Login

Language

Cart

Your cart is empty

PERSONAL DATA PROCESSING AND PROTECTION POLICY

§ 1.INTRODUCTION

 

1.1. Introduction

 

RAVY CARE PERSONAL CARE AND COSMETICS INDUSTRY AND TRADE LTD.CO. (“Company”)  We attach utmost importance to the legal processing and protection of personal data in accordance with Law No. 6698 on the Protection of Personal Data ("Law") and act with this care in all our planning and activities. With this awareness, we present this Personal Data Processing and Protection Policy ("Policy") for your information, both to fulfill our obligation to inform under Article 10 of the Law and to inform you of all administrative and technical measures we have taken regarding the processing and protection of personal data.

 

1.2. Purpose of the Policy

 

The primary purpose of this Policy is to provide explanations regarding systems for processing and protecting personal data in accordance with the law and its purpose. In this context, it is to inform individuals whose personal data is processed by our Company, particularly Company Shareholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, and Third Parties. This aims to ensure full compliance with legislation in the processing and protection of personal data conducted by our Company and to protect all rights of personal data owners arising from personal data legislation.

 

1.3. Scope of the Policy and Personal Data Owners

 

This Policy has been prepared for individuals whose personal data is processed by our Company, including Company Shareholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, and Third Parties, whether automatically or non-automatically as part of any data recording system, and will apply to the individuals specified. This Policy will not apply to legal entities or legal entity data in any way.

 

Our Company informs Personal Data Owners about the Law by publishing this Policy on its website. The Personal Data Processing Policy for Employees will apply to our Company's employees.  The data is within the scope specified below.  This Policy will not apply even if it is not within the scope of “Personal Data” or if the Personal Data processing activity carried out by our Company is not through the means specified above.

 

In this context, personal data owners within the scope of this Policy are as follows:

 

Company Stakeholder

 

The Company's Stakeholders are real persons.

 

Company Natural Person Business Partner

 

They are real persons with whom the Company has any kind of business relationship.

 

Stakeholders, Officials, Employees of the Company's Business Partners

 

Real and legal persons with whom the Company has any kind of business relationship  (business partner,  (such as a supplier)  including its employees, stakeholders and officials,  are all real persons.

 

Company Official

 

They are members of the company's board of directors and other authorized real persons.

 

Employee Candidate

 

They are real persons who have applied for a job with the Company through any means or have made their CV and related information available for review by the Company.

 

Company Customer

 

They are real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

 

Group Company Customer

 

They are real persons who use or have used the products and services offered by the Company Group Companies, regardless of whether the Company has any contractual relationship with the Group Companies.

 

Potential Customer

 

They are real persons who have requested or shown interest in using the Company's products and services or who have been assessed in accordance with commercial practices and rules of integrity to be likely to have such interest.

 

Visitor

 

All natural persons who enter the physical premises of the Company for various purposes or visit the websites for any purpose.

 

Third Party

 

Other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.

 

1.4.Definitions

 

The concepts used in this Policy have the following meanings:

 

Company/Our Company

 

RAVY CARE PERSONAL CARE AND COSMETICS INDUSTRY AND TRADE LTD.CO.

 

Personal Data/Data

 

It is any information relating to an identified or identifiable natural person.

 

Special Personal Data/Data

 

Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

 

Processing of Personal Data

 

Obtaining, recording, storing, preserving, changing, rearranging Personal Data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system,  explanation,  transfer,  takeover,  to make it available,   It is any operation performed on data, such as classifying or preventing its use.

 

Personal Data Owner/Relevant Person

 

It refers to the persons whose personal data is processed by the company.

 

Group Company

 

It refers to the company/companies affiliated with the group to which the Company is affiliated.

 

Data Recording System

 

It refers to the registration request in which personal data is structured and processed according to certain criteria.

 

Data Controller

 

It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

 

Data Processor

 

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

 

Explicit Consent

 

It is consent regarding a specific subject, based on information and expressed with free will.

 

Anonymization

 

It is the process of making data that was previously associated with a person in no way associated with an identified or identifiable natural person, even by matching it with other data.

 

Law

 

Refers to the Personal Data Protection Law No. 6698.

