorships,

  • Organizing events,

  • Evaluating job applications,

  • Contacting persons who have a business relationship with the Company,

  • Marketing,

  • Compliance management,

  • Vendor/supplier management,

  • Advertising,

  • Legal reporting,

  • Invoicing.

7.3. Processing of special categories of personal data

Special categories of personal data are processed by us where explicitly prescribed by law and where the administrative and technical measures required by the PDP Board are taken, and where explicit consent exists, or where processing is mandated by legislation.

Since special categories of personal data related to health and sexual life may be processed by persons or authorized institutions and organizations under confidentiality obligations for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, we do not process such data except for our employees’ data. Such data belonging to our employees may be processed by persons prescribed by law.

7.4. Processing of personal data within the scope of other memberships

If you become a member of our website or one of our programs for purposes such as joining our programs, benefiting from our campaigns, being informed of the advantages we offer, etc., we collect your personal data through membership forms, process the personal data you share, and transfer them.

7.5. Processing of personal data collected through cookies on our website

We use cookies to improve the functioning and use of our website and to make the time you spend on our website more efficient and enjoyable. In addition, we use certain cookies to remember the preferences you make on our website, thereby providing you with an enhanced and personalized experience.

We may collect your personal data via cookies on our website and may process, transfer, and store the data we collect.

If you do not want your personal data to be collected and processed through cookies, you may reject the cookies on our website. We would like to remind you that if you reject cookies, our website may not function properly and disruptions may occur in the display or provision of goods and services.

For detailed information about the cookies we use on our website, you may review our “Cookie Policy”.

7.6. Exceptional cases where explicit consent is not required in processing personal data

We may process personal data without obtaining explicit consent in the exceptional cases arising from the law listed below:

  • Explicitly stipulated in the laws;

  • Necessary for processing the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract;

  • Necessary for the establishment, exercise, or protection of a right;

  • Necessary for our legitimate interests as the data controller, provided that it does not harm fundamental rights and freedoms.

The exceptional cases where special categories of personal data may be processed without the Data Subject’s explicit consent are stated in Article 7.3 of this Policy.

8. TRANSFER OF PERSONAL DATA

8.1. Domestic transfer of personal data

As a Company, we act in accordance with KVKK and the decisions and regulations issued by the PDP Board regarding the transfer of personal data.

Without prejudice to exceptional cases in legislation, personal data and special categories of personal data are not transferred by us to other natural persons or legal entities without the Data Subject’s explicit consent.

In the exceptional cases stipulated in KVKK and other legislation, data may be transferred to authorized administrative or judicial authorities or institutions/organizations within the limits set out in legislation even without the Data Subject’s explicit consent.

In addition, in the exceptional cases stipulated by legislation, personal data may be transferred without seeking explicit consent:

  • In the cases explained in Article 7.6 of the Policy,

  • In the cases listed in Article 7.3 of the Policy regarding special categories of personal data,

  • Provided that the measures prescribed by the PDP Board and relevant legislation are taken, special categories of personal data relating to the Data Subject’s health and sexual life may be transferred only to persons or authorized institutions and organizations under confidentiality obligations, for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.

8.2. Transfer of personal data abroad

As a rule, personal data are not transferred abroad without the Data Subject’s explicit consent. However, where one of the exceptional cases set out in Articles 7.3 and 7.6 of this Policy exists, personal data may be transferred abroad without explicit consent only if the third parties located abroad:

  • Are located in countries declared by the PDP Board to have adequate protection; or

  • In case they are located in countries without adequate protection, the data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection and the PDP Board’s permission is obtained.

Your personal data may be transferred to our business partners abroad and processed by our business partners and third parties for purposes such as providing you with better service, personalizing our website according to the needs and preferences of our customers, members and consumers, promoting our products and services, and enabling our search engines to remember your preferences, etc.

8.3. Institutions and organizations to whom personal data are transferred

Personal data, without limitation, may be transferred in accordance with the principles and rules explained above to:

  • Our suppliers,

  • Our business partners and business contacts,

  • Legally authorized public institutions and organizations,

  • Legally authorized private law persons,

  • Our shareholders.

