As part of its legal and social responsibility; Golden Maprix Grup Organik Tarım Ürünleri İthalat İhracat Ticaret ve Sanayi Limited Şirketi (‘Golden Maprix’) is obliged to act in accordance with the legal legislation in force regarding the protection of personal data, particularly the Constitution of the Republic of Turkey (“Constitution”) and the Personal Data Protection Act No. 6698 (the “Act of the KVK”), and GOLDEN MAPRIX carries out the necessary work on protecting personal data by making compliance with such legal legislation a life cycle.
Within the scope of these studies, personal data protection, processing, storage and destruction policy was prepared by GOLDEN MAPRIX. Golden Maprix is committed to complying with national personal data protection regulations as part of its legal and social responsibility. With this policy the Company aims to inform; customers, potential customers, employee candidates, Company shareholders, Corporate officials, visitors, employees, shareholders and officials of the companies in cooperation, and persons related to the process of protecting, deleting, destroying and making the personal data of third parties.
Golden Maprix; collects personal data for virtual market membership as well as legal responsibilities and to provide better services. The collected personal data allows Golden Maprix to be informed about the latest products, advantageous shopping opportunities, personal advantageous suggestions and future events.
In addition, the data collected allows us to receive the most accurate feedback about our services, as we exchange information with personal data owners. In accordance with the KVK Act and related legal legislation, Golden Maprix, the data controller; sets the basic principles adopted in the processing and protection of personal data, administrative and technical measures taken on the protection of personal data, and the procedures and principles for determining the maximum time required for the purpose to which they are processed, by this policy.
In this Policy, Golden Maprix provides detailed explanations about which data are personal data, which of the personal data stored are administrative, and technical measures taken for the protection of personal data, and the processing and preservation of personal data, enlightening and informing personal data owners, transferring and protecting them to third parties.
This Policy relates to all personal data of customers, potential customers, employee candidates, institutional shareholders, authorized officials, visitors, employees, shareholders and officials of cooperating institutions and third parties, which are processed automatically or by non-automatic means provided that they are part of any data recording system.
In accordance with the KVK Act and related legal legislation, Golden Maprix sets the basic principles adopted in the processing and protection of personal data, administrative and technical measures taken on the protection of personal data and the procedures and principles for determining the maximum time required for the purpose they are processed, wiping, destroying and making anonymous with this policy.
The following assets that process and store personal data within Golden Maprix and all processes related to these assets are covered by this policy;
- All printed or written documents, other documents and files containing personal data
- All applications containing personal data
- All databases containing personal data
In this context; it relates to the personal data collected from customers, potential customers, employees, employee candidates, Golden Maprix shareholders, officials, Golden Maprix websites, e-commerce sites, business partners, employees, shareholders and officials and third parties, which are completely or partially automated or operated in automated ways, provided that they are part of any data registration system.
Data that has become anonymous and unidentified, such as the data that does not contain personal data and obtained for statistical assessments or studies, and data relating to legal entities is not considered personal data and is not subject to this Policy.
This Policy applies to real person customers of Golden Maprix and its affiliates under the control of Golden Maprix and other real persons who do not have a specific framework agreement with their subsidiaries under the control of Golden Maprix. Golden Maprix statements in this Policy will also include the institution and its subsidiaries under its control.
- ENFORCEMENT AND UPDATES
The policy has been published by our Company on its website and made public. In case of a conflict with the legislation in force, especially Law No. 6698, and other relevant regulations included in this Policy, the provisions of the legislations are applied. The Company reserves the right to amend this Policy in parallel with the regulations. The updated version of the Policy can be accessed on Golden Maprix website www.goldenmaprix.com.tr
|Express Consent||Consent on a particular issue, based on information and free will.|
|Personal Data||Any information pertaining to an identified or identifiable natural person. For example; name-surname, ID Number, email address, postal address, date of birth, credit card number etc.|
|Private Personal Data||Biometric and genetic data with data on race, ethnicity, political thinking, philosophical beliefs, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sex life, criminal conviction and security measures.|
|Personal Data Owner||The real person with personal data processed|
|Anonymization||It is the change of personal data in a way that loses the quality of personal data and this situation cannot be recovered.|
|Employee||Employees of Golden Maprix|
|Employment Applicant||Real persons who have applied for an employment position in any way or have sent their resume and related information to the company’s review|
|Constitution||Constitution of Republic of Turkey|
|KVK Act||Personal Data Protection Act No. 6698|
|KVK Board||Board of Personal Data Protection|
|KVK Institution||Institution of Personal Data Protection|
|Processing Personal Data||Any action taken on data such as obtaining, saving, storing, replacing, reorganizing, explaining, transferring, inheriting, obtainable classification or preventing the use of personal data in non-automated means, provided that it is completely or partially automated or part of any data recording system.|
|Customer||Real persons who use the products and services offered by our Company, regardless of whether they have any contractual affiliation with our Company.|
|Data Processor||It is a real and legal entity that processes personal data on its behalf, based on the authority given by the data controller. For example, the cloud computing company that keeps our Company’s data, the surveyors that have customers sign the forms, the call centre that calls under instructions, etc.|
|Data Record System||Registration system where personal data are structured and processed according to certain criteria|
|Data Owner||Real person whose personal data is processed|
|Data Controller||Natural or legal person, who determines the purposes and means of processing personal data, establishes and manages the place where data is systematically kept (data recording system).|
|Data Controllers Registry||Data Controllers Registry kept by the Presidency of the KVK Act Authority and open to the public under the supervision of the KVK Act Board|
|Visitor||Real persons who have entered the physical settlements of the company for various purposes or visited websites.|
|Employees, Shareholders and Officials of the Companies that We Cooperate with||Real persons with employees, shareholders and officials of the companies engaged in business relations with Golden Maprix (especially and not limited to performance assistant, business partner, supplier, program partner, etc.)|
|Golden Maprix Suppliers||Third parties from whom Golden Maprix purchases products and / or services based on contract|
|Potential Customer||Real persons who have requested to purchase and / or use our products and services or who have been evaluated in accordance with the rules of commercial practice and honesty.|
