Data Privacy and Security
Dear Customers, Members, Business Partners/Suppliers, Personnel Candidates and Visitors,
As Derimod Deri Konf. Paz. San. ve Tic. A.Ş (“DERİMOD” or the “Company”), we attach great importance to the protection of your personal data. In this context, in accordance with the Personal Data Protection Law No. 6698 (“LPPD”), we would like to inform you, as the “data controller”, about your personal data and how it is processed.
This Policy aims to ensure the sustainability of the Company's "principle of conducting company activities in a transparent manner". In this context, the basic principles adopted in terms of the Company's data processing activities' compliance with the regulations in the Personal Data Protection Law No. 6698 ("LPPD Law") are determined and the practices implemented by the Company are explained.
The Policy is intended for natural persons whose personal data is processed by the Company through automatic or non-automatic means provided that it is part of any data recording system.
The Policy has been published on the Company's website and made available to the public. In the event of conflict between the current legislation, particularly the Law, and the regulations set forth in this Policy, the provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in line with legal regulations.
WHAT PERSONAL DATA DO WE PROCESS?
The personal data specified below may be processed depending on the exchange of goods/services between you and DERİMOD, the conclusion of a membership agreement, your visits to our workplaces, your application for a job or your entering into a legal or commercial relationship in any other way.
Identity Information: Data regarding Name-Surname, TR identity number, Gender, Date of Birth, IP address.
Contact Information: Data regarding address, telephone number and e-mail address.
Visual and Audio Information: Data regarding the images of people included in camera recordings made for security purposes in DERİMOD physical environments and the voices of people recorded during call center calls.
Purchased Product and Payment Information: Data regarding products purchased within the scope of purchases made from the DERİMOD website or stores.
Shopping Habits: Data regarding the results of the person's tastes, likes and preferences obtained through cookies during their visits to DERİMOD websites.
Education Data: Data such as diplomas, transcripts, and certificates showing educational background, which are included in the forms filled out by personnel candidates within the scope of job applications or in the CV they prepare.
Professional Experience: Data showing the work experience and professional titles in the form filled out by the personnel candidates within the scope of their job applications or in the CV they prepare.
Special Personal Data: Data consisting of health declarations and criminal records shared by personnel candidates within the scope of job applications.
| CONTACT PERSON CATEGORIES | EXPLANATION |
1 | Customer | It refers to real or legal persons who benefit from the services offered by DERİMOD. |
2 | Potential Customer | It refers to real or legal persons who show interest in using the services offered by DERİMOD, who have the potential to become customers, who demonstrate their will to benefit from the services through the website or other channels, and who request an offer. |
3 | Visitor | It refers to real persons who visit all workplaces and website of the company. |
4 | Third Parties | Refers to real persons excluding the above mentioned Relevant Person categories and DERİMOD employees. |
5 | Business Partners/Suppliers | It refers to the parties with which DERİMOD establishes business partnerships for purposes such as carrying out its commercial activities or who provide goods or services to the Company in accordance with DERİMOD's instructions and on a contract basis, and the employees of these parties. |
6 | Staff Candidate | Refers to people who apply for a job at DERİMOD. |
HOW AND FOR WHAT LEGAL REASON DO WE COLLECT YOUR PERSONAL DATA?
In the Physical Environment;
Your personal data is collected directly from you through the purchases you make from DERİMOD stores, the forms you fill out in stores and events, your store visits, the contracts you sign, the CVs you share as part of your job application or the job application forms you fill out.
In Electronic Environment;
Data is collected directly from you electronically through the purchases you make on the DERİMOD website, the Derimod Club Card membership forms you fill out, the requests and complaints you share on the website, by phone or e-mail, our call center, and your posts on our social media accounts.
Your personal data collected from both environments are recorded in the DERİMOD database and can be processed by automatic and non-automatic means.
Within the scope of the commercial and/or contractual relationship between you and DERİMOD (product or service exchange, membership agreement, workplace visits), your personal data is processed within the framework of the purposes specified below and in accordance with Article 5 of Law No. 6698, on the legal grounds of the establishment and execution of the contract, the establishment of a right, the fulfillment of legal obligations and our legitimate interests, provided that we observe your rights and do not harm them. During your visits to our workplaces, your identity information and your security camera image are recorded for security reasons, and their processing is limited to this purpose.
In cases where you do not receive goods or services from DERİMOD and no legal or commercial relationship is established between us, we can process your personal data specified above based on your EXPRESS CONSENT in accordance with Article 5, Paragraph 1 of the Law. Your explicit consent can be obtained in our stores with your wet signature on printed forms or by sending the PASSWORD generated for you to DERİMOD personnel if you find the information text sent to you via SMS appropriate, or it will be obtained by marking the permission/approval boxes in the membership and shopping areas on the website and pressing the "send" button. You can withdraw permissions at any time.
PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your Personal Data is processed for the purposes stated below:
1) For Customers and Members;
1) Conducting Goods / Services Purchasing Processes
2) Execution of Goods / Services Sales Processes
3) Execution of Customer Relationship Management Processes
4) Carrying out activities aimed at customer satisfaction
5) Ensuring Physical Space Security
6) To carry out transactions and activities within the scope of commercial/contractual relationships and to fulfill financial and legal obligations.
7) Tracking of Requests / Complaints
8) Fulfillment of legal obligations
9) Establishment and execution of the membership agreement and ensuring that customers benefit from membership benefits.
10) Conducting legal processes
11) Promotion and marketing activities
12) Providing information to authorized persons, institutions and organizations
13) Sending commercial electronic messages
14) Information Security
15) Preservation of your information that must be stored in accordance with the relevant legislation; copying and backing up to prevent information loss; ensuring the consistency of your information; taking the necessary technical and administrative measures to ensure the security of our databases and your information.
2) For Potential Customers;
Your identity and contact information, obtained directly from you through your visits to our website and stores, forms you fill out, e-bulletin membership, shares on our Social Media Accounts, and requests and complaints you send to our call center, is processed in accordance with your explicit consent and for marketing purposes, with the aim of informing you about our company's products and services and offering you special products. If you have sent a request or complaint to DERİMOD, your identity and contact information is processed for a limited period in accordance with Article 5/2 of the Law in order to manage this request or complaint.
3) For Suppliers/Business Partners;
Within the scope of the commercial relationship between you and our company, personal data belonging to your company officials and employees can be processed for the purposes set out below, in accordance with the basic principles stipulated in the Law and within the scope of the establishment and execution of our contracts, fulfillment of legal obligations and legitimate interests of our company, as specified in Article 5 of the Law, and within the scope of personal data processing conditions.
1) Fulfillment of Legal Obligations
2) Execution of contract processes
3) Conducting Finance and Accounting Affairs
4) Carrying out and following up legal processes
5) Conducting Internal Company Operations
6) Strategy planning & business partners/supplier management
7) Ensuring physical space security
8) Carrying out logistics activities
9) Managing Supply Chain Management Processes
10) Preservation of your information that must be stored in accordance with the relevant legislation; copying and backing up to prevent information loss; ensuring the consistency of your information; taking the necessary technical and administrative measures for the security of our databases and your information.
4) For Visitors;
Within the scope of your visits to our company, website and other workplaces, in order to ensure the security of our company and you, as well as to fulfill our legal obligations and our legitimate interests, your identity and visual data in physical environments through security cameras and visitor logs, and your identity and communication data obtained within the scope of internet access provided to you during your visit to our workplace are processed for the following purposes.
1) Conducting Audit and Security Activities
2) Security of movable property and resources
3) Execution of Information Security Processes
4) Creating and Tracking Visitor Records
5) Ensuring Physical Space Security
6) Providing Information to Authorized Persons, Institutions and Organizations
7) Ensuring the Security of Data Controller Operations
8) Providing Internet Access and Ensuring Access Security
5) For Employee Candidates;
DERİMOD carries out data processing activities within the scope of the legitimate interests of our company, for the purposes of personnel supply and management of human resources processes, establishment of employment contracts, establishment of a right and use as evidence in legal disputes, within the scope of the following purposes, by using the personal data received from the personnel candidates through our website www.derimod.com.tr or through the CVs or application forms you fill out within the scope of job applications you make to our company headquarters or stores, as specified in Article 5 of the Law. In case of health declaration and sanction data being obtained from the personnel candidate, express consent is also requested.
1) Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students
2) Conducting the Application Process of Employee Candidates
3) Conducting human resources operations and especially personnel recruitment processes,
4) Carrying out business continuity activities and ensuring physical space security
PARTIES TO WHICH YOUR PERSONAL DATA IS TRANSFERRED AND THE PURPOSES OF TRANSFER
DERİMOD may transfer your personal data to the following domestic recipient groups within the scope of the Law and other legislation for the purposes set out in this Policy:
1) To our suppliers and business partners with whom we work to provide or deliver the services offered to you (companies from which we receive web infrastructure services, cargo companies, auditing companies, etc.)
2) Our business partners, supplier companies, banks, financial institutions with whom we cooperate and/or receive services for the purpose of providing, promoting and similar services,
3) Advertising agencies from which we receive services for the management of our website and social media accounts,
4) Lawyers, auditors, consultants and service providers,
5) To your attorneys, guardians and representatives authorized by you,
6) To institutions or organizations authorized to request your personal data, such as regulatory and supervisory authorities, courts and enforcement offices, and to persons designated by them,
7) Our group company DERİMOD KONFEKSİYON AYAKKABI LERİ SANAYİ VE TİCARET A.Ş. with whom we use the same database.
