POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA UNDER THE LAW NO 6698 BY MARKANO
                                                                                                                                                                       Contents
Chapter 1. Purpose and Enforcement of the Policy.................................... .................................................................. .................................................................. ..............................................0
Section 2. Scope of the Law and Our Company's Rights and Obligations arising from the Law.................... .................................................................. ...................... ..............one
                  I. General Principles Regarding the Processing of Personal Data .................................. .................................................................. .................................................................. ...................one
                 Purposes of Processing and Sharing Personal Data within the Scope of the II.Law.................................. .................................................................. .................................................one
   a. Purposes of Processing Personal Data .................................................. .................................................................. .................................................................. .......................................one
   b. Purposes of Sharing Personal Data.................................................. .................................................................. .................................................................. ........................................2
              Cases Out of the Scope of the Law III.................................................. .................................................................. .................................................................. ......................................2
Section 3. Processing of Personal Data by Our Company ............................................. .................................................................. .................................................................. ..........................3
I. Categorization of Personal Data Processed by Our Company ............................................ .................................................................. .................................................................. ..............3
II. Purposes of Processing Personal Data by Our Company ............................................. .................................................................. .................................................................. ..........................5

III. Transfer of Personal Data by Our Company and Categorization of the Parties to which Data Transfer is Made..................... ............................................6
IV. Procedure for Processing Personal Data by Our Company .................................................. .................................................................. .................................................................. ...........................6
V.Personal Data Security................................................. .................................................................. .................................................................. .................................................................. ...........................7
Chapter 4. Legal Rights of Data Owners .................................................. .................................................................. .................................................................. ....................................7
I. Rights of Data Owners ....................................... .................................................................. .................................................................. .................................................................. .......................8
II. Exercise of Rights ................................................. .................................................................. .................................................................. .................................................................. .........................8

Chapter 1. Purpose and Enforcement of the Policy
The Law on Protection of Personal Data No. 6698 (“Law”) entered into force on 7 April 2016. The law lays down the procedures and principles regarding the processing of personal data by natural or legal persons who are classified as “data controllers”, determine the purposes and means of processing personal data, and are responsible for the establishment and management of the data recording system.
Within the scope of the law, personal data is defined as “any information relating to an identified or identifiable natural person”; Processing refers to “obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automated or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use.
The law, among other regulations, imposes an obligation on data controllers to inform / enlighten the data owners whose personal data will be processed during the acquisition of personal data. According to Article 10 of the Law, data controllers
;•Identity of the data controller and its representative, if any
,•The purpose for which personal data will be processed,
To whom and for what purpose the processed personal data can be transferred
,•The method and legal reason for collecting personal data,
• He/she should inform about other rights listed in Article 11 of the Law.

This document (“Policy”) has been written in order to enlighten the natural persons whose personal data our Company processes as the data controller, within the scope of the above-mentioned article. The subject of this Policy is our Company's customers, corporate customers' shareholders, officials and employees, potential customers, shareholders, officials and employees of our business partners and suppliers, as well as our candidates, former employees and interns in our Company, and retirees of our Company, visitors, company Issues regarding the processing of personal data regarding our employees, including our shareholders, business partner and supplier candidates, and other third parties, are regulated within the scope of a separate policy text presented to employees in accordance with the Law.
Chapter 2. Scope of the Law and Our Company's Rights and Obligations arising from the Law
I. .General Principles Regarding the Processing of Personal Data
Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the obligation to inform in Section 1 above:
• Compliance with the law and honesty rules.

•Being accurate and up-to-date when necessary.
• Processing for specific, explicit and legitimate purposes.
• Being connected, limited and restrained with the purpose for which they are processed.
.•Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.
Purposes of Processing and Sharing Personal Data under the Second Law
a. Purposes of Processing Personal Data
In accordance with the law, as a rule, personal data cannot be processed without the explicit consent of the data owner. However, within the scope of Articles 5 and 6 of the Law, certain situations in which data can be processed without express consent have been determined in terms of personal data and special quality personal data.
 Personal data pursuant to Article 5,
• The data processing is clearly stipulated in the laws,
• It is mandatory to process the relevant data in order to protect the life or bodily integrity of the person or someone else, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid,
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
Data processing is mandatory in order for the data controller to fulfill its legal obligations,
The personal data being made public by the person concerned
Data processing is mandatory for the establishment, exercise or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the data subject, in cases where data processing is necessary for the legitimate interests of the data controller, it can be processed even if there is no prior explicit consent of the data owner (provided that the necessary clarification has been made).
On the other hand, the Law includes biometric data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. and genetic data as "special quality" or "sensitive" personal data and stipulated more severe conditions for their processing. Accordingly, special categories of personal data can only be processed under the following conditions, except in cases where explicit consent has been obtained from the data owner:
• Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data of individuals may be processed in the cases stipulated by the laws.
 •Personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of secrecy for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

