Personal Data Protection (KVKK) Policy
This policy explains how Aslora collects, uses, and protects your personal data in accordance with Turkish data protection law (KVKK).
The Turkish version of this policy is legally binding.
1. Purpose and Scope
The protection of personal data and ensuring privacy is adopted as a core corporate value by ASLORA TEKSTİL TİCARET LİMİTED ŞİRKETİ (hereinafter referred to as “ASLORA TEKSTİL” or the “Company”). Within the scope of its activities, the Company exercises utmost care and diligence in processing and protecting personal data belonging to real persons in accordance with applicable legal regulations and universal legal principles. The Company processes and protects personal data in its capacity as a data controller within the scope of this Personal Data Processing and Protection Policy (“Policy” or “KVK Policy”).
This KVK Policy relates to the personal data of data subjects, excluding our employees, processed by our Company as a Data Controller, whether fully or partially through automated means or by non-automated means provided that such processing is part of a data recording system. This Policy sets out how the principles and rules established under the applicable legislation are implemented within the Company’s personal data protection processes. While this Policy outlines the Company’s general approach and processes regarding the processing and protection of personal data, the obligation to inform under Article 10 of the KVK Law is fulfilled through specific privacy notices presented to data subjects based on the relevant process.
In the processing and protection of personal data, the applicable legislation, secondary regulations, and universal legal principles in force shall primarily apply. In the event of any inconsistency between this KVK Policy and the applicable legislation, the provisions of the applicable legislation shall prevail.
We may update this Policy from time to time; therefore, please ensure that you access the most current version of the Policy when using our services.
2. Definitions
“Explicit Consent”
Consent that is freely given, specific to a particular subject, and based on being informed.
“Obligation to Inform”
The Company’s obligation to provide information to Data Subjects, at the time personal data is obtained, in accordance with Article 10 of the KVK Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilment of the Obligation to Inform.
“Data Subject”, “Data Owner”
Natural persons whose personal data is processed by the Company or by persons/entities authorized by the Company.
“Destruction”
The deletion, destruction, or anonymization of personal data.
“Personal Data”
Any information relating to an identified or identifiable natural person.
“Anonymization of Personal Data”
The process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.
“Processing of Personal Data”
Any operation performed on personal data, whether fully or partially automated or by non-automated means as part of a data recording system, including collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use of such data.
“Deletion of Personal Data”
The process of rendering personal data inaccessible and unusable in any way for the relevant users.
“Destruction of Personal Data”
The process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way.
“Board”
Personal Data Protection Board.
“Authority”
Personal Data Protection Authority.
“Law”, “KVK Law”
The Law on the Protection of Personal Data No. 6698.
“KVK Policy”
The Personal Data Protection and Processing Policy adopted by the Company.
“Special Categories of Personal Data”
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
“Company”
ASLORA TEKSTİL TİCARET LİMİTED ŞİRKETİ.
“VERBIS”, “Registry”
The Data Controllers’ Registry Information System maintained by the Personal Data Protection Authority.
“Data Processor”
A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
“Data Controller”
A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
3. General Principles of Personal Data Processing
The Company complies with the “General Principles” set out in Article 4 of the KVK Law when processing personal data.
3.1 Processing in Compliance with Law and Good Faith
The Company manages its personal data processing activities in accordance with applicable legal regulations, universal legal principles, and the principle of good faith. In order to ensure transparency, the Company provides necessary information to Data Subjects and takes into account their interests and reasonable expectations. Within this scope, the Company prevents outcomes that the Data Subject would not expect and would not reasonably be expected to foresee.
3.2 Ensuring Data is Accurate and Up-to-Date
As a rule, personal data is processed based on the declarations of Data Subjects and is assumed to be accurate as declared. The Company takes reasonable care and diligence to ensure that personal data within its organization is accurate and up-to-date and does not contain incorrect information. Where changes to personal data are communicated by the Data Subject, the Company establishes the necessary administrative and technical mechanisms to update such data in its systems.
3.3 Processing for Specific, Explicit and Legitimate Purposes
The Company determines its data processing purposes clearly and explicitly before initiating any processing activity, ensuring that such purposes are legitimate and lawful. Personal data is processed only in connection with the Company’s products and services and to the extent necessary for those purposes.
