Corporate Personal Data Protection Policy

 

  • Document Title: Personal Data Protection Policy
  • Document Scope: The purpose of this policy is to define the principles and procedures to be implemented by Cebir Giyim ve Kuyumculuk San. Dış Tic. Ltd. Şti. regarding the planning and execution of processes for the protection of personal data.
  • Publication Date: 10.11.2022
  • Version No: 1
  • Legal Reference: Law No. 6698 on the Protection of Personal Data and related legislation
  • Approval Authority: Board of Directors of Cebir Giyim San. ve Tic. Ltd. Şti.


1. Purpose

The right of every individual to demand the protection of their personal data is a fundamental right guaranteed by the Constitution. As Cebir Giyim San. ve Tic. Ltd. Şti., we consider fulfilling this right one of our most important responsibilities. Therefore, we prioritize the lawful processing and protection of your personal data.

This Corporate Personal Data Protection Policy has been prepared to define the core principles and procedures we follow when processing and safeguarding personal data, reflecting the importance we place on data privacy.


2. Scope

This policy applies to all personal data managed by Cebir Giyim San. ve Tic. Ltd. Şti., whether collected fully or partially through automated means or through non-automated means that form part of a data recording system. It covers all operations performed on personal data, including collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.

The policy applies to personal data processed in relation to shareholders, executives, customers, employees, supplier representatives and employees, and third parties.

Cebir Giyim San. ve Tic. Ltd. Şti. reserves the right to amend this policy in line with legislative developments and decisions issued by the Personal Data Protection Authority, with the aim of ensuring better protection of personal data.


3. Definitions

  • Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
  • Explicit Consent: Freely given, specific, informed consent expressed by the data subject regarding a particular matter.
  • Anonymization: The process of rendering personal data incapable of being associated with an identified or identifiable natural person, even when combined with other data.
  • Data Subject: The natural person whose personal data is processed.
  • Authorized User: Individuals who process personal data within the organization of the data controller or under its authority and instructions, excluding those responsible for the technical storage, protection, and backup of data.
  • Destruction: The deletion, disposal, or anonymization of personal data.
  • Law / KVKK: Law No. 6698 on the Protection of Personal Data.
  • Data Medium: Any environment in which personal data is processed, whether fully or partially automated, or non-automated as part of a data recording system.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Inventory: A detailed inventory created by data controllers that maps personal data processing activities to business processes, including processing purposes, legal bases, data categories, recipient groups, data subject groups, maximum retention periods, cross-border transfers, and security measures.
  • Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or non-automated as part of a data recording system, including collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
  • Board: The Personal Data Protection Board.
  • Authority: The Personal Data Protection Authority.
  • Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • Periodic Destruction: The routine deletion, disposal, or anonymization of personal data at recurring intervals, as specified in the data retention and destruction policy, when the legal grounds for processing no longer exist.
  • Policy: The Personal Data Protection Policy.
  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on its authorization.
  • Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.


4. General Principles

Cebir Giyim San. ve Tic. Ltd. Şti. evaluates the compliance of personal data with the following principles during the planning phase of any new workflow that requires data processing. Workflows that do not meet these criteria are not implemented.

When processing personal data, Cebir Giyim San. ve Tic. Ltd. Şti. adheres to the following principles:

  • Acts in accordance with the law and the principles of good faith.
  • Ensures that personal data is accurate and, where necessary, kept up to date.
  • Processes data for specific, explicit, and legitimate purposes.
  • Ensures that data is relevant, limited, and proportionate to the purpose of processing.
  • Retains data only for the duration required by relevant legislation or the purpose of processing, and destroys it once the purpose no longer exists.


5. Measures Taken for Data Security

Cebir Giyim San. ve Tic. Ltd. Şti. (“Maraton Sportswear”) takes all necessary technical and administrative measures to ensure an appropriate level of security in order to:

  • (i) Prevent unlawful processing of personal data
  • (ii) Prevent unauthorized access to personal data
  • (iii) Ensure the secure storage of personal data


5.1. Technical Measures

  • Network and application security are maintained.
  • Security measures are implemented during the procurement, development, and maintenance of IT systems.
  • Access logs are regularly recorded.
  • Up-to-date antivirus systems are used.
  • Firewalls are in place.
  • Security measures are taken for entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are protected against external risks (e.g., fire, flood).
  • The security of environments containing personal data is ensured.
  • Personal data is backed up, and the security of backup data is also maintained.
  • User account management and authorization control systems are implemented and monitored.
  • Log records are kept in a manner that prevents user intervention.
  • Intrusion detection and prevention systems are used.
  • Data encryption is applied.

 

5.2. Administrative Measures

  • Disciplinary regulations containing data security provisions are in place for employees.
  • Regular training and awareness programs on data security are conducted for employees.
  • Corporate policies on access, information security, usage, retention, and destruction have been established and implemented.
  • Data masking measures are applied when necessary.
  • Confidentiality agreements are signed.
  • An authorization matrix has been created for employees.
  • Data access rights are revoked for employees who change roles or leave the organization.
  • Contracts include data security clauses.
  • Personal data security policies and procedures have been defined.
  • Personal data security incidents are reported promptly.
  • Monitoring of personal data security is conducted.
  • Personal data is minimized as much as possible.
  • Periodic and/or random internal audits are conducted.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the protection of special categories of personal data have been established and implemented.
  • If special category personal data is sent via email, it is encrypted and transmitted using KEP (Registered Electronic Mail) or a corporate email account.
  • Data processors and service providers are made aware of data security requirements.


6. Rights of the Data Subject

The data subject may submit a request to Cebir Giyim San. ve Tic. Ltd. Şti. (“Maraton Sportswear”) regarding the following rights:

  • To learn whether their personal data is being processed
  • If processed, to request information regarding such processing
  • To learn the purpose of processing and whether it is used in accordance with that purpose
  • To learn the third parties to whom personal data has been transferred domestically or abroad
  • To request correction of incomplete or inaccurate data and notification of such correction to third parties

Even if personal data has been processed in accordance with KVKK and other applicable laws, the data subject may request deletion, destruction, or anonymization of personal data if the reasons for processing no longer exist, and request notification of such actions to third parties.

The data subject may also:

  • Object to any outcome against them resulting from the analysis of personal data exclusively through automated systems
  • Request compensation for damages arising from unlawful processing of personal data


7. Breach Notifications

Employees of Cebir Giyim San. ve Tic. Ltd. Şti. (“Maraton Sportswear”) are required to report any action, incident, or situation they believe to be in violation of the provisions of the Law on the Protection of Personal Data (KVKK) and/or this Policy to Management.

Following such a report, Management may convene to assess the situation and, if deemed necessary, develop an appropriate action plan.

If the breach involves the unlawful acquisition of personal data by third parties, the incident shall be reported to the relevant data subject and the Personal Data Protection Authority within 72 hours, in accordance with the Board Resolution dated 24.01.2019 and numbered 2019/10.


8. Amendments

Any amendments to this Policy shall be drafted by Management and submitted to the Board of Directors of Cebir Giyim San. ve Tic. Ltd. Şti. for approval.

Once approved, the updated Policy may be distributed to employees via email or published on the company’s website.


9. Effective Date

This version of the Policy was approved by the Board of Directors on 10.11.2022 and entered into force on the same date.

 

 
