PDPL Policy
Informative Text Pursuant on the Protection of Personal Data Law Number. 6698 Dear Customer, Supplier, Visitor,

Dear Customer, Supplier, Visitor,
The Law numbered 6698 (“Law” or “PDPL”) on the Protection of Personal Data has been enacted on April 7th, 2016. The Law involves regulations on the protection and processing of any kind of personal data and it shall be binding upon any data of identified or identifiable persons.
Hereby, this Protection and Processing of Personal Data Policy introduce the declarations and the explanations adopted by Reha Textile Foreign Industry & Limited Company.  Within this context, the processes involve the following data subjects.
The definitions of the terms used in this Policy are available at the beginning of this document.
Natural persons
Corporate Client Shareholders, Officers, Employees
Potential Customers
Company Officers
Shareholders
Former Employees / Retired Employees
Business Partner Shareholders, Officers, Employees
Supplier Shareholders, Officers, Employees
Employee and Intern Candidates
Business Partner Candidates
Supplier Candidates
Visitors
Press
Third Parties
Data subjects covered by this policy are not limited to the subject categories mentioned above. It applies to all of our employees, business contacts, customers, potential customers, suppliers, our website visitors, all personal data processed by Reha Textile Industry and Limited Company.


Data Processed by Reha Textile
Our company can process general or personal data upon the data subject’s freely given consent or without consent, as referred in Article 5th and 6th of the Law. General and data with special nature processed by our company are stated below, and varies specifically according to various factors such as the data type, relationship type between the data subject and our company (member, customer, employee, service provider, etc), quality and communication tools.
According to the principles in relevant policies and this confidentiality policy, our company can process data according to subjects’ means of relationship with our company -i.e: customer, employer, business partner, service provider, and quality. The processible data are stated below:
Identifying data such as name, surname, occupation, title, employer, education, occupational, gender, marital status, citizenship status, tax obligation data, work experience, and if present parent, legal guardian, or surrogate data.
Data such as date of birth, place of birth, ID number, blood type, religion, and photographs are present in identifying documents like personal IDs, passports, and driver's license.
Communication data such as home, work, temporary residency address, e-mail, or fax number.
Freely given consent of data of subject -a customer or a member- when the subject is logged in into our system or contacted our system using social media.
Communication log data such as phone calls, e-mail, data about purchasing items, and other audial or visual data.
Internet protocol address, device information, unique identifier information, device type, advertisement information, unique device icon, statistics on web page views, incoming and outgoing traffic information, routing URL, internet log information, location information, visited websites and our websites, our platforms, actions carried out through our websites, advertisement, e-mail contents.
The security camera coverage, the number of security cameras, and the matter where surveillance activities will be carried out are put into practice in such a way adequate for the achievement of the security purposes and limited to these purposes. Video recording and footage activities are carried out for the tracking of guests’ entrances-exits our buildings and premises. Video and sound data collecting systems function 24 hours a day, seven days a week.  A limited number of authorized personnel have access to the collected data, and a legal document issued for the protection of personal data has been signed by these persons within the framework of the Personal Data Protection Law No. 6698. Images and sounds that are watched and/or recorded are transferred to third parties depending on the purpose within the scope of the Law on the Protection of Personal Data No. 6698. Data security is protected by the relevant legislation rules within the framework of the intracompany regulations.
Video and sound data are kept for 20 days, except for the exemptions foreseen by the legislation.
Information about the video and audio recordings are declared at the building and facility entrances and on the company's website.


