KVKK

Under Turkish Personal Data Protection Law 6698 (“PDPL”), VAKKO can process your personal data according to the below-mentioned framework as the Data Supervisor. The purpose and legal basis for processing your personal data:


Your Personal Data is processed for limited, scaled, open and legal purposes expressed in the related laws and under goodwill practices.

Your personal data are processed to invoice for the goods and services you have purchased under Tax Procedure Law, notify you about advertisement promotion campaigns via electronic messages under Law About Regulating Electronic Commerce, to offer you higher quality products and services, for your shopping details within the legal limits of the required regulations and mandatory company operations.

Transfer of Personal Data:

Your Personal Data can be transferred to necessary administrative and official authorities for legal purposes, our group companies, our domestic or international resident business partners and domestic or international third parties from whom we receive services within the legal boundaries.

Personal Data Collection Methods:

Your Personal Data is stored according to related regulations for accounting, creating your shopping history and offering suitable services for your demand as you are a customer of our stores.

Under Article 11 of Turkish Personal Data Protection Law (PDPL) your rights include:

Regarding your personal data, you can apply to us and
a) learn whether your personal data is processed,
b) demand information if your data is processed,
c) learn the purpose to process your personal data and whether such data is used purposefully,
d) demand knowledge about the domestic/international 3rd parties to whom your data is transferred,
e) ask to correct incomplete/incorrect data,
f) delete/destroy your personal data according to PDPL Article 7,
g) request notifying related third parties regarding the operations expressed in paragraph (e) and (f),
h) object to any results to the detriment of you when processed data is exclusively analysed via automatic systems,
i) demand compensation for the loss if you experience any losses due to illegal personal data processing.

To benefit from your rights, any requests by the Data Owners to Vakko Companies shall be answered and concluded in the shortest time possible without exceeding 30 days. Data Owner can send requests or complaints via electronic mail to KVKK@vakko.com.tr address individually or with notary certified power of procuration with the condition to use a secure electronic signature in notary applications and ID controls by Vakko Holding A.Ş. Şirketi Vakko KVK.

VAKKO HOLDİNG A.Ş.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Prepared by: Vakko Holding A.Ş. Legal Consultancy Department

Version: 2.0

Approved by: Vakko Holding A.Ş. Board of Managers.

Last Update: 03/01- 2018 

INTRODUCTION


This Policy represents the executive structure, processes and procedures adopted by Vakko Holding A.Ş and the subsidiary companies to protect the personal data and to process such data lawfully. The purpose of this Policy is to internalise and raise necessary awareness for all employees and business partners to comply with the Law, to take necessary technical and administrative precautions to protect and ensure the safety of personal data, and to process and store the personal data in line with Turkish Personal Data Protection Law 6698 (“PDPL” or “Law”).

Vakko Company Group is liable to take reasonable steps for Vakko Company Group and third parties processing data to handle the personal data according to legal requirements during business and transactions processes. With the awareness of this liability, Vakko consults competent executive and legal opinions and takes the necessary steps to store the data in line with the requirements of the Law.

Within this scope, detailed analysis has been conducted regarding the existing applications and according to the analysis results, all types of executive and technical processes are initiated to match all the processes with all international regulations regarding the Law and protection of personal data. The majority of the steps expressed in this Policy reflect the existing systems under Vakko Company Group and implemented by Vakko Company Group according to the Law. The compliance work initiated by Vakko under the Law and protection of personal data is considered as an opportunity for improvement to identify the top-level standards regarding the protection of personal data and to improve the business processes to apply these standards.

This Policy is prepared by the purpose of ensuring that all personal data related to Personal Data stored by Vakko Company Group regarding the personnel, customers, suppliers and all other individuals match the entire legal requirements including the predicted requirements by the Law and amendments and periodic auditing is undertaken to ensure Vakko Company Group follows the honest rules and lawful applications in the internal procedures.

Vakko Company Group shall fully comply with this Policy and the entire Vakko Company Group shall be audited according to this Policy and the compliance continuity shall be ensured with internalising this Policy by each member of the Vakko family.

DEFINITIONS

Vakko or Vakko Companies: Vakko Holding Anonim Şirketi and its subsidiaries (i) Vakko Tekstil ve Hazır Giyim San. İşl. A.Ş. (ii) Vakko Gıda A.Ş. (iii) Vakko Hediyelik Eşya İç ve Dış Tic. A.Ş. (iv) GVL Hediye Elektronik Hiz. San. ve Tic. A.Ş. (v) Birebir Retail Ayakkabı Hazır Giyim Aks. Tic. ve San. A.Ş. (vi) Enternasyonel Sanat ve Moda Eğ. Hizm. Ltd. Şti. and (vii) Prnv Hazır Giyim Tic. ve San. A.Ş. companies. Each company shall be separately referred to as Vakko and collectively as Vakko Company Group.

