AKSOYOĞLU KONFEKSİYON TEKSTİL SANAYİ TİCARET ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION, PROCESSING AND DISPOSAL POLICY

INTRODUCTION

As Aksoyoğlu Konfeksiyon Tekstil Sanayi Ticaret Anonim Şirketi “Aksoyoğlu” or “Company”, we respect and care about the security of your personal data and the privacy of your private life. We bring to your attention this Personal Data Protection, Processing and Destruction Policy “Policy”, which is prepared to inform you about the processing, transfer, storage and destruction of your personal data that you have shared with us and your rights regarding the use and protection of your personal data within the scope of the Personal Data Protection Law No. 6698 “KVKK” or “Law”.

As explained in this Policy, your personal data may be recorded, archived, updated, transferred, classified and processed in the ways listed in the KVKK and the relevant legislation within the scope of the relevant legislation.

With this Policy, we have tried to provide you with all information regarding the processing of personal data in a clear and understandable manner. If you have any questions about our use of your personal data after reading the Policy, you can always contact us using the contact information below.

Aksoyoğlu Konfeksiyon Tekstil Sanayi Ticaret Anonim Şirketi
Address: Etiler Mah. Özdeş Sk. Dadaş Apt No: 11 B Beşiktaş / İstanbul
Tax Office: Beşiktaş
Tax Identification Number: 0370765946
E-mail Address: info@dizagabo.com
Web Address: www.dizagabo.com

---

WHAT IS THE SCOPE OF THIS POLICY?

The scope of this Policy applies to the processing, protection and destruction of all personal data of you, the data subject. This Policy applies to all recording environments where your personal data owned or managed by us are processed and to our activities for the processing of your personal data.

---

OUR PURPOSES FOR PROCESSING YOUR PERSONAL DATA AND WHAT IS YOUR PERSONAL DATA THAT WE PROCESS?

Commercial Communication Processes

If you give commercial communication permission/explicit consent, we process your identity information such as name and surname, and contact information such as phone number, e-mail address and address information, for the purposes of general or personalized campaigns, advantages, promotions, advertisements, notifications, marketing activities and commercial communication activities such as SMS, e-mail and calls, conducting surveys for customer satisfaction regarding our products and services, campaigns, contests, sweepstakes, invitations, openings and other events.

Sales Processes

We process your identity information such as name-surname and tax number if you are a corporate customer, contact information such as e-mail and mobile phone, customer transaction information such as offer, order and cargo information, billing information and the institution you work for, for the purposes of sending your products to you, communicating with you when necessary such as invoice issuance and return processes, regarding new order processes, and your voice records if you contact us via phone.

Legal Processes and Internal Activities

We process your identity, communication, shopping, billing, transaction security information such as log records, and your voice records in order to fulfill our obligations arising from the legislation and to fulfill our other legal obligations to authorized public institutions and organizations.

For the purposes of exercising all kinds of litigation, response and objection rights against official institutions and organizations such as courts, enforcement offices and arbitral tribunals in case of disputes arising, conducting negotiation and agreement processes regarding disputes, providing you with the necessary information if you request information from us, and internal audit, internal control, reporting, testing, development and improvement studies, we process your identity information, contact information, shopping information, invoice information, transaction security information and legal transaction information.

We process your identity, contact, shopping, order and transaction security information in order to prevent the use of our website and other Aksoyoğlu systems in violation of membership agreements, legislation and morality, to detect suspicious transactions and illegal uses, and to block and unblock transactions.

---

TO WHOM AND FOR WHAT PURPOSE DO WE TRANSFER YOUR PERSONAL DATA?

We transfer your personal data to third parties only for the purposes specified in this Policy and in accordance with Articles 8 and 9 of KVKK.

In order for you to benefit from the services we provide in accordance with KVKK, your personal data that you share with us are shared with our business partners, natural persons or private legal entities and authorized institutions and organizations. In this context, the third parties to whom your personal data are transferred, and the purposes of transfer are as follows:

• With auditors during ordinary and special audits;
• With our legal advisors for the follow-up of receivables, execution of legal processes and protection of our Company’s interests;
• With public institutions and organizations authorized to request data;
• With the security company that automatically shares camera recordings taken to ensure the security of the physical space;
• With the building security team, where visitor lists are shared regularly to ensure physical space security and entry and exit;
• With our service providers, agents and domestic and international business partners for the execution of transactions within the scope of the Aksoyoğlu website;
• With our service provider supplier for the purpose of sending commercial electronic messages;
• With our suppliers and business partners that we receive support from within the scope of website visitor and customer satisfaction processes.

---

STORAGE MEDIA FOR YOUR PERSONAL DATA

Categorization of Your Personal Data

In accordance with the law, we process your personal data in the categories of identity, contact information, website visitor and customer transactions, finance, audio and visual records, and transaction security. In terms of company employees, we also process your personal data in the categories of professional experience, education and personnel data.