3.4 Being Relevant, Limited and Proportionate
Personal data is processed in a manner that is relevant, limited, and proportionate to the purposes determined by the Company and communicated to the Data Subject. The Company ensures that a reasonable balance is maintained between the intended purpose of processing and the data processing activity itself, limiting processing to what is necessary to achieve the intended purpose.
3.5 Retention for the Required Period
The Company retains personal data for the period stipulated under applicable legislation or for the period required for the purpose for which the data is processed. Once the retention period expires or the purpose of processing no longer exists, personal data is deleted, destroyed, or anonymized. As the Data Controller, the Company has determined retention periods, destruction cycles, and the technical and administrative measures to be applied in the retention of personal data within its Personal Data Retention and Destruction Policy and is aware of its obligation to ensure that personal data is retained in accordance with these principles.
These principles apply regardless of whether personal data is processed based on explicit consent or other legal grounds for processing. In this context, the Company processes personal data in compliance with both the applicable processing conditions and the general principles, while also fulfilling its obligation to inform Data Subjects.
4. Information on the Processing of Personal Data
The Company has defined, in a structured and updatable manner, the categories of personal data it processes, the groups of Data Subjects whose data is processed, the purposes of processing, the legal grounds for processing, the methods of data collection, the recipient groups to whom personal data is transferred, the retention periods and destruction processes applicable to personal data whose retention period has expired, as well as the technical and administrative measures implemented to ensure the security of personal data.
All such information is summarized, regularly updated, and made publicly available through the Data Controllers’ Registry Information System (VERBIS) on the official website of the Personal Data Protection Authority (verbis.kvkk.gov.tr), and is maintained up to date on the relevant platform.
4.1 Categories of Personal Data
The Company has categorized the personal data it processes in order to ensure compliance with legal requirements and to effectively manage its personal data processing and protection processes.
All personal data categories are primarily grouped under two main categories: “Personal Data” and “Special Categories of Personal Data.”
The personal data categories processed within the Company and their definitions are as follows:
Identity Data
Information such as name and surname, parents’ names, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, Turkish ID number, and signature.
Contact Data
Information such as address, email address, contact address, registered electronic mail (KEP) address, and phone number.
Employee Data
Information such as payroll records, disciplinary investigations, employment entry and exit records, asset declarations, CV details, and performance evaluation reports.
Legal Transaction Data
Information included in correspondence with judicial authorities and in case files.
Customer Transaction Data
Information such as call center records, invoices, promissory notes, checks, receipt information, order details, and request records.
Physical Space Security Data
Information such as entry and exit records of employees and visitors and camera recordings.
Transaction Security Data
Information such as IP address, website login and logout records, and password and login credentials.
Financial Data
Information such as bank details, IBAN, financial performance data, credit and risk information, and asset-related data.
Professional Experience Data
Information such as diploma details, attended courses, professional training records, certificates, and transcripts.
Marketing Data
Information such as shopping history, survey data, cookie records, and data obtained through campaign activities.
Visual and Audio Data
Information such as photographs, videos, and audio-visual recordings.
Special Categories of Personal Data
Criminal Conviction and Security Measures Data
Information relating to criminal convictions and security measures.
Health Data
Information such as disability status, blood group, personal health data, and information regarding medical devices and prosthetics.
4.2 Data Subject Groups
The groups of Data Subjects whose personal data is processed within the Company and their definitions are publicly disclosed and published on the Data Controllers’ Registry Information System (VERBIS) available on the official website of the Personal Data Protection Authority (verbis.kvkk.gov.tr).
4.3 Purposes of Processing Personal Data
The Company processes personal data in accordance with the “General Principles of Personal Data Processing” set out in Article 4 of the Law, and based on at least one of the legal grounds specified in Articles 5 and 6 of the Law, in a limited and proportionate manner.
In accordance with Article 10 of the Law and the relevant secondary legislation, the Company informs Data Subjects separately, through specific privacy notices, about the categories of personal data processed and the purposes of such processing.
