PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

ARTOFIS FURNITURE SANAYİ VE TİCARET ANONİM ŞİRKETİ

PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

1. INTRODUCTION
The Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677, in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to determine the obligations of real and legal persons who process personal data. ) in accordance with Article 10 of the Law, titled “Information Obligation of the Data Controller”. In this context, in the capacity of Data Controller;

Our Employees / Employee Candidates / Interns
Our Dealers / Our Customers / Our Potential Customers
Persons and employees who buy products or services
Our visitors
Officials and Employees of Our Suppliers
Public Employees
including Members of the Board of Directors, Shareholders and Third Parties
ARTOFIS FURNITURE IND. TRADE. Inc. Within the scope of this policy, we inform all personal data processed by us regarding mutual rights and obligations.

Our company informs the personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, it clarifies the identity of MASACHI and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. Accordingly, in Article 11 of the KVK Law, “requesting information” is also listed among the rights of the personal data owner. Our company provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law.

The scope of this Policy consists of all personal data of our customers, potential customers, employees, employee candidates, company officials, business partners, dealers and other third parties that are processed automatically or non-automatically, provided that they are part of any data recording system.

2. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
Our company, in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, regarding the processing of personal data; in accordance with the law and the rules of honesty; accurate and up-to-date where necessary; for specific, clear and legitimate purposes; engages in personal data processing activities in a connected, limited and measured manner for this purpose. Our company retains personal data for as long as required by law or for the purpose of processing personal data.

Our company informs the personal data owners in accordance with the 20th article of the Constitution and the 10th article of the KVK Law and provides the necessary information in case the personal data owners request information. acts in accordance with the regulations stipulated in the law and set forth by the KVK Board.

3. FUNDAMENTAL PRINCIPLES PROVIDED IN THE LEGISLATION ON THE PROCESSING OF PERSONAL DATA
· Processing in Compliance with Law and Integrity
· Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
Processing for Specific, Explicit and Legitimate Purposes
· Relating to the Purpose for which they are Processed, Limited and Measured
· Retention for as long as required by the relevant legislation or for the purpose for which they are processed.
It is processed within the scope of the following purposes in accordance with its principles.

4. COLLECTION METHOD AND LEGAL BASIS OF PERSONAL DATA
Your personal data is collected for the purpose of providing the products and services we offer as MASACHI in line with the above-mentioned purposes, within the determined legal framework, and in this context, for MASACHI to fulfill its contractual and legal responsibilities completely and accurately.

Personal data can be collected by our company through verbal, written and/or electronic means, by giving clear and understandable verbal, written and/or electronic information to the personal data owners and by obtaining their explicit consent when necessary, in accordance with the law and honesty rules, provided that they are connected and limited to legitimate purposes. are collected, used, recorded, stored and processed within the framework of the principle of proportionality. And also; Within the framework of our company’s commercial purpose, such as contacting us, establishing a contractual relationship, visiting our business, sending your CV, transmitting your information to us for commercial purposes, sharing information in promotion and fair organizations, through different channels and based on different legal reasons; It is collected in order to improve the services we offer and to carry out our commercial activities. Your personal data collected for this legal reason can also be processed and transferred for the purposes specified in this Clarification Text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698.

In addition, we ensure that your personal data will not be transferred by our company to third parties abroad without meeting the conditions determined by the legislation and the board or without your explicit consent.

