Personal Data Processing and Protection Policy
OR-PA Marketing and Textile Industry Inc.
PERSONAL DATA PROTECTION AND PROCESSING POLICY 2022
1. INTRODUCTION
As OR-PA Marketing and Textile Industry Inc. ("Company"), we place great importance on the lawful processing and protection of personal data under the Personal Data Protection Law No. 6698 ("Law"). We act with the utmost care in all our planning and activities. With this awareness, we present this Personal Data Processing and Protection Policy ("Policy") to inform you about the details of our personal data processing processes.
1.1. Purpose of the Policy
The primary purpose of this Policy is to ensure the sustainability of the Company's principle of "conducting company activities with transparency," to provide explanations regarding systems for the lawful processing and protection of personal data in accordance with the Law's objectives, and to inform individuals whose personal data is processed by the Company, including Company Stakeholders, Company Officials, Company Business Partners, Employees, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, and Third Parties.
RELATED PERSON CATEGORIES | DESCRIPTION |
---|---|
1. Shareholder | Real persons who are shareholders of the Company. |
2. Real Person Business Partner | Real persons with whom the Company is in any type of business relationship. |
3. Employees, Shareholders, or Representatives of the Company's Business Partners | Real persons who are employees, shareholders, or representatives of legal entities (such as partners, suppliers) with whom the Company has any type of business relationship. |
4. Company Official | Real persons who are members of the Company's board of directors or other authorized individuals. |
5. Employee/Intern | Real persons employed under a contract or performing services within the Company. |
6. Job Applicant | Real persons who have applied for a job at the Company in any way or who have shared their CV and related information for review by the Company. |
7. Customer of the Company | Real persons who are current or potential customers of the Company's products or services, regardless of whether a contractual relationship exists. |
8. Potential Customer | Real persons who have shown an interest in using or acquiring the Company’s products or services, or who have been evaluated in accordance with the rules of commerce and good faith, including having been contacted for a commercial transaction. |
9. Visitor | Real persons who enter the Company's physical premises for specific purposes or who visit the Company's internet site in any way. |
10. Third Party | Real persons who are not categorized under the Related Person categories provided above, including employees’ family members. |
1.3. Definitions
The terms used in this Policy have the meanings ascribed to them as follows:
TERM | DEFINITION |
---|---|
Company | OR-PA Marketing and Textile Industry Inc. |
Personal Data | Any information relating to an identified or identifiable real person. |
Special Categories of Personal Data | Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data. |
Processing of Personal Data | Any operation or set of operations performed upon personal data such as collecting, recording, storing, keeping, altering, revising, disclosing, transferring, making retrievable, classifying, or preventing the use thereof, wholly or partly by automatic means or otherwise, provided that it is a part of any data recording system. |
Data Subject or Related Person | The natural person whose personal data is processed, including Company Shareholders, Employees, Business Partners, Officials, Employee Candidates, Visitors, Company Customers, Potential Customers, and Third Parties whose personal data is processed by the Company. |
Group Company | Refers to the companies belonging to the Orka Holding A.S. group. |
Data Recording System | The recording system in which personal data is processed by being structured according to specific criteria. |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
Explicit Consent | The freely given, specific, informed, and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them. |
Anonymization | Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data. |
Law | Refers to the Law on the Protection of Personal Data No. 6698. |
KVK Board | Refers to the Personal Data Protection Board. |
Destruction | The deletion, destruction, or anonymization of personal data. |
2. METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA
Within the scope of the commercial, legal, contractual, or other relationship established between the Company and the Relevant Person, Personal Data is collected and processed by the Company directly from the relevant person in electronic or physical environments, based on the purposes detailed below and the legal grounds stipulated in Article 5, Paragraph 2 of the Personal Data Protection Law No. 6698, or if such a legal ground is not available, based on explicit consent. The necessary details regarding this matter are specified in the disclosure texts prepared separately for each data subject and presented to the Data Subjects in physical and electronic environments (Store and website disclosure texts, Supplier/Business partner disclosure text, Employee/Employee Candidate disclosure text, Visitor Disclosure text, etc.). At least one of the following conditions is accepted as the legal basis for data processing:
- It is expressly provided for by the laws to which the Company is subject,
- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, in order to provide the requested products and services or to fulfill the obligations under the contract,
- It is necessary for compliance with a legal obligation to which the Company is subject,
- The relevant person has made the data public,
- It is necessary to establish, exercise, or protect a right as required by the legislation or the internal practices of the Company,
- It is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person,
- Explicit consent of the Data Subject.
