
Personal Data Protection Law

WITHIN THE SCOPE OF 6698 NUMBERED LAW ON PROTECTION OF PERSONAL DATA

POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA OF THE EMPLOYEES OF NOON MARKETING E TRADE INCORPORATED COMPANY (“POLICY”)

Data responsible: noonmar e-commerce logistics joint-stock company

Address: Şirinevler Kocasinan Cad. No:1 Kaman İş Merkezi Kat:1 D.5 Bahçelievler/İstanbul

1.     PURPOSE AND SCOPE

1.1.   This Policy sets out the terms and conditions that the Company will follow when processing the personal data of Employees. The purpose of this Policy is therefore to determine how Employees' personal data will be processed and to inform Employees clearly about the status of their personal data.

 

1.2.   As noonmar, we are aware of our liability for protecting personal data and providing the legal assurance arranged as a constitutional right, and we attach importance to the safe use of your personal data. The purpose of this Policy is to regulate the methods and principles to be followed in order to ensure that personal data of noonmar are processed and protected in accordance with the Law on Protection of Personal Data published in the Official Gazette dated April 7, 2016 and numbered 29677.

 

1.3.   This Policy applies to the personal data of persons/employees who work with our company under business contracts, whether processed automatically or non-automatically as part of any data recording system. The scope of application of this Policy for the groups of Personal Data Owners in the categories listed below may be the entire Policy as well as only a number of provisions.

2.     DEFINITIONS

Definitions used in this Policy are as follows:

Express consent

Consent to a specific issue, based on being informed and expressed with free will

Anonymization

Rendering personal data impossible to relate to any identified or identifiable natural person, even by pairing it with other data

Personal data

Any information relating to an identified or identifiable natural person

Special Data

Any information that may cause discrimination or victimization of the person concerned

Biometric Data

Personal data deriving from specific technical processing related to the physical, physiological or behavioral characteristics of a real person, such as facial images or dactyloscopic data, that enable or confirm the unique identification of a natural person.

Processing of personal data

Obtaining, recording, storing, preserving, amending, reissuing, disclosure, transferring and taking over personal data in whole or in part either by automatic or non-automatic means provided that it is part of any data recording system.

KVK Law

Law on Protection of Personal Data 6698 numbered

KVK Board

Personal Data Protection Board

KVK Authority

Personal Data Protection Authority

TCK

Turkish Penal Code 5237 numbered

Data processor

Real or legal entity that processes personal data based on authorization and on behalf of data responsible

Owner of personal data

The real person whose personal data is processed and referred as "relevant person" in the Law on the Protection of Personal Data

Personal Data Owner Application Form

Application form for personal data owners, whose personal data is processed by noonmar, who may exercise their application rights relevant to article 11 of the Law

Data Responsible

Real or legal person that determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Registry of Data Responsible

Registry of data responsible held by the Presidency under the supervision of the Personal Data Protection Board

Data Inventory

Inventory that is being composed and detailed by noonmar’s personal data processing activities in connection with the business processes; through being related with recipient group to which the personal data is transferred and the related personal data owner group

3.     GENERAL PRINCIPLES REGARDING PROCESSING OF PERSONAL DATA

noonmar follows the following principles in the processing of personal data:

  1. Compliance with the law and the rules of honesty

noonmar complies with the general principles of the law and the code of honesty set out in the Turkish Civil Law while fulfilling its liabilities to process and protect personal data.

  2. Being correct and updated

Our company carries out all kinds of administrative and technical measures to ensure that personal data is kept correct and updated during the processing of personal data.

  3. Processing for specific, clear and legitimate purposes

Our company clearly and strictly determines the purpose of personal data processing before starting to process personal data.

  4. Being related, limited and restrained for the purpose they are processed

Personal data are processed by our Company to the extent necessary to achieve the specified objectives. In this context, our Company takes into account the requirement of proportionality in processing of personal data and does not use personal data other than for the purpose required.