 

Personal Data Protection Board

 

It is the Personal Data Protection Board.

 

 

§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA

 

2.1. General Principles in the Processing of Personal Data

 

The Company processes Personal Data in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts in accordance with the following principles when processing Personal Data:

 

Personal Data is processed in accordance with the relevant legal rules and the requirements of the principle of honesty.

Personal Data is ensured to be accurate and up-to-date. In this context, issues such as identifying the sources from which data is obtained, verifying its accuracy, and assessing whether it needs to be updated are carefully considered.

Personal Data is processed for specific, explicit, and legitimate purposes. A legitimate purpose means that the Personal Data processed by the Company is necessary for and related to the business it conducts or the service it offers.

Personal Data is linked to the Company's stated purposes, and the processing of Personal Data that is not relevant or needed to achieve these purposes is avoided. The Company limits the data processed to only what is necessary to achieve these purposes. In this context, Personal Data processed is linked, limited, and proportionate to the purposes for which it is processed.

If there is a period stipulated for the storage of data in the relevant legislation, these periods are complied with; otherwise, Personal Data is kept only for the period necessary for the purpose for which it is processed. If there is no valid reason for the further storage of Personal Data, the data in question is deleted, destroyed or anonymized.

2.2. Conditions for Processing Personal Data

 

The Company does not process Personal Data without the explicit consent of the data subject. Personal Data may be processed without the explicit consent of the data subject if one of the following conditions is met.

 

The Company may process Personal Data from Personal Data Subjects, even without explicit consent, in cases expressly stipulated by law. For example, pursuant to Article 230 of the Tax Procedure Law, the explicit consent of the data subject is not required for the inclusion of the data subject's name on the invoice.

Personal Data may be processed without explicit consent for individuals who are unable to provide consent due to a physical impossibility or whose consent cannot be validated, or for the protection of the life or physical integrity of another person. For example, in cases where the individual's consent is invalid due to unconsciousness or mental illness, the Personal Data of the Data Subject may be processed during medical interventions to protect life or physical integrity. In this context, data such as blood type, past illnesses and surgeries, and medications used may be processed through the relevant healthcare system.

The Company may process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of that contract. For example, the account number of the payee may be obtained for payment of funds under a contract.

The Company may process Personal Data of Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.

Personal Data of the Personal Data Owners that have been made public by the Company, in other words, disclosed to the public in any way, may be processed as long as the legal interest to protect them has disappeared.

The Company may process Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is necessary for the exercise or protection of a legitimate right.

The Company may process Personal Data of Personal Data Subjects in cases where processing is necessary to ensure its legitimate interests, provided that it does not prejudice the fundamental rights and freedoms of Personal Data Subjects protected under the Law and Policy. The Company demonstrates due diligence in complying with the fundamental principles of Personal Data protection and balancing the interests of Personal Data Subjects.

2.3. Conditions for Processing Special Personal Data

 

The Company does not process Special Personal Data without the express consent of the data subject. However, Personal Data other than those related to health and sexual life may be processed without the express consent of the data subject in cases prescribed by law.  Personal Data related to health and sexual life is processed by the Company solely for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment, and care services, and planning and managing healthcare services and their financing, without the explicit consent of the data subject, under conditions where we are subject to a confidentiality obligation. The Company carries out the necessary procedures to take adequate measures, as determined by the Board, in the processing of Special Personal Data.

 

2.4. Conditions for Transfer of Personal Data

 

Our Company may transfer the Personal Data of Personal Data Owners and Special Personal Data to third parties in accordance with the Law by establishing the necessary confidentiality conditions and taking security measures in line with the purposes for which Personal Data is processed. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, our Company, in line with its legitimate and lawful Personal Data processing purposes, is subject to the provisions of Article 5 of the Law listed below.  Based on one or more of the Personal Data processing conditions specified in the article and in a limited manner

 

Personal Data to third parties:

 

If the Personal Data owner has explicit consent;

If there is a clear regulation in the law regarding the transfer of Personal Data, if it is mandatory to protect the life or physical integrity of the Personal Data owner or someone else, and

If the Personal Data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid,

If it is necessary to transfer Personal Data belonging to the parties to a contract, provided that it is directly related to the establishment or execution of a contract,

If the transfer of Personal Data is mandatory for our Company to fulfill its legal obligations,

If the Personal Data has been made public by the Personal Data owner,

If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the Personal Data owner, Personal Data may be transferred if it is necessary for the legitimate interests of our Company.

