The protection of personal data is among the highest priorities of Dekor Rulo Fırça Sanayi ve Ticaret Limited Şirketi (“Company”), and maximum effort is made to comply with all applicable legislation, especially the Law on the Protection of Personal Data No. 6698 (“Law”). Within the framework of this Personal Data Protection and Processing Policy (“Policy”), the Company explains the basic principles it has adopted regarding personal data processing activities, thereby informing personal data subjects and ensuring the necessary transparency. With full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.
This Policy relates to all personal data of natural persons processed by the Company by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. Detailed information regarding the personal data subjects in question can be accessed from the ANNEX 1 ("ANNEX 1 - Personal Data Subjects") document of this Policy.
The relevant legal regulations in force regarding the processing and protection of personal data will primarily find application. In case of any inconsistency between the legislation in force and the Policy, it is accepted that the legislation in force will apply. This Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of the Company's practices.
In accordance with Article 12 of the Law, the Company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer, or other security deficiencies that may occur in personal data. In this context, administrative and technical measures are taken, and audits are conducted or commissioned to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board (“Board”).
Special importance is attached by the Law to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data are data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics.
The Company acts sensitively in the protection of special categories of personal data, which are determined as "special categories" by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented in terms of special categories of personal data, and necessary audits are provided within the Company.
Necessary trainings are organized within the Company to increase awareness towards preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the preservation of personal data.
Necessary actions are taken to create awareness among Company employees regarding the protection of personal data, and consultants are worked with if needed. In this direction, the Company evaluates the participation in relevant trainings, seminars, and information sessions, and updates and renews its trainings in parallel with the updates in the relevant legislation.
3.1.1. Processing in Conformity with the Law and Good Faith
The Company acts in accordance with the principles introduced by legal regulations and the rule of good faith in the processing of personal data. In this framework, personal data is processed to the extent required by the Company's business activities and limited to them.
3.1.2. Ensuring Personal Data is Accurate and Up-to-Date Where Necessary
The Company takes necessary precautions to ensure that personal data is accurate and up-to-date throughout the period it is processed, and establishes necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods.
3.1.3. Processing for Specified, Explicit, and Legitimate Purposes
The Company clearly sets forth the purposes of processing personal data and processes it within the scope of purposes connected with its business activities in line with these activities.
3.1.4. Being Relevant, Limited, and Proportionate to the Purposes for which they are Processed
The Company collects personal data only in the nature and to the extent required by its business activities and processes it limited to the specified purposes.
3.1.5. Retaining for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
The Company retains personal data for the period necessary for the purpose for which they are processed and the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, the Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it complies with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified retention periods, personal data is destroyed in accordance with the periodic destruction periods or the data subject's application and with the determined destruction methods (deletion and/or destruction and/or anonymization).
Except for the explicit consent of the personal data subject, the basis of the personal data processing activity can be only one of the conditions specified below, or more than one condition can be the basis of the same personal data processing activity. In the event that the processed data is special categories of personal data, the conditions included in the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 will apply in addition to the regulations in this Policy.
Presence of Explicit Consent of the Personal Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and expressed with free will.
In the presence of the following personal data processing conditions, personal data may be processed without the need for the explicit consent of the data subject.
In accordance with Article 10 of the Law and secondary legislation, the Company informs personal data subjects. In this context, the Company informs the relevant persons about by whom as the data controller and for what purposes the personal data is processed, for what purposes and with whom it is shared, by what methods it is collected and its legal reason, and the rights the data subjects have within the scope of the processing of their personal data.
The Company may transfer the personal data and special categories of personal data of the personal data subject to third parties (third party companies, official and private authorities, third party natural persons) by taking the necessary security measures in line with lawful personal data processing purposes. The Company acts in accordance with the regulations stipulated in Article 8 of the Law in this direction. Detailed information on this subject can be accessed from the ANNEX 2 ("ANNEX 2 - Third Parties to whom Personal Data is Transferred by the Company and Purposes of Transfer") document of this Policy.