3. CATEGORIES AND PURPOSES OF PROCESSING PERSONAL DATA
3.1. Categories of Personal Data
Within the Company, based on one or more of the conditions for processing personal data specified in Article 5 of the Law, and in accordance with the legitimate and lawful personal data processing purposes of the Company, the following categories of personal data are processed, limited to the subjects covered by this Policy and in compliance with the general principles set forth in Article 4 of the Law and all other obligations set forth in the Law. The general definitions of the personal data processed in these categories are provided below, along with an explanation of what information they encompass.
PERSONAL DATA CATEGORY | DESCRIPTION OF PERSONAL DATA CATEGORY |
---|---|
Identity Information | Information related to an identified or identifiable real person; such as Name-surname, Turkish ID number, place of birth, date of birth, gender, ID card and passport number, tax number, social security number, etc. |
Contact Information | Information related to an identified or identifiable real person; such as telephone number, address, email address, fax number, etc. |
Location Information | Information that identifies the location of the Relevant Person within the scope of the operations carried out by the Company's units, such as GPS location data while using Company vehicles. |
Transaction Security Information | Data such as IP address, computer password, internet access records belonging to the data subject. |
Physical Space Security Information | Personal data such as records and documents taken during entry to physical spaces owned by the Company, records taken while inside the physical space, camera records, and records taken at the security checkpoint. |
Financial Information | Personal data related to any financial results created according to the type of legal relationship established between the Company and the Relevant Person, including information, documents, and records related to processed financial data, bank account number, IBAN number, credit card information, asset data, income information, etc. |
Visual/Audio Information | Information belonging to an identified or identifiable real person; including photographs and camera recordings, audio recordings obtained through call centers. |
Personnel Information | Any type of personal data processed in relation to the creation of personnel rights within the scope of the employment contract established with the Company and real persons working in a personnel capacity. |
Education and Professional Data | Information related to the work history and educational background of employees, candidates, customers, and potential customers. |
Legal Transaction Information | Data processed within the scope of the determination, tracking, and fulfillment of the Company's legal claims and obligations. |
Customer Transaction Information | Information related to the records of the use of products and services and the necessary instructions and requests for the use of products and services by the customer. |
Marketing Data | Personal data processed for the customization and marketing of products and services according to the usage habits, preferences, and needs of the Relevant Person, and reports and evaluations created as a result of this processing. |
Special Categories of Personal Data | Data specified in Article 6 of the Law and characterized as requiring more stringent processing and protection conditions due to their nature (e.g., health data, biometric data, etc.). |
3.2. General Principles in the Processing of Personal Data
Personal Data is processed by the Company in accordance with the procedures and principles set forth in the Law and this Policy. The Company adheres to the following principles when processing Personal Data:
- Personal Data is processed in compliance with relevant legal rules and the principles of good faith.
- Personal Data is ensured to be accurate and up-to-date. In this context, care is taken to ensure that the sources from which the data is obtained are specific, that the accuracy is verified, and that the need for updates is evaluated.
- Personal Data is processed for specific, clear, and legitimate purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is connected to and necessary for the work it performs or the service it provides.
- Personal Data is processed in connection with and limited to the purpose of achieving the objectives set by the Company. The Company avoids processing Personal Data that is not related to or needed for the fulfillment of the purpose. The processed data is limited to what is necessary for achieving the purpose. In this context, Personal Data is processed in connection with, limited to, and proportionate to the purposes for which it is processed.
- The Company complies with the retention periods stipulated in the relevant legislation for the storage of data; otherwise, it retains Personal Data only for the period necessary for the purpose for which it is processed. If there is no valid reason to retain the Personal Data for a longer period, the data is deleted, destroyed, or anonymized.
3.3. Purposes of Processing Personal Data
Personal Data is processed by the Company in accordance with the conditions and principles of data processing, and for the purposes listed below.
The existence of the purposes listed below may vary depending on each Relevant Person.