Data: This represents the information stored on a computer in the electronic format or certain paper-based filing systems.

Personal Data: This data represents any type of data of the identified or identifiable natural person. Vakko Company Group can use cookies to better understand customer preferences, to offer better services or similar purposes via the website to collect such data called “web registry information” (web browsers, mobile devices, operating system, visited pages, the date and time for accessing these web pages, visited specific pages and other information). Accordingly, if Personal Data is obtained or if the data collected with this method are processed to indicate a certain individual, such cookies and web registry information shall be subjected to this Policy.

Special/Sensitive Personal Data: This data represents the personal data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data. Sensitive data can only be processed under strict conditions and the processing requires open consent from the data owner.

Data Owner or Relevant: This includes all real persons including the employees whom the Personal Data is processed by Vakko. Data owner does not have to be a Turkish citizen or live in Turkey. All data owners have legal rights regarding their own personal data.

Data Supervisor: This represents any real person or legal entity determining personal data processing purposes and tools and responsible for data recording system installation and management. These individuals have liabilities to determine practices and principles in line with the Law. The data supervisors regarding all personal data used in Vakko business processes are Vakko Company Group and Vakko.

Data Processor: This is the individual that processes data based on the authority provided by a data supervisor and in the name of the supervisor. The employees of the data supervisor are excluded from this definition. However, if applicable, suppliers, business partners and other third parties processing personal data in the name of Vakko can be included in this definition.

Data Processing: This includes all types of activities regarding data use. This includes certain operations on data including but not limited to obtaining, recording, saving, keeping, editing, changing, retrieving, using, disclosing, deleting or destroying the data. Transferring the data to third parties also means data processing.

PURPOSE OF THE POLICY

The purpose of this Policy is to ensure necessary regulations for Law compliance to be adopted by every Vakko Company, edit applicable policies and create unity among the subsidiaries. Accordingly, the aim is to identify the valid rules and principles for all fundamental and business units regarding how this Policy, Law and related regulation should be/is applied to all these units by Vakko Company Group. Vakko Company Group shall make all internal processes compliant with this Policy.

Necessary adjustments shall be undertaken to comply with the Policy and compliance with the Policy shall be sustained by applying audit mechanisms with certain periods. The compliance of all personnel to this Policy shall be confirmed and all personnel shall be notified about any amendments. In-company training shall be organised to comply with the amended and updated processes and all personnel shall be liable to execute the entire process according to the Law. This Policy aims to create the necessary executive structure, process and procedures of Vakko Company Group under the Law and related regulation, necessary technical and executive precautions shall be ensured for Personal Data protection and security, internalise the compliance with Law on Personal Data, to raise awareness in personnel and all business partners and ensure compliance with Law.

A. PROVISIONS OF PROCESSING PERSONAL DATA

One of the important factors for Vakko is to process the data according to Law on Personal Data and general provisions expressed in the related regulations. Accordingly, Personal Data shall be processed lawfully and in line with goodwill by Vakko Company Group: The purpose of this principle is not to prevent Personal Data processing but to ensure the Personal Data is processed honestly according to rules and laws and without negatively impacting the Data Owner. Data Owner shall be notified about the Data Supervisor, with what purpose Vakko will process this data, to whom the data can be disclosed or transferred and the Data Owner’s rights. Certain conditions shall be met to process the Personal Data lawfully. These include but are not limited to consent by the Data Owner to process Personal Data or processing being of the legitimate interest of the Data Supervisor or disclosed third parties. In some cases, explicit consent might be requested from the Data Owner regarding data processing.

Being expressly permitted by any law;
To protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
To process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
For compliance with a legal obligation which the controller is subject to;
The relevant information is revealed to the public by the data subject herself/himself;
It is necessary for the institution, usage, or protection of a right;
It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

However, Data Owners with processed data according to exceptions expressed here limitedly for Personal Data process shall be clarified according to Article 16 Clarification Liability of the Law, such clarification shall inform that Personal Data is processed by Vakko Company Group according to this Policy and the process of data in line with Law, related regulation and this Policy shall be confirmed. Within this framework, Vakko shall create the necessary processes to comply with the provisions in the Law:

The data shall be processed for certain, clear and legitimate purposes: Personal Data can be processed for purposes expressed to the Data Owner during the first data collection and for any other reason permitted by the Law. This means Personal Data cannot be collected for one purpose and processed for another one. If the change in the purpose of Personal Data processing is mandatory, Data Owner shall be notified about the new purpose of processing before processing the Personal Data.

