GDPR POLICY
BERİL TEXTILE PERSONAL DATA PROTECTION AND PROCESSING POLICY
This GDPR Policy includes explanations regarding the following topics:
1. PURPOSE AND SCOPE
2. DEFINITIONS
3. PROCESSING OF PERSONAL DATA
3.1. Personal Data Categories and Purposes of Processing
3.2. Methods of Collecting Personal Data
3.3. Informing the Relevant Person
3.4. General Principles Regarding the Processing of Personal Data
3.5. Conditions for Processing Personal Data
3.6. Processing of Special Categories of Personal Data
3.7. Transfer of Personal Data
3.8. Storage and Disposal of Personal Data
4. PROTECTION OF PERSONAL DATA
5. RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
5.1. Rights of Data Subjects
5.2. Exercising the Rights of Data Subjects
5.3. Evaluation and Response to Applications by Data Subjects
6. RELATIONSHIP OF GDPR POLICY WITH OTHER POLICIES
7. ENFORCEMENT AND AMENDMENTS TO GDPR POLICY
8. CONTACT US
1. PURPOSE AND SCOPE
The protection and privacy of personal data is adopted as an institutional culture by …………….. ANONYMOUS COMPANY (“BERİL TEXTILE” or “Company” as it will be referred to briefly under the Policy). The Company makes every effort to process and protect the personal data of real persons, in accordance with the laws and universal legal principles in force, within the scope of its activities. The Company is the data controller for the personal data you provide, including those related to this website, and processes and protects personal data under this Policy.
This GDPR Policy applies to the personal data of persons other than our employees, processed by the Company, fully or partially by automated or non-automated means provided they are part of any data recording system. The GDPR Policy demonstrates how the principles and rules set by the relevant legislation are applied in the Company’s GDPR processes.
The protection and lawful processing of personal data are primarily subject to the relevant legislation, secondary regulations, and universal legal principles in force. In case of any conflict between our GDPR Policy and the regulations in force, the latter shall prevail.
We may update this Policy from time to time, so please check back when you use our services to ensure you are reviewing our most current Policy.
2. DEFINITIONS
ABBREVIATION | DEFINITION |
Explicit Consent | Consent based on being informed about a specific subject and expressed freely. |
Information Obligation | The obligation of the Company, as the Data Controller or its authorized persons, to inform the relevant person in accordance with Article 10 of the GDPR Law and the Notification on the Principles and Procedures for Fulfilling the Obligation to Inform. |
Relevant Person, Data Subject | Natural persons whose personal data is processed by or on behalf of the Company. |
Destruction | The deletion, destruction, or anonymization of personal data. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Anonymization of Personal Data | Rendering personal data unable to be associated with an identifiable natural person, even when combined with other data. |
Processing of Personal Data | Any operation performed on personal data such as collection, recording, storage, alteration, or transfer, whether or not by automated means. |
Deletion of Personal Data | Making personal data inaccessible and unusable for relevant users in any way. |
Destruction of Personal Data | Making personal data inaccessible, irrecoverable, and unusable by anyone. |
Board | The Personal Data Protection Board |
Authority | The Personal Data Protection Authority |
Law, GDPR Law | The Law on the Protection of Personal Data No. 6698 |
GDPR Policy | The Personal Data Protection and Processing Policy adopted by the Company. |
Special Categories of Personal Data | Personal data relating to an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life, as well as genetic or biometric data. |
Profiling | Using automated means to process personal data in order to analyze or predict certain things about individuals. |
Company | ………………….ANONYMOUS COMPANY |
VERBIS, Register | The Data Controllers Register Information System maintained by the Personal Data Protection Authority. |
Data Processor | Natural or legal persons who process personal data on behalf of the data controller. |
Data Controller | The person responsible for establishing and managing the data processing system and determining the purposes and means of processing personal data. |
3. PROCESSING OF PERSONAL DATA
3.1. Personal Data Categories and Purposes of Processing
The Company processes personal data in accordance with the principles specified in the GDPR Law, based on at least one of the data processing conditions in Articles 5 and 6 of the GDPR Law. The Company informs relevant persons in the disclosure texts regarding data processing categories and purposes in accordance with Article 10 of the GDPR Law and secondary legislation.
3.2. Methods of Collecting Personal Data
The Company collects personal data by electronic or physical means, in compliance with the data processing conditions stipulated in the GDPR Law and this GDPR Policy.
The Company is committed to complying with legal norms when obtaining personal data. It collects data only as necessary for the relevant activity and ensures data security in data collection/transfer agreements with third parties.
