CRAFIST® PERSONAL DATA PROTECTION POLICY
As KAROPAK END.SAN.TİC.A.Ş. (may be referred to as "Karopak", "Company" or "Crafist"), we aim to inform our employees, partners, authorities, customers, potential customers, visitors of our website (www.crafist.com) and third parties like real and legal persons about the processes of protection of personal data with the "Crafist® Personal Data Protection Policy". Personal data that we obtain from different sources during our commercial activities ,carried out by our company, are processed and protected in accordance with the law, in accordance with the General Data Protection Regulation and the Law on the Protection of Personal numbered 6698. Administrative and technical information on this subject is presented to you in the content of our policy.
In the presence of Istanbul Trade Registry Management;
Data Supervisor: KAROPAK END. SAN.TİC.A.Ş.
Registration number: İZMİR-113138
Central Registiration System No: 0524122854200001
Head Office Address: Ataşehir Mahallesi, 8229/2 Sok. No: 17, 35620 Çiğli / İzmir
This policy involves all kinds of all personal data records recorded automatically or not automatically of our employees, shareholders, authorities, customers, potential customers, employees, shareholders and authorities of the organizations we work with, our website visitors and third parties in all our physical locations and digital platforms where we conduct our commercial activities as Crafist®.
- Physical Locations:
- Karopak Head Office: Ataşehir Mahallesi, 8229/2 Sok. No: 17, 35620 Çiğli-İZMİR
- Karopak Istanbul Office: İnönü Caddesi Sümer Sok. Sümko Sitesi I-3 Blok No: 2, Kozyatağı-Kadıköy-İSTANBUL
- Karopak Eskişehir Office: Çamlıca Mahallesi Behçet Necatigil Sok. No: 7/11, Tepebaşı-ESKİŞEHİR
- Digital Platforms: With all digital platforms in Karopak® asset inventory,
- Local servers
- Cloud media servers
- User computers
- Data hosting and transport environments
- Legal Basis
This policy, prepared by our company, has been prepared in order to comply with the provisions of the General Data Protection Regulation (GDPR) and the legal regulations within the scope of the protection of personal data. In case of any law and regulation change that may occur in this regard, we indicate that we will care about all changes and will implement the necessary renewals as soon as possible as Crafist®.
- Procedures and Principles Regarding the Protection of Personal Data in Crafist®
- Principles Regarding Processing Personal Data in Crafist®
As Crafist®, we process personal data based on the Personal Data Protection Law (KVKK) and relevant legal regulations. Thus, we fully comply with all principles within the scope of the Personal Data Protection Act (KVVK).
- Conforming the law and honesty rules
As Crafist®, we carry out all our processing processes by complying with all honesty rules within the scope of the Constitution and Personal Data Protection Law (KVVK).
- Being accurate and up-to-date when necessary
As Crafist®, we take all necessary measures for the accuracy and currency of all the data we process. In order to ensure the authenticity of the data we process, we provide information and provide opportunities to data owners.
- Processing for specific, clear and legitimate purposes
As Crafist®, we only process data for clear and categorically defined legal purposes and do not take any other data processing action except these purposes. Based on this, we only process personal data in the context of the business relationships we have established with data owners and if necessary.
- Being connected, limited and measured with the purpose for which they are processed
As Crafist®, we process personal data in accordance with the realization of the specified purposes. We do not perform any out of purpose or escapable personal data processing. We do not perform any personal data processing relative to meeting the possible need which is thought to occur later.
- Keeping for the period predicted in the relevant legislation or required for the purpose they are interested in.
As Crafist®, we keep personal data only for the time required for the purpose specified in the relevant constitution or processed. Based on this, we first determine whether any period is specified in the constitution regarding the storage of personal data. If a period is specified, we will keep personal data in accordance with that period. In cases where no period is specified, we keep personal data in accordance with the purpose for which they were processed as much time as required. Our company deletes, destroys or anonymizes the personal data recorded when the period ends or the reasons for processing the data disappear. We do not consider the possibility of using personal data in the future and we do not keep any personal data except for the specified period.