The Personal Data obtained is processed by the Company in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Law on the Protection of Personal Data (KVK Law) and for the purposes listed below:
3.3.1. The Company's Primary Purposes for Processing Personal Data
MAIN OBJECTIVES | SUB-OBJECTIVES |
---|---|
Execution of Company Operations and Management of Human Resources, Personnel Processes | 1. Structuring and Execution of Commercial Activities 2. Planning, Monitoring, and Execution of Information Security Processes 3. Event Management 4. Fulfillment of Obligations Arising from Legislation for Employees 5. Tracking of Financial and Accounting Processes 6. Planning and Execution of Occupational Health and Safety Processes 7. Planning and Execution of Human Resources Processes 8. Planning and Execution of Business Activities 9. Planning and Execution of Business Continuity Activities 10. Planning and Execution of Corporate Communication Activities 11. Planning and Execution of Logistics Activities 12. Execution of Production and Operation Processes 13. Execution of Audit and Security Activities 14. Creation and Tracking of Visitor Records 15. Ensuring Physical Security 16. Providing Information to Authorized Persons, Institutions, and Organizations 17. Ensuring the Security of Data Controller Operations 18. Ensuring Internet Access and Internet Security 19. Preservation of Information Required by Relevant Legislation; copying, backing up, and ensuring the consistency of information; taking necessary technical and administrative measures to secure databases and information. |
Legal, Technical, and Administrative Activities | 1. Planning and Execution of Emergency Management Processes 2. Planning and Execution of Occupational Health and Safety Processes 3. Monitoring Legal Processes 4. Providing Information to Authorized Organizations 5. Creation and Tracking of Visitor Records 6. Planning and Execution of Company Production and Operational Risk Processes 7. Ensuring the Security of Company Operations 8. Ensuring the Security of Company Premises and Facilities 9. Ensuring the Security of Movable Property and Resources 10. Planning and Execution of Company Audit Activities 11. Planning and Execution of Company Activities in Compliance with Relevant Legislation 12. Management of Information and Processing Security Processes |
Customer-Facing Processes/Operations and Marketing Activities | 1. Planning and Execution of Product and Service Procurement, Sales Processes 2. Planning and Execution of After-Sales Support Service Activities 3. Planning and Execution of Product and Service Sales and Marketing Processes 4. Monitoring Contract Processes and Legal Claims 5. Execution of Financial and Accounting Processes 6. Execution of Customer Relationship Management Processes 7. Execution of Advertising, Promotion, and Marketing Activities 8. Execution of Customer Satisfaction-Oriented Activities 9. Ensuring Physical Security 10. Monitoring of Requests/Complaints 11. Fulfillment of Legal Obligations 12. Execution of Legal Processes 13. Execution of Communication Activities and Sending of Commercial Electronic Messages 14. Establishment of Membership Contracts 15. Information and Process Security 16. Planning and Execution of Processes for Building and Increasing Loyalty to Products and Services Provided by the Company 17. Planning and Execution of Market Research Activities for Product and Service Sales and Marketing 18. Providing Information to Authorized Institutions and Organizations |
Financial Operations | 1. Banking and Insurance Transactions 2. All Payment and Collection Transactions 3. Financial and Accounting Processes 4. Investment Processes 5. Financial Leasing Transactions 6. E-Invoice and E-Archive Transactions 7. Transactions Arising from Tax Legislation 8. Preservation of Information Required by Relevant Legislation; copying, backing up, and ensuring the consistency of information |
Strategic Planning & Business Partner/Supplier Management | 1. Execution of Activities in Compliance with Legislation 2. Execution of Contract, Order, and Supply Processes 3. Execution of Financial and Accounting Processes 4. Ensuring Physical Security 5. Execution of Logistics Activities 6. Management of Supply Chain Processes 7. Preservation of Information Required by Relevant Legislation; copying, backing up, and ensuring the consistency of information; taking necessary technical and administrative measures to secure databases and information. |
3.3.2. The Company's Purposes for Processing Personal Data for Specific Relevant Persons
3.3.2.1. The Company's Customers
Customer data is processed in various ways, including visits to the D'S Damat website, online shopping, in-store purchases, alteration forms filled out during store visits, product review forms, and other forms. Additionally, information shared during telephone or email correspondence, interactions with Customer Services, completed contact forms, or any other commercial or legal relationship is processed. This data includes, but is not limited to, identity information (Name, Surname, Turkish ID Number, Gender), contact information (Email Address, Address, Telephone Number, IP Address), data related to the product purchased within the scope of the Company's activities, audio data recorded during conversations with customer service, and visual data captured by security cameras inside the store. This data is collected and processed under the legal grounds specified in Article 5, Paragraph 2 of the Law, such as the establishment or execution of a contract, establishment of a right, and legitimate interests.