|Policy||Golden Maprix’s Policy of Protecting, Processing, Retention and Destruction of Personal Data|
|Company/Golden Maprix||Golden Maprix Grup Organik Tarım Ürünleri İthalat İhracat Ticaret ve Sanayi Limited Şirketi|
|Company Shareholders||Real persons with Golden Maprix shareholders|
|Company Authority||Golden Maprix Board Member and other authorized real persons|
|Golden Maprix Data Owner Application Form||Application form that data owners will use when using their applications regarding their rights in Article 11 of the KVK Act.|
|Third Party||Third real persons in relation to these parties to ensure the security of trade transactions between the parties described above or to protect and benefit the rights of the parties mentioned in question|
- CATEGORIZATION OF PERSONAL DATA
The categories and explanations of personal data, which are partially or completely automatically processed within the scope of data processing activities carried out by Golden Maprix or non-automatic as part of the data recording system, and whose real person is identified and / or can be determined are as follows:
|PERSONAL DATA CATEGORIZATION||EXPLANATION OF PERSONAL DATA CATEGORIZATION|
|ID Data||All information such as ID number, nationality information, mother’s name, father’s name, birth place and date, gender, Social Security number, signature information, vehicle license etc. on the documents like driving license, ID Card, residence document, passport, attorney’s ID, marriage certificate.|
|Contact Data||Information such as phone number, address, email, fax number which clearly belongs to a real person.|
|Personal Data of Special Nature||‘Personal Data of Special Nature’ in Article 6 of the KVK Act is defined as, personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.|
|Location Data||Location information obtained during the use of company tools|
|Security Data on Physical Space||To be kept within the data recording system, personal data such as cam records during physical space entry, physical space, finger prints records, records at security checkpoints, processed to ensure our security in every angle while carrying out our commercial activities,|
|Customer Data||Information obtained and produced from real person customers as a result of our commercial activities and the operations of the relevant units within the scope of these activities|
|Customer Transaction Data||Personal data obtained within the data registration system, records for the purchase of our products and services and the information obtained within the instructions required for purchase, and personal data processed to personalize and market usage and purchase habits in accordance with the likes and needs of the personal data owner who purchases and/or uses our products and services, and the reports and assessments generated as a result of this process|
|Demand/Complication Administration Data||Personal data regarding the receipt and evaluation of all kinds of demands or complaints directed to the communication channels of Golden Maprix by real persons who are or are not Golden Maprix customers|
|Reputation and Incident Management Information||In order to protect Golden Maprix’s commercial reputation and ensure the public’s correct public information, personal data, reviews (shares related to Golden Maprix, etc.) collected from social media, etc., regarding events that have the potential to affect Golden Maprix employees.|
|Financial Data||Personal data such as IBAN number, credit card information, financial profile, income information, etc. processed within the scope of records showing all kinds of financial results within the framework of Golden Maprix’s legal relationship with the personal data holder|
|Marketing Data||Personal data processed for the marketing of our products and services in line with the usage habits, taste and needs of the personal data owner and the reports and evaluations created as a result of this processing|
|Risk Management Data||Personal data processed by means of methods used in accordance with the generally accepted legal, commercial practice and good faith in these fields in order for us to manage our commercial, technical and administrative risks.|
- PROCESSING OF PERSONAL DATA
In order to ensure that personal data is processed in accordance with the law, the company takes technical and administrative measures according to technological facilities and the cost of implementation. Employees are informed that they cannot disclose the personal data they have obtained in violation of the provisions of the KVK Act and cannot use it for the purpose of processing and they will continue after their resignation, and necessary commitments are taken from them accordingly.
Golden Maprix’s personal data processing activity covers all kinds of action taken against data using automated, semi-automated or non-automated paths, without any restrictions. Golden Maprix has the right to process the information of a data owner during the period during the use of its services and by complying with the following principles after the termination of the relationship. Golden Maprix may process personal data of the data holder or third parties specified by the data owner for a variety of purposes, including but not limited to:
- Golden Maprix raises awareness of data-processing parties such as business partners and suppliers, where it transmits personal data to prevent unlawful processing of personal data, prevent in usability of unlawful access to data and ensure the legal retention of data.
- The obligations that Golden Maprix must comply with when processing personal data as a data controller and the obligation to comply with the legal, administrative and technical measures developed in this regard are imposed in accordance with the nature of their activity in data processing that process data in relation to various adjectives such as suppliers and business partners of the party.
- Golden Maprix takes the necessary technical and administrative measures according to the technological possibilities and implementation costs in order to keep personal data in secure environments and to prevent them from being destroyed, lost or changed for illegal purposes.
- Golden Maprix, in accordance with Article 12 of the KVK Law, carries out or has it done the necessary inspections within its body. These audit results are reported and necessary actions are carried out to improve the measures taken.
- Golden Maprix carries out a system that ensures that personal data processed in accordance with Article 12 of the KVK Law are obtained by others illegally, and this situation is reported to the relevant personal data owner and the KVK Board as soon as possible.
6.1. Scope of Processing Personal Data
During the period in which the services of the company are used and after the termination of the relationship, the institution shall have the right to process the information of a data subject by complying with the principles stated in the article 6.3.
Personal data processing by the institution includes all actions taken against the data using automatic, semi-automatic or non-automatic means without any restrictions. In other words, personal data processing means; data acquisition, collection, recording, photographing, recording, organizing, storing, modifying data from the data owner or third parties for the purposes of transferring, disseminating or presenting in different ways, grouping or combining, blocking, deleting or destroying, restoring, retrieving or disclosing, obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, transferring abroad, taking over the data fully or partially automatically or non-automatically, provided that it is part of any recording system being made available, classified or prevented from being used.
6.2. Purposes of Processing Personal Data
Golden Maprix may process personal data of the data holder or third parties specified by the data owner for a variety of purposes, including but not limited to the following.
Golden Maprix has the right to process the information of a data owner during the period during the use of its services and by complying with the following principles after the termination of the relationship.
