GDPR

PERSONAL DATA PROCESSING POLICY

 

Dear Customers, Members, Business Partners/Suppliers, Employee Candidates, Employees, and Visitors; we as SKALN MODA TASARIM A.Ş. (hereinafter referred to as “rautt” or the “Company”) place great importance on protection of your personal data. In this context, we would like to bring you up to date regarding your personal data and processing procedures as the “data controller” pursuant to the Law no. 6698 on Protection of Personal Data (“PoPD”).

With this Policy, the Company aims to ensure sustainability of the “principle of conducting company activities in a transparent manner.” In this context, the main principles adopted with regard to compliance of the Company’s processing activities with the Law no. 6698 on Protection of Personal Data (“PoPD Law”) are established, and practices implemented by the Company are described.

The Policy is aimed at real entities whose personal data are being processed through automated means, or through non-automated means on the condition of being part of a data recording system.

The Policy has been published on the Company’s website and presented to the public. Provisions of the legislation shall apply in cases where the legislation in force, in particular the law, and regulations in this policy are conflicting.

The Company reserves the right to modify the policy in line with legal regulations.

DEFINITIONS

 

Company: SKALN MODA TASARIM A.Ş.

Personal Data: Any information regarding a real person whose identity is known or can be identified.

Processing of Personal Data: Any action performed on personal data, such as obtaining, saving, storing, maintaining, modifying, re-organizing, disclosing, transferring, taking over, making obtainable, classifying, or preventing use of the data, through fully or partially automated means, or through manual means on the condition of being part of a data recording system.

Personal Data Owner/Data Subject: Means company Stakeholders, company Business Partners, company Officials, employee candidates, employees, visitors, company customers, potential customers, third parties, and individuals whose personal data have been processed by the company.

Data Recording System: Means the recording system in which personal data are structured and processed based on certain criteria.

Data Controller: Real or legal entity that establishes personal data processing purposes and methods and is responsible for setting up and managing the data recording system.

Data Processor: Real or legal entity that processes personal data on behalf of a data controller based on the authority granted.

Clarification: Providing information to the personal data subject regarding personal data processing processes.

Express Consent: Consent regarding a certain subject, based on information and given of free will.

Anonymization: Making data that have previously been associated with a person impossible to associate with a person whose identity is known or knowable, even by matching them with other data.

Destruction: The process of removing personal data by deleting, destroying, or anonymizing them.

The Law: Means the Law no. 6698 on Protection of Personal Data.

PoPD Authority: The Personal Data Protection Authority.

 

PERSONAL DATA COLLECTION CHANNELS AND TYPES OF DATA BEING PROCESSED

Your personal data described below may be processed based on your visit to rautt’s website at www.rautt.com, your web membership by signing the membership contract, information you share through phone or e-mail correspondence, your subscription to the e-bulletin, your shopping through our website, your visits to our shops, your shopping at our stores, forms you have filled out, your visits to our other workplaces, your job applications, your employment, your signing contracts as suppliers or business partners, or your making offers or engaging in a legal or commercial relationship in any other manner.

a. Identifying Information: Name and surname, T.R. Identification No., date of birth, gender.

b. Contact Information: Address, phone number, e-mail address.

c. Visual and Audio Information: Images of individuals in camera recordings taken at physical environments of rautt for security purposes, data regarding voices recorded during individual calls made to call centers, photographs in personnel files, our social media accounts, and our website etc.

d. Customer Transaction Data: Information such as records of use of products and services taken from the rautt website or stores as well as instructions and requests required for customers to use products and services, information such as call center records, invoice, receipt, cheque information, information contained in bank receipts, order information, request information.

e. Sensitive Personal Information: This data category includes data types such as (i) healthcare services received from the personnel, healthcare data taken within the scope of personnel files and occupational safety as well as healthcare statements of personnel candidates, (ii) criminal records regarding criminal sentencing of personnel and personnel candidates.

f. Personnel Information: This data category includes types of data such as payroll information, disciplinary proceedings, statement of employment records, declaration of property information, resume information, performance assessment reports, and similar information on personnel within the scope of personnel files that are legally required within the scope of contract of employment of the personnel.

g. Training Data: Data such as diploma, transcript, and certificates proving educational background that are included in forms filled out by personnel and candidates during job applications, included in their resume, or requested during the hiring stage.

h. Professional Experience: Data such as professional experience, diploma information, courses attended, on-the-job training information, certificates, transcript information and similar information that are included in forms filled out by personnel and personnel candidates within the scope of their job application or included in their resumes.

i. Process Security Data: Data such as IP address, access logs, website login and logout information, and passwords.

j. Financial Data: The data group that contains individual financial information (bank account no., IBAN no., bank name, financial profile, mail order form etc.).

k. Asset Data: The data group that contains individual assets (Title deed copies/scans, vehicle title copies/scans).

l. Physical Location Security: Entrance and exit record information of employees and visitors, camera records etc.

m. Marketing Data: Shopping history information, surveys, cookie records, information obtained through campaign efforts etc.

