Personal Data Protection Law (KVKK)
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY
1. Introduction
Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion) makes every effort to comply with all legislation regarding the protection of personal data. This Black Group Tekstil Ticaret Limited Şirketi Personal Data Protection, Processing and Privacy Policy explains the principles adopted by our company in conducting personal data processing activities and the fundamental principles adopted in terms of our company's compliance with the regulations in the Law No. 6698 on the Protection of Personal Data. In this way, our company ensures the necessary transparency by informing the data subjects. With full awareness of our responsibility in this regard, your personal data is processed and protected within the scope of this Policy. With this Policy, Black Fashion, as the data controller, aims to inform the data subject.
1.1. Definitions
For the purposes of this law, the following definitions will be used:
a . Personal Data: Any information relating to an identified or identifiable natural person;
b. Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system;
c. Special Categories of Personal Data: Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data;
d. Data Controller: Any natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system;
e. Data Processor: A third-party natural or legal person who processes Personal Data on behalf of Black Fashion, based on the authorization given by Black Fashion;
f. Data Subject: The natural person whose personal data is processed;
g. Data Recording System: The recording system used by Black Fashion in which Personal Data is processed by structuring it according to specific criteria;
h. Board: The Personal Data Protection Board;
i. Institution: The Personal Data Protection Authority;
j. Law: This refers to the Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, and numbered 29677.
2. Principles Regarding the Processing of Personal Data
2.1. Processing Personal Data in Accordance with the Principles Stipulated in the Legislation
2.1.1 Lawful and Fair Operation
Black Fashion adheres to the principles established by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data is processed only to the extent required by and limited to the business activities of our company.
2.1.1 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Black Fashion takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the processing period and establishes the necessary mechanisms to ensure the accuracy and currency of personal data at regular intervals.
2.1.2 Processing for Specific, Explicit and Legitimate Purposes
Black Fashion clearly states the purposes for which personal data is processed and processes it in accordance with its business activities and related purposes.
2.1.3 Being Relevant, Limited, and Proportional to the Purpose for Which They Are Used
Black Fashion collects personal data only to the extent and nature required for its business activities and processes it only for the specified purposes.
2.1.4 Retention for the Period Required by Relevant Legislation or Necessary for the Purpose for Which They Were Processed
Black Fashion retains personal data for the period necessary for the purpose for which it was processed and for the minimum period stipulated in the relevant legislation governing the activity. In this context, our company first determines whether a retention period for personal data is stipulated in the relevant legislation, and if a period is determined, it complies with that period. If no legal period exists, personal data is retained for the period necessary for the purpose for which it was processed. At the end of the determined retention periods, personal data is destroyed periodically according to the destruction schedules or upon the request of the data subject, and using the determined destruction methods.
2.2. Conditions for Processing Personal Data
Except for the explicit consent of the data subject, the basis for personal data processing activities may be only one of the conditions specified below, or multiple conditions may serve as the basis for the same personal data processing activity. If the processed data is special categories of personal data, the conditions set forth in section 2.3 (Processing of Special Categories of Personal Data) of this policy will apply.
2.2.1 Obtaining the Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. This explicit consent must be given freely, based on informed knowledge, and relating to a specific matter. Personal data may be processed without the explicit consent of the data subject if the following conditions for personal data processing exist.
2.2.2 Explicitly Provided for in the Laws
The processing of a person's personal data can only be considered to meet this condition if it is explicitly provided for in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data.
2.2.3 Inability to Obtain the Explicit Consent of the Relevant Party Due to Factual Impossibility
If a person is unable to express their consent due to factual impossibility or if their consent cannot be considered valid, and the processing of their personal data is necessary to protect their life or physical integrity or that of another person, then the personal data of the data subject may be processed.
2.2.4 Directly Related to the Formation and Performance of the Contract
The processing of personal data may be deemed fulfilled if it is directly related to the establishment or performance of a contract to which the data subject is a party, and the processing of personal data is necessary for this purpose.
2.2.5 Fulfillment of the Company's Legal Obligations
Personal data of the data subject may be processed if processing is necessary for our company to fulfill its legal obligations.
2.2.6 Public Disclosure of Personal Data by the Data Subject
If the data subject has made their personal data public, that personal data may only be processed for the purpose of that public disclosure.
2.2.7 Necessity of Data Processing for the Establishment or Protection of a Right
Personal data of the data subject may be processed if such processing is necessary for the establishment, exercise, or protection of a right.
2.2.8 Necessity of Data Processing for the Legitimate Interests of the Company
Personal data of the data subject may be processed if it is necessary for the legitimate interests of our company, provided that this does not harm the fundamental rights and freedoms of the data subject.
2.3. Processing of Special Categories of Personal Data
Special Categories of Personal Data may be processed by the company in accordance with the principles stated in this policy and by taking all necessary administrative and technical measures, including methods determined by the board, and only if the following conditions are met:
2.3.1 Special categories of personal data other than health and sexual life data may be processed without the explicit consent of the data subject if it is explicitly provided for in the laws, in other words, if there is an explicit provision in the law governing the relevant activity regarding the processing of personal data. Otherwise, the explicit consent of the data subject will be obtained in order to process such special categories of personal data.
