KVKK Form

IDEA MODA DATA OWNER APPLICATION FORM IN ACCORDANCE WITH KVKK 11. MD
 

  1. APPLICANT INFORMATION
  • Name-Surname:………………………………………………………………………………..
  • TR ID number: ……………………………………………………………………………..
  • Mailing Address: ……………………………………………………………………………..
  • E-Mail Address: ……………………………………………………………………………..
  • Phone number: ……………………………………………………………………………..
  • If the applicant is a "parent/guardian or other legal representative", Name-Surname of the data owner: ……………………………………………………………………………..

2. YOUR RELATIONSHIP WITH THE IDEA
 ☐ Customer
☐ Commercial relationship (Specify the nature of the commercial relationship)
 ☐ Former Employee (indicate the dates you worked)
 ☐ Job Application / Resume sharing (specify date)
 ☐ Other (please specify) ……………………………………
 3. YOUR REQUEST
 According to the law, you can make a request on the following issues. Please put an X in front of your request. Requests on other issues are not within the scope of this Law , therefore we kindly ask you to forward requests on other issues to the relevant units.
☐ I would like to know whether your company processes personal data about me. Personal Data Protection Law art.11/1(a)
 ☐ If your company has processed personal data about me, I would like to receive information about this. Personal Data Protection Law, article 11/1(b)

 ☐ If your company processes personal data about me, I request information about the purpose of processing and whether it is used in accordance with its purpose. Personal Data Protection Law art.11/1(c )

 ☐ If my personal data is transferred to third parties at home or abroad, I want to know about these third parties. Personal Data Protection Law, article 11/1 (ç)
☐ I believe that my personal data has been processed incompletely or incorrectly and I would like it to be corrected. ( If you have selected this option , please write the personal data you want to be corrected in the field below and send the documents showing the correct and complementary information as attachments. (Photocopy of identity card etc.) Personal Data Protection Law art.11/1 (d)

 ☐ Although my personal data has been processed in accordance with the law and other relevant legal provisions, I believe that the reasons requiring processing have been eliminated and within this framework, I request the deletion of my personal data. Personal Data Protection Law article 11/1 (e)
☐ I want my personal data, which I believe to be processed incompletely or incorrectly, to be corrected by the third parties to whom it was transferred. ( If you have selected this option, please write the personal data you want to be corrected in the field below and send the documents showing the correct and complementary information as attachments. (Photocopy of identity card, etc.) Personal Data Protection Law article 11/1 (f)

 ☐ Although my personal data has been processed in accordance with the law and other relevant legal provisions, I believe that the reasons requiring processing have been eliminated and within this framework, I request that my personal data be deleted by the third parties to whom it has been transferred. Personal Data Protection Law, article 11/1 (f)
☐ I believe that my personal data processed by your company is being analyzed exclusively through automated systems and that this analysis has resulted in a result that is against me. I object to this result. ( Write the analysis result that you think is against you in the field below and send the documents supporting your objection as an attachment.) Personal Data Protection Law article 11/1 (g)

 ☐ I have suffered damages due to the unlawful processing of my personal data. I request compensation for this damage. ( Write the subject of the unlawful violation in the field below and send supporting documents as attachments. Court decision, Board decision, Documents showing the amount of material damage, etc. ) Personal Data Protection Law article 11/1 (h)
Please specify your request, which you marked above within the scope of the Personal Data Protection Law, in detail below:
 If you have any additional documents that you would like to support your application, please specify them and send them to us as an attachment to your petition.
 5- WHICH ADDRESS DO YOU WANT THE ANSWER TO BE SENT TO?
 ☐ I want it sent to my address.
 ☐ I want it sent to my e-mail address.
 ☐ I want to receive it in person. (If receiving it by proxy, a notarized power of attorney is required.)
IDEA always reserves the right to request additional information and documents to prove your identity in order to prevent your personal data from being shared with third parties unlawfully and to ensure the security of your personal data.
 I hereby accept, declare and undertake that the personal data I have shared with the Company in this application form is accurate and up-to-date, that I have not made an unauthorized application, and that I am aware that any legal and/or criminal liability that may arise otherwise will belong to me.

 Name, Surname and Signature of the Applicant

 IDEA FASHION
 PERSONAL DATA STORAGE - DESTRUCTION
 POLICY
PREPARED BY: HUMAN RESOURCES
 APPROVAL : COMPANY MANAGER

 VERSION HISTORY
 

Version No.