- Realization of Golden Maprix’s services duly and properly,
- Fulfilment of obligations under legal legislation,
- Making its web-site and applications easier to use,
- Providing information to audit companies, relevant attorneys, information storage, reporting and information stipulated by regulatory and supervisory authorities
- Planning, supervision and execution of information security processes,
- Preparation and presentations of various reports, research essays,
- Collecting, evaluating and meeting the complaints, questions, demands and suggestions of the Data Owner,
- Planning and execution of customer relationship management processes,
- Planning and/or execution of customer satisfaction activities,
- Promotion, marketing and campaign activities for services and products,
- Planning and execution of the sales processes of products and / or services,
- Fulfilment of the contract concluded with the customer,
- Follow-up of Legal Affairs,
- Follow-up of contract processes and / or legal claims,
- To know our members and improve our communication,
- Providing better and more reliable service to the customer, developing more suitable services and products and maintaining them continuously,
- Customize and recommend products and services offered by Golden Maprix according to customers’ likes, usage habits and needs,
- Visiting the company or website when call centres or web pages are used to use Golden Maprix services. Participation in these training, seminars or organizations of the company,
- Management of relations with business partners and / or suppliers,
- Ensuring the security of the Company Headquarters, warehouses, stores and other facilities,
- Planning and execution of emergency management processes,
- Planning and execution of personnel processes regarding subcontractor employees,
- Follow-up of finance and / or accounting works,
- Planning and follow-up of building and / or construction works,
- Planning and execution of market research activities for company recruitment and employee processes, sales and marketing of products and services,
- Planning and execution of corporate communication activities,
- Planning and execution of logistics activities,
6.3. Processing of Personal Data in accordance with the Principles Stipulated in the Legislation
Pursuant to Article 5 of the KVK Act, personal data can only be processed in accordance with the procedures and principles stipulated in the KVK Act and other relevant legal legislation. As Golden Maprix, personal data is processed in accordance with both the KVK Law and the procedures and principles specified under other relevant legal legislation; under the KVK Act, it was clearly regulated that the following principles must be respected in the processing of personal data.
- Processing of Personal Data in accordance with law and integrity rules
Golden Maprix carries out the activity of processing personal data in accordance with the Constitution of the Republic of Turkey, KVK Act, other relevant legal legislations, regulations and the honesty rule based on the relationship of trust.
- Ensuring The Accuracy and Up-to-Date Of Processed Personal Data
Golden Maprix; while conducting the personal data processing activity, it has set up systems and processes to ensure the accuracy and currency of the personal data it processes. In this context, Golden Maprix takes the necessary measures to correct and verify the accuracy of personal data holders’ personal data.
- Processing of Personal Data for Specific, Open and Legitimate Purposes
Golden Maprix, within the scope of the disclosure obligation in Article 10 of the KVK Act, before starting the processing of personal data, clearly and precisely determines the purpose of personal data processing and processes it within open and legal purposes.
- Processing Personal Data Related to Purpose, Limited and Measured
Golden Maprix processes personal data in connection with the purpose of performing the service it has set and offers before starting its processing activity. Golden Maprix does not carry out personal data processing activities with the assumption that the purpose is not related or that it is needed in the future. The processing of personal data is limited to the activities and legal obligations of Golden Maprix.
- Storage of Personal Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing
Golden Maprix retains personal data limited to the time required for the purpose stipulated or processed in the KVK Law and applicable legislation. Accordingly, Golden Maprix stores personal data as limited to this period if a period is stipulated in the relevant legislation, or for the period required for the purpose for which they are processed, if a period is not stipulated. Golden Maprix does not store personal data with the possibility of future use. Golden Maprix deletes, destroys or anonymizes personal data if the reasons for the expiration or processing of the period are eliminated.
6.4. Terms of Processing Personal Data
Golden Maprix only processes personal data in cases stipulated in the law or with the explicit consent of the person. Without explicit consent, personal data may also be processed in case of one of the other conditions listed below. The basis of personal data processing activity may be only one of the following terms, or more than one of these terms may be the basis of the same personal data processing activity. If the processed data is private personal data, the following terms apply.
In accordance with the regulation in Article 5 of the KVK Act, Golden Maprix processes personal data, as a rule, with the explicit consent of the person. However, in accordance with paragraph 2 of Article 5 of the KVK Act; The Legislator has allowed the processing of personal data even in the absence of explicit consent. According to this; Personal data can also be processed by Golden Maprix in the presence of one of the other conditions and/or some of the other conditions written in the paragraphs “Bright Line” and “Non-Harming the Fundamental Rights and Freedoms of the Person concerned and Mandatory Data Processing for Golden Maprix’s Legitimate Interest”. The existence of only one of the following conditions is sufficient for personal data processing activity; more than one of the conditions mentioned can be the basis of the same personal data processing activity. Section 7.1 of the Policy also mentions how to apply the data processed in the event of special personal data.
- Presence of the Explicit Consent of the Personal Data Owner
One of the conditions in which personal data is processed is the explicit consent of the personal data owner. The personal data owner should disclose his/her approval for the processing of his/her personal data in a clear manner that there will not be any hesitation of his/her free will.
Personal data of the data owner may be processed by Golden Maprix without the explicit consent of the data owner, in accordance with the law, if explicitly stipulated by the law. For example; personal data is processed while keeping the registry files of the employees within the framework of the Labour Law and the relevant legislation.
- Mandatory for the protection of the life or body integrity of the person who is unable to disclose his/her consent due to actual impossibility
The data owner’s personal data may be processed if it is mandatory to process personal data in order to protect the life or body integrity of the person who is unable to disclose his consent due to actual impossibility. In cases where the personal data cannot be disclosed to the owner’s consent or whose consent is not valid, the data owner’s personal data may be processed if it is mandatory to process personal data to protect the life or body integrity of the person himself or another person. For example; if the health information of a customer who had an accident in the Golden Maprix sales store is given to the store authorities by his/her family, this personal data is processed.
- The requirement to operate personal data of the parties of the contract provided that it is directly related to the establishment or disclosure of a contract
Personal data may be processed by Golden Maprix if it is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract. For example, the customer who shopped at the Golden Maprix Virtual Market, notifies the company about his/her name, surname, address and telephone information for delivery of the products they ordered.