Processing Personal Data
Our Data Processing Policy
Your data may be processed by our company for such reasons and purposes given below.
Processing in accordance with legal and trust grounds, processing data by following the principles of general trust norms, transparency, and acknowledging responsibility, ensuring personal data accuracy and up-to-dateness where necessary, data owners should take the necessary measures to ensure data stored is accurate and up-to-date. In this respect, Reha Textile allows data subjects to update their data on the database and takes necessary precautions for accurate data transfer. Processing for specific, explicit, and legitimate purposes: As Reha Tekstil Industry and Limited Company, we process personal data within the scope and content of our legitimate purposes determined to continue our activities within the framework of the legislation and the usual flow of commercial life. That personal data have to be related, limited, and appropriate for the purposes they are processed for:
Data provided by the subject are processed only for pre-determined explicit and specific purposes that are stated when providing. We avoid processing unrelated and unnecessary personal data. In this respect, unless there is a legal necessity we do not process personal data, or else we ask for explicit consent when the data is to be processed.  Storing personal data no longer than stated in the relevant legislation’s relevant Article. Many legal legislations necessitate storing data for a certain period. In this regard, Reha Textile stores personal data only for the period necessitated by relevant legislation or personal data processing legislation. At the end of the determined retention periods, personal data are deleted, destroyed, or anonymized.


Data Processing Purposes of Reha Textile
Reha Textile Industry and Limited Company processes personal data for not limited but including such reasons given below.
Within the scope of operating our activities, we provide customers support services that are legislated by the contract and within the framework of service standards,  determining the preferences and needs of our customers and shaping and updating the services to be provided, to ensure our legal obligations are fulfilled as required or necessitated by legal regulations.
Articles 5 and 6 of the Law states the conditions for the processing of personal data and data with special nature. Personal data of special nature are limited in the Law, and the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, data on criminal conviction and security measures, as well as biometric and genetic data. Article 5 of the Law determines the processing conditions of non-special personal data, the conditions for processing special data are regulated in Article 6.
According to the related articles, personal data with special nature may be processed in case: personal data subject expresses their explicit consent, there is a regulation about the transfer of personal data by law, the transfer is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving their consent or whose consent is not deemed legally valid, the transferring of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract, the personal data transfer is mandatory for our Company to fulfill its legal obligation, the personal data are made available to the public by the data subject himself, the personal data transfer is mandatory for the establishment, exercise, or protection of any right, it is mandatory for the establishment,exercise or protection of any right, it is mandatory for the legitimate interests of data owner, provided that the transfer shall not violate the fundamental rights and freedoms of the data subject.
The personal data with special nature may only be processed in case:
Personal data subject expresses their explicit consent, there is a regulation in the law of processing personal data with special nature, excluding those relating to health and sexual life, including only personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or unions, convictions and security measures, and the biometric and generic data.
Personal data of special nature related to health and sexual life can be processed only by persons or authorized public institutions and organizations that have confidentiality obligation, for protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
The explicit consent exceptionalities constituted by the law are:
It is explicitly provided for by the laws,
Processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfillment of that contract,
It is mandatory for the establishment, exercise, or protection of any right,
It is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects.


Obligation to Supply Information to the Data Subject
Reha Textile Industry & Limited Company shall fulfill its obligation to supply information as set forth under the PDP Law by providing the below information concerning data subjects at the time of personal data collection.
The identity of the Reha Textile as a data controller and of Reha Textile’s representative,  the purpose of data processing, to whom and for what purposes the processed data may be transferred, the method and legal reasonings  of  personal data collection
The rights of the data subject are:
To learn whether his data are processed or not, to learn the purposes of his data processing and whether this data is used for intended purposes, to know the third parties to whom his personal data are transferred, to request the rectification of the incomplete or inaccurate data, if any and transfer of this request to the third parties, to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for him, to request compensation for the damages arising out of the unlawful processing of his personal data, to request the deletion or destruction of his personal data upon the disappearance of reasons which require the processing of personal data that have been processed in compliance with PDP Law and related provisions of other laws and to request notification of the operations carried out in this context to third parties to whom his personal data has been transferred.
In this context, Reha Textile Industry and Limited Company personal data collection channels have been identified for the fulfillment of the disclosure obligation specific to these collection activities, the data owner is illuminating with the lighting points and texts that have the scope and conditions sought in the PDP Law.