- Personal Data Groups in Crafist®
As Crafist®, we define groups of persons in the process of personal data processing as stated below, adhering to the content of the Regulation on the Data Controllers Registry numbered 30286 published in the official newspaper on December 30, 2017.
Data Subject Groups and Explanations:
Employed Personnel: Real persons we employ within the scope of labor law within our company.
Candidate Personnel: Real persons whose application we receive for employment within our company or that we provide by human resources companies / platforms that are third parties.
Intern: Real persons that we have employed part-time within our company in order to support professional practical knowledge and theoretical training.
Partners: Real persons who own the shares that constitute the tangible assets of our company.
Shareholder: Real persons who become stakeholders of the company in order to purchase the shares of our company.
Managers: Real persons in charge of the management of our company.
Public Official: The real person who is responsible for the relations with official institutions and organizations (audit, trial, investigation, etc.) of our company.
Supplier: Real and legal persons who supply the services we provide from outside in order to carry out the activities of our company.
Supplier Personnel: A natural person who works for the supplier or supplier candidate who is in relation with our company.
Online Visitor: Real persons who visit the content of our website and our other sales channels in electronic environment without creating a membership registration or purchasing any product.
Online Members: Real persons who visit the content of our website and our other sales channels electronically by creating a membership record.
Customer: Real persons who purchase products through our website or other electronic sales channels.
Visitor: Real persons visiting the physical locations of our company without any contract.
Applicant: Real persons who submit their requests, requests and complaints to our company without being subject to any contract.
- Categories of Data Processed in Crafist®
As Crafist®, in order to carry out our commercial activities, we process some personal and private data of our employees’, suppliers’ and customers’ in accordance with the principles specified in this policy.
As Crafist®, we perform data processing according to the data category stated below.
Data Category Description:
Identity Data: The information we need in documents such as identity book, marriage certificate, passport, residence address, driving license.
Communication Data: Information that we can reach the person such as phone number, mobile phone number, e-mail address, address.
Location Data: Data to determine the location of the data owner using our website.
Customer Data: Information such as customer number, occupation information we receive from our customers who benefit from our products and services.
Customer Transaction Data: Information based on all kinds of transactions such as order information, requests, basket information made by our customers using our products and services.
Physical Space Security Data: Records and information taken at the entrance to our physical locations and during the stay at our physical locations, such as camera records, visit information, entrance exit logs
Transaction Security Data: Personal data we process such as website password and password in order to ensure legal, technical, administrative and commercial security between our company and our parties.
Risk Management Data: Processed personal data such as IP address, MAC address that we can manage the administrative, technical and commercial risks of our company.
Financial Data: Processed personal data such as information and invoices showing the financial transactions performed by the data owner.
Personal Data: All kinds of personal information and documents that we obtain from our employees and suppliers in our company that must be entered in the personal file by law.
Employee Candidate Data: Personal data shared by the candidate when applying for a job in our company, such as the CV, personality test, and interview notes, which we evaluate during the application process.
Employee Transaction Data: Personal data such as business trips, work entry-exit records, meeting notes, tracking of mail traffic, vehicle use, and the state of the company's card for any transaction related to the business performed by our company's employees and suppliers.
Employee Performance and Career Development Data: Processed personal data such as performance evaluation data of our employees in our company, interview evaluation data, training data on career development within the scope of human resources policy.
Fringe Benefits and Benefits Data: Personal data that we process for the follow-up of the benefits and benefits of our employees, such as private health insurance, vehicle allocation, and for our employees to benefit from these rights.
Marketing Data: Collected by our company for use in marketing activities; data such as reports showing the habits and tastes of the person, goal setting information, cookie records.
Legal Transaction and Compliance Data: Personal data that we process for the purpose of fulfilling legal obligations, such as data included in court and administrative authority decisions regarding the follow-up and determination of our legal claims and rights.
Audit and Inspection Data: Personal data such as audit reports, inspection reports, related interview records that we process within the framework of our company's compliance with company policies and legal obligations.