- Data Processing Activity Requirement for Golden Maprix to Fulfil its Legal Obligation
Personal data of the data owner can be processed if data processing is mandatory for Golden Maprix to fulfil its legal obligations. For example, in accordance with the complaints made to the Prosecutor’s Office regarding the expenditures made from credit cards without the knowledge of credit card holders, the data is submitted by the decision of the Prosecutor’s Office.
- In case of pollicisation of the personal data by Personal Data Owner
In the event that the data owner has personally made his personal data public (social media, etc. in any way and manner), the relevant personal data may be processed by Golden Maprix without explicit consent. For example, the data of the person who has left his phone number on the home page of the Golden Maprix social media account and is looking for a job can now be processed without his express consent but limited to this scope.
- When Data Processing is Mandatory for the Establishment or Protection of a Right
In the event that data processing is mandatory for the establishment, use or protection of a right, the personal data of the data owner may be processed. For example, keeping the sales contract with the quality of evidence and using it when necessary.
- Obligation of Data Processing for the Legitimate Interest of Golden Maprix on the Condition of Not Damaging the Fundamental Rights and Freedoms of the Relevant Person
Although the protection of personal data is a constitutional right; Personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of Golden Maprix, provided that it does not harm the fundamental rights and freedoms of the personal data owner. For example, personal data processing activities in calculations to be made by the financial affairs department.
PROCESSING OF SPECIAL PERSONAL DATA
7.1. Terms of Processing of Special Personal Data
Personal data designated as “specially categorized” under the KVK Law is also stated in this Policy due to its sensitivity, due to the risk of causing victimization or discrimination of persons when committed illegally.
It is forbidden to process special quality personal data defined in Paragraph 1 of Article 6 of the KVK Law without the explicit consent of the data owner, as stated in the second paragraph of Article 6 of the KVK Law. The third paragraph of Article 6 of the KVK Law regulates the exceptions to this rule.
By Golden Maprix; special qualified personal data is processed in accordance with the above mentioned law provided that sufficient measures to be determined by the KVK Board are taken.
7.2. Protection of the Special Categorized Personal Data
The Personal Data Protection Act and a number of personal data are also mentioned in this Policy due to the risk of causing people’s victimization or discrimination when committed illegally. The processing of special categorized personal data is clearly stated in Article 7.1 of the Policy.
For employees involved in the processing of private personal data; necessary measures are taken to provide; regular trainings on the matters of law and related regulations and special qualified personal data security, to make confidentiality agreements, to clearly define the scopes and durations of the users authorized to access the data, to perform authorization checks periodically, to immediately remove the authorities of employees who have a change of duties or leave their jobs in this area, and in this context, to receive back the inventory allocated to them by the data controller.
If the environments where special qualified personal data are processed, stored and/or accessed are electronic media; necessary measures are taken for keeping data using cryptographic methods, keeping cryptographic keys safe in different environments, safe logging of transaction records of all transactions carried out on data, continuous monitoring of security updates for the environments where the data is located, regularly-conducting /doing the necessary security tests, recording the test results, making user authorizations for this software if the data is accessed through software, regular security tests/making of these software, recording the test results, ensuring remote access to the data if necessary, providing at least two-stage authentication system.
Necessary measures are taken to prevent unauthorized entry and exits by ensuring the physical safety of these environments where qualified personal data is processed, stored, and/or accessed, if it’s a physical environment; according to the nature of the environment adequate safety measures (against electrical leakage, fire, flooding, theft, etc.) are taken.
TRANSFER OF PERSONAL DATA
In accordance with the objectives of Golden Maprix to serve the data owner properly, the data processing requires the transfer/sharing of data relating to the data owner and/or third parties that the data owner points to.
Personal data can be transferred to ensure that the necessary works for the benefit of the products and services offered by Golden Maprix are carried out by the business units and that the products and services offered by the institution are customized and recommended according to the tastes, usage habits and needs of customers.
Ensuring the legal and commercial security of persons involved in business relations with Golden Maprix and Golden Maprix (administrative operations for communication carried out by the Company, ensuring the physical security and control of the company’s locations, evaluation processes of partner/customer/supplier (authorized or employees), reputation research processes, legal compliance processes, audit, financial affairs, etc.), for the purpose of determining and implementing the commercial and business strategies of Golden Maprix and ensuring the execution of the company’s human resources policies can be transferred to business partners, suppliers, company officials, shareholders, affiliates, legally authorized public institutions and private persons within the framework of the terms and objectives of the personal data processing requirements and objectives specified in articles 8 and 9 of the KVK Act.
Golden Maprix is able to take the necessary security measures for the purposes of processing the personal data that is in accordance with the law and transfer personal data and privately qualified personal data to third parties (third-party companies, group companies, third real persons). In this respect, the company acts in accordance with the regulations stipulated in Article 8 of the KVK Law.
Golden Maprix applies the exceptions for the transfer process specified in this Policy article, as specified in the 2nd paragraph of the 8th article of the KVK Law.
The provisions of other laws regarding the transfer of personal data are reserved.
8.1. Transfer of Personal Data Domestically
In accordance with Golden Maprix’s objectives to provide better service to the personal data owner, to be able to meet their demands more accurately, to improve its services and communication, to enable customer satisfaction practices and information, and to eliminate technical problems, and so on, within the scope of data processing activity, the data owner and/or third parties indicated by the data owner may need to transfer/share data to third parties. In this direction, Golden Maprix acts in accordance with the regulations stipulated in Article 8 of the KVK Law and the regulations in this Policy within the scope of the said article. Namely;
- Personal data to carry out the necessary works for the benefit of products and services offered by Golden Maprix by the business units, the products and services offered by Golden Maprix to customize and recommend according to the tastes, usage habits and needs of customers,
- Ensuring the legal and commercial security of people involved in business relations with Golden Maprix and (administrative operations for communication carried out by Golden Maprix, ensuring the physical security and control of Golden Maprix locations, evaluation processes of partner/customer/supplier (authorized or employees), reputation research processes, legal compliance process, audit, financial affairs, etc.)
