AS ERDOGAN DERI SAN. TIC. LTD. STI.
The objective of this Policy for Confidentiality and Protection of Personal Data (“POLICY”) is to inform individuals in relation to the processing of personal data of job applicants, suppliers, online and physical visitors, members, customers, shareholders and partners of DERIMARKET’s (“Data Supervisor”).
In relation to the group of individuals applying for a job, DERIMARKET may process information such as;
and method of payment. Documents such as a criminal record and health report may also be required.
DERIMARKET may process an applicant’s personal data based on one or more purposes specified in the section of this POLICY, titled “VII. Personal Data Processing Purposes,” in accordance with the nature of the application.
Personal data of applicants may be collected during the recruitment process by employing other methods and tools specified in this POLICY, or with additional methods and tools specified below:
DERIMARKET processes collected personal data via computer systems and human resources personnel, automatically and manually.
DERIMARKET may carry out reference checks in respect of the applicant. The reference check process is usually carried out by means of confirming the accuracy of the information provided by the applicant. Determining factors that may have been withheld by the applicant and which may have the capacity to cause a threat to DERIMARKET will be part of the research conducted.
In the context of the reference check, necessary personal data such as the identification information of third parties and applicants, work and educational backgrounds may be shared. Personal data concerning the applicant may be obtained from third parties.
Applicants may, at all times, contact DERIMARKET regarding the reference check process.
Applicants who wish to exercise their rights based on the Law on Protection of Personal Data no 6698 (“LPPD”) may apply to DERIMARKET in accordance with the rules and procedures declared in this POLICY.
All personal data concerning the applicant which has been collected and processed during the application procedure are transferred to their personal file upon the decision to recruit the candidate for the vacant position.
With regards to the personal data it processes, DERIMARKET does not discriminate amongst data subject groups of individuals (such as applicants, group of individuals, interns). Detailed information regarding the security of personal data is found in the section of this document related to the security of personal data.
In the processing of personal data, the principles which are enshrined in legal regulations, and those which are related to general confidence and honesty are being complied with.
Periodical verifications and updates are made so that the data processed are accurate and up-to-date, and the necessary measures are taken accordingly. In this context, systems for controlling the correctness of personal data and making necessary corrections are implemented in DERIMARKET. These changes and updates can be made by members on the My Account page at www.derimarket.net
Personal data are processed in accordance with clear, specific and legitimate data processing purposes. The purpose for which the data will be processed is described in detail below.
In order for the envisaged purpose/purposes to be realized, personal data are processed in a measured manner and which is related to and limited to the purpose, and we abstain from processing the personal data which are not related to achieving the purpose or which are not needed.
DERIMARKET preserves personal data only for the period prescribed in the relevant legislation or the period required for the purpose of processing thereof. In this context, first of all we identify whether a period is stipulated in the relevant legislation for the preservation of personal data, if a period is prescribed, we act in accordance with it, and if no period is prescribed, we preserve the personal data for the period required for the purpose of processing thereof. In case of expiry of such period or in case the reasons requiring them to be processed cease to exist, provided there is no legal reason for allowing them to be processed for longer periods, personal data are deleted, destroyed or anonymized in accordance with DERIMARKET’s Policy on Preservation and Destruction of Personal Data.
Preservation periods have been additionally indicated below.
Express consent of the relevant person is only one of the conditions that needs to be satisfied according to the law and which makes processing of personal data legally possible. Apart from express consent, personal data may also be processed in case of the existence of one of the below-specified conditions stipulated by the law.
The basis on which personal data processing activity is carried out may be one or more than one of the below-specified conditions specified by the law. In the case where the personal data processed constitute private personal data; conditions listed under the heading “Circumstances Where Private Personal Data May be Processed” will be applied.
Individuals are informed of which personal data are being processed under this hereby POLICY, for which purposes and reasons the personal data are being processed, from which resources the personal data are collected, with whom these personal data will be shared, and how they will be used.
DERIMARKET can process the personal data of individuals without obtaining his/her express consent in cases where processing of personal data is explicitly prescribed by laws For example, pursuant of the Law on Electronic Trade Regulation, personal data to be processed in respect of procedures such as membership to DERIMARKET, granting electronic permission for trade, purchase orders, deliveries, cancellation or return of products.
Data may be processed without the explicit consent of an individual if it is compulsory to process personal data in order to protect the life or body integrity of the individual or any other person where an individual cannot give his/her consent or whose consent is deemed invalid due to actual impossibility.
Personal data belonging to the parties of a contract may be processed in case it is necessary, provided that it is directly related to the conclusion or performance of said contract. For example, the personal data provided by the Member in order to complete their DERIMARKET membership procedure.