Even without the explicit consent of the personal data subject, if one or more of the conditions specified below exist, personal data may be transferred to third parties by the Company by showing due care and taking all necessary security measures, including the methods prescribed by the Board:
In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") in the presence of any of the above conditions. In the absence of adequate protection, it can be transferred to foreign countries ("Foreign Country where the Data Controller Committing Adequate Protection is Located") where data controllers in Turkey and in the relevant foreign country commit to adequate protection in writing and where the Board's permission exists, in line with the data transfer conditions stipulated in the legislation.
By informing the relevant persons in accordance with Article 10 of the Law and secondary legislation, personal data is processed in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data, limited and based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in line with the Company's personal data processing purposes. Within the framework of the purposes and conditions specified in this Policy, detailed information about the processed personal data categories and categories can be accessed from the ANNEX 3 ("ANNEX 3 - Personal Data Categories") document of the Policy.
Detailed information regarding the processing purposes of the aforementioned personal data is included in ANNEX 4 ("ANNEX 4 - Personal Data Processing Purposes") of the Policy.
The Company retains personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, the Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it complies with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified retention periods, personal data is destroyed in accordance with the periodic destruction periods or the data subject's application and with the determined destruction methods (deletion and/or destruction and/or anonymization). The Company Personal Data Retention and Destruction Policy is applied for the storage and destruction of personal data.
Personal data subjects will be able to submit their requests regarding their rights listed below to our Company via the Application Form available at www.dekor.com using the methods determined by the Board.
Personal data subjects have the following rights:
The Company takes the necessary administrative and technical measures to finalize the applications to be made by the personal data subject in accordance with the Law and secondary legislation.
In case the personal data subject submits their request regarding the rights set out in section 6.1 to our Company in due form, the relevant request will be concluded free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board. In this regard, the Procedure Regarding the Application of the Data Subject to the Data Controller and the Answering of the Application is applied along with the provisions of the Law.
Security camera monitoring and recording activities are carried out by the Company in and around the company in order to ensure security, for the purposes stipulated in the relevant legislation in force, and in accordance with the personal data processing conditions listed in the Law. Similarly, in order to ensure the safety of operations in forklifts and Company vehicles, video recording is made with a camera that records to its internal memory and has no external access.
In accordance with Article 10 of the Law, personal data subjects are informed about the camera monitoring and recording activity. The purpose of the Company in maintaining the video camera monitoring and recording activity is limited to the purposes listed in this Policy. Accordingly, the monitoring and recording areas of security cameras, their number, and when the monitoring will be done are implemented sufficiently to achieve the security purpose and limited to this purpose. Areas where monitoring may result in interference with the person's privacy exceeding security purposes (e.g., toilets) are not subject to monitoring.
Only a limited number of Company employees have access to live camera images and records recorded and stored in digital media. The limited number of people with access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.
7.2.1. Treatment of Health Information as Special Categories of Personal Data
The criminal record and health information of employees are accepted as special categories of personal data. In addition to the regulations regarding special categories of personal data in this Policy, the provisions of the Personal Data Protection Board's Decision dated 31/01/2018 and Numbered 2018/10 (Annex 5 - Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data) shall apply.
7.2.2. Separate Storage of Personal Data Related to the Employee and Employees Authorized to Process these Data
Special categories of personal data related to the employee are stored separately from other personal data in order to protect them from unauthorized access and to provide higher security, as far as Company facilities allow. The Company takes care to process these data in the narrowest possible scope. In cases where the processing of these data is necessary, persons authorized to perform this processing are informed so that they can understand the sensitivity of these data and take the necessary precautions.
7.2.3. Access to Personal Data Belonging to the Employee
Access to personal data related to the employee can only be carried out by Company employee(s) authorized in this regard if necessary. Additionally, health data may be disclosed to managers at the level necessary for them to fulfill their managerial roles.
According to paragraph 5 of Article 12 of the Law, in the event that the processed personal data is obtained by others through illegal means, in other words, in case of a personal data breach, the Company is obliged to notify this situation to the relevant person and the Board as soon as possible.