- For the purpose of determining and implementing Golden Maprix’s commercial and business strategies and ensuring the execution of the company’s human resources policies, it can be transferred to business partners, suppliers, Golden Maprix authorities, shareholders, affiliates, legally competent public institutions and private persons within the framework of the personal data processing requirements and objectives specified in Articles 8 and 9 of the KVK Act.
8.1.1.Transfer of Special Categorized Personal Data Domestically
By taking the necessary measures and precautions stipulated by the KVK Board; Golden Maprix may transfer the private data of the personal data owner to third parties in line with its legitimate and legal purposes, taking into account the conditions set out in section 7 of this Policy.
8.2. Transfer of Personal Data Abroad
Golden Maprix may transfer the personal data and special categorised personal data of the personal data owner to third parties by taking the necessary security measures in line with its legal purposes. Personal data processed by Golden Maprix; pursuant to Article 9 of the KVK Law, provided that sufficient precautions are taken with paragraph 2 of Article 5 of the KVK Law, if one of the conditions specified in paragraph 3 of Article 6 of the KVK Law is met and the personal data will be transferred to the transfer of the foreign country by the KVK Board in the case that has been classified as one of the countries where either the lack of adequate protection of an adequate protection of responsible data in Turkey and in the relevant foreign country can be transferred to the pledge in writing and KVK Board of recording the presence of the permit.
8.2.1. Transfer of Special Categorized Personal Data Abroad
Golden Maprix, with due diligence, taking necessary security measures and adequate precautions stipulated by the KVK Board; in line with legitimate and lawful personal data processing purposes, it may transfer the private data of the personal data owner to the countries that have been declared with sufficient protection or where adequate protection is committed by the data controller in a foreign country, taking into account the conditions set out in section 7 of this Policy.
If private personal data is required to be transmitted via email, it must be encrypted with an enterprise email address or by using a Registered E-mail (REP) account. If it is required to be transferred via portable memory, CD, DVD, etc., it should be encrypted with cryptographic methods and the cryptographic key should be kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer should be performed by installing VPN or SFTP method between servers. If data is required to be transferred through paper media, necessary measures must be taken against the risks such as theft, loss or sighting by unauthorized persons, and necessary measures must be taken to send the documents in the format of “confidentiality-grade documents”.
8.3. Third Parties to whom Personal Data are Transferred and Transfer Purposes
Golden Maprix may transfer customers’ personal data to the categories listed below in accordance with Article 8 and 9 of the KVK Act:
(i) Golden Maprix business partners,
(ii) Golden Maprix suppliers,
(iii) Golden Maprix subsidiaries,
(iv) Golden Maprix shareholders,
(v) Legally authorized public institutions and organizations,
(vi) Legally competent private law contacts,
(vii) To other third parties in accordance with data transfer requirements
The scope of the persons mentioned above and the purposes of data transfer are as follows; In the transmissions made by Golden Maprix, actions are taken in accordance with the provisions regulated in Section 10 of the Policy.
|Persons for Data Transfer||Definition||Purpose of Data Transfer|
|Business Partner||While carrying out the commercial activities of Golden Maprix, Golden Maprix describes the parties it has partnered with for the purpose of selling, promoting and marketing its products and services, after-sales support, and conducting joint customer loyalty programs.||Limited to ensuring the fulfilment of the purpose of establishing the partnership|
|Supplier||It identifies the parties that provide services to the Company on contract-based terms in accordance with the Company’s orders and instructions when conducting the commercial activities of Golden Maprix.||Limited to ensure that Golden Maprix is outsourced from the supplier and that the services required to carry out the commercial activities of Golden Maprix are provided by Golden Maprix.|
|Affiliates||Companies in which Golden Maprix is a shareholder||Limited to ensure the execution of commercial activities that require the participation of Golden Maprix’s affiliates|
|Shareholders||Our shareholders who are authorized to design the strategies and audit activities regarding the commercial activities of Golden Maprix in accordance with the relevant legislation provisions||Limited to designing strategies for the commercial activities of Golden Maprix in accordance with the provisions of the relevant legislation and|
|Legally Authorized Public Institutions and Organizations||Public institutions and organizations authorized to receive information and documents from Golden Maprix in accordance with the provisions of the relevant legislations||Limited with the purpose requested by the relevant public institutions and organizations within the legal authority|
|Legally Competent Private Law Contacts||Private law persons authorized to receive information and documents from Golden Maprix in accordance with the relevant legislation provisions||Limited to the purpose requested by the relevant private law persons within the legal authority|
RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA
9.1. Obligation for Personal Data Owners to Be Informed by Golden Maprix
In accordance with Article 10 of the KVK Law; Golden Maprix is obliged to enlighten personal data owners during the acquisition of personal data.
In this context, Golden Maprix informs the data owners about what purposes the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of personal data collection and legal reasons, and what are the rights of the data owner in accordance with Article 11 of the KVK Law and obtain their explicit consent.
9.2. Rights of Personal Data Owner and Application Method
Personal data owner can make the following requests by applying to Golden Maprix in accordance with Article 11 of the KVK Law:
- Learn whether or not her/his personal data have been processed,
- Request information as to processing if her/his data have been processed,
- Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose,
- Know the third parties in the country or abroad to whom personal data have been transferred,
- Request rectification in case personal data are processed incompletely or inaccurately,
- Request deletion or destruction of personal data within the framework of the conditions set forth under article 7 and to request notification of the transaction made within this scope to third parties to whom personal data has been transferred,
- Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred,
- Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems
- Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data
Personal data holders must submit their requests for use of the above mentioned rights in accordance with paragraph 1 of article 13 of the KVK Law by filling out the Data Holder Application Form or by other methods determined by the KVK Board. Contact addresses are as follows;
Address: Golden Maprix Grup Organik Tarım Ürünleri İthalat İhracat Ticaret ve Sanayi Limited Şirketi: Saricioglu Mah. Buhara Cad. Matim İş Merkezi No:158/A Battal Gazi, Malatya, Türkiye
9.3. Cases Excluding the Rights of Personal Data Owner
It has been regulated that the provisions of the KVK Law will not be applied in the presence of the situations specified in the 1st paragraph of Article 28 of the KVK Law; in this context, it is not possible for personal data owners to claim their rights enumerated in the KVK Law regarding personal data processed by Golden Maprix.
