Telasis Personal Data Protection and Processing Policy
TELASIS TEXTILE PRODUCTS INDUSTRY AND TRADE INC.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Purpose and Scope of the Policy
The main purpose of this Personal Data Protection and Processing Policy ("Policy") of Telasis Textile Products Industry and Trade Inc. ("Company") is to inform our employees, employee candidates, supplier and business partner employees and authorities, and other individuals whose personal data is processed by our company about the Company’s personal data processing activities, the measures taken in this regard, the rights of data subjects, and the methods for exercising these rights in accordance with the Personal Data Protection Law ("Law").
Definitions
Explicit Consent
Consent given about a specific subject, based on information and expressed with free will.
Anonymization
The process of rendering personal data unidentifiable, irreversibly, in a way that it loses its nature as personal data.
Data Subject
The natural person whose personal data is processed.
Personal Data
Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data
Data concerning race, ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Processing of Personal Data
Any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether fully or partially automated or non-automated as part of a data recording system.
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor
The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Processing of Personal Data
Basic Principles
Our Company acts in accordance with the principles outlined below pursuant to Article 4 of the Law for all Personal Data Processing activities.
Acting in accordance with the law and principles of good faith:
Our Company processes all personal data in compliance with applicable legislation and the principles of good faith.
Ensuring that personal data is accurate and up-to-date when necessary:
Our Company takes necessary measures to ensure the accuracy and, where necessary, the up-to-dateness of the personal data it processes.
Processing for specific, explicit, and legitimate purposes:
Our Company limits its Personal Data Processing activities to specific and legitimate purposes and clearly informs data subjects through clarification texts regarding such purposes.
Being relevant, limited, and proportionate to the purposes for which they are processed:
Our Company processes Personal Data only to the extent necessary and relevant to the purposes notified to the Data Subject at the time of collection.
Storing for the period stipulated in the relevant legislation or necessary for the processing purpose:
Our Company retains Personal Data for the duration specified in the applicable legislation. Where such a period is not specified, a reasonable retention period is determined based on the purpose of data use and the Company’s procedures, and data is retained only for this period.
Conditions for Processing Personal Data
Explicit Consent:
One of the conditions for processing personal data is the explicit consent of the data subject. In cases where explicit consent is required after fulfilling the obligation to inform the data subject, the data is processed only if the data subject gives their explicit consent.
Processing Personal Data Without Explicit Consent:
Personal Data may also be processed without the data subject's explicit consent in the following cases:
if it is explicitly provided for by the laws,
if it is necessary to protect the life or physical integrity of the data subject or another person, where the data subject is incapable of giving consent due to actual impossibility or legal invalidity,
if it is necessary for the establishment or performance of a contract to which the data subject is a party,
if it is necessary for the data controller to fulfill its legal obligations,
if the data has been made public by the data subject,
if it is necessary for the establishment, exercise, or protection of a legal claim,
if it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
However, in such exceptional cases where Personal Data is processed without explicit consent, data subjects will be informed as per the obligation to inform under Article 16 of the Law. Through this notification, it will be made clear that the Personal Data is processed by Telasis in accordance with this Policy, and that such processing is carried out in compliance with the Law, relevant legislation, and this Policy.
Our Company processes personal data based on one or more of the conditions specified in the Law and in compliance with the regulations stipulated in the Law.
Processing of Special Categories of Personal Data
Within Telasis, Special Categories of Personal Data are processed solely to fulfill legal and administrative/judicial authority requirements and only when directly related to the operation of Telasis, in a highly restricted and secure manner. These data, in full compliance with the Law and with the implementation of all necessary administrative and technical measures, including those specified by the Personal Data Protection Board, may be processed without the Data Subject’s consent:
(i) if the processing of special categories of personal data (excluding data related to health and sexual life) is explicitly stipulated by law, and
(ii) in the case of data concerning health and sexual life, only when processed by persons or authorized institutions and organizations under the obligation of confidentiality, for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
However, even in cases where these exceptions apply, Telasis fulfills its obligation to inform the Data Subject regarding the processing of Special Categories of Personal Data and obtains the explicit consent of the Data Subject. In cases where the exceptions are not applicable or there is any doubt about their applicability, any Special Categories of Personal Data obtained without explicit consent are immediately destroyed. In such situations, Telasis' Contact Person is immediately informed to coordinate the necessary measures and, if applicable, to notify the relevant Data Subject and the Board as soon as possible.