In order to prevent data breaches, the Company takes all necessary measures by conducting a risk assessment prior to a personal data breach, taking into account all administrative and technical measures specified in the Law, KVKK sub-regulations, and this policy. In the event of a personal data breach, the Company conducts a preliminary assessment regarding the breach and carries out prevention and recovery efforts to mitigate the effects of the breach as a result of the risk assessment. Within the framework of the efforts carried out, it notifies the Board without delay and within 72 hours at the latest.
The Data Breach Notification Procedure finds application before and after a personal data breach.
This Policy is disclosed to the public on the website. A printed paper copy is also kept at the Company.
The Company reserves the right to make changes to this Personal Data Processing and Protection Policy in line with the amendments made in the Law, Board decisions, developments in the sector or in the field of informatics. Changes made in this Policy are immediately processed into the text, and explanations regarding the changes are explained at the end of the policy.
This Policy is approved by the legal representative of the Company. It enters into force by being announced to all employees and, as of its effective date, will be binding for all business units, consultants, external service providers, and anyone processing personal data.
Tracking whether employees fulfill the requirements of the policy will be the responsibility of the employer. When a behavior contrary to the policy is detected, if the contradiction is significant, the contact person will be informed without losing time. Necessary administrative action will be taken about the employee acting contrary to the policy after the evaluation to be made by the employer.
| Personal Data Subject Category | Description |
|---|---|
| Employee | Real person working in the Company with a contract |
| Employee Candidate | Candidate real person who will work in the Company with a contract |
| Shareholder | Real person who owns Company shares |
| Supplier | Real persons who are shareholders, officials, and employees of institutions and organizations providing all kinds of goods and services within the framework of their activities with the Company |
| Person Receiving Products or Services | Real persons whose personal data are obtained within the scope of the goods and services offered by the Company, regardless of whether there is any contractual relationship with the Company, and employees or officials of legal entity customers |
| Potential Product or Service Buyer | Real persons whose personal data are obtained to offer them proposals within the scope of the goods and services offered by the Company, and employees or officials of legal entity customers |
| Intern | Real person doing an internship at the Company |
| Visitor | Real persons who have entered the physical premises owned by the Company for various purposes and real persons who visit the website |
| Other | Banker, Endorser, Doctor, etc., other 3rd party real persons |
The Company may transfer the personal data of the data subjects managed by this Policy in accordance with Articles 8 and 9 of the Law to natural persons or private law legal entities and authorized public institutions and organizations within the scope and purposes specified below.
| Persons to Whom Data May Be Transferred | Definition | Purpose of Data Transfer |
|---|---|---|
| Natural persons or private law legal entities | Parties that provide goods and services to the Company on a contractual basis while conducting its commercial activities. | Limited to the purpose of providing goods and services as an outsourced resource and to conduct commercial activities |
| Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the Company according to the provisions of the relevant legislation. | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority |
| Personal Data Category | Description |
|---|---|
| Identity | Information such as name-surname, T.R. identity/tax identification number, nationality, place of birth, date of birth, gender, marital status, workplace information, SSI/Institution registration number, and information on documents such as driver's license, identity card, and passport. |
| Contact | Information such as phone number, address, e-mail address, fax number, etc. |
| Physical Space Security | Camera recording. |
| Customer Transaction | Invoice, promissory note, check, receipt information. |
| Finance | Bank account information, IBAN number, income information, bank account movements, credit card information, etc. |
| Audio-Visual Records | Photograph |
| Personnel | Start date of employment, leave start-end dates, payroll, minutes regarding the personnel file, etc. |
| Legal Action | Signature, signature circular, power of attorney information, court and administrative authority decisions, etc. |
| Transaction Security | IP address, web visitor cookie information |
| Professional Experience | Education and profession information. |
| Special Categories of Personal Data | Religion information, health information, biometric photograph, criminal conviction, and security measures information. |
| Other Information | Signature |
| Personal Data Processing Purposes |
|---|
| Execution of emergency management processes |
| Execution of application processes of employee candidates |
| Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees |
| Execution of Fringe Benefits and Interests Processes for Employees |
| Execution of training activities |
| Execution of Activities in Compliance with Legislation |
| Execution of Finance and Accounting Affairs |
| Ensuring Physical Space Security |
| Execution of assignment processes |
| Follow-up and Execution of Legal Affairs |
| Execution of communication activities |
| Execution/Supervision of Business Activities |
| Execution of occupational health/safety activities |
| Execution of Logistics Activities |
| Execution of Goods/Services Purchasing Processes |
| Execution of Goods/Services Sales Processes |
| Execution of Storage and Archive Activities |
| Execution of Contract Processes |
| Ensuring the security of data controller operations |
| Informing Authorized Persons/Institutions and Organizations |
| Creation and tracking of visitor records |
Decision Date : 31/01/2018
Decision No : 2018/10
Summary of Topic : Discussion of "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data".