In addition to this, personal data such as Occupation, Date of Birth, and Date of Marriage may be collected to organize special campaigns for customers and offer special discounts under the D'S Damat card. However, explicit consent is required from the data subject for processing this data.
Moreover, personal data shared by customers who express their intention to benefit from and be informed about the products and services offered by D'S Damat is used to provide various benefits to the relevant person and for sending targeted advertising, sales, marketing, surveys, and similar electronic communications. If no product or service sales relationship has been established with the data subject, the above-mentioned data will only be processed based on explicit consent for the following purposes:
The Company conducts data processing activities under the following purposes within the purchase and sale relationships established with real or legal entity customers related to the products and services offered:
- Execution of Product/Service Purchase, Production, and Sales Processes
- Execution of After-Sales Support Services, Production, and Operation Processes
- Execution of Customer Relationship Management Processes
- Execution of Activities Aimed at Customer Satisfaction
- Ensuring Physical Security
- Execution of Communication and Information Security Activities
- Execution of Activities in Compliance with Legislation
- Execution of Financial and Accounting Processes
- Execution of Processes Related to Company/Product/Service Loyalty
- Execution of Marketing Analysis Studies
- Execution of Advertising/Campaign/Promotion Processes
- Execution of Transactions and Activities Within the Scope of Commercial/Contractual Relationships, Fulfillment of Financial and Legal Obligations
- Tracking Requests/Complaints
- Fulfillment of Legal Obligations
- Providing Information to Authorized Persons, Institutions, and Organizations
- Execution of Legal Processes
- Execution of Storage and Archiving Activities
3.3.2.2. The Company's Potential Customers
The personal data of potential customers are processed based on explicit consent under Article 5 of the Law through direct collection of identity information (Name, Surname, Date of Birth, Gender) and contact information (Phone Number, Email Address), Occupation, and Date of Marriage via visits to our website, D'S Damat Card (Loyalty Card) membership, social media accounts, phone or email communications, interactions with Customer Services, requests, suggestions, or complaints, and business cards shared at fairs and events (where data on the business card is considered public). Additionally, with the consent of the relevant person, this data may be processed for marketing purposes, including being informed about the Company's products and services, sending commercial electronic communications related to advertisements and campaigns, and offering personalized products.
3.3.2.3. The Company's Employees
All personal data of employees who work under an employment contract within the Company is processed under the Law No. 6698, within the scope permitted by the Law, for purposes such as establishing and fulfilling the employment contract, proving the employment relationship, recording wages and wage-related information, fulfilling legal notifications to the Ministry of Finance, Ministry of Labor, Social Security Institution, and other institutions, implementing occupational health and safety principles, fulfilling legal obligations arising from laws, determining working conditions, managing services provided within the Company (e.g., meals, transportation, security), arranging special health insurance policies for employees and their family members due to the services provided, arranging travel insurance, booking flight and hotel reservations, opening salary bank accounts, making mandatory private pension payments, making social security premium payments, providing education scholarships offered to employees, managing the processes related to the Company's membership in the Turquality program, and tracking legal processes with official institutions.
