PRIVACY AND PERSONAL DATA PROTECTION POLICY
1. Introduction

1.1 Purpose and Scope of the Policy

The Personal Data Protection Law No. 6698 (“Law”) entered into force on April 7, 2016. This Privacy and Personal Data Protection Policy (“Policy”) has been prepared to ensure the compliance of Innthebox Yazılım Pazarlama A.Ş. (“InntheBox” or “Company”) with the Law and to determine the principles to be followed by the Company in fulfilling its obligations related to the protection and processing of personal data. The Policy determines the terms of processing of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company under the Law, the data subjects of all personal data processed by the Company, and all personal data processed.

1.2 Enforcement and Amendment

The Policy was published by the Company on its website and presented to the public. In case of conflict between the legislation in force, especially the Law, and the provisions of this Policy, the provisions of the legislation shall apply.

The Company reserves the right to make amendments to the Policy in line with the legal regulations.

2. DATA SUBJECTS RELATED TO PERSONAL DATA PROCESSING ACTIVITIES, PROCESSING PURPOSES AND THE CATEGORIES OF PERSONAL DATA

2.1. Data Subjects

Data subjects within the scope of the Policy are all real persons, other than employees of the Company, whose personal data is processed by the Company.

In this context, the categories of data subjects in general are as follows:

 

| No. | RELATED GROUPS | Remarks |
|---|---|---|
| 1 | Customers | Refers to legal and natural persons who purchase services from the Company. |
| 2 | Supplier/Contractor/Business Partners | Refers to the real-person suppliers who provide products and services to the Company. |
| 3 | Visitors | Refers to the real persons visiting the Company’s campus. |
| 4 | Employee, intern and supplier employee | Refers to persons who work in the Company directly or under contract through the supplier. |
| 5 | Employee Candidate | Refers to real persons who apply for a job by sending CVs to the Company or by other methods. |
| 6 | Third Parties | Refers to real persons other than the employees of the Company and the categories of data subjects mentioned above. |

2.2. Purposes of the Personal Data Processing

Your personal data and special category of personal data can be processed by the Company for the following purposes in accordance with the personal data processing conditions under the Law and the relevant legislation:

| MAIN PURPOSES | SUB-PURPOSES |
|---|---|
| Carrying out, by our business units, the work necessary for data subjects to benefit from the services provided by the Company, and carrying out the relevant business processes | 1. Planning and execution of after-sales support services activities; 2. Planning and execution of customer relationship management processes; 3. Tracking customer demands and complaints; 4. Planning and execution of sales processes of products and services |
| Carrying out, by our relevant business units, the work necessary to conduct the Company’s commercial activities, and carrying out the related business processes | 1. Planning and execution of corporate communication activities; 2. Planning and execution of supply chain management processes; 3. Planning and execution of information access authorizations for business partners and suppliers; 4. Tracking finance and accounting; 5. Planning and execution of logistics activities |
| Planning and Execution of the Company’s Human Resources Policies and Processes | 1. Planning of human resources processes; 2. Fulfillment of contractual and regulatory obligations for employees of the Company; 3. Wage management; 4. Planning and execution of personnel exit procedures; 5. Execution of personnel procurement processes; 6. Monitoring and supervision of employees’ business activities; 7. Planning and execution of in-house training activities; 8. Planning and execution of side benefits and interests for employees; 9. Planning and execution of in-house appointment-promotion and dismissal processes |
| Planning and Execution of the Company’s Commercial and Business Strategies | 1. Management of relationships with business partners and suppliers |
| Ensuring the legal, technical and commercial-business safety of the Company and the data subjects involved in the business relationship with the Company | 1. Ensuring the safety of Company premises and facilities; 2. Ensuring the safety of Company operations; 3. Ensuring the safety of Company fixtures and resources |
| Planning and execution of the activities required to customize the products and services offered by the Company according to the likes, usage habits and needs of the data subjects and recommend them to the data subjects | 1. Planning and execution of production and operation processes; 2. Planning and execution of customer satisfaction activities; 3. Planning and execution of the processes of establishing and increasing the commitment to the products and services offered by the Company |

