1. INTRODUCTION
With the amendment made to Article 20 of the Constitution by Law No. 5982 in 2010, everyone’s right to request the protection of personal data relating to them was placed under constitutional guarantee. Within the scope of harmonization with European Union criteria, the Personal Data Protection Law No. 6698 (PDPL/KVKK) entered into force on 07.04.2016. The PDPL largely parallels the EU Directive 95/46/EC and ensures the protection of individuals’ personal data under a comprehensive framework.
While legal entities’ data is protected under current legislation, the PDPL regulates personal data protection for natural persons. Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş. (“Omega”) places utmost importance on the security of personal data, in keeping with the principles of quality, transparency and integrity in the services it provides. This Policy is implemented in line with the PDPL and secondary regulations, decisions of the Personal Data Protection Board, and sectoral legislation.
2. PURPOSE AND SCOPE
2.1
The Policy aims to ensure the effective implementation of the arrangements required for PDPL compliance within Omega, based on fundamental principles.
2.2
In line with this Policy, all administrative and technical measures are taken regarding the processing and protection of personal data; necessary internal procedures are established, awareness trainings are provided, and control mechanisms are set up.
2.3
The Policy sets out the obligations of Omega to ensure compliance with the PDPL and the fundamental principles to be observed in all processes. Measures and audits applicable to employees and business partners are also included herein.
2.4
In the event of non-compliance with the Policy or relevant legislation, in addition to criminal and legal liabilities arising from law, disciplinary sanctions may be applied within Omega depending on the nature of the incident.
3. DEFINITIONS
3.1 Explicit Consent
Consent that is informed, given freely, and specific to a particular subject.
3.2 Anonymization
Rendering personal data impossible to associate with an identified or identifiable person, even by matching with other data.
3.3 Data Subject
The natural person whose personal data is processed (customer, employee, candidate, supplier employee, visitor, website visitor, etc.).
3.4 Personal Data
Any information relating to an identified or identifiable natural person (name-surname, national ID no., contact, address, resume, visit records, IP, visual/audio records, etc.).
3.5 Processing of Personal Data
Any operation performed on data such as collection, recording, storage, preservation, alteration, disclosure, transfer, acquisition, classification, blocking of use, deletion, destruction or anonymization.
3.6 Special Categories of Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect, dress, association/foundation/trade-union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
3.7 Data Processor
A natural or legal person who processes personal data on behalf of the data controller based on the authorization given by the controller.
3.8 Data Controller
The natural or legal person who determines the purposes and means of processing and is responsible for establishing and managing the data recording system. Under this Policy, the data controller is Omega.
4. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES
4.1
Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş., in its capacity as Data Controller, is responsible for implementing this Policy across all internal operations and processes.
4.2
Within Omega, the PDMS (Personal Data Management System) Representative is authorized and responsible—supported by the Legal Counsel and internal audit unit—for implementing the regulations, procedures, guidelines, standards and training activities prepared under this Policy.
4.3
All employees, business partners, guests and relevant third parties within Omega must cooperate with the PDMS Representative in preventing legal liabilities, risks and threats that may arise under the legislation concerning compliance with the Policy.
4.4
All departments and bodies of Omega, together with all personnel, are obliged to act in accordance with the Policy and to ensure compliance with its provisions.
4.5
This Policy will be uploaded to common information systems within Omega to be accessible at all times, and will also be published on Omega’s website. Any changes to the Policy will be reflected in the information system and on the website so that both remain up to date, ensuring that data subjects can access and be informed of the provisions. The PDMS Representative will manage the announcement of the Policy and subsequent changes.
4.6
In case of conflict between this Policy and applicable legislation, Omega, as Data Controller, accepts that legislative provisions shall prevail. Should such a conflict arise, the PDMS Representative is responsible for managing the process of updating the Policy in line with the legislation.
5. PRINCIPLES FOR PROCESSING PERSONAL DATA
5.1 General Principles
Omega processes personal data within the scope of this Policy in accordance with the principles set out in Article 4 of the PDPL.
5.1.1 Lawfulness and Fairness
As Data Controller and a prudent merchant, Omega undertakes to conduct personal data processing activities lawfully and in good faith as stipulated by Article 2 of the Civil Code and applicable legislation.
