DATA PRIVACY POLICY
At Sesli Tekstil, the protection of your personal data is among our highest priorities. This policy explains how your data is processed and your rights under Turkish Law No. 6698 on the Protection of Personal Data (PDPL).
SESLİ TEKSTİL SANAYİ VE TİCARET AŞ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. INTRODUCTION
1.1. General
Ensuring the confidentiality and security of personal data and compliance with relevant legal regulations are among the top priorities of Sesli Tekstil Sanayi ve Ticaret AŞ (the "Company"), and the utmost care is taken in this regard. The process managed through this Personal Data Protection and Processing Policy (the "Policy") and the Company's other written policies is intended to inform our employees, job candidates, visitors, guests and other third parties (the "Data Subjects") about the lawful processing, storage and protection of their personal data and to reflect our corporate culture.
In the preparation of this Policy, the Company takes as guidance the regulations contained in the Constitution of the Republic of Turkey and in Law No. 6698 on the Protection of Personal Data (the "PDPL"), together with the provisions in other relevant legal norms concerning the protection and processing of personal data and the decisions of the Personal Data Protection Board.
This Policy explains the core principles adopted by the Company for the processing of personal data, as set out below:
- Processing personal data in accordance with the law and the rules of good faith,
- Keeping personal data accurate and, when necessary, up to date,
- Processing personal data for specified, explicit and legitimate purposes,
- Ensuring personal data is connected with, limited to and proportionate to the purposes for which it is processed,
- Retaining personal data for the period stipulated in relevant legislation or required by the purpose for which it is processed,
- Informing the data subjects,
- Establishing the necessary processes for data subjects to exercise their rights,
- Taking the necessary measures in the processing and storage of personal data,
- Transferring personal data to third parties in line with the requirements of the processing purpose,
- Exercising the necessary diligence in the processing and protection of special categories of personal data,
- Deleting, destroying or anonymising personal data once the purpose of processing ceases to exist.
1.2. Purpose of the Policy
The primary purpose of this Policy is to explain the personal data processing activities carried out lawfully by the Company and the procedures adopted for the protection of personal data, thereby informing the Data Subjects and ensuring transparency. In addition, this PDP Policy and other written policies aim to make our principle of compliance with the PDPL and other relevant legal regulations on personal data security sustainable.
1.3. Scope of the Policy
The scope of this Policy covers natural persons whose personal data is processed by the Company by automated means, or by non-automated means provided that it forms part of a data filing system; an Internal Directive on the Protection of Personal Data has been established within the scope of this Policy.
1.4. Application of the Policy and Relevant Legislation
This Policy has been drawn up by giving concrete form to the principles set out in the relevant legislation. In the event of any inconsistency between applicable legislation and this Policy, the Company undertakes and accepts that the applicable legislation shall prevail.
1.5. Entry Into Force
This Policy enters into force upon approval by the Company's Board of Directors, is published on the website (……………..) and is thus made accessible to Data Subjects.
2. DEFINITIONS AND ABBREVIATIONS
3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Accordance with the Principles Set Out in the Legislation
3.1.1. Processing in Accordance with Law and Good Faith
The Company has adopted compliance with the law and the rules of good faith as a fundamental principle in all operations carried out on personal data. In this context, by embracing the principle of transparency, it informs Data Subjects about the purpose of use of the collected personal data through this Policy and other texts.
3.1.2. Ensuring That Personal Data Is Accurate and, When Necessary, Up to Date
While carrying out personal data processing activities, the Company has systems and processes in place to ensure the accuracy and currency of the personal data it processes. In this context, Data Subjects may apply to the Company to ensure that their personal data is kept accurate and up to date.
3.1.3. Processing for Specified, Explicit and Legitimate Purposes
The Company clearly determines the purpose of personal data processing within legitimate and lawful limits and makes this information available to Data Subjects, through this Policy and other texts, before the processing activity begins.
3.1.4. Being Connected with, Limited to and Proportionate to the Purposes for Which They Are Processed
The Company processes personal data in a manner connected with and proportionate to its activities, within the purposes necessary to carry out those activities. In this context, when conducting data processing activities, it carefully refrains from processing personal data that is not related to the achievement of the purpose and is not currently or foreseeably needed.
