Skip links

Design adds value faster than it adds costs.

Consera Group

KVKK Information

PERSONAL DATA PROTECTION POLICY

TABLE OF CONTENTS

PART ONE

Purpose and Effectiveness of the Policy

PART TWO

Scope of the Law and Our Company's Rights and Obligations Arising from the Law

General Principles on the Processing of Personal Data

Personal Data Processing and Sharing Purposes under the Law

Purposes of Processing Personal Data

Purposes for Sharing Personal Data

Cases Excluded from the Scope of the Law

PART THREE

Processing of Personal Data by our Company

Classification of Personal Data Processed by Our Company

Purposes of Processing of Personal Data by our Company

Transfer of Personal Data by our Company and Classification of the Parties to whom Data is Transferred

Procedure of Processing of Personal Data by our Company

Personal Data Security

SECTION FOUR

Rights of Data Subjects Arising from the Law

Rights of Data Subjects

Exercise of Rights

PART ONE

Purpose and Effectiveness of the Policy

Law No. 6698 on the Protection of Personal Data ("Law"), which entered into force on 07.04.2016, sets out the procedures and principles regarding the processing of personal data by natural or legal persons who are classified as "data controllers" and who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.

This document ("Policy") has been prepared for the purpose of enlightening the natural persons whose personal data are processed by our Company as the data controller within the scope of the above-mentioned article.

Within the scope of the Law, personal data is defined as "any information relating to an identified or identifiable natural person" and processing is defined as "any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system".

Among other regulations, the Law imposes an obligation on data controllers to inform/illuminate data subjects whose personal data will be processed during the acquisition of personal data. According to Article 10 of the Law, data controllers are obliged to inform data subjects;

Identity of the data controller and its representative, if any,

The purpose for which personal data will be processed,

To whom and for what purpose the processed personal data may be transferred,

The method and legal grounds for collecting personal data,

other rights listed in Article 11 of the Law.

The subject of this Policy is our Company's customers, shareholders, officers and employees of our corporate customers, potential customers, shareholders, officers and employees of our business partners and suppliers, employee candidates, former employees and interns of our Company, persons retired from our Company, visitors, company officials and shareholders, business partner and supplier candidates and other third parties, and the issues regarding the processing of personal data of our employees are regulated within the scope of a separate policy text provided to employees in accordance with the Law.

PART TWO

 Scope of the Law and Our Company's Rights and Obligations Arising from the Law

  1. General Principles on the Processing of Personal Data

Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the disclosure obligation specified in Section One:

Compliance with the law and good faith.

Being accurate and up to date when necessary.

Processing for specific, explicit and legitimate purposes.

Being relevant, limited and proportionate to the purpose for which they are processed.

Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

  1. Personal Data Processing and Sharing Purposes under the Law
  2. Purposes of Processing Personal Data

Our Company does not process Personal Data without the explicit consent of the data subject. Our Company may process Personal Data without the explicit consent of the data subject in the presence of one of the following conditions. Within the scope of Articles 5 and 6 of the Law, it has determined certain situations in which data can be processed without explicit consent in terms of personal data and sensitive personal data.

Personal data pursuant to Art,

Data processing is clearly stipulated by law,

It is mandatory to process the relevant data in order to protect the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,

Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,

Data processing is mandatory for the data controller to fulfill its legal obligation,

Personal data has been made public by the data subject himself/herself,

Data processing is mandatory for the establishment, exercise or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the data subject, in cases where data processing is mandatory for the legitimate interests of the data controller, it can be processed even if the data subject does not have prior explicit consent (provided that the necessary information has been provided).

On the other hand, the Law defines data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data as "sensitive" or "sensitive" personal data and stipulates more stringent conditions for their processing. Accordingly, sensitive personal data may only be processed under the following conditions, except in cases where explicit consent has been obtained from the data subject:

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data may be processed in cases stipulated by law.

Personal data relating to health and sexual life may only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

  1. Purposes for Sharing Personal Data

In accordance with data processing, the sharing of personal data with a third party (transfer) is also subject to the explicit consent of the relevant data subject. However, according to Article 8 of the Law, data transfer can also be carried out under the conditions permitted for data processing, and in this direction, in the presence of the conditions specified in Section 2.2.a above, personal data or sensitive personal data can be transferred even without the consent of the data subject.

In relation to the transfer of personal data to third parties, the Law sets special conditions for the transfer abroad. Accordingly, personal data;

In case of explicit consent of the data subject, or

In cases where there is no explicit consent of the data subject but one or more of the other conditions mentioned above are met;

In the event that there is adequate protection in the country where the data is transferred and there is no adequate protection in the country where the data is transferred, it can be transferred abroad provided that the data controller undertakes adequate protection in writing together with the data controller in the relevant foreign country and the permission of the Personal Data Protection Board is obtained.