2.4.1. Conditions for Transfer of Personal Data Abroad

 

Our Company may transfer Personal Data and Special Personal Data of Personal Data Subjects to third parties abroad by taking the necessary security measures in line with the purposes for which it processes Personal Data. Our Company may transfer Personal Data to foreign countries that have been declared adequately protected by the Personal Data Protection Board, or, if such protection is lacking, to foreign countries where the data controllers in Türkiye and the relevant foreign country have undertaken, in writing, to provide adequate protection and where the Personal Data Protection Board has granted its consent.

 

2.5. Conditions for Transfer of Special Personal Data

 

The Company may transfer the Personal Data Owner's Special Personal Data to third parties in the following cases, in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking the adequate measures prescribed by the Personal Data Protection Board.

 

 

 

In case of explicit consent of the Personal Data Owner or

In case of the existence of the following conditions, without the explicit consent of the Personal Data Owner;

 

 

Personal Data of a Special Nature (data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data), other than the health and sexual life of the Personal Data Owner, in cases prescribed by law,

Sensitive Personal Data regarding the health and sexual life of the Personal Data Owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

2.5.1. Transfer of Special Personal Data Abroad

 

The Company may transfer the Personal Data Owner's Special Personal Data to foreign countries where there is a data controller that has adequate protection or undertakes adequate protection in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking the adequate measures prescribed by the Personal Data Protection Board, in the following cases.

 

In case of explicit consent of the Personal Data Owner or

In case of the existence of the following conditions, without the explicit consent of the Personal Data Owner;

 

 

Personal Data of a Special Nature (data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data), other than the health and sexual life of the Personal Data Owner, in cases prescribed by law,

Sensitive Personal Data regarding the health and sexual life of the Personal Data Owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

 

 

§ 3. PURPOSES OF PROCESSING AND TRANSFERRING PERSONAL DATA AND PERSONS TO WHOM IT WILL BE TRANSFERRED

 

3.1. Purposes of Processing and Transfer of Personal Data

 

Personal Data;  the Company in accordance with the law and the purpose of the Law,

 

Planning and implementing human resources policies in the best possible way,

Correct planning, execution and management of commercial partnerships and strategies,

Ensuring the legal, commercial and physical security of himself and his business partners,

Ensuring institutional functioning, planning and execution of management and communication activities,

To ensure that Personal Data Owners benefit from our products and services in the best way possible and to recommend them by customizing them according to their demands, needs and requests,

Ensuring data security at the highest level,

Creation of databases,

Improving the services offered on the website and correcting errors on the website,

Communicating with Personal Data Owners who submit their requests and complaints and ensuring request and complaint management,

Event management,

Management of relationships with business partners or suppliers,

Carrying out personnel recruitment processes,

Supporting Group Companies in personnel recruitment processes and compliance with relevant legislation,

Planning and execution of audit activities to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,

Supporting the planning and execution of fringe benefits and benefits to be provided to himself and the senior executives of the Group Companies,

Providing support to Group Companies in carrying out corporate and partnership law transactions,

Execution/monitoring of financial reporting and risk management processes,

Execution/follow-up of company legal affairs,

Carrying out activities to protect the reputation,

Managing investor relations,

Providing information to authorized institutions arising from legislation,

Creating and monitoring visitor records.

Your personal data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to its purposes. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company for the relevant processing process.

 

3.2. Persons to Whom Personal Data Will Be Transferred

 

Personal Data may be shared with our business and solution partners, banks, and third parties who perform technical, logistical, and other similar operations on our behalf, solely to the extent appropriate to the nature of the service, to ensure the complete and flawless nature of the services provided to you. These third parties are the only parties whose access to the relevant information is essential for the full and flawless provision of these services.

 

Apart from these, your Personal Data may also be transferred - limited to the relevant person or institution only - in cases where it is necessary to share data with third parties in order to provide the service fully and flawlessly, if it is necessary for the Company to fulfill its legal obligations, if it is clearly stipulated in the laws or if there is a judicial/administrative order issued in accordance with the laws.

