EVELUX TRAFİK GÜVENLİK SİSTEMLERİ VE REFLEKTİF ÜRÜNLERİ TİC. A.Ş.
PERSONAL DATA PROTECTION AND PRIVACY POLICY
1. INTRODUCTION
As EVELUX TRAFFIC SAFETY SYSTEMS AND REFLECTIVE PRODUCTS INC., we attach great importance to the protection of the personal data of all real persons with whom we come into contact in any way while carrying out our commercial activities, as well as to the full implementation of the requirements set out in the Law on the Protection of Personal Data No. 6698 (“KVKK” or the “Law”) since its entry into force.
This Personal Data Protection and Privacy Policy (“Policy”) has been prepared to inform you about the processes and principles regarding the recording, collection, use, sharing, and storage of personal data by EVELUX.
In this Policy, the principles regarding the processing of personal data belonging to data subjects by EVELUX are set out in accordance with the order of regulation contained in the KVKK, and these explanations cover our employees as well as our active and potential real and legal entity customers.
2. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
A. DEFINITIONS
Definitions of the terms and abbreviations included in this Privacy Policy are listed below:
Data Subject
Refers to the natural person whose personal data is processed. Within the scope of the KVKK, only data belonging to natural persons are covered by the law. The data of legal entities are not subject to this law unless they contain information relating to an identifiable natural person.
Personal Data
Refers to any information relating to an identified or identifiable natural person. For data to be considered personal, it must relate to a real person who is identifiable or can be identified.
The concept of personal data includes all information about an individual, provided that the individual is identifiable or can be identified. In this context, not only information that reveals a person’s identity, such as name, surname, date, and place of birth, but also data such as phone number, vehicle license plate, social security number, passport number, résumé, photograph, image and voice recordings, fingerprints, genetic information, IP address, e-mail address, hobbies, preferences, contacts, group memberships, and family information — all of which make a person directly or indirectly identifiable — are considered personal data.
Sensitive Personal Data
Sensitive personal data include information about a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Explicit Consent
Refers to consent that is based on information and given freely with regard to a specific subject. There is no formal requirement for the declaration of explicit consent; what matters is that the consent includes the elements defined in the Law and can be proven.
Therefore, explicit consent may be obtained verbally, in writing, or through electronic means. However, when provided in writing, consent statements should be clear, understandable, and concise. Additionally, explicit consent must include a positive declaration of intent.
Data Controller
Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. These may be individuals or legal entities such as public institutions, companies, associations, or foundations. The data controller is the person who can answer the questions “why” and “how” regarding a data processing activity.
Data Processor
Refers to a natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the latter. The activities of the data processor are limited mainly to the technical aspects of data processing. It is essential that the data processor carries out its activities based on the instructions received from the data controller.
Obligation to Inform
The data controller or the authorized person must inform the data subject about the identity of the data controller (and its representative, if any), the purpose of processing, to whom and for what purpose the data may be transferred, the method and legal basis for data collection, and other rights listed in Article 11 of the Law. Fulfillment of this obligation to inform does not depend on the consent of the data subject.
Personal Data Retention and Disposal Policy
Refers to the policy used by data controllers as a basis for determining the maximum period necessary for processing personal data and for performing deletion, destruction, or anonymization operations.
Personal Data Processing Inventory
Refers to the inventory created by data controllers in relation to their business processes, which associates personal data processing activities with purposes of processing, data categories, groups of recipients, and categories of data subjects; and details the maximum storage period necessary for each purpose, cross-border data transfers, and measures taken to ensure data security.
Application Form
Refers to the document that allows data subjects to exercise their rights, such as learning whether their personal data has been processed, requesting information about such processing, learning the purpose of processing and whether it has been used accordingly, knowing the third parties to whom data has been transferred domestically or abroad, requesting correction of incomplete or inaccurate data, requesting deletion or destruction of personal data, requesting notification of such operations to third parties, objecting to any result arising against themselves through analysis by automated systems, and requesting compensation in case of damage due to unlawful processing of personal data.
EVELUX processes personal data in accordance with the procedures and principles set forth in the Personal Data Protection Law (KVKK) and other relevant legislation. In this context, EVELUX ensures full compliance with the following principles stipulated in the KVKK when processing personal data.
• Lawfulness and fairness:
EVELUX carries out its data processing activities within the boundaries of the Turkish Constitution, the KVKK, and all other applicable legislation, as well as in accordance with the principle of good faith.
• Accuracy and being up to date when necessary:
EVELUX takes the necessary measures to ensure that personal data are accurate and kept up to date, and provides the data subjects with opportunities to make necessary corrections or updates so that the data reflect the real situation.
• Being processed for specific, explicit and legitimate purposes:
EVELUX processes personal data only for legitimate purposes that are clearly defined and lawful. No processing is carried out for any purposes other than those specified. Personal data are processed only when necessary and only in connection with the relationship established with the data subjects.