  5. Retention for the period required by the relevant legislation or for the purpose for which data had been processed

Our Company retains personal data for a limited period of time as required by the Law on the Protection of Personal Data and related legislation, or for a period necessary for the purposes of data processing. In this context, our company first determines whether a retention period has been specified in the relevant legislation. If such a period has been specified, it acts in accordance with the relevant legislation; if not, it retains data for the period necessary for the purposes for which the data had been processed. When the period expires or the reasons for processing cease to exist, personal data is deleted, terminated or made anonymous by our Company. Data processing activity is not carried out on the assumption that the data may be used in the future.

4.     PROCESSING OF PERSONAL DATA

Our Company may process personal data with express consent of the personal data owner or without express consent in cases specified in Articles 5 and 6 of the Law on the Protection of Personal Data.

4.1.         TERMS OF PROCESSING OF PERSONAL DATA

The express consent of the personal data owner is one of the legal bases that make it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of any of the following conditions. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may compose the basis of the same personal data processing activity. In the event that the processed data is special personal data, the conditions under the heading "Cases where special personal data can be processed" below in this section apply in addition to the rules written here.

  1. Processing of personal data of employee based on express consent: Employees' personal data is processed on the basis of express consent, unless it is processed on a different basis. Employees are informed about which personal data are processed, for what purposes and for which reasons their personal data are processed, from which sources their personal data are collected, with whom this personal data will be shared and their express consent are taken. Taking express consent is prepared for each data collecting source, taking into account the source from which the personal data is collected.
  2. Clearly foreseen in legislation: Where the law expressly requires the processing of personal data, the Company will process personal data.
  3. The inability to obtain express consent due to actual impossibility: In the event that it is compulsory to process the personal data of the Employees who are unable to disclose their consent due to the impossibility or whose consent cannot be validated, to protect the life or physical integrity of the person or another person, the data may be processed without the express consent of such Employee.
  4. Being involved directly with establishing and executing the contract: Provided that it is directly related to establishing and executing the contract, if it is necessary to process the personal data of the parties for the contract.
  5. Company fulfilling the legal obligation: Employees' data may be processed without express consent if processing is mandatory to fulfill legal obligations as a data responsible.
  6. Publication of personal data of employee: In case personal data of the employees are publicized by them, the data can be processed without the need for express consent.
  7. Processing data is obligatory for establishing or protection of a right: In case it is compulsory to process data for the establishment, exercising or protection of a right, the data may be processed without the express consent of the Employees.
  8. Processing of data based on legitimate interest: Provided that it is compulsory to process data for the legitimate interests of the Company, without prejudice to the fundamental rights and freedoms of the employees, the data may be processed without the express consent of the employees.

One or more personal data processing terms that make such personal data processing activity legal may apply at the same time.

           

 

4.2.      CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA

Some of the personal data is organized separately as “special personal data" and is subject to special protection. Special attention has been attributed to such data due to the risk of victimization or discrimination of persons when they are processed illegally.

  1. Processing of special personal data based on express consent: Special personal data may be processed with the express consent of the Employees. According to the characteristics of special personal data, special personal data may be processed in accordance with the principles specified in this Policy and necessary administrative and technical measures.
  2. Cases where personal data may be processed without express consent: Special personal data are processed in the following cases provided that adequate measures are taken by the Personal Data Protection Board in cases where employees do not have explicit consent:
  • In cases foreseen by law considering special personal data other than health and sexual life of employee,
  • Considering special personal data of employee relevant to health and sexual life of employee, with the purpose of public health protection, preventive medicine, medical diagnosis, treatment and care services, health services and planning and management of finance, in case they are processed by persons, authorized institutions and offices that are obliged to keep secret.

4.3.  CATEGORIES RELATED TO PERSONAL DATA PROCESSED BY OUR COMPANY

Personal data category

Explanation

Identification data

Documents such as identification card and passport involving information on name-surname, TR ID No, tax ID no, nationality, mother name, father name, date and place of birth, gender and information like signature/initial, vehicle plate etc.

Personal data

Any personal data that is processed to obtain information that will be the basis for the creation of personal rights of personnel or real persons in working relationship with the Company (Identity information, job application form, passport photos, education information etc.)

