AKC MOBILYA FOREST PRODUCTS TOURISM CONSTRUCTION IMPORT EXPORT INDUSTRY AND TRADE LIMITED COMPANY
PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. PURPOSE AND SCOPE
AKC Mobilya Forest Products Tourism Construction Import Export Industry and Trade Limited Company (“Company”), which has adopted utmost compliance with the legal framework as a principle throughout its history, also attaches great importance to the privacy of personal data and establishes the necessary systems to ensure full compliance with the legislation on the processing and protection of personal data.
This Personal Data Processing and Protection Policy (“PDPP Policy”) sets forth the principles adopted by our Company regarding the processing and protection of personal data. In this context, it aims to establish the system and order necessary to ensure compliance with personal data protection legislation in Company activities, to increase awareness within the Company, and to prevent unlawful processing or unauthorized access to personal data.
In line with the importance our Company places on the protection of personal data, the PDPP Policy defines the basic principles for ensuring compliance with the Law on the Protection of Personal Data No. 6698 (“LPPD”) in all Company activities and specifies the responsibilities to be fulfilled by our Company. The implementation of the PDPP Policy will ensure the sustainability of the data security principles adopted by the Company.
This Policy applies to all personal data processed fully or partially by automated means or by non-automated means that are part of a data recording system, belonging to employee candidates, employees, shareholders/partners, interns, customers, potential customers, suppliers, officials and employees of companies in cooperation, visitors (including online visitors to the website), and other data subjects.
2. ROLES AND RESPONSIBILITIES
Regulations, procedures, guidelines, standards, and training activities prepared in accordance with the PDPP Policy are implemented within our Company under the guidance of the Accounting Department, which acts as an advisory resource. The General Manager of the Company shall act as the Data Protection Officer (DPO). All Company employees and stakeholders are responsible for cooperating with the Accounting Department teams to ensure compliance with the PDPP Policy and to mitigate legal risks and imminent threats.
The duties of the Data Protection Officer include:
- Preparing and submitting for Board approval the fundamental policies and amendments related to the processing and protection of personal data,
- Determining how the implementation and audit of policies on the processing and protection of personal data will be carried out, making internal appointments and ensuring coordination (or submitting such matters to the Board for approval),
- Identifying actions necessary to ensure compliance with the LPPD and related regulations and submitting them to the Board for approval,
- Carrying out the necessary awareness activities within the Company and among business partners regarding personal data processing and protection,
- Identifying risks related to the Company’s personal data processing activities and ensuring that necessary precautions are taken, submitting improvement proposals to the Board for approval,
- Designing and executing training programs on the protection and implementation of personal data policies,
- Evaluating and responding to data subject applications,
- Monitoring developments and regulations related to personal data protection and advising the Board on necessary actions,
- Coordinating relations with the Data Protection Authority and Board,
- Carrying out other tasks assigned by the Board related to personal data protection.
3. POLICY PRINCIPLES
3.1. FUNDAMENTAL PRINCIPLES
Our Company adopts the following fundamental principles, which are also stated in the LPPD, to ensure and maintain compliance with the personal data protection legislation:
3.1.1. Processing personal data lawfully and in good faith
Our Company conducts personal data processing activities in accordance with the Constitution of the Republic of Türkiye, the personal data protection legislation, applicable laws, and the principles of honesty and good faith.
3.1.2. Ensuring the accuracy and up-to-dateness of processed personal data
Our Company ensures the accuracy and up-to-dateness of the personal data it processes by taking the necessary administrative and technical measures and managing relevant processes. It operates mechanisms to correct inaccurate personal data and confirm their accuracy when necessary.
3.1.3. Processing personal data for specific, explicit, and legitimate purposes
Our Company determines the legitimate and lawful purpose of processing personal data clearly and precisely. Personal data is processed only to the extent necessary and relevant for the services provided. The purpose of processing is determined before starting the data processing activity.
3.1.4. Processing personal data in a limited and proportionate manner, relevant to the intended purpose
Our Company processes personal data in connection with and to the extent necessary for the purposes defined. Data not related to or not required for the stated purposes is not processed. Likewise, data is not processed for hypothetical future needs.
3.1.5. Retaining personal data for the period stipulated by applicable legislation or required for the processing purpose
Our Company retains personal data only for the period required by applicable legislation or for the purpose for which it was collected. This includes compliance with time limits set by Contract Law, Labor Law, Commercial Law, Tax Law, and Occupational Health and Safety Law. When the period ends or the purpose for processing no longer exists, the data is deleted, destroyed, or anonymized.