  1. Cases Excluded from the Scope of the Law

Pursuant to Article 28 of the Law, the Law shall not apply in the following cases:

Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data are not disclosed to third parties and the obligations regarding data security are complied with.

Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

SECTION THIRD Processing of Personal Data by our Company

  1. Classification of Personal Data Processed by Our Company

Data Category : Personal Data Categorization Description

Identity Information : Information contained in documents such as driver's license, identity card, residence card, passport, lawyer's ID card, marriage certificate (e.g. TRKN, passport no., identity card serial no., name-surname, photograph, place of birth, date of birth, age, place of birth, place of registration, sample identity card)

Contact Information : Information used to contact the person (e.g. e-mail address, telephone number, cell phone number, address)

Location Data : Data used to determine the location of the data subject (e.g., location data acquired while driving)

Customer Information : Information about customers who benefit from our products and services (e.g. customer number, occupation information, etc.)

Customer Transaction Information : Information regarding all kinds of transactions performed by customers who benefit from our products and services (e.g. requests and instructions, order and basket information, etc.)

Physical Space : Security Information Personal data related to records and documents taken at the entrance to the physical space, during the stay in the physical space (e.g. entrance and exit logs, visit information, camera records, etc.).

Transaction Security Information : Personal data processed in order to ensure the technical, administrative, legal and commercial security of our Company and related parties (e.g. information such as website password and password that shows that the person is authorized to match the transaction associated with the personal data owner and to perform that transaction)

Risk Management Information : Personal data processed to manage the commercial, technical and administrative risks of our company (e.g. IP address, Mac ID, etc. records)

Financial Information : Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of legal relationship with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest amount and rate to be paid, debt balance, receivable balance, etc.).

Personal Data : All kinds of personal data processed for obtaining information that will be the basis for the protection of the personal rights of natural persons who are in a working relationship with the Personal Data Owner (all kinds of information and documents that must be entered into the personal file by law)

Employee Candidate Information: Personal data belonging to data subjects who share their information to apply for a job with our company, used in the application evaluation process (e.g. resume, interview notes, personality test results, etc.).

Employee Transaction Information: Personal data related to all kinds of business-related transactions carried out by the Company's supplier employees (e.g. entry-exit records, business travels, information on meetings attended, security query, e-mail traffic monitoring information, vehicle usage information, company card expenditure information)

Marketing Information : Data to be used by our company in marketing activities (e.g. reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, data enrichment activities)

Legal Transaction and Compliance Information: Personal data processed for the determination and follow-up of legal receivables and rights and for the performance of debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions)

Audit and Inspection Information: Personal data processed within the scope of our company's legal obligations and compliance with company policies (e.g. audit and inspection reports, relevant interview records and similar records)

Sensitive Personal Data : Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Request/Complaint Management Information: Personal data regarding the receipt and evaluation of all kinds of requests or complaints addressed to our Company.

Audiovisual Data : Visual and audio recordings associated with the personal data subject (e.g. photographs, camera recordings and audio recordings)

  1. Purposes of Processing of Personal Data by our Company

Our Company processes personal data for the following purposes within the scope stated above:

  • Planning, auditing and execution of information security processes
  • Establishment and management of information technology infrastructure
  • Planning and execution of employee benefits and perks
  • Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organization activities in which employees participate
  • Planning and execution of employee authorizations to access information
  • Monitoring and/or supervision of employees' work activities
  • Follow-up of financial and/or accounting affairs
  • Follow-up of legal affairs
  • Planning of human resources processes
  • Planning and/or execution of activities for conducting effectiveness/efficiency and/or relevance analysis of business activities
  • Planning and execution of business activities
  • Planning and execution of authorizations of business partners and/or suppliers to access information
  • Management of relationships with business partners and/or suppliers
  • Planning and/or execution of occupational health and/or safety processes
  • Planning and/or execution of business continuity activities
  • Planning and execution of corporate communication and management activities
  • Planning and execution of logistics activities
  • Planning and execution of customer relationship management processes
  • Planning and/or execution of customer satisfaction activities
  • Follow-up of customer requests and/or complaints
  • Execution of personnel recruitment processes
  • Fulfillment of obligations arising from the employment contract and/or legislation for Company employees
  • Planning and execution of company audit activities
  • Planning and execution of external training activities
  • Planning and execution of the necessary operational activities to ensure that the Company's activities are carried out in accordance with company procedures and/or relevant legislation
  • Planning and/or execution of in-house training activities
  • Ensuring the security of company operations
  • Ensuring the security of company premises and/or facilities
  • Planning and/or execution of the processes of creating and/or increasing loyalty to the products and/or services offered by the Company
  • Planning and/or execution of the Company's production and/or operational risk processes
  • Realization of company and partnership law transactions
  • Follow-up of contract processes and/or legal requests
  • Execution of strategic planning activities
  • Wage management
  • Planning and execution of supply chain management processes
  • Planning and execution of production and/or operation processes
  • Planning and execution of market research activities for sales and marketing of products and services
  • Planning and execution of marketing processes of products and/or services
  • Planning and execution of sales processes of products and/or services
  • Ensuring that data is accurate and up-to-date
  • Providing information to authorized institutions due to legislation
  • Creation and follow-up of visitor records
  1. Transfer of Personal Data by our Company and Classification of the Parties to whom Data is Transferred

