KVKK Text

Gerra Collection

DATA PROTECTION AND PROCESSING POLICY

This Policy sets out the principles that Gerra Collection will adhere to in processing personal data in compliance with the Law on the Protection of Personal Data No. 6698 ("KVKK") and relevant regulations. The Company undertakes to act in accordance with the procedures and principles set forth in this Policy regarding the personal data processed within its organization.

  1. PURPOSE AND SCOPE

The purpose of this Policy is to establish the principles for the processing and protection of personal data by the Company. This Policy covers all activities related to personal data carried out by the Company and is applicable to such activities. This Policy may be amended by the Company when deemed necessary or in accordance with the requirements of the KVKK Regulations. In case of any inconsistency between the KVKK Regulations and this Policy, the KVKK Regulations shall prevail. The Company may modify this Policy when necessary or as required by the KVKK Regulations.

  1. DEFINITIONS

The definitions used in this Policy have the following meanings;

“Explicit Consent” Refers to consent based on informed consent on a specific subject, declared with free will.

“Anonymization” Refers to making personal data unidentifiable or unable to be associated with a specific or identifiable real person, even when matched with other data.

Notification Obligation” Refers to the obligation of the data controller or the authorized person during the acquisition of personal data to inform the data subject under Article 10 of the KVKK.

“Personal Data” Refers to any kind of information related to an identified or identifiable real person (the term “Personal Data” within the scope of this Policy will also include “Special Qualified Personal Data” as defined below, to the extent appropriate).

“Processing of Personal Data” Refers to any operation carried out on the data, whether or not by automated means or as part of any data recording system, including obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or using data in any way.

“Board” Refers to the Personal Data Protection Board.

Agency” Refers to the Personal Data Protection Agency.

“KVKK” Refers to Law No. 6698 on the Protection of Personal Data.

“KVKK Regulations” Refers to the Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of personal data, regulatory and supervisory authorities, decisions, principles, provisions, instructions given by courts and other official authorities, applicable international agreements for the protection of data, and any other legislation.

“Special Qualified Personal Data” Refers to data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and data related to biometric and genetic information.

“Data Processor” Refers to the natural or legal person who processes Personal Data on behalf of the Data Controller by obtaining authorization from the Data Controller.

“Data Subject” Refers to all individuals whose Personal Data is processed by the Company or on behalf of the Company.

“Data Controller” Refers to the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.

  1. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

 

  1. Processing of Personal Data in Compliance with the Law and Fairness Principles

The Company will process personal data in accordance with the law, fairness rules, and the principle of proportionality, only to the extent necessary for the purposes of data processing.

  1. Taking Necessary Measures for Personal Data to be Accurate and Updated When Necessary

The Company will ensure that the personal data it processes is accurate and up-to-date and will take necessary measures in this regard. If the data subject requests changes to personal data under the KVKK Regulations, the relevant personal data will be updated.

  1. Processing of Personal Data for Specific, Clear, and Legitimate Purposes

The Company will process personal data for specific, clear, and legitimate reasons. The Company will determine the purposes for which personal data will be processed and inform the data subject of these purposes before processing the data. In this context, the data subject will be informed and, if necessary, explicit consent will be obtained in accordance with the KVKK Regulations.

  1. Processing of Personal Data Relevant, Limited, and Proportional to the Purpose

The Company will process personal data in a manner suitable for achieving the defined purposes and will avoid processing data that is irrelevant or unnecessary for the purpose.

  1. Retention of Personal Data for the Period Required by the Relevant Legislation or the Purpose for Which They Were Processed

The Company will retain personal data only for the periods specified in the laws or for the time required by the purpose of processing. If the Company wishes to retain Personal Data for a longer period than required by the KVKK Regulations or the purpose of processing personal data, the Company will act in accordance with the obligations specified in the KVKK Regulations.

  1. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

 

  1. Explicit Consent

Personal data will be processed only if the data subjects give their explicit consent after being informed as part of the fulfillment of the notification obligation. In this context, the rights of data subjects will be communicated before obtaining explicit consent. Explicit consent will be obtained using methods compliant with the KVKK Regulations, and the necessary period will be maintained within the same scope.