3.1.5. Retention for the Period Stipulated in the Relevant Legislation or Required by the Purpose of Processing
The Company retains personal data only for the period specified in the relevant legislation or limited to the period necessary for the purposes for which it is processed. In this context, it is first determined whether the relevant legislation has set a retention period for the personal data; if a period has been set, processing is carried out in line with that period, and if no specific period has been set, the period necessary for the purpose for which each piece of personal data is processed is determined and the data is retained for that period.
In this context, the Company prepares and implements a policy and directive on the deletion, destruction or anonymisation of personal data.
3.2. Processing of Personal Data in Accordance with, and Limited to, the Processing Conditions Set Out in Article 5 of the PDPL
The Company processes personal data only based on the explicit consent of the Data Subject or, in the cases set out in the PDPL where explicit consent is not required, without such consent and only within those conditions.
3.2.1. Explicit Consent
Explicit consent is a declaration made by the Data Subject freely, regarding a specific matter and based on information. Pursuant to Article 5/1 of the PDPL, the Company respects and abides by the explicit consent of the Data Subject when required in personal data processing activities.
3.2.2. Cases Where Explicit Consent Is Not Required
Article 5/2 of the PDPL provides that, in certain cases, personal data may be processed without the explicit consent of the Data Subject. As obtaining explicit consent from the data subject where one of the specified conditions exists would be regarded as misleading the Data Subject, the Company does not rely on explicit consent in cases where the data processing conditions are present.
3.3. Processing of Special Categories of Personal Data
The Company exercises the utmost care in the processing and protection of personal data designated by the PDPL as "special categories" because, when processed, they entail a greater risk of causing harm or discrimination to individuals; the principles adopted in relation to special categories of personal data are addressed separately in this Policy.
If the Data Subject has not given explicit consent, special categories of personal data may be processed by the Company in the following cases, provided that adequate measures determined by the Board are taken:
- Special categories of personal data other than those concerning the data subject's health and sexual life, in the cases stipulated by law,
- Special categories of personal data relating to the data subject's health and sexual life may be processed without the data subject's explicit consent only by persons under an obligation of confidentiality or by authorised institutions and organisations, for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of treatment and care services, and the planning and management of health services and their financing.
The Company has established additional measures and processes for the processing of and access to special categories of personal data. In this framework, the environments in which special categories of personal data are stored are protected by secondary locks and secondary passwords, and they are processed only by authorised persons within the framework of the authorisation matrix.
3.4. Transfer of Personal Data
Personal data may be transferred — within the framework of the personal data processing conditions and purposes set out in Articles 8 and 9 of the PDPL, for the fulfilment of the purposes set out in this Policy — to supervisory bodies in the context of audit activities; to our shareholders for reasons stemming from oversight and shareholder rights under applicable legal regulations; to public institutions and organisations authorised by law; to our domestic and/or foreign suppliers and business partners; and to natural persons providing services or third parties receiving services.
4. PRINCIPLES FOR THE PROTECTION OF PERSONAL DATA
4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data
4.1.1. Technical Measures
The main technical measures taken by the Company to ensure the lawful processing of personal data and to prevent unlawful access to personal data are as follows:
- Personal data processing activities carried out within the Company are audited through the technical systems established.
- Personnel knowledgeable and experienced in technical matters are employed.
- Relevant departments have been established for technical matters.
- The technical measures taken are periodically reported to the authorised unit/person as required by the internal audit mechanism.
- A backup programme that complies with applicable law is used to ensure the secure storage of personal data.
- New technological developments are monitored, technical measures are taken on systems particularly in the field of cybersecurity, and the measures taken are periodically updated and renewed.
- Technical access and authorisation measures are used within the framework of legal compliance requirements determined for each department of the Company.
- Access privileges are restricted, privileges are reviewed regularly and the accounts of former employees are closed.
- Software and hardware including anti-virus systems and firewalls are used.
- The use of counterfeit software and hardware is strictly avoided. All products we use are genuine and licensed.