 

Some of the Personal Data may be shared with advertisers in an anonymized form, only in aggregate form with information from other users, to enable advertisements to be tailored to the target audience.

 

Anonymized data is information that cannot be matched with you, our visitors/customers, and does not contain personally identifiable information or make you identifiable. Your privacy is guaranteed with anonymized data.

 

§ 4. COLLECTION METHOD AND LEGAL REASON OF PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION AND STORAGE PERIOD

 

4.1. Method and Legal Reason for Collecting Personal Data

 

For the purpose of auditing compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data is collected and processed by the Company or data processors assigned by the Company, in all kinds of verbal, written and electronic media; through technical and other methods, through various means such as stores, sales points, call centers, the Company website, mobile applications, in order to fully and accurately fulfill the responsibilities arising from the law within the framework of legal reasons based on legislation, contract, request and request, in order to achieve the purposes set out in the Policy.

 

4.2. Deletion, Destruction or Anonymization of Personal Data

 

Deletion of Personal Data,  Without prejudice to the provisions of other laws regarding the destruction or anonymization of personal data, the Company has operated in accordance with the provisions of this Law and other laws,  If the reasons requiring processing are eliminated, the data subject shall delete, destroy or anonymize Personal Data ex officio or upon the request of the data owner. By deleting Personal Data, this data is destroyed in a way that it cannot be used or recovered in any way. Accordingly, Personal Data is irreversibly deleted from the documents, files, CDs, floppy disks, hard disks in which they are recorded. The destruction of Personal Data means the destruction of the documents in which the data is recorded in such a way that the information cannot be recovered or used again,  file,  CD,  floppy disk,  It refers to the destruction of materials suitable for data storage, such as hard disks. Anonymizing data means making it impossible to associate Personal Data with an identified or identifiable natural person, even when matched with other data.

 

4.3. Storage Period of Personal Data

 

The Company retains Personal Data for the period specified by applicable legislation, if required by law. If legislation does not specify the retention period for personal data, Personal Data is processed for the period required by the Company's practices and business practices, depending on the activities carried out by the Company while processing that data, and is then deleted, destroyed, or anonymized.

 

If the purpose of processing personal data has expired, and the retention periods specified by relevant legislation and the Company have expired, personal data may be retained solely as evidence in potential legal disputes or to assert or defend a relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right and examples of previous requests submitted to the Company regarding the same matters despite the expiration of the statute of limitations. In such cases, stored personal data is not accessed for any other purpose and is only accessed when necessary in the relevant legal dispute. After the aforementioned period, personal data is deleted, destroyed, or anonymized.

 

Detailed regulations regarding the Company's techniques for storing, deleting, destroying and anonymizing Personal Data are included in the Company's Personal Data Storage and Destruction Policy.

 

 

 

§ 5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

 

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to prevent the unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to ensure the appropriate level of security, and to conduct or have the necessary audits conducted within this scope.

 

5.1. Ensuring the Security of Personal Data

 

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

 

The Company takes technical and administrative measures, in accordance with technological possibilities and implementation costs, to ensure the lawful processing of Personal Data.

 

Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

 

Personal Data processing activities carried out within the Company are audited by established technical systems.

The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.

Personnel knowledgeable in technical matters are employed.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data

 

 

The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

 

 

 

Employees are informed and trained about Personal Data Protection Law and the lawful processing of Personal Data.

All activities carried out by the Company are analyzed in detail across all business units, and as a result of this analysis, Personal Data processing activities are revealed, specific to the activities carried out by the relevant business units.

Personal Data processing activities carried out by the Company's business units; the requirements to be fulfilled to ensure that these activities comply with the Personal Data processing conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.

In order to ensure legal compliance requirements determined on a business unit basis, awareness is raised and application rules are determined for the relevant business units; the necessary administrative measures to ensure the control and continuity of these matters are implemented through in-company policies and training.

The contracts and documents governing the legal relationship between the Company and its employees include clauses that impose the obligation not to process, disclose or use Personal Data, except for the Company's instructions and exceptions stipulated by law, and employees are made aware of this and their obligations arising from the Law are fulfilled by conducting audits.