The purposes of processing personal data related to employees are listed below:
- Execution of Information Security Processes
- Execution of Employee Satisfaction and Loyalty Processes
- Fulfillment of Obligations Arising from the Employment Contract and Legislation for Employees
- Execution of Processes Related to Employee Benefits and Rights
- Execution of Audit/Ethics Activities
- Execution of Training Activities
- Execution of Access Authorization Processes
- Execution of Activities in Compliance with Legislation
- Execution of Financial and Accounting Processes
- Ensuring Physical Security
- Execution of Assignment Processes
- Monitoring and Execution of Legal Processes
- Planning of Human Resources Processes
- Execution/Monitoring of Business Activities
- Execution of Occupational Health/Safety Activities
- Receiving and Evaluating Suggestions for Improvement of Business Processes
- Execution of Business Continuity Activities
- Execution of Performance Evaluation Processes
- Providing Information to Authorized Persons, Institutions, and Organizations
- Execution of Management Activities
- Making Necessary Legal Notifications to Official Institutions, Benefiting from Incentives with Official Institutions, and Providing Notifications to Relevant Authorities Within the Scope of Official Audits
- Execution of Human Resources Operations, Particularly Personnel File Activities
- Ensuring Employee Control and Processing Personal Data Required Within the Scope of the Employer's Management Rights
3.3.2.4. The Company's Job Candidates
Orka Holding A.Ş., to which the Company belongs, conducts the personnel recruitment processes for all group companies. In this context, the Company uses the job application form organized by Orka Holding A.Ş. during its recruitment processes.
As the data controller, the Company processes the personal data shared by candidates within the scope of job applications (such as CVs or completed application forms), including identity, contact, education, profession, salary, military status, work history, reference data, and personal data obtained from aptitude and skill tests conducted by various departments to assess the candidate's suitability for the job during the recruitment process. This data is processed in the Company's automated systems or physical environments and according to the Company's written standards for the purpose of establishing a job relationship with the candidate and is retained for 2 years. The purpose of this retention is to allow for the reevaluation of the candidate for possible future job opportunities. If no job relationship is established within this period, the data is destroyed in the first periodic destruction process after the end of the 2nd year. If the candidate is hired, this information is stored in the personnel file.
If the Company wishes to collect special categories of personal data from job candidates, such as health data and criminal records, it will request explicit consent from the candidate before processing this information. The Company does not process any other special categories of personal data of job candidates other than those mentioned in this document. Therefore, candidates are requested not to include such information in their CVs and application forms. The general purposes of processing personal data related to job candidates are listed below:
- Execution of Employee/Intern/Student Selection and Placement Processes
- Execution of Job Application Processes
- Execution of Human Resources Operations, Personnel Recruitment, and Hiring Processes
- Ensuring Business Continuity, Execution of Business Activities, and Ensuring Physical Security
- Use as Evidence in Disputes
- Execution of Management Activities
3.3.2.5. The Company's Visitors
During visits to the Company's workplace by real persons, personal data consisting of identity and visual data is processed by the Company for the purpose of ensuring the safety of visitors and the Company, through the creation of visitor records and the recording of images with security cameras. This personal data is not shared with third parties under any circumstances, except when it is necessary for the performance of a contract, legal obligations, or in response to a written request from public authorities. Necessary legal warnings and notifications regarding this are provided at the entrance to the workplace and on the Company's website in the information text. In addition, for security purposes and for the other purposes specified in this Policy, the Company may provide internet access to visitors while they are on the Company's premises. In this case, log records related to internet access are kept in accordance with Law No. 5651 and the regulations issued under this law; these records are only shared with authorized public institutions and organizations upon request or during audits conducted within the Company. The purposes of data processing in this area are listed below:
- Execution of Information Security Processes
- Creation and Tracking of Visitor Records
- Ensuring Physical Security
- Providing Information to Authorized Persons, Institutions, and Organizations
- Ensuring the Security of Data Controller Operations
- Ensuring Internet Access and Internet Security
- Execution of Audit and Security Activities
3.3.2.6. The Company's Business Partners and Suppliers