  1. Processing of Personal Data Without Obtaining Explicit Consent

In cases where the processing of personal data without obtaining explicit consent is foreseen within the scope of the KVKK Regulations, the Company may process personal data within the limits set by the KVKK Regulations without obtaining the explicit consent of the data subject. In this context,

  • If expressly provided by laws,
  • If it is necessary to process personal data belonging to the parties of a contract, directly related to the establishment or performance of a contract, and provided that it is directly related to the fulfillment of the Company's legal obligation,
  • If processing personal data is mandatory for the Company to fulfill its legal obligations,
  • If personal data has been made public by the data subject,
  • If the processing of personal data is necessary for the establishment, exercise, or protection of a right, provided that it does not harm the fundamental rights and freedoms of the data subject,
  • If processing is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,

Personal data may be processed by the Company without explicit consent.

  1. Processing of Special Qualified Personal Data

Special qualified personal data may only be processed if the data subject's explicit consent is obtained or if the processing of special qualified personal data is explicitly required by law, excluding data related to sexual life and personal health. Health and personal data related to sexual life may be processed without obtaining explicit consent for the purposes of protecting public health, carrying out preventive medicine, conducting medical diagnosis, treatment and care services, planning and managing health services and financing, by individuals under the obligation of confidentiality (e.g., Company doctor) or authorized institutions and organizations. Measures determined by the Company will be taken when processing special qualified personal data.

 

  1. DATA SUBJECT INFORMATION OBLIGATION

The Company will inform data subjects about how their personal data will be processed during the collection of data. In accordance with the KVKK, the minimum requirements that must be included in the notification are as follows:

  1. Identity of the Company as the data controller and, if any, its representative
  2. Purposes of processing personal data
  3. To whom and for what purposes personal data can be transferred
  4. Legal reasons for collecting personal data
  5. Rights of the data subject
  6. Obligation to respond to data subject applications

 

  1. DATA SUBJECT RIGHTS

Data subject rights are as follows:

(1) To learn whether personal data is being processed,

(2) If personal data has been processed, to request information about it,

(3) To learn the purpose of processing personal data and whether they are used in line with that purpose,

(4) To know the third parties to whom personal data is transferred domestically or abroad,

(5) If personal data is incomplete or incorrectly processed, to request correction and notification of this correction to third parties to whom the personal data has been transferred,

(6) To request the deletion or destruction of personal data in case the reasons requiring processing cease to exist, even if it has been processed in accordance with the law, and to request the notification of this to third parties to whom the personal data has been transferred,

(7) To object to a result against oneself arising from the analysis of the processed data through exclusively automated systems,

(8) To request the remedy of damages in case personal data is processed unlawfully.

The data subject can send their requests regarding the above-mentioned rights to the email address given below, the Company's KEP address, or the postal address given below, which may change from time to time, using the methods determined by the Board.

  • Data Controller: Gerra Collection
  • Email: info@gerracollection.com

If the data subject submits their request regarding the above-mentioned rights to our Company in accordance with the procedure, our Company will conclude the relevant request within the shortest time and within a maximum of 30 (thirty) days free of charge, depending on the nature of the request. However, if the process requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

 

  1. PROCESSING PURPOSES OF PERSONAL DATA

The Company processes personal data within the purposes and conditions specified in Article 5.2 and Article 6.3 of the KVKK, listed in Article 4 of our policy.

In this context, the Company processes personal data for the following purposes:

  • Conducting Information Security Processes
  • Conducting Activities in Compliance with Legislation
  • Conducting Finance and Accounting Affairs
  • Ensuring Physical Space Security
  • Tracking and Conducting Legal Affairs
  • Conducting Business Operations/Supervision
  • Conducting Logistics Activities
  • Conducting Purchase Processes of Goods/Services
  • Conducting Sales Processes of Goods/Services
  • Conducting Production and Operation Processes of Goods/Services
  • Managing Customer Relations Processes
  • Conducting Activities for Customer Satisfaction
  • Conducting Marketing Analysis Studies
  • Conducting Advertising/Campaign/Promotion Processes
  • Conducting Contract Processes
  • Ensuring Security of Movable Assets and Resources
  • Conducting Marketing Processes of Products/Services
  • Ensuring Security of Data Controller Operations
  • Providing Information to Authorized Individuals, Institutions, and Organizations
  • Conducting Management Activities

If the processing activity carried out for the above-mentioned purposes does not meet one of the conditions foreseen within the scope of the KVKK, explicit consent of the data subject will be obtained for the relevant process.