5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

 

The Company takes technical and administrative measures, taking into account the nature of the data to be protected, technological possibilities and implementation costs, to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access of Personal Data.

 

Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

 

Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.

Access rights are limited and reviewed regularly.

The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

Software and hardware including virus protection systems and firewalls are installed.

Personnel knowledgeable in technical matters are employed.

Applications that collect Personal Data are regularly scanned to identify security vulnerabilities. Any vulnerabilities found are resolved.

Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

 

Employees are trained on technical measures to prevent unlawful access to Personal Data.

Access and authorization processes for Personal Data are designed and implemented within the Company in accordance with legal compliance requirements for processing Personal Data on a business unit basis.

Employees are informed that they cannot disclose the Personal Data they have learned to anyone else in violation of the provisions of the Law and cannot use it for purposes other than those for which it was processed, and that this obligation will continue after they leave their job, and the necessary commitments are obtained from them in this regard.

Provisions are added to the contracts concluded by the Company with the persons to whom Personal Data is lawfully transferred, stipulating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.3. Storing Personal Data in Secure Environments

 

The Company takes the necessary technical and administrative measures, in accordance with technological possibilities and implementation costs, to store Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

 

Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by the Company to store Personal Data in secure environments are listed below:

 

Systems compatible with technological advancements are used to store Personal Data in secure environments.

Personnel specialized in technical matters are employed.

Technical security systems are established for storage areas, security tests and investigations are conducted to identify security vulnerabilities in information systems, and any existing or potential risks identified as a result of these tests and investigations are addressed. The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism.

Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.

Access to the environments where Personal Data is kept is restricted, allowing only authorized persons to access this data limited to the purpose for which the personal data is stored. Access to the data storage areas where Personal Data is located is logged, and any improper access or access attempts are instantly communicated to the relevant parties.

Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:

 

Employees are trained to ensure that Personal Data is stored securely.

Legal and technical consultancy services are provided to follow developments in the field of information security, privacy and personal data protection and to take necessary actions.

In the event that the Company outsources services due to technical requirements for the storage of Personal Data, the contracts concluded with the relevant companies to which Personal Data is lawfully transferred shall include provisions stipulating that the persons to whom Personal Data is transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.4. Audit of Measures Taken for the Protection of Personal Data

 

The Company conducts or commissions the necessary internal audits in accordance with Article 12 of the Law. The results of these audits are reported to the relevant department within the Company's internal operations, and necessary actions are taken to improve the measures taken.

 

5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

 

The Company operates a system that ensures that if Personal Data processed in accordance with Article 12 of the Law is obtained by others through unlawful means, this is promptly reported to the relevant Personal Data Owner and the Personal Data Protection Board. If deemed necessary by the Personal Data Protection Board, this may be announced on the Personal Data Protection Board's website or by another method.

 

5.2. Observing the Legal Rights of Personal Data Owners

 

The Company respects all legal rights of Personal Data Subjects through the implementation of the Policy and the Law, and takes all necessary measures to protect these rights. Detailed information regarding the rights of Personal Data Subjects is provided in the sixth section of this Policy.

 

 

 

5.3. Protection of Special Personal Data

 

The law attaches particular importance to certain types of Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. This data includes data related to race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. The Company demonstrates utmost care in protecting special Personal Data, which is designated as "special" by law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company to protect personal data are implemented with utmost care with respect to Special Personal Data, and the necessary controls are maintained within the Company in this regard.

 

 

 

§ 6. RIGHTS OF THE PERSONAL DATA OWNER, EXERCISE AND EVALUATION OF RIGHTS

 

6.1. Information to the Personal Data Owner

 

In accordance with Article 10 of the Law, the Company provides information to Personal Data Owners when collecting Personal Data. In this context, the Company provides information on the identity of the Company representative, if any, the purposes for which Personal Data will be processed, to whom and for what purposes the processed Personal Data may be transferred, the method and legal basis for collecting Personal Data, and the rights of the Personal Data Owner.

