As a data controller, Modanisa Elektronik Mağazacılık ve Ticaret A.Ş. (hereinafter referred to as “MODANİSA” or the “Data Controller”) is committed to the principles laid down by the Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu) (hereinafter referred to as the “Personal Data Protection Law”) and the General Data Protection Regulation (“GDPR”) No. 2016/679 of the European Union, and duly complies with its duties arising therefrom in connection with the processing, deletion, destruction, anonymization, and transfer of personal data, the provision of necessary information to data subjects, and data security. We hereby present this Confidentiality and Personal Data Protection Policy (hereinafter the “Policy”) to real persons whose personal data is processed (hereinafter the “data subjects”).
Principles governing the processing of personal data
Criteria for processing personal data
Cases where specific personal data may be processed
Enlightening and informing groups of persons
Categorizing personal data
Purposes of processing personal data
Transferring personal data to third parties in Turkey or abroad
Management, and legal basis, of the processing of personal data
Duration of retaining personal data
Ensuring the security of personal data
Cookies
Legal rights of groups of people, and how to exercise these rights, and relevant contact information
Entry into force, and updates
We comply with the principles laid down by the applicable laws and regulations and the generally applied principles of honesty, integrity and transparency, when processing personal data.
2.2. Ensuring the accuracy of personal data, and updating personal data when necessary
We periodically check and update the personal data processed regarding the relevant groups of data subjects, and take any and all reasonable measures to ensure that such data is accurate and up to date at all times. Accordingly, we develop systems for checking the accuracy of personal data and correcting it where needed. Our members may change and update their personal data by accessing their account at www.modanisa.com.
2.3. Processing for specific, clear and lawful Purposes
We process personal data for specific, clear and lawful purposes. This Policy sets forth the details of the purposes for which the data is to be processed.
2.4. Processing Personal Data only for, limited to, and in proportion with the intended purpose
We process personal data only for, limited to, and in proportion with the intended purpose, and refrain from processing any personal data irrelevant to or unnecessary for such purpose.
2.5. Retaining Personal Data as long as required under the applicable legislation or for the purpose of processing
MODANİSA retains Personal Data only as long as required under the applicable legislation or for the purpose of processing. Accordingly, we check whether the applicable legislation prescribes a certain period for retaining personal data, and retain personal data for such period, if any. In the event that there is no such prescribed period, then we retain personal data only as long as required for the purpose of processing. Once the prescribed period expires, or the reasons for processing personal data no longer apply, we delete, destroy or anonymize personal data in accordance with MODANİSA’s Policy for Retaining and Destroying Personal Data, unless there is a legal requirement requiring otherwise. This Policy gives the details of these retention requirements.
2.6. Integrity, and Confidential Treatment, of Personal Data
Personal data is processed by taking any and all technical and administrative measures to ensure such data’s security, including, but not limited to those affording protection against unauthorized or illegal processing, or accidental loss, destruction or damage.
Explicit consent of data subject is only one of the criteria required for lawful processing of personal data. Personal data may also be lawfully processed if any of the other legitimacy criteria set forth below is met.
The personal data of data subjects is being processed in compliance with the legitimacy criteria given below.
3.1. Clear requirement under the applicable legislation
MODANİSA may process personal data of data subject without their consent, if the applicable legislation clearly requires such processing.
For example, the Law Regulating Electronic Commerce requires MODANİSA to process personal data regarding memberships, commercial electronic authorizations, purchase orders, payments, deliveries, cancellations and returns.
3.2. Physical Impossibility of Getting Data Subject’s Explicit Consent, or Requirement to Process Personal Data for Protecting Vital Interests of the Data Subject or a Third Party
In the event that a data subject’s personal data must be processed in order to protect any other person against death or injury and such data subject is not physically or legally capable of giving their consent, then such data may be processed without this consent. Personal data may also be processed without the explicit consent of the data subject if and when such personal data must be processed in order to protect the vital interests of the data subject or a third party.
3.3. Direct Relevance to Entering into, or Performing, an Agreement
Personal data of a contracting party may be processed if such processing is directly relevant to the execution or performance of a contract to be entered into with such party. For example, the personal data that a person may enter for becoming a member of MODANİSA is directly related to the membership agreement, while the processing of the data on the name and address of the receiver is directly relevant to the performance of a distance sale agreement.
3.4. MODANİSA’s Compliance with a Statutory Requirement
A data processor may process a data subject’s personal data without their consent, if such processing is required in order to comply with a statutory requirement. For example, if a customer returns a product, MODANİSA is required to process such person’s personal data in order to refund the relevant payment.