It has been unanimously decided to accept and publish the "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" prepared within the scope of paragraph (4) of Article 6 and subparagraph (ç) of paragraph (1) of Article 22 of the Law, as attached, in the Official Gazette.
Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data
Paragraph (4) of Article 6 of the Law on the Protection of Personal Data No. 6698 (Law) states, "Adequate measures determined by the Board must also be taken when processing special categories of personal data."
Within this framework, pursuant to subparagraphs (ç) and (e) of paragraph (1) of Article 22 of the Law, adequate measures to be taken by data controllers processing special categories of personal data have been determined by the Personal Data Protection Board as follows:
This Personal Data Retention and Destruction Policy ("Policy") has been prepared to determine the procedures and principles to be applied by the Company regarding the retention, deletion, destruction, or anonymization of personal data that we hold in our capacity as data controller as Dekor Rulo Fırça Sanayi ve Ticaret Limited Şirketi ("Company"), in accordance with the Law on the Protection of Personal Data No. 6698 and other legislation.
In this context, the personal data of our employees, employee candidates, customers, and all natural persons whose personal data is held by the Company for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy.
The contact person determined by the Company is authorized and tasked with carrying out/having carried out the necessary procedures for the processing, retention, and destruction of the data of the relevant persons in accordance with the law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Destruction Policy, and to supervise the processes. In this context, the job description is as follows.
Table 1: Distribution of duties for retention and destruction processes
| Title | Job Description |
|---|---|
| Contact Person | Responsible for directing all kinds of planning, analysis, research, risk determination activities in the projects carried out in the process of compliance with the Law; managing the processes that need to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Destruction Policy, examining and evaluating the applications of the relevant persons, carrying out the retention and destruction processes and auditing them, and reporting all business and transactions to the Company management when necessary. In addition, the Contact Person takes an active role in ensuring that the technical and administrative measures taken are properly implemented by the Company employees, increasing the training and awareness of the department employees, monitoring and continuous auditing, and taking technical and administrative measures to ensure data security in all environments where personal data is processed to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the lawful retention of personal data. |
Personal data is securely retained by the Company in a lawful manner in the environments listed in Table 2.
Table 2: Personal data retention environments
| Electronic Environments | Non-Electronic Environments |
|---|---|
|
|
Personal data of third parties such as employees, employee candidates, customers, visitors, and those involved as service providers, and employees of companies and institutions are retained and destroyed by the Company in accordance with the Law.
The Company acts within the framework of the following principles regarding the retention and destruction of personal data.
Personal data belonging to the relevant persons are retained by the Company especially for (i) maintaining the Company's activities, (ii) fulfilling legal obligations, (iii) planning and executing employee rights and fringe benefits within the limits specified in the Law and other relevant legislation.
The reasons requiring retention are as follows:
Personal data held within the Company are retained for the period stipulated in the relevant legislation for the purposes and reasons specified herein, in accordance with the Law and the Company's Personal Data Processing and Protection Policy (The relevant policy can be accessed on the website).