In the context of the commercial activities conducted by the Company, personal data (Identity data, Contact data, Financial data, Signature data) of real or legal person traders and tradespeople with whom there is a commercial or legal relationship is processed. This data is processed in accordance with the principles outlined in Article 5 of the Law, such as the establishment and execution of contracts, fulfillment of legal obligations, and the legitimate interests of the Company, and in compliance with the fundamental principles stipulated in the Law. Personal data is collected and processed by the Company in electronic environments, through direct provision by Suppliers and Business Partners, for the purposes listed above. The purposes of data processing are:
- Execution of Contract Processes
- Execution of Financial and Accounting Processes
- Execution and Monitoring of Responsibilities Arising from Legislation and Legal Processes
- Execution of Internal Company Operations
- Strategic Planning & Business Partner/Supplier Management
- Ensuring Physical Security
- Execution of Logistics Activities
- Management of Supply Chain Processes
- Preservation of Information Required by Relevant Legislation; Preventing Information Loss by Copying and Backing Up; Ensuring the Consistency of Your Information; Taking Necessary Technical and Administrative Measures for the Security of Our Databases and Your Information
4. PURPOSES AND RECIPIENT GROUPS FOR THE TRANSFER OF PERSONAL DATA
4.1. Persons/Recipient Groups to Whom Personal Data May Be Transferred
In accordance with the principles set forth in the KVK Law, and especially Articles 8 and 9 of the KVK Law, the personal data of relevant persons covered by this Policy (see 1.2) may be transferred to the following recipient groups for the purposes specified in the table above:
- To Orka Holding A.Ş. and other group companies Orka Tekstil Sanayi ve Turizm Ticaret A.Ş. and Red Tanıtım ve İletişim Hizmetleri A.Ş.,
- To our suppliers and business partners with whom we work to provide or deliver goods and services to the relevant persons,
- To our business partners, suppliers, banks, and financial institutions with whom we collaborate and/or receive services for the provision, promotion, and similar purposes of goods,
- To the agencies and organizations from which we receive services for the management of our website and social media accounts,
- To lawyers, auditors, consultants, and firms from whom services are received,
- To your authorized representatives, guardians, and trustees,
- To regulatory and supervisory bodies and to courts and enforcement offices and other public authorities legally authorized to request your personal data and to the persons they designate,
- To other third parties in accordance with the conditions for data transfer.
4.2. Purposes of Personal Data Transfer
Your Personal Data may be transferred for the purposes listed below to the person categories managed by the Policy in compliance with the law and the purpose of the Law.
PERSONS TO WHOM DATA CAN BE TRANSFERRED | DEFINITION | PURPOSE OF DATA TRANSFER |
---|---|---|
Business Partner | Parties with whom the Company establishes business partnerships for purposes such as conducting its commercial activities. | Can be used solely for ensuring the fulfillment of the purposes for which the business partnership was established. |
Supplier | Parties providing services to the Company on a contract basis within the scope of the Company's commercial activities and in accordance with the Company’s orders and instructions. | Can be used solely for ensuring that the services outsourced from the supplier and required for the fulfillment of the Company's commercial activities are provided. Examples include banks, insurance companies, travel agencies, event agencies, service providers, cargo companies, training firms, and SMS and email sending service providers. |
Affiliates | Companies in which the Company holds shares. | Can be used solely for ensuring the execution of the commercial activities that require the participation of the Company's affiliates. |
Company Shareholders | The shareholders of the Company. | Can be used solely for purposes within the scope of the Company's corporate governance activities, including legal obligations, corporate communication, and management activities. |
Company Executives | Individuals authorized to sign on behalf of the Company. | Can be used solely for purposes such as the design of the Company's commercial activities, the management of these activities at the highest level, and their supervision. |
Group Companies | All companies within Orka Holding A.Ş. (Orka Tekstil Sanayi ve Turizm Ticaret A.Ş., Or-Pa Pazarlama ve Tekstil Sanayi A.Ş., Red Tanıtım ve İletişim Hizmetleri A.Ş.). | Can be used solely for purposes such as the use of a shared database and the execution of the Company's commercial activities, including the planning of strategies and the supervision of operations. |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized by the relevant legal provisions to request information and documents from the Company. | Can be used solely for legal purposes within the scope of the legal powers of public institutions and organizations. |
Legally Authorized Private Legal Persons | Private legal persons authorized by the relevant legal provisions to request information and documents from the Company. | Can be used solely for legal purposes within the scope of the legal powers of private legal persons. |
5. STORAGE AND DESTRUCTION OF PERSONAL DATA
Without prejudice to the provisions of other laws regarding the deletion, destruction, or anonymization of Personal Data, the Company, in accordance with this Law and other legal provisions, deletes, destroys, or anonymizes Personal Data ex officio or upon the request of the relevant person when the reasons for processing no longer exist.