Except for the right to demand compensation for personal data owners in cases specified in Paragraph 2 of Article 28 of the KVK Law; they cannot claim other rights listed in the KVK Law.
9.4. Personal Data Holder’s Right to Apply to Golden Maprix
Personal data holders will be able to fill out the application form on Golden Maprix’s website and forward their requests for the use of legally recognized rights to “Saricioglu Mah. Buhara Cad. No:158/A Battalgazi Malatya, Turkey” with wet or secure electronic signatures.
It is not possible to request by third parties on behalf of personal data owners, but a third party must be authorized by a special power of attorney issued on behalf of the third party to apply by the personal data owner in order to make a claim.
9.5. Replies of Golden Maprix to the Applications of the Personal Data Owners
In accordance with Article 13 of the KVK Act; the requests submitted by the personal data owner in accordance with the above procedure shall be finalized by Golden Maprix free of charge within the shortest time and no later than thirty days, depending on the nature of the request.
If the transaction also requires a cost, Golden Maprix will charge the applicant the fee at the tariff set out by the KVK Board. If the application is caused by Golden Maprix’s error, the fee charged will be refunded to the relevant person.
Golden Maprix may request information from the person concerned in order to determine whether the applicant has personal data and to clarify the requests made in the application.
Golden Maprix’s responsibility cannot be mentioned if requests that are not communicated by law and/or by law do not reach the Golden Maprix in accordance with the procedure specified in section 9.4 of the Policy.
Golden Maprix may reject the application of the applicant by explaining the justification in the cases mentioned in Article 28 of the KVK Law and in the following cases:
(1) The possibility of the personal data subject’s request to hinder the rights and freedoms of other persons
(2) In cases of requests requiring disproportionate effort have been made
(3) The requested information is public information
9.6. Complaint Right of the Personal Data Owner to the KVK Board
Personal data owner can make a complaint to the board as specified in Article 14 of the KVK Law.
The personal data owner cannot apply to the KVK Board without using the right of application specified in the section 9.4 of this Policy and article 13 of the KVK Law.
Technical and Administrative Measures to Keep Personal Data Safe and to Prevent Them against Illegal Access and Procession
In accordance with Article 12 of the KVK Law, Golden Maprix takes all kinds of technical and administrative measures to ensure the security level, conducts the necessary audits in this context or has them done within the framework of contracts made with third party companies.
10.1. Confidentiality in Processing Personal Data
Personal data processed by Golden Maprix in accordance with the law is subject to data security. Golden Maprix takes all necessary technical and organizational measures to ensure the confidentiality and security of privately qualified personal data and personal data collected through websites and/or other applications.
Any employee of Golden Maprix is prohibited from unauthorized access to this data, processing it or using it for private or commercial purposes, sharing it with unauthorized persons, or otherwise making it accessible. Golden Maprix’s employees may only access personal data appropriately within the scope and type of tasks in question. For this, roles and responsibilities are detailed and separated. The processing of this data by any employee of Golden Maprix who is not authorized under its legitimate duty is an unauthorized transaction.
Administrators should inform their employees of the obligation to protect data privacy at the beginning of the employment relationship. The obligation will continue after the termination of employment.
10.2. Security in Processing Personal Data
Before accessing personal data, the data owner is verified through the website or application.
This provision shall apply to whether the data is processed electronically or on paper. The following technical and administrative measures are defined and implemented to protect personal data, especially until new data processing methods are revealed. These measures are designed by taking into account the most advanced technology available, the risks of data processing and the need to protect data.
10.3. Technical Measures
Within Golden Maprix, personal data processing activities and storage in a safe environment are carried out with technical systems and technical solution applications. Technical measures are taken in accordance with the developments in technology; the measures taken are updated and renewed periodically.
The technical measures taken are periodically reported to the relevant authority in accordance with the internal control mechanism and the necessary technological solution is produced by re-evaluating the risk-raising issues.
Expert staffs in their areas are employed in technical issues
Software and hardware containing virus protection systems and firewalls are used. Secure Sockets Layer (SSL) encryption is used on all web pages where personal data is collected with online services such as Golden Maprix e-commerce sites. To take advantage of these services, an SSL-powered browser such as Safari, Firefox, Chrome, or Internet Explorer is required. In this way, the privacy of personal data transmitted over the internet can be protected.
Golden Maprix complies with PCI DSS (Payment Card Industry Data Security Standard) regulations created to ensure data security on card payment systems and securely delivers and functions data on card payment systems. The credit card number is encrypted by Golden Maprix’s online credit card application and transmitted to the bank and never shared with third parties. Credit card information is not stored / recorded or kept by Golden Maprix.
Legal backup programs are used to ensure secure storage of personal data.
In addition, the data classification system used within the organization is integrated with the data leak prevention (DLP) system. Thus, all electronic documents containing personal data must be classified within Golden Maprix, and the removal from the institution is controlled by the DLP system.
10.4. Administrative Measures
Employees are informed and trained about the law on the protection of personal data and the processing of personal data in accordance with the law and that cannot be explained to anyone in violation of the legislation and cannot be used for any purpose other than processing.
Records and commitments for not processing, not using and not exposing any personal data, are added to the contracts and documents between Golden Maprix and its employees, except for Golden Maprix instructions and exceptions imposed by law.
Provisions regarding the prevention of unlawful processing/accessing of personal data and provision of legal protection of data and ensuring compliance with these measures in their own organizations are added to the contacts which are done with the Parties to whom personal data are legally transferred by Golden Maprix with the purpose of receiving technical services from third parties regarding the storage of personal data.
Golden Maprix provides training and seminars for business partners on preventing unlawful processing of personal data, preventing unlawful access to data, and ensuring data preservation.
10.5. Conducting Audit Activities
In accordance with Article 12 of the KVK Law, Golden Maprix carries out the necessary audits within its own and its business partners or has it done within the framework of contracts made with third party companies. These audit results are reported to the relevant department within the scope of the internal operation of the company and necessary actions are carried out to improve all the measures taken.