Personal data;
In these cases, they are ex officio or upon the request of the relevant person, deleted, destroyed, or anonymized by the Company as of the date of acceptance of the relevant person's request in the event that the explicit consent is withdrawn.
The following criteria respectively are used in determining the retention and destruction periods of personal data obtained by the Company in accordance with the Law and other relevant legislative provisions.
The retention and destruction periods determined by the Company are provided in the table below.
Table 3: Retention and destruction periods
| Process | Retention Period | Destruction Period |
|---|---|---|
| Data retained under the Labor Law | 10 years following the termination of the employment relationship | In the first periodic destruction period following the end of the retention period |
| Data retained under the Turkish Commercial Code | 10 years from the year following the date of the relevant document | In the first periodic destruction period following the end of the retention period |
| Data kept under SSI legislation | 10 years following the termination of the employment relationship | In the first periodic destruction period following the end of the retention period |
| Documents that can be used in a claim/lawsuit regarding a work accident/occupational disease | 10 years following the termination of the employment relationship | In the first periodic destruction period following the end of the retention period |
| Documents that can be used in a claim/lawsuit regarding a work accident/occupational disease | 10 years following the termination of the employment relationship | In the first periodic destruction period following the end of the retention period |
| Data collected in accordance with other relevant legislation | For the period stipulated in the relevant legislation | In the first periodic destruction period following the end of the retention period |
| If the relevant personal data is the subject of a crime within the scope of the Turkish Penal Code or other legislation imposing a penal provision | For the statute of limitations for filing a lawsuit | In the first periodic destruction period following the end of the retention period |
If the Company's purpose for using the relevant personal data has not ended, if the retention period foreseen for the relevant personal data pursuant to the relevant legislation is longer than the periods in the table, or if the statute of limitations for filing a lawsuit regarding the relevant issue requires the personal data to be retained longer than the periods in the table, the periods in the table above may not be applied. In this case, whichever of the purpose of use, special legislation, or litigation statute of limitations period ends later, that period will find application.
In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, the periodic destruction process is carried out before the Company until the last day of January and July every year.
Personal data whose retention period has expired is deleted, destroyed, or anonymized in accordance with the procedures outlined in this Policy, at intervals determined within the framework of the destruction periods in the table above. All transactions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least 3 (three) years, excluding other legal obligations.
The relevant person can apply to our Company and request the deletion or destruction of their personal data. When requested, the relevant person's;
In all cases, responses regarding the acceptance, partial acceptance, or rejection decisions of the request are notified to the relevant person in writing or electronically within thirty (30) days at the latest.
All administrative and technical measures taken by the Company within the framework of the principles in Article 12 of the Law for the purpose of securely retaining personal data, preventing unlawful processing and access, and destroying data in accordance with the law are listed below.
Within the scope of administrative measures, the Company;
Within the scope of technical measures, the Company;
The deletion, destruction, and anonymization techniques used by the Company are detailed in the table below:
Table 4: Deletion Methods
| Environment | Method and Explanation |
|---|---|
| Deletion Methods for Personal Data Held in Printed Form | Blacking out: Personal data in printed media is deleted using the blacking out method. The blacking out process is carried out by cutting out the personal data on the relevant document where possible, and where not possible, by making it invisible using indelible ink so that it is irreversible and unreadable with technological solutions. |
| Deletion Methods for Personal Data Held in Cloud or Local Digital Environments | Secure deletion from software: Personal data kept in cloud environments or local digital environments are deleted with a digital command so that they can never be recovered again. Data deleted in this way cannot be accessed again. |
Table 5: Destruction Methods
| Environment | Method and Explanation |
|---|---|
| Destruction Methods for Personal Data Held in Printed Form | Physical destruction: Documents kept in printed form are destroyed with paper shredders in a way that they cannot be put back together again. |
| Destruction Methods for Personal Data Held in Local Digital Environments |