Accordingly, your personal data processed are;

Your identity information (T.R./Foreign Identity Number, name and surname, place and date of birth, marital status, gender, passport information, driver’s license)
Your contact information (residence address, telephone number, fax number, e-mail address)
Your location information (location information of your current location, address information)
Personal Information (Employment contract, education, diploma information, certificate information, SSI employment entry, exit statement, GSS entry information, family status statement, dependents, spouse, child proximity information, embezzlement certificate received according to the nature of the job, employment document, resignation, termination, severance and notice payroll, payroll information, disciplinary investigation information, SGK registry number, service breakdown, resume information, leave information, personnel performance evaluation reports, work accident information, information in the job application form, bank account information , IBAN number information)
Legal Transaction Information (Personal information in correspondence with judicial authorities, bank account information, case and enforcement files, information notified to lawyers, arbitral tribunals, mediators and relevant public institutions and organizations within this scope)

Customer, supplier, dealer, service providers transaction information (Name, Surname, TR No, Tax No, address, e-mail information, telephone contact information, bank account information, check, promissory note, payment, finance, signature circular information)
Physical Space Security Information (Customer, supplier, service providers, managers and employees, company employees, employee candidates, entry-exit camera recording information of visitors, card printing system kept due to entry-exit information)
Financial Information (balance sheet information, financial performance information, credit and risk information, asset information, bank account information, information on customs procedures, personal information in the forms kept and notified regarding foreign trade, current account information)
Professional experience information (education information, diploma information, working life, courses attended, in-service training information, certificates, driver’s license information, other information in the notified forms)
Visual Records (if you provide, the photo information on the completed, printed forms, documents and official identity documents, the photos you choose to put during the job application, the website in fairs, advertisements, marketing organizations, company campaigns, our social media accounts or third-party social media channels) your used, shared photos, your images in camera recordings)
Health Information (Health status information written in the job application form for employees and employee candidates, health reports for employees, periodic examination information, drug information, blood group information, personal health and physical disability status information, health board reports)
Criminal Conviction and Security Measures information (Criminal record, conviction, judicial status information),
Attire and attire information (Dress size number, shoe number purchased for the purpose of providing work clothes)
Risk Management Data (Data collected by the company while continuing its operations, vehicle license, trade registry)
User name, personal information filled in the system, bank name, e-mail address, telephone number recorded electronically on the company website and/or collected via online payment
Information on the complaints or requests submitted to our company and the procedures carried out during the evaluation and management process,

5. PURPOSE OF PROCESSING PERSONAL DATA
Our company processes personal data limited to the purposes and conditions specified in the personal data processing conditions specified in the 2nd paragraph of the 5th article of the Law on the Protection of Personal Data No. 6698 and the 3rd paragraph of the 6th article. These purposes and conditions;

Within the framework of the legal obligations arising from the relevant legislation and the expressly stipulated in the Laws for the Institution to carry out the relevant activities regarding the processing of your personal data.
The processing of your personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
The processing of your personal data is mandatory for our Company to fulfill its legal obligations,
Provided that your personal data has been made public by you; your processing by our Company in a limited way for the purpose of making you public,
The processing of your personal data by our Company is mandatory for the establishment, exercise or protection of the rights of our Company or you or third parties,
It is mandatory to process personal data for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms,
Processing personal data by our company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to express his consent due to actual impossibility or legal invalidity,
The processing of sensitive personal data other than the health and sexual life of the personal data owner is stipulated in the law,
Special categories of personal data relating to the health and sexual life of the personal data owner are processed by persons or authorized institutions and organizations that are under the obligation to keep confidential, for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. .
Also;

