KVKK

1. PURPOSE

As MOON REKLAM PRODÜKSİYON ORGANIZATION LTD.ŞTİ '' AÍLA OFFICIAL '', our priority is to process the personal data of real persons, including our customers, consumers, suppliers and employees, in accordance with the Constitution of the Republic of Turkey and the international agreements on human rights to which our country is a party, as well as the Personal Data Protection Law No. 6698 (" KVKK ") and the relevant legislation, and to ensure that the data subjects whose data are processed can effectively exercise their rights.

For this reason, as AÍLA OFFICIAL, we process, store and transfer all personal data regarding our employees, visitors, business contacts, business partners, customers, suppliers, consumers, users visiting our website, in short, all the personal data we obtain during our activities, including but not limited to the ones listed above , in accordance with the Personal Data Protection and Processing Policy (“ Policy ”).

The protection of personal data and the protection of the fundamental rights and freedoms of individuals whose personal data is collected are fundamental principles of our personal data processing policy. Therefore, in all our activities involving personal data, we maintain the protection of privacy, confidentiality of communication, freedom of thought and belief, and the right to effective legal remedies.

To protect personal data, we take all administrative and technical protection measures required by the nature of the relevant data in accordance with legislation and current technology.

This Policy explains the methods we follow for processing, storing, transferring and deleting or anonymizing personal data shared during our commercial or social responsibility and similar activities, within the framework of the principles referred to in the KVKK.

2. SCOPE

All personal data processed by the Company, including our customers, consumers, business contacts, business partners, employees, suppliers, potential customers, and third parties, are within the scope of this Policy.

Our policy is implemented in all activities related to the processing of personal data owned or managed by the Company, and has been prepared in accordance with the KVKK and other relevant legislation on personal data, as well as international standards in this field.

3. DEFINITIONS AND ABBREVIATIONS

In this section, special terms and expressions, concepts, abbreviations, etc. used in the Policy are briefly explained.

3.1. Company: MOON ADVERTISING PRODUCTION ORGANIZATION LTD.CO

3.2. Explicit Consent: Approval given on a specific subject, based on information and free will, with clarity that leaves no room for hesitation, and limited only to that transaction.

3.3. Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.

3.4. Employee: Company Personnel.

3.5. Personal Data Owner (Relevant Person): The natural person whose personal data is processed.

3.6. Personal Data: Any information relating to an identified or identifiable natural person.

3.7. Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

3.8. Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

3.9. Data Processor: Natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

3.10. Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

3.11. KVK Board: Personal Data Protection Board.

3.12. KVK Authority: Personal Data Protection Authority.

3.13. KVKK: Personal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677.

3.14. Policy: AÍLA OFFICIAL Personal Data Protection and Processing Policy.

4. ROLES AND RESPONSIBILITIES

E-Commerce Manager: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. The natural or legal person who processes personal data.

E-Commerce Expert: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

5. LEGAL OBLIGATIONS

As a data controller, your legal obligations regarding the protection and processing of personal data in accordance with the KVKK are listed below:

5.1. Our obligation to inform

While collecting personal data as the Data Controller;

➢ The purpose for which your personal data will be processed,

➢ Our identity, information regarding the identity of our representative, if any,

➢ To whom and for what purpose your processed personal data may be transferred,

➢ Our method of collecting data and its legal basis,

➢ Rights arising from the law,

We have the obligation to inform the Relevant Person about these matters.

As a company, we take care to ensure that this Policy, which is open to the public, is clear, understandable and easily accessible.

5.2. Our obligation to ensure data security

As the Data Controller, we take administrative and technical measures stipulated in the legislation to ensure the security of personal data in our possession. Our obligations and measures regarding data security are detailed in Sections 9 and 10 of this Policy.

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal data

Personal data is any information relating to an identified or identifiable natural person.

Personal data protection applies only to natural persons. Information belonging to legal entities that does not contain information about a natural person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2. Special personal data

Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data are special personal data.

7. PROCESSING OF PERSONAL DATA

7.1. Our principles for processing personal data

We process personal data in accordance with the principles set out below.

7.1.1. Processing in accordance with law and principles of integrity

We process personal data in accordance with the rules of integrity, transparency and within the framework of our obligation to inform.

7.1.2. Ensuring that personal data is accurate and up-to-date when necessary

We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide Personal Data Owners with the opportunity to contact us to update their data and correct any errors in their processed data.

7.1.3. Processing for specified, explicit and legitimate purposes

As a company, we process personal data for our legitimate purposes, the scope and content of which are clearly defined, to carry out our activities within the framework of legislation and the ordinary course of business life.