Release Date

Change Description

1

Published on 14/12/2021

ALL















CONTENTS
 Page number
 A. PURPOSE AND SCOPE........................................................................................ 3

 B. DEFINITIONS ............................................................................................3
 

  1. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES.................................. 4


 D. STORAGE MEDIA ......................................................................................... 4

  1. Non-electronic media…………………………………………………………..….4
  1. Electronic media…………………………………………………………………………….4


E.PRINCIPLES REGARDING STORAGE OF PERSONAL DATA…………………………………………5

  1. Legal reasons that necessitate storage………………..………………………………5
  1. Processing Purposes Requiring Storage…………………………………………………..5
  1. Ensuring the Security of Personal Data………………………………………………..5
  1. Administrative Measures Taken ……………………………………………………………………6
  1. Technical Measures Taken…………………………………………………………………6
  1. Storage Periods of Personal Data………………………………………………………………...8

 

  1. DESTRUCTION OF PERSONAL DATA…………………………………………………………………………..9
  1. Reasons Requiring Destruction………………………………………………………………9
  1. Destruction Techniques…………………………………………………………………………………….10

ba Deletion of Personal Data……………………………………………………………….10
 bb Destruction of Personal Data………………………………………………………….11
 bc Anonymization of Personal Data………………………….…………….11

  1. Destruction Process and Periods………………………………………………………………………….11


G- PUBLICATION AND STORAGE OF THE POLICY………………………………………….12
 H- POLICY UPDATE ………………………………………………………………….….12



  

  1. PURPOSE AND SCOPE

IDEA MODA Personal Data Storage and Destruction Policy (“IDEA MODA Personal Data Protection Policy”) has been prepared to determine the procedures and principles regarding the work and transactions regarding the storage and destruction activities carried out.
Personal data of IDEA MODA, employees, job candidates, customers and third parties, institutions or organizations with which it has relations as a service provider, and personal data of other third parties are within the scope of this Policy, and this Policy is applied to all recording environments where personal data owned or managed by IDEA MODA is processed and to activities related to the processing of personal data.
 

  1. DEFINITIONS

The terms used in the legislation and also in the IDEA MODA Personal Data Protection Policy are listed below.

  1. Personal Data: Any information relating to an identified or identifiable natural person.
  1. Special Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
  1. Personal Data Owner/Relevant Person: The natural person whose personal data is processed. For example; Customers and employees.
  1. Explicit Consent: Consent expressed with free will and based on prior information regarding a specific subject.
  1. Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system.
  1. Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him,
  1. Destruction: Deletion, destruction or anonymization of personal data,
  1. Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data.
  1. Recording medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system,
  1. Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller,
  1. Personal Data Protection Law: Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.
  1. KVK Board: Personal Data Protection Board.
  1. KVK Authority: Personal Data Protection Authority.


 

  1. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES


 All units and employees of IDEA MODA actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to properly implement the technical and administrative measures taken by the responsible units within the scope of the Policy, to train and raise awareness of the unit employees, to monitor and continuously audit them, to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law.
The titles and job descriptions of those responsible for the storage and destruction of personal data are as follows:
 

  • Company Manager: Responsible for employees to act in accordance with the policy.
  • HR Officer: Responsible for providing technical solutions needed in the implementation of the Policy.
  • Other unit personnel: Responsible for the implementation of the Policy in accordance with their duties.

 

  1. STORAGE ENVIRONMENTS

Personal data is stored securely and in accordance with the law in the environments listed below:

  1. Non-electronic media
  1. Paper
  1. Manual data recording systems (survey forms)
  1. Written, printed, visual media
  1. Electronic media
  1. Servers (Domain, backup, email, database, web, file sharing, etc.)
  1. Software (office software, Nebim, VCloud.)
  1. Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  1. Personal computers (Desktop, laptop)
  1. Mobile devices (phone, tablet, etc.)
  1. Optical discs (CD, DVD, etc.)
  1. Removable memories (USB, Memory Card etc.)
  1. Printer, scanner, copier

 

  1. PRINCIPLES REGARDING STORAGE OF PERSONAL DATA

Personal data of employees, job candidates, customers and employees of third parties, institutions or organizations with whom IDEA MODA has relations as service providers are stored in accordance with the Law and are destroyed after being stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
 

  1. Legal reasons that necessitate storage: Personal data by IDEA MODA;
  1. Turkish Commercial Code No. 6102
  1. Turkish Code of Obligations No. 6098,
  1. Social Insurance and General Health Insurance Law No. 5510,
  1. Occupational Health and Safety Law No. 6331,
  1. Labor Law No. 4857,
  1. Personal Data Protection Law No. 6698,
  1. It is stored for the retention periods prescribed within the framework of tax legislation and other secondary regulations in force pursuant to these laws.