Audio / Visual Information

Processing of identification data within the scope of pictures and video records shot during and after the seminar, training and maintenance services organized by our company.

Physical Space and Safety Information

Personal data relating to records and documents received during entry into the physical space, during the stay in the physical space; camera recordings, security point recordings, etc.

Communication data

Phone number, full address information, e-mail address, in-company contact information (internal phone number, corporate e-mail address).

Financial data

Financial and salary details, payrolls, premium remuneration, premium amounts, file and debt information related to enforcement proceedings, bank passbook, minimum living allowance information, private health insurance amount.

Biometric Data

Camera footage taken for security measures of persons and handprint data for overtime recording

Employees Performance and Career Development Data

Training and skills, information on which training at which date, e-mail, signed participation form, customer quality evaluation form, evaluation of monthly performance and target performing status, activity information.

Working data

Register number, position name, department and unit, title, last employment date, entry and exit dates, insurance entry / retirement, allocation number, social security number, TTF no, tax office number, flexible working hours, holding registration number, travel status, retirement fund, retirement fund entry date, retirement fund registration number, attachment date of social security organization for artisans and the self-employed, registration number of social security organization for artisans and the self-employed, accounting code, number of working days, projects worked, monthly total overtime working information, severance pay base date, severance pay additional day, on strike last day.

Leave data

Leave-of-employment base date, leave-of-employment additional days, leave group, leave / return date, day, leave reason, leave address / telephone

Demand or Complaint Management Information

Personal data, clearly relating to an identified or identifiable natural person and processed wholly or partly by automatic means or non-automatically as part of the data recording system, concerning the receipt and assessment of all kinds of demands and complaints directed to our Company.

5.     ENSURING THE SECURITY AND PRIVACY OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, our Company takes all necessary technical and administrative measures to prevent illegal processing and illegal access to personal data, to ensure protection for personal data and to ensure appropriate measures for safety of personal data.

5.1.  TECHNICAL MEASURES TAKEN TO ENSURE THE LEGAL PROCESSING OF PERSONAL DATA AND TO PREVENT ILLEGAL ACCESS TO PERSONAL DATA

  • Access and authorization technical solutions are put into operation in accordance with the legal compliance requirements determined on the basis of business unit.
  • The personal data processing activities performed within our company are controlled by the established technical systems.
  • The technical measures taken are reported to the related person periodically as required by the internal audit mechanism.
  • Software and hardware including virus protection systems and firewalls are being installed.
  • Personnel with technical knowledge are employed.

5.2.      ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LEGAL PROCESSING OF PERSONAL DATA AND TO PREVENT ILLEGAL ACCESS TO PERSONAL DATA

The main administrative measures taken by our Company to prevent illegal access to personal data are as follows:

  • Employees are trained on technical measures to prevent illegal access to personal data.
  • In line with the business unit-based legal compliance requirements, access and authorization processes of personal data are designed and implemented within the Company.
  • Employees are informed that they may not disclose the personal data they have learned in violation of the provisions of the KVK Law, that they may not use such data for any purpose other than the processing purposes, and that this obligation will continue after their resignation; the necessary commitments are taken from them accordingly.
  • Contracts concluded by our Company with persons to whom personal data are transferred in accordance with the law include provisions that the persons to whom the personal data are transferred will take the necessary security measures and will ensure that their own institutions also follow these measures.
  • In accordance with Article 12 of the KVK Law, our company performs necessary inspections within its structure.
  • If the personal data processed in accordance with Article 12 of the KVK Law is obtained by others by illegal means, our Company operates the system that ensures that the relevant personal data owner and the KVK Board will be notified as soon as possible.

5.3.  MEASURES TO BE TAKEN IN CASE OF ILLEGAL DISCLOSURE OF PERSONAL DATA

In case processed personal data is obtained by others through illegal means, our Company will promptly notify the relevant data owner and the Board.