3.5. Publicized Personal Data
If a data subject publicizes their personal data, then such data may be processed without their explicit consent. If a member is connected to MODANİSA over social media, then the personal data that such member shares publicly on their social media accounts may be freely processed, provided that such processing is relevant and proportional to the member’s intentions when sharing such data.
3.6. Personal Data Required to be Processed for Evidencing or Protecting a Right
If it is necessary to process data for establishing, exercising or protecting a right, then the data subject’s personal data may be processed without their explicit consent. For example, if a Member files a complaint with a consumer arbitration panel, providing the court with the information on the relevant purchase is a form of processing such member’s personal data for evidencing or protecting a right.
3.7. Processing Personal Data Based on Legitimate Interests
MODANİSA may process personal data without the explicit consent of the relevant data subjects, if the legitimate interests of MODANİSA require such processing, provided that it does not violate their fundamental rights or freedoms.
3.8. Processing Personal Data Based on Explicit Consent
In the event that none of the conditions set forth above for processing personal data is met, then data subject’s explicit consent is required. In such event, data subject’s explicit consent should be taken in accordance with the criteria set by the Personal Data Protection Law and the GDPR. For example, in order to process a data subject’s personal data for sending commercial e-mails, their explicit consent is required.
4.1. Processing Sensitive Personal Data based on Data Subject’s Explicit Consent
Sensitive personal data may be processed in accordance with the principles set forth in this Policy, and by taking the necessary administrative and technical measures, if the data subject explicitly consents to such processing.
4.2. Processing Sensitive Personal Data without Data Subject’s Explicit Consent
A data subject’s sensitive personal data, other than medical and sexual data, may be processed without the consent of such data subject for the purposes required under the applicable legislation, provided that the measures set by the Personal Data Protection Council are sufficiently taken. Medical and sexual personal data may be processed only for protecting public health, providing protective medicine, medical diagnosis, treatment and care services, and planning and managing the financing of healthcare services, only by those subject to nondisclosure obligations, or the authorities and agencies authorized for such purposes. For example, medical information related to occupational health and workplace safety may be processed by the workplace MD of MODANİSA.
Identity Information: Name, Surname, Birthday, Gender, Citizen Identity Card No. | Customer – Member customer, visiting customer; Supplier’s representative; Supplier’s employee; Candidate for employment |
Contact Information: Cell phone number, e-mail address, address, postal code, landline number | Customer – Member customer, visiting customer; Supplier’s representative; Supplier’s employee; Candidate for employment |
Location | Customer – Member customer, visiting customer; Supplier’s employee |
Legal Transactions: Agreements, legal information | Customer – Member customer, visiting customer; Supplier’s representative; Supplier’s employee; Candidate for employment |
Customer Transactions: Product(s) purchased, size and color preferences, amount and date of purchase, call center call records, campaigns/games participated, coupons used, order info. | Customer – Member customer, visiting customer |
Transaction Security: Passwords, passcodes, IP information | Customer – Member customer, visiting customer; Online visitor; Supplier’s representative; Supplier’s employee |
Finance: Invoice info, bank account info, financial info, payment, outstanding debt/credit | Customer – Member customer, visiting customer; Supplier’s representative; Supplier’s employee |
Professional experience | Supplier’s employee; Candidate for employment |
Marketing | Customer – Member customer, visiting customer; Online visitor |
Personal data is processed if
- the applicable legislation clearly requires the processing of your personal data;
- MODANİSA needs to process your personal data directly for executing or performing an agreement;
- MODANİSA needs to process your personal data for performing a statutory duty;
- the personal data in question has already been publicized by the data subject in question, provided that such processing does not go beyond the purpose of such publicizing;
- MODANİSA needs to process personal data for evidencing, exercising or protecting any right belonging to MODANİSA, or any data subject or third party;
- MODANİSA needs to process personal data for legitimate purposes, without violating any data subject’s fundamental rights or freedoms;
- MODANİSA needs to process personal data in order to protect the data subject or any third party against death or injury, provided that such data subject or third party is not physically or legally capable of expressing their consent, or it is necessary to process the personal data in order to protect the vital interests of the data subject or a third party.