Your personal data is carried out by our business units in order to benefit from the services offered by our Company; providing the service and at the same time its performance, offering the services offered by our company to you; planning and/or executing market research activities for the marketing of services; Ensuring the delivery of products by making logistics cooperation with third parties, forwarding our offer in case of a request for the performance of services within the scope of the Company’s fields of activity, planning and/or execution of support services activities; Completion of contract processes and/or follow-up of legal requests, ensuring the legal, technical and commercial occupational safety of the related persons, to ensure the execution and performance of the company, to ensure the communication and communication with the real and legal persons with whom the company has legal relations, to ensure the corporate quality of the company, to ensure the safety of the related persons, to make and follow the domestic and international sales transactions related to our products and services, management, customs procedures, to carry out transactions related to the foreign trade process, to provide payment and collection transactions through banks or by check, promissory note, credit card, other commercial payment methods; Ensuring the execution of our company’s human resources policies, evaluating if you apply for a job, fulfilling our legal and legal obligations if you are our employee; Fulfilling legal obligations towards our employees, increasing service sales for companies, providing marketing, customer satisfaction analysis, measuring and increasing customer satisfaction, complaint management, providing quality follow-up; Ensuring security at company workplaces and offices, ensuring your safety when you visit our business; contacting you if you request information from our company; performance of the contract if you request service; Execution of Assignment Processes; Planning, auditing and execution of information security processes; Creation and management of information technology infrastructure; Providing Physical Venue Security, therefore taking Camera Records; Follow-up of finance and/or accounting works; Follow-up and Execution of Legal Affairs; Planning and execution of business activities; Planning and execution of corporate communication activities; Determination and implementation of our company’s commercial and business strategies, fulfillment of our contractual obligations, arranging records and documents, fulfilling legal procedures such as lawsuits and enforcement proceedings, information storage, reporting, informing, and developing and managing our current and R&D practices 5 and 6 of the Law No. 6698 for the purposes of marketing the product, complying with taxes and other obligations, monitoring the technical functions of the Site, ensuring that it works properly and solving any problems that may arise, providing communication activities, and informing the Authorized Persons, Institutions and Organizations. It will be processed in accordance with the personal data processing conditions and purposes specified in Articles . The data of our employees, the Labor Law, the Labor and Social Security legislation and the obligations stipulated by the other legislation in force, within our human resources policy or for operational reasons such as increasing the performance level and employee satisfaction and ensuring job security and work peace, and within the scope of the KVK Law, The transactions will also be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698. In addition, it may be processed by our Company or real or legal persons with whom our Company cooperates or authorizes and Provides Services.

6. PROTECTION AND PROCESSING OF PRIVATE PERSONAL DATA
Our company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as “special quality” by the KVK Law. In Article 6 of the KVK Law, a set of personal data that carries the risk of causing victimization or discrimination when processed unlawfully is determined as “special quality”. These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our company acts sensitively in the protection of special quality personal data, which is determined as “special quality” by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data, and necessary audits are provided within MASACHİ. Apart from this, if there is a personal data that needs to be processed in accordance with the relevant Legislation, in accordance with the legislation in force and provided that the measures to be determined by the Board are taken, the special quality personal data varies depending on whether the personal data owner has express consent or not. Accordingly, special categories of personal data:

If the personal data owner has express consent, or
If the personal data owner does not have express consent;
Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,
Persons or authorized institutions and organizations that are under the obligation of keeping confidential, for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, processed by.

7. TRANSFER OF PERSONAL DATA
As a rule, personal data can be transferred to third parties with the explicit consent of the personal data owner or in line with the exceptions stipulated in Article 5 of the KVKK, or in line with the exceptions stipulated in the KVKK article 6/3 and other laws, provided that adequate measures are taken.

If the personal data owner has express consent;
If there is a clear regulation in the law regarding the transfer of personal data,
If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for our company to fulfill its legal obligation,
If the personal data has been made public by the personal data owner,
If personal data transfer is necessary for the establishment, exercise or protection of a right,
If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
Your personal data; Carrying out the necessary work by our business units in order to benefit you from the products and services offered by our company; Suggesting the services offered by our company to you by customizing them according to your and your company’s needs; Ensuring the execution of our company’s human resources policies; Ensuring the legal and commercial security of our company and the people who have a business relationship with our company; For the purposes of determining and implementing our company’s commercial and business strategies; To our customers, business partners, suppliers, company dealers, the companies we receive support from, the transport companies we receive support from, our certified public accountant, the lawyers we work with when necessary, the banks we work with to provide wage policies, private pension and insurance companies, Health information and reports in order to provide Occupational Health and Safety To our OHS and Occupational Doctors, to Health Institutions and Hospitals in case of Occupational Accidents, to software, hardware, information and technology companies for the establishment of computer operating systems and computer programs used within our company, maintenance and repair of the programs, Chambers of Commerce to which we are affiliated, Tax Procedure Law, Persons or organizations authorized by the Social Security Institution legislation, Court of Accounts, Law on the Prevention of Laundering Proceeds of Crime, Turkish Commercial Code, Code of Obligations and other legislation, legally authorized public institutions and organizations, administrative bodies It will be possible to transfer personal data to farmers, legal authorities and private individuals within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law No. 6698.