5.1.2 Accuracy and Up-to-dateness
Omega takes all measures, to the extent allowed by technology, to ensure that personal data is accurate and up to date during processing. Based on requests notified by the data subject to Omega and/or when deemed necessary by Omega, administrative and technical mechanisms will be operated to correct inaccurate or outdated personal data and verify its accuracy.
5.1.3 Processing for Specific, Explicit and Legitimate Purposes
Personal data is processed by Omega lawfully, limited to the services provided or to be provided and in line with legal requirements. The purpose of processing is determined clearly and explicitly before processing begins.
5.1.4 Being Relevant, Limited and Proportionate to the Purpose
Personal data is processed in connection with, limited to, and as necessary for the achievement of the stated purposes. Processing of personal data that is not related to the purpose or not needed is avoided as a basic principle.
5.1.5 Retention for the Necessary Period
Personal data is retained for the period stipulated by the legislation or required by the purpose of processing. At the end of such period, personal data is deleted, destroyed or anonymized by Omega. Administrative and technical measures are taken to ensure deletion at the end of the required period.
6. CONDITIONS FOR PROCESSING PERSONAL DATA
Article 5 of the PDPL regulates the conditions for processing personal data. Omega carries out personal data processing in accordance with the conditions set out below.
6.1 Presence of Explicit Consent of the Data Subject
The main rule is to obtain the explicit consent of the data subject for processing. Omega processes personal data for the transactions covered by consent, provided that the data subject is duly informed as required by the PDPL and gives clear consent regarding the purpose of processing.
6.2 Processing Due to Legal Requirements
Even without explicit consent, where processing of personal data is mandatory under applicable legislation, processing will be deemed lawful provided other necessary criteria are met.
6.3 Protection of Life or Physical Integrity
Where processing is mandatory to protect the life or physical integrity of the data subject or another person in cases where the data subject is unable to express consent or where consent is not legally valid.
6.4 Establishment/Performance of a Contract
Processing necessary for transactions directly related to the conclusion or performance of a contract.
6.5 Legal Obligation
Processing necessary for the data controller to fulfill its legal obligations.
6.6 Publicized by the Data Subject
Processing limited to the purpose for which the personal data has been made public by the data subject.
6.7 Establishment, Exercise or Protection of a Right
Processing mandatory for the establishment, exercise or protection of a right.
6.8 Legitimate Interest
Processing necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
7. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
7.1 Explicit Consent
As a rule, special categories of personal data are processed with explicit consent.
7.2 Cases Where Processing Without Consent Is Possible
In cases prescribed by law and subject to adequate security measures.
7.3 Health and Sexual Life Data
Processed for purposes of public health, diagnosis, treatment and financing by persons under confidentiality obligation.
7.4 Measures to Be Taken
Security measures determined by the Board are implemented; the PDMS team is responsible within the company.
8. TRANSFER OF PERSONAL DATA
8.1 Within Turkey
With explicit consent or under the conditions of Article 5/2 of the PDPL; for special categories of personal data, Article 6 and Board-mandated measures apply.
8.2 Abroad
With explicit consent or with appropriate safeguards plus safe country/authorization processes.
9. DELETION, DESTRUCTION, ANONYMIZATION
When the purpose ends and/or the retention period expires, operations are carried out in accordance with legislation and recorded.
10. OBLIGATIONS OF THE DATA CONTROLLER
10.1 Obligation to Inform
Notifications to data subjects pursuant to Article 10 of the PDPL.
10.2 Security of Personal Data
10.2.1 Preventing Unlawful Processing
- Data inventory, access authorizations, logging, encryption, backup, security software, penetration tests.
- Trainings, procedures, confidentiality obligations, supplier agreements.
10.2.2 Preventing Unlawful Access
- Authorization, authentication, network/endpoint security, TLS/VPN, device restrictions, incident response plans.
10.2.3 Auditing of Measures
Periodic audits; corrective/preventive actions for nonconformities.
11. RIGHTS OF THE DATA SUBJECT AND APPLICATION PROCEDURE
12. EFFECTIVE DATE AND UPDATES
This Policy enters into force on the date approved by OMEGA NONWOVEN Management. The PDMS Representative will carry out the necessary work regarding amendments to this Policy and their implementation; updates will come into force upon the approval of the General Manager of Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş.
Omega Nonwoven – Management