8.4. Measures we take for lawful transfer of personal data

8.4.1. Technical measures

To protect personal data, without limitation, we:

  • Establish internal technical organization to ensure processing and storage of personal data in compliance with legislation,

  • Ensure that the security of databases where your personal data are stored is provided by our business partners,

  • Monitor and audit the processes of the established technical infrastructure,

  • Determine procedures for reporting the technical measures taken and audit processes,

  • Periodically update and renew technical measures,

  • Reassess risky situations and develop necessary technological solutions,

  • Use antivirus systems, firewalls, and similar software/hardware security products and establish security systems in line with technological developments,

  • Employ expert staff in technical matters or work with business partners that employ technical experts.

8.4.2. Administrative measures

To protect your personal data, without limitation, we:

  • Establish access policies and procedures for personal data within our Company, including company and affiliate employees,

  • Inform and train our employees on lawful protection and processing of personal data,

  • Record in the contracts we enter into with our employees and/or in the policies we create, the measures to be taken in cases where personal data are unlawfully processed by our employees,

  • Audit the personal data processing activities of the data processors we work with or the partners of such data processors.

9. RETENTION OF PERSONAL DATA

9.1. Retention of personal data for the period prescribed by the relevant legislation or necessary for the purpose of processing

We retain personal data for the period required by the purpose of processing, without prejudice to the retention periods prescribed in legislation.

Where we process personal data for more than one purpose, in the event that the purposes of processing cease to exist or there is no legal obstacle to deleting the data upon the Data Subject’s request, the data are deleted, destroyed, or retained by anonymization. Legislation provisions and PDP Board decisions are complied with in deletion, destruction, or anonymization.

9.2. Measures we take regarding retention of personal data

9.2.1. Technical measures

  • Establish technical infrastructure and audit mechanisms for deletion, destruction, and anonymization of personal data,

  • Take necessary measures to securely store personal data,

  • Employ staff with technical expertise,

  • Develop and implement business continuity and emergency plans against potential risks,

  • Establish security systems in line with technological developments for personal data storage areas.

9.2.2. Administrative measures

  • Create awareness by informing our employees about technical and administrative risks related to retention of personal data,

  • In cases where cooperation with third parties is required for storing personal data, include provisions in contracts with the companies to whom personal data are transferred regarding taking necessary security measures for protection and secure storage of transferred personal data.

10. SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data

To:

  • Prevent unlawful processing of personal data,

  • Prevent unlawful access to personal data,

  • Ensure lawful retention of personal data,

we take administrative and technical measures considering technological possibilities and implementation costs.

10.2. Measures we take to prevent unlawful processing of personal data

  • Conduct and commission necessary audits within our Company,

  • Train and inform our employees on lawful processing of personal data,

  • Evaluate our Company’s activities in detail for each business unit and process personal data based on the commercial activities of the relevant units as a result of this evaluation,

  • Include provisions in contracts with companies processing personal data where cooperation with third parties is involved, requiring such persons to take necessary security measures,

  • In case of unlawful disclosure of personal data or data leakage, notify the PDP Board and carry out the examinations and measures prescribed by legislation.

10.2.1. Technical and administrative measures to prevent unlawful access to personal data

To prevent unlawful access to personal data, we:

  • Employ staff with technical expertise or work with business partners employing technically expert staff,

  • Periodically update and renew technical measures,

  • Establish access authorization procedures within our Company,

  • Determine procedures for reporting technical measures taken and audit processes,

  • Establish and periodically audit data recording systems used within our Company in compliance with legislation,

  • Develop emergency response plans and systems for potential risks,

  • Train and inform our employees on access and authorization regarding personal data,

  • Include provisions in contracts with companies providing access to personal data (where cooperation with third parties is involved for processing and storage activities) requiring such persons to take necessary security measures,

  • Establish security systems in line with technological developments to prevent unlawful access to personal data,

  • Where these activities are carried out through our business partners or where we work with business partners employing technically expert staff, ensure due diligence in such cooperation.