 

  1. Processing Purposes Requiring Storage: IDEA MODA stores the personal data it processes within the framework of its activities for the following purposes.

 

  1. To carry out human resources processes.
  1. To ensure corporate communication.
  1. To ensure the security of the institution,
  1. To be able to do statistical studies.
  1. To be able to carry out work and transactions as a result of signed contracts and protocols.
  1. To ensure the fulfillment of legal obligations as required or made mandatory by legal regulations.
  1. To establish contact with real/legal persons who have business relations with the institution.
  1. To make legal reports.
  1. The burden of proof as evidence in legal disputes that may arise in the future.

 

  1. Ensuring the Security of Personal Data


IDEA MODA takes all necessary measures, within the possibilities, according to the nature of the data to be protected, to prevent the unlawful disclosure, transfer, unlawful access to personal data, or any other security deficiencies that may occur. In this context;
 

  1. The administrative measures taken to ensure the lawful processing and transfer of personal data and to prevent unlawful access to personal data are as follows:

 

  • It trains and raises awareness of its employees regarding the protection of personal data.
  • Confidentiality clauses have been added to the contracts of employees regarding the activities carried out by the institution.
  • The disciplinary procedure to be applied to employees who do not comply with security policies and procedures is prepared in the HR regulation and delivered to the personnel as an annex to their contracts.
  • Before starting to process personal data, the Institution is obliged to inform the relevant persons.
  • A personal data processing inventory has been prepared.
  • In cases where personal data is subject to transfer, the contracts signed with the persons to whom personal data is transferred include clauses stating that the party to whom personal data is transferred will fulfill its obligations to ensure data security. In this context, the party to whom personal data is transferred is undertaken to take all necessary measures to protect personal data and to ensure that these measures are implemented in their own organizations.
  • The security of physical environments containing personal data is ensured.
  • Internal audit is conducted.

 

  1. The technical measures taken to ensure the lawful processing and transfer of personal data and to prevent unlawful access to personal data are as follows:
  • Regarding the protection of personal data, technical measures are taken to the extent possible with technology, and the measures taken are updated and improved in parallel with developments.
  • Expert personnel are employed in technical matters.
  • Access to personal data processed by personnel is limited to the relevant company employee in line with the determined processing purpose.
  • To ensure that technical management activities of server computers and data storage systems are carried out, within this scope;
  1. Fulfillment of technical management and documentation functions such as determining user needs, supply, installation, configuration, patching, capacity planning, performance adjustments, operation, backup, restoring from backups, etc. of server system hardware used within the technical infrastructure of IDEA MODA and MS Windows operating systems providing service on them,
  1. Carrying out server user activation/de-activation, configuration and authorization activities,
  1. Carrying out virtualization and virtualization performance optimization studies on servers,
  1. Carrying out daily monitoring operations of storage systems that work integrated with servers or have SAN/NAS structures, making occupancy/capacity plans, performing backup/restoration operations,
  1. Carrying out system integration, testing, and quality control activities for software and hardware of server and storage systems, continuously checking that the hardware, operating system, or application modules that are put into service are functioning properly, and carrying out maintenance and operation activities such as correction/development/improvement/increasing efficiency.
  1. Carrying out daily monitoring of server systems and all services running on these systems, checking that all server hardware and services are operational, taking protective and corrective measures for abnormally shut down servers or services, carrying out configuration and control of system logs,
  1. Preparation and updating of basic level end user manuals and provision of end user training on server hardware, operating systems, storage systems and application software,
  1. Managing and securing the most authorized access passwords of server systems,
  1. We follow new technologies in the field of server hardware and operating systems and adapt them to the institution's infrastructure.
  • To carry out technical management activities of basic applications and protocols such as e-mail systems, Web Servers, SMTP, POP, IMAP, LDAP, FTP, SNMP, DNS, etc., within this scope;
  1. Fulfillment of technical management, operation and documentation functions such as user activation/de-activation/routing, configuration, patching, capacity planning, performance adjustments, backup, restoring from backups, etc. of the e-mail server system used within the technical infrastructure of IDEA MODA,
  1. Fulfilling the management/configuration and documentation functions of SMTP, POP, IMAP protocols serving in the infrastructure of e-mail systems,
  1. Carrying out the management of system users and configuration/management/backup/authorization of the LDAP protocol,
  1. Carrying out operational work such as opening an FTP area, defining a DNS domain/sub-domain, etc.
  1. Ensuring that end-user requests requiring e-mail, LDAP, FTP, DNS, etc. definitions are fulfilled in accordance with the relevant procedures/policies and standards of IDEA MODA; taking and implementing the necessary measures to prevent non-standard LDAP, e-mail, sub-domain definitions and data pollution,
  1. Managing and ensuring the security of the most authorized access passwords of application systems,
  1. We follow new technologies in the field of e-mail servers and applications and adapt them to the institution's infrastructure.
  • To carry out technical management activities of database management systems, within this scope;
  1. Fulfillment of technical management and documentation functions such as determining user needs, supply, installation, configuration, patching, capacity planning, performance adjustments, operation, backup, restoring from backups, etc. of all database management systems such as Oracle/MS-SQL/MYSQL, etc. used within the technical infrastructure of IDEA MODA,
  1. Carrying out database SQL scripting work,
  1. Carrying out database user activation/de-activation, configuration and authorization activities,
  1. Integration of data structures of all systems within IDEA MODA, carrying out testing and quality control activities, ensuring data integrity. Taking precautions to prevent data duplication, continuously checking that the data infrastructure is providing healthy service, carrying out maintenance and operation activities such as correction/development/improvement/increasing efficiency,
  1. The operations of managing and securing the most authorized access passwords of database management systems are carried out.