• Being relevant, limited and proportionate to the purpose for which they are processed:
EVELUX processes personal data in a manner suitable, relevant, and limited to achieving the intended purpose, in compliance with the KVKK and other relevant legislation, and avoids the processing of unnecessary data.
• Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed:
Personal data processed by EVELUX are retained only for the period stipulated in the relevant legislation or for as long as necessary for the purposes of processing. If a specific retention period is defined by law, EVELUX complies with it; otherwise, data are stored only for as long as required by the purpose of processing.
EVELUX processes personal data in accordance with the conditions specified below. Except for the cases stipulated in the KVKK, EVELUX processes personal data only with the explicit consent of the data subject. However, in the following cases listed in the KVKK, personal data may be processed without the explicit consent of the data subject:
• When explicitly stipulated by law,
• When it is necessary for the protection of the life or physical integrity of the data subject or another person, who is unable to express consent due to actual impossibility or whose consent is not legally valid,
• When it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of such contract,
• When it is necessary for the data controller to fulfil its legal obligations,
• When the personal data have been made public by the data subject,
• When processing is necessary for the establishment, exercise, or protection of a right,
• When processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
EVELUX exercises special care in the processing of sensitive personal data, which are considered to require greater protection for various reasons. Such data are not processed without the explicit consent of the data subject, except in cases permitted by law and provided that adequate safeguards determined by the Personal Data Protection Board are taken.
Sensitive personal data other than those related to health and sexual life may be processed without the explicit consent of the data subject when stipulated by law. However, data concerning health and sexual life may only be processed without explicit consent under confidentiality obligations and with adequate safeguards, for the following purposes:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Conduct of treatment and care services,
• Planning and management of healthcare services and their financing.
For data processing activities requiring the explicit consent of the data subject, EVELUX has prepared explicit consent statements both for its employees and for its customers. In these consent statements, in line with the relevant EU regulations forming the basis of the KVKK, data subjects are provided with a clear choice to allow or deny the processing of their personal data by EVELUX, and they are informed of the possible consequences of not giving consent.
Personal data obtained by EVELUX may be processed for the following purposes:
Personal data obtained by EVELUX are securely stored, in physical or electronic form, for an appropriate period to enable the company to carry out its commercial activities. In these processes, EVELUX fully complies with all obligations stipulated under the KVKK and relevant legislation.
Unless longer retention is permitted or required by applicable laws, personal data are deleted, destroyed, or anonymized—either automatically or upon the request of the data subject through the attached application form—once the purposes for processing cease to exist, in accordance with the EVELUX Personal Data Retention and Destruction Policy.
When personal data are destroyed by various methods, such data are rendered irretrievable and unusable. However, in cases where the data controller has a legitimate interest, personal data may be retained for up to ten (10) years, corresponding to the general statute of limitations under the Turkish Code of Obligations, provided that such retention does not harm the fundamental rights and freedoms of the data subjects. After the expiration of this limitation period, the data are deleted, destroyed, or anonymized following the above-mentioned procedure.
EVELUX exercises due care to comply with the conditions set forth in the Personal Data Protection Law (KVKK) regarding the sharing of personal data with third parties, without prejudice to the provisions contained in other laws. In this context, personal data are not shared with third parties by EVELUX without obtaining the explicit consent of the data subject. However, if one of the conditions listed below under the KVKK is met, personal data may be transferred without the explicit consent of the data subject:
• When explicitly stipulated by law,
• When it is necessary to protect the life or physical integrity of a person who is unable to give consent due to actual impossibility or whose consent is not legally valid, or of another person,
• When it is necessary to process the personal data of the parties to a contract, provided that such processing is directly related to the conclusion or performance of the contract,
• When it is necessary for the data controller to fulfil its legal obligations,
• When the data have been made public by the data subject,
• When it is necessary for the establishment, exercise, or protection of a right,
• When it is necessary for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject.
Provided that adequate safeguards are implemented, personal data other than those concerning health and sexual life may be transferred without explicit consent if permitted by law.
Personal data relating to health and sexual life may also be transferred, without the explicit consent of the data subject, for the following purposes, provided that confidentiality obligations are observed and sufficient safeguards are taken:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Execution of treatment and care services,
• Planning and management of healthcare services and their financing.
When transferring special categories of personal data, EVELUX fully complies with the conditions stipulated for the processing of such data.
Regarding the transfer of personal data abroad, EVELUX acts in accordance with Article 9 of the KVKK, which requires the explicit consent of the data subject.
However, if one of the lawful processing conditions (including those related to sensitive personal data) exists, personal data may be transferred abroad without explicit consent, provided that the foreign country ensures an adequate level of protection.
If the country to which the data will be transferred is not among those deemed by the Personal Data Protection Board (“the Board”) to provide adequate protection, EVELUX and the data controller/data processor located in that foreign country must undertake adequate protection in writing and obtain authorization from the Board prior to transfer.
