Privacy and Security

FORTEKS İÇ VE DIŞ TİCARET LİMİTED ŞİRKETİ PRIVACY AND PROTECTION OF PERSONAL DATA POLICY

1 PURPOSE AND SCOPE OF THE POLICY

This Privacy and Personal Data Protection Policy (“POLICY”) covers the personal data of lujurian (“Data Controller”), job applicants, suppliers, online and physical visitors, members, customers, shareholders and partners (“Person Groups”). It aims to enlighten the groups of people in question regarding the processing of

2 CANDIDATES GROUP

2.1 Personal Data Collected Regarding the Candidate Person Group

Regarding the group of candidates applying to lujurian for job application;

  • Curriculum vitae, work experience, educational background, foreign language certificate and other certificates,
  • Name, surname, address, date of birth, e-mail address, phone number and other contact information,
  • Records of information obtained by means of teleconference, video call, telephone or in case of face-to-face interviews,
  • Information obtained as a result of references or research by lujurian,
  • Results of recruitment tests that determine talent and personality traits,
  • It can process information such as wage expectation, disability and convict status, payment method. If the situation requires, information such as criminal record and health report may also be requested from the candidate.
2.2 Purposes of Collecting and Processing Personal Data of Candidates

lujurian, this POLICY “VII. Based on one or more of the purposes specified in the section titled "Purposes of Processing Personal Data" and taking into account the nature of the application, the candidate's personal data may be processed for the following purposes:

  • Evaluating the candidate's qualifications, experience and interest, suitability for the open position,
  • If necessary, checking the accuracy of the information submitted by the candidate or contacting third parties and conducting a reference search about the candidate,
  • To contact the candidate about the application and recruitment process or, if appropriate, to contact the candidate for any position opened later in the country or abroad,
  • To meet the requirements of any legislation or the demands of the authorized institution or organization,
  • develop and improve the recruitment principles implemented by Lujurian,
  • To carry out the activities that need to be done within the framework of occupational health and safety.
2.3 Methods of Collection and Processing of Personal Data of Candidates

During the recruitment process, the personal data of the candidates may be collected by the following methods and means, together with or in addition to other methods and means specified in this POLICY:

  • Application form published in print or electronic media,
  • Resumes submitted by candidates to lujurian via e-mail, cargo, reference and similar methods,
  • LinkedIn with employment or consulting companies,
  • During the interview, by means of video conferencing, telephone or in case of face-to-face interviews,
  • Checks made to confirm the accuracy of the information submitted by the candidate and researches made by lujurian,
  • Recruitment tests that identify talent and personality traits, conducted by experts with experience and the results of which are examined.

lujurian processes the collected personal data through computer systems and human resources personnel, automatically or non-automatically.

2.4 Conducting Reference Search on Candidates

lujurian can do reference research on candidates. The reference research to be conducted will generally aim to confirm the accuracy of the information given by the candidate. In addition, it will be among the aims of the research that can be done to determine the information that the candidate hides about himself and that may cause risks for the lujurian.

Within the scope of the reference research to be made, necessary personal data such as identity information, work and education experiences of the candidates can be shared with third parties. In addition, personal data about candidates can be obtained from third parties.

Candidates can always contact lujurian about the reference research to be done about them.

2.5. Candidates' Rights Regarding Personal Data

Candidates who want to exercise their rights arising from the Personal Data Protection Law No. 6698 (“KVKK”) can apply to lujurian within the scope of the procedures and principles explained in this POLICY.

2.6 Of The Personal Data Collected During The Candidacy Process, Which Will Continue To Be Processed In The Case Of Recruitment

All personal data collected and processed about the candidate during the recruitment processes are transferred to the personnel file if the candidate is decided to be employed in the relevant vacant position.

2.7 Security of Candidates' Personal Data

lujurian does not discriminate between data subject groups (such as candidate, person group, intern) in terms of the personal data it processes. Detailed information about the security of personal data can be found in the section of this document on the security of personal data.