4.4 Legal Grounds for Processing Personal Data
The Company processes personal data based on the explicit consent of the Data Subject or, where applicable, on one or more of the other legal grounds for processing, in accordance with such conditions. If the processed data qualifies as Special Categories of Personal Data, the conditions set out under the section “Processing of Special Categories of Personal Data” of this Policy shall apply.
Explicit Consent of the Data Subject
Where the Data Subject has provided explicit consent that is freely given, specific, and based on being informed, this constitutes a valid legal ground for processing. Explicit consent obtained from the Data Subject is retained by the Company in a verifiable manner for the period required under applicable KVK legislation. Where one or more of the legal grounds listed below exist, personal data may be processed without requiring explicit consent.
Explicitly Provided for by Law
Where the processing of personal data is explicitly stipulated by applicable law, this constitutes a valid legal ground. For example, personal data may be processed in order to fulfil legal obligations under the KVK Law, the Law on Consumer Protection, the Turkish Code of Obligations, the Turkish Commercial Code, the Tax Procedure Law, and other relevant legislation.
Inability to Obtain Consent Due to Impossibility
Where it is not possible to obtain the Data Subject’s consent due to actual impossibility, or where consent cannot be legally validated, and the processing of personal data is necessary to protect the life or physical integrity of the Data Subject or another person, this constitutes a valid legal ground.
Processing is Directly Related to the Establishment or Performance of a Contract
Where the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the Data Subject is a party, this constitutes a valid legal ground.
Compliance with Legal Obligations of the Data Controller
Where the processing of personal data is necessary for the Company to fulfil its legal obligations arising from applicable legislation or contractual requirements, this constitutes a valid legal ground.
Data Made Public by the Data Subject
Where personal data has been made public by the Data Subject, such data may be processed, limited to the purpose for which it was made public.
Processing is Necessary for the Establishment, Exercise or Protection of a Right
Where the processing of personal data is necessary for the establishment, exercise, or protection of a legal right, this constitutes a valid legal ground.
Processing is Necessary for the Legitimate Interests of the Data Controller
Where processing is necessary for the legitimate interests of the Company, provided that such processing does not harm the fundamental rights and freedoms of the Data Subject, this constitutes a valid legal ground.
4.5 Processing of Special Categories of Personal Data
The Company processes Special Categories of Personal Data by complying with the additional measures determined by the Personal Data Protection Board and by implementing all necessary administrative and technical safeguards, provided that at least one of the following legal grounds exists.
Pursuant to Article 6/3 of the KVK Law, the processing of Special Categories of Personal Data is prohibited. However, such data may be processed under the following conditions:
a) The explicit consent of the Data Subject is obtained.
b) It is explicitly provided for by law.
c) It is necessary to protect the life or physical integrity of the Data Subject or another person where the Data Subject is unable to give consent due to actual impossibility or where consent is not legally valid.
d) It relates to personal data that has been made public by the Data Subject, provided that such processing is in line with the purpose of disclosure.
e) It is necessary for the establishment, exercise, or protection of a legal right.
f) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of healthcare services, provided that it is carried out by persons or authorized institutions under a legal obligation of confidentiality.
g) It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
h) It is carried out by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, in accordance with the legislation to which they are subject and their stated objectives, limited to their field of activity, and provided that the data is not disclosed to third parties, and relates only to their current or former members or persons who are in regular contact with such organizations.
4.6 Methods of Collecting Personal Data
The Company collects personal data through physical and electronic channels, in accordance with applicable legal regulations, the purposes set out in this Policy, and the relevant legal grounds for processing.
The channels through which personal data is collected include:
Physical Data Collection
Physical mail
Printed forms
Electronic Data Collection
Email
Website
Software and applications used
IT devices and systems
Corporate social media accounts
Communication platforms
These data collection channels may vary depending on the development and evolution of business processes and technological advancements. In line with the principle of transparency, any such changes will be reflected through updates to this Policy.
4.7 Transfer of Personal Data
The Company transfers personal data and Special Categories of Personal Data to third parties in accordance with Articles 8 and 9 of the KVK Law, based on lawful processing purposes and by implementing all necessary administrative and technical safeguards.