Special Categories of Personal Data, including employees’ health data, may be processed by the Human Resources department to the extent required by legislation and in accordance with the Telasis Policy on Protection of Special Categories of Personal Data. Additionally, certain health data may be processed by the workplace physician and occupational safety specialists. Health data processed by Human Resources and the workplace physician are handled in accordance with the provisions of the Regulation on Personal Health Data and are not shared with any business unit, including the relevant departments. Access to such data is extremely limited. Any sharing of these data with third parties for archiving purposes is protected by encryption systems, and no one outside the relevant departments has access to these health records. Even for archiving purposes, data processed by the workplace physician are not shared with any third party. In compliance with legal regulations, the relevant health data processed by the workplace physician are transferred to the Central Health Data System maintained by the Ministry of Health, according to the standards determined by the Ministry.
Types of Personal Data Processed by the Company
The personal data collected by our Company may vary depending on the nature of your legal relationship with the Company (employee, employee candidate, service provider/business partner, visitor, etc.). The categories of personal data processed in compliance with the principles and conditions specified in the Law and by informing the relevant individuals in accordance with Article 10 of the Law are as follows:
Employee Candidate
Identity Data: Name-surname, Turkish ID number, date of birth
Contact Data: Mobile phone number, home address, email address
Employment Data: Resume details, salary information
Professional Experience Data: Diploma information, attended courses, in-service training, certificates, transcripts
Employees
Identity Data: Name-surname, Turkish ID number, date of birth
Contact Data: Mobile phone number, home address, email address
Employment Data: Resume details, salary information
Professional Experience Data: Diploma information, attended courses, in-service training, certificates, transcripts
Financial Data: Bank account information, IBAN
Visual and Audio Records: Photo and video recordings
Family and Close Relatives Data: Contact details of family members or relatives
Location Data: GPS data of company vehicles
Transaction Security Data: IP address, website access logs, passwords, log files
Physical Space Security: Entry-exit records, CCTV footage
Legal Transaction Data: Information related to legal/court proceedings
Health Data: Medical reports, workplace accident reports
Criminal Conviction Data: Criminal record
Service Provider/Supplier / Business Partner
Identity Data: Name-surname
Contact Data: Mobile phone number, address, email
Employment Data: Resume details
Professional Experience Data: Diploma information, attended courses, in-service training
Visual and Audio Records: Photo and video recordings
Physical Space Security: Entry-exit records, CCTV footage
Criminal Conviction Data: Criminal record
Health Data: Medical reports
Financial Data: Bank information, credit card details, etc.
Visitor
Identity Data: Name-surname, vehicle license plate
Physical Space Security: Entry-exit records, CCTV footage
Transaction Security Data: IP address, website access logs, log files
CCTV Monitoring at Company Facilities
If you visit our Company premises, visual data may be collected via closed-circuit camera systems and retained only for the duration necessary for the following purposes:
Preventing and monitoring antisocial and criminal behavior, ensuring the safety of our premises and equipment, and protecting the health and safety of visitors and employees. Areas that may intrude upon privacy beyond these purposes are not subject to monitoring. Our Company places warning signs and notifications at monitored areas in addition to general disclosures to inform individuals that surveillance is in place. This is done to protect the rights of the data subjects and ensure transparency in the processing of personal data. All necessary administrative and technical measures are taken by the Company to secure the data collected via CCTV systems.
Retention of Internet Access Logs for Employees and Guests
To ensure security and for the purposes stated in this Policy, the internet access logs of guests and employees during their stay at our facilities may be recorded in accordance with Law No. 5651 and its related regulations.
Access to these logs is limited to a few authorized Company personnel in the IT department.
These records are processed and shared only with competent public institutions or authorities upon request or within internal audit processes to fulfill our legal obligations.