Exercise of Data Subject’s Rights
The data subject shall submit his request relating to the personal data a method specified by PDP Committee or by sending the application to the address Çakmaklı Mah. Katip Sok. No:2/1 Büyükçekmece/İstanbul or to registered electronic mail address rehatekstilas@hs03.kep.tr. The request should be undersigned by the applicant using a secure electronic signature.
To benefit from all rights written above, the data subject’s request should be:
Explicit and specific, must be related to the person of the applicant or if third parties are present on behalf of the data subject, including a documented legal authorization specifically in this matter, and the application must contain the identity and address information and documents proving the identity must be attached.
Reha Textile Industry and Limited Company shall respond to the requests that will be made by the data subject regarding their right of access within thirty days at the latest. If the applicant is a third party applying on behalf of the data subject, a legal power authorization document should be included which is particularly issued for the applicant’s name.
In order to identify whether or not the applicant is a personal data subject, Reha Textile Industry, and Limited Company may request information from the relevant person or to clarify the matters contained in the personal data subject’s application, or may address questions to the personal data subject concerning their application.


The applications regarding personal data
In the following cases, Reha Textile may reject the applicant personal data subjects’ applications by explaining the justifications in case:
In case their personal data are processed for the purposes of official statistics and for the purposes such as research, planning, and statistics through anonymization, their personal data are processed for the purposes of art, history, literature, or science or in the context of the freedom of expression, provided that the data do not violate the privacy of private life or personal rights or that they do not constitute an offense.
Processing Personal Data that is Made Available to the Public by Data Subjects
The application is not based on valid grounds, involves a request against the regulation, the application’s form does not meet the requirements.
Personal Data Security Requirements
Being aware of the importance of data security, Reha Textile Industry & Limited Company takes all necessary technical and executive measures and makes necessary controls to provide an appropriate level of security in order to prevent unlawful processing, unlawful access, and ensure retention of personal data in accordance with the Article 12 of the PDP Law. In this regard, necessary measures have to be executed, controlled, and required urgent actions have to be taken immediately when there is a security risk to ensure the following precautions.

Taking Necessary Technical and Executive Measures to Provide Lawful Data Processing
Data controller Reha Textile Industry & Limited Company is liable for taking any technical, software, hardware, and administrative measures for anonymization of personal data.
Necessary Technical Measures to Provide Lawful Processing of Personal Data

  • All processes related to data processing activities held by Reha Textile Industry and Limited Company are analyzed based on business units. In this context, a personal data processing map is issued. From data collecting to deleting, Reha Textile Industry & Limited Company conducts necessary auditions in their institution or organization in order to implement the provisions of the Law.
  • All personal data processing within Reha Textile Industry and Limited Company is audited with technical systems.
  • Technical measures taken are periodically reported to the concerned according to the internal audit mechanism.