b. Purposes of Sharing Personal Data
In accordance with data processing, the sharing (transfer) of personal data with a third party is also subject to the explicit consent of the relevant data owner. However, data transfer can also be carried out under the conditions where data processing is allowed according to Article 8 of the Law, and in this regard, in the presence of the conditions specified in Section 2.II.a above, personal data or sensitive personal data can be transferred even without the consent of the data owner.
Regarding the transfer of personal data to third parties, the law binds the transfer abroad to special conditions. Accordingly, personal data;
• In case of explicit consent of the data owner, or
• In cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met;
• There is adequate protection in the country to which the data is transferred, and
• If there is no adequate protection in the country where the data is transferred, it can be transferred abroad provided that the data controller undertakes in writing with the data controller in the relevant foreign country and that the permission of the Personal Data Protection Board is obtained.
Cases Outside the Scope of the III.Law
Pursuant to Article 28 of the Law, the Law will not be applied in the following cases: • Processing of personal data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
Processing personal data for purposes such as research, planning and statistics, by making them anonymous with official statistics

Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to ensure national defense, national security, public security, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Section 3. Processing of Personal Data by Our Company
 I. Categorization of Personal Data Processed by Our Company
Personal data is processed by our company under the following categories:
Data category Personal Data Categorization Description
Identity Information - Information contained in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate (eg TCKN, passport no., identity card serial no., name-domain, photo, place of birth, date of birth, age , place of registration, copy of proof of identity card)
Contact Information - Information used to contact the person (eg e-mail address, telephone number)

number, mobile phone number, address)
Location Data - Data to identify the location of the data subject (eg location data obtained while driving)
Customer Information - Information about customers who benefit from our products and services (eg customer number, profession information, etc.)
Customer Transaction Information - Information regarding any transaction performed by customers using our products and services (eg, requests and instructions, order and basket information, etc.)
Physical Space Security Information - Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space (e.g. entry-exit logs, visit information, camera recordings, etc.)
Transaction Security Information - Personal data processed in order to ensure the technical, administrative, legal and commercial security of our company and related parties (for example, information such as website password and password, which indicates that the person is authorized to match the transaction associated with the personal data owner and that person and to perform that transaction)
Risk Management Information - Personal data processed in order to manage the commercial, technical and administrative risks of our company (eg IP address, Mac ID, etc. records)
Financial Information - Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of legal relationship with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest payable amount and ratio, debit balance, credit balance, etc.)

Personal Information - Personal data, which is the basis for the formation of the personal rights of the employees of the company's suppliers (any information and document that must be entered in the personnel file by law)
Employee Candidate Information -Personal data used in the application evaluation process (eg CV, interview notes, personality test results, etc.)
Employee Transaction Information -Personal data related to all kinds of work-related transactions carried out by the supplier employees of the Company (eg, entry-exit records, business trips, information about meetings attended, security inquiries, e-mail traffic monitoring information, vehicle usage information, company card expenditures) information)
Employee Performance and Career Development Information - Personal data processed for the purpose of measuring the performance of the company's supplier employees and planning and carrying out their career development within the scope of human resources policies (e.g. performance evaluation reports, interview results, career development trainings)
Benefits and Benefits Information - Personal data processed for the follow-up of the Company's fringe benefits and benefits offered to supplier employees and for supplier employees to benefit from them (e.g. private health insurance, vehicle allocation)
Marketing Information - Data to be used by our company in marketing activities (eg, reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, cookie records, data enrichment activities)
Legal Transaction and Compliance Information -Personal data processed for the purpose of determination and follow-up of legal claims and rights, and performance of debts and legal obligations (for example, data contained in documents such as court and administrative authority decisions)

Audit and Inspection Information - Personal data processed within the scope of our company's compliance with its legal obligations and company policies (eg audit and inspection reports, relevant interview records and similar records)
Special Qualified Personal Data - Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data
Request/Complaint Management Information -Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to our company (eg, requests and complaints against the Company, records and reports related to them)
Audio-Visual Data - Visual and audio recordings associated with the personal data owner (e.g. photographs, camera recordings and audio recordings)
                                                                           
II. Purposes of Processing Personal Data by Our Company
Our company processes personal data within the scope specified above for the following purposes:
•Planning, auditing and execution of information security processes
• Creation and management of information technologies infrastructure
•Planning and execution of fringe benefits and benefits for employees

•Corporate communication for employees and/or corporate social activities in which employees participate.
planning and/or execution of responsibility and/or non-governmental organizations activities
•Planning and execution of employees' access to information authorizations
•Following and/or auditing the business activities of the employees
•Finance and/or accounting work follow-up
• Follow-up of legal affairs
•Planning of human resources processes
Performing efficiency/efficiency and/or relevance analyzes of business activities
planning and/or execution of activities
•Planning and execution of business activities
•Planning and executing information access authorizations of business partners and/or suppliers
• Management of relations with business partners and/or suppliers
• Planning and/or execution of occupational health and/or safety processes
•Planning and/or execution of business continuity activities
•Planning and execution of corporate communication activities
•Planning and execution of corporate governance activities
•Planning and execution of logistics activities
•Planning and execution of customer relationship management processes
•Planning and/or execution of customer satisfaction activities
• Following up on customer requests and/or complaints