The data shall be processed in a limited, scaled and purposeful way: Personal Data shall only be collected within the scale expressed to Data Owner. Any data that is not necessary for this purpose shall not be collected. All personnel shall avoid collecting unnecessary personal data. Contracts with suppliers/third parties shall contain mechanisms applying this provision.

The data shall be correct and updated: Data Owners shall have opportunities to update their data and Data Owners shall be notified about these opportunities. Data Owners shall be notified about the updating processes when personal data are collected. The personnel should confirm the up-to-dateness of the data in certain periods; any data that is not updated or that is not beneficial to be processed in the updated format shall be deleted or anonymised if updating is not an option.

The data shall not be held/stored and archived longer than the duration given in the related regulation or duration longer than necessitated by the data collection purpose: Personal Data shall not be stored longer than the requirements of the purpose. In other words, when personal data processing is no longer needed or required, personal data shall be destroyed or deleted from Vakko systems or anonymised. Personal Data shall not be stored and archived with the assumption that the data will be required in the future. Each business unit shall evaluate the necessary duration to process different types of Personal Data and identify this duration in the written format. This duration shall not exceed the time that the business unit needs to store the data according to processing purpose. Please check section (E) regarding storing, deleting, destroying and anonymising Personal Data.

The data shall be processed in line with Data Owner rights: Please check section (C) regarding Data Owner’s rights and legal application ways.

The data shall be secured. Please check section (D) for Vakko policies regarding Data Security.

The data shall not be transferred to individuals or organisations in countries without sufficient protection: Personal Data shall not be transferred abroad by Vakko Company Group. Personal Data which are in Turkey shall not be transferred abroad including third-party servers for archiving purpose. However, if the data is decided to be transferred abroad or stored on servers abroad due to Company policies, the data shall be transferred abroad in line with TPDP provisions and rules set forth by the Personal Data Protection Board (“Board”). Please check section (D) regarding Personal Data transfer to third parties.

B. PERSONAL DATA OWNER RIGHTS

According to Article 11 of the Law, everyone, in connection with herself/himself, has the right to:
a) Learn whether or not her/his personal data have been processed;
b) Request information as to processing if her/his data have been processed;
c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;
d) Know the third parties in the country or abroad to whom personal data have been transferred;
e) Request rectification in case personal data are processed incompletely or inaccurately;
f) Request deletion or destruction of personal data within the framework of the conditions set forth;
g) Request notification of the operations made as per to third parties to whom personal data have been transferred;
h) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems;
i) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data.

C. SECURITY OF PERSONAL DATA

Vakko Company Group is liable to take all technical and executive precautions to prevent illegal Personal Data processing, prevent illegal access to Personal Data and ensure suitable security level to store Personal Data. Vakko must ensure to take necessary security precautions to prevent any loss or damage due to illegal or unauthorised Personal Data processing. In case of all these damages, Data Owners shall request compensation with remedies. The Law necessitates Vakko to take certain executive and technical precautions for Personal Data security from collection to destruction processes. As defined below, ensuring data security means ensuring privacy, integrity and access guarantee for the Personal Data. Privacy means only authorised individuals have access to data. Integrity means accurate Personal Data and is suitable for processing purposes. Access means accessing data by authorised users under authorised purposes when needed. Security procedures related to Personal Data shall be executed by consulting the Information Technologies (“IT”) department technically competent about data security and organised under Vakko.

Vakko Company Group shall limit the access authorisation of each business unit with the required scale to comply with existing practices. Related limitations are currently applied by Vakko Company Group and these limitations are regularly reviewed and access to Personal Data is only possible when it is mandatory. All personnel of Vakko Company Group shall be trained and informed regarding procedures identified for data security. Within this scope, passwords required to login into the system to Personal Data shall not be disclosed to any third parties or unauthorised personnel. Users with authorisation to access Personal Data shall ensure to log out of the computer session when they are not sitting in front of the computer and work without showing the private information to the passer-by.

Vakko Company Group is currently taking all technical precautions regarding data security for Personal Data and existing security systems, virus protection programs and message sending protection systems applied by Vakko Company Group shall be periodically audited and these systems shall be kept in the most up-to-date version. In this respect, technological developments shall be followed, the possible risks shall be intervened in the shortest time possible and the technical team and system shall be allocated. In addition to the above mentioned information, all Vakko personnel shall immediately inform [Vakko KVK Committee] to inform the related Data Owner and Board in case of any risks regarding the security of Personal Data and/or illegal use of processed Personal Data when applicable.

When applicable, contracts with third parties to whom the Personal Data is legally transferred shall be changed to ensure compliance of these businesses/organisations/institutions to take precautions to protect the Personal Data in addition to privacy liabilities. Vakko shall not transfer Personal Data to third parties that failed to take necessary security precautions and follow data privacy, integrity and access related provisions of the Law.