2.3.2 Special categories of personal data relating to health and sexual life may be processed without explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the data subject will be obtained in order to process such special categories of personal data.
2.4. Informing the Data Subject
Black Fashion informs data subjects in accordance with Article 10 of the law and secondary legislation. In this context, Black Fashion informs data subjects about who processes personal data as the data controller, for what purposes, with whom and for what purposes it is shared, the methods used to collect it, the legal basis, and the rights of data subjects regarding the processing of their personal data.
2.5. Transfer of Personal Data
Black Fashion may transfer the personal data and sensitive personal data of the data subject to third parties (third-party companies, official and private authorities, third-party individuals) located within the country in accordance with the lawful purposes of personal data processing and by taking the necessary security measures. Our company acts in accordance with the regulations stipulated in Article 8 of the law in this regard.
2.5.1. Transfer of Personal Data
Even without the explicit consent of the data subject, personal data may be transferred to third parties located within the country by the company, provided that one or more of the conditions specified below are met, and by exercising due diligence and taking all necessary security measures, including methods prescribed by the board.
The relevant activities regarding the transfer of personal data are explicitly provided for in the laws, and the transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is necessary for our Company to fulfill its legal obligations,
Personal data may be transferred by our company only for the purpose of making it public, provided that the data has already been made public by the data subject.
The transfer of personal data by the company is necessary for the establishment, exercise or protection of the rights of the company, the data subject or third parties,
The transfer of personal data is necessary for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the data subject.
It must be necessary to protect the life or physical integrity of the person or another person, in cases where the person is unable to express their consent due to factual impossibility or where their consent is not legally valid.
2.5.2. Transfer of Special Categories of Personal Data
Special categories of personal data may be transferred by our company in accordance with the principles stated in this policy and by taking all necessary administrative and technical measures, including methods determined by the board, and only if the following conditions are met:
Personal data of a special category, other than health and sexual life data, may be processed without the explicit consent of the data subject if it is explicitly provided for in the laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject must be obtained.
Special categories of personal data relating to health and sexual life may be processed without explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the data subject will be obtained.
2.6. Personal Data That May Be Processed
Black Fashion's purpose is the entirety of the purposes stated in the trade registers. The personal data that may be collected and processed in relation to Black Fashion's purpose, belonging to employees, their relatives, job applicants, interns, supplier employees and supplier officials, direct or indirect individual shareholders/partners, potential product and service buyers, customers, and other third parties, is listed below and may be expanded in line with Black Fashion's purposes:
• Identity data,
• Contact information,
• Location data,
• Personal information data,
• Data related to legal proceedings,
• Customer transaction data,
• Physical security data,
• Data related to transaction security,
• Data within the scope of risk management,
• Data related to the proper conduct of financial transactions,
• Data related to professional experience,
• Data related to marketing operations,
• Visual and audio recording data,
• Race and ethnicity data,
• Data on clothing and attire,
• Health data,
• Data related to criminal convictions and security measures,
2.7. Purposes of Personal Data Processing
Black Fashion undertakes to process personal data for its commercial partners only within the scope of the purposes and grounds stated below, with the exception of the exceptions stipulated in Article 5(2)(c) of the KVKK (Personal Data Protection Law);
• Implementation of Information Security Processes
• Conducting the Selection and Placement Processes for Job Applicants / Interns / Students
• Managing the application processes for job applicants.
• Implementing Employee Satisfaction and Engagement Processes
• Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
• Managing Employee Benefits and Advantage Processes
• Conducting Training Activities
• Enforcement of Access Permissions
• Ensuring Physical Security of the Space
• Managing Finance and Accounting Operations
• Implementing Company/Product/Service Loyalty Processes
• Execution of Assignment Processes
• Monitoring and Managing Legal Affairs
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting/Supervising Business Activities
• Implementation of Occupational Health and Safety Activities
• Implementing Business Continuity Activities
• Execution of Logistics Activities
• Execution of Goods/Services Procurement Processes
• Execution of Goods/Services Sales Processes
• Execution of Goods/Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Conducting activities aimed at customer satisfaction.
• Conducting Marketing Analysis Studies
• Execution of Advertising / Campaign / Promotion Processes
• Implementation of Risk Management Processes
• Conducting Storage and Archiving Activities
• Execution of Contract Processes
• Tracking Requests/Complaints
• Ensuring the Security of Movable Property and Resources
• Execution of Supply Chain Management Processes
• Implementation of Wage Policy
• Execution of Marketing Processes for Products/Services
• Ensuring the Security of Data Controller Operations
• Foreign Personnel Work and Residence Permit Procedures
• Conducting Talent/Career Development Activities
• Providing Information to Authorized Persons, Institutions and Organizations
• Execution of Administrative Activities
• Creating and Tracking Visitor Records
3. Principles Regarding the Protection of Personal Data
3.1 Ensuring Personal Data Security
In accordance with Article 12 of the law, the company takes the necessary measures, depending on the nature of the data to be protected, to prevent the unlawful disclosure, access, transfer, or other security breaches of personal data. Within this scope, our company takes administrative measures and conducts or commissions audits to ensure the necessary level of security in accordance with the guidelines published by the Board.