3.2. PROCESSING PERSONAL DATA IN ACCORDANCE WITH LEGAL REQUIREMENTS
Our Company ensures that personal data processing activities comply with the basic principles listed above and the conditions outlined in Articles 5 and 6 of the LPPD and the Regulation on Processing Personal Health Data. Before processing, it checks whether the required conditions are met; if not, data processing does not proceed.
As per Article 20 of the Constitution and Articles 5 and 6 of the LPPD, personal data may be processed with the explicit consent of the data subject. However, explicit consent is only one legal basis. If any of the following conditions apply, personal data may also be processed without consent:
- Explicitly provided for by law,
- Necessary for the conclusion or performance of a contract,
- Required for the data controller to fulfill legal obligations,
- Made public by the data subject,
- Necessary for the establishment, exercise, or protection of a right,
- Necessary for the legitimate interests of the data controller, provided this does not violate the fundamental rights and freedoms of the data subject.
For special categories of personal data (as defined in Article 6 of the LPPD), additional conditions apply, such as:
- Explicit consent of the data subject,
- Explicitly provided for by law,
- Processing by a workplace physician for purposes of medical diagnosis and treatment.
All data processing activities are carried out in accordance with the Constitution, Turkish Penal Code, LPPD, and related legislation as well as this Policy.
3.3. TRANSFER OF PERSONAL DATA IN ACCORDANCE WITH THE CONDITIONS FOR TRANSFER
As with processing, the transfer of personal data generally requires the explicit consent of the data subject. However, where personal data can be processed without explicit consent under the LPPD, it may also be transferred without consent. Accordingly, our Company may transfer certain personal data to authorized institutions such as the Social Security Institution (SGK), contracted legal counsel, financial advisors, consultants, affiliated group companies, travel agencies, car rental companies, or suppliers.
All transfers are conducted in compliance with Article 8 of the LPPD, which governs the conditions for transferring personal data, including both domestic and, if applicable, international transfers.
3.4. ENSURING THE SECURITY OF PERSONAL DATA
Our Company takes all necessary measures, within its technical and financial means, to prevent unlawful processing of, unauthorized access to, and disclosure of personal data, and to address other security vulnerabilities, in accordance with the nature of the data to be protected.
The following administrative and technical measures are applied:
3.4.1. Administrative Measures
- Disciplinary regulations containing data security provisions for employees are in place.
- Regular training and awareness programs on data protection are provided to employees.
- An authority matrix is established for employees.
- Corporate policies on access, information security, data storage, and data disposal are prepared and implemented.
- Confidentiality agreements are signed.
- Contracts include data security clauses.
- Data security policies and procedures are defined.
- Personal data security incidents are reported promptly.
- Physical access to areas containing personal data is restricted.
- Precautions are taken against external risks (fire, flood, etc.).
- Efforts are made to minimize personal data collected and processed.
- Periodic and/or random internal audits are conducted.
- Risks and threats are regularly assessed.
- Special measures are taken for sensitive personal data.
3.4.2. Technical Measures
- Closed network systems are used for personal data transfers over networks.
- Security measures are taken in IT procurement, development, and maintenance processes.
- Up-to-date antivirus software is used.
- Firewalls are implemented.
- Documents containing personal data transferred in paper form are labeled and secured.
- Personal data is backed up and backups are securely stored.
- Sensitive personal data sent via email is encrypted and transmitted through KEP or corporate email accounts.
- Secure encryption/cryptographic keys are used and managed by different units.
- Data on portable media is encrypted before transfer.
- Third-party data processors are periodically audited.
- Data loss prevention software is used.
3.4.3. Personal Data Protection Audit Activities
The Accounting Department is responsible for auditing the compliance, functionality, and effectiveness of technical and administrative measures taken to protect personal data and ensure data security, in accordance with legislation, policies, procedures, and internal guidelines.
Audits may be conducted by internal teams or outsourced audit firms. The results are reported to the managers of the Accounting, Marketing, Customer Relations, and IT departments, as well as the Board of Directors. Follow-up of necessary actions is the responsibility of the process owners, and the Accounting Department oversees the implementation, performs verification tests, and conducts re-audits if necessary.
Improvement and development efforts related to data security, beyond the audit results, are carried out by the relevant execution units of our Company.
3.4.4. Measures to Be Taken in Case of Unlawful Disclosure of Personal Data
In case personal data processed by our Company is unlawfully accessed or obtained by unauthorized persons, the Company shall notify the Data Protection Board and the relevant data subjects without delay, and within 72 hours at the latest.