7.2. Purposes of Processing
MODANİSA processes personal data for the purposes given below:
FOR CUSTOMERS:
Personal Data of Member Customers may be processed for:
- completing membership process;
- presenting, improving or developing services, and providing information in connection therewith;
- performing membership agreements and distance sale agreements;
- announcing promotions, campaigns and benefits, and conducting marketing activities, with the explicit consent of data subjects;
- improving desktop, tablet, mobile platform and mobile app experiences;
- accounting and purchase transactions;
- compliance with legal processes and applicable legislation;
- responding to any information request made by administrative or judicial authorities;
- ensuring data and transaction safety, and preventing malicious use;
- making the necessary arrangements for ensuring that the data processed is accurate and up to date;
- establishing and implementing the processes aiming at ensuring data safety and improving internal processes.
- making available and improving the services provided by MODANİSA, developing new services, and providing information in connection therewith;
- announcing promotions, campaigns and benefits, and conducting marketing activities, with the explicit consent of data subjects;
- improving desktop, tablet, mobile platform and mobile app experiences;
- accounting and purchase transactions;
- compliance with legal processes and applicable legislation;
- responding to any information request made by administrative or judicial authorities;
- ensuring data and transaction safety, and preventing malicious use;
- making the necessary arrangements for ensuring that the data processed is accurate and up to date;
- establishing and implementing the processes aiming at ensuring data safety and improving internal processes.
- managing the business processes conducted with the suppliers;
- complying with statutory requirements and conducting legal matters, such as entering into agreements for necessary services;
- entering into agreements with selected suppliers, and conducting the relevant operations;
- conducting purchase, manufacturing, supply and other similar operations;
- conducting purchase operations, providing post-sale services, and conducting the processes related to returns and cancellations;
- complying with the requirements of the law on occupational health and applicable agreements;
- checking the payment of the premiums required to be made to employees and the state under the Social Security Act;
- checking the licenses of employees (certificates, authorization letters etc.);
- ensuring the frugal use of the company’s resources, and improving the company’s operations for the benefit of customers;
- getting letters from suppliers wherein they undertake to comply with the obligations under the Personal Data Protection Law that MODANİSA needs to comply with regarding personal data security;
- monitoring accounting processes and purchases, checking and approving payments;
- complying with legal proceedings and applicable legislation, performing statutory duties;
- responding to information requests made by administrative and judicial authorities;
- ensuring information and transaction security, and preventing malicious use;
- making necessary arrangements for ensuring that the data processed is accurate and up to date;
- checking the performance of actions undertaken, and planning inspections.
- complying with HR policies, conducting and completing HR processes;
- planning selection and assessment processes regarding job applicants;
- performing the activities required in connection with occupational health and workplace safety;
- conducting the necessary communication for recruiting;
- selecting and assigning trainees, and planning operational processes.
- keeping log entries of system operations by online visitors and users;
- compliance with the legal processes and the applicable legislation;
- responding to information requests made by administrative and judicial authorities;
- ensuring information and transaction security, and preventing malicious use;
- complying with statutory requirements.
8.1. Transferring Personal Data
Personal data and sensitive personal data may be transferred to third parties (legal entities or persons) for certain processing purposes by taking any and all necessary security measures, provided that the conditions set forth in Articles 8 and 9 of the PDPL are met.
Personal data may also be transferred abroad given the software and server infrastructure used or outsourced.
The Personal Data Protection Agency has not yet announced its lists of secure countries, and accordingly personal data may be transferred abroad under Article 9 of the PDPL with the explicit consent of data subjects.
8.2. Third Party Transferees of Personal Data
Your personal data may be transferred to the categories of people listed below:
- MODANİSA’s business partners,
- MODANİSA’s suppliers,
- MODANİSA’s subsidiaries,
- MODANİSA’s shareholders,
- Public authorities and entities authorized by law
- Private legal entities authorized by law
The Company processes your personal data that it receives electronically or physically, by using methods that are fully or partially automatic, or that are not automatic but are part of a data recording system, on the legal grounds given below for each category of persons, in accordance with Article 5 of the PDPL and the relevant provisions of the GDPR, for the purposes given in this Policy.
For Clients (Members and Visitors):
- Protecting rights and interests of the Clients;
- Granting certain rights and privileges to the Clients for business purposes;
- Maintaining and developing intracompany activities;
- Performing the duties imposed by the applicable laws and regulations;
- Processing personal data of contracting parties, if and when directly necessary for executing or performing an agreement;
- Processing personal data for legitimate interests of the data controller, such as entering the Clients’ purchase orders to the relevant bookkeeping and analysis software, to ensure the sustainability of the business, provided that such processing does not violate the Clients’ fundamental rights and freedoms;
- The Client’s express consent.