3.2 Protection of Special Categories of Personal Data
The law attaches special importance to certain personal data due to the risk of causing harm or discrimination to individuals if processed unlawfully. This data includes information on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Black Fashion takes utmost care in protecting special categories of personal data, which are defined as such by law and processed lawfully. In this context, the technical and administrative measures taken by Black Fashion to protect personal data are meticulously applied with regard to special categories of personal data, and necessary audits are conducted within Black Fashion.
3.3 Increasing Awareness and Monitoring Regarding the Protection and Processing of Personal Data
Black Fashion provides necessary training to its business units to raise awareness about preventing the unlawful processing of personal data, unlawful access to personal data, and ensuring the preservation of personal data.
Black Fashion updates and renews the training of its employees regarding the protection of personal data in line with the updates to the relevant legislation.
4. Storage and Destruction of Personal Data
Our company retains personal data for the period necessary for the purpose for which it is processed and in accordance with the minimum periods stipulated in the relevant legislation governing the activity. In this context, our company first determines whether a retention period for personal data is stipulated in the relevant legislation and, if a period is determined, acts accordingly. If no legal period exists, personal data is retained for as long as necessary for the purpose for which it is processed. At the end of the determined retention periods, personal data is destroyed periodically according to the destruction schedules or upon the request of the data subject, and using the specified destruction methods.
| Data Category | Data Retention Period |
| 1- Identity | Minimum 1 month, maximum 10 years |
| 2- Communication | Minimum 1 month, maximum 10 years |
| 3- Location | 2 Years |
| 4- Personnel | 10 years |
| 5- Legal Transaction | 10 years |
| 6- Customer Transactions | 10 years |
| 7- Physical Space Security | Minimum 2 weeks, maximum 60 days. |
| 8- Transaction Security | 1 month |
| 9- Risk Management | 10 years |
| 10- Finance | 10 years |
| 11- Professional Experience | Minimum 1 month, maximum 10 years |
| 12- Marketing | 10 years |
| 13- Visual and Auditory Recordings Minimum | Minimum 1 month, maximum 10 years |
| 14- Race and Ethnic Origin | Minimum 1 month, maximum 10 years |
| 15- Dress and Appearance | Minimum 1 month, maximum 10 years |
| 16 - Health Information | 10 years |
| 17- Criminal Conviction and Security Measure | 10 years |
5. Data Subject and Exercise of These Rights
5.1. Rights of the Data Subject
Data subjects have the following rights:
a . To find out whether personal data is being processed,
b . Requesting information regarding the processing of personal data,
c . To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
d . Knowing the third parties to whom personal data is transferred within the country,
e . The right to request the correction of personal data if it has been processed incompletely or incorrectly, and to request that the correction be notified to third parties to whom the personal data has been transferred.
f . The right to request the deletion or destruction of personal data if the reasons requiring its processing have ceased to exist, even if it has been processed in accordance with the law and other relevant legal provisions, and to request that this action be notified to third parties to whom the personal data has been transferred.
g . The right to object to a result that is detrimental to the individual, arising solely from the analysis of processed data by automated systems.
h . The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.
5.2. Exercise of Rights by the Data Subject
To exercise the rights specified, individuals must submit their requests in writing using the following communication channels, along with information that will allow for the identification of the data subjects, and/or an application form prepared accordingly:
Via email to info@blackfashion.com.tr
Through software or an application developed for the purpose of the application
5.3. The Company's Response to Applications
Our company takes the necessary administrative and technical measures to process applications submitted by the relevant party in accordance with the law and secondary legislation.
If the data subject submits their request regarding the rights set forth in Section 5.1 (Data Subject's Rights) to our Company in accordance with the procedure, our Company will process the request free of charge as soon as possible and no later than 30 (thirty) days, depending on the nature of the request. However, if the process requires additional costs, a fee may be charged in accordance with the tariff determined by the Board.
6. Measures to Ensure the Accuracy and Up-to-Date Nature of Personal Data
Black Fashion maintains personal data accurately and up-to-date using the following methods:
6.1. Technical Measures
Network security and application security are ensured.
Closed-system networks are used for the transfer of personal data over the network.
Key management is implemented.
Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
An authorization matrix has been created for employees.
Access logs are maintained regularly.
Data masking measures are applied when necessary.
Up-to-date anti-virus systems are used.
Firewalls are used.
Personal data is backed up, and the security of the backed-up personal data is also ensured.
User account management and authorization control systems are implemented and monitored.
6.2. Administrative Measures
An authorization matrix has been created for employees.
Corporate policies have been prepared and implemented regarding access, information security, usage, storage, and disposal.
Employees who change roles or leave the company will have their authorizations in this area revoked.
Confidentiality agreements are made.
The signed agreements include data security provisions.
Personal data security policies and procedures have been established.
Personal data security is monitored.
Necessary security measures are taken regarding entry to and exit from physical environments containing personal data.
Personal data is minimized as much as possible.
Personal data security policies and procedures have been established.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
Personal data is minimized as much as possible.
Protocols and procedures for the security of sensitive personal data have been established and are being implemented.