In this framework, the Company carries out ongoing and sustainable work on the technical measures determined by the Board and listed below:
- Authorisation Matrix
- Authorisation Control
- Access Logs
- User Account Management
- Network Security
- Application Security
- Encryption
- Penetration Testing
- Intrusion Detection and Prevention Systems
- Log Records
- Data Masking
- Data Loss Prevention Software
- Backup
- Firewalls
- Up-to-Date Anti-Virus Systems
- Deletion, Destruction or Anonymisation
- Key Management
4.1.2. Administrative Measures
The main administrative measures taken by the Company to ensure the lawful processing of personal data and to prevent unlawful access to personal data are as follows:
- Our personnel are informed and trained in personal data protection law and in the lawful processing of personal data.
- The personal data processing activities carried out by the Company's business units, and the requirements to be fulfilled to ensure those activities comply with the data processing conditions set out in the PDPL, are examined for each business unit and for each activity carried out.
- The contracts and documents governing the legal relationship between the Company and its employees include provisions imposing obligations not to process, disclose or use personal data outside of the Company's instructions and statutory exceptions, and employee awareness on this matter is raised.
- To meet the legal compliance requirements identified on a business-unit basis, awareness is raised within the relevant business units and implementation is initiated. The administrative measures necessary to audit these matters and ensure the continuity of implementation are put into practice through internal Company policies and training.
- In line with activity-based legal compliance requirements, access and authorisation processes for personal data within the Company are designed and implemented.
- For ease of monitoring and compliance with the PDPL and other relevant regulations, related work and procedures are tracked by the Personal Data Protection Committee established for this purpose.
- Contracts entered into with third parties to whom personal data is lawfully transferred by the Company include provisions stating that the necessary security measures will be taken to protect the transferred personal data and that compliance with these measures will be ensured within their own organisations.
In this framework, the Company carries out ongoing and sustainable work on the administrative measures determined by the Board and listed below:
- Preparation of Personal Data Processing Inventory
- Corporate Policies (Access, Information Security, Use, Retention and Destruction, etc.)
- Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)
- Confidentiality Undertakings
- Internal Periodic and/or Random Audits
- Risk Analyses
- Employment Contract, Disciplinary Regulation (Inclusion of Legally Compliant Provisions)
- Corporate Communication (Crisis Management, Processes for Informing the Board and Data Subjects, Reputation Management, etc.)
- Training and Awareness Activities (Information Security and the Law)
- Notification to the Data Controllers Registry Information System (VERBİS)
4.2. Raising and Auditing Our Employees' Awareness in the Field of Personal Data Protection
The Company ensures that the necessary training and meetings are organised to raise awareness of preventing the unlawful processing of personal data, preventing unlawful access to data and securely safeguarding the data.
Where needed, professionals are engaged to help raise the awareness of existing Company employees on personal data protection.
4.3. Protection of Special Categories of Personal Data
Personal data classified as special categories under the PDPL and processed lawfully are protected by the Company with care. In this context, the technical and administrative measures taken by the Company for the protection of personal data have been determined on the basis of the relevant legal regulations and the decision titled "Adequate Measures to Be Taken by Data Controllers in the Processing of Special Categories of Personal Data" published by the Personal Data Protection Authority, and are applied with particular care for the protection of special categories of personal data.
4.4. Procedure to Be Followed in Case of Unauthorised Disclosure of Personal Data
If personal data processed by the Company is obtained by others through unlawful means, the Company shall notify the data subject and the Board of this situation within 72 hours.
If deemed necessary by the Board, this situation may be announced on the Board's website or by another method.
4.5. Personal Data Inventory
Each unit of the Company maintains an up-to-date personal data processing inventory. The unit manager is responsible for the accuracy and currency of this inventory and, where necessary, for presenting it to the contact person. Keeping the inventories accurate, applying the Company's current personal data protection policy and following developments in personal data protection are continuously monitored.
5. DATA SUBJECT APPLICATIONS TO THE DATA CONTROLLER, OUR CONTACT CHANNELS AND THE EVALUATION OF APPLICATIONS
5.1. Subject of the Application
The Company attaches great importance and value to the rights of Data Subjects and provides the means for them to exercise those rights. The Company has prepared and published on its website a "Data Subject Request Form" so that data subjects can easily submit their requests. However, the use of this form by Data Subjects is not mandatory. Every application made in accordance with the Communiqué on the Application Procedures and Principles to the Data Controller will be reviewed.