If your sensitive personal data is to be transferred, your personal data can be transferred to the relevant third parties in cases stipulated by the laws in terms of sensitive personal data other than health and sexual life, by obtaining the explicit consent of the person concerned. Except for the cases stipulated in the law, your personal data of special nature is not transferred.

7.1. Transfer of Private Personal Data
Our company, by showing the necessary care, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In the following cases, the sensitive data of the personal data owner in line with the legitimate and lawful personal data processing purposes

If the personal data owner has express consent, or
If the personal data owner does not have express consent;
Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, criminal convictions and security measures) and biometric and genetic data), in cases stipulated by law,
Persons or authorized institutions and organizations that are under the obligation of keeping confidential, for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, may be transferred to third parties.

8. PERSONAL DATA STORAGE PERIOD
Our company keeps personal data for the period specified in these legislations, if it is foreseen in the relevant laws and regulations. If the legislation regarding how long personal data should be stored is not regulated for a period of time, personal data is processed for a period of time that requires it to be processed in accordance with our Company’s practices and commercial practices, depending on the services our company provides while processing that data, and then it is deleted, destroyed or anonymized.

The purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and the company have come to an end; Personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. Despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the terms herein, retention periods are determined on the basis of the examples in the requests made to our Company on the same issues before. In this case, the stored personal data is not accessed for any other purpose and access is provided only when it is required to be used in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

9. DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
Although our company has been processed in accordance with the provisions of the relevant law as regulated in article 138 of the Turkish Penal Code and article 7 of the KVK Law, in the event that the reasons requiring processing disappear, personal data is deleted upon our company’s own decision or upon the request of the personal data owner. is made anonymous.

(i) Personal Data Deletion and Destruction Techniques
Despite the fact that it has been processed in accordance with the provisions of the relevant law, our company may delete or destroy personal data upon its own decision or upon the request of the personal data owner, in the event that the reasons requiring processing are eliminated.

(ii) Physically Destroyed

Personal data can also be processed in non-automatic ways, provided that it is part of any data recording system. While such data is being deleted/destroyed, a system of physical destruction of personal data is applied so that it cannot be used later.

(iii) Securely Delete from Software

While deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that cannot be recovered again.

(iv) Expert Secure Erase

In some cases, MASACHI may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field, in a way that cannot be recovered.

(v) Techniques to Anonymize Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated.

In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law and the explicit consent of the personal data owner will not be sought.

10. ISSUES REGARDING THE PROTECTION/SECURITY OF PERSONAL DATA
In accordance with Article 12 of the KVK Law, our company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and to carry out the necessary audits in this context. or is making.

10.1.Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data
Our company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law.

(i) Technical Measures Taken to Ensure Legal Processing of Personal Data
The main technical measures taken by our company to ensure the legal processing of personal data are listed below:

Personal data processing activities carried out within our company are audited by established technical systems.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
Personnel knowledgeable in technical matters are employed.
(ii) Administrative Measures Taken to Ensure Legal Processing of Personal Data
The main administrative measures taken by our company to ensure the legal processing of personal data are listed below:

Employees are informed and trained on the law of protection of personal data and the processing of personal data in accordance with the law.
All the activities carried out by our company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed in the commercial activities carried out by the relevant business units.
Personal data processing activities carried out by our company’s business units; The requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions sought by the Law No. 6698 are determined according to each business unit and the detailed activity it carries out.
Except for the Company’s instructions and exceptions made by law, in the contracts and documents governing the legal relationship between our Company and employees and/or those engaged in business activities, records that impose the obligation not to process, disclose or use personal data are placed, and awareness of employees is created in this regard and audits are carried out.
Personal Data Inventory is Prepared.