If sensitive personal data is to be sent via email, it must be sent encrypted and using a registered email account (KEP) or corporate email account.
7. Changes to the Personal Data Protection Policy
Black Fashion may make changes to this policy as required by its operations or as legally necessary. The revised policy text will come into effect upon its publication on the website https://www.blackfashion.com.tr/. Black Fashion will also notify all relevant parties of any changes via email.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Introduction
1.1 Purpose
This Personal Data Storage and Destruction Policy has been prepared by Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as “Black Fashion”), acting as the data controller, in accordance with Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which constitutes the secondary regulation of the law and was published in the Official Gazette on October 28, 2017, and related legislation, to determine the procedures and principles regarding the processes of storing, deleting, destroying and anonymizing personal data, to inform those whose personal data is processed by Black Fashion, and to fulfill the obligations under the law and related legislation.
In line with its core principles, Black Fashion prioritizes the processing of all personal data belonging to its employees, their relatives, job applicants, interns, supplier officials, supplier employees, direct or indirect individual shareholders/partners, potential product and service buyers, customers, visitors, and other third parties in accordance with the Turkish Constitution, international conventions, Law No. 6698 on the Protection of Personal Data, and other relevant legislation, and ensuring that the rights of the data subjects are effectively exercised.
The processes and procedures regarding the storage and destruction of personal data are carried out by Black Fashion in accordance with this Policy, which has been prepared for this purpose.
1.2 Scope
All personal data belonging to Black Fashion employees, their relatives, job applicants, interns, supplier officials, supplier employees, direct or indirect individual shareholders/partners, potential product and service buyers, customers, visitors, and other third parties are covered by this Policy, and this Policy applies to all record media owned or managed by Black Fashion where personal data is processed, and to all activities related to the processing of personal data.
1.3 Abbreviations and Definitions
| Explicit Consent | It is informed and freely given consent regarding a specific matter. |
| Anonymization | Personal data is processed in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. |
| Buyer Group | This term refers to the category of natural or legal person to whom personal data is transferred by the data controller. |
| Worker | She is an employee of Black Fashion. |
| Electronic Environment | These are environments where personal data can be created, read, modified, and stored using electronic devices. |
| Non-Electronic Environment | These include all written, printed, visual, and other media that fall outside of electronic media. |
| Supplier | A contracting party is a natural or legal person who provides goods and services to Black Fashion under a specific contract. |
| Contact Person | The person whose personal data is being processed is a natural person. |
| Relevant User | Data subjects are individuals within the data controller organization, or those acting under the authority and instructions of the data controller, who process personal data, excluding the person or unit technically responsible for the storage, protection, and backup of the data. |
| Personal Data Processing Inventory | Black Fashion's inventory details the personal data processing activities they carry out in accordance with their business processes; this inventory identifies the purposes and legal basis for personal data processing, data category, recipient group to whom the data is transferred, and the data subject group; and also explains the maximum retention period necessary for the purposes for which the personal data is processed, transfers to foreign countries, anticipated personal data, and measures taken regarding data security. |
| Destruction | Personal data can be deleted, destroyed, or anonymized. |
| Law | Law No. 6698 on the Protection of Personal Data |
| Recording Medium | This refers to any medium containing personal data that is processed wholly or partly automatically, or through non-automatic means as part of a data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
Processing of Personal Data | Personal data processing refers to any operation performed on data, such as obtaining, recording, storing, keeping, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system. |
| Special Category Personal Data | This includes data relating to a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | When all the conditions for processing personal data stipulated in the law cease to exist, the personal data will be deleted, destroyed, or anonymized automatically at recurring intervals as specified in the personal data retention and destruction policy. |
| Policy | Personal Data Storage and Destruction Policy |
| Data Processor | A data controller is a natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller. |
| Data Recording System | The data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Data Controller | It is a data recording system in which personal data is processed by structuring it according to specific criteria. |
| Data Controllers Registry Information System | (VERBIS) is an internet-accessible information system created and managed by the Presidency of the Personal Data Protection Authority, which data controllers will use for applications to the Data Controllers Registry and other related processes concerning the Data Controllers Registry. |
| Regulations | Regulation on the Deletion, Destruction, and Anonymization of Personal Data published in the Official Gazette dated October 28, 2017. |
| Internal Management Regulations | Black Fashion Company Board of Directors Internal Regulations. |
2. Distribution of Responsibilities and Tasks
Black Fashion employees are obligated to comply with the rules set forth in this policy and to provide the necessary support to the units responsible for processing personal data. Company employees who process personal data act in accordance with fundamental principles, conditions for processing personal data, and conditions for processing special categories of personal data when carrying out data processing activities.
Accordingly, the selected members of the Personal Data Protection Committee, their respective units, and their roles in the processes of storing and destroying personal data are explained in detail below.
| Personnel Title | Unit | Job description in the KVKK (Personal Data Protection Law) process. |
| Meryem Kabadayı | Human Resources | Compliance with personal data retention periods and management and supervision of the personal data destruction process. |
| Metin Oguzhan | Information Technology | Compliance with personal data retention periods and management and supervision of the personal data destruction process. |
Table 1: Task allocation for storage and disposal processes.
