
Personal Data Processing and Protection Policy

Our company, AZKarbon Elektronik Ticaret Ve Hizmetler A.Ş. acts in the capacity of data controller with the awareness of the importance of the confidentiality and security of personal data obtained within the scope of the Personal Data Protection Law No. 6698 ("PDPL") and other relevant legislation. Law No. 6698 on the Protection of Personal Data and the relevant legislation aims to fulfil the requirements for compliance with the relevant legislation and to establish a data protection and processing policy in international standards. 

 

Our Company's Personal Data Protection Policy (Policy) is set forth in line with the principles of lawfulness, honesty and openness adopted by the Company in the protection and processing of personal data. 

 

In this Policy, due to our Company's capacity as a data controller, the basic principles we take as a basis in the processing of personal data are included. Our Company acts with the determination of maximum compliance by not compromising the basic principles during personal data processing activities. It determines its personal data processing processes with the Personal Data Inventory in accordance with the Constitution, PDPL and relevant legislation. These data are processed in accordance with the provisions of other relevant legislation, especially PDPL, and as specified in this Policy.

 

2. SCOPE 

This Policy covers all personal data processed by automatic means or non-automatic means, provided that it is part of any data recording system, to the natural person who owns personal data defined as "data subject" in PDPL and related legislation. The method of collection of personal data obtained on the basis of the channels through which the personal data of the relevant persons reach our Company and the relevant persons accessing these channels, the legal reason for the collection, the purposes of processing and the shared parties are included in the Clarification Texts provided to the relevant persons in detail and, if necessary, in the Explicit Consent Texts.   

 

3. DEFINITIONS 

  

 

Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data

Explicit Consent: The person whose personal data shall be processed declares their consent to the transaction after being informed before the relevant transaction is carried out.

Clarification Text: Explanation to the data subject about the purpose for which the personal data shall be stored, for how long, by which method it is collected, how it is stored and whether it shall be shared with third parties

Presidency: Presidency of the Personal Data Protection Authority

Inventory: Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of personal data processing, data category, transferred recipient group and data subject group and by explaining the maximum period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Relevant Person: The natural person whose personal data is processed

Destruction: Deletion, destruction or anonymisation of personal data

Processing: It is defined in Article 3 of the PDPL as the processes of recording, storing, preserving, changing, reorganising, disclosing, transferring, taking over, making available, and classifying personal data.

Law / PDPL: Personal Data Protection Law

Personal Data: Any information relating to the natural person who is identified or can be identified. For example, name, surname, Turkish ID, e-mail, address, date of birth, bank account number, etc. Therefore, the processing of information on legal entities is not covered by the PDPL.

Processing Of Personal Data: Obtaining personal data in whole or in part by automatic or non-automatic means provided that it is part of any data recording system, saving, storing, changing, rearranging, explaining, transferring, inheriting data, all kinds of operations performed on the data, such as making the data available, classifying it or preventing it from being used,

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

Sensitive Data: Data about the race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of individuals, biometric and genetic data of people

VERBIS: The information system created and managed by the Presidency, accessible via the Internet, which data controllers shall use in the application to the Registry and other related transactions regarding the Registry

Data Processor: A natural or legal person who processes personal data on behalf of the data officer based on the authorisation given by the data officer.

Data Officer: A natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry: Data Controllers Registry kept by the Presidency

Data Controller Contact Person: The natural person notified by the data controller during the registration to the Registry for the communication to be established with the Authority regarding the obligations of the legal entities resident in Turkey and the non-resident legal entity data controller representative within the scope of the Law and the secondary regulations to be issued based on this Law.

Deletion: Deletion of Personal Data means that personal data cannot be accessed or reused in any way for the relevant users.

Destruction: Destruction of personal data, the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way

 

  

 

  

 

BASIC PRINCIPLES IN THE PROCESSING OF PERSONAL DATA   

Our company meets the general principles and conditions specified in the legislation regarding the protection and processing of personal data and acts in accordance with the principles listed below in order to ensure that personal data is processed in accordance with the Constitution and PDPL and at the same time, our employees carry out our activities in accordance with these principles with high awareness in company practices. 

 

Processing of Personal Data is Prohibited as a Rule 

The Company is aware that the processing of personal data is prohibited as a rule and processes it only within the limits stipulated by the legislation based on the following reasons: 

 

a. Explicit Consent of the Personal Data Subject 

One of the conditions for processing personal data is the explicit consent of the subject of the personal data. The explicit consent of the personal data subject must be related to a specific subject, based on the information and freely given. Data is processed within the scope of the explicit consent of the owner and for the purposes specified in the explicit consent. As a rule, in the presence of the conditions set out in subparagraphs b, c, d, e, f, g and h of this Article, it is not necessary to obtain the explicit consent of the personal data subject. 