10.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the imprudent or unauthorized disclosure, access, transfer or any other unlawful access to personal data.

 

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by our company to prevent unlawful access to personal data are listed below:

Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, the issues that pose a risk are reevaluated and the necessary technological solution is produced.
Software and hardware including virus protection systems and firewalls are installed.
Network Firewall is provided and log records are kept.
Personnel knowledgeable in technical matters are employed.
(ii) Administrative Measures to Prevent Unlawful Access to Personal Data
The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:

Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
Employees are informed that the personal data they learn cannot be disclosed to others in violation of the provisions of the KVK Law and cannot be used for purposes other than processing, and this obligation will continue after they leave their job.
Contracts concluded by our company with the persons to whom personal data are transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that they are complied with.
10.3. Storing Personal Data in Secure Environments
Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

(i) Technical Measures Taken for Storing Personal Data in Secure Environments

The main technical measures taken by our company to store personal data in secure environments are listed below:

In order to store personal data in secure environments, systems suitable for technological developments are used and logging is made.
Technical security systems are established for the storage areas, the technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the necessary technological solutions are produced by re-evaluating the risky issues.

(ii) Administrative Measures to Keep Personal Data in Secure Environments
The main administrative measures taken by our company to store personal data in secure environments are listed below:

Employees are trained to ensure that personal data is stored securely.
In the event that an external service is received by our company due to technical requirements regarding the storage of personal data, the contracts concluded with the relevant companies to which the personal data is transferred in accordance with the law; Provisions are included that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with in their own organizations.
10.4. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
Our company operates the system that ensures that the personal data processed in accordance with Article 12 of the KVK Law is obtained by others illegally, and this situation is reported to the relevant personal data owner and the KVK Board as soon as possible.

11. BUILDING, FACILITY ENTRANCES AND MONITORING ACTIVITY WITH THE CAMERA CONDUCTED IN THE BUILDING FACILITY
Personal data processing activities carried out by our company at the entrances and inside the facility are carried out in accordance with the Constitution, Law No. 5188 on Private Security Services, KVK Law No. 6698 and other relevant legislation. In order to ensure security, our company carries out personal data processing activities for monitoring the entrance and exit of guests with security cameras in our company’s buildings and facilities.

Personal data processing is carried out by our Company by using security cameras and recording guest entries and exits. In this context, our Company acts in accordance with the Constitution, KVK Law and other relevant legislation.

Our company, within the scope of monitoring with security cameras; To increase the quality of the service provided, to ensure its reliability, to ensure the safety of the company, its customers and other persons, to prevent and detect the crime of third parties in the company, to monitor the compliance of the worker with occupational health and safety measures, to monitor the worker’s use of workplace tools and equipment in accordance with the rules, and to aims to protect their interests.

Legal Basis for Surveillance Activity

The camera monitoring activity carried out by our company is carried out in accordance with the Law No. 5188 on Private Security Services and the relevant legislation.

Carrying out Surveillance Activities with Security Cameras According to KVK Law

Our company acts in accordance with the regulations in the KVK Law in the execution of camera surveillance for security purposes. Our company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes stipulated in the laws and in accordance with the personal data processing conditions listed in the KVK Law.

Announcement of Monitoring Activity with Camera

Our company informs the personal data owner in accordance with Article 10 of the KVK Law. Thus, it is aimed to prevent harming the fundamental rights and freedoms of the personal data owner, and to ensure transparency and enlightenment of the personal data owner.

For the camera monitoring activity by our company; This Policy is published on our company’s website (online policy regulation) and a notification letter stating that monitoring will be carried out is posted at the entrances of the areas where monitoring is performed (on-site lighting).