- Performing a legal duty imposed on the data processor;
- Processing personal data of contracting parties, if and when directly necessary for executing or performing an agreement;
- Processing personal data for the data processor’s legitimate interests, such as keeping the contact details of the relevant parties to maintain business and ensure fast and effective communications;
- The Supplier’s/Business Partner’s express consent.
- Processing personal data of contracting parties, if and when directly necessary for executing or performing an agreement;
- Processing personal data for the data processor’s legitimate interests, such as keeping and analyzing personal data for any recruitment in the future, provided that such processing does not violate potential employees’ fundamental rights and freedoms;
- The Potential Employee’s express consent.
- Processing personal data of contracting parties, if and when directly necessary for executing or performing an agreement
- Processing personal data for the data processor’s legitimate interests, such as analyzing the most visited pages for business development purposes, provided that such processing does not violate online visitors’ fundamental rights and freedoms;
- The Online Visitor’s express consent.
Please find below information on how long MODANİSA retains personal data that it processes, and the legal basis of such processing.
Identity | 15 years starting from the end of the legal relationship | Law No. 6563 Regulating Electronic Commerce (6563 Sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun), Turkish Code of Commerce No. 6102 (6102 Sayılı Türk Ticaret Kanunu), Turkish Code of Obligations No. 6098 (6098 Sayılı Türk Borçlar Kanunu), Tax Procedure Code No. 213 (213 Sayılı Vergi Usul Kanunu), Consumer Protection Law No. 6502 (6502 Sayılı Tüketicinin Korunması Kanunu), Labor Code No. 4857 (4857 Sayılı İş Kanunu), Occupational Health and Workplace Safety Law No. 6331 (6331 Sayılı İş Sağlığı ve Güvenliği Kanunu) |
Contact | 10 years starting from the end of the legal relationship | Law No. 6563 Regulating Electronic Commerce, Turkish Code of Commerce No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Code No. 213, Consumer Protection Law No. 6502, Labor Code No. 4857, Occupational Health and Workplace Safety Law No. 6331 |
Location | 10 years starting from the end of the legal relationship | Law No. 6563 Regulating Electronic Commerce, Turkish Code of Commerce No. 6102, Turkish Code of Obligations No. 6098 |
Litigation | 10 years starting from the final decision | Civil Litigation Procedure Code No. 6100 (6100 Sayılı Hukuk Muhakemeleri Kanunu), Criminal Litigation Procedure Code No. 5271 (5271 Sayılı Ceza Muhakemeleri Kanunu) |
Customer transactions | 10 years starting from the end of the legal relationship | Law No. 6563 Regulating Electronic Commerce, Turkish Code of Commerce No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Code No. 213, Consumer Protection Law No. 6502, Law No. 5651 for Regulating Online Broadcasts and Combatting Crime Committed by way of such Broadcasts (Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts) |
Transaction security | 2 years | Law No. 5651 for Regulating Online Broadcasts and Combatting Crime Committed by way of such Broadcasts |
Finance | 10 years starting from the end of the legal relationship | Law No. 6563 Regulating Electronic Commerce, Turkish Code of Commerce No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Code No. 213, Consumer Protection Law No. 6502 |
Marketing | Throughout the legal relationship |
We take any and all technical and physical measures to prevent unauthorized access to personal data. Within this context, we design our authorization system allowing access to personal data on a need to know basis. We take more strict measures to ensure the security of sensitive personal data, such as medical data. We conduct a security check and apply an internal screening process on any person authorized to access data, and provide such persons with trainings on their duties and responsibilities.
We keep records of access to personal data, to the extent permitted by available technical capacities, and periodically analyze these records. We launch internal inspections, and take immediate legal action, when we detect unauthorized access.
MODANİSA takes the following security measures to ensure the security of the data that it processes:
- The network and application security is ensured.
- A closed system network is used to transfer data through a network path.
- Key method is used.
- Security measures are taken, in the scope of supply, development and maintenance of information technologies systems.
- The security of personal data stored on cloud is ensured.
- There are disciplinary regulations, involving data security provisions for employees.
- Data security and awareness themed periodical trainings for employees are arranged.
- Authorization matrix for employees is formed.
- Access logs are kept regularly.
- Corporate policies on access, information security, retention and destruction have been created and put into effect.
- Confidentiality agreements are made.
- Mission-based authorizations of employees who change positions or quit their jobs are revoked.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Concluded agreements contain data security provisions.
- Additional security measures are taken for personal data that are transferred in printed form, and the relevant papers are sent as classified documents.
- Personal data security policies and procedures are set.
- Personal data security issues are reported without delay.
- Personal data security is monitored continuously.