Physical destruction: This is the process of physically destroying optical and magnetic media containing personal data by melting, burning, or pulverizing them. Data is rendered inaccessible by processes such as melting, burning, pulverizing optical or magnetic media, or passing it through a metal grinder. Degaussing (demagnetizing): This is the process of irretrievably corrupting the data on the magnetic media by exposing it to a high magnetic field. Overwriting: It prevents the reading and recovery of old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media. |
| Destruction Methods for Personal Data Held in Cloud Environments | Secure deletion from software: Personal data kept in cloud environments are deleted with a digital command so that they can never be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys required to make the personal data usable are destroyed. Data deleted in this way cannot be accessed again. |
Table 6: Anonymization Methods
| Method | Description |
|---|---|
| Removing variables | It is the removal of one or more of the direct identifiers that are included in the personal data belonging to the relevant person and that would serve to identify the relevant person in any way. This method can be used to anonymize personal data, or it can be used to delete this information if there is information within the personal data that does not conform to the data processing purpose. |
| Regional masking | It is the process of deleting information that could be distinctive regarding the data that is an exception in the data table where personal data is collectively anonymized. |
| Generalization | It is the process of bringing together the personal data of many people and removing distinctive information to turn it into statistical data. |
| Lower and upper limit coding / Global coding | For a particular variable, ranges belonging to that variable are defined and categorized. If the variable does not contain a numerical value, then data close to each other within the variable are categorized. Values that remain within the same category are combined. |
| Micro aggregation | With this method, all records in the data set are first arranged in a meaningful order, and then the entire set is divided into a certain number of subsets. Then, by taking the average of the value of the designated variable for each subset, the value of that variable for the subset is replaced with the average value. In this way, since indirect identifiers within the data will have been corrupted, it becomes difficult to associate the data with the relevant person. |
| Data mixing and perturbation | Direct or indirect identifiers within personal data are mixed with other values or corrupted, their relationship with the relevant person is severed, and they are caused to lose their identifying characteristics. |
This Policy is published in two different media: wet signed (printed paper) and electronic, and is disclosed to the public on the www.dekor.com website. A printed paper copy is also kept at the Company.
The Company reserves the right to make changes to this Personal Data Retention and Destruction Policy in line with the amendments made in the Law, Board decisions, developments in the sector or in the field of informatics. Changes made in this Policy are immediately processed into the text, and explanations regarding the changes are explained at the end of the policy.
This Policy is approved by the legal representative of the Company.
This Policy is approved by the legal representative of the Company. It enters into force by being announced to all employees and, as of its effective date, will be binding for all business units, consultants, external service providers, and anyone processing personal data.
Tracking whether employees fulfill the requirements of the policy will be the responsibility of the employer. When a behavior contrary to the policy is detected, if the contradiction is significant, the contact person will be informed without losing time. Necessary administrative action will be taken about the employee acting contrary to the policy after the evaluation to be made by the employer.
You can forward your requests within the scope of your rights specified in Article 11 of the Personal Data Protection Law No. 6698, which you can access from the Clarification Text on our website, to our company by completely filling out the Application Form also available on our website and using one of the methods described below.
| APPLICATION METHOD | ADDRESS | DESCRIPTION |
|---|---|---|
| In-Person Application (The applicant applies in person with an identity-verifying document) or Notification via Notary Public |
Yanyol Cad. No:42 Kaynarca – Pendik / İSTANBUL |
"Information Request under the Personal Data Protection Law" will be written on the envelope/notification. |
| Application via Electronic Mail | info@dekor.com | "Information Request under the Personal Data Protection Law" will be written in the subject line of the e-mail. |
Pursuant to paragraph 2 of Article 13 of the Law, your applications submitted to us will be answered as soon as possible and within 30 (thirty) days at the latest from the date your request reaches us, depending on the nature of the request. Our responses will be delivered to you in writing or electronically in accordance with the provision of Article 13 of the relevant Law.
© 2026 DEKOR RULO FIRÇA SANAYİ VE TİCARET LİMİTED ŞİRKETİ. ALL RIGHTS RESERVED