Purpose and Purpose of Surveillance with Cameras

The purpose of maintaining the video camera monitoring activity by our company is limited to the purposes listed in this Policy. In this direction, the monitoring areas, the number of security cameras and when they will be monitored are implemented in a limited manner and sufficient to achieve the security purpose. The privacy of the person is not subject to monitoring in areas that may result in interference beyond security purposes.

Security and Retention Period of Personal Data Obtained by Camera Monitoring Activity

In accordance with Article 12 of the KVK Law, our company takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.

The storage period of personal data obtained through camera monitoring is 30 days as per the industry custom, unless there is a special situation requiring further storage, and the data is deleted at the first periodic destruction period at the end of the storage period.

Only a limited number of MASACHI employees have access to the records recorded and maintained in the digital environment.

12. STORAGE OF RECORDS REGARDING THE INTERNET ACCESS PROVIDED TO OUR VISITORS IN THE BUILDINGS AND FACILITIES
To ensure security by our company and for the purposes specified in this Policy; Internet access can be provided by our Company to our Visitors who request it during their stay in our Buildings and Facilities. In this case, the log records of your internet access are recorded in accordance with the Law No. 5651 on the Regulation of Broadcasts Made on the Internet and Combating Crimes Committed Through These Broadcasts and the prevailing provisions of the legislation regulated in accordance with this Law; These records are only processed when requested by authorized public institutions and organizations or in order to fulfill our legal obligations in the audit processes to be carried out within the Company.
Only a limited number of employees and the information system department that we receive support from have access to the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations, and share them with legally authorized persons.

13. RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS
Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVK Law in order to evaluate the rights of the personal data owners and to provide the necessary information to the personal data owners.

If personal data owners submit their requests regarding their rights listed below in writing to our company, our company concludes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. Personal data owners;

Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing are eliminated, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
It has the right to demand the compensation of the damage in case of loss due to the unlawful processing of personal data.

13.1. Circumstances in which the Personal Data Owner cannot assert his rights
Personal data owners cannot claim the rights of personal data owners listed in 10.1.1. in these matters, as the following cases are excluded from the scope of the KVK Law in accordance with Article 28 of the KVK Law:

Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to article 28/2 of the KVK Law; In the cases listed below, personal data owners cannot claim their other rights listed in 10.1.1., except for the right to demand the compensation of the damage:

The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the personal data owner.
Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority granted by the law.
The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

13.2. Exercise of Personal Data Owner’s Rights
In order to exercise your above-mentioned rights, fill in the Related Person Application Form at www.masachi.com and submit your written request to “HOSAB 11. Cad. No:1 Nilüfer/BURSA” with wet signature, or to our registered e-mail address kvkk@masachi.com with secure electronic signature, mobile signature or ARTOFİS MOBİLYA SAN. VE TİC. A.Ş (MASACHİ) by using the e-mail address previously notified and registered in the data controller’s system. Applications should be made in Turkish.

In the applications, the name, surname and signature if the application is written, for the citizens of the Republic of Turkey, T.C. identification number, nationality for foreigners, passport number/identity number, place of residence or workplace address for notification, e-mail address for notification, telephone or fax number, and subject of request, if any.

In the application containing your explanations regarding the right you have as the personal data owner and you will make and request to use the above-mentioned rights; The subject you request must be clear and understandable, the subject you request is related to yourself or if you are acting on behalf of someone else, you must be specifically authorized in this regard and document your authority, the application must contain your identity and address information, and documents confirming your identity must be attached to the application.

In this context, your applications will be finalized by our Company in the capacity of Data Controller as soon as possible and within 30 days at the latest. If the application of the person concerned is to be answered in writing, up to ten pages will not be charged. A transaction fee of 1 TL may be charged for each page over ten pages. If the response to the application is given in a recording medium such as CD or flash memory, ARTOFİS MOBİLYA SAN. VE TİC. A.Ş (MASACHİ) cannot exceed the cost of the recording medium.