4.7.1 Domestic Transfer
The Company acts in compliance with the law in all data transfer activities. Personal data is transferred to third parties only to the extent required by the service provided. Recipient groups acting as “Data Processors” are appropriately instructed regarding data security through data transfer agreements.
The recipient groups and example purposes of transfer are as follows:
Authorized Public Institutions and Organizations
For the purpose of fulfilling our legal obligations.
Natural Persons or Private Legal Entities
For the purposes of conducting and following legal affairs, obtaining consultancy services, and ensuring compliance with applicable legislation.
Suppliers (Product / Service Providers), Cargo and Logistics Companies
For the purposes of providing products and services, ensuring business continuity, performing contractual obligations, and managing logistics and delivery processes.
Business Partners
For the purposes of managing contractual processes, facilitating the sale of products and services, and ensuring the continuity of commercial activities.
Banks
For the purposes of managing financial and accounting processes.
4.7.2 International Transfer
The Company may transfer personal data abroad only in accordance with Article 9 of the KVK Law and by implementing the necessary administrative and technical safeguards. Such transfers may take place where one of the following conditions is met:
a) Personal data may be transferred abroad if at least one of the conditions specified in Articles 5 and 6 of the Law exists and an adequacy decision has been issued regarding the country, specific sectors within that country, or international organizations to which the data will be transferred.
b) In the absence of an adequacy decision, personal data may be transferred abroad provided that at least one of the conditions specified in Articles 5 and 6 exists, and that the Data Subject has the ability to exercise their rights and seek effective legal remedies in the country of transfer, and that one of the following appropriate safeguards is ensured by the parties:
– The existence of a non-international agreement between public institutions or organizations or professional organizations with public institution status in Türkiye and public institutions or organizations or international organizations abroad, and approval of the transfer by the Board.
– The existence of binding corporate rules, approved by the Board, which include provisions on the protection of personal data and are applicable to companies within a group of undertakings engaged in joint economic activity.
– The existence of a standard contract announced by the Board, which includes provisions such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional safeguards for Special Categories of Personal Data.
– The existence of a written undertaking containing adequate protection provisions and approval of the transfer by the Board.
If none of the above safeguards can be provided, personal data may only be transferred abroad based on the explicit consent of the Data Subject.
c) In the absence of an adequacy decision and where none of the above safeguards can be ensured, personal data may be transferred abroad, on an exceptional basis, only if one of the following conditions applies:
– The Data Subject has explicitly consented to the transfer after being informed of the potential risks.
– The transfer is necessary for the performance of a contract between the Data Subject and the data controller or for the implementation of pre-contractual measures taken at the request of the Data Subject.
– The transfer is necessary for the establishment or performance of a contract concluded between the data controller and another natural or legal person in the interest of the Data Subject.
– The transfer is necessary for overriding public interest.
– The transfer is necessary for the establishment, exercise, or protection of a legal right.
– The transfer is necessary to protect the life or physical integrity of the Data Subject or another person where the Data Subject is unable to give consent due to actual impossibility or where consent is not legally valid.
– The transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions for access set out in the relevant legislation are fulfilled and the person requesting the transfer has a legitimate interest.
Recipient Groups and Transfer Purposes
Suppliers (Product / Service Providers)
For the purposes of providing products and services, ensuring business continuity, and obtaining server infrastructure services.
4.8 Retention and Destruction of Personal Data
As the Data Controller, the Company has determined retention periods, destruction cycles, and the technical and administrative measures to be applied in the retention of personal data within its Personal Data Retention and Destruction Policy, and has declared these periods separately for each category of personal data in VERBIS. The Company is aware of its obligation to ensure that personal data is retained in accordance with these principles.
Pursuant to the KVK Law, personal data is retained for the period stipulated in the relevant legislation or for the period required for the purpose for which it is processed. These retention periods have been determined, and upon their expiration, personal data is deleted, destroyed, or anonymized in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data, at the periodic destruction intervals defined in the relevant Policy. Personal data may also be anonymized for analytical purposes.
Further information may be requested through the contact details provided in this KVK Policy.