If the data subject cannot be reached directly, the breach notification shall be published on the Company’s website. The Data Protection Officer shall carry out all necessary procedures and notifications in line with the principles set by the Board’s announcement dated 24.01.2019 and numbered 2019/10.
3.5. OBLIGATIONS REGARDING PERSONAL DATA PROCESSING ACTIVITIES
3.5.1. Obligation to Register with and Notify the Data Controllers’ Registry
In accordance with Article 16 of the LPPD and the Regulation on the Data Controllers’ Registry, our Company is registered in the Data Controllers’ Registry (VERBIS). The following information is made publicly available on VERBIS:
- Company details and address as the data controller,
- Purpose of personal data processing,
- Categories of data subjects and types of processed personal data,
- Parties to whom personal data may be transferred,
- Personal data that may be transferred abroad,
- Technical and administrative measures taken to ensure data security,
- Maximum retention periods for processed data.
In case of any changes to the registered information, such changes shall be reported via VERBIS to the Data Protection Authority within seven days from the date of the change.
3.5.2. Obligation to Inform the Data Subject
In accordance with Article 10 of the LPPD and the Communiqué on the Principles and Procedures for Fulfillment of the Obligation to Inform, our Company provides data subjects with necessary information at the time of data collection through clear and accessible clarification texts. The following information is provided:
- The identity of the data controller and its representative (if any),
- The purpose of processing personal data,
- To whom and for what purpose the personal data may be transferred,
- The method and legal basis of collecting personal data,
- Rights of the data subject as stated in Article 11 of the LPPD.
3.5.3. Obligation to Ensure the Security of Personal Data
In compliance with Article 12 of the LPPD and in recognition of the need to safeguard the fundamental rights and freedoms of data subjects, our Company takes all necessary administrative and technical measures to:
- Prevent unlawful processing of personal data,
- Prevent unauthorized access to personal data,
- Ensure the secure storage of personal data.
Our Accounting Department carries out or oversees necessary audits to ensure the operation of data security mechanisms.
3.5.4. Obligation to Comply with Decisions Issued by the Data Protection Board
Our Company undertakes to comply with all decisions issued by the Data Protection Board (the executive body of the Data Protection Authority) aimed at ensuring that personal data is processed in accordance with the law and fundamental rights and freedoms. Such decisions will be implemented without delay and within 30 days of notification at the latest. Requested information and documents will be submitted within 15 days, and on-site inspections will be facilitated as needed.
3.5.5. Obligation to Respond to Applications by Data Subjects
As a data controller, our Company is committed to responding to applications made by data subjects regarding their personal data in accordance with Article 13 of the LPPD. Responses will be provided within 30 days, free of charge, unless the process requires additional costs.
Applications can be submitted using the form available on our website or at our reception desk. Signed application forms can be submitted:
- In person or via notary/post to: Süleymaniye OSB Mahallesi 1. Cadde No: 27 İnegöl/Bursa,
- Via registered electronic mail (KEP), secure electronic signature, or mobile signature,
- Via email to [email protected] from the email address previously registered with the Company.
Under Article 11 of the LPPD, data subjects may request to:
- Learn whether their personal data is processed,
- Request information if their personal data has been processed,
- Learn the purpose of processing and whether the data is used accordingly,
- Know the third parties to whom their data is transferred, domestically or abroad,
- Request correction of incomplete or incorrect data and have third parties to whom the data was transferred notified of the correction,
- Request deletion or destruction of data, if the reasons for processing no longer exist, and have third parties to whom the data was transferred notified,
- Object to adverse outcomes resulting from automated processing,
- Claim compensation in case of damage due to unlawful data processing.
3.5.6. Obligation to Legally Acquire and Transfer Personal Data
In accordance with Article 4 of the LPPD, our Company processes personal data lawfully and in accordance with the principles of honesty. Accordingly, the acquisition and transfer of personal data are also carried out lawfully and ethically.
3.5.7. Obligation to Comply with Retention and Deletion Regulations
Pursuant to Article 7 of the LPPD, even if processed lawfully, personal data whose purpose no longer exists must be deleted, anonymized, or destroyed. Our Company has issued the necessary policies and established internal mechanisms to ensure this process is conducted effectively.
4. PREPARATION OF POLICIES, PROCEDURES AND RELATED GUIDELINES ON PERSONAL DATA PROCESSING AND PROTECTION
To ensure compliance with data protection laws, necessary documentation has been prepared for both internal use and public disclosure. These documents have been structured in line with the documentation model implemented by our Company. Any changes to publicly disclosed policies will be made available to data subjects in an easily accessible manner.