The Company retains Personal Data for the duration specified in the relevant legislation. If no duration is specified in the legislation, Personal Data is processed for the period required by the Company's practices and commercial life customs related to the activity in which the data is processed, and then it is deleted, destroyed, or anonymized in accordance with Article 7 of the Law, ex officio or upon the request of the relevant person, in accordance with the guidelines published by the KVK Institution.
The Company has prepared and published within the Company a DESTRUCTION POLICY that defines the destruction procedures for personal data, applicable to all group companies within Orka Holding A.Ş. All destruction processes are carried out in accordance with this policy.
6. PERSONAL DATA PROTECTION MEASURES
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of Personal Data, prevent unlawful access to data, and ensure the preservation of data, and it conducts the necessary audits or has them conducted.
The Company takes technical and administrative measures based on technological capabilities and implementation costs to ensure the lawful processing of personal data.
6.1. Ensuring the Security of Personal Data
6.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
(i) Technical Measures Taken to Ensure the Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
- Personal data processing activities carried out within the Company are regularly audited.
- The technical measures taken are periodically reported to the committee in accordance with the internal audit mechanism.
- An IT department has been established, and knowledgeable personnel have been employed in this area.
- New technological developments are followed, and technical measures are taken on systems, especially in the field of cybersecurity; the measures taken are periodically updated and renewed.
- Access and authorization solutions are implemented in accordance with the legal compliance requirements determined for each department within the Company.
- Access rights are restricted, and authorizations are regularly reviewed. Access restrictions are applied to former employees, and accounts are closed after certain periods.
- The technical measures taken within the Company's internal operations are reported to personnel with access rights to databases, risks are re-evaluated, and necessary technological solutions are produced.
- Software and hardware that include virus protection systems, data vulnerability protection, and firewalls are installed.
- Personnel with expertise in technical matters are employed.
- All information systems, including applications where personal data is collected, are subjected to regular external impact tests to identify security vulnerabilities, and the identified vulnerabilities are closed based on the results of these tests.
(ii) Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
- The Company's employees are informed and trained on personal data protection law and the lawful processing of personal data, in line with developments in legislation or business practices.
- All personal data processing activities conducted by the Company are carried out in accordance with the personal data inventory and its appendices, which are created by analyzing all business units in detail.
- The personal data processing activities carried out by the relevant departments within the Company are regulated by written policies and procedures created by the relevant companies to ensure compliance with the personal data processing conditions required by the KVKK; each business unit has been informed about this and the aspects to be considered for the specific activities they conduct have been determined.
- The management and audit of personal data security within the relevant departments of the Company are organized by the IT department. Awareness is created to ensure the fulfillment of legal requirements determined on a business unit basis, and necessary administrative measures are implemented through internal policies, procedures, and training to ensure the continuity of implementation.
- Service agreements and related documents between the Company and employees include records of information and data security related to personal data, and additional protocols are made. Awareness-raising activities are carried out to create the necessary awareness among employees on this subject.
- In each department within the Company, legal compliance, access to personal data, and authorization processes are implemented, taking into account personal data processing processes. (Access rights to databases containing personal data are provided and controlled by the IT and ERP support departments.)
- The Company adds personal data confidentiality provisions to, or obtains data protection commitments in, the contracts it makes with the business partners and suppliers with whom it has a business relationship and from whom it receives services (related to business activities that include personal data processing).
7. RIGHTS OF THE RELEVANT PERSON, USE OF RIGHTS, AND EVALUATION
7.1. Rights of the Relevant Person Under the KVKK
The Company informs you of your rights in accordance with Article 10 of the Law, provides guidance on how to exercise these rights, and makes the necessary internal business process, administrative, and technical arrangements to fulfill these rights. In accordance with Article 11 of the Law, the Company explains the following rights to the persons whose Personal Data is collected:
- The right to learn whether Personal Data has been processed or not,
- The right to request information if Personal Data has been processed,
- The right to learn the purpose of processing Personal Data and whether it is used in accordance with that purpose,
- The right to know the third parties to whom Personal Data has been transferred domestically or abroad,
- The right to request the correction of incomplete or incorrect Personal Data,
- The right to request the deletion or destruction of Personal Data under the conditions stipulated in Article 7 of the Law,
- The right to request that the correction and deletion requests made under subparagraphs (d) and (e) of Article 11 of the Law be communicated to third parties to whom Personal Data has been transferred,
- The right to object to the processing of Personal Data exclusively by automated systems that lead to a result against the person himself,
- The right to demand compensation for damages suffered due to the unlawful processing of Personal Data.