D. TRANSFERRING PERSONAL DATA TO THIRD PARTIES

Transferring Personal Data to third parties in the country shall be conducted when the Personal Data processing purposes is mandatory to apply the contact with the Data Owners and according to legitimate interests of the Company provisioned by the Law. Personal Data cannot be transferred other than processing purposes. However, although the processing is considered within the scope of exceptions for consent, open consent shall be collected from Data Owners to transfer the Personal Data within the Vakko Company Group and to business partners with security precautions. Vakko Company Group shall conduct a preliminary assessment regarding personal data privacy in business partner selection and contracts with these partners shall include provisions to satisfy the requirements of the related Law regarding Personal Data security and privacy. Personal Data shall not be transferred abroad by Vakko Company Group.

Personal Data which are in Turkey shall not be transferred abroad including third-party servers for archiving purpose. However, if there is a decision to transfer or store the Personal Data abroad due to Company Policies, open consent for Data Owner shall be collected by Vakko Company Group immediately if the consent is not collected and the data shall not be transferred to any country other than the country identified by the Board with sufficient protection.

If applicable, Personal Data can be transferred to foreign countries with sufficient protection after the written consent of the Board regarding data transfer and ensuring the data responsible real persons and/or legal entities in the respective country provides a written undertaking stating the sufficient protection. Accordingly, Vakko shall design processes to act according to regulations predicted in Article 8 and 9 of the Law. Data Owners that approve this Policy openly accepts their Personal Data to be shared among Vakko Company Group and/or third-party business partners, public/private institutions and organisations, suppliers, Vakko Company Group partners, company officers, banks, funds, companies and other 3rd parties or institutions that Vakko Company Group receives service/support/consultancy or engage in collaboration/project/program/financing when information and documents are depended by public organisations and institutions compliant with the rights expressed in the related regulations for legal proceedings limited with the purposes of Personal Data processing and archiving.

Processing personal data by Vakko Company Group or business partners is under the legitimate interest of our group if such processing is necessary to protect the rights and interests of Vakko and to operate the business activities in line with Vakko Company Group’s principles, operations, processes, targets and strategies. This shall not be deemed as Personal Data processing against the Law and the entire Vakko Company Group executes the related processes to ensure the highest compliance with the Law. Vakko Company Group shall undertake to clarify this situation to all Data Owners and written consent shall be collected from Data Owners regarding data transfer.

E. PROCEDURES FOR DELETING, DESTROYING AND ANONYMISING PERSONAL DATA

Procedures For Deleting and Destroying Personal Data

Vakko Company Group shall delete and destroy the Personal Data ex officio or based on the request by the related individuals when the reasons to process the data are eliminated by following the minimum storage durations predicted in the related Law and regulation.

Methods used for deleting or destroying:

Personal Data that can be destroyed physically can be processed non-automatically without being a part of any data registry system. When such data are deleted/destroyed, physical destruction without using the personal data later shall be applied.

Safe Deletion from Software

When data processed with completely or partially automatic methods and stored in the digital environment is deleted/destroyed, the methods to ensure deleting the data from software permanently and irrevocably are applied.

Anonymising Personal Data Procedure

Anonymising Personal Data represents turning the data into a format where such data cannot be matched with a real person and be used for identifying a real person.

Procedure for Anonymising

Masking: Data masking is turning personal data into an anonymous form by taking the basic identifiers of the personal data from the data set.
Aggregation: The data aggregation method is to turn the personal data into a form that cannot be identified with any individuals.
Data Derivation: With the data derivation method, the aim is to create more general content from the personal data content and to turn the personal data into a format that cannot be matched with any real persons.
Data Shuffling, Permutation: With the data shuffling method, the personal data set values are shuffled and the link with the real persons is broken.

The minimum time to delete, destroy or anonymise the Personal Data shall be identified by the business units that process the related Personal Data and the entire Vakko Company Group systems shall be compliant with these processes. If Vakko Company Group decides to store the data for a longer time due to legal requirements regarding Personal Data processing purposes, Data Owners shall be notified about such a decision and the duration of Personal Data processing.