 

6.2. Rights of the Personal Data Owner Pursuant to the Personal Data Protection Law

 

Pursuant to Article 10 of the Law, the Company informs you of your rights; provides guidance on how to exercise these rights; and implements the necessary internal operational, administrative, and technical regulations for all of these purposes. Pursuant to Article 11 of the Law, the Company provides the following to individuals whose Personal Data is collected:

 

Learning whether personal data is being processed,

To request information regarding the processing of personal data,

To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,

Knowing the third parties to whom Personal Data is transferred, either domestically or abroad,

To request correction of personal data if it is processed incompletely or incorrectly,

Request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,

Article 11 (d) of the Law  And  (to)  To request that the transactions carried out in accordance with the clauses be notified to third parties to whom personal data has been transferred,

To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,

To request compensation for damages in case of damages due to unlawful processing of Personal Data.

explains that they have rights.

 

6.3. Cases Where the Personal Data Owner Cannot Assert His/Her Rights

 

Since the following cases are excluded from the scope of the Law in accordance with Article 28 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2) of this Policy in the following cases:

 

Personal Data is processed by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that obligations regarding data security are complied with.

Processing of Personal Data by making it anonymous with official statistics for purposes such as research, planning and statistics.

Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

Processing of Personal Data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial or execution proceedings.

In accordance with Article 28/2 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2) of this Policy, except for the right to demand compensation for damages, in the following cases:

 

Personal Data processing is necessary for the prevention of crime or criminal investigation.

Processing of personal data made public by the Personal Data Owner.

Personal Data processing is necessary for the performance of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with public institution status, based on the authority granted by law.

The processing of Personal Data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

6.4. Exercise of Personal Data Owner's Rights

 

Personal Data Owners may submit their requests regarding their rights listed in Article (6.2) of this Policy to the Company, free of charge, by completing and signing the Application Form, which you can access from the link ………………………………………………., along with information and documents that will identify them, using the methods specified below or other methods determined by the Personal Data Protection Board:

 

After completing the application form, a signed copy must be delivered personally or through a notary public to the address Yeşilköy Mahallesi, Atatürk Caddesi, EGS BUSINESS PARK No:12 İç Kapı No:390 Bakırköy/İstanbul, RAVY CARE PERSONAL CARE AND COSMETICS INDUSTRY AND TRADE LTD.CO.

After completing the application form and signing it with your “secure electronic signature” within the scope of Electronic Signature Law No. 5070, the secure electronically signed form must be sent via registered e-mail to ………………………….. The applicant must come in person and apply with a document proving his/her identity and information and documents related to the application subject, and submit the application form using the e-mail address previously notified to the Company and registered in the Company’s system.

 

 

In order for third parties to request an application on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will apply.

 

6.5. The Company's Procedure and Timeframe for Responding to Applications

 

The Company will process requests included in the application free of charge as quickly as possible, within thirty days at the latest, depending on the nature of the request. However, if the process requires additional costs, a fee as determined by the Personal Data Protection Board may be charged. The Company may accept or reject the request, explaining the reason, and will provide a response in writing or electronically. If the request included in the application is accepted, the Company will fulfill the request.

 

6.6. Personal Data Owner's Right to Complain to the Personal Data Protection Board

 

In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the data owner has the right to lodge a complaint with the Personal Data Protection Board within thirty days from the date on which he/she learns of the response and, in any case, within sixty days from the date of application.

 

 

 

§ 7. MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE COMPANY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY

 

A Personal Data Committee has been established within the Company in accordance with the decision of the Company's senior management to manage this Policy and other policies related to and affiliated with this Policy.  Personal Data Committee, Personal Data Owners' data is processed in accordance with the law,  It is authorized and responsible for carrying out the necessary procedures for the storage and processing of personal data in accordance with this Policy and other policies affiliated with and related to this Policy. Detailed regulations regarding the members of the Personal Data Committee and their duties are included in the Personal Data Storage and Destruction Policy published on the Company's website.

 

 

 

§ 8. UPDATES, ADAPTATIONS AND CHANGES

 

8.1. Update and Compliance

 

The Company reserves the right to make changes to this Policy and other related and related policies due to changes in the Law, in accordance with the decisions of the Personal Data Protection Board, or in line with developments in the sector or the field of information technology. Changes to this Policy will be immediately incorporated into the text, and explanations regarding the changes will be provided at the end of the Policy.