Individuals’ data may be processed without obtaining explicit consent, where it is compulsory to fulfill legal obligations as a data supervisor. For example, the delivery of an ordered product to a Member or the cost of a product being paid to the seller.
In case individuals’ personal data are made public by themselves, data may be processed without the need to obtain express consent. For example, personal data shared with the public by a member on the internet via HIS social media account, may be processed provided that it is done in accordance with the will and proportionality.
In the case where data processing is mandatory in order to establish, exercise or protect a right, data may be processed without obtaining the express consent of the individual. For example, in relation to a complaint issued to the consumer arbitration committee by a Member, entering the transaction and information into this complaint folder.
In case the data processing for DERIMARKET's legitimate interests is compulsory provided that the fundamental rights and freedoms of the individuals are not infringed, the data may be processed without obtaining the individual's explicit consent. For example, DERIMARKET conducting satisfaction surveys in order to ensure Customer satisfaction.
Employee personal data shall be processed on the basis of express consent in cases where it can not be processed based on any of the conditions specified in Articles 4.1 to 4.7 above.
5. CIRCUMSTANCES WHERE PRIVATE PERSONAL DATA MAY BE PROCESSED
Part of the personal data are categorized as “private personal data”, and they are subject to a special protection.
Private personal data may be processed in the event that the individual has given his/her express consent in accordance with the principles specified in this hereby POLICY and by taking the necessary administrative and technical measures.
In cases where the individual has not given his/her express consent, in the following cases, private personal data are processed provided that sufficient measures to be determined by the Board of Protection of Personal Data (“Board”) are taken:
6. ENLIGHTENING AND INFORMING INDIVIDUALS
During the acquisition of personal data, individuals shall be informed by DERIMARKET. In this context, they shall be informed of the identity of the contact person of DERIMARKET, the purpose for which personal data will be processed, to whom and for which purposes the data processed may be transferred, method of collecting personal data, and the rights that the employees are lawfully entitled to.
In case individuals request information in relation to their personal data, DERIMARKET shall inform them through [email protected] Physical visitors shall be informed about the video cameras present on DERIMARKET's premises. Additionally, there are signs placed at visible points inside the building, which offer brief information. With this hereby Policy, users visiting the DERIMARKET web site are informed; those who become Members are informed yet again not only by this hereby Policy, but also with the details presented on the Membership page.
7. CATEGORIZATION OF PERSONAL DATA
Within the scope of this policy, DERIMARKET processes the data of individuals in the below-specified categories:
8. PURPOSE OF PROCESSING OF PERSONAL DATA
Personal data are processed subject to the following conditions. The conditions are;
In the case that the above conditions are satisfied; DERIMARKET seeks to obtain the express consent of the personal data owners in order to process personal data.
DERIMARKET shall process personal data for the following purposes:
Candidate Working Group:
For the Customer Group:
For the Supplier Group (Supplier, Supplier Executive, Supplier Employee):
Claimant 3. For a Group of Individuals:
Public Official conducting the investigation or proceeding, for the administrative organ employee:
For Online Visitors:
For Shareholders/Partners:
9. TRANSFER OF PERSONAL DATA TO THIRD PERSONS NATIONALLY AND ABROAD
Personal data and private personal data belonging to individuals may be transferred to third persons (third party companies, group companies, real third persons) in accordance with their processing purposes, by taking the necessary security measures.
Personal data may be transferred to third parties in the the case where the conditions in LPPD’s Clause 8 and 9 are foreseen.
E-mail and/or telephone number may be shared with third parties abroad for singularization and match-up purposes. Information of anonymous quality about online visitors which are non-member and their website use habits are collected with cookies and can be shared.
Your personal data may be transferred to the below-listed individuals:
Scope of the above-specified persons to whom transfer is made, and the purpose of data transfer are specified below.
10. PRESERVATION PERIOD OF PERSONAL DATA
The preservation periods of personal data processed by DERIMARKET are indicated in the table below.