In any case, Vakko Company Group is liable to comply with clarification liability regarding Personal Data storing procedures and data processing purposes. When there is minimum storage duration under the related laws and regulations, deleting, destroying or anonymising demands from Data Owners shall be rejected due to legal liabilities. If there is no duration specified in the Personal Data storage regulation, Personal Data is processed until the existing business, procedure, applications and commercial life practices identified by Vakko and such data shall be deleted, destroyed or anonymised when this duration is completed. Although the personal data processing purpose is terminated by the durations in the related regulation and identified by Vakko Company Group, such data can be archived for such data acting as evidence for possible legal conflicts or claiming rights regarding personal data or to ensure defence without re-processing the data.
By considering the statute of limitations in archiving duration, Vakko Company Group shall identify the statute of limitations based on its own experience and previous requests from similar data groups. In this case, personal data shall not be accessible for any purpose other than the solution of a legal conflict without a new open consent and approval for processing the data. At the end of archiving duration, the archived data shall be deleted, destroyed or anonymised. 

Personal Data processing by Vakko Group Company and the main processing purposes are as follows:

Real Persons Customer Data: Without being valid for each Vakko Company Group, name, surname, address, e-mail, mobile phone, home phone, business phone, date of birth, ID number, gender, loyalty card number, parent type, marital status, profession, date of marriage, spouse's name, spouse's date of birth, educational status, school name, number of children, membership associations, followed media, social media, telephone brand, favourite team, car brand, the most frequently entered website, domestic travel preference, international travel preference, body size, shoe size, bride-groom name, surname, wedding and guests data of the real persons can be processed.

Such Personal Data are processed limited to creating sales history, creating invoices, issuing invoices, defining loyalty card to the membership account, transmitting loyalty card or printed communication materials, delivering the product, sending e-invoices, sending newsletters, marketing communication, customer analysis, increasing customer loyalty, special production making and similar purposes without covering every processed Personal Data.

Data Regarding Corporate Customers, Suppliers and Service Provider Personal and Authorised Individuals: Without being valid for each Vakko Company Group, Personal Data regarding special clothing for corporate customer personnel or in general personnel name, personnel surname, personnel registration number, personnel ID, identification number, personnel height, personnel weight, personnel gender, personnel size; name, surname, e-mail of the person authorized to sign, national ID, bank information, other information about private companies and similar companies can be processed. Such Personal Data are processed limited to custom-made clothing production, wholesale, creating sales history, creating invoices, invoicing, delivering the product, sending e-invoices, sending newsletters, marketing communications, customer analysis, opening a current account, reconciliation, receiving project-based government incentives and similar purposes without covering every processed Personal Data. The data processed by Vakko Company Group might be transferred to these individuals and the transfer procedures are provided in (E) section of this Policy.

Lead Data: Without being valid for each Vakko Company Group, Personal Data of Vakko Company Group leads such as name, surname, e-mail, gender, mobile phone, date of birth, home address, work address, size, date of marriage and similar data can be processed. Such Personal Data are processed limited to send gifts, to send loyalty cards, to send event invitations, to send newsletters, to conduct marketing communication, to analyse, to inform about the new product and similar purposes without covering every processed Personal Data.

Lead data is the data obtained from the leads which can be transferred to third parties with the consent of the leads by informing the leads that Vakko Company Group can process the data according to the above-mentioned purposes. In the first contact with leads, leads shall be informed about this Policy and processed data according to clarification liability and the Personal Data shall be immediately deleted, destroyed or anonymised in case of a request/complaint.

In case of forming a customer relationship with the leads, the data processed under this scope shall be subjected to the procedures related to customer data. Without being valid for each Vakko Company Group, name, surname, place of birth, date of birth, mobile phone, e-mail, residence address, residence status, age of residence, gender, salary, marital status, spouse's name, spouse's surname, spouse's job status, resident or taxpayer status of the children cared for, number of children, registration number, national identity number, social security number, shoe number, photo, name and surname of the person to be contacted in case of emergency, degree of proximity of the person to be contacted in case of emergency, mobile phone of the person to be contacted in case of emergency, educational information, CV, residence certificate, copy of identity card, diploma, work certificate, criminal record, blood type, military service certificate, health report, insurance service statement, insurance record, employment contract, transcript, reference letter, job adaptation questionnaire, performance forms, dismissal interview form, excused leave form, annual leave form, job descriptions and similar data of the Vakko Company Group personnel can be processed.

Sensitive Personal Data including the health data of the personnel shall be processed by the Human Resources business unit limited to the requirements of the regulation. Please check section (G) regarding Sensitive Personal Data processing. Additionally, certain health data shall be processed by a workplace doctor and occupational safety expert. Health data processed by Human Resources and workplace doctors are not processed or shared with any other business unit according to Regulation on Data Processing and Ensuring Privacy published on 29863 Gazette on 20 October 2016. Access to this data is limited to the highest level. Sharing with third parties for archiving shall be/is protected with an encryption system and no one other than the archiving firm shall have access to health data. The agreements with third parties shall be revised to confirm this situation. Data processed by the workplace doctor is not shared by any third parties including archiving purposes. Health data processed by the workplace doctor needs to be transferred to the Central Health Data System under the Ministry of Health according to Regulation on Processing of Personal Health Data and Ensuring Privacy and based on standards set forth by the Ministry of Health. Such Personal Data including but not limited to create personnel records, measuring performance in workshops, paying staff salaries, receiving government incentives for the project, recording entry and exit times, updating information, making an insurance notification, to analyse, to evaluate the performance of the employee, to evaluate the exit, to get permission, to request an advance and similar purposes are processed with employee consent and approval.