Any person, by applying to the Company, has the right to:
a) Learn whether their personal data is being processed,
b) If their personal data has been processed, request information regarding such processing,
c) Learn the purpose of processing of their personal data and whether they are used in accordance with that purpose,
ç) Know the third parties to whom their personal data is transferred, in Turkey or abroad,
d) Request the rectification of their personal data if it has been processed incompletely or inaccurately,
e) Request the deletion or destruction of personal data within the conditions stipulated in Article 7 of the PDPL,
f) Request that the actions taken under (d) and (e) be notified to the third parties to whom the personal data has been transferred,
g) Object to an adverse outcome arising against the person as a result of the processed data being analysed exclusively by automated systems,
ğ) Request compensation for damages incurred due to the unlawful processing of their personal data.
These constitute the data subject's rights.
5.2. Application Method and Address
5.3. Post-Application Process
Applications submitted to us are answered, depending on the nature of the request, no later than 30 (thirty) days from the date the request reaches the Company. Our responses are sent based on the notification method indicated by the applicant in the Data Subject Request Form.
Pursuant to Article 14 of the PDPL, Data Subjects may file a complaint with the Board if the application is rejected, the response is deemed inadequate or no response is provided within the required period — within thirty days of becoming aware of the Company's response, and in any event within sixty days of the date of the application.
5.4. Application Fee
Applications are, as a rule, made free of charge. However, if the action requested by data subjects requires an additional cost, the Company will charge the fee in accordance with the tariff determined by the Board.
6. INFORMING AND NOTIFYING DATA SUBJECTS
In accordance with Article 10 of the PDPL, the Company informs data subjects about the process of obtaining personal data through this Policy and through the Privacy Notice and other texts that are easily accessible on our website. In this context, the Company informs data subjects about the identity of the data controller, the purposes for which personal data will be processed, to whom and for what purposes processed personal data may be transferred, the method and legal basis of personal data collection, and the data subject's other rights.
A Data Subject Request Form has been created and published on the Company's website so that Data Subjects can more easily exercise their rights set out in the PDPL. The relevant section is explained in detail under heading 5.
7. PURPOSES OF PROCESSING PERSONAL DATA AND RETENTION PERIODS
7.1. Purposes of Processing Personal Data
The Company processes personal data only within the purposes and conditions of the personal data processing requirements set out in Articles 5 and 6 of the PDPL. These purposes and conditions are:
- The processing of personal data is expressly provided for in law in connection with the Company's relevant activity,
- Processing of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
- The processing of personal data is mandatory for the Company to fulfil its legal obligations,
- Personal data has been made public by the data subject and is processed by the Company in a manner limited to the purpose of such publication,
- The processing of personal data by the Company is mandatory for the establishment, exercise or protection of a right,
- It is mandatory to engage in personal data processing activities for the legitimate interests of the Company, provided that the fundamental rights and freedoms of the data subjects are not harmed,
- Personal data processing by the Company is mandatory for the protection of the life or bodily integrity of the data subjects or of another person, in cases where the data subjects are unable to give their consent due to actual impossibility or legal incapacity,
- Special categories of personal data other than data subjects' health and sexual life are processed in the cases stipulated by law,
- Special categories of personal data relating to data subjects' health and sexual life are processed by persons under an obligation of confidentiality or by authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of treatment and care services, and the planning and management of health services and their financing.
7.2. Retention Periods for Personal Data
Where required by relevant legislation, the Company retains personal data for the period specified in that legislation. In addition, in determining retention periods, our obligations arising from relevant contracts and our administrative and legal responsibilities/obligations are also taken into account.
Once the purpose of processing personal data ends and the retention period set by relevant legislation and the Company expires, this personal data is deleted and backed up solely to serve as evidence in possible legal disputes or to enable assertion of a related right linked to the personal data. In such cases, the personal data is not accessed for any other purpose. Personal data is destroyed or anonymised after the periods specified in the Company's Personal Data Retention and Destruction Policy have ended.