DEPARTMENT NAME
PERSONAL DATA GROUP
PERSONAL DATA CATEGORY
PRESERVATION PERIOD
LAW
Employee Data
Credentials
Contact Details
Financial Information
Information on Legal Transactions
Personal Information
Educational Information
Professional Experience and Knowledge
Information on Side Benefits
Personnel Group Information
Organization Information
Information on the Employee’s Performance and Career Development
Private Personal Data
10 years pursuant of Turkish Code of Obligations
Supplier Data (Real Person, Supplier Executive, Supplier Employee)
Risk Management
10 years following conclusion of legal relationship
Consultant/Trainer
Intern Lawyer
1 year following conclusion of internship
Customer
Claimant 3. Individuals
Information on Customer Transactions
Transaction Security Information
Risk Management Information
10 years as of final judgment
Public official representative of the office running the investigation and proceedings
Shareholder/Partner
Unlimited Time
HUMAN RESOURCES
Side Benefits
50 years
Copy of Marriage Certificate
Copy of Children’s IDs
Personnel Group Contact Details
10 years
Employee Candidate
3 years
Intern (Normal)
Information on Transactions of Employee
Intern (Mandatory)
PRODUCT
Corporate Identity Information
5 years following the end of legal relationship
Customer Data
Upon the end of the legal relationship; 1 year as of the date of retrieval of the commercial electronic message permit, 3 years for all records related to electronic trade, 2 years of traffic information pursuant of the law no. 5651, 10 years pursuant to TPL, TCO, TCC, Consumer Protection Law.
Supplier Data (Supplier Employee, Supplier Executive)
Upon the end of the legal relationship, 10 years in accordance with TCC and TPL.
PRIVATE LABEL
Supplier Data (Supplier Employee, Supplier Executive, Accounting Executive.
10 years following the end of legal relationship
ADMINISTRATIVE AFFAIRS
IT
(INFORMATION TECHNOLOGIES)
(Mac Adress, Internet Logs)
2 years
Online Visitor Data
Supplier Data
STORE
Employee Candidate Information
BUSINESS DEVELOPMENT
Purchase Order Information
Until the end of the project period.
On-line Visitor Data
Location Information
Information on Pages Visited
ACCOUNTING
5 years in accordance with TPL, 10 years in accordance with TCC
Purchase Department
5 years following conclusion of legal relationship
STUDIO
(Photograph, video recordings)
70 years following the end of legal relationship
Transaction Information
Arranged to be updated on an annual basis
11. SAFETY OF PERSONAL DATA
To ensure the safety of personal data, reasonable measures are taken which will prevent risks of unauthorized access, accidents and data losses, deliberate deletion of data or damages to data.
To prevent access to personal data by persons other than those who have been granted authorisation to access, all necessary technical and physical measures are taken..In this context, particularly the authorization system shall be designed in such a way to make it impossible for anyone to access personal data to an extent which is more than required While ensuring safety of private personal data such as health data, measures which are more strict compared to measures related to other personal data are taken.
Authorized persons are subjected to necessary safety checks. In addition, the aforementioned persons are trained in relation to their duties and responsibilities.
Records of access to personal data are kept to the extent permitted by technical opportunities, and these records are reviewed at regular intervals. When an unauthorized access is suspected, an investigation is immediately initiated.
DERIMARKET shall comply with the obligations specified below for the purpose of ensuring safety of the data being processed:
12. LEGAL RIGHTS OF INDIVIDUALS AND METHODS FOR EXERCISING THESE RIGHTS
Rights which can be exercised by individuals in relation to personal data as stated in LPPD Clause 11, are specified below:
2. Principles in Relation to Exercising Rights in Relation to Personal Data
To exercise their rights relating to personal data, DERIMARKET members may submit their application via e-mail with the e-mail address they have registered into the system during their membership process, to [email protected]. Individuals who are not members can submit their application by using the Use of Personal Data Application Form via www.derimarket.net Applications filed in this manner will receive a response within 30 days.
13. EFFECTIVENESS AND UPDATABILITY
This hereby POLICY has entered into force on date of publication. The Policy may be updated for the purpose of adaptation to changing conditions and compliance with the legislation. Information regarding the relevant update will be provided via www.derimarket.net
ANNEX-1
DEFINITIONS STATED IN THE POLICY
Express Consent: Consent in relation to a specific matter, which is based on informing and which is expressed with free will.
Anonymization: Anonymization of personal data is to render it impossible for personal data to be associated in any manner with the identity of a real person who is is identified or identifiable, even if they are matched with other data.
Personal Data Owner: Real persons whose personal data is being processed. For example, Members, Customers...
Personal Data: means any kind of information about an identified or identifiable real person.
Private Personal Data: Data in relation to race, ethnic origin, political opinion, philosophic belief, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, imprisonment and security measures and biometric and genetic data are private personal data.
Personal Data
Protection: Any transaction carried out with the data, such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available, classifying the personal data or blocking its usage by full or partly automatic means, or by non-automatic means provided that they are part of a data entry system.
Data Processor: Real and legal persons who process personal data on behalf of the data supervisor depending on the authorization granted by the data supervisor.
Data Responsible: Real and legal persons who determine the aims and tools with which personal data will be processed, real and legal persons responsible for responsible for the establishment and management of the data record system.
LPPD: means the Law on the Protection of Personal Data No. 6698.