10.2.2. Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent unlawful disclosure of personal data and update them in accordance with our procedures. If we detect that personal data have been unlawfully disclosed without authorization, we establish systems and infrastructure in compliance with legislation to notify the Data Subject and the PDP Board.

Despite all administrative and technical measures, in the event of an unlawful disclosure, if deemed necessary by the PDP Board, this situation may be announced on the PDP Board’s website or by another method.

11. RIGHTS OF THE DATA SUBJECT

Within the scope of our obligation to inform, we inform the Data Subject and establish systems and infrastructure for such informing. We make the necessary technical and administrative arrangements for the Data Subject to exercise their rights regarding personal data.

The Data Subject has the right to:

  • Learn whether personal data are processed,

  • Request information if personal data have been processed,

  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,

  • Know the third parties to whom personal data are transferred domestically or abroad,

  • Request correction of personal data if they are processed incompletely or inaccurately,

  • Request deletion or destruction of personal data if the reasons requiring processing cease to exist,

  • Request notification of the correction, deletion, or destruction operations to third parties to whom personal data have been transferred,

  • Object to the occurrence of a result against them by analyzing processed data exclusively through automated systems,

  • Request compensation for damages if they suffer damage due to unlawful processing of personal data.

11.1. Exercise of rights regarding personal data

The Data Subject may submit their request regarding personal data by the method determined by the PDP Board (if a separate method is determined), or by sending it in writing with a wet signature to the address İkitelli Osb. Mah. Hürriyet Bulvarı Deparko Sitesi No:1/19 Başakşehir İSTANBUL / TÜRKİYE, or by sending it with a secure electronic signature to our registered email address erten@ertentekstil.com.
Center: İkitelli Osb. Mah. Hürriyet Bulvarı Deparko Sitesi No:1/19 Başakşehir İSTANBUL / TÜRKİYE

In the application to be made by the Data Subject to exercise the rights specified above, the request must be clear and understandable, related to the applicant’s own person, or if acting on behalf of another, specially authorized and such authorization must be documented; moreover, the application must include identity and address information, and documents verifying identity must be attached.

These requests must be made individually, and requests made by unauthorized third parties regarding personal data will not be evaluated.

11.2. Evaluation of the application

11.2.1. Time for responding to the application

Requests regarding personal data are concluded, depending on their nature, as soon as possible and in any case within 30 (thirty) days, free of charge, or in return for the fee in the tariff to be published by the PDP Board if the relevant conditions are met.

Additional information and documents may be requested during application or evaluation.

11.2.2. Our right to reject the application

Applications regarding personal data may be rejected with justification in cases where:

  • Personal data are processed for purposes such as research, planning, and statistics by being anonymized for official statistics,

  • Personal data are processed for artistic, historical, literary, or scientific purposes, or within freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime,

  • Personal data have been made public by the Data Subject,

  • The application is not based on a justified reason,

  • The application contains a request contrary to relevant legislation,

  • The application does not comply with application procedure.

11.3. Procedure for evaluation of the application

In order for the response period specified in Article 11.2.1 to begin, the requests must be submitted in writing with a wet signature or via [electronically signed and KEP] or by other methods determined by the PDP Board, together with information and documents proving the identity of the applicant.

If the request is accepted, the relevant action is taken and notification is made in written or electronic form. If the request is rejected, the applicant is notified in written or electronic form with the reason explained.

11.4. Right to lodge a complaint with the Personal Data Protection Board

In cases where the application is rejected, the response is found insufficient, or no response is given within due time, the applicant has the right to lodge a complaint with the PDP Board within 30 (thirty) days from the date they learn of the response and in any case within 60 (sixty) days from the date of application.

12. PUBLICATION AND RETENTION OF THE DOCUMENT

This Policy is retained in two different media: printed paper and electronic form.

13. UPDATE PERIOD

This Policy is reviewed at least once a year and updated when necessary within the framework of the principles set out in the Documentation Management Procedure.

14. EFFECTIVE DATE

This Policy shall be deemed effective after it is published on the Company’s website