 

b. Clearly Stipulated in the Law

The personal data of the data subject shall be processed in accordance with the law if expressly provided for in the law. In cases where data processing is permitted by law, data processing is limited to the reasons and data categories specified in the relevant law. 

 

c. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility 

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose their consent due to actual impossibility or whose consent cannot be recognised as valid in order to protect the life or physical integrity of themselves or another person. 

 

d. Direct Relevance to the Establishment or Performance of the Contract 

Provided that it is directly related to the conclusion or performance of a contract, personal data may be processed if it is necessary to process the personal data of the parties to the contract (provided that the person whose data shall be processed based on the conclusion or performance of the contract is one of the parties to the contract). 

 

e. Fulfillment of Legal Obligation 

In cases where data processing is mandatory for the Company to fulfil its legal obligations, it may process the personal data of the data subject. 

 

f. Publicization of Personal Data by the Personal Data Subject 

In the event that the personal data of the data subject is made public by them, the relevant personal data may be processed limited to the purpose of publication. 

 

g. Data Processing is Mandatory for the Establishment, Use or Protection of a Right

The personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right. 

 

h. Data Processing is Mandatory Due to Legitimate Interests 

Provided that it does not harm the fundamental rights and freedoms of the personal data subject, the personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of our Company. 

 

In the event that the processed data is sensitive personal data as defined in the PDPL, if there is no explicit consent of the personal data subject, personal data may only be processed in the following cases, provided that the adequate measures determined by the Board are taken:

 

Compliance with the Law and Good Faith 

Pursuant to Article 4 of the PDPL, our Company processes personal data in accordance with the law and good faith and aims to balance conflicting interests by pursuing "fair advantage". Information is based on openness and honesty; clear information is given about the purpose of use of the personal data collected, and the data is processed within this framework.  

 

Purposefulness, Limitation and Proportionality 

Our Company determines the purposes for which it shall process the data of the data subject in line with their explicit consent. In this regard, it avoids processing personal data that is not related to the purpose of processing or is not needed, and the data required during data processing activities are collected at a minimum level. 

 

Ensuring that Personal Data is Accurate and Updated When Necessary 

Our Company ensures that the personal data it processes is accurate, relies on the declarations of the relevant person for this purpose and obtains confirmation of its up-to-dateness when necessary. 

 

Processing of Personal Data for Specific, Explicit and Legitimate Purposes 

Our Company collects and processes personal data for legitimate and lawful reasons. Our Company processes personal data in connection with the activities they carry out, within a reasonable framework and to the extent necessary, and retains them for the period stipulated in the relevant legislation or required for the purpose for which they are processed. 

 

Data Safety Principle 

Our Company is aware that ensuring the security of your personal data with the awareness of the speed of development of technology is not limited to legal methods and that it is necessary to take technology-supported security measures. In this regard, all necessary measures are taken to ensure data security.  

 

Data Minimization Principle 

  

 

The Data Minimization Principle refers to the collection and processing of data in a manner that is adequate, relevant and limited to only the data required for collection and processing.  

 

  

 

5. PERSONAL DATA COLLECTION CHANNELS  

  

 

Our Company may collect the personal data of the data subjects specified in Article 4 of this Policy verbally, in writing or electronically by automatic or non-automatic methods. Relevant persons are informed in accordance with the relevant legislation based on the channels through which personal data are obtained.  

 

  

 

6. TYPES OF PERSONAL DATA  

  

 

Personal data obtained by our Company from the data subjects specified in this Policy, data categories, collection channels, processing purposes and legal grounds for processing, third parties to whom personal data are transferred and the purposes of transfer are also regulated in detail in the relevant person clarification text. In case of changes in the personal data obtained from the data subjects, the Inventory and VERBIS records are updated.  

 

  

 

7. CLARIFICATION OBLIGATION 

  

 

Following Article 10 of the PDPL, our Company informs the relevant persons who own personal data that it obtains while carrying out its activities before or at the latest during the acquisition of personal data.  

 

The information that must be communicated to data subjects within the framework of this clarification obligation is given below with its main headings.   

 

- Identity of the data controller and its representative, if any,  

 

- The purpose for which personal data shall be processed,  

 

- To whom and for what purpose the processed personal data may be transferred,  

 

- The method and legal grounds for collecting personal data,  

 

- Other rights of the Data Subject listed in Article 11 of the PDPL 

 

  

 

In order to fulfil the clarification obligation, our Company has prepared clarification texts, on the basis of the process and the persons whose data are processed, to be submitted to the data subjects within the scope of the above-mentioned provision of the PDPL. After the clarification texts are presented to the data subjects, explicit consent declarations are obtained for data processing activities and data categories that require the explicit consent of the data subject in order for our Company to carry out its commercial activities.