Special Qualified Personal Data: The race, origin, political opinion, religion, sect, belief, dress and dress, union or association membership, health, sexual life, whether or not to be punished, data on security measures, biometric and genetic data of the persons related to our company. .
Request / Complaint Management Data: The personal data we process regarding the requests and complaints received by our company and the reports regarding these requests and complaints.
Visual and Audio Data: Visual and audio data we process, such as camera recordings, sound recordings, photographs, of people related to our company.
- Purposes of Processing Personal Data in Crafist®
As Crafist®, we ensure that data is processed according to the data category we explain in this policy we offer you. We process personal data with the explicit consent of the data owner as required by law.
Our data processing; It aims to fulfill the obligations of state laws such as Labor Law, Code of Obligations, Commercial Code, Tax Law. However; As Crafist®, we explain our purposes for processing personal data as follows.
- To realize our business needs by complying with our commercial purposes.
- To fulfill the obligations of our employees within the framework of labor law.
- To plan and realize the fringe benefits and benefits of our employees.
- To carry out the necessary authorization studies in order to protect the personal data of our employees, suppliers, users and customers.
- To carry out our accounting and finance business and transactions.
- To carry out our legal affairs and transactions.
- To operate the business processes in our company within the framework of business activities and to ensure their sustainability.
- To ensure the physical security and information security of our company.
- To realize, operate and maintain our corporate communication and managerial activities.
- To realize, operate and maintain our storage, logistics, transportation and transportation activities.
- To plan, operate and maintain the management of customer relations.
- Realizing survey studies in order to monitor the satisfaction of our customers.
- To be able to meet the expectations and demands of our customers.
- To plan, realize and maintain our call center activities.
- To evaluate the demands and complaints of our customers and to increase the satisfaction of our customers.
- To ensure our corporate continuity and to continue our services.
- Fulfilling the obligations of our institution personnel arising from the employment contract or regulation.
- Planning and realizing our audit activities.
- To carry out our training activities inside and outside the institution in a planned or unplanned manner.
- To use information technologies and to ensure system security.
- To carry out and maintain our corporate operations.
- To be able to evaluate legal requests or contract processes.
- To be able to realize and maintain our activities in the supply chain management process.
- To plan and maintain our market research activities for the marketing of our products and services.
- To be able to make our product promotions.
- To be able to carry out the advertisement and promotion activities of our products on social media platforms.
- To be able to evaluate and analyze our customers' website movements by automatically recording their website activities in order to create our marketing and sales strategies.
- To be able to deliver our products to our customers abroad within the time we commit.
- To be able to perform and maintain product return and cancellation processes in cash by our customers.
- To be able to receive our product payments in accordance with the laws of the Republic of Turkey and the world payments system.
- Keeping the data accurate and up-to-date.
- To be able to fulfill the demands based on regulations against authorized institutions.
- To create and follow the records of our visitors who visit our institution.
- To be able to manage the customer management of our website more effectively.
- Updating our corporate applications in line with different needs or creating new modules and testing the created modules.
- To ensure database security.
- To provide system and network security.
- Ability to perform slowdown of service or leakage and penetration tests.
- To be able to test the needs of safe software.
- Ensuring the Security of Personal Data in Crafist®
As Crafist®, we make provisions for technical and managerial to prevent illegal arrival to personal data we process in accordance with the laws regarding the protection of personal data and to provide the necessary security system in order to protect the data appropriately. In this context, we make and have the necessary audits done.
- Technical Measures
- We take technical measures in accordance with technological developments and regularly update the measures we take.
- We implement the necessary firewalls, software and hardware in order to prevent any kind of attack that may harm the system, such as slowing down or hijacking the system, and to protect the virus.
- We make the necessary internal controls in having the characteristics of the systems we set up.
- In having the characteristics of the systems we set up, we make an information technology risk assessment and carry out processes for the realization of business analysis.
- In order to prevent or observe the leakage of personal data outside our company, we provide the technical infrastructure and ensure the emergence of the relevant matrices.