 

  1. Storage Periods of Personal Data


 The retention periods of personal data on a process basis are as follows:
 

Contracts

10 years following termination of the contract

All Records Regarding Accounting and Financial Transactions

10 years

 

Commercial Electronic Mail Approval Records

From the date of withdrawal of consent

1 Year from

 

 

 

 

Personal Data Regarding Suppliers

10 Years after the legal relationship ends

Data kept within the scope of SGK Legislation (Ex: Employment declarations, premium/service documents, etc.)

10 Years from the end of the Business Relationship

Data Regarding the Personnel File Stored Within the Scope of the Labor Law

10 Years from the end of the Business Relationship

Data Stored Within the Scope of Labor Law (e.g., severance pay, notice pay, bad faith compensation, information that may be subject to compensation for violation of the principle of equal treatment, payroll records, number of annual leave days, etc.)

5 Years from the end of the Business Relationship

Data Collected Within the Scope of Occupational Health and Safety Legislation (Ex: Pre-employment health tests, health reports, OHS Trainings, records of Occupational Health and Safety activities, etc.)

15 Years from the end of the Business Relationship

In accordance with the Labor Law: Responding to Court/execution requests for information regarding employees

10 Years from the end of the Business Relationship

 

Job Application/Internship Application/Data Regarding Candidate Applications in Case the Application is Not Accepted (Ex: CV, Resume, Cover Letter, Application Form, etc.)

3 months

Log Records of Employees' Access to Environments Containing Their Personal Data

10 Years from the end of the Business Relationship

 

Personal Data Regarding Tax Records

5 Years

Personal Data Processed with Documents Required to be Kept in Accordance with Tax Procedure Law, such as Invoice /Expense Slip/Receipt

5 Years

 

Personal Data Processed as Commercial Books, Documents Created Based on Records in Commercial Books, Financial Statements, etc., Required to be Kept in Accordance with Company Activities

10 Years

Personal Data Processed for Security Purposes in Accordance with CCTV Cameras (Camera Records)

3 Months

Seminar/Meeting Participants Registration

2 Years from the End of the Event

 

Institutional Communication Activities

10 Years from the End of Operation

Human Resources Processes

10 Years from the End of Operation

Personal Data Protection Board Procedures

10 years



 