6.     PURPOSES OF PROCESSING AND RETENTION PERIODS FOR PERSONAL DATA

6.1.  PURPOSES OF PROCESSING PERSONAL DATA

noonmar performs personal data processing activities within the scope of the personal data processing conditions indicated in articles 5 and 6 of the KVK Law for the following purposes:

The fulfillment of the purpose for the performance of work contract, in particular;

  • Leave approval of employees, monitoring the remaining leave days, making the arrangements for the leave
  • Undertaking the process of discharge from the job
  • To ensure undertaking of payroll transactions
  • Paying salaries to employees

In order to fulfill the requirements within the scope of Labor Law, Work Health and Safety Law, Social Security Law and related legislation and other laws and legislation, in particular;

  • Composing personnel files for staff
  • To make SSI notifications, İŞKUR notifications, police station notification and incentive and legal obligation notification
  • To ensure opening compulsory private pension insurance account
  • Control of entry and exit records of employees as required by the employment contract
  • Making payments to enforcement files after making deductions from the wages of employee
  • Legal reporting of occupational accidents
  • Undertaking occupational health and safety transactions
  • Comply with other information storage, reporting, and information obligations foreseen by the legislation, the relevant regulatory authorities and other legal offices.
  • Execution of court decisions

In order to ensure security within the company, in particular;

  • To provide workplace safety
  • Ensuring employees' entry and exit to the building where the company headquarters is located

Due to requirements deriving from the performance of customer contracts, in particular;

  • Making right /wrong distinction for customer complaints, increasing customer satisfaction, understanding customer needs and improving customer-related processes
  • Assessing customer service quality and training of employees

In order to manage the company, conduct the business and implement the company policies, in particular;    

  • Monitoring and reporting the sales performance of the Company's employees
  • Since fingerprinting is used to control the entry and exit times of Company Employees, to collect data only for this purpose
  • Paying expenses to employees
  • Composing Employees page by loading Employee data, updating existing data
  • To provide communication with employees
  • To confirm that Employees who are allocated or provided with a vehicle are qualified to drive and their driving licenses have not been suspended for any reason
  • Providing vehicles and parking spaces for employees
  • To provide printing business cards
  • Ensuring that packages received by cargo and courier are forwarded to the relevant Employees
  • Record of security cameras for the protection of work health and safety, protection of the workplace and control of the production process
  • Monitoring of those who use company vehicle both for safety of employees and the performing of the work
  • To provide service and travel organization
  • Composing employee e-mail by entering employee data
  • To perform research projects related with employees
  • Ensuring control of the entry and exit of employees
  • Recording of the documents collected during the application and interview of the employees
  • Communication for the purpose of celebration
  • Training planning, reporting of training, preparation of training certificates, follow-up of employees participating in the trainings, follow-up of development processes as a result of training
  • Ensuring quality control
  • Communicating with relevant persons in case of emergency
  • Making satisfaction survey analysis

In case processing performed for the mentioned purposes does not meet any of the conditions specified in KVK Law, noonmar obtains the express consent of the personal data owner with respect to the relevant processing.

6.2.  Retaining period for Personal Data

Our company determines whether a period of time is stipulated in the relevant legislation for retaining personal data. In case a period is stipulated in the relevant legislation, it shall comply with this period; in case a period is not specified, it will keep the personal data for the time required for the purpose for which it was processed. In case the purpose of the processing of personal data has expired and the relevant legislation and / or the retention periods set by our Company have ended, the data shall be kept only for the duration of the statutory limitation periods in order to provide evidence in case of possible legal disputes, to assert the right related to personal data or to establish the defense. Personal data is not stored by our Company based on the possibility of being used in the future.

  • All records related to accounting and financial transactions: 2 years (Law numbered 6102, Law numbered 213)
  • Commercial electronic message approval records: 2 years from date of revocation of approval (Law numbered 6563 and secondary legislation)
  • Information and / or CVs received for job application: 12 months
  • Image / video recording collected with the purposes of protecting occupational health and safety, protection of the workplace and control of the production process: 2 months
  • Biometric data obtained from employees during the entry-exit process through hand-print reading: 2 months

7.     PERSONAL DATA BEING DELETED, TERMINATED AND MAKING ANONYMOUS

Your data stored within the scope of the Law will be retained for the maximum period indicated in the relevant legislation or the maximum period required for the processing purposes, or in any case for the statutory limitation periods. As arranged in Article 138 of the Turkish Penal Code and Article 7 of KVK, in case the reasons for processing data which have been processed in accordance with the relevant legislation have ceased to exist, either ex officio or upon your request, they will be deleted, terminated and made anonymous under the conditions of the Regulation on Personal data being deleted, terminated and making anonymous that was published in the Official Gazette numbered 30224 and dated 28.10.2017.