Processed personal data and personal data inventories are reviewed on six-month cycles, and any personal data that must be deleted/destroyed is deleted/destroyed within these six-month periodic destruction cycles and the action is recorded.
8. PERSONAL DATA PROCESSING ACTIVITIES IN THE WORKPLACE
8.1. Camera Monitoring at Entrances to and Within Work Areas
In order to ensure the security of Data Subjects and of the Company, the Company carries out personal data processing activities relating to security camera monitoring and entry/exit and working-hours tracking at the entrances to and within the locations where we provide services and conduct our work. The Company acts in compliance with the PDPL and other relevant legislation in this regard.
8.1.1. Provision of Information About the Camera Monitoring Activity
The Company informs data subjects in accordance with Article 10 of the PDPL; the purpose is to prevent harm to data subjects' fundamental rights and freedoms and to ensure transparency. With regard to camera monitoring activities, the Company provides notice both through this Policy on its website (online notice) and through signage at the entrances to monitored areas stating that monitoring will be carried out (on-site/layered notice).
8.1.2. Purpose of the Camera Monitoring Activity and Limitation to Purpose
The Company processes personal data in accordance with the PDPL, connected with, limited to and proportionate to the purposes for which they are processed. The purpose of conducting video-camera monitoring is limited to the purposes set out in this Policy. Accordingly, the monitoring areas, number and timing of the security cameras are implemented in a manner sufficient to achieve the security objective and limited to that purpose.
8.1.3. Ensuring the Security of Data Obtained Through Camera Monitoring
All necessary technical and administrative measures are taken to ensure the security of personal data obtained through camera recording. Detailed information can be found in the section on data security measures.
8.1.4. Who May Access the Information Obtained Through Monitoring and to Whom It Is Transferred
Access to the information obtained from monitoring and to the storage environment is restricted to persons authorised on this matter. Live camera images may be viewed by security officers who are Company employees or external service providers. The limited number of persons with access to the recordings declare, through a confidentiality undertaking, that they will protect the confidentiality of the data they access.
8.2. Tracking of Visitor Entries/Exits at the Entrances to and Within Work Areas
For security purposes and the purposes set out in this Policy, the Company and the externally engaged firm carry out personal data processing activities for tracking visitor entries and exits in the Company's work areas.
When the first and last names of persons entering our work areas as visitors are collected, data subjects are informed via notices posted in the relevant areas or otherwise made available to guests. Data collected for the purpose of tracking visitor entries and exits is processed solely for that purpose, and the related personal data is recorded in physical and/or electronic form in the data filing system.
8.3. Recording Information Relating to Electronic Devices at Entrances to Work Areas
In line with the care and sensitivity the Company shows for information security and the protection of personal data, when our guests use their personal computers or similar electronic devices, we record the MAC addresses of such computers or similar devices. The reason for this is to ensure the security of the Company and of the persons whose personal data is held within the Company.
9. REVIEW
This Policy enters into force upon approval by the Company's Board of Directors. Changes to the Policy require the approval of the person/persons authorised by the Board of Directors. Matters relating to the implementation of this Policy within the Company are systematised through internal Company policies, procedures and directives. The Policy is reviewed every six months and, where necessary, revisions are made with the approval of the authorised person.
10. PERSONAL DATA PROTECTION COMMITTEE
The Company has appointed a contact person within the framework of personal data protection law. A Committee consisting of ………. persons has been formed from among the employees of the Company's units. The Company contact person chairs the Personal Data Protection Committee (the "Committee").
The contact person acts on the views and recommendations of the Committee regarding administrative and technical measures. The principles established by the Committee on administrative and technical measures are taken into account. The Committee makes the necessary efforts to ensure the Company's compliance with personal data protection legislation. The contact person audits the Company units for which they are responsible under personal data protection law. As a result of these audits, the contact person warns the relevant units where necessary and informs senior management of the situation.
The contact person ensures coordination so that data subject applications submitted to the Company are answered within statutory time limits and in accordance with proper procedure. The contact person manages the Company's relations with the Personal Data Protection Authority.
11. EFFECTIVE DATE
This Policy enters into force as of the date it is adopted and announced by the Company's Board of Directors/authorised bodies.