3 PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

3.1 Lawful and Integrity Processing

In the processing of personal data, the principles introduced by legal regulations and the general rule of trust and honesty are followed.

3.2 Ensuring Personal Data Is Accurate and Up-to-Date When Necessary

Periodic controls and updates are made to ensure that the processed personal data of individual groups are accurate and up-to-date, and necessary measures are taken accordingly. In this context, systems for checking the accuracy of personal data and making necessary corrections are created within lujurian. In terms of members, these changes and updates can be made from the My Account Page on the www.lujurian.com website.

3.3 Processing for Specific, Clear and Legitimate Purposes

Personal data is processed based on clear, specific and legitimate data processing purposes. The purpose for which the data will be processed is detailed below.

3.4 Being Relevant, Limited and Proportionate to the Purpose for which they are Processed

Personal data is processed in a measured, purpose-related and limited manner in order to achieve the foreseen purpose/purposes, and the processing of personal data that is not related to the realization of the purpose or that is not needed is avoided.

3.5 Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation

lujurian retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, first of all, it is determined whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, this period is acted upon. In the event that the period expires or the reasons requiring its processing are eliminated, personal data are deleted, destroyed or anonymized in accordance with Lujurian's Personal Data Retention and Disposal Policy, unless there is a legal reason allowing them to be processed for a longer period of time.

Storage periods are also given below.

4 TERMS OF PROCESSING PERSONAL DATA OF PERSON GROUPS

The explicit consent of the relevant groups of persons is only one of the reasons for compliance with the law that makes it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of one of the other legal compliance reasons listed below.

The basis of the personal data processing activity can be only one of the reasons for compliance with the law stated below, or more than one of these conditions can be the basis of the same personal data processing activity. If the processed personal data is special quality personal data; The conditions set out in the heading "Conditions in which Special Categories of Personal Data may be Processed" below apply.

Person groups are informed about the personal data processed by this POLICY, for what purposes and for what reasons their personal data is processed, from which sources their personal data is collected, with whom this personal data will be shared and how it will be used.

4.1 Explicitly Provided in Laws

In cases where the laws expressly stipulate the processing of personal data, lujurian data processes personal data without obtaining the explicit consent of the groups of persons to be processed. For example, processing personal data in processes such as membership in lujurian, granting commercial electronic permission, order, payment, delivery, cancellation or return of the product in accordance with the Law on the Regulation of Electronic Commerce.

4.2 Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility

In case the personal data of the group of persons who are unable to express their consent due to actual impossibility or whose consent cannot be validated is necessary to protect the life or physical integrity of the person or another person, the data may be processed without the explicit consent of the individual group.

4.3 Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract, the data may be processed if it is necessary to process the personal data of the parties to the contract. For example, the personal data provided by the Member in order to carry out the membership process to lujurian.

4.4 Fulfillment of lujurian's Legal Obligation

In case the processing is necessary to fulfill legal obligations as a data controller, personal data of the individual group may be processed without obtaining explicit consent. For example, in the case of an order for any product, this product is delivered to the Member, such as the payment of the product price to the seller.

4.5 Making Personal Data Public by Groups of Persons

If the personal data of the person group has been made public by him, the data may be processed without the need for explicit consent. For example, personal data shared by the Member publicly on the internet and social media accounts may be processed if this sharing is in accordance with his will and to the extent.

4.6 Requirement of Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the data may be processed without the explicit consent of the individual group. For example, placing the shopping and information in this complaint file based on a complaint made by the Member to the consumer arbitration committee.

4.7 Processing of Data Based on Legitimate Interest

Provided that it does not harm the fundamental rights and freedoms of the person group, personal data may be processed without the express consent of the person group, if data processing is necessary for the legitimate interests of lujurian. For example, making satisfaction surveys by lujurian in order to ensure customer satisfaction.

4.8 Processing of Personal Data of Person Group Based on Explicit Consent

In cases where the personal data of the person group cannot be processed based on any of the conditions specified in 3.1 - 3.7 above, it will be processed based on express consent.