7.1.4. Personal data must be relevant, limited and proportionate to the purpose for which they are processed.

We process personal data in a limited and proportionate manner, in connection with the purpose we have clearly and precisely determined.

We avoid processing personal data that is not relevant or does not need to be processed. Therefore, we do not process special personal data unless legally required to do so, or when we do, we obtain explicit consent.

7.1.5. Storage of personal data for the duration prescribed by legal regulations and for our legitimate commercial interests.

Many regulations in the legislation require personal data to be stored for a certain period of time. Therefore, we retain the personal data we process for the period stipulated in the relevant legislation or as long as necessary to meet the purposes for which the personal data is processed.

We delete, destroy, or anonymize personal data when the retention period stipulated in the legislation expires or when the processing purpose ceases. Our principles and procedures regarding retention periods are detailed in Article 9.1 of this Policy.

7.2. Our purposes for processing personal data

As a company, we process personal data for purposes similar to, but not limited to, the following:

➢ Carrying out our activities,
➢ Providing support services to customers within the scope of the contract and service standards,
➢ Determining the preferences and needs of our customers and shaping, personalizing and updating the services to be provided to our customers within this scope,
➢ To ensure the fulfillment of our legal obligations as required or mandated by legal regulations,
➢ Ability to conduct market research and statistical studies,
➢ Surveys, competitions, promotions and sponsorships,
➢ Organizing events,
➢ Evaluating job applications,
➢ To contact people who have business relations with the company,
➢ Marketing,
➢ Compliance management,
➢ Vendor / supplier management,
➢ Advertising,
➢ Legal reporting,
➢ Billing.

7.3. Processing of special personal data

Special personal data is processed by us by taking the administrative and technical measures prescribed by law and the Personal Data Protection Board, and if there is explicit consent, or in cases where it is mandatory under the legislation.

Sensitive personal data related to health and sexual life may be processed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing. Therefore, we do not process personal data other than that of our employees. Such data belonging to our employees may be processed by persons stipulated by law.

 

7.4. Processing of personal data within the scope of other memberships

If you become a member of our website or one of the programs we offer for purposes such as becoming a member of our programs, benefiting from our campaigns, being informed about the advantages we offer, etc., we collect your personal data through membership forms, process and transfer the personal data you share.

7.5. Processing of personal data collected through cookies on our website

We use cookies to improve how our website functions and how you use it, and to make your time on our website more productive and enjoyable. Additionally, we use some cookies to remember your preferences on our website, providing you with an enhanced and personalized experience.

We may collect your personal data through cookies on our website, process, transfer and store the data we collect.

If you do not want your personal data to be collected and processed through cookies, you can reject cookies on our website. Please note that if you reject cookies, our website may not function properly and may cause disruptions in the display or delivery of goods and services.

You can review our "Cookie Policy" for detailed information about the cookies we use on our website.

7.6. Exceptional cases where explicit consent is not required for the processing of personal data

We may process personal data without explicit consent in the exceptional cases listed below and arising from the law:

➢ It is clearly provided for in the laws;
➢ It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract;

➢ Data processing is necessary for the establishment, exercise or protection of a right;

➢ It is mandatory for us to process your data for our legitimate interests as the data controller, provided that it does not harm fundamental rights and freedoms.

Exceptional cases where special personal data may be processed without the explicit consent of the Data Subject are specified in Article 7.3 of this Policy.

8. TRANSFER OF PERSONAL DATA

8.1. Transfer of personal data within the country

As a company, we act in accordance with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data.

Save for the exceptional cases specified in the legislation, personal data and special data will not be transferred to other natural persons or legal entities without the express consent of the Data Subject.

In exceptional cases stipulated by the KVKK and other legislation, data may be transferred to the authorized administrative or judicial institution or organization in the manner and within the limits stipulated in the legislation, even without the explicit consent of the Data Subject.