Table 1 shows the distribution of titles, units, and job descriptions of those involved in the processes of storing and destroying personal data.
3. Recording Media
Personal data is securely stored by Black Fashion in accordance with the law in the environments listed in Table 2.
| Electronic environments | Non-electronic environments |
|
|
Table 2: Personal data storage media
4. Storage and Disposal Instructions
Black Fashion operates within the following principles regarding the storage and destruction of personal data:
4.1 Storage Instructions
Article 4 of the law states that personal data must be relevant, limited, and proportionate to the purpose for which they are processed, and must be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed, while Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the scope of our activities, personal data is stored in accordance with the relevant legislation and/or for a period appropriate to our processing purposes.
4.1.1 Legal Reasons Requiring Retention
Personal data processed by Black Fashion is stored in accordance with the relevant legislation in its field of activity and/or for a period appropriate to our processing purposes. Accordingly, personal data will be stored within the scope of the legislation listed below, as well as other legislation currently in force or that will come into force, without being limited to those listed.
a . Turkish Constitution
b . Turkish Code of Obligations No. 6098
c . Law No. 6698 on the Protection of Personal Data
dSocial Security and General Health Insurance Law No. 5510
e. Law No. 6331 on Occupational Health and Safety
f . Labor Law No. 4857
g . Articles of the Labor Law No. 1475 that remain in force.
Law No. 213 on Tax Procedure
i . Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
j. Turkish Commercial Code No. 6102
They are stored for the retention periods stipulated under these laws and other applicable legislation, without limitation.
4.1.2 Processing Purposes Requiring Storage
Personal data is securely stored by Black Fashion in physical or electronic environments, within the limits specified in the KVKK (Personal Data Protection Law) and other relevant legislation, primarily for the purpose of conducting commercial activities, fulfilling legal obligations, planning and managing personnel processes, and managing legal disputes, including litigation and enforcement proceedings.
Personal data is processed for the following purposes:
• Implementation of Information Security Processes
• Conducting the Selection and Placement Processes for Job Applicants / Interns / Students
• Managing the application processes for job applicants.
• Implementing Employee Satisfaction and Engagement Processes
• Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
• Managing Employee Benefits and Advantage Processes
• Conducting Training Activities
• Enforcement of Access Permissions
• Ensuring Physical Security of the Space
• Managing Finance and Accounting Operations
• Implementing Company/Product/Service Loyalty Processes
• Execution of Assignment Processes
• Monitoring and Managing Legal Affairs
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting/Supervising Business Activities
• Implementation of Occupational Health and Safety Activities
• Implementing Business Continuity Activities
• Execution of Logistics Activities
• Execution of Goods/Services Procurement Processes
• Execution of Goods/Services Sales Processes
• Execution of Goods/Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Conducting activities aimed at customer satisfaction.
• Conducting Marketing Analysis Studies
• Execution of Advertising / Campaign / Promotion Processes
• Implementation of Risk Management Processes
• Conducting Storage and Archiving Activities
• Execution of Contract Processes
• Tracking Requests/Complaints
• Ensuring the Security of Movable Property and Resources
• Execution of Supply Chain Management Processes
• Implementation of Wage Policy
• Execution of Marketing Processes for Products/Services
• Ensuring the Security of Data Controller Operations
• Foreign Personnel Work and Residence Permit Procedures
• Conducting Talent/Career Development Activities
• Providing Information to Authorized Persons, Institutions and Organizations
• Execution of Administrative Activities
• Creating and Tracking Visitor Records
4.2 Reasons Requiring Destruction
Personal data;
The data controller must review and approve the request of the data subject, within the framework of their legal rights, to delete or destroy their personal data.
In cases where the processing of personal data is based solely on explicit consent, the withdrawal of consent by the data subject is prohibited.
Amendments or repeals of the relevant legal provisions that form the basis for the processing, storage, and destruction of personal data,
The purpose requiring the processing or storage of personal data ceases to exist,
Even though the maximum period requiring the retention of personal data has expired, there are no circumstances requiring the retention of personal data for a longer period,
If the data controller rejects a request from the data subject for the deletion, destruction, or anonymization of their personal data, if the response given is deemed insufficient, or if the controller fails to respond within the time limit stipulated by the Law; and if a complaint is filed with the Board and this request is found appropriate by the Board, Black Fashion shall delete and/or destroy the personal data upon the request of the data subject and in accordance with that request, or it shall delete and/or destroy and/or anonymize the data ex officio.
5. Technical and Administrative Measures
The technical and administrative measures that Black Fashion has taken to securely store personal data and prevent its unlawful processing and access are listed below, but are not limited to.
5.1 Technical Measures
Network security and application security are ensured.
Closed-system networks are used for the transfer of personal data over the network.
Key management is implemented.
Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
An authorization matrix has been created for employees.
Access logs are maintained regularly.
Data masking measures are applied when necessary.
Up-to-date anti-virus systems are used.
Firewalls are used.
Personal data is backed up, and the security of the backed-up personal data is also ensured.
User account management and authorization control systems are implemented and monitored.
5.1. Administrative Measures
An authorization matrix has been created for employees.
Corporate policies have been prepared and implemented regarding access, information security, usage, storage, and disposal.