  1. TRANSFER OF PERSONAL DATA

 

  1. General Terms

The Company, by taking necessary precautions, can transfer personal data to real or legal persons in Turkey and/or abroad in line with the regulations prescribed by the Law and this Policy.

Personal data can be transferred to third parties in Turkey or abroad without obtaining explicit consent if it is stipulated explicitly by laws or if one of the following conditions is met, as specified in Article 5.2 and Article 6.3:

  • The country to which the transfer is made has the status of a country where sufficient protection is determined by the Board
  • If the country to which the transfer is made does not have the status of a country where sufficient protection is determined by the Board, the data controller in Turkey and the data controller in the relevant foreign country provide a written commitment that sufficient protection will be ensured, and the permission of the Board is obtained.

 

  1. Transfer of Special Qualified Personal Data

Special Qualified Personal Data can be transferred by the Company, in compliance with the principles stated in this Policy and including the methods determined by the Board, by taking necessary administrative and technical measures under the following conditions:

  • Except for health and personal data related to sexual life, special qualified personal data may be processed without explicit consent if it is explicitly stipulated in the laws, meaning there is a clear provision in the relevant law for the processing of personal data. Otherwise, explicit consent of the data subject will be obtained.
  • Special qualified personal data related to health and personal life may be processed without obtaining explicit consent for the purposes of protecting public health, conducting preventive medicine, carrying out medical diagnosis, treatment and care services, planning and managing health services and financing, by individuals under the obligation of confidentiality (e.g., Company doctor) or authorized institutions and organizations. Otherwise, explicit consent of the data subject will be obtained.

In addition to the above, personal data may be transferred to foreign countries that provide sufficient protection or, in case of insufficient protection, to foreign countries where the data controller who provides sufficient protection is located, in accordance with the conditions specified in the legislation.

The Company, in accordance with Articles 8 and 9 of the KVKK, can transfer the personal data of data subjects managed by this Policy to the following categories of individuals:

(i) Company business partners,

(ii) Company suppliers,

(iii) Real Persons and Private Law Legal Entities,

(iv) Public institutions and organizations authorized by law,

(v) Private legal entities authorized by law.

  1. DATA SECURITY AND MANAGEMENT

The Company will take necessary legal, technical, and administrative measures for data security and will show the utmost care and attention in this regard. The Company takes technological and administrative measures according to the processing of personal data in compliance with the law. Employees will be informed that they cannot disclose personal data they have learned in violation of the KVKK, cannot use it for purposes other than processing, and this obligation will continue after their duties are terminated, and necessary commitments will be obtained from them in this regard.

The Company will take technical and administrative measures to prevent the unlawful disclosure, access, transfer, or any other unauthorized access to personal data that will be protected according to the nature of the data, technological possibilities, and application costs.

The Company will increase awareness among data processing institutions such as business partners and suppliers to prevent the unlawful processing of personal data, prevent access to data unlawfully, and ensure the lawful preservation of data. Measures will be taken to ensure that business partners and suppliers operate in compliance with the KVKK in personal data processing activities.

  1. STORAGE AND DESTRUCTION OF PERSONAL DATA

The Company will keep personal data for the period required for the purpose for which they were processed, in compliance with the legal regulations related to the activity and the minimum periods specified. If there is a legal period specified in the relevant legislation for the storage of personal data, this period will be complied with. If there is no legal period, personal data will be kept for the period required for the purpose for which they were processed. At the end of the determined storage periods, personal data will be destroyed by methods specified by the Company periodically or in accordance with the application of the data subject.

  1. CHANGES TO THE POLICY AND EFFECTIVE DATE

The provisions in this Policy may be changed by the Company when deemed necessary, and in accordance with the KVKK Regulations, by being published on the websites. In case any of these provisions changes, the relevant changes will come into effect on the date of publication.

This Policy was published on 25.01.2024 and became effective.

Gerra Collection