- Necessary security measures are taken for access to physical media containing personal data.
- Physical media containing personal data is secured against external risks (such as fire, flood, etc.).
- Physical media containing personal data is secured.
- Personal data is minimized as much as possible.
- Personal data is backed up, and the backups are secured.
- Periodical/random in-house inspections are conducted.
- Log records are kept free from user intervention.
- Current risks and threats are determined.
- Policies and procedures for ensuring the security of sensitive personal data are specified and executed.
- When sending sensitive personal data by e-mail, such data is sent in encrypted form from a registered or corporate e-mail address.
- Attack detection and prevention systems are used.
- Penetration tests are run.
- Sensitive private data is encrypted before being transferred on a flash disk, CD or DVD.
- Data processing service providers are periodically inspected for data security purposes.
- Data processing service providers’ awareness on data security is raised.
Article 11 of the Personal Data Protection Law lists the rights that may be exercised by groups of persons as follows:
- Get information on whether or not personal data has been processed;
- Ask for information on how personal data has been processed;
- Get information on the purpose of processing personal data, and check whether or not personal data has been duly processed for this purpose;
- Learn the identity of third parties to whom personal data has been transferred in Turkey or abroad;
- Request the correction of any missing or incorrect personal data;
- Ask for the deletion or destruction of personal data in accordance with the conditions set forth in Article 7 of the Personal Data Protection Law, and the notification of the action taken under the said Article to any and all third parties to whom personal data has been transferred;
- Object to any unfavorable consequence of the analysis of personal data exclusively by automated systems;
- Claim damages arising from unlawful processing of personal data.
Data subjects’ rights on their personal data are set forth in the 3rd Chapter of the GDPR (from Article 12 to Article 23) as follows:
- You may withdraw your consent if your personal data is being processed based on your express consent;
- You may demand the restriction of the processing of your personal data where one of the following applies:
- You contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of your personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- Your personal data are no longer needed for the purposes of the processing, but you require such data for establishment, exercise or defense of legal claims;
- You have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether our legitimate interests override your rights.
- You may object to the processing of your personal data if your personal data are processed for protecting public interests or based on the data controller’s authority under the applicable law or the legitimate interests of the data controller or a third party, including by way of profiling;
- You have the right to access the following:
- The verification of the processing of your personal data, the purposes of the processing and the categories of personal data concerned;
- The recipients or categories of recipients to whom your personal data have been or will be disclosed; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of the right to request the rectification or erasure of personal data or restriction of processing of personal data, and the existence of the right to lodge a complaint with a supervisory authority;
- Any available information as to the source of your personal data, if not directly collected from you; and
- The existence of automated decision making mechanisms that we use, including profiling, meaningful information about the logic involved as well as the envisaged consequences of such processing for you, and the significant information.
- You may have your personal data transferred to you or another data controller, if that is technically possible, in an organized, usable and machine readable format, if your personal data are processed based on your express consent, or a contractual provision, by using automated mechanisms.
- You may get information on the existence of automated decision making processes, including profiling, the logic involved and their possible consequences and significance for you.
14.3. Principles Governing the Exercise of Rights on Personal Data
Data subjects may exercise their rights on personal data by filling in the Personal Data Protection Application Form available at www.modanisa.com, signing it by mobile signature and e-signature, or using their e-mail address registered and approved by our System, and sending it to our registered e-mail address modanisa@hs03.kep.tr or our e-mail address kisiselverilerim@modanisa.com. You may also file your applications in printed form by hand signing your application and sending it to Kuşbakışı Cad. No:27 Altunizade, Üsküdar/İstanbul. You may also use the same address for any notice that you would like to give through a notary public regarding your claims.
We will respond in 30 days following any application filed in line with the procedure set forth above and in the Personal Data Protection Law. If your application is rejected, you find our response insufficient or we fail to timely respond to your application, you may file a complaint with the Personal Data Protection Board within 30 days following your receipt of our response, and in any event, 60 days after your application.
We appointed a data protection officer (a “DPO”) under the GDPR to ensure the transparency and accuracy of the processing of your personal data and the relevant compliance. You may contact our Data Protection Officer at dpo@modanisa.com.
You may find the personal data protection application form at this link
Modanisa.com’s contact details are as follows:
Modanisa Elektronik Mağazacılık ve Tic. A.Ş.
Address: Altunizade Mahallesi Kuşbakışı Cad. No:27/1 Üsküdar/İstanbul
Telephone: 0850 333 64 72 (NISA)
E-mail: kisiselverilerim@modanisa.com