The personnel data processing and personal files are stored and processed by the common Human Resources unit under Vakko Holding Anonim Şirketi for the entire Vakko Company Group. Limited to this data processed by the Human Resources unit, all personnel accept that the Human Resources unit under any Vakko Company Group other than the Vakko company they are registered to process their data by accepting this Policy.

Employee Candidate Data

Without being valid for each Vakko Company Group, Personal Data such as name, surname, mother's name, father's name, gender, place of birth, date of birth, military status, marital status, spouse's name, spouse's surname, number of children, residence address, home phone, business phone, mobile phone, e-mail, emergency contact name and surname, the degree of proximity of the person to be contacted in case of emergency, the mobile phone of the person to be contacted in case of emergency, the home phone of the person to be contacted in an emergency, the business phone of the person to be contacted in case of emergency, CV information, educational information, foreign language level, internships, courses and seminars attended, work experience, personal information, name of the person giving the reference, the surname of the person giving the reference, place/position of the person giving the reference, the mobile phone of the person giving the reference for the employee candidates of Vakko Company Group might be processed. This Personal Data is processed limited to recruit the most suitable candidate without covering all processed Personal Data. With a contractual relationship, the data processed within this scope shall be subjected to procedures and processes related to employee/personnel data.

Student Data

Personal Data including but not limited to name, surname, telephone, e-mail, address, ID number, name of the person making the payment, the surname of the person making the payment, invoice title, invoice address, tax office and number for the invoice, last graduated school, school/sector of students joining Vakko ESMOD program providing training for fashion sector under the collaboration of Vakko and international fashion school ESMOD. Processing of this data is undertaken under public authorities to execute the agreement or to organise a certificate and/or with the consent of related individuals and Vakko shall undertake the clarification of liability requirements for this purpose.

Such Personal Data is processed limited to enrol in training, to share with ESMOD regarding certification and registration procedures, to ensure the continuation of the training, to provide the information and requests regarding the training at the end of the training and similar purposes without covering all processed Personal Data. 

Data Regarding Payment Tools

Without being valid for all Vakko Company Group, Personal Data including but not limited to student's name, student's surname, cardholder's name, cardholder's surname, cardholder's ID number, bank name and card type, credit card information can be processed to enable mail order payment for wholesale or activities regarding the training. Such Personal Data are processed limited to payment purpose. All necessary precautions to ensure the safety of such data are taken and the access to such data shall be limited to authorised personnel, re-use of the data shall be prevented to ensure transaction safety including but not limited to deleting the safety code and more advanced procedures shall be applied and updated if necessary.

Audience Data

Fundamentally valid for business units (Power, PowerFM, PowerTurk) broadcasting music in Vakko, Personal Data such as name, surname, telephone number, e-mail, address, city, age, date of birth, gender, profession, identity information, education status, mobile phone, photographs other than selfies taken by these persons and similar for contest and analysis for listeners might be processed. Such Personal Data are processed to join contests, analyzed to apply for gift cards and contest rewards and similar purposes by being shared to third parties if third parties are involved in the operation. Please refer to article (E) for transfer to third parties.

Complaint Data
Without being valid for all Vakko Company Group, Personal Data including but not limited to consumers' name, surname, gender, e-mail, mobile phone, home phone, date of birth, address, size, ID number can be processed to complete the consumer complaint or requests under 6502 Law on Protection of Consumer. Such Personal Data are processed including but not limited to complete and analyse the received complaints and requests.

F. PROCESSING SENSITIVE PERSONAL DATA

Sensitive Personal Data is processed with the highest safety and security under Vakko Company Group only to execute legal and administrative requirements without being directly related to operations of Vakko Company Group. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations. However, Vakko Company Group shall undertake the clarification liabilities regarding Sensitive Personal Data processing and collect open consent of the Data Owner even though there are exceptions. In case of no exceptions or reasonable doubt about being applicable, Sensitive Personal Data collected without open consent shall be immediately deleted, destroyed and anonymised. In such cases, this situation shall be immediately declared to [Vakko KVK Committee] to inform the related Data Owner and Board when the necessary precautions are applicable.