• Execution of personnel procurement processes
• Fulfillment of obligations arising from employment contracts and/or legislation for company employees
•Planning and execution of company audit activities
•Planning and execution of external training activities
• Complying with company procedures and/or relevant legislation
Planning and execution of operational activities necessary to ensure the execution of
• Planning and/or execution of in-company training activities
•Planning and execution of in-company orientation activities
• Ensuring the security of company operations
• Ensuring the security of company premises and/or facilities
• Establishing and/or increasing loyalty to the products and/or services offered by the company
planning and/or execution of processes
• Planning and/or execution of the company's production and/or operational risk processes
•Realization of corporate and partnership law transactions
• Follow-up of contract processes and / or legal requests
•Execution of strategic planning activities
Planning and execution of supply chain management processes
•Compensation Management
•Planning and execution of production and/or operation processes
Planning and execution of market research activities for sales and marketing of products and services
• Planning and execution of marketing processes of products and / or services

• Planning and execution of sales processes of products and / or services
• Ensuring that the data is accurate and up-to-date
• Providing information to the authorized institutions based on the legislation
•Creating and tracking visitor records
III. Transfer of Personal Data by Our Company and Categorization of Data Transferred Parties
Personal data by our company, Markano Virtual Mağazacılık ve Elektronik Dış Tic. Ltd.Şti., Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions.
IV. Procedure of Processing Personal Data by Our Company
Our company, as the data controller, informs the data owners in line with Article 10 of the Law before obtaining their personal data from the data owners within the scope of its obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Section 2.II.a and b above, explicit consent is obtained from the data owners and the related processes are carried out within the framework of the aforementioned express consent.
Within the scope of the law, express consent is defined as “consent related to a certain subject, based on information and expressed with free will”, and accordingly, our Company provides their explicit consent after informing the data owners in accordance with Article 10 of the Law.

Although no period has been determined for the storage of personal data within the scope of the law, it is essential to keep personal data for as long as required by the relevant legislation or for the purpose for which they are processed, in accordance with general principles. Our company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process, in order to determine the retention periods in accordance with the said principle. Accordingly, our Company keeps personal data at least for the period required by its legal obligations, and in any case, until the relevant statute of limitations expires. Our company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the aforementioned periods. Anonymization within the scope of the law is defined as making personal data unable to be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data.
V. Personal Data Security
In order to ensure the security of personal data, our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:
Taking software and hardware security measures appropriate to the processed personal data
•Performing the audits stipulated under the law
• Ensuring compliance of the Company and employees with the Law through in-company trainings, policies and procedures

•Providing and recording access to information on the basis of necessity with in-company authorizations
Follow-up of personal data processing activities on a process basis
• Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers
Chapter 4. Rights of Data Owners Arising from the Law
I. Rights of Data Owners
According to Article 11 of the Law, personal data owners;
•Learning whether personal data about him/her is processed or not,
• If personal data about him/her has been processed, requesting information about it,
•Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
• Knowing the third parties to whom personal data is transferred in the country or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing,
• Requesting the deletion or destruction of personal data in the event that the reasons requiring processing disappear, although it has been processed in accordance with the provisions of the law and other relevant laws,
• Requesting notification of the transactions made as a result of requests for correction, deletion and destruction, to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

• It has the right to demand the compensation of the damage in case of loss due to unlawful processing of personal data. Paragraph 2 of Article 28 of the Law regulates that in certain circumstances, the data owner cannot make a claim from the data controller other than the compensation of his losses.
According to this,
•Personal data processing is necessary for the prevention of crime or for criminal investigation,
Processing of personal data made public by the person concerned,
•Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority given by the law,
•In cases where personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters, the rights specified above cannot be exercised for the relevant data.
II. Exercise of Rights
Data owners will be able to use the Application Form to exercise the above-mentioned rights. Applications must be signed with a secure electronic signature issued under the Electronic Signature Law No.

[email protected]
address, or by e-mail sent from the e-mail address previously notified to our Company and registered in our Company's system. If a method other than the aforementioned methods is foreseen by the Personal Data Protection Board, applications can also be submitted by this method.
Requests of data subjects transmitted by one of the methods mentioned above are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data owner.
As a rule, data subject applications are compiled by our Company free of charge. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data owner, our Company will have the right to demand payment over this fee.

 

 

 

 

cultureSettings.RegionId: 0 cultureSettings.LanguageCode: EN
Çerez Kullanımı

Sizlere en iyi alışveriş deneyimini sunabilmek adına sitemizde çerezler(cookies) kullanmaktayız. Detaylı bilgi için Kvkk sözleşmesini inceleyebilirsiniz.