COMMERCIAL ELECTRONIC COMMUNICATIONS
DERİMOD may also process identity and communication data to send electronic commercial messages (SMS, E-MAIL, etc.) to data owner persons for commercial purposes such as advertisements, campaign announcements, promotions, etc. by using the communication data, and may communicate with these persons. DERİMOD obtains electronic communication permission from the relevant persons for this activity and carries out the said activity within the scope of this permission.
RIGHTS OF THE RELATED PERSONS AS STATED IN ARTICLE 11 OF THE LAW
1) Learning whether your Personal Data is being processed,
2) Request information regarding your Personal Data if it has been processed,
3) To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,
4) Knowing the third parties to whom your Personal Data is transferred, either domestically or abroad,
5) Request correction of your Personal Data if it is processed incompletely or incorrectly,
6) Request the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation,
7) Request that the transactions made within the scope of Articles 5 and 6 be notified to third parties to whom your Personal Data has been transferred,
8) To object to the emergence of a result to your detriment as a result of the analysis of processed data exclusively through automatic systems,
9) If you suffer damage due to the unlawful processing of your Personal Data, you have the right to demand compensation for this damage.
ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
The Company takes all necessary measures, to the extent possible, depending on the nature of the data to be protected, to prevent unlawful disclosure, access, transfer or other security deficiencies of personal data.
In this context, the Company takes all necessary (i) administrative and (ii) technical measures, (iii) establishes an audit system within the company, and (iv) acts in accordance with the measures stipulated in the Personal Data Protection Law in case of unlawful disclosure of personal data.
DESTRUCTION OF PERSONAL DATA
In the event that the reasons requiring processing of personal data are eliminated, despite being processed in accordance with the law in accordance with Article 7 of the Law, the Company shall delete, destroy or anonymize the personal data ex officio or upon the request of the Relevant Person, in accordance with the Data Protection and Destruction Policy, legislation and the guide published by the Institution, which it has prepared specifically for this purpose.
DERİMOD has prepared a DESTRUCTION POLICY that specifies the destruction procedures for personal data and has published it within the company. All destruction processes are carried out in accordance with this policy. At the same time, the destruction periods for each process and personal data type are clearly determined in the DERİMOD personal data inventory. The storage periods specified in the inventory are taken as basis in the periodic data destruction process carried out every 6 months.
ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Personal Data Protection Law, DERİMOD takes the necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, unlawful access to data, and to ensure the preservation of data, to ensure an appropriate level of security, and to conduct or have conducted the necessary inspections within this scope.
DERİMOD takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law.
TECHNICAL MEASURES
The main technical measures taken by DERİMOD to ensure the lawful processing of personal data are listed below:
1) Personal data processing activities carried out within DERİMOD are supervised by established technical systems.
2) The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.
3) Departments have been established for technical issues and personnel knowledgeable in this regard are employed.
4) New technological developments are followed and technical measures are taken on systems, especially in the field of cyber security, and the measures taken are periodically updated and renewed.
5) Access and authorization technical solutions are put into effect within the framework of legal compliance requirements determined for each department within DERİMOD.
6) Access rights are limited and reviewed regularly. Access restrictions are applied to former employees and accounts are closed.
7) Technical measures taken in accordance with DERİMOD's internal operations are reported to the relevant users, risky issues are re-evaluated and the necessary technological solutions are produced.
8) Software and hardware including virus protection systems, data vulnerability security and firewalls are installed.
9) Personnel specialized in technical matters are employed.
10) All information systems, including applications where personal data is collected, are regularly subjected to external impact testing to detect security vulnerabilities, and the vulnerabilities found are closed based on the results of this testing.
ADMINISTRATIVE MEASURES
Administrative measures taken by DERİMOD to ensure the lawful processing of personal data:
1) DERİMOD employees are informed and trained on personal data protection law and the lawful processing of personal data.
2) All personal data processing activities carried out by DERİMOD are carried out in accordance with the personal data inventory and its annexes, which are created by analyzing all business units in detail.
3) Personal data processing activities carried out by the relevant departments within DERİMOD; the obligations to be fulfilled to ensure that these activities comply with the personal data processing conditions sought by KVKK are linked to written policies and procedures by DERİMOD, and each business unit is informed about this issue and the issues to be taken into consideration specific to the activities it carries out are determined.