3.3. Informing the Relevant Person
The Company informs relevant persons in accordance with Article 10 of the GDPR Law and the Notification on the Principles and Procedures for Fulfilling the Obligation to Inform regarding the identity of the data controller, the legal reasons and purposes for processing, the categories of data processed, the persons to whom the data is transferred, and the rights of the relevant persons.
3.4. Fundamental Principles Related to the Processing of Personal Data
The Company adheres to the “General Principles” stipulated in Article 4 of the GDPR Law regarding personal data processing activities.
3.4.1. Processing in Accordance with Law and Good Faith
The Company conducts personal data processing activities in accordance with the legal norms and universal principles of law, managing these processes transparently and ensuring that relevant persons are informed. The Company avoids creating unexpected or unreasonable outcomes for data subjects.
3.4.2. Ensuring Accuracy and Up-to-date Data When Necessary
As a rule, personal data is processed based on the declarations made by the relevant persons. The Company assumes that the data declared by the person is correct and is not obligated to verify it. However, the Company takes reasonable steps to ensure that the personal data is accurate and up-to-date when necessary.
3.4.3. Processing for Specific, Explicit, and Legitimate Purposes
Before starting personal data processing activities, the Company defines its legitimate and lawful processing purposes in a clear and specific manner.
3.4.4. Being Limited and Proportionate to the Purpose for Processing
The Company processes personal data proportionally and limited to the purposes it has defined and communicated to the relevant person.
3.4.5. Retaining for the Period Required by Relevant Legislation
The Company retains personal data for the periods stipulated in the legislation or for as long as necessary for the purpose of processing. Once these periods end, the Company deletes, destroys, or anonymizes the data.
The above principles apply regardless of whether the Company processes personal data based on explicit consent or other data processing conditions. The Company ensures that it complies with the data processing conditions and fulfills its obligation to inform the relevant persons.
3.5. Conditions for Processing Personal Data
The Company processes personal data either based on the explicit consent of the data subject or based on one or more of the other data processing conditions specified in the GDPR Law. The conditions for processing special categories of personal data are outlined in the section “Processing Special Categories of Personal Data.”
3.5.1. Presence of Explicit Consent of the Data Subject
If explicit consent is obtained from the data subject, this data processing condition is applicable.
3.5.2. Explicitly Stipulated in Laws
If processing personal data is explicitly required by law, this data processing condition applies.
3.5.3. Inability to Obtain Explicit Consent Due to Physical Impossibility
If the data subject is unable to give consent due to a physical impossibility, personal data can be processed for the protection of the person’s life or physical integrity.
3.5.4. Direct Relevance to the Establishment or Execution of a Contract
Personal data can be processed if it is directly related to the establishment or execution of a contract to which the data subject is a party.
3.5.5. Mandatory for the Data Controller to Fulfill Legal Obligations
If it is necessary to process personal data for the data controller to fulfill its legal obligations, this data processing condition applies.
3.5.6. Personal Data Made Public by the Data Subject
If personal data is made public by the data subject, it can only be processed for purposes aligned with the disclosure.
3.5.7. Mandatory for the Establishment, Exercise, or Protection of a Right
Personal data can be processed if it is necessary for the establishment, exercise, or protection of a right.
3.5.8. Mandatory for the Legitimate Interests of the Data Controller
Personal data can be processed if it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.6. Processing of Special Categories of Personal Data
The Company processes special categories of personal data in compliance with the additional measures announced by the Personal Data Protection Board, based on the presence of one of the following data processing conditions:
3.6.1. The explicit consent of the data subject.
3.6.2. Processing of special categories of personal data, other than health and sexual life, is stipulated in the laws.
3.6.3. Personal data regarding health and sexual life can be processed by persons under confidentiality obligations for purposes such as public health protection, medical diagnosis, and the execution of treatment services.
3.7. Transfer of Personal Data
3.7.1. Domestic Data Transfer
The Company transfers personal data, including special categories of personal data, to third parties in accordance with the provisions of Article 8 of the GDPR Law, based on legitimate data processing purposes.
3.7.2. International Data Transfer
The Company may transfer personal data abroad in accordance with the provisions of Article 9 of the GDPR Law, provided that one of the following conditions is met:
3.7.2.1. To foreign countries declared to have adequate protection by the Authority, or
3.7.2.2. In the absence of adequate protection, to foreign countries where data controllers in Turkey and the foreign country undertake adequate protection in writing and the Board grants permission, without requiring the explicit consent of the data subject.
3.7.2.3. In the absence of the above conditions, the transfer of personal data abroad is only possible with the explicit consent of the data subject.
The Company may transfer personal data abroad for purposes such as maintaining corporate electronic communication channels or ensuring data security.