Employees who change roles or leave the company will have their authorizations in this area revoked.
Confidentiality agreements are made.
The signed agreements include data security provisions.
Personal data security policies and procedures have been established.
Personal data security is monitored.
Necessary security measures are taken regarding entry to and exit from physical environments containing personal data.
Personal data is minimized as much as possible.
Personal data security policies and procedures have been established.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
Personal data is minimized as much as possible.
Protocols and procedures for the security of sensitive personal data have been established and are being implemented.
If sensitive personal data is to be sent via email, it must be sent encrypted and using a registered electronic mail (KEP) or corporate email account.
6. Techniques for Destructing Personal Data
Personal data will be destroyed by Black Fashion, either automatically or upon request from the data subject, in accordance with the provisions of the relevant legislation and using the techniques described below, at the end of the retention period stipulated in the relevant legislation.
Black Fashion has adopted the methods of deletion, destruction, and anonymization, which are among the destruction methods covered by the Regulation, for the destruction of Personal Data held within its premises.
| Data Recording Medium | Explanation |
| Personal data stored on servers | For personal data stored on servers whose retention period has expired, the system administrator will delete the data by revoking the access rights of the relevant users. |
| Personal Data in Electronic Environments | Personal data stored electronically will be rendered inaccessible and unusable for all employees except the database administrator after the required retention period has expired. |
| Personal Data Located in the Physical Environment | Personal data stored in physical form, for which the required retention period has expired, is rendered inaccessible and unusable by all employees except the unit manager responsible for the document archive. Additionally, it is blacked out by drawing over/painting over/erasing it to make it unreadable. |
| Personal Data Contained on Portable Media | Personal data stored on flash-based storage media for which the retention period has expired are encrypted by the system administrator and stored in secure environments with encryption keys, with access rights granted only to the system administrator. |
Table 3 : Destruction of Personal Data
7. Storage and Disposal Periods
• Personal data processed by our company within the scope of its activities is stored for the periods stipulated by law and for the duration of the statute of limitations, and the storage periods are generally as follows:
• The retention and destruction periods for personal data, on a data-by-data basis, are specified in the "Personal Data Processing Inventory".
• Registration with Verbis based on data categories,
• In terms of processes, they are listed in the table below.
| PERIOD | STORAGE TIME | DESTRUCTION PERIOD |
| Maintaining all documents and records related to workplace accidents. | Ten years from the date of the accident | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining records to ensure employees' rights under the Social Security Institution. | 10 years from the date of leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Documents and Records Relating to Training Activities Conducted within the Scope of Occupational Health and Safety | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Signing an employment contract with employees when they start work. | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Obtaining copies of diplomas and certificates from employees for the purpose of keeping a record of their professional experience. | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Obtaining Employee Health Reports | 10 Years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining records of disability status information, blood type information, personal health information, and information on devices and prostheses used. | 10 Years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
Disability Board Health Report | 10 Years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Employee Resumes | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Records of Salary Payments and Payroll Information | 10 years from the date of leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Legal Documents and Records Regarding Wage Garnishments | Ten years from the date of completion of the legal process. | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Other Legal Procedures | Ten years from the date of completion of the legal process. | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Power of Attorney Records | Ten years from the date of completion of the legal process. | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Maintaining Documents and Records Regarding Employee Leave Processes | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| The Process of Creating an Employee's Personnel File | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Managing the Termination Process | 10 years since leaving the job | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
Vehicle Usage Instructions and Assignment Process | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Official Inspection Processes | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Field Work Monitoring Processes | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Traffic Fines are Legal. | Ten years from the completion of the transaction. | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Personnel List Maintenance Processes | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Staff ID Badge | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Vehicle Accident Reports | 10 years | During the first periodic destruction period following the expiration of the storage period (in any case not exceeding 6 months) |
| Mediation Activities Processes | Ten years from the date of completion of the legal process. | |
| Contract Processes | Ten years from the date of completion of the legal process. | |
| Educational Processes | 10 years | |
| Insurance Processes | 10 years | |
| Premium Payment Processes | 10 years | |
| Customer Transaction Processes | 10 years |
Table 4: Table of storage and destruction times by process.
8. Periodic Destruction Period
Black Fashion has set a periodic destruction interval of 6 months.
9. Publication and Preservation of Policy
The policy is prepared in two different formats: a printed copy with a wet signature and an electronic copy. It is published on our website at https://www.blackfashion.com.tr/. The printed copy is kept in the Human Resources department.
10. Policy Update Period
The policy is reviewed as needed, and necessary sections are updated. Updated versions are then republished.
11. Implementation of the Policy
Black Fashion may make changes to this policy as required by its operations or as legally necessary. The revised policy text will come into effect upon its publication on the website https://www.blackfashion.com.tr/. Black Fashion will also notify all relevant parties of any changes via email.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
CUSTOMER INFORMATION TEXT REGARDING THE PROTECTION OF PERSONAL DATA
1. Topic
As Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion), we attach great importance to the security of your personal data and strive to take all necessary security measures in this regard. As the data controller, we process your personal data in accordance with the Law No. 6698 on the Protection of Personal Data and related legislation, within the scope of this Customer Information Text on the Protection of Personal Data and the Personal Data Protection, Processing and Privacy Policy.