Our Purposes for Processing Personal Data
Your personal data may be processed by our Company under the conditions stated in Articles 5 and 6 of the Law and for the purposes listed below:
Carrying out necessary activities for the operation of the Company in accordance with applicable legislation
Fulfilling legal obligations including required procedures, records, and notifications
Communicating with relevant individuals within the scope of procurement, sales, delivery, or other business relations
Planning and executing human resources processes and needs
Fulfilling obligations related to personnel recruitment, employment contracts, and legal requirements
Managing recruitment processes for employee candidates
Monitoring and/or auditing employees’ work performance
Planning and executing employee benefits and rights
Managing employee payroll
Supporting employee training and professional development
Planning and executing emergency management processes
Ensuring physical space security
Ensuring the security of movable property and resources
Ensuring the safety of Company premises, assets, and resources
Ensuring the safety of employees and visitors
Planning and executing occupational health and safety processes
Recording and tracking visitor information
Planning, auditing, and executing information and data security processes
Managing supplier and business partner relationships, consulting/service procurement processes
Fulfilling obligations related to providing information or undergoing audits required by authorized institutions
Conducting management activities
Managing financial and accounting affairs
Managing goods/services procurement processes
Managing goods sales and operations processes
Managing contract processes
Managing logistics activities
Carrying out corporate and partnership legal procedures
Following up and conducting legal affairs
Storage, Deletion, Destruction, and Anonymization of Personal Data
Our company determines the retention periods of personal data by taking into account the applicable legislation and the purposes of data processing. In this context, legal obligations and statutes of limitation related to personal data processing activities are also considered. If the legislation does not stipulate a specific period for retaining certain types of personal data, retention periods are determined based on the purpose of data processing. These periods are determined by considering our company's practices and commercial customs.
Personal data may be stored for purposes such as serving as evidence in possible legal disputes, asserting a right that can be proven with personal data, establishing a defense, and responding to information requests from competent public institutions. In such cases, statutes of limitation and company practices are considered. Once the stated retention period ends and there is no other legal basis for retention, the personal data is deleted or anonymized. Upon request from the data subject, and in the absence of any other legal reason for retention, the data is deleted, destroyed, or anonymized.
Transfer of Personal Data
Your personal data may be shared for purposes such as managing human resources processes, fulfilling obligations arising from contracts and laws, ensuring and improving workplace safety, and ensuring the legal and commercial security of our Company and its stakeholders; for the management of our Company, conducting operations, and establishing and implementing corporate policies. These transfers may be based on legitimate interests, fulfillment of legal obligations, performance of contracts, or the establishment, use, and protection of legal rights, and can be made to our suppliers, service providers, business partners, affiliates, shareholders, auditors, group companies, as well as legally authorized public institutions and private persons.
In such cases, our Company takes necessary measures to ensure that the parties to whom personal data is transferred process and transfer such data in compliance with the rules in this Policy and applicable legislation.
Transfer of your personal data abroad may only occur under the following conditions:
If you have provided explicit consent, or
In the absence of explicit consent, if one or more of the legal conditions specified in the Law are met;
And if there is adequate protection in the country to which the data is transferred as per the decision of the Personal Data Protection Board, or
If there is no adequate protection, provided that our Company and the data controller in the foreign country commit in writing to ensure adequate protection and obtain the approval of the Personal Data Protection Board.
Data Security
Our Company takes necessary technical and administrative measures to ensure the security of personal data, prevent unlawful access, and prevent unlawful processing in accordance with Article 12 of the Law.
In this context, our Company ensures necessary audits, complies with the Law, applies proper authorization based on data sensitivity, trains and informs employees (especially those with access to personal data) regarding their duties and responsibilities, and includes data protection clauses in contracts with third parties to whom personal data is transferred.
Security measures include:
Network and application security.
Disciplinary procedures covering data security for employees.
Periodic training and awareness programs.
Authority matrix for employees.
Regular logging of access records.
Confidentiality agreements.
Use of up-to-date antivirus software.
Use of firewalls.
Inclusion of data security provisions in contracts.
Extra security for data transferred on paper and marking them as confidential.
Defined data security policies and procedures.
Security controls for access to physical media containing personal data.
Protection of physical environments from external risks (fire, flood, etc.).
Security of environments containing personal data.
Data minimization principles.
Data backups and security of backups.
User account management and authority control with tracking.
Logs are kept without user interference.
Identification of existing risks and threats.
Penetration testing.