7.2. Exercising the Rights of the Relevant Person
Relevant Persons can submit their requests regarding their rights listed in clause (7.1) of this Policy, with the necessary identification information and documents, by completing and signing the Application Form available at the "Application Form" link or by submitting a similar written document to the Company free of charge through the following methods or other methods determined by the KVK Board:
(i) After filling out the application form, a wet-signed copy can be delivered in person or sent via registered mail to the address Ayazağa Mahallesi Kemerburgaz Caddesi Vadi Istanbul Park Sitesi 7 B Blok No: 7 C / 40 Sarıyer/ISTANBUL.
(ii) After filling out the application form, a signed copy can be sent from the email address previously notified to the Company and registered in the Company's systems to the Company's email address: KVKKbasvuru@dsdamat.com.tr.
(iii) After completing and signing the application form with your "secure electronic signature" under the scope of the Electronic Signature Law No. 5070, the securely signed form can be sent to the registered electronic mail address: orpapazarlama@hs01.kep.tr.
To make an application request on behalf of the Data Subjects, the person making the request must have a special power of attorney issued by a notary public on behalf of the Data Subject.
7.3. Procedure and Time Frame for the Company’s Response to Applications
If the Relevant Person submits their requests regarding their Personal Data to the Company in writing (in accordance with the communiqué published by the KVK Board), the Company, as the data controller, ensures that the request is processed as soon as possible and within no more than thirty (30) days, as stipulated by Article 13 of the KVK Law.
The Company may request information to confirm whether the applicant is the owner of the Personal Data subject to the request, within the scope of data security. The Company may also ask questions related to the application to ensure the request is addressed appropriately.
The Company reserves the right to refuse the request, explaining its reasoning, in cases where the request may infringe on the rights and freedoms of others, requires disproportionate effort, or involves information that is already publicly available.
8. MANAGEMENT STRUCTURE ACCORDING TO THE COMPANY’S PERSONAL DATA PROCESSING AND PROTECTION POLICY
The Company has established a "Personal Data Protection Committee" within each Company to ensure compliance with, maintain, and uphold personal data protection legislation. This Committee is responsible for ensuring unity among company units, executing the systems established to ensure compliance with personal data protection legislation, and improving them as needed. In this context, the main duties of the KVK Committee are outlined below:
- Prepare and implement basic policies related to the protection and processing of personal data within the Company.
- Determine how the implementation and audit of the Company's policies on the protection and processing of personal data will be conducted, assign internal roles accordingly, and ensure coordination.
- Identify the necessary steps to ensure compliance with the KVKK and relevant legislation, oversee their implementation, and coordinate efforts.
- Increase awareness within the Company and among collaborating institutions regarding the protection and processing of personal data.
- Identify potential risks in the Company's personal data processing activities and ensure that necessary precautions are taken; propose improvements.
- Design and implement training programs on the protection and processing of personal data.
- Decide on applications submitted by data subjects.
- Coordinate the execution of informational and educational activities to ensure that data subjects are informed about the Company's personal data processing activities and their legal rights.
- Prepare and implement changes to basic policies on personal data protection and processing.
- Monitor developments and regulations on personal data protection and recommend necessary adjustments to Company operations to senior management.
- Manage relations with institutions and the KVK Board.
9. UPDATES, COMPLIANCE, AND CHANGES
The Company reserves the right to make changes to this Policy and other related policies due to amendments in the Law, decisions of the KVK Board, or developments in the sector or information technology.
Any changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.
Changes:
- 02/04/2018: The Personal Data Processing and Protection Policy was published.
- 01/03/2020: The Personal Data Processing and Protection Policy was revised in light of recent developments.
OR-PA PAZARLAMA VE TEKSTİL SANAYİ A.Ş.
(DATA CONTROLLER)
ADDRESS: Ayazağa Mahallesi Kemerburgaz Caddesi Vadi İstanbul Park Sitesi 7 B Blok No: 7 C/40 Sarıyer/ISTANBUL
PHONE: 0212 314 23 23
MERSIS: 0644032088500011