In addition, in exceptional cases stipulated by legislation;

➢ In the cases explained in Article 7.6 of the Policy,

➢ In the cases listed in Article 7.3 of the Policy regarding special personal data,

➢ With the measures prescribed by the Personal Data Protection Board and the relevant legislation, special personal data regarding the health and sexual life of the Data Subject may be transferred to persons or authorized institutions and organizations under the obligation of confidentiality, without seeking explicit consent, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

8.2. Transfer of personal data abroad

As a rule, personal data will not be transferred abroad without the explicit consent of the Data Subject. However, in cases where one of the exceptional circumstances set forth in Articles 7.3 and 7.6 of this Policy exists, third parties abroad may only:

➢ Being in countries with sufficient protection declared by the Personal Data Protection Board;

➢If the data controllers are located in countries where there is no adequate protection, the data controllers in Türkiye and in the foreign country in question must undertake in writing to provide adequate protection and the Personal Data Protection Board must have permission;
In cases where personal data may be transferred abroad without explicit consent, your personal data may be transferred abroad without explicit consent.
Your personal data may be transferred to our business partners located abroad and processed by our business partners and third parties for purposes such as providing better service, personalizing our website according to the needs and preferences of our customers, members and consumers, promoting our products and services, remembering your preferences in our search engines, etc.

8.3. Institutions and organizations to which personal data is transferred

Personal data includes, but is not limited to;

➢ To our suppliers,

➢To our business partners and business contacts,

➢Legally authorized public institutions and organizations ,

➢Legally authorized private law persons,

➢To our shareholders,

may be transferred according to the principles and rules described above.

8.4. Measures we take regarding the legal transfer of personal data

8.4.1. Technical measures

To protect personal data, but not limited to the following;

➢Making internal technical organization to process and store personal data in accordance with the legislation,

➢The security of the databases where your personal data will be stored is ensured by our Business Partners,

➢Follows and audits the processes of the established technical infrastructure,

➢We determine the procedures for reporting the technical measures and audit processes we take,

➢Periodically updates and renews technical measures,

➢Risky situations are re-examined and necessary technological solutions are produced,

➢We use virus protection systems, firewalls and similar software or hardware security products and establish security systems in line with technological developments,

➢We employ technically expert employees or work with business partners who have technically expert employees.

 

8.4.2. Administrative measures

To protect your personal data, but not limited to the following:

➢We create policies and procedures for accessing personal data, including company and subsidiary employees within our company,

➢We inform and train our employees regarding the legal protection and processing of personal data,

➢In the contracts we make with our employees and/or the policies we create, we record the measures to be taken in cases of unlawful processing of personal data by our Company Employees,

➢We audit the personal data processing activities of the data processors we work with or the partners of data processors.

9. STORAGE OF PERSONAL DATA

9.1. Personal data shall be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

We store personal data for the period required for the purpose of processing personal data, without prejudice to the retention periods stipulated in the legislation.

In cases where we process personal data for more than one purpose, the data will be deleted, destroyed, or anonymized and stored if the processing purposes no longer exist or if there is no legal impediment to deleting the data upon the Data Subject's request. Legislative provisions and the decisions of the Personal Data Protection Board will be complied with regarding destruction, deletion, or anonymization.

9.2. Measures we take regarding the storage of personal data

9.2.1. Technical measures

➢ Creating technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data,

➢ We take the necessary precautions to ensure the safe storage of personal data,

➢ Employs employees with technical expertise,

➢Creating business continuity and emergency plans against possible risks and developing systems for their implementation,

➢We establish security systems in accordance with technological developments regarding the storage areas of personal data.

9.2.2. Administrative measures

➢We raise awareness among our employees by informing them about the technical and administrative risks associated with the storage of personal data,

➢In case of cooperation with third parties for the storage of personal data, we include provisions in the contracts made with the companies to which personal data is transferred, regarding the persons to whom personal data is transferred and the necessary security measures to be taken in order to protect and securely store the transferred personal data.

10. SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data

Personal data;

➢To prevent unlawful processing,

➢To prevent illegal access,

➢We take administrative and technical measures according to technological possibilities and implementation costs to ensure that it is stored in accordance with the law.

10.2. Measures we take to prevent the unlawful processing of personal data;

➢We carry out and have carried out the necessary audits within our company,

➢We train and inform our employees about the legal processing of personal data,

➢The activities carried out by our company are evaluated in detail for all business units, and as a result of this evaluation, personal data is processed specifically for the commercial activities carried out by the relevant units.

➢In cases where cooperation is made with third parties for the processing of personal data, the contracts made with the companies processing personal data include provisions regarding the necessary security measures to be taken by the persons processing personal data,

➢In case of unlawful disclosure of personal data or data leakage, we notify the Personal Data Protection Board and carry out the investigations and take the measures required by the legislation.