5 SITUATIONS WHERE SPECIAL QUALITY PERSONAL DATA MAY BE PROCESSED

Some of the personal data is regulated separately as "personal data of special nature" and is subject to special protection.

5.1 Processing of Private Personal Data Based on Explicit Consent

Special categories of personal data can be processed by taking the principles specified in this POLICY and the necessary administrative and technical measures, in case of the explicit consent of the person group.

5.2 Circumstances in which Private Personal Data may be Processed without Express Consent

Special categories of personal data may be processed in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board (“Board”) are taken, in cases where there is no explicit consent of the person group:

  • Special categories of personal data other than the health and sexual life of the person group, in cases stipulated by the laws,
  • Personal data of a special nature regarding the health and sexual life of the individual group can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. .

ENLIGHTENING AND INFORMING 6 PEOPLE GROUP

During the acquisition of personal data, the person group is informed by lujurian. In this context, the identity of the contact person of lujurian, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the individual groups for legal reasons are notified to them.

If groups of people request information regarding their personal data, necessary information is given by lujurian via kisiselveriresim@lujurian.com. Physical visitors are informed that recordings are made with cameras at locations belonging to Lujurian. In addition, short information is given on the signs in the building so that all visitors can see it. Users who visit lujurian's web page are informed by this Policy, and users who not only visit the page but also become Members are informed by this Policy and from the Membership page.

lujurian Contact Person:
Hunting. Fatih Onur LENGERLI
kisiselveriyim@lujurian.com

7 CATEGORIZATION OF PERSONAL DATA

Within the scope of this POLICY, the following categories of personal data of the individual groups are processed by lujurian:

  • Credentials
  • Communication information
  • Location Data
  • Family Members and Close Information
  • Physical Space Security Information
  • Financial Information
  • Personal Information
  • Candidate Employee Information
  • Contact Group Transaction Information
  • Legal Action and Risk Information
  • Special Qualified Personal Data
  • Complaint Management Information

8 PURPOSE OF PROCESSING PERSONAL DATA

8.1 Terms of Processing

Personal data is processed limited to the following conditions. These conditions are;

  • The relevant activity regarding the processing of your personal data is clearly stipulated in the law,
  • The processing of your personal data by lujurian is directly related to and necessary for the establishment or performance of a contract,
  • The processing of personal data is mandatory for lujurian to fulfill its legal obligation,
  • Provided that the personal data has been made public by the person group; limited processing by lujurian for the purpose of publicizing,
  • The processing of personal data by lujurian is mandatory for the establishment, exercise or protection of the rights of lujurian or its groups or third parties,
  • It is mandatory to process personal data for the legitimate interests of lujurian, provided that it does not harm the fundamental rights and freedoms of individual groups,
  • lujurian's processing of personal data is necessary for the protection of the life or physical integrity of the data subject or another person, and in this case, the data subject is unable to express his consent due to actual impossibility or legal invalidity.

In the absence of the above-mentioned conditions; In order to process personal data, lujurian seeks the express consent of personal data owners.

8.2 Machining Purposes

lujurian, personal data; It operates for the following purposes:

For the Candidate Employee Group:

  • Ensuring the completion and execution of human resources policies and processes,
  • Planning the application selection and evaluation processes of employee candidates,
  • Execution of activities that should be done within the framework of occupational health and safety,
  • Communication activities necessary for the placement of employee candidates,
  • Intern recruitment, placement and planning of operation processes.
  • For a trainee lawyer; Fulfillment of legal requirements within the scope of professional solidarity within the scope of Attorneyship Law.