2.3 Personal Data Categories

Your personal data, which is categorized below by the Company, is processed in accordance with the personal data processing conditions under the Law and related legislation:

| PERSONAL DATA CATEGORIZATION | DESCRIPTION |
|---|---|
| ID Information | All information about the identity of the person in documents such as driver’s license, identity card, place of residence, passport, attorney’s ID, marriage certificate |
| Contact Information | Information regarding communication with the data subjects, such as phone number, address, e-mail |
| Customer Information | Information obtained and produced about the data subject as a result of our business activities and the operations carried out by our business units within this framework |
| Customer Transaction Information | All information, including registrations for the use of our products and services and customer’s instructions and requests for the use of products and services, including contact information about customer employees |
| Process Security Information | Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our business activities |
| Financial Information | Personal data processed in relation to information, documents and records showing all kinds of financial results created according to the type of legal relationship that our Company has established with the personal data subjects |
| Employee Candidate Information | Personal data processed regarding individuals who have applied to become an employee of our Company, who have been evaluated as employee candidates in accordance with the human resources needs of our Company due to commercial practice and good faith, or who have a working relationship with our Company |
| Legal Transaction and Compliance Information | Personal data processed within the scope of the determination and follow-up of our legal receivables and rights, the performance of our debts, our legal obligations and compliance with the policies of our Company |
| Audit and Inspection Information | Personal data processed within the scope of our Company’s legal obligations and compliance with the Company policies |
| Special Category of Data | Individuals’ race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures data, and biometric and genetic data are special category of personal data. |
| Marketing Information | Personal data processed for the marketing of our products and services by customizing them in accordance with the usage habits, likes and needs of the data subject, and the reports and evaluations created as a result of this processing |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of any requests or complaints directed to our Company |
| Reputation Management Information | Information collected in order to protect the commercial reputation of our Company, and the actions taken together with the evaluation reports created in this regard |
| Event Management Information | Personal data processed in order to take necessary legal, technical and administrative measures against developing events in order to protect the commercial rights and interests of our Company and the rights and interests of our customers |

3. PRINCIPLES AND CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

3.1 Principles for the Processing of Personal Data

Your personal data is processed by the Company in accordance with the personal data processing principles under Article 4 of the Law. These principles must be followed for each personal data processing activity:

  • Processing of personal data in accordance with the law and good faith: The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; it attaches importance to processing personal data only to the extent required by the purpose of processing and to taking into account the reasonable expectations of data subjects.
  • Accurate and up-to-date personal data: Attention is paid to whether your personal data processed by the Company is up to date, and checks are carried out in this regard. In this context, data subjects are granted the right to request correction or deletion of their inaccurate and outdated data.
  • Processing of personal data for specific, clear and legitimate purposes: The Company identifies the purposes of data processing before each personal data processing activity and pays attention to ensuring that these purposes are not unlawful.
  • Being relevant, limited and proportionate to the purpose for which personal data is processed: The Company limits itself to the personal data necessary to achieve the purpose of the data processing activity, and the necessary steps are taken so as not to process personal data that is not related to this purpose.
  • Keeping personal data for as long as required by legislation or processing purposes: Personal data is deleted, destroyed or anonymized by the Company after the purpose of personal data processing has disappeared or upon the expiry of the period stipulated in the legislation.

3.2 Terms for the Processing of Personal Data

Your personal data is processed by the Company in the presence of at least one of the personal data processing terms set forth under Article 5 of the Law. Explanations of these terms are as follows:

  • In cases where the explicit consent of the personal data subject exists but other data processing terms do not, the personal data of the data subject may be processed by the Company in accordance with the general principles set forth under heading 3.1, provided that the data subject, with sufficient knowledge of the personal data processing activity and of their own free will, consents in such a way that there is no room for publicity and only to the extent of that transaction.
  • If personal data processing activity is expressly stipulated in law, personal data may be processed by the Company without the explicit consent of the data subject. In this case, the Company will process personal data within the framework of the relevant legal regulation.
  • In the event that the explicit consent of the data subject cannot be obtained due to factual impossibility, the personal data of a data subject who cannot disclose their consent or whose consent cannot be validated will be processed by the Company if personal data processing is mandatory in order to protect the life or bodily integrity of the data subject or a third party.
  • In the event that the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties to the contract established or already signed between the data subject and the Company.
  • In the event that it is mandatory to carry out personal data processing activities in order to fulfill the legal obligation of the data controller, the Company processes personal data in order to fulfill its legal obligations stipulated under the applicable legislation.
  • In the event that the data subject has made their personal data public, personal data that has been disclosed to the public by the data subject in any way, and has been made available to the public as a result of that publicization, may be processed by the Company, even without the explicit consent of the data subject, for the purpose of publicization.
  • In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company will be able to process the personal data of the data subject without the explicit consent of the data subjects within the scope of necessity.
  • If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed by the Company provided that the balance of interests between the Company and the data subject is observed. In this regard, when processing data based on legitimate interest, the Company first determines the legitimate interest it will gain as a result of the processing activity. It then evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject, and performs the processing activity if it is of the opinion that the balance is not disturbed.