Encryption.
Personal Data Retention Period
Where a specific period is stipulated by law, our Company retains personal data for the period defined in the legislation. If no period is defined, data is retained for as long as the processing purpose remains valid and in accordance with company practices and business customs, after which it is deleted, destroyed, or anonymized.
If the processing purpose has ended and the legal or company-defined retention period has expired, personal data may still be retained only:
as evidence in legal disputes,
to assert a right linked to the data, or
to establish a defense.
Retention durations in such cases are determined based on the statutes of limitation or prior examples of similar requests made to the Company. Access to such data is restricted and only granted when required in a legal dispute. Once this secondary purpose is also no longer valid, data is deleted, destroyed, or anonymized.
Details of the Company's technical approach to the storage, deletion, destruction, and anonymization of personal data are included in our Personal Data Retention and Destruction Policy.
Deletion, Destruction, and Anonymization of Personal Data
Even if personal data has been processed in accordance with the law, if the reasons for processing no longer exist, the data is deleted, destroyed, or anonymized by the data controller, either on its own initiative or upon the request of the data subject.
Telasis ensures that data deletion, destruction, or anonymization is carried out in accordance with:
general principles regarding data processing under the law,
technical and administrative measures required by data security obligations, and
decisions of the Personal Data Protection Board.
All such operations are recorded and retained for at least three years, unless otherwise legally required.
Unless the Board decides otherwise, the data controller selects the appropriate method for deletion, destruction, or anonymization.
If retention is mandated by law, data is kept for the legally required period. Once that period ends, if no justification for further retention exists, the data is appropriately deleted, anonymized, or destroyed.
If there is no legal retention period, reasonable retention durations are determined. When these end, the data is appropriately deleted, anonymized, or destroyed.
If processing is based solely on explicit consent, and the data subject withdraws consent, the data is deleted, anonymized, or destroyed.
If the data subject exercises their rights and the controller accepts the request, the data is deleted, anonymized, or destroyed.
If a request for deletion, destruction, or anonymization is rejected, or not responded to within the legal timeframe, and the request is later approved by the Board upon complaint, the data will still be deleted, anonymized, or destroyed.
Data Subjects’ Rights
According to Article 11 of the Law, Data Subjects have the following rights against the Data Controller:
To learn whether their Personal Data is being processed, and if so, to request information regarding this processing.
To learn the purpose of processing Personal Data and whether it is used in accordance with its intended purpose.
To know the third parties to whom Personal Data is transferred domestically or abroad.
To request the correction of Personal Data if it has been processed incompletely or inaccurately.
To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in the relevant legislation, and to request that such actions be notified to third parties to whom the Personal Data has been transferred.
To object to the occurrence of a result against the individual by means of analyzing processed data exclusively through automated systems.
To demand compensation for damages incurred due to the unlawful processing of Personal Data.
Exceptions to Rights under Article 28(2) of the Law
According to Article 28, paragraph 2, of the Law, the following cases are excluded from the right to make requests:
If processing of Personal Data is necessary for the prevention of a crime or for a criminal investigation.
If the Personal Data has been made public by the Data Subject themselves.
If processing of Personal Data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized public institutions or organizations and professional organizations in the nature of public institutions, based on the authority granted by the law.
If processing of Personal Data is necessary to protect the State’s economic and financial interests with respect to budgetary, tax, and financial matters.
In these cases, the rights stated above—except for the right to demand compensation for damages—cannot be exercised.
Exercising Rights by Data Subjects
If you submit your requests regarding your rights by completing the Data Subject Application Form available at http://www.telasis.com.tr, your request will be concluded free of charge as soon as possible and within no later than 30 (thirty) days, depending on the nature of the request. However, if the process incurs an additional cost, a fee may be charged based on the tariff set by the Personal Data Protection Board.
In order for third parties to submit requests on your behalf, a notarized special power of attorney must be issued to that person.
Our Company may request information from the Related Person to verify whether the applicant is indeed the Data Subject, and may ask questions regarding the application to clarify the issues raised.
Effective Date
This Policy, prepared by Telasis, becomes effective as of the date it is published on the website and is made available to related persons upon the Data Subject's request. This Policy will remain in force until it is removed from the website.