For Customer Group:

  • Fulfillment of legal obligations in accordance with electronic commerce and Turkish commercial law.
  • Planning activities for customer satisfaction and/or experience.
  • Ensuring compliance with legal, regulatory and company management obligations and good practice.
  • Preparing the product to be delivered in accordance with the customer order and ensuring that it reaches the customer within the promised delivery time
  • Informing the relevant department in order to transfer the product costs regarding the cancellation or return to the customer's account as soon as possible.
  • Establishing and implementing processes to ensure information security.
  • Reducing the risk to an acceptable level.
  • Risk management.
  • Creating Access Authorization and Control Matrix.
  • Detection of Data Transfer techniques
  • Establishment of data storage processes and methods
  • Determination and execution of remote access methods and processes
  • Sharing anonymous data within the framework of customer-related CRM applications and using the results in decision support systems.
  • Campaign planning, feasibility studies and accurate targeting within the scope of CRM.
  • Preparation and regular follow-up of invoices.
  • Fulfillment of company obligations.
  • Data collection to build customer portfolio.
  • Data collection to bring the out-of-stock product to the customer.
  • Data collection in order to provide refurbishment services to the customer.

For Supplier Group (Supplier, Supplier Official, Supplier Employee):

  • Managing the business process with suppliers.
  • Fulfillment of legal processes and legal requirements such as the contract for the required service.
  • Ensuring communication with the relevant supplier in order to make production on behalf of the company.
  • Establishment of contracts with selected suppliers.
  • Execution of purchases.
  • Monitoring and controlling production processes.
  • Execution of return cancellation processes in communication with the warehouse when there is a missing faulty product after production.
  • Checking and approval of payments.
  • In accordance with the Occupational Health Act and contract.
  • Making and controlling the premium payments to be paid to the employee and the state in accordance with the SSI legislation.
  • Checking whether the employees have qualification documents (certificate, authorization certificate, etc. depending on the job they do)
  • Control of hygiene and working at height documents.
  • Evaluation of the compliance of supplier employees according to the OHS law.
  • Checking whether SGK premium debts are paid or not.
  • Gathering the necessary information and documents in order to establish a legal relationship with the supplier.
  • Managing supplier relationships.
  • Ensuring economical use of company resources and customer-oriented improvement of company operations.
  • Determining warehouse needs and eliminating them quickly and economically.
  • Purchasing the products needed by the company.
  • Preparation of necessary visuals for product promotion and marketing.
  • Providing the necessary human resources at the point of preparing the necessary visuals for product promotion and marketing.
  • Obtaining commitments from the natural or legal person supplier that processes personal data to comply with the obligations that lujurian has to comply with in terms of data security pursuant to KVKK.
  • Checking the fulfillment of the commitments and planning the audits.
  • Foreseeing an indefinite confidentiality obligation for its suppliers.
  • Regulation of the supplier's obligation to notify lujurian as soon as possible in the event that the personal data transferred to the supplier is obtained unlawfully.

For the 3rd Person Group of Claiming:

  • Ensuring compliance with legal, regulatory and company management obligations and good practice.

For the public official, administrative institution employee, representing the authority carrying out the investigation or trial:

  • Providing information and documents that may be needed in the management of legal and administrative processes.
  • Fulfillment of legal obligations.

For Online Visitor:

  • Compliance with legal regulations.
  • Logging of system activities of online visitors and users.

For Shareholder/Partner:

  • Providing information and documents that may be needed in the management of legal and administrative processes

9 TRANSFER OF PERSONAL DATA TO DOMESTIC AND OVERSEAS THIRD PARTIES

Personal data and sensitive personal data belonging to the person group can be transferred to third parties (third party companies, third real persons) by taking the necessary security measures in line with the processing purposes.

9.1 Transfer of Personal Data

Personal data may be transferred to third parties if the conditions stipulated in Article 8 and Article 9 of the KVKK are fulfilled.

Members' e-mail and/or phone numbers can be shared with third parties abroad for singularization and matching. Anonymous information and site usage habits of online visitors who are not members of the site are collected and shared with cookies.

9.2 Third Parties and Purposes of Transfer of Personal Data

Your personal data may be transferred to the following data subject groups:

  • to lujurian business partners,
  • to lujurian suppliers,
  • to lujurian subsidiaries,
  • to the lujurian shareholders,
  • Legally authorized public institutions and organizations,
  • Legally authorized private legal persons.