10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data

To prevent unlawful access to personal data;

➢Employs employees with technical expertise or takes care to work with business partners that employ employees with technical expertise,

➢Periodically updates and renews technical measures,

➢We create access authorization procedures within our company,

➢We determine the procedures for reporting the technical measures and audit processes we take,

➢We create and periodically audit the data recording systems used within our company in accordance with the legislation,

➢Creating emergency aid plans against possible risks and developing systems for their implementation,

➢We train and inform our employees about access to personal data and authorization,

➢In cases where cooperation is made with third parties for the purposes of processing and storing personal data, the contracts made with the companies that provide access to personal data include provisions regarding the necessary security measures to be taken by the persons who access personal data,

➢Establishing security systems within the framework of technological advancements to prevent unlawful access to personal data,

➢ Under this heading, we pay attention to working with business partners who employ employees with technical expertise or in cases where the above-mentioned activities are carried out through our business partners.

10.2.2. Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect unauthorized disclosure of personal data, we establish systems and infrastructure in accordance with legislation to notify the relevant person and the Personal Data Protection Board.

If an unlawful disclosure occurs despite all administrative and technical measures taken, this may be announced on the KVK Board's website or by another method, if deemed necessary by the KVK Board.

11. RIGHTS OF THE PERSONAL DATA OWNER

As part of our obligation to inform, we inform Personal Data Owners and establish systems and infrastructures related to this information. We make the necessary technical and administrative arrangements to enable Personal Data Owners to exercise their rights regarding your personal data.

Personal Data Owner has the right to control his/her personal data;

➢Learning whether personal data is being processed,

➢Requesting information about personal data if it has been processed,

➢To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

➢Knowing the third parties to whom personal data is transferred, either domestically or abroad,

➢To request correction of personal data if it is processed incompletely or incorrectly,

➢To request the deletion or destruction of personal data if the reasons requiring the processing of personal data are eliminated,

➢To request that the above-mentioned correction, deletion or destruction be notified to third parties to whom personal data has been transferred,

➢To object to any adverse results arising from the analysis of processed data exclusively through automated systems,

➢To request compensation in case of damages due to unlawful processing of personal data,

has the rights.

11.1. Exercise of rights regarding personal data

Personal Data Owner may send his/her request regarding his/her personal data by this method if a separate method is determined by the Personal Data Protection Board or in writing and with a wet signature to the contact address: Meşrutiyet Mahallesi Rumeli Caddesi No:36/38 D.14 Şişli İstanbul or by sending it to our registered e-mail address business.info.aila@gmail.com with a secure electronic signature.

In the application that the Personal Data Owner will make to exercise the above-mentioned rights and that includes explanations regarding the right he/she requests to exercise, the requested matter must be clear and understandable, the requested matter must be related to the applicant's person or, if he/she is acting on behalf of someone else, he/she must be specifically authorized in this matter and this authority must be documented, the application must also include his/her identity and address information and documents proving his/her identity must be attached to the application.

Such requests will be made individually, and requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.2. Evaluation of the application;

11.2.1. Application response time

Requests regarding personal data are finalized as soon as possible, depending on their nature, and in any case within 30 (thirty) days at the latest, free of charge or against a fee specified in the tariff if the conditions specified in the tariff published by the Personal Data Protection Board are met.

Additional information and documents may be requested during the application or while the application is being evaluated.

11.2.2. Our right to reject the application

Applications regarding personal data;

➢Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,

➢Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate the privacy of private life or personality rights or constitute a crime,

➢Processing of personal data made public by the Personal Data Owner,

➢The application is not based on a justified reason,

➢The application contains a request that is contrary to the relevant legislation,

➢Failure to comply with the application procedure,

In such cases, it is rejected with justification.

11.3. Application evaluation procedure

In order for the response period specified in Article 11.2.1 of this Policy to begin, requests must be sent in writing with a wet signature or via [electronic signature and KEP] or sent with information and documents proving the identity of the applicant using other methods determined by the Personal Data Protection Board.

If the request is accepted, the relevant action will be taken, and a written or electronic notification will be provided. If the request is rejected, the reason will be explained and the applicant will be notified in writing or electronically.

11.4. Right to complain to the Personal Data Protection Board

In case the application is rejected, the response we provide is deemed insufficient or the response is not given in a timely manner, the applicant has the right to file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of learning the response and in any case within 60 (sixty) days from the date of application.

12. PUBLICATION AND STORAGE OF THE DOCUMENT

This Policy is stored in two different environments: printed paper and electronically.

13.UPDATE PERIOD

This Policy is reviewed at least once a year and updated, if necessary, within the principles set out in the Documentation Management Procedure.

14. ENFORCEMENT

This Policy is deemed to have entered into force after its publication on the Company's website.