1.1. Data Subject to Explicit Consent
Black Fashion processes the following personal data of its customers in accordance with the nature of its relationship with the customer:
a . Identity information data
b. Contact information data
c. Legal transaction data
d. Customer data within the scope of the transaction.
e . Data within the scope of physical space security.
f . Data within the scope of risk management.
g. Financial data
h . Data within the scope of marketing.
1.2. Method, Legal Basis and Purpose of Processing Personal Data
Customers' personal data is obtained in physical and electronic form within the scope of the contractual relationship between Black Fashion and the company.
Personal data processed by the company is retained for a period appropriate to our processing purposes and subject to the relevant legislation in its field of activity. Accordingly, personal data will be retained in accordance with the following legislation, but not limited to those listed below, as well as other current or future legislation.
a . Turkish Constitution
b. Turkish Code of Obligations No. 6098
c. Law No. 6698 on the Protection of Personal Data
d . Law No. 5510 on Social Security and General Health Insurance
e . Law No. 6331 on Occupational Health and Safety
1.1 . Labor Law No. 4857
1.2. Remaining articles of the Labor Law No. 1475
1.3 . Tax Procedure Law No. 213
1.4 . Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
1.5. Turkish Commercial Code No. 6102
Personal Data collected during this process may be processed for the purposes of Black Fashion's customer relationship management processes, conducting and monitoring business activities, managing logistics activities, managing contract processes, managing risk management processes, managing finance and accounting operations, managing communication activities, managing goods/services procurement processes, providing after-sales support services for goods/services, managing goods/services sales processes, managing goods/services production and operation processes, conducting customer satisfaction activities, managing supply chain processes, managing storage and archiving activities, managing product/service marketing processes, providing information to authorized persons, institutions and organizations, conducting marketing analysis studies, monitoring and managing legal affairs, ensuring physical security, and creating and tracking visitor records.
2. Transfer of Personal Data
3.1 Black Fashion may transfer Customer Personal Data to natural persons or private legal entities residing in Turkey, shareholders and business partners, suppliers, and authorized public institutions and organizations for the purposes stated above.
2. Duration of Personal Data Processing
3. Black Fashion maintains the Personal Data it processes accurately and up-to-date using technological methods. If the reasons requiring the processing of Personal Data cease to exist, Black Fashion will delete, destroy, or anonymize the Personal Data automatically or upon the Customer's request.
| 3.1.1. DATA CATEGORY | 4. DATA RETENTION PERIOD |
| 5. Identity | 6. Minimum 1 month, Maximum 10 years |
| 7. Communication | 8. Minimum 1 month, Maximum 10 years |
| 9. Legal Transaction | 10. 10 YEARS |
| 11. Customer Transactions | 12. 10 YEARS |
| 13. Physical Space Security | 14. Minimum 2 weeks, Maximum 60 days |
| 15. Risk Management | 16. 10 YEARS |
| 17. Finance | 18. 10 YEARS |
| 19. Marketing | 20. 10 YEARS |
1. Customer Rights
You can submit your requests regarding your rights to us using the methods stipulated in the relevant article of the Law. Your request will be processed free of charge as soon as possible, but no later than thirty (30) days. However, if the process requires additional costs, we may request a fee according to the tariff determined by the Board. The customer has the following rights regarding Personal Data processed by Black Fashion:
a. To find out whether your personal data is being processed;
b. Requesting information regarding the processing of personal data;
c. To learn the purpose of processing your personal data and whether it is being used appropriately for that purpose;
d. To learn the third parties to whom personal data is transferred within the country;
e. Requesting the correction of personal data if it has been processed incompletely or inaccurately;
f. Requesting the deletion or destruction of personal data within the framework of Article 7 of the KVKK (Law on Protection of Personal Data);
g. In accordance with sections 6.e and 6.f of this Declaration, we request that the actions taken be notified to third parties to whom personal data has been transferred;
h. The right to object to a result that is detrimental to them arising from the analysis of their personal data exclusively through automated systems, and
i. The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.
To exercise the rights mentioned above, the Customer must provide Black Fashion with information that will allow for identification of the Customer and submit their requests in writing using any of the following communication methods:
a. By email to info@blackfashion.com.tr;
b. Send an email to etrade@blackfashion.com.tr or;
c. Through software or an application developed for the purpose of the application.
2. Personal data may be processed without the explicit consent of the data subject if one or more of the following conditions are met:
5.1 . The relevant activities regarding the transfer of personal data are explicitly provided for in the laws; the transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract; and, in the case of a contract between the parties, the processing of the personal data of the parties to the relevant contract is necessary.
5.2. The transfer of personal data is necessary for the Company to fulfill its legal obligations,
3. Personal data may be transferred by our Company only for the purpose of public disclosure, provided that the data has been made public by the data subject.
4. The transfer of personal data by the company is necessary for the establishment, exercise or protection of the rights of the company, the data subject or third parties,
5. Personal data transfer activities must be necessary for the legitimate interests of the company, provided that this does not harm the fundamental rights and freedoms of the data subject.