 

  

 

Within the framework of Article 28(1) of the PDPL,  our Company has no clarification obligation in the cases listed below: 

 

  

 

- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence provided that personal data are not disclosed to third parties and the obligations regarding data security are complied with,

- Processing of personal data for purposes such as research, planning and statistics by anonymising them with official statistics,  

 

  

 

- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defence, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,  

 

- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorized by law to ensure national defence, national security, public security, public order or economic security,  

 

  

 

- Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions. 

 

  

 

Within the framework of Article 28(2) of the PDPL,  the disclosure obligation shall not be applicable in the following cases:  

 

  

 

- Processing of personal data is necessary for the prevention of crime or criminal investigation,  

 

- Processing of personal data made public by the data subjects themselves,  

 

- Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorised and authorized public institutions and organisations and professional organisations in the nature of public institutions based on the authority granted by law, 

 

 - Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters. 

 

8. SENSITIVE PERSONAL DATA POLICY 

  

 

In accordance with the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Data within our Company, sensitive personal data are protected by us on the basis of special security measures. In this regard, Sensitive Data Policy has been prepared and put into practice in our Company.  

 

  

 

Article 6 of the sensitive personal data law is as follows: 

 

  

 

(1) Data about race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, security measures and biometric and genetic data are sensitive personal data.  

 

  

 

(2) Processing of sensitive personal data without the explicit consent of the data subject is prohibited. 

 

  

 

(3) Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life can only be processed by persons or authorised institutions and organisations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject.  

 

  

 

(4) In the processing of sensitive personal data, adequate measures are also required as determined by the Board. 

 

  

 

The principles adopted in the protection and processing of sensitive personal data are set forth in line with the principles of compliance with the law, honesty and openness. An Access Authorization Matrix has been prepared in order to monitor the security of sensitive data within our Company and authorisation of access to the channels where such data is processed.  

 

  

 

9. RIGHTS OF THE PERSONAL DATA SUBJECT  

  

 

Within the scope of Article 11 of PDPL,  everyone has the right to apply to our company in the capacity of data controller in the following matters: 

 

(1) Everyone can apply to the data controller and request information about themselves;  

 

a) Learning whether personal data is being processed,  

 

b) Requesting information if personal data has been processed,   

 

c) Learning the purpose of processing personal data and whether they are used in accordance with their purpose,  

 

ç) To know the third parties to whom personal data are transferred domestically or abroad,   

 

d) To request correction of personal data in case of incomplete or incorrect processing,  

 

e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of Law No. 6698,  

 

f) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data are transferred,  

 

g) To object to the emergence of a result to the detriment of the person by analyzing the processed data exclusively through automated systems,  

 

ğ) In case of damages due to unlawful processing of personal data, to request the elimination of the damage, 

 

  

 

10. METHOD OF EXERCISING THE RIGHTS OF THE PERSONAL DATA SUBJECT 

  

 

In accordance with paragraph 1 of Article 13 of the PDPL and within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette dated 10.3.2018 and numbered 30356, applications to be made to our Company, which is the data controller, regarding these rights must be submitted to us in writing or by other methods determined by the Personal Data Protection Board ("Board"). 

 

The "Data Subject" shall be able to notify our Company of their rights and requests listed in subparagraph A. In this regard, the relevant person may apply in writing within the following scope in order to exercise all other rights they have in accordance with Article 11 of Law No. 6698 on the Protection of Personal Data: 

 

  

 

- By personal application of the applicant,

- By post with signature affidavit attached,

- Through a notary public,

- By secure electronic signature,

- By signing with the secure electronic signature defined on behalf of the applicant and sending it to the KEP address specified below,

- By sending from the e-mail address previously notified to the data controller by the data subject and registered in the system of the data controller,

  

 

The following points must be included in the application.  

 

  

 

- Name, surname and signature if the application is in writing,

- Turkish Republic ID number for citizens of the Republic of Turkey, nationality, passport number or ID number, if any, for foreigners,

- Residential or workplace address for notification,

- Electronic mail address, telephone and fax number for notification, if any,

- Demand issue,

- Relevant information and documents

  

 

For written applications, the date on which the document is notified to the data controller or its representative shall be taken as the date of application. 

 

  

 

For applications made by other methods, the date of receipt of the application to the data controller shall be taken as the date of application. 

 

The application shall be finalised free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

 

Applications must be made by the person themselves. An application on behalf of another person may only be submitted with a power of attorney, provided that it has the content to request information within the scope of PDPL. If our Company has doubts about the identity of the applicant, it may request the relevant verification information from the relevant person.

 

  

 

11. CONTACT INFORMATION  

  

 

Title: AZKarbon Elektronik Ticaret Ve Hizmetler A.Ş. 