Pursuant to Article 10 of the KVKK, data subjects must be informed before or at the time of obtaining personal data. Under this obligation to inform, the following details must be provided to the data subject:
• The identity of the data controller and, if any, its representative,
• The purpose for which the personal data will be processed,
• To whom and for what purpose the processed personal data may be transferred,
• The method and legal basis of collecting personal data,
• The rights of the data subject as set forth in Article 11 of the KVKK.
To fulfil this obligation, EVELUX has prepared and implemented information notices specific to each process and data subject category.
However, pursuant to Article 28/2 of the KVKK, EVELUX shall not be obliged to inform the data subject in the following cases:
• When the processing of personal data is necessary for the prevention of crime or for a criminal investigation,
• When the personal data have been made public by the data subject,
• When personal data are processed by authorized public institutions, organizations, or professional bodies with public institution status, on the basis of the authority granted by law, for the purpose of carrying out audit, supervision, or disciplinary investigations,
• When personal data processing is necessary for protecting the economic and financial interests of the State in matters related to budget, taxation, or financial affairs.
EVELUX has taken all necessary measures to ensure that the data subjects can exercise the rights granted to them under Article 11 of the KVKK regarding the personal data processed in accordance with this Policy. These rights include:
a) To learn whether personal data are being processed,
b) To request information if personal data have been processed,
c) To learn the purpose of processing and whether personal data are used in accordance with their purpose,
d) To know the third parties to whom personal data are transferred, whether within or outside Turkey,
e) To request correction of personal data if they are incomplete or inaccurate,
f) To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
g) To request that the operations carried out pursuant to items (e) and (f) be notified to third parties to whom the data have been transferred,
h) To object to any result arising to their detriment through the exclusive analysis of processed data by automated systems,
i) To request compensation for damages incurred as a result of unlawful processing of personal data.
Data subjects may exercise the above rights by completing and signing the Data Subject Application Form (Annex 1 of this Policy), attaching a photocopy of their ID, and sending it to the official address of EVELUX via registered mail with return receipt.
Detailed instructions on how to fill out and submit the form are provided in the Application Form attached as Annex 1.
EVELUX shall provide its response to such applications to the data subject in either physical or electronic form. Requests will be handled as soon as possible and within thirty (30) days at the latest, free of charge. However, if the requested action incurs a cost, EVELUX may charge the applicant according to the fee schedule determined by the Board. EVELUX may request additional information or documentation from the applicant during the evaluation process.
In accordance with Article 12(1) of the KVKK, EVELUX takes all necessary technical and administrative measures to ensure an appropriate level of security for the protection of personal data. The measures adopted by EVELUX are outlined below:
Within the scope of administrative precautions:
• Company employees have been trained and made aware of their responsibilities under the KVKK.
• Necessary corporate policies have been established.
• VERBIS (Data Controllers Registry) notification has been duly completed.
• A Personal Data Processing Inventory has been prepared.
• Confidentiality undertakings have been executed.
• In the event that personal data are unlawfully obtained by others, EVELUX will notify both the affected data subjects and the Board as soon as possible.
Within the scope of technical precautions:
• Network and application security are ensured.
• Personal data transferred over the network are transmitted via a closed system network.
• Up-to-date antivirus software is used.
• Firewalls are implemented.
• The security of environments containing personal data is maintained.
• Personal data are backed up, and the security of backups is ensured.
• Intrusion detection and prevention systems are in place.
• Data masking is applied when necessary.
• Policies and procedures for personal data security are defined.
• Data minimization principles are implemented.
• Specific protocols and procedures for the protection of sensitive personal data have been developed and implemented.
• Physical environments containing personal data are protected against external risks.
• Access rights of employees who change roles or leave the company are revoked.
• Security measures are applied in the procurement, development, and maintenance of IT systems.
• Personal data are destroyed irreversibly, leaving no audit trail.
• In compliance with Article 12 of the KVKK, digital media storing personal data are protected using encryption or cryptographic methods that meet information security standards. Physical storage media are safeguarded with appropriate physical measures and entry-exit logs are maintained.
EVELUX records and processes visual data (video surveillance) in accordance with the fundamental principles set out in this Policy and the KVKK, for purposes including ensuring the general and commercial security of its facilities and workplaces, monitoring personnel entry and exit, and supporting operational activities.
The video records are securely stored in physical or electronic form for an appropriate period in line with their processing purpose.
In locations where video recording takes place, notices are visibly displayed to inform data subjects.
EVELUX fully complies with all obligations regarding the protection of personal data under the KVKK and other relevant legislation in the course of such activities.
No video surveillance is conducted in areas where privacy expectations are high.
• Software Companies
• Banks
• Insurance Companies
• Revenue Administration
• Tax Inspection Board
• Trade Registry Office and Trade Registry Gazette
• Notaries
• Social Security Institution (SGK)
• Turkish Employment Agency (İŞKUR)
• Law Firms
• Courts and Enforcement Offices
• Certified Public Accountants and Accountants
• Municipalities
• Chambers and Professional Associations