- We receive leakage testing service at regular intervals and in case of any need. Thus, we control the system inanitions.
- We monitor the entrances and exits to the physical areas with security camera systems.
- Card reader systems and finger reading systems have been installed in important data processing areas.
- We make use of TS / ISO 27001 Information Security Management Systems Security standards.
- Our employees working in information technology units keep their authorization to access personal data under control.
- Only determinated authorized persons can access and process data provided from digital media.
- When we efface personal data, the data can not be recycled and can not leave behind an audit mark.
- Complying with the Personal Data Protection Law (KVVK), we protect any digital platform where we keep personal data with encoded or cryptographic methods by ensuring information security.
- We realize the necessary logging procedures in accordance with the principles of law for the regulation of broadcasts in the internet atmosphere and the intended for struggling offenses committed.
- We conduct "Leakage Tests" and "Inanition Tests" at regular intervals with the information systems we use. We carry out our improvement works immediately against any risky situation that may occur.
- Administrative Measures
- The personal data we have kept can only be accessed by our personnel assigned to this job due to the job description. We make limitations by considering the quality and importance of the data.
- If the personal data we process are obtained by others in an unlawful manner, we will immediately notify the relevant authority and the committee.
- We sign contracts with the people who share their personal data regarding the protection of personal data and data security, or we ensure data security with the new provisions added to the existing contract.
- We employ personnel who are knowledgeable and experienced in the processing of personal data. We provide necessary trainings to our staff on the protection of personal data and data security.
- As Crafist®, under the supervision of our own legal entity, we make and have the necessary audits made in order to implement the provisions of the law.
- As Crafist®, all legal business agreements, additional commitments and all confidentiality agreements regarding information security are signed between us and all our suppliers working with us.
- As Crafist®, all legal business agreements, commitments and confidentiality agreements are signed between us and all companies with whom we share data abroad.
- As Crafist®, business agreements, commitments and confidentiality agreements are signed between our company and third parties such as our employees or the suppliers from whom we provide services.
- We process by meeting the requests from our customers in accordance with the regulation on the protection of personal data within the valid legal periods and return to the applicant.
- All processes belonging to the units under the roof of Crafist® have been determined. Necessary administrative and technical measures were taken by making risk assessments of the processes.
- As Crafist®, we provide our personnel with the necessary trainings to prevent unlawful access to personal data.
- As Crafist®, we ensure the annihilation and destruction of papers and documents containing personal data in physical environments through paper grinding machines.
- Ensuring Safety for Personal Data in Special Quality
Data considered as special qualified personal data; Biometric and genetic data regarding race, ethnicity, political opinion, belief, religion, sect, dress and clothing, health, sexual life, membership of any association or union, criminal conviction and security measures.
As Crafist®, we protect the special qualified personal data indicated in our policy regarding the protection of personal data by taking administrative and technical measures in accordance with the law.
- Annihilation Methods of Personal Data in Crafist®
As Crafist®, we process personal data in accordance with legal obligations regarding the protection of personal data. If the processing requirements of the data we process are eliminated, personal data are officially deleted, anonymized or destroyed by our data officer at the request of the person concerned.
We regularly conduct research and scans of personal data that need to be deleted, anonymized or destroyed every 6 months. We keep the log records of automatic or manual deletion, anonymization or annihilation for 3 years.
As Crafist®, we perform the annihilation methods of personal data as explained below.
- Deletion or Destruction of Personal Data in the Physical Environment
Personal data can sometimes be processed in non-automatic ways. When deleting or destroying personal data processed by non-automatic means, we physically destroy personal data so that they will not be used again later.
When it is necessary to destroy personal data processed in our digital environments, our technical experts make the related physical hardware and devices completely unusable.
We completely destroy the personal data on paper with paper shredders, whose activities are terminated, at the request of the data owners or the storage period stipulated by the law has expired.
- Deletion or Destruction of Personal Data from Application Software and Databases
As Crafist®, we collect and process data in accordance with our personal data protection policy by using different application software on various digital platforms in order to conduct our activities.