10.6. Measures to be taken in Case of Unlawful Disclosure of Personal Data
In the event that personal data processed in accordance with the KVK Law and the relevant legislations are obtained by others through illegal means, Golden Maprix is obliged to carry out the specified measures in accordance with Article 12, paragraph 5 of the KVK Law. The necessary system shall be established in order to ensure the necessary detection and notification.
Following the notification made to the KVK Board, the KVK Board may announce this situation as specified in the paragraph 5 of the 12th Article of the KVK Law.
- Deleting Suppressing, Anonymizing of Personal Data
11.1. Principles for the Destruction of Personal Data in Accordance with the Law
All transactions regarding the deletion, suppression and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
Golden Maprix complies with the following principles in the storage and disposal of personal data
a) Compliance with the law and honesty.
- b) Being accurate and up-to-date when necessary.
- c) Processing for specific, explicit and legitimate purposes.
- d) Being connected, limited and moderated with the purpose of its processing.
- e) Being kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
Golden Maprix destroys personal data for the following reasons;
- The expiry of the periods determined by laws regarding the storage of personal data,
- End of disposal period determined by Golden Maprix,
- Expiry of periodic disposal period determined by Golden Maprix,
- Amendment or abolition of the relevant legislation provisions that constitute the basis for processing personal data,
- When the relevant contract has never been established, the contract is not valid, the contract is automatically terminated, the contract is terminated or the contract is withdrawn,
- The disappearance of the purpose requiring the processing of personal data,
- Processing of personal data is against the law or the rule of good faith,
- In cases where the processing of personal data is only based on express consent, the person concerned withdraws his consent,
- Acceptance of the application made by the relevant person regarding the personal data processing activity within the framework of his rights,
- In the event that Golden Maprix refuses the application made by the person concerned with the request of deletion or destruction of his personal data, the response is found to be insufficient or does not respond within the period stipulated by the law; making a complaint to the KVK Board and approval of this request by the Board,
- Although the maximum period for the storage of personal data has passed, there are no conditions that would justify the storage of personal data for a longer period.
- Elimination of the conditions that require the processing of personal data in Articles 5 and 6 of the Personal Data Protection Law.
11.2. Techniques of Deleting and Destructing Personal Data
Deletion or destruction of personal data is the process of making personal data inaccessible and unavailable in any way for relevant users. Golden Maprix deletes or destroys personal data by using the following techniques
- Golden Maprix takes all necessary technical and administrative measures to ensure that the deleted personal data cannot be accessed and reused by the relevant users.
- If the deletion of personal data will result in other data not being accessible and not being able to use this data, Golden Maprix applies the following rules;
– Archiving personal data by making it unrelated to the person concerned,
– Being unavailable to any other institution, organization and / or person
– Taking all necessary technical and administrative measures to ensure that personal data can only be accessed by authorized persons.
– In case of direct deletion request by real people, deletion of personal data of the relevant person from Golden Maprix systems.
- Deletion of personal data that is a part of any data recording system and processed by non-automatic means;
– Blackening of unnecessary personal data,
– It is carried out by masking unnecessary personal data in paper form transferred to electronic media by scanning or without digitizing.
The deletion conditions mentioned above are met by the following methods;
11.2.1. Physical Destruction
Personal data can also be processed in non-automatic ways, provided that it is a part of any data recording system. While such data is deleted / destroyed, a system of physical destruction of personal data in a way that cannot be used later is implemented.
11.2.2. Secure Deletion from Software
While the data processed in fully or partially automatic ways and stored in digital media is deleted / destroyed; Methods for deleting data from the relevant software in a way that cannot be recovered again are used.
11.2.3. Safe Deletion by Expert
Golden Maprix may in some cases contract with an expert to delete personal data on its behalf. In this case, the personal data are securely deleted / destroyed by the person skilled in this field so that they cannot be recovered again.
11.3. Techniques of Anonymizing Personal Data
The anonymization of personal data is the rendering of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even if they are matched with other data.
Golden Maprix may anonymize personal data if the terms of processing are eliminated in accordance with the law. Thus, anonymized personal data can be processed for research, planning and statistical purposes in accordance with Article 28 of the KVK Law. Such processing is outside the scope of the KVK Law and the public consent of the personal data owner will not be sought. Since the personal data processed by anonymity will be outside the scope of the KVK Law, this Policy will be used in accordance with Article 9 of the Act. The rights held in the section will not apply to this data.
Golden Maprix uses the techniques in anonymization of the personal data.
Data masking is the method of anonymization of personal data by extracting the basic determinant information of personal data from the data set. For example, extracting information such as first name, last name, ID No., etc., which allows identification of the personal data owner.
By data aggregation method, many data are aggregated and personal data cannot be associated with any person. For example, a statement that there are as many as Y customers at the age of X, without specifying their age
11.3.3. Data Derivation
By data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person. For example, stating the age instead of the date of birth
11.3.4. Data Hash
By mixing the data hash method with its values within the personal data set, it is possible to break the link between values and contacts.
11.4. Storage and Destruction Times of Personal Data and Periodic Destruction Times
Golden Maprix deletes, destroys or anonymizes personal data in the first periodic destruction following the date on which the obligation to delete, destroy or anonymize personal data arises. The periodic time for destruction is six months. Retention times for personal data are determined in accordance with the KVK Law and business processes.
The KVK Board may shorten the periods specified in this article in case of damages that are difficult or impossible to compensate and there is an obvious violation of the law. When the data owner requests the deletion or destruction of his/her personal data by contacting Golden Maprix in accordance with Article 13 of the KVK Act;
- a) If all the conditions for processing personal data have disappeared; Golden Maprix deletes, destroys or anonymizes the personal data owner to the request. Golden Maprix concludes the data subject’s request within thirty days at the latest and informs the data owner.
- b) If all of the personal data processing conditions have disappeared and the personal data subject to the request is transferred to third parties, Golden Maprix will notify the third party; Ensures that the necessary procedures are carried out before the third party.
- c) If the terms of processing personal data have not been completely eliminated, this request is made by Golden Maprix under article 13 of the KVK Act in accordance with paragraph 3, the reason can be explained and the rejection response is reported to the person in writing or electronically no later than thirty days.