Website Visitors and Cookies

On our website, your internet movements within the site are recorded by technical means such as cookies in order to fulfill the obligations in the relevant legislation or to ensure that your visits to the site are carried out in accordance with your visit purposes, to show you customized content and to engage in online advertising activities.

Campaigns are organized on the website we own and the websites of our business partners and personal data can be processed in these areas. We take the necessary technical and administrative measures regarding the protection and processing of personal data in relation to these activities we carry out and inform you with detailed information texts on the relevant website.

Basic Principles on Processing and Destruction

We process your personal data for specific, explicit and legitimate purposes in accordance with the regulation in the KVKK, in accordance with the law and good faith, accurately and updated when necessary. Your processed personal data are processed in accordance with the principles of being connected, limited and proportionate to the purpose for which they are processed and are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Recording Media

Your personal data is securely stored in accordance with the law in the environments listed below:

Electronic Media

• Servers such as server, backup, e-mail, database, web page and file sharing systems;
• Software such as office software and portals;
• Information security devices such as firewall, intrusion detection and prevention systems, log files and anti-virus systems;
• Personal computers such as desktop and laptop computers;
• Mobile devices such as phones and tablets;
• Removable memories such as USB and memory cards;
• Printer, scanner and copier;
• Camera recordings such as photos and videos.

Non-Electronic Media

• Paper;
• Written, printed and visual media.

---

EXPLANATIONS ON STORAGE AND DISPOSAL

We store and destroy your personal data in accordance with the KVKK for the following legal reasons.

Legal Grounds for Retention

Your personal data processed within the framework of our activities are kept for the periods stipulated in the relevant legislation. In this context, your personal data can be processed for:

• Ensuring the continuation of the contractual relationship;
• Realization of commercial activity;
• Fulfillment of Aksoyoğlu’s legal obligations;
• Turkish Commercial Code No. 6102;
• Turkish Code of Obligations No. 6098;
• Law No. 6698 on the Protection of Personal Data;
• Law No. 6563 on the Regulation of Electronic Commerce;
• Banking Law No. 5411;
• Law No. 5510 on Social Security and General Health Insurance;
• Law No. 6331 on Occupational Health and Safety;
• Labor Law No. 4857;
• Law No. 6502 on Consumer Protection;
• Law No. 4054 on the Protection of Competition;
• Income Tax Law No. 193;
• Retention periods stipulated under other secondary regulations in force pursuant to these laws.

Processing Purposes Requiring Retention

We store your personal data that we process within the framework of our activities for the following purposes:

• Conducting and supervising commercial activities;
• Carrying out human resources processes;
• Carrying out the Company’s service and goods procurement, sales and marketing activities and providing the necessary communication within this scope;
• Execution of after-sales support services for goods and services;
• Ensuring corporate communication;
• Ensuring company security and transaction security;
• Conducting financial and statistical studies;
• Performing works and transactions within the framework of concluded contracts and protocols;
• Ensuring that legal obligations are fulfilled as required or mandated by legal regulations;
• Liaising with real or legal persons with whom we have a business relationship;
• Making legal reports;
• Managing customer processes;
• Executing risk management processes;
• Executing and supervising access authorizations;
• Managing fairs, organizations and other events;
• Executing advertising, campaign and promotion processes;
• Conducting selection and placement processes for the relevant person;
• Carrying out activities to ensure business continuity;
• Conducting performance evaluation processes;
• Carrying out storage and archive activities;
• Conducting talent and career development activities;
• Providing the burden of proof as evidence in future legal disputes.

Reasons for Destruction

In the cases listed below, it is accepted that the conditions for processing your personal data have disappeared:

• Amendment or abolition of the provisions of the relevant legislation that constitute the basis for processing personal data;
• The contract between the parties has never been established, the contract is not valid, the contract is automatically terminated, the contract is terminated or the contract is revoked;
• The purpose requiring the processing of personal data disappears;
• Processing of personal data is contrary to the law or good faith;
• In cases where the processing of personal data takes place only based on explicit consent, the data subject’s withdrawal of consent;
• Acceptance by the data controller of the application made by the data subject regarding the personal data processing activity within the framework of the rights in subparagraphs e and f of Article 11 of the KVKK;
• In cases where the data controller rejects the application made by the data subject with the request for the deletion or destruction of personal data, the response is found insufficient or does not respond within the period stipulated in the KVKK; in case of a complaint to the KVK Board and this request is approved by the KVK Board;
• Although the maximum period for retaining personal data has elapsed, there are no circumstances that justify retaining personal data for a longer period;
• The disappearance of the conditions requiring the processing of personal data in Articles 5 and 6 of the KVKK.

In these cases, your personal data are deleted, destroyed or anonymized ex officio or upon your request in accordance with the periods specified in this Policy.

---

HOW DO WE DESTROY YOUR PERSONAL DATA?

At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, your personal data are destroyed by us ex officio or upon your application by the following techniques in accordance with the provisions of the relevant legislation.