 

DATA SUBJECT CATEGORIES AND EXPLANATIONS

1. Customer: Means real or legal entities benefiting from products and services provided by rautt.

2. Potential Customer: Means real or legal entities that are interested in using products and services provided by rautt, have the potential to become customers, and show the desire or offer to benefit from services through the website or other channels.

3. Visitor: Means real entities who visit any workplace or the website of the Company.

4. Third Parties: Means the Data Subject categories listed above as well as real entities except for rautt employees.

5. Business partners/Suppliers and their Employees: Parties with which rautt has entered into a business partnership in order to conduct commercial activities or, in this context, parties and their employees that provide products and services to the Company in accordance with rautt’s instructions on a contractual basis.

6. Employee Candidate: Means individuals who have made a job application to rautt.

7. Employee/Intern: Means real entities who provide services at rautt based on a labor contract.

8. Shareholder/Partner: Means Company shareholders and partners.

 

 

HOW AND BASED ON WHICH LEGAL BASIS DO WE COLLECT YOUR PERSONAL DATA?

In Physical Medium;

Your personal data are being collected through methods such as your shopping at rautt stores, request forms you have filled out at stores, your store visits, contracts you have signed, offers, orders, job applications, CVs you have shared or job application forms you have filled out in this context, and documents collected for the personnel file.

In Electronic Medium;

Your personal data are being collected directly from you in electronic medium through your shopping at our website, membership forms you have filled out, requests and complaints you have shared on the website, by phone, or through e-mail, your posts on our social media, and images captured on security cameras.

Your personal data collected on both media are stored in the rautt database and may be processed through automated or non-automated means.

Your personal data may be processed within the scope of the commercial and/or contractual relationship between you and rautt (product or service purchasing, membership contract) for the purposes listed below and pursuant to article 5/2 of the Law no. 6698 within the scope of drawing up and execution of the contract, establishing a right, legal obligations of the data controller, and your legitimate interest with the condition of protecting and not damaging your rights. Your image is being recorded on security cameras during your visits to our workplaces for security purposes, and this processing is carried out within a limited scope.

Your personal data listed above may be processed with your EXPRESS CONSENT pursuant to item 1 of article 5 of the Law in cases where you do not purchase goods or services from rautt, the type of data being requested is not directly related to products and services and will be used for marketing analysis purposes, and no legal or commercial relationship has been established between us. Your express consent will be taken when you tick the permission/approval boxes in membership and shopping fields of the website and press “send.” You may retract your permission at any time.

PROVIDING CLARIFICATION TO DATA SUBJECTS

 

Pursuant to article 10 of the law on Protection of Personal Data, rautt notifies data subjects while collecting personal data. In this context, rautt provides information regarding identity of the representative if any, which personal data will be processed for which purpose, to which parties and for which purpose processed personal data may be transferred, the method of and legal basis for collecting personal data, and the rights of data subjects based on the nature of data subject and the process of data processing. Clarification texts have been published at stores and on websites while necessary clarification processes have been completed for employees, suppliers, business partners, employee candidates, and visitors.

 

PURPOSES OF PERSONAL DATA PROCESSING

Your Personal Data are being processed for the purposes below:

a.               For Customers and Members;

 

For individuals who have purchased goods or services from rautt or agreed to join in the membership program and signed the membership contract;

