1. Introduction
Pursuant to Article 20 of the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. In line with this constitutional right, this Personal Data Protection Policy has been prepared by ER-BA TEKSTİL SANAYİ VE TİCARET LİMİTED ŞİRKETİ (“ERBA”), acting in the capacity of Data Controller, in order to ensure the secure processing and protection of personal data belonging to real persons, including company employees, job applicants, interns, suppliers, supplier employees, subcontractors, subcontractor employees, third parties, and visitors. ERBA has taken all necessary administrative and technical measures to protect personal data processed in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”) and related secondary legislation.
2. Purpose
The primary purpose of this Policy is to ensure the security of personal data processed—either automatically or non-automatically as part of any data recording system—through lawful data processing activities and the implementation of administrative and technical measures, particularly for employees and all real persons with whom ERBA maintains legal and commercial relationships.
3. Scope
This Policy covers all personal data processed by ERBA relating to employees, subcontractors, subcontractor employees, suppliers, supplier employees, job applicants, interns, third parties, and visitors, whether processed automatically or non-automatically as part of a data recording system.
4. Purposes of Processing Personal Data
ERBA processes personal data for the following purposes:
- Conducting corporate sustainability activities
- Managing relationships with suppliers and subcontractors
- Managing recruitment and personnel procurement processes
- Conducting internal audit and legal processes
- Carrying out corporate governance and communication activities
- Managing requests and complaints
- Providing information to authorized persons or institutions as required by legislation
- Creating and monitoring visitor records
Where the processing activity does not meet any of the conditions stipulated under Law No. 6698, or where special categories of personal data are involved, explicit consent is obtained from the data subjects.
5. Principles of Personal Data Processing
ERBA processes personal data in accordance with the following fundamental principles:/p>
- Processing personal data lawfully and in good faith
- Ensuring accuracy and keeping data up to date when necessary
- Processing for specific, explicit, and legitimate purposes
- Processing data in a manner that is relevant, limited, and proportionate
- Retaining personal data for the period required by relevant legislation or for the purpose of processing
- Informing and notifying data subjects
- Establishing systems to enable data subjects to exercise their rights
- Taking necessary administrative and technical measures to ensure data security
- Acting in compliance with legislation and Personal Data Protection Board regulations when transferring data to third parties
- Showing due care in processing special categories of personal data and obtaining explicit consent
6. Conditions for Processing Personal Data
ERBA processes personal data under the following conditions:
- Where explicitly stipulated by law
- Where necessary for the establishment or performance of a contract
- Where required to fulfill ERBA’s legal obligations
- Where the personal data has been made public by the data subject
- Where processing is necessary for the establishment, exercise, or protection of a right
- Where processing is necessary for ERBA’s legitimate interests, provided that fundamental rights and freedoms of the data subject are not harmed
- Where processing is mandatory to protect the life or physical integrity of the data subject or another person, and consent cannot be obtained due to physical or legal incapacity
7. Ensuring the Security of Personal Data
ERBA takes all necessary technical and administrative measures to ensure the lawful processing and protection of personal data in line with current technological capabilities, including but not limited to:
- Periodic audits by the IT Department
- Training employees to raise awareness of personal data protection
- Defining processing activities, processors, and responsibilities and executing data processing agreements
- Limiting access rights and regularly reviewing authorization matrices
- Implementing antivirus software, firewalls, and security systems
- Conducting regular vulnerability and security scans
- Logging access to data storage areas and monitoring unauthorized access attempts
- Using lawful backup programs for secure data storage
8. Rights of the Data Subject and Application Procedure
Pursuant to Article 11 of Law No. 6698, data subjects have the right to:
- Learn whether their personal data is processed
- Request information if their personal data has been processed
- Learn the purpose of processing and whether it is used accordingly
- Know third parties to whom personal data is transferred domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of personal data under legal conditions
- Object to outcomes against themselves resulting from automated processing
- Request compensation for damages arising from unlawful processing
Applications may be submitted using the Application Form available on our website. Requests are concluded free of charge within 30 days depending on their nature.
9. Retention Periods and Disposal Methods
ERBA retains personal data for the periods specified under applicable legislation and its Personal Data Retention and Disposal Policy. Where no specific retention period is stipulated, data is retained in accordance with business practices and subsequently deleted or destroyed. CCTV records are deleted periodically in accordance with internal policies.
10. Categories of Data Subjects and Data Types
Personal data processed includes data relating to employees, job applicants, interns, suppliers, supplier employees, subcontractors, subcontractor employees, third parties, and visitors. Data categories include identity, contact, address, education, financial, employment, health, biometric, and visual data as permitted by law.
11. Transfer of Personal Data
ERBA may transfer personal data in compliance with Articles 8 and 9 of Law No. 6698 to:
- Senior executives and authorized personnel of ERBA
- Technical service providers
- Data storage service providers
- Legally authorized public institutions and judicial authorities
ERBA does not transfer personal data abroad.
12. CCTV Monitoring Activities
CCTV monitoring is conducted in accordance with Law No. 6698, relevant legislation, and ERBA’s CCTV Policy to ensure security and safety. Recordings are shared only with authorized parties and data subjects are duly informed.