11.4.1. Time for Ex Officio Deleting, Destroying or Anonymyizng of Personal Data
Golden Maprix considers the following periods within the scope of its obligation to delete, destroy or anonymize personal data:
- In the first periodic disposal process following the date on which the liability arises
- Periodic disposal period cannot be longer than 180 days in any case.
11.4.2. Time for Deleting, Destroying or Anonymyizng of Personal Data On the Request of Relevant Person
In case the relevant person applies to Golden Maprix for deletion or destruction of the personal data that belongs to him/her;
- If all requirements for processing personal data have been eliminated; Golden Maprix may delete, destroy or anonymize personal data subject to demand. Requests to delete or destroy contacts will be finalized by Golden Maprix within thirty days at the latest.
- If all of the terms of processing personal data have not been eliminated, this request may be rejected by Golden Maprix by explaining its motive, and the rejection will be notified to the person in writing or electronically no later than thirty days at the latest.
11.5. Internal Management of Personal Data Processing, Storage and Destruction Processes
In any transactions related to personal data to be carried out upon completion of the process and compliance process in accordance with Golden Maprix, the KVK Law and the relevant legislative provisions, the management of this Policy and the processes related to this Policy shall be carried out as:
A customer requesting the deletion of personal data from Golden Maprix systems; may request the deletion of personal data through the Mobile App, Website, Call Centre, or by contacting the Stores in person. The request received from any of the channels is saved to the call system and the customer is called back by the call centre for verification. After it is cleared which of the Customer’s data in Golden Maprix and e-commerce systems will be deleted, the customer data is deleted by running the deletion processes on the related systems.
In accordance with the procedures and principles set out in the KVK Law and other laws, Golden Maprix records and stores personal data in the Golden Maprix data warehouse, which is fully or partially automated or not automated as part of any data registration system.
12.1. Registration and Tracking at the Entry and / or Inside of Stores, Headquarters Buildings etc.
For the purposes of increasing the quality of the service offered by Golden Maprix, ensuring its reliability, ensuring the security of the company, customers and other persons, and protecting the interests of the customers regarding the service they receive, personal data processing is carried out in stores, buildings and facilities by monitoring with security cameras. The camera surveillance activity is carried out in accordance with the Law on Private Security Services and the relevant legislation. The privacy of the person is not subject to monitoring in areas (for example, toilets) that may result in intervention that exceeds security objectives.
In accordance with Article 10 of KVK Law, Golden Maprix enlightens the personal data owner by posted notifications, letter statements about Privacy and Data Security Policy either publishing on the website or hanging up the notifications that the monitoring is made at the entrances of the areas, and the personal data obtained is protected by technical measures.
12.2. Entry-Exit Tracking of the guests to the places such as Stores HQs etc.
Golden Maprix is in the process of processing personal data for the purposes set out in this Policy by taking the credentials of visitors and by accessing the Visitor Program for the purposes specified in this Policy to monitor visitor entry and exits in the Golden Maprix buildings and facilities.
12.3. Ensuring Corporate Facility Security and Website Visitors
In order to ensure security by the company, personal data processing activities are made for monitoring activities in corporate buildings and facilities with security cameras and for the monitoring of guest entrances and exits.
Visitors’ video recordings are obtained through the camera and monitoring system at the entrances of the building, the facility and within the facility. In addition, the visitor’s credentials are obtained and participated in and kept in the Visitor Program.
Within the scope of security camera monitoring activity we aim to improve the quality of the service offered, to ensure its reliability, to ensure the safety of the company, customers and others, and to protect the interests of customers regarding the service they receive.
In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken by the company to ensure the security of personal data obtained as a result of camera monitoring activity.
Log records of Internet access are recorded according to the provisions of Law No. 5651 and the supervisory provisions of the legislation regulated in accordance with this Law; these records are processed only for the purpose of requesting them by authorized public institutions and organizations or for the fulfilment of the relevant legal obligations in the audit processes to be carried out within the company.
Golden Maprix owns websites; ensure that people who visit these sites make their visits on the sites appropriately for the purposes of their visit; internet activity within the site is recorded by technical means (e.g. Cookies-cookies) in order to show them customized content and to be able to do online advertising activities.
Detailed explanations regarding the protection and processing of personal data related to these activities are included in the texts of the relevant websites “Golden Maprix Trading Inc. Website Privacy and Data Security Policy”.
- INTERNAL GOVERNANCE UNDER THE PROTECTION AND PROCESSING OF PERSONAL DATA
Personal Data Protection Committee (‘Committee‘) has been established to monitor and manage the actions necessary for compliance with Law No. 6698. within Golden Maprix.
The main duties of the Committee are as stated below:
- To provide the basic policies for the protection and processing of personal data and for the approval of the senior management to prepare and enact changes where necessary,
- To decide how to implement and control policies on the protection and processing of personal data and to make the necessary task distribution and coordination within the company within this framework
- To determine the issues that need to be done in order to ensure compliance with the relevant legislation no. 6698 and to present what needs to be done for the approval of the senior management; monitoring and coordinating the implementation,
- To raise awareness within the Company and with the Company’s business partners about the protection and processing of personal data,
- To ensure that necessary measures are taken by identifying the risks that may occur in Golden Maprix’s personal data processing activities; to provide improvement proposals for the approval of senior management,
- To follow the relevant legislation on the protection of personal data, to make updates to prepared texts and policies,
- To design trainings on the protection of personal data and implementation of policies and to carry out the trainings after obtaining the necessary approvals,
- To decide on personal data owners by creating a mechanism to meet their applications quickly,
- To coordinate the execution of information and training activities in order to ensure that personal data owners are informed about personal data processing activities and their legal rights,
- To follow developments and regulations on the protection of personal data; advise the senior management on what needs to be done in accordance with these developments and regulations,
- Coordinating relations with the KVK Board and the KVK Institution,
- Fulfilling other duties that senior management will give in the protection of personal data.
- To provide improvement recommendations in order to ensure that necessary measures are taken by identifying the risks that may occur in the Company’s personal data processing activities.