 

o    Managing Goods/Services Purchasing Processes

o    Managing Goods/Services Selling Processes

o    Managing Customer Relations Management Processes

o    Conducting Activities concerning Customer Satisfaction

o    Ensuring Security of Physical Environments

o    Conducting Activities in Accordance with Legislation

o    Providing After Sales Support Services 

o    Carrying out Finance and Accounting Works

o    Managing Company/Product/Service Loyalty Processes

o    Carrying out Actions and Activities within the Scope of Commercial/Contractual Relations, Fulfilling Financial and Legal Obligations

o    Following Up on Requests/Complaints

o    Fulfilling Legal Obligations

o    Notifying Authorized Individuals, Institutions, and Organizations

o    Drawing Up and Execution of Membership Contract and Having Customers Benefit from Membership Advantages

o    Carrying out Legal Processes

o    Promotional and Marketing Activities

o    Communication Activities and Submitting Commercial Electronic Messages

o    Conducting Marketing Analysis Studies

o    Carrying out Advertising/Campaign/Promotional Processes

o    Information Security, Storage, and Archiving activities

 

b.               For Potential Customers;

 

Your identification and contact information submitted directly by you through your visit to our website and stores, forms you have filled out, your posts on our Social Media Accounts, and your requests and complaints sent to our call center may be processed with your express consent for marketing purposes in order to send you advertising, campaign, and other commercial messages and in accordance with the goal of marketing within the context of offering certain special products to you. If you have submitted a request or complaint to rautt, your identification and contact information may be processed within the scope of our legitimate interests and for a limited period pursuant to article 5/2 of the Law for managing such request or complaint.

 

c.                For Suppliers/Business Partners;

Within the scope of the commercial relationship between you and our Company, personal data of your employees submitted by company officials and you may be processed for the purposes below pursuant to article 5/2 of the Law within the scope of drawing up and executing our Contract, legal obligations of the data controller, and legitimate interests of our company, and in accordance with the basic principles set forth by the law as well as conditions for processing personal data.

o    Fulfilling Legal Obligations

o    Managing Contractual Processes

o    Carrying out Business Processes

o    Carrying out Finance and Accounting Works

o    Carrying out and Following up on Legal Processes

o    Conducting Activities in Accordance with Legislation

o    Carrying out Internal Operations

o    Management of Strategic Planning & Business Partners/Suppliers

o    Ensuring Security of Physical Environments

o    Carrying out Logistics Activities

o    Managing Supply Chain Management Processes

o    Storage of information that are required to be stored pursuant to relevant legislation; copying them in order to prevent information losses, backup

 

d.               For Visitors;

Your visual data obtained in physical environments with security cameras, as well as identification, contact, and access log records obtained in connection with the Internet access provided to you during your visits to our workplace, are processed for the purposes below during your visits to our Company, website, and stores, in order to ensure the security of physical environments and of both our company and you.

o    Carrying out Supervision and Security Activities

o    Carrying out Information Security Processes

o    Creating and Monitoring Visitor Records

o    Ensuring Security of Physical Environments

o    Notifying Authorized Individuals, Institutions, and Organizations

o    Ensuring Security of Data Controller Operations

o    Providing Internet Access and Ensuring Security of Access

o    Fulfilling Legal Obligations

 

e.                   For Employee Candidates;

 

rautt carries out data processing activities with justifications of being able to establish contracts of employment, the need to use them as evidence in case of legal conflicts, and the company’s legitimate interest within the scope of the purposes listed below by using personal data collected from CVs of personnel candidates within the scope of job applications obtained from career sites, the company headquarters, or stores.

 

o    Carrying out Employee Candidate/Intern/Student Recruitment Processes

o    Carrying out Application Processes of Employee Candidates

o    Conducting Human Resources Operations and In Particular Personnel Recruitment Processes, Creating a Candidate Pool

o    Carrying out Activities regarding Ensuring Business Continuity

o    Ensuring Security of Physical Environments

 

f.          For Employees;

 

rautt processes personal data of its personnel within the scope of being able to create a personnel file for reasons based on relevant legislation, executing the service contract, and rautt’s right to govern as well as legitimate interests in accordance with the purposes listed below. A detailed clarification text on this subject has been provided to all personnel against signature.

 

o    Carrying out Human Resources Operations and In Particular Personnel Activities,

o    Fulfilling Contract of Employment and Legislation Based Obligations for Employees

o    Carrying out Fringe Benefits Processes for Employees

o    Carrying out Occupational Health/Safety Activities

o    Carrying out Activities regarding Ensuring Business Continuity

o    Notifying Authorized Individuals, Institutions, and Organizations

o    Carrying out Supervision/Ethics Activities

o    Carrying out Training Activities

o    Carrying out Clearances

o    Carrying out Information Security Processes

o    Conducting Activities in Accordance with Legislation

o    Carrying out Finance and Accounting Works

o    Ensuring Security of Physical Environments

o    Carrying out Authorization Processes

o    Following Up on and Carrying out Legal Affairs

o    Carrying out/Supervision of Business Activities

o    Carrying out Administrative Activities

o    Posting Necessary Legal Notices to Government Agencies, Benefiting from Incentives of Government Agencies, Posting Notices to Relevant Authorities within the Scope of Government Agency Audits

o    Storage of information that are required to be stored pursuant to relevant legislation; copying them in order to prevent information losses, backup.