8.     ISSUES CONCERNING THE TRANSFER OF PERSONAL DATA

Our Company may transfer personal data and special personal data to third parties (“Third Parties”) both inside and/or outside the country, in line with lawful personal data processing purposes and by taking the necessary measures. Our Company will act in accordance with Articles 8 and 9 of the Law.

8.1  Transfer of personal data

Personal data may be transferred to third parties in case of express consent of data owner or without express consent of data owner in case of the conditions specified below by taking all necessary measures including the measures stipulated by the Board:

  • In case relevant activities related to transfer of personal data are clearly specified in law,
  • The transfer of personal data by the Company is directly relevant and necessary for the establishment or executing of a contract,
  • The transfer of personal data is compulsory for our Company to fulfill its legal obligations,
  • Provided that the personal data have been publicized by the data owner, our Company has limited data transfer for the purpose of publicity,
  • The transmission of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data owner or third parties,
  • Providing personal data transfer activities for the legitimate interests of the Company, with the condition that they do not harm the fundamental rights and freedoms of the data owner,
  • It is obligatory to protect life or body integrity of data owner or any third party who is unable to disclose his or her consent due to impossibility or whose legal consent is not granted.

In case personal data will be transferred abroad by our Company, in addition to the aforementioned conditions, they will be transferred to foreign countries which are declared by the Board to have adequate protection (Foreign country with adequate protection) or, in case of lack of adequate protection, to foreign countries where both the data responsible in Turkey and the one in the foreign country commit to adequate protection in written form and the Board gives consent (Foreign country where data responsible committing adequate protection exists).

8.2. Transfer of Special Personal Data

Our company attributes great importance to the confidentiality and security of your biometric data. noonmar undertakes that your fingerprint records will not be transferred to any third party in Turkey and / or abroad. However, your personal data can be transferred in Turkey or abroad in accordance with the legal data processing purposes, with the condition of showing necessary care, taking the necessary security measures including the methods stipulated by the Board and in the scope of the below mentioned conditions.

  • Special personal data other than health and sexual life can be transferred in case of express consent of the data owner or in cases prescribed by law without express consent.
  • Considering special personal data of employee relevant to health and sexual life of employee, with the purpose of public health protection, preventive medicine, medical diagnosis, treatment and care services, health services and planning and management of finance, in case they are processed by persons, authorized institutions and offices that are obliged to keep secret.

 

In case personal data can be transferred in Turkey or abroad, in addition to the aforementioned conditions, they will be sent to foreign countries with adequate protection or foreign countries where data responsible commits adequate protection.

8.3. Person Groups where Personal Data have been transferred by our Company    

In line with articles 8 and 9 of KVK Law, our Company may transfer the personal data of data owners within the scope of this Policy to person groups inside the country and abroad within the framework of specified purposes:

PERSON GROUPS, DESCRIPTION AND PURPOSE OF TRANSFER

Supplier

Description: Describes the parties providing services to noonmar on a contract basis in accordance with the orders and instructions of our Company while noonmar conducts its commercial activities.

Purpose of transfer: Personal data is shared on a limited basis in order to ensure that the services our Company outsources to the supplier, which are necessary to carry out the commercial activities of our Company, are provided to noonmar.

Business/Solution partner

Description: Defines companies and other persons with whom our Company cooperates or will cooperate for the purpose of conducting commercial activities of our Company such as the sale, marketing and / or joint customer loyalty programs for the Company's products and services.

Purpose of transfer: In order to ensure the fulfillment of the purpose of establishing the business partnership, personal data are shared to a limited extent.