Personal data may be transferred by our Company to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the above-mentioned purposes.

  1. Procedure of Processing of Personal Data by our Company

Within the scope of its obligations arising from the Law as a data controller, our Company informs the data subjects in accordance with Article 10 of the Law before obtaining personal data from the data subjects. If any data processing process carried out by our Company does not meet the conditions specified in the Law and detailed in Section 2.2.a and b above, explicit consent is obtained from the data subjects and the relevant processes are carried out within the framework of the explicit consent.

Within the scope of the Law, explicit consent is defined as "consent regarding a specific subject, based on information and expressed with free will" and in this direction, our Company obtains the explicit consent of data subjects after informing them in accordance with Article 10 of the Law.

Although no time period is specified for the retention of personal data under the Law, in accordance with the general principles, it is essential to retain personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In order to determine the retention periods in accordance with the said principle, our Company makes an assessment based on the legislation in force regarding each data processing process and the purpose of the process. Accordingly, our Company retains personal data at least for the period required by its legal obligations and in any case until the relevant statute of limitations expires.

Our Company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the aforementioned periods. Within the scope of the Law, anonymization is defined as "making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data" and our Company's anonymization activities are carried out in accordance with the applicable legislation.

  1. Personal Data Security

In order to ensure the security of personal data, our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:

  • Taking appropriate software and hardware security measures for processed personal data
  • Carrying out the audits stipulated under the Law
  • Ensuring compliance of the Company and employees with the Law through internal trainings, policies and procedures
  • Ensuring and recording access to information on the basis of necessity through internal authorizations
  • Realization of process-based follow-up of personal data processing activities
  • Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers

SECTION FOUR

Rights of Data Subjects Arising from the Law

  1. Rights of Data Subjects

Personal data subjects according to Article 11 of the Law;

  • To learn whether personal data about him/her is being processed,
  • To request information if personal data about him/her has been processed,
  • To learn the purpose of processing personal data and whether they are used for their intended purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing,
  • To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the Law and other relevant laws,
  • To request notification of the transactions made as a result of correction, deletion and destruction requests to third parties to whom personal data are transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage

rights.

Paragraph 2 of Article 28 of the Law stipulates that in certain circumstances, the data subject may not request anything other than compensation for damages from the data controller. According to this

  • Processing of personal data is necessary for the prevention of crime or criminal investigation,
  • Processing of personal data made public by the data subject himself/herself,
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters

In such cases, the above-mentioned rights cannot be exercised for the relevant data.

  1. Exercise of Rights

Data subjects will be able to use the Application Form to exercise the rights mentioned above.

Applications, together with the documents that will identify the identity of the relevant data owner, may be made by delivering a wet signed copy of the form by hand or through a notary public or by other methods specified in the Law to "Huzur Mah. Ayazağa Cad. 4B/601 Maslak -Sarıyer / İstanbul" or by using secure electronic signature, mobile signature or the e-mail address you have previously notified us and registered in our system [email protected] or [email protected] can be made in writing by sending an e-mail. If a method other than the aforementioned methods is envisaged by the Personal Data Protection Board, applications can also be submitted by this method.

Data subject requests submitted by one of the above-mentioned methods are evaluated and responded by our Company within maximum thirty days. Our Company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data subject.

As a rule, data subject applications are evaluated free of charge by our Company. However, if a fee is determined by the Personal Data Protection Board regarding the data subject's request, our Company will have the right to demand payment over this fee.

The Company reserves the right to make changes in this Policy and other policies related and related to this Policy due to amendments to the Law, in accordance with the decisions of the PDP Board or in line with the developments in the sector or in the field of informatics.

Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are explained at the end of the Policy.

VLM 4 BUILDING SYSTEMS INVESTMENT CO.

Mersis No. 0925-0718-1480-0001

Explore
Drag