 

Deletion of Your Personal Data

Data Recording Environment	Description
Personal Data on Servers	For your personal data on the servers, deletion is made by the system administrator by removing the access authorization of the relevant users for those whose retention period has expired.
Personal Data in Electronic Media	Those of your personal data stored in electronic media whose period of retention has expired shall be made inaccessible and non-reusable in any way for employees, other than the database administrator.
Personal Data in Physical Environment	For your personal data kept in the physical environment, those that expire, except for the unit manager responsible for the document archive, are rendered inaccessible and non-reusable in any way for other employees. In addition, the blackout process is applied by scratching, painting or erasing in such a way that it cannot be read.
Personal Data on Portable Media	Your personal data stored in flash-based storage media, which expire after the period of time required for storage, are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization given only to the system administrator.

 

Destruction of Your Personal Data

Data Recording Environment	Description
Personal Data in Physical Environment	Those of your personal data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines.
Personal Data in Optical / Magnetic Media	Physical destruction of your personal data on optical media and magnetic media, such as melting, incineration or pulverization, is applied to those whose retention period has expired.

 

Anonymization of Your Personal Data

We anonymize the data that can be used in statistics and reporting. Within the scope of anonymization, your personal data is rendered unassociable with an identified or identifiable natural person, even by appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of data by us or third parties and/or the matching of data with other data.

---

STORAGE AND DESTRUCTION PERIODS

Your processed personal data are processed in accordance with the principles of being connected, limited and proportionate to the purpose for which they are processed and are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Regarding your personal data being processed within the scope of our activities:

• Retention periods on personal data basis for all personal data within the scope of activities carried out depending on the processes in the data inventory; and
• Process-based retention periods are included in this Policy.

These retention periods are updated by us if necessary. At the end of the retention periods, the relevant data is deleted, destroyed or anonymized within six months, which is the periodic destruction period. Accordingly, we perform periodic destruction in June and December each year.

Retention and Destruction Periods by Process

Process	Storage Time	Destruction Period
Human Resources Processes Employees	10 years from the termination of the employment relationship. Within the scope of Law No. 6331.	At the first periodic destruction following the end of the storage period.
Employee Candidate Evaluation Processes	3 years from the end of the negotiation.	At the first periodic destruction following the end of the storage period.
Conclusion of Contracts with Service Providers, Processing of Contracts and Communication	10 years from the termination of the contractual relationship.	At the first periodic destruction following the end of the storage period.
Website Visitor / Customer Transactions - Website Visitor / Customer Financial Analysis - Service Analysis	10 years from the termination of the contractual relationship.	At the first periodic destruction following the end of the storage period.
Marketing Activities	10 years from the termination of the contractual relationship.	At the first periodic destruction following the end of the storage period.
Emergency - Risk Management and Accident Reporting	10 years from the termination of the contractual relationship.	At the first periodic destruction following the end of the storage period.
Resolving Website Visitor / Customer Complaints Received via Social Media or E-Mail	5 years from the resolution of customer complaints.	At the first periodic destruction following the end of the storage period.
Incoming Notifications	10 years from the date of receipt.	At the first periodic destruction following the end of the storage period.
Contracts	10 years from the end of the contract.	At the first periodic destruction following the end of the storage period.
Security Camera Recordings	2 years from the date of registration.	At the first periodic destruction following the end of the storage period.

 

WHAT ARE YOUR RIGHTS?

We have made the necessary assignments and established the relevant channels in order to respond to your questions as soon as possible. In this context, we have adopted the principle of realizing administrative and technical arrangements in order to respond to your questions in a short time and updating and changing them in accordance with the conditions of the day.

As the personal data owner, you have the right to request the following from our Company, which is the data controller:

• To learn whether your personal data is being processed;
• To request information if this data has been processed;
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose;
• If personal data is transferred both domestically and abroad, to learn the persons and places of transfer;
• To request correction of your personal data in case of incomplete or incorrect processing;
• To request the deletion or destruction of your personal data in case the reasons requiring the processing of your personal data disappear;
• If your personal data is corrected or destroyed, to request that this matter be notified to third parties to whom the data has been transferred;
• To object to unfavorable results arising from analysis exclusively through automated systems;
• To demand compensation for damages in case you suffer damage due to unlawful processing of your personal data.

Your personal data will be destroyed or anonymized upon your request, except for personal data that still has a purpose for data processing, data that must be retained due to limitation periods and retention periods specified in this Policy, and/or personal data that must be kept by law.

As the owner of personal data, you can make a request from our Company as the data controller within the above scope by sending an e-mail to info@dizagabo.com, by sending a notification via notary public or by registered mail with return receipt requested, or by applying in person to the address below:

Aksoyoğlu Konfeksiyon Tekstil Sanayi Ticaret Anonim Şirketi
Address: Etiler Mah. Özdeş Sk. Dadaş Apt No: 11 B Beşiktaş / İstanbul
E-mail: info@dizagabo.com