G. CLARIFICATION LIABILITIES FOR PERSONAL DATA OWNER

Vakko Company Group is liable to inform the real persons when obtaining Personal Data. The scope of liability for this clarification is as follows: The identity of data supervisor and the representative, if any, processing purpose of Personal Data, to whom and with which purpose can the processed Personal Data be transferred and rights under section (C) of the Data Supervisor regarding Personal Data collection management and the legal basis. Vakko Company Group shall collect the clarification consent form from Data Owners regarding data processing via data obtaining tools from Third Parties to prove that necessary notification and clarification liability has been undertaken to process the data on the systems. Personal Data may be automatically or non-automatically collected verbally, in writing or electronically through all sales channels of Vakko Company Group including but not limited to electronic commerce, retail and wholesale stores, branches, websites, call centres from which third parties can be served, and all other similar channels.

Obtaining Personal Data in Written Format: When obtaining Personal Data in the written format, Clarification Liability shall be undertaken regarding the data processing by referencing this Policy and by using related new forms and information for revision. Additionally, all types of forms and agreements including Permitted Contact Forms collected from the customers shall be revised for the Data Owner to give open consent for Personal Data processing although the related data group processing can be evaluated as an exception under the related Law.

New forms, documents and clarification texts encouraging compliance with Law shall be used in customer relations and all related employees shall be trained to provide detailed and sufficient information and show references to the real persons. Personal Data clarification consent forms shall be obtained in written form in all cases.

Obtaining Personal Data in Verbal Format: The individuals shall be notified about the Personal Data processing clarification liability for obtaining any new data that do not exist in the existing customer data according to Consent Contact Forms and any data obtained via Call Centre. During obtaining the verbal data, the individual shall be reminded to record the call with prior information and consent shall be approved for processing such personal data according to this Policy and existing Consent Contact Forms. The employee and the Call Centre shall re-evaluate and apply the business operations based on this framework.

Obtaining Personal Data in Electronic Format: Data obtained from electronic commerce channels and other internet channels of Vakko shall be revised to comply with clarification liability regarding this Policy, all documents including distant sales agreement that requires obtaining and processing Personal Data and processing on documents/link addresses/webpages. This Policy shall be published on all Vakko Company group websites accessible from all web pages and systems to approve data processing by Vakko Company Group shall be established to collect data from any address that might require data collection. Unless clear consent is selected for Personal Data processing, none of the information or documents shall be automatically recorded or processed to any Vakko Company Group systems.

H. PROCEDURE REGARDING COMPLAINT PROCESSES

Any requests by the Data Owners to Vakko Companies shall be answered and concluded in the shortest time possible without exceeding 30 days. Data Owner can send requests or complaints via electronic mail to KVKK@vakko.com.tr address individually or with notary certified power of procuration with the condition to use a secure electronic signature in notary applications and ID controls by Vakko Holding A.Ş. Şirketi Vakko KVK. All employees processing requests received via email or phone shall be careful about disclosing any personal data recorded by Vakko. These personnel shall verify the identity of the individuals accessing via calls to make sure that the individual has the right/authority regarding collecting the Personal Data. If the personnel are unsure about the identity of the caller or receive a call without identity control, they should recommend that the caller submit a written request.

These employees shall consult their managers in challenging situations. No one shall be forced to disclose Personal Data. If personnel demands notification/request from Data Owners being subjected to the above-mentioned procedures, a written report shall be submitted to [Vakko KVK Committee] after receiving this notification/request and all instructions shall be followed when answering such requests. This business unit shall contact personnel in related business units and support units to conclude the complaints/requests. Requests from the Data Owner shall be reported and evaluated with care and concluded by [Vakko KVK Committee] in at most 30 days by considering the qualities of the demand without subjecting an additional fee to the Data Owner if applicable to the related complaint or request.

The process regarding Data Owner request including deleting, destroying and anonymising Personal Data shall be as follows: [Vakko KVK Committee] department shall conduct the first assessment to the request to decide whether the request/complaint is valid or whether ID verification or additional information is necessary. [Vakko KVK Committee] department shall contact the individuals in the written format, confirm that the access demand is received from the related individual, demand for ID verification or additional information when needed and reject the request if the access request is subjected to any exception.

A query on all related electronic and printed filing systems shall be organised. [Vakko KVK Committee] shall assign the complicated situations especially those that require third party individuals or situations that might damage the commercial privacy or legal processes in case of Personal Data disclosure and receive support to answer the request. [Vakko KVK Committee] shall organise the requested information in an easily readable format. [Vakko KVK Committee] might accept the Data Owner request for the related Vakko Company or reject it with a rejection reason in a written or electronic environment. The request might be rejected including but not limited to one of the exceptions regarding the applications of the Law and the Policy.