6. When a person is unable to express their consent due to factual impossibility or when their consent is not legally valid, and it is necessary to protect their own life or the life or physical integrity of another person.
7. Scope
This privacy policy, published by Black Fashion on its website, sets forth the terms and conditions of its Personal Data Protection, Processing, and Privacy Policy.
BLACK GROUP TEXTILE TRADE LIMITED COMPANY
DATA SUBJECT APPLICATION FORM
1. Application Method
In accordance with Article 11 of the Law No. 6698 on the Protection of Personal Data, you can submit your requests within the scope of your rights to Black Group Tekstil Ticaret Limited Şirketi (hereinafter referred to as Black Fashion) using this form and one of the methods described below, as per Article 13 of the Law and Article 5 of the Communiqué on the Procedures and Principles for Applications to the Data Controller.
| APPLICATION METHOD | APPLICATION ADDRESS | INFORMATION TO BE INCLUDED IN THE APPLICATION | |
| 1. Application in Writing | Personal application with wet signature or via notary public. | The envelope/notification should be marked "Information Request under the Law on the Protection of Personal Data". | |
| 2. Application via Registered Electronic Mail (KEP) | By using a Registered Electronic Mail (KEP) address | The subject line of the email should read "Information Request under the Personal Data Protection Law". | |
| 3. Application using the email address registered in the system. | By using the email address registered in the Black Fashion system. | The subject line of the email should read "Information Request under the Personal Data Protection Law". | |
| 4. Application with an Email Address Not Registered in the System | By using an email address not registered in the Black Fashion system, which will include a mobile signature/e-signature. | The subject line of the email should read "Information Request under the Personal Data Protection Law". |
Your applications submitted to us will be answered within thirty (30) days from the date your request is received, in accordance with the second paragraph of Article 13 of the Law, depending on the nature of the request. Our responses will be delivered to you in writing or electronically, in accordance with the provisions of Article 13 of the relevant Law.
2. Your Identity and Contact Information
Please fill out the fields below so we can contact you and verify your identity.
| Name and Surname: | |
| Turkish Republic Identity Number / Passport Number or Identity Number for Citizens of Other Countries: | |
| Residential Address / Business Address for Service of process: | |
| Mobile Phone: | |
| Phone Number: | |
| Fax Number: | |
| Email Address: |
3. Please specify your relationship with Black Fashion. (Customer, business partner, etc.)
(such as job applicant, former employee, third-party company employee, shareholder)
☐ Customer ☐ Visitor | ☐ Business Partner ☐ Other |
☐ My Former Employee Years I worked: ☐ Other: | ☐ I submitted a job application/shared my resume. History: ☐ I am an employee of a third-party company. Please specify the company you work for and your position: |
| I would like to know if Black Fashion processes my personal data. | |
| If Black Fashion processes my personal data, I request information about these data processing activities. | |
| If Black Fashion processes my personal data, I would like to know the purpose of this processing and whether it is being used in accordance with that purpose. | |
| If my personal data is transferred to third parties domestically or internationally, I want to know who those third parties are. | |
| I believe my personal data has been processed incompletely or inaccurately, and I request that it be corrected. | |
| Any information/documents you believe to be incorrect or incomplete and wish to be corrected, as well as information/documents demonstrating that your personal data is accurate and complete, must be submitted to us in addition to the requested information/documents. | |
| I believe that the reasons for processing my personal data no longer exist, and therefore I request that this data be destroyed using an appropriate method (deletion, destruction, anonymization). I request that my personal data, which I believe has been processed incompletely and incorrectly, be corrected by the third parties to whom it has been transferred. | |
| Any information/documents you believe to be incorrect or incomplete and wish to be corrected, as well as information/documents demonstrating that your personal data is accurate and complete, must be submitted to us in addition to the requested information/documents. | |
| I request that the personal data I have requested to be deleted also be deleted from the hands of the third parties to whom it has been transferred. | |
I believe that my personal data processed by Black Fashion was analyzed exclusively through automated systems, and that this analysis resulted in an outcome detrimental to me. I object to this outcome. |
4. Please specify your request under the Law and the personal data involved in the request in detail.
5. Appendices
If you wish to provide supporting documents for your application, please indicate them below and attach them to this form.
6. Please choose how you would like to be notified of our response to your application.
☐ I would like it sent to my address.
☐ I would like it sent to my email address.
(If you choose email, we will be able to respond to you more quickly.)
☐ I want to pick it up in person.
(If receiving the item by proxy, a notarized power of attorney or authorization document is required.)
This application form has been prepared to determine your relationship with Black Fashion and to fully identify any personal data processed by Black Fashion, so that your application can be answered accurately and within the legal timeframe. To eliminate legal risks that may arise from unlawful and unfair data sharing, and especially to ensure the security of your personal data, Black Fashion reserves the right to request additional documents and information (such as a copy of your national identity card or driver's license) for identity and authorization verification. Black Fashion accepts no responsibility for claims arising from inaccurate or outdated information provided in this form, or from unauthorized applications. Furthermore, we reserve the right to charge fees in accordance with relevant legislation if this involves costs.
Applicant (Contact Person)
Name and Surname:
Application Date:
Signature :