We perform inventory studies in databases containing personal data we keep in application software. We prepare an inventory on databases with personal data, at tables related to these databases and in which areas these tables are kept. In the inventory we have prepared, we also indicate tables and fields that do not contain direct personal data, but are likely to match any person when matching.
There may be times when data owners request data deletion. At such times, we delete all personal data from the relevant tables, except for the personal data in the groups whose retention periods are not expired, which are determined in accordance with legal provisions and specified in our company's policy.
However, during the process of deleting personal data, there may be situations where we can not access other data or use the data within the system. In such cases, provided that certain conditions are met, we archive the data by making it unrelated to the person and we consider that the archived data have been deleted. These conditions;
- Being unavailable to any other organization or person.
- Taking whatever managerial and technical precautions to ensure that only authorized persons can access personal data.
We perform the destruction of equipment on digital platforms by demagnetizing, physically destroying and overwriting.
- Demagnetization: We expose the data on magnetically stored media to high magnetic field, ensuring that it becomes unreadable. If we are not successful in this way, we will complete the process by physical destruction of the media.
- Physical Destruction: We physically destroy personal data recorded by non-automatic ways so that they cannot be used later. This is the only way we can destroy data in the form of paper or hard copy.
- Overwriting: We make it impossible to use and read old data with special software over magnetic or rewritable optical media.
In some cases, as Crafist®, we agree with a technical expert who we have made the necessary confidentiality and supplier agreements to ensure that personal data is deleted. Personal data that is securely deleted by technical experts becomes unusable again.
- Anonymizing Personal Data
While making personal data anonymous, we take advantages of three methods such as masking, subtraction of variance and data modification.
We only change the values without changing the format of personal data and we ensure this change is never detected and recycled.
- Subtraction of Variance
We remove one or more columns with high descriptors in the database tables in which we store personal data and private personal data.
7.3.3 Data Modification
We randomly change the places of the lines of personal data or special qualified personal data in columns of the same type that we keep in database tables.
- Rights of the Relevant Person (Data Owner) in Crafist®
As Crafist®, we explain the rights of data owners mentioned in our policy regarding the protection of personal data we present to you as follows.
- To learn if personal data is processed or not processed.
- To request information about the processed personal data.
- To learn the purposes and suitability to purposes of the processed personal data.
- To know the third people in the native country or foreign country whose private data are delivered.
- If the processed personal data is incomplete or incorrect, to request the correction of defects and to request the third parties to whom the data is transferred to be notified of the process applied within this framework.
- To object to the person making an adverse result, provided that the processed personal data is analyzed especially by automated systems.
- To request compensation for the damage if personal data is processed inappropriately and is damaged.
As Crafist®, we finalize the incoming requests free of charge within 30 (thirty) days at the latest. However, if a cost arises regarding the requests we have finalized, we may demand the fees determined by the Personal Data Protection Board. In cases where personal data are processed with explicit consent, if explicit consent is withdrawn, persons will be removed from the membership system required by the transaction based on explicit consent and will not be able to benefit from the advantages they have benefited since that date.
You can follow the changes within the framework of our regulation and policy regarding personal data from our website.
Working Hours: 09.00-18.00 on weekdays
Data Supervisor: KAROPAK ENDÜSTRİYEL SANAYİ TİCARET ANONİM ŞİRKETİ
Address: Ataşehir Mahallesi, 8229/2 Sok. No: 17, 35620 Çiğli / İzmir
For your requests regarding your personal data, e-mail: email@example.com
Customer Contact Center: +90 539 599 19 79
Data Contact Person: Ebru Fatma Göçmen
Address: İnönü Caddesi Sümer Sk. Sümko Sitesi I-3 block No: 2 Kozyatağı - Kadıköy - İstanbul
Our data contact person evaluates the requests you have submitted to us and, depending on the nature of the request, reaches the relevant person through our communication channels within 30 days at the latest.
For your support and information requests on other issues, e-mail: firstname.lastname@example.org