 

Headquarters: Emrez Mah. Akçay Cad. No:64/2 Gaziemir/İzmir 

 

  

12. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA  

  

 

In accordance with Article 12 of PDPL, our Company takes the necessary administrative and technical measures in order to prevent unlawful processing of and access to personal data processed by our Company, to ensure that personal data is kept securely, and to carry out and/or have the necessary audits carried out within this scope. Although measures are taken in accordance with the nature of personal data, sensitive personal data are protected by more stringent security measures.

 

  

 

13. STORAGE OF PERSONAL DATA 

  

 

Personal data obtained by our Company are securely stored in physical or electronic media for an appropriate period in order for our Company to continue its activities. Within the scope of the activities in question, our Company acts in accordance with the obligations stipulated in all relevant legislation, especially PDPL, regarding the protection of personal data.  

 

  

 

If a period is not specified in the legislation on how long personal data should be stored, personal data is stored for the period determined by taking into account the following criteria and destroyed at the end of this period. Therefore, personal data are deleted, destroyed or anonymised after the expiry of the period. 

 

  

 

Pursuant to the relevant legislation, personal data shall be deleted, destroyed or anonymised in the event that the purposes for processing personal data expire and if requested by the relevant person, with the exception of cases where it is permitted or required to keep personal data for a more extended period.  

 

  

 

In the event that personal data is deleted by means of the methods above, such data shall be destroyed in such a way that it cannot be used and recovered in any way again. However, in cases where the data controller has a legitimate interest, personal data may be stored until the expiration of the general limitation period (ten years) regulated in the Code of Obligations, provided that the fundamental rights and freedoms of the data subjects are not harmed, despite the expiration of the purpose of processing and the periods specified in the relevant laws. Employee data shall be kept for 15 years after the termination of the contract within the scope of the Labor Law and Occupational Safety Legislation. After the expiration of the above statute of limitations, personal data shall be deleted or destroyed by being recorded in the procedures set out in the Storage and Destruction Policy.

 

  

 

14. TRANSFER OF PERSONAL DATA TO PERSONS IN THE COUNTRY 

  

 

Our Company carefully complies with the conditions regulated in the PDPL regarding the sharing of personal data with third parties without prejudice to the provisions of other laws.  

 

  

 

Within this framework, personal data are not transferred by our Company to third parties without the explicit consent of the data subject. However, in the presence of one of the following conditions regulated by the PDPL, personal data may be transferred by our Company without obtaining the explicit consent of the data subject:  

 

  

 

· Clearly stipulated in the law.  

 

· The person who is unable to disclose his consent due to actual impossibility or whose consent is not granted legal validity is obliged to protect his or another's life or body integrity.  

 

· The processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or execution of a contract.  

 

· It is mandatory for the data controller to fulfil its legal obligation.

 

· It has been made public by the data subjects themselves,  

 

· Data processing is mandatory for the establishment, use or protection of a right.  

 

· Data processing is mandatory for the legitimate interests of the data subject, provided that it does not harm the fundamental rights and freedoms of the relevant person.  

 

  

 

Provided that adequate measures are taken, it is stipulated in the laws in terms of sensitive personal data other than health and sexual life, and in terms of sensitive personal data related to health and sexual life,  

 

· Protection of public health, 

 

 · Preventive medicine,  

 

· Medical diagnosis,  

 

· Carrying out treatment and care services,  

 

· Your personal data may be transferred without obtaining explicit consent for purposes such as planning and management of health services and financing.  

 

  

 

In the transfer of sensitive personal data, the conditions specified in the processing conditions of this data are complied with.

 

  

 

  

 

15. TRANSFER OF PERSONAL DATA ABROAD 

  

 

Regarding the transfer of personal data abroad, the explicit consent of the data subject is sought in accordance with Article 9 of the PDPL. However, in the presence of conditions permitting the processing of personal data, including sensitive personal data, without the explicit consent of the data subject, personal data may be transferred abroad by our Company without seeking the explicit consent of the data subject, provided that there is adequate protection in the foreign country to which the personal data shall be transferred.  

 

  

 

If the country to be transferred is not determined by the Board among the countries with adequate protection, our Company and the data controller/data processor in the relevant country shall undertake adequate protection in writing.  

 

  

 

ENFORCEMENT AND IMPLEMENTATION 

Our Company's policies on the processing and protection of personal data shall primarily be regulated within the framework of PDPL and other relevant legislation. In the event that all or certain articles of the Policy are updated, the updates enter into force on the date of their publication. The policy is published in its most up-to-date version on our Company's website. 

 

If the provisions of the legislation change, our Company shall update the Policy by making changes from time to time.   In case of incompatibility between the provisions of the PDPL and other relevant legislation and this Policy, the provisions of the PDPL and other relevant legislation shall be applied first.