If the request of the Data Owner is accepted, the request shall be immediately processed by the related departments of Vakko. The complaint owner can completely or partially object to answers or detections by Vakko Company Group and related Vakko employees shall be notified about this subject. The related employee shall be immediately notified to [Vakko KVK Committee]. In such cases, the complaint request shall be re-evaluated and deemed to be final. The initial duration shall be valid for applicable procedures and durations and this shall not mean that durations predicted by the Law shall not be terminated or interrupted. Such that a second assessment shall be undertaken for the sole purpose of customer satisfaction rather than a legal obligation. According to the Law, starting from the initial response to the first complaint by the Data Owner, Vakko Company Group has the right to apply to the Board within 30 (thirty) days from the date of obtaining the answer and within 60 (sixty) days from the date of the first application, and compliance with the said periods is the final term.

I. COMMUNICATION WITH PERSONAL DATA PROTECTION INSTITUTION

Vakko Company Group is liable to send the information and documents requested by the Board in 15 (fifteen) days except for information and documents with state secrets and permit any investigation if necessary. [Vakko KVK Committee] is identified as the business department for correspondence with the Institution and employees shall direct all communication with the Institution regarding Personal Data protection to [Vakko KVK Committee]. Vakko and all Vakko personnel shall follow the decisions of the Institution based on direct or indirect investigation in at most 30 days from the notification without any delay. All Vakko Company Group shall be open to the public by Protection of Personal Data Board under the supervision of the Board following the active operation of the Board and formation of administration under Law on Protection of Personal Rights and register to Data Owner Registry unless registry exceptions are imposed by the Board.

J. PERSONAL DATA PROTECTION AND PROCESSING POLICY GOVERNING STRUCTURE

The Personal Data Management Supreme Board is formed and the Protection of Personal Data Committee is created by Vakko Holding A.Ş. to comply with the Law on Protection of Personal Data regulations and to execute the Policy of Protection and Processing Personal Data. The duties of this Committee are making decisions regarding the Protection and Processing of Personal Data, submitting the decisions to the upper board for submission to the senior management, making changes in policy regarding the Protection and Processing of Personal Data, ensuring the implementation and supervision of the Policy, determining the issues to be done within the framework of the Law on Protection of Personal Data and the relevant legislation, evaluate the applications of the data owners, to follow the developments regarding the Protection of Personal Data, to ensure its implementation by informing the concerned parties and to take the necessary precautions.

K. EXCEPTION FOR POLICY APPLICATION

As expressed by Article 28 of the Law, the non-applicable cases for the Law shall be valid for this Policy: Processing of personal data by natural persons in the course of a purely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties; Processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar; Processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated; Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety; Processing of personal data by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.

Except for clarification obligation, Data Owners shall not have the right to use their rights in the related Law and this Policy if one of the below-mentioned exceptions exists: Processing of personal data is necessary for the prevention of crime or investigation of a crime; Processing of personal data revealed to the public by the data subject herself/himself; Processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status; Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.

Other than the above-mentioned provisions, Personal Data obtained from completely or partially automatic or non-automatic methods from any data registry system are outside the scope of this Policy. Accordingly, the Law and this Policy will not be applicable for all data that are not registered in any data registry system of Vakko Company Group. The liability of Vakko shall be limited with the provisions of the Turkish Republic Constitution and Turkish Penal Law.

L. MODIFICATIONS AND AMENDMENTS
If any employee has any questions or problems regarding this Policy and the related Law, the employee shall contact [Vakko KVK Committee]. Accordingly, the highest level of clarity of the related Law and this Policy regarding the understanding of all the employees shall be confirmed and the employee internalisation of the Law and this Policy shall be ensured. By accepting this Policy, all employees accept, declare and undertake to comply with this Policy in their business processes. If it is believed that any employee or other Data Owner fails to comply with this Policy in terms of personal data, the subject shall be directed to [Vakko KVK Committee]. This Policy can be amended and updated according to Directives and other secondary regulations prepared and executed according to the related Law.

Vakko Company Group and all employees accept, declare and undertake to fully comply with the amendments in the Law and this Policy and secondary regulations regarding the protection of Personal Data. If this Policy has any amendments, all Data Owners shall be notified about the related amendment and all the linked addresses and channels where the Data Owners shall be informed about the updated policy shall be updated and provided.

RESULTS AND LIABILITY

Vakko improves international general principle compliance processes related to the protection of personal data with the existing Turkish Republic Constitution and Turkish Penal Law to execute all processes according to the Law and to undertake the requirements of the Law. This general Policy, prepared to be applied to all business units, is binding for all business units and employees under the Personal Data processing principles of Vakko Company Group.