3.3 Conditions for the Processing of Special Category of Personal Data

As per Article 6 of the Law, special categories of personal data are specified in a limited number. These are people’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

The Company may process special categories of personal data, by taking the additional measures determined by the Personal Data Protection Board, in the following situations:

  • Special categories of personal data other than health and sexual life can be processed if the data subject gives explicit consent or if the processing is explicitly stipulated under the law.
  • Personal data related to health and sexual life can only be processed without seeking the explicit consent of the data subject by persons or authorized institutions and organizations that are under the obligation to keep secrets, for the purpose of protecting public health, preventive medicine, medical diagnosis, conducting treatment and care services, and planning and management of health services and financing.

4. TRANSFER OF PERSONAL DATA

In accordance with the additional regulations set forth in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company can transfer personal data domestically or abroad where the conditions for the transfer of personal data are met.

  • Transfer of personal data to third parties domestically: your personal data can be transferred by the Company in the presence of at least one of the data processing conditions stipulated under Article 5 and Article of the Law and explained under the 3rd Heading of this Policy, provided that the basic principles of data processing are followed.
  • Transfer of personal data to third parties abroad: in cases where the explicit consent of the person does not exist, your personal data can be transferred abroad by the Company in the presence of at least one of the data processing conditions stipulated under Article 5 and Article of the Law and explained under the 3rd Heading of this Policy, provided that the basic principles of data processing are followed.

In the event that the country to which the transfer will be made is not among the safe countries to be announced by the Personal Data Protection Board, personal data can be transferred to third parties abroad upon the written undertaking of sufficient protection by the Company and the data controller in the relevant country, with the permission of the Personal Data Board for this processing, and in the presence of at least one of the data processing conditions stipulated under Article 5 and Article of the Law (see Heading 3 of the Policy).

Within the scope of the general principles of the Law and the data processing requirements in Article 8 and 9, the Company is able to transfer data to the parties categorized in the following table:

| SHARED PARTY CATEGORISATION | SCOPE | TRANSFER PURPOSE |
|---|---|---|
| Business Partner | Parties based abroad and/or domiciled in Turkey with which the Company has established a joint venture while conducting its commercial activities | Transfer of personal data domestically and abroad in a limited way in order to ensure the fulfillment of the objectives of the business partnership. |
| Companies receiving Supplier / Support Services | Parties that provide services for the Company to continue its business activities in accordance with the instructions they receive from the Company and based on their contract with the Company | Transfer limited to the purchase of outsourced services from the supplier and/or consultants in the fields of law, tax |
| Legally Authorized Public Institution | Public institutions and organizations legally authorized to receive information and documents from the Company | Limited personal data sharing for the purpose of requesting information from relevant public institutions and organizations |
| Private Institution Authorized by Law | Private entities/persons legally authorized to receive information and documents from the Company | Sharing of data limited to the purpose requested by the relevant private entities/persons within the legal authority |

5. ENLIGHTENMENT OF DATA SUBJECTS AND THE RIGHTS OF DATA SUBJECTS

According to Article 10 of the Law, data subjects must be enlightened about the processing of personal data before the processing of personal data or, at the latest, at the time of processing. In accordance with the relevant article, the necessary internal structure has been established in order to enlighten the data subjects in every situation where a personal data processing activity is carried out by the Company as the data controller. In this context:

  • Please refer to Section 2.2 of the Policy for the purpose for which your personal data is processed.
  • For the parties to which your personal data is transferred and for the purpose of transfer, please refer to Section 4 of the Policy.
  • Please refer to sections 3.2 and 3.3 of the Policy to examine the conditions for processing your personal data, which can be collected through different channels in physical or electronic environments.
  • We would like to state that, as a data subject, you have the following rights in accordance with Article 11 of the Law:
      • To find out whether your personal data has been processed,
      • To request information about your personal data if it has been processed,
      • To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
      • To know the third parties to which your personal data is transferred domestically or abroad,
      • To request correction of your personal data in case of incomplete or incorrect processing, and to request notification of the transaction made in this context to the third parties to which your personal data is transferred,
      • To request the deletion or destruction of personal data, even though it has been processed in accordance with the Law and other relevant law provisions, where the reasons that require its processing have disappeared, and to request notification of the transaction made in this context to the third parties to which your personal data is transferred,
      • To object to any result against you that arises from the analysis of the processed data exclusively through automatic systems,
      • To request compensation if you suffer damages due to unlawful processing of your personal data.

Please submit your applications regarding your rights listed above to our Company via the address info@innthebox.com. Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the process requires an additional cost, you may be charged according to the tariff to be determined by the Personal Data Protection Board.