Necessary Administrative Measures to Provide Lawful Processing of Personal Data
Reha Textile Industry & Limited Company informs and educates its employees about personal data protection law and lawful processing of personal data. Reha Textile Industry and Limited Company take necessary precautions to prevent any personal data processing, disclosure and use for the contracts, documents, policies, and regulations pursuant to the PDP law. Access to personal data should be limited to the relevant employees for the purpose of data processing. All means of personal data obtained by the company should not be accessible to all employees. All processes related to data processing activities within Reha Textile Industry and Limited company should be analyzed based on business units and in accordance with these analyses, personal data processing activities should be organized. 
Requests to ensure that the activities of each business unit comply with the personal data processing conditions specified in the PDP Law, each business unit, and the detail that it carries out should be determined specific to the activity. In order to fulfill the legal compliance requirements determined on the basis of business units, awareness should be raised specifically to relevant business units and implementation rules should be determined. The necessary administrative measures should be taken to ensure the supervision of these issues and the continuity of the implementation and the policies, procedures, and training should be implemented.
Technological and Executive Measures to Prevent Unlawful Access to Personal Data
Reha Textile Industry & Limited Company takes technical and executive measures to ensure that personal data is processed in accordance with the law, to prevent the indiscreet or unauthorized disclosure to third parties, access, transfer, or other unlawful access of personal data, and to prevent them from being stored in any other unsafe storage.
Technological Measures to Prevent Unlawful Access to Personal Data
Rexa Textile Industry and Limited Company take up-to-date technological technical measures and these measures are periodically updated and improved. Our Company conducts necessary intracompany technical activities to ensure the lawful processing of personal data. Reha Textile Industry and Limited Company provide technical software for the safety of personal data storage. Personal data is always secured with prepared procedures and policies. Technical measures taken are periodically reported to the concerned pursuant to the internal audit mechanism, and the required technical solution is produced by reevaluating the risks. Required software and systems, including virus protection systems and firewalls, are installed. Technical personnel is employed for technical matters.
Executive Measures Taken to Prevent Unlawful Access to Personal Data
Reha Textile Industry & Limited Company informs and educates its employees about personal data protection law and lawful processing of personal data. Reha Textile Industry and Limited Company ensure business activities are conducted pursuant to intracompany politics and legislations. Awareness-raising activities are organized for employees in accordance with the intracompany policies and legislations. In accordance with the legal compliance requests on the basis of the business unit, Reha Textile Industry and Limited Company designs and exercises personal data access and authorization processes for the company.
Our employees are committed to signing non-disclosure agreements and confidentiality agreements which include they will not be processing any personal data by violating the relevant provisions of the PDP Law and they will not use these data except for their processing purpose, and this liability will continue after they resign. Necessary data security measures are taken to prevent unauthorized access to personal data, and the adequacy of the measures taken is subject to periodic checks to continuously improve the existing data security system.
Retention of Personal Data
In accordance with the Law, personal data is stored only for the period stated or as necessitated by the purpose. Reserving the rights of retention period legislated by the law, we only store personal data for the period necessary for processing. When more than one purpose is present, the purpose of processing is obsolete or the data subject’s request of deletion is valid on legal grounds, then the data is deleted, destroyed, or stored by anonymization in accordance with the PDP Committee regulations.
Measures for Retention of Personal Data
Technical measures
We develop technical infrastructures to provide security to delete, destroy, or anonymize personal data and determine related auditory mechanisms. We perform necessary activities to provide secure storage of personal data and accordingly employ technical experts. By analyzing risks and developing appropriate business continuity and emergency plans, we develop performing plans. We establish security systems in accordance with technological developments regarding personal data storage.
Executive measures
We raise awareness of our employees by informing employees about the technical and executive risks of personal data retention. In the case of cooperation with third parties for the storage of personal data, we form a contract to work with companies that we transfer personal data. To ensure provide secure storage and retention for data subjects, we include necessary provisions.

 

PROCESSING OF PERSONAL DATA BY REHA TEXTILE
As legislated by the Law, Reha Textile Industry and Limited Company informs data subjects for what purpose they process relevant personal data, to whom and for what purposes the processed personal data can be transferred, the method and legal grounds of personal data collection, and the rights of the data owner.
When any process requires explicit consent from the data subject as legislated by the law, RehaTextile Industry and Limited Company request the data subject’s explicit consent after informing them of the provisions above.


Transfer of Personal Data
Domestic Transfer of Personal Data
As Reha Textile Industry and Limited Company, we only transfer personal data in line with legitimate and legal personal data regulations of the PDP Committee.
Reserving the rights of exemptions in the legislation, personal data, and data with special nature are not transferred to other real persons or legal entities without the explicit consent of the data subject.
In exceptional cases stipulated by PDPL and other legislations, the data can be transferred to the authorized administrative or judicial institution or organization without the explicit consent of the data subject, but not by violating the legislation and its limits.
Besides with the exceptional circumstances stipulated by the legislation;
For cases regarding personal data of non-special nature, by taking necessary measures obligated by the PDP Committee personal data of special nature related to health and sexual life can be processed without explicit consent to only by persons or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, preventive medicine, medical diagnosis, exercising treatment and nursing services, planning and management of health-care services as well as their financing.

 

Transfer of Personal Data Abroad
Personal data cannot be transferred abroad without the explicit consent of the data subject. In cases where there is one of the exceptional cases regarding non-special personal data, third parties abroad can only access data if:
The third party is in a country is approved as an adequate country in terms of protection level according to the PDP Committee, the country is not approved by the PDP Committee as an “Adequate Country”, then data controllers in Turkey and abroad commit in writing to provide an adequate level of protection and the PDP Committee has authorized this transfer, then the personal data can be transferred to foreign countries without the explicit consent of the data subject.