4) The audit and management of personal data security in the departments within DERİMOD are organized by the Information Security Committees. Awareness is created to ensure the legal requirements determined on a business unit basis, and the necessary administrative measures are implemented through in-company policies, procedures and training to ensure the auditing of these issues and the continuity of the application.
5) Records containing information and data security regarding personal data are included in the service contracts and related documents between DERİMOD and employees, and additional protocols are made. Studies have been carried out to create the necessary awareness for employees on this issue.
6) Legal compliance, access to personal data and authorization processes within the company are implemented by taking into account personal data processing processes for each department within DERİMOD.
7) You can submit your request to exercise your rights under the KVKK specified above by filling out the application form on DERİMOD's website, along with documents that will verify your identity, (i) to DERİMOD's postal address with a wet signature, by hand or by registered mail, or (ii) a copy with a secure electronic signature to DERİMOD via the address kvkk@derimod.com.tr.
In the event that data owners (related persons) submit their requests regarding their personal data to our Company in writing, the Company, as the data controller, carries out the necessary processes in accordance with Article 13 of the Personal Data Protection Law to ensure that the request is finalized as soon as possible and within thirty (30) days at the latest, depending on the nature of the request.
Within the scope of ensuring data security, the Company may request information to determine whether the applicant is the owner of the personal data subject to the application. Our Company may also ask questions regarding the application of the Relevant Person in order to ensure that the application is concluded in accordance with the request.
In cases where the application of the relevant person is likely to impede the rights and freedoms of other people, requires disproportionate effort, or is public information, DERİMOD may reject the request by explaining the reason.
DEFINITIONS
Company | Derimod Deri Konf. Paz. San. ve Tic. A.Ş |
Personal Data/Data | Any information relating to an identified or identifiable natural person. |
Processing of Personal Data | It is any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system. |
Personal Data Owner/Relevant Person | It refers to Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, Third Parties and persons whose personal data is processed by the company. |
Data Recording System | It refers to the recording system in which personal data is structured and processed according to certain criteria. |
Data Controller | It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him. |
Explicit Consent | It is consent regarding a specific subject, based on information and expressed with free will. |
Anonymization | It is the process of making data that was previously associated with a person incapable of being associated with an identified or identifiable natural person, even by matching it with other data. |
Destruction | It is the process of removing personal data by deleting, destroying or making it anonymous. |
Law | Refers to the Personal Data Protection Law No. 6698. |
Personal Data Protection Board | It is the Personal Data Protection Board. |
SECURITY OF INFORMATION
DERİMOD attaches great importance to the security of its customers' information and works with the most advanced technological tools to ensure this. In order to ensure the security of our site, all kinds of physical, electronic and administrative measures have been taken in secure environments. All information is stored and backed up on secure servers.
Information received through our site is carried with a technology called SSL (Secure Sockets Layer) that provides secure information transfer. On the pages where you transfer your financial information on our site, you will see a lock or key image on the far right of your browser's address bar (depending on the browser you are using), and the first letters of the address in this address bar will change from 'http' to 'https'. If you see these, you can be sure that you are on our site's secure servers.
SITE-VISITOR COMMUNICATION SECURITY
The communication between the site and the visitor on the order pages of DERİMOD's website is carried out with the 128 bit SSL standard. This communication standard is used securely even on sites that handle a large number of transactions. You can tell that it is in use on the page where credit card information will be given because the address shown in the address bar when the page is accessed begins with https:// rather than http://. When you access pages of this nature, there is also a lock sign in the lower right corner of the browser.
SITE-BANK COMMUNICATION SECURITY
The security regarding the transfer of credit card information from the site to the bank is realized with the maximum security offered by the Bank. In addition to the many components of the security in question, the CVV2/CVC2 code is also used on our site as a precaution against shopping with stolen cards or card information.
ON-SITE DATA SECURITY
In transactions that you will make in a secure environment, no person, institution or organization other than you and the bank that assigned the credit card to you can access your information. The credit card transaction page transmits the card information directly to the bank POS system and notifies the customer of the transaction result. Credit card information is not transferred via e-mail or similar methods. It is not possible for us to access the credit card information transferred as a result of the online transaction.
ENFORCEMENT OF THE POLICY
This Policy, prepared by DERİMOD, came into force on December 17, 2019. This Policy is published on DERİMOD's website (www.derimod.com.tr) and is made accessible to the relevant persons upon the request of personal data owners.
DERİMOD LEATHER CLOTHING MARKETING INDUSTRY AND TRADE INC. (DATA CONTROLLER)
ADDRESS: Gursel District Imrahor Street Premier Campus Office Block No:29 /A 219 independent section Kagithane/ISTANBUL
PHONE: 0850 288 4 288
CRS: 293000831300010
WEB: www.derimod.com.tr