5. REVIEW
This Policy enters into force as of its approval by the Board of Directors. Except for decisions to revoke the Policy, any amendments or implementation details are delegated to the Accounting Department, with the Board’s approval.
This Policy is reviewed at least once per year. Required changes are submitted to the Board for approval and published after being updated. The Company’s PDPP Policy is made publicly available on our website. In case of a conflict between this Policy and the provisions of applicable legislation, including the LPPD, the legislative provisions shall prevail.
6. DEFINITIONS
The following definitions are of key importance within the scope of this Personal Data Protection Policy:
| Term | Definition |
| --- | --- |
| Anonymization | Rendering personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data. |
| Communiqué on the Principles and Procedures for Fulfillment of the Obligation to Inform | The communiqué published in the Official Gazette dated March 10, 2018, and numbered 30356. |
| Regulation on Processing and Protection of Personal Health Data | The regulation published in the Official Gazette dated October 20, 2016, and numbered 29863. |
| Personal Health Data | Any information related to the physical or mental health of a natural person, including data on health services provided to that individual. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Subject | The natural person whose personal data is processed (e.g., customers, employees). |
| Processing of Personal Data | Any operation performed on personal data, whether wholly or partly by automated means or by non-automated means as part of a data recording system, including collection, storage, alteration, disclosure, transmission, or deletion. |
| LPPD | The Law on the Protection of Personal Data No. 6698, published in the Official Gazette on April 7, 2016. |
| Data Protection Board | The authority responsible for overseeing the enforcement of the LPPD. |
| Data Protection Authority | The institution overseeing the implementation of the LPPD in Türkiye. |
| Special Categories of Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, membership of associations, foundations, or unions, health, sexual life, criminal convictions and security measures, and biometric/genetic data. |
| Constitution of the Republic of Türkiye | The Constitution dated November 7, 1982, and published in the Official Gazette on November 9, 1982. |
| Turkish Penal Code | The Penal Code dated September 26, 2004, and published in the Official Gazette on October 12, 2004 (Law No. 5237). |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on their authorization. |
| Data Controller | A natural or legal person who determines the purposes and means of processing personal data and is responsible for managing the data recording system. |
| Communiqué on the Application Procedures to the Data Controller | The communiqué published in the Official Gazette on March 10, 2018, numbered 30356. |
| Data Controllers’ Registry (VERBIS) | A public registry kept by the Data Protection Authority under the supervision of the Data Protection Board. |
| Regulation on the Data Controllers’ Registry | The regulation published in the Official Gazette dated December 30, 2017, and entered into force on January 1, 2018. |
7. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY
Our Company processes the following categories of personal data as detailed in the “Personal Data Processing Inventory”:
1. Identity (name-surname, mother/father name, mother’s maiden name, date of birth, place of birth, marital status, ID serial number, national ID number, etc.)
2. Contact (address, email address, registered email address (KEP), phone number, etc.)
3. Employment (payroll data, disciplinary actions, onboarding documents, asset declarations, resume information, performance reports, etc.)
4. Legal Transactions (data in correspondence with judicial authorities, case files, etc.)
5. Customer Transactions (call center records, invoice/check/promissory note details, receipt information, order details, request records, etc.)
6. Physical Security (employee and visitor entry-exit logs, CCTV recordings, etc.)
7. Financial (balance sheets, financial performance data, credit and risk reports, asset information, etc.)
8. Professional Experience (diplomas, attended courses, in-service training records, certificates, transcripts, etc.)
9. Marketing (purchase history, survey results, cookie records, campaign-generated data, etc.)
10. Visual and Audio Data (visual and audio recordings, etc.)
11. Philosophical Beliefs, Religion, Sect, and Other Beliefs (beliefs, religious affiliations, sect memberships, etc.)
12. Health Information (disability status, blood type, personal health details, medical device/prosthetic usage, etc.)
13. Criminal Convictions and Security Measures (criminal record information, security-related measures, etc.)
14. Clothing and Appearance (dress code and clothing information, etc.)
15. Biometric Data (fingerprint data, etc.)
16. Other (Commercial Activity Certificate / Chamber of Commerce Registry, for international fair participation)
17. Other (Commercial Invitation, for international fair participation)
18. Other (Bank Statement, for international fair participation)
19. Other (Fair Participation Certificate, for international fair participation)
8. PURPOSES OF PROCESSING PERSONAL DATA
The personal data listed above is processed for the purposes specified separately for each category in our VERBIS registration and Personal Data Inventory, including but not limited to operational, legal, financial, employment, marketing, and security needs of our Company.