3.8. Processing of Personal Data by Group Companies
Your personal data may be transferred or made accessible to Group Companies for the purposes of performing the services provided to you by BERİL TEXTILE.
3.9. Retention and Disposal of Personal Data
As the Data Controller, the Company retains personal data in accordance with the Retention and Disposal Policy, stating the retention periods and disposal cycles for each data category in VERBIS. The Company deletes, destroys, or anonymizes the data after the retention period expires.
4. PROTECTION OF PERSONAL DATA
The Company takes technical and administrative measures to ensure the lawful processing of personal data.
The Company ensures that personal data is only processed for the purposes specified in VERBIS and reduces the risks of unauthorized access or data breaches.
The Company maintains confidentiality, and personal data can only be accessed by authorized persons.
In the event of a data breach, the Company will take immediate action, notify the relevant persons and the Board, and take the necessary measures.
5. RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
5.1. Rights of Data Subjects
According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. The rights of the data subject are listed in Article 11 of the GDPR Law as follows:
- The right to learn whether personal data is processed,
- The right to request information if personal data has been processed,
- The right to learn the purpose of processing personal data and whether it is used in line with the intended purpose,
- The right to know the third parties to whom personal data has been transferred domestically or abroad,
- The right to request the correction of incomplete or inaccurate data,
- The right to request the deletion or destruction of personal data in accordance with Article 7 of the GDPR Law,
- The right to request notification of the actions taken to third parties to whom personal data has been transferred,
- The right to object to the analysis of personal data solely by automated systems that result in unfavorable consequences,
- The right to request compensation for damages in case of unlawful processing of personal data.
5.2. Exercising the Rights of Data Subjects
The data subject can submit their requests regarding their rights in writing or via electronic methods previously communicated to the Company. The application includes the following information:
- Name, surname, and signature if the application is in writing,
- For Turkish citizens, the Turkish ID number; for foreigners, nationality, passport number, or identity number if any,
- Residential or workplace address for notification purposes,
- Notification email address, phone, or fax number if available,
- The subject of the request.
The data subject must attach the relevant information and documents to the application.
5.3. Evaluation and Response to Applications by Data Subjects
The Company will conclude requests by data subjects within 30 days, free of charge, but may charge a fee according to the tariff set by the Authority if the process involves a cost.
For written applications, the application date is the date the document is delivered to the data controller or its representative.
6. RELATIONSHIP OF GDPR POLICY WITH OTHER POLICIES
The Company outlines its data protection principles in policies, making them available to the public as necessary.
7. ENFORCEMENT AND AMENDMENTS TO GDPR POLICY
This GDPR Policy is published on the Company’s website and becomes effective on the publication date. The Company may make amendments to the GDPR Policy at any time, and the updated policy will become effective on the day it is published.
8. CONTACT US
If you have any questions regarding this GDPR Policy or our approach to processing and protecting your personal data, you can contact us through the following means:
Title:
Address:
Phone:
Email Address:
ANNEX-1
Data Category | Purposes of Data Processing |
Identity | Management of Emergency Processes; Management of Information Security Processes; Audit/Ethics Conduct; Training Activities; Management of Access Rights; Compliance with Legal Obligations; Management of Financial and Accounting Processes; Management of Customer Relations; Ensuring Safety of Moveable Property and Resources; Data Security Operations; Providing Information to Authorized Institutions |
Communication | Management of Emergency Processes; Management of Information Security Processes; Audit/Ethics Conduct; Training Activities; Compliance with Legal Obligations; Management of Financial and Accounting Processes; Management of Customer Relations; Ensuring Safety of Moveable Property and Resources; Providing Information to Authorized Institutions |
Legal Action | Audit/Ethics Conduct; Compliance with Legal Obligations; Management of Legal Processes; Retention and Archiving |
Customer Transaction | Audit/Ethics Conduct; Management of Customer Relations; Ensuring Safety of Moveable Property and Resources; Management of Financial and Accounting Processes; Providing Information to Authorized Institutions |
Physical Security | Information Security Management; Audit/Ethics Conduct; Management of Access Rights; Management of Legal Processes |
Risk Management | Management of Emergency Processes; Internal Audit/Investigation Processes; Management of Financial and Accounting Processes; Compliance with Legal Obligations |
Finance | Audit/Ethics Conduct; Compliance with Legal Obligations; Management of Financial Processes |
Occupational Experience | Audit/Ethics Conduct; Management of Training Activities; Management of Legal Processes; Compliance with Legal Obligations |
Visual and Audio Recordings | Information Security Management; Management of Visual Records; Management of Security Processes; Compliance with Legal Obligations |