 

PARTIES TO WHICH DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER

rautt may transfer your personal data to domestic receiver groups for the purposes listed in this policy and in order to carry out business processes within the scope of other legislation:

o    Our suppliers and business partners in order to provide or deliver the services offered to you (such as companies providing web infrastructure services, delivery companies, call center companies, auditing companies, message management system),

o    Our business partners and suppliers with which we cooperate and/or from which we receive services in order to offer and introduce services and for similar purposes, as well as banks, financial institutions, companies providing information technologies systems, companies providing services related to sending SMS and e-mails, and survey companies,

o    Lawyers, auditors, consultants, and companies providing services,

o    Agents, trustees, and representatives authorized by you,

o    Institutions and organizations such as regulatory and supervisory authorities, courts, and execution offices that are authorized to request your personal data and individuals appointed by them.

COMMERCIAL ELECTRONIC COMMUNICATION

rautt may contact data owners for the purpose of sending electronic commercial messages (PHONE CALL, SMS, E-MAIL, MOBILE PUSH) for advertising, campaign announcements, promotions, and similar purposes. rautt gets electronic communication permission from relevant persons for this activity and carries out said activities within the scope of this permission.

ENSURING SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

The Company takes all necessary measures within the bounds of possibility in order to prevent illegal disclosure of, access to, and transfer of personal data or any possible security shortfall based on the nature of data to be protected. 

In this context, the Company takes all (i) administrative and (ii) technical precautions, (iii) sets up an internal auditing system, and (iv) acts in accordance with precautions set forth in the PoPD Law in case of illegal disclosure of personal data.

DESTRUCTION OF PERSONAL DATA

Pursuant to article 7 of the Law, the Company, directly or upon request of the relevant person, deletes, destroys, or anonymizes personal data for which the reasons for processing no longer exist, even though the data were processed lawfully, in accordance with the Data Protection and Destruction Policy, legislation, and the guide published by the Authority.

rautt has prepared and internally released a DESTRUCTION POLICY that establishes the methods of destruction of personal data. All destruction processes are carried out based on this policy. At the same time, rautt has clearly established destruction periods for each process and type of personal data in its personal data inventory. The storage period stated in the inventory is taken as the basis during the periodical data destruction process carried out every 6 months.

MATTERS REGARDING PROTECTION OF PERSONAL DATA

Pursuant to article 12 of the PoPD Law, rautt takes necessary technical and administrative precautions to prevent illegal processing of and illegal access to personal data it has been processing as well as ensure protection of data and carries out necessary audits or has them carried out in this context.

rautt takes technical and administrative precautions, based on technological means and implementation costs, in order to ensure that personal data are processed legally.

TECHNICAL PRECAUTIONS

The main technical precautions taken by rautt to ensure legal processing of personal data are as below:

o    Personal data processing activities carried out by rautt are audited by means of the technical systems installed.

o    The technical precautions taken are reported to the relevant individuals as required by the internal audit mechanism.

o    There are departments handling technical aspects, and personnel knowledgeable on this issue are employed.

o    New technological advancements are followed and technical precautions are taken, in particular with regard to cyber security; the precautions taken are periodically updated and renewed.

o    Each rautt department puts into use technical solutions regarding access and authorization within the framework of legal compliance.

o    Access authorization is limited and authorizations are reviewed regularly. Access of former employees is restricted and their accounts are closed.

o    Technical precautions taken as required by internal operations of rautt are reported to relevant users and issues that pose a risk are re-evaluated to create necessary technological solutions.

o    Up-to-date Anti-virus protection systems and firewalls are being used.

o    Software that prevents data loss is being used.

o    Access logs are kept in a manner that prevents user intervention.

o    Network security and application security are ensured.

o    A closed system network is used for personal data transfers made over the network.

o    Key management is being implemented.

o    Security measures are taken with regards to supply, development, and maintenance of information technologies systems.

o    Data masking precautions are taken when necessary. 

o    Backups of personal data are taken, and the security of personal data backups is ensured.

o    All information systems including applications that collect personal data are subjected to regular external influence tests and vulnerabilities identified during such tests are corrected.