5. Data Security Measures
The Company implements technical and administrative measures, within the scope of technological capabilities and taking into account implementation costs, to ensure the lawful processing of personal data. Additional and enhanced measures are applied for Special Categories of Personal Data, and necessary internal audits are conducted at the highest level on a periodic basis. These security measures are also declared in VERBIS.
The Company takes all appropriate security measures to ensure that personal data is processed only for the intended purposes and to mitigate risks such as unauthorized access, unlawful processing, transfer, deletion, or alteration of personal data. These measures also include safeguards to prevent the transfer of personal data to countries that do not provide an adequate level of data protection.
Personal data processed by the Company is confidential, and the Company complies with this confidentiality obligation. Access to personal data is restricted to authorized personnel only. In this context, systems are designed in accordance with applicable standards, third-party service providers are carefully selected, and compliance with this KVK Policy is ensured within the Company.
Despite the implementation of necessary data security measures, in the event that personal data is compromised or accessed by unauthorized third parties as a result of attacks on the Company’s systems or platforms, the Company will take immediate action to remedy the breach and minimize any potential harm. The Company will promptly notify the relevant Data Subjects and the Board and take the necessary measures. Rules and procedures regarding personal data breaches are set out in the Personal Data Breach Management Policy.
6. Obligation to Inform
The Company informs Data Subjects, in accordance with Article 10 of the KVK Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilment of the Obligation to Inform, through relevant privacy notices regarding the identity of the data controller, the methods by which personal data is collected, the legal grounds and purposes of processing, the parties to whom personal data is transferred and the purposes of such transfers, as well as the rights of Data Subjects in relation to the processing of their personal data.
7. Rights of the Data Subject
Under the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. In this context, the rights of Data Subjects regarding their personal data are set out in Article 11 of the KVK Law as follows:
– To learn whether their personal data is being processed
– To request information if their personal data has been processed
– To learn the purpose of processing and whether personal data is used in accordance with such purpose
– To know the third parties to whom personal data is transferred domestically or abroad
– To request the correction of incomplete or inaccurate personal data
– To request the deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the KVK Law
– To request that such correction, deletion, or destruction be notified to third parties to whom personal data has been transferred
– To object to any outcome that is to the detriment of the Data Subject as a result of analysis of processed data exclusively through automated systems
– To request compensation for damages in case personal data is processed unlawfully
Data Subjects may submit their requests regarding the above-mentioned rights in writing to the Company’s registered electronic mail (KEP) address, by secure electronic signature, mobile signature, or via the email address previously notified to and registered in the Company’s systems. Data Subjects may also use the “Data Subject Application Form” available on the Company’s website.
Applications must include the following information:
– Name and surname, and signature if the application is submitted in writing
– Turkish ID number for citizens of the Republic of Türkiye; nationality, passport number or identification number (if any) for foreign nationals
– Residential or business address for notification
– Contact details such as email address, telephone number, and fax number (if any)
– The subject of the request
Relevant information and documents supporting the request must also be attached. Applications will only be evaluated if submitted in Turkish. In order for third parties to submit an application on behalf of the Data Subject, a special power of attorney issued through a notary must be provided.
If Data Subjects submit their requests in accordance with the procedures set out in this Policy and in the Communiqué on the Procedures and Principles for Application to the Data Controller, the Company will conclude the request as soon as possible and within a maximum of 30 (thirty) days, free of charge. However, if the process requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
For written applications, the date on which the document is delivered to the data controller or its representative shall be considered as the application date. For applications made by other methods, the date on which the request reaches the data controller shall be considered as the application date.
8. Effectiveness and Amendments
This Policy is published on the Company’s website and enters into force as of the date of publication. The Company reserves the right to amend this Policy at any time. Such amendments shall become effective on the date the updated Policy is published.
9. Contact Information
If you have any questions regarding this KVK Policy or the processing and protection of your personal data, or if you wish to exercise any of your rights under the KVK Law, you may contact us through the following channels:
ASLORA TEKSTİL TİCARET LİMİTED ŞİRKETİ
Address: Esentepe Mah. Talatpaşa Cad. No:5 İç Kapı No:1 Şişli / İstanbul
Email: hello@asloraswim.com