Legally Authorized Public Institutions and Organizations

Description: Defines public institutions or organizations (e.g. courts, tax offices) that are legally authorized to request information and / or documents from our Company established for the purpose of performing a public service in line with the provisions of the relevant legislation.

Purpose of transfer: Personal data are shared in limited manner upon request of public institutions and organizations within their legal authorization.

Legally Authorized Private Law Entities

Description: Defines institutions or organizations (e.g. banks, insurance companies) established in accordance with certain conditions determined by the law in line with the provisions of the relevant legislation and which continue their activities within the framework determined by the law.

Purpose of transfer: Personal data are shared in limited manner on the subjects covered by the activities of the related private institutions and organizations.

 

9.     CLARIFICATION LIABILITY OF OUR COMPANY

In line with Article 10 of the KVK Law, noonmar informs personal data owners when obtaining their personal data. Within this scope, when data are obtained noonmar informs personal data owners about the identity of our company, the purposes for which personal data will be processed, to whom and for which reasons such personal data may be transferred, the method and reason of collecting personal data, and the rights of personal data owners under Article 11 of the KVK Law. In accordance with Article 11 of the KVK Law, noonmar will inform personal data owners upon their request.

On the other hand, noonmar does not have such informing liability in conditions mentioned below according to article 28 of KVK Law:

  1. Personal data processing is necessary for crime prevention or criminal investigation,
  2. Processing of personal data publicized by the owner of such data,
  3. Personal data processing is required for the conduct of supervisory or regulatory missions and for disciplinary investigation or prosecution by authorized and relevant public institutions and organizations and professional organizations with the characteristics of public institutions, based on the authority granted by law,
  4. Personal data processing is necessary to protect the economic and financial interests of the state in relation to budget, tax and financial matters.

10.  RIGHTS OF PERSONAL DATA OWNERS AND EXERCISING SUCH RIGHTS

In line with article 13 of KVK Law, evaluation of rights of personal data owners and information supposed to be made of data owners is being realized through this text as well as noonmar Personal Data Owner Application Form. Personal data owners may submit their requests regarding the processing of their personal data to us within the framework of the principles indicated in the relevant form.

10.1.       APPLICATION RIGHT

Pursuant to Article 11 of the KVK Law, anyone whose personal data have been processed can apply to our Company and make requests for the following issues:

  1. To learn whether personal data have been processed or not,
  2. To request information if personal data have been processed,
  3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  4. To request complete and precise termination of the fingerprint registration,
  5. To learn third parties to whom personal data is transferred both in Turkey or abroad,
  6. In case personal data is incomplete or incorrectly processed, to request that it be corrected and to notify the third parties to whom the personal data has been transferred,
  7. In case reasons for the processing personal data are eliminated, to request deletion, termination or anonymization of such data and to request transaction carried out within this scope will be notified to the third parties to whom the personal data has been transferred,
  8. To raise objection to the occurrence of a disadvantaged situation for data owner by analyzing the processed personal data exclusively through automated systems,
  9. To request indemnity for damages in case of damage due to illegal processing of personal data.

In accordance with Article 28 (2) of the KVK Law, personal data owners shall not be able to assert their rights (except the right to claim damages) in the following cases:

  1. Personal data processing is necessary for the prevention of crime or for criminal investigation.
  2. Processing of personal data publicized by the data owner himself/herself.
  3. Personal data processing is necessary for the authorized public institutions and organizations and professional organizations with the characteristics of public institutions for the execution of supervisory or regulatory missions and for disciplinary investigation or prosecution based on the authority granted by law.
  4. That personal data processing is necessary to protect the economic and financial interests of the State in relation to budget, tax and financial matters.

10.2.   RESPONDING METHOD

In accordance with Article 13 of the KVK Law, our Company shall finalize the application requests submitted by the personal data owner as soon as possible and within 30 (thirty) days at the latest according to the nature of the request.

The application of the personal data owner may be rejected in the following cases:

  1. Preventing other people's rights and freedoms
  2. Requires disproportionate effort
  3. Information being publicly available
  4. Endangering the privacy of others
  5. Existence of one of the cases that are not covered under the KVK Law