ADMINISTRATIVE PRECAUTIONS

Administrative precautions taken by rautt with regards to legal processing of personal data:

o    rautt employees are informed and trained on the law on protection of personal data and legal processing of personal data.

o    All personal data processing activities of rautt are carried out in accordance with the personal data inventory and its annexes prepared through detailed analysis of all business units.

o    Personal data processing activities carried out by relevant departments of rautt and obligations that should be fulfilled in order to ensure compliance with personal data processing conditions of the law have been defined by the written policy and procedures of rautt, and each business unit has been notified of the issue, with matters related to its work that require particular attention being described.

o    Information Security Committees organize the auditing and management of rautt departments regarding personal data security. Awareness is raised in order to fulfill legal requirements set forth for each business unit, and administrative precautions regarding auditing of these issues and continuity of this practice are ensured through internal policies, procedures, and training.

o    Service contracts between rautt and employees and the relevant documents include relevant clarification regarding personal data as well as records concerning data security, and additional protocols are created. Efforts towards raising awareness among employees on this issue have been made.

o    Each unit within rautt implements legal compliance, internal access, and authorization processes by taking personal data processing activities into account.

o    Current risks and threats have been identified.

o    Protocols and procedures regarding sensitive personal data have been established and are implemented.

o    Contracts signed include provisions on data security.

o    Personal data security issues are reported quickly.

o    Personal data security is being monitored.

o    Relevant security precautions concerning entrance and exits to physical environments containing personal data are taken.

o    Physical environments containing personal data are secured against external risks (fire, flood etc.).

o    Environments containing personal data are secured.

o    Personal data are reduced as much as possible.

RIGHTS OF DATA SUBJECTS PURSUANT TO ARTICLE 11 OF THE LAW

o   Finding out whether their personal data have been processed,

o   Requesting information if their personal data have been processed,

o   Learning the reason why their personal data have been processed and whether it has been used,

o   Learning the domestic and foreign third parties to which their personal data have been transferred,

o   Requesting correction if your personal data have been processed partially or incorrectly,

o   Requesting deletion or destruction of your personal data in accordance with conditions set forth in PoPD legislation,

o   Requesting that third persons to which your data have been transferred are notified of the processes carried out within the scope of articles 5 and 6,

o   Objecting to any result that is detrimental for the individual which has been obtained through analysis of the processed data by use of automated systems exclusively,

o   Demanding indemnification due to damages incurred based on illegal processing of personal data.

 

To exercise their rights, data subjects may submit their requests, along with information and documents necessary to authenticate their identity, to rautt by using the methods below:

o   Submitting a copy of another written document with wet signature containing the information to be disclosed as per the legislation, personally or by certified mail, to the address SUADİYE MAH. BAĞDAT CAD. 399/1/1 KADIKÖY/ İSTANBUL / TÜRKİYE,

o   Submitting this form, another written document, or e-mail content containing the information to be disclosed as per the legislation to the address info@rautt.com by using an e-mail address previously submitted to the company and registered in our system,

o   Other methods described in the legislation.

 

 

After the Data Subject duly submits a request to rautt, rautt will finalize the relevant request free of charge and within thirty days at the latest, based on the nature of the request. However, a fee of 1 TL per page as established by the PoPD Authority, or the cost of the recording medium if the reply is requested on an electronic medium, shall be paid in cases where the reply to the request exceeds 10 pages.

 

Within the scope of ensuring data security, the Company may request information in order to determine whether the applicant is the owner of personal data that is subject to the application. In addition, our Company may ask questions to the data subject regarding their application in order to finalize the application in accordance with the request.

 

rautt may reject requests of data subjects by explaining the reasons behind it in cases where there is a possibility of violating rights and freedoms of other individuals, it requires disproportional effort, or the information is a matter of public record.

 

EFFECTIVE DATE OF THE POLICY

 

This policy prepared by rautt entered into effect in 2021. This Policy is published on rautt’s website (www.rautt.com) and is accessible to data subjects.

 

 

SKALN MODA TASARIM A.Ş. (DATA CONTROLLER)

ADDRESS: SUADİYE MAH. BAĞDAT CAD. 399/1/1 KADIKÖY/ İSTANBUL 

PHONE: +9(0216) 532 62 82

MERSİS:

WEB ADDRESS: www.rautt.com