  1. DESTRUCTION OF PERSONAL DATA
  1. Reasons Requiring Destruction: Personal data is deleted, destroyed or deleted, destroyed or made anonymous ex officio by IDEA MODA upon the request of the relevant person in the following cases;
  • Amendment or repeal of the relevant legislative provisions that form the basis of processing,
  • The purpose requiring processing or storage is eliminated,
  • In cases where personal data is processed only based on explicit consent, the person concerned must withdraw his/her explicit consent,
  • The application made by the relevant person for the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law is accepted by the Institution,
  • In cases where the institution rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, finds the response insufficient or does not respond within the period stipulated in the Law; to file a complaint with the Board and the Board finds this request appropriate,
  • In cases where the maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing personal data for a longer period,

 

  1. Destruction Techniques: At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data will be destroyed by IDEA MODA ex officio or upon the application of the relevant person, again in accordance with the relevant legislation, using the techniques specified below.


 ba Deletion of Personal Data

  • Personal Data Located on Servers; For personal data located on servers whose storage period has expired, the system administrator will remove the access authorization of the relevant users and delete them.

 

  • Personal Data in Electronic Media: Personal data in electronic media, whose storage period has expired, are rendered inaccessible and non-reusable by any means for employees (related users), except for the database administrator.

 

  • Personal Data in Physical Environment: Personal Data are rendered inaccessible and unusable in any way for the period that requires storage of personal data kept in physical environment. In addition, the process of blackening is also applied by drawing/painting/erasing it so that it cannot be read.

 

  • Personal Data Located on Portable Media: Personal data kept on flash-based storage media, for which the period requiring storage has expired, are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.

bb Destruction of Personal Data

  • Personal Data in Physical Media: Personal data in paper media, whose storage period has expired, are destroyed irreversibly in paper shredders.

 

  • Personal Data Contained in Optical / Magnetic Media: Personal Data Contained In optical and magnetic media, the personal data that has expired is physically destroyed by melting, burning or pulverizing it. In addition, the magnetic media is subjected to a high magnetic field by passing it through a special device, rendering the data on it unreadable.


 bc Anonymization of Personal Data
 Personal data is rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and relevant field of activity, such as the return of the data by the data controller or third parties and/or matching of the data with other data.
 

  1. Destruction Process and Times




 For personal data whose storage period has expired at ca IDEA MODA, the ex officio deletion, destruction or anonymization process is carried out by the IT Coordinatorship.
 Unless otherwise decided by the Board, the appropriate method of deleting, destroying or anonymizing personal data whose storage period has expired is selected ex officio by IDEA MODA. In case of destruction of personal data upon the request of the relevant person, the appropriate method is selected and implemented by explaining the reason for the destruction.
cc Periodic destruction period: In accordance with Article 11 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, periodic destruction is carried out in April and October every year at IDEA MODA.
 In the first periodic destruction operation following the date on which the obligation to erase, destroy or anonymize personal data arises, personal data will be erased, destroyed or anonymized.
 cd All operations regarding the deletion, destruction and anonymization of personal data are recorded and the records in question are kept for at least three years, excluding other legal obligations.
ce Periods for erasing and destroying personal data upon request by the relevant person: If the relevant person applies to IDEA MODA pursuant to Articles 11 and 13 of the Law and requests the erasure or destruction of his/her personal data;

  • If all conditions for processing personal data have been eliminated , the personal data subject to the request will be deleted, destroyed or made anonymous within thirty days at the latest, and the relevant person will be informed.
  • If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties , the request of the relevant person is notified to the third party; the necessary procedures are carried out within the scope of the Regulation on the Erasure, Destruction or Anonymization of Personal Data by the third party.
  • If all the conditions for processing personal data have not been eliminated, the rejection is made within thirty days at the latest, with an explanation of the reason, and the response is notified to the relevant person in writing or electronically.


 G- PUBLICATION AND STORAGE OF THE POLICY
 The policy document is published in two different media, with wet signature (printed paper) and electronic media, and is disclosed to the public on the website. The printed paper copy is also kept in the file BY THE DATA CONTROLLER CONTACT PERSON.

 H- POLICY UPDATE
It enters into force from the moment it is approved by the Company Manager. This Policy is reviewed as needed and the necessary sections are updated. Changes can be made to this Policy and put into effect with the approval of the Company Manager. The application rules that will be arranged in accordance with this Policy and specify how the issues specified in this Policy will be implemented in specific subjects will be arranged in the form of additions to the relevant regulations. The IDEA MODA KVK Policy has been published on the website and presented to the public.

In case of conflict between the current legislation, especially the Personal Data Protection Law, and the regulations included in this Policy, the provisions of the legislation shall apply.