Purpose and Scope of the Policy
This Personal Data Protection and Processing Policy (the “Policy”) has been prepared to provide information on the personal data processing activities carried out by Universal Export A.Ş. (the “Company”) within the scope of its operations, as well as the rules and principles forming the basis of such activities.
This Policy applies to all natural persons whose personal data is processed by the Company, excluding Company employees. Legal entities and information belonging to legal entities are not covered by this Policy.
Definitions Used in the Policy
The definitions set forth in this Policy shall be construed as follows. Any terms not expressly defined herein shall be deemed to have the meanings assigned to them under, primarily, the Law No. 6698 on the Protection of Personal Data and the secondary legislation enacted thereunder.
| Explicit Consent | Consent relating to a specific subject, based on information and expressed with free will. |
| Employee | A natural person who has an employment-like relationship with the Company and its affiliates under an employment contract or mandate agreement. |
| Electronic Environment | Environments in which personal data can be created, read, modified, and written through electronic devices. |
| Non-Electronic Environment | All written, printed, visual, and similar environments other than electronic environments. |
| Data Subject | The natural person whose personal data is processed. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law | The Law No. 6698 on the Protection of Personal Data. |
| “KVKK” | The Law No. 6698 on the Protection of Personal Data. |
| Recording Environment | Any environment where personal data processed fully or partially by automatic means, or by non-automatic means provided that it forms part of a data recording system, is stored. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | The inventory in which data controllers detail their personal data processing activities based on business processes, by associating such activities with processing purposes and legal grounds, data categories, recipient groups, and data subject groups, and by specifying maximum retention periods, personal data intended for transfer abroad, and data security measures. |
| Anonymization of Personal Data | Under this Policy, the process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data, including any amendments that may be made to the Regulation from time to time. |
| Processing of Personal Data | Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether fully or partially by automated means or by non-automated means as part of a data recording system. |
| Deletion of Personal Data | Under this Policy, the process of rendering personal data inaccessible and non-reusable for relevant users in any way, including any amendments that may be made to the Regulation from time to time. |
| Destruction of Personal Data | Under this Policy, the process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any manner, including any amendments that may be made to the Regulation from time to time. |
| Board | The Personal Data Protection Board. |
| Authority | The Personal Data Protection Authority. |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy when all conditions for processing personal data under the Law cease to exist. |
| Policy | This Policy and all other policies that may be adopted in the future. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Controller Contact Person | The natural person notified to the Data Controllers Registry by the Data Controller Company during registration in order to ensure communication with the Authority regarding obligations arising under the Law and secondary legislation. As of the effective date of this Policy, Serkan Ayverdi has been designated for registration with VERBİS as the Data Controller Contact Person. |
| Regulation | The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017. |
Effective Date and Updates
This Policy entered into force on [12.09.2019]. The Company reserves the right to update the Policy whenever deemed necessary, particularly in the event of legislative amendments, by publishing the most current version on its website. Therefore, data subjects are advised to check the website for the latest version of the Policy whenever they wish to obtain information regarding it.
Data Controller within the Scope of Personal Data Processing Activities
Universal Export Hizmetleri A.Ş., within the scope of the Law, determines the purposes and means of processing personal data while carrying out its operations and activities. In this respect, the Company informs data subjects through disclosure notices provided via the channels through which personal data is collected, regarding the purposes for which and the manner in which personal data is processed.
Similarly, the Company is responsible for the establishment and management of the data recording system in which such personal data is processed. Therefore, the Company acts as the data controller in respect of many of the personal data processing activities it carries out under the Law.
In certain cases, however, the Company may process personal data based on the instructions of another company, without determining the purposes and means of processing. In such cases, the Company acts as a data processor under the Law. Accordingly, this Policy is intended solely to inform data subjects regarding personal data processing activities where the Company acts as the data controller.
Personal Data Processing Activities and Purposes
Processing of Visitors’ Personal Data
Where visitors enter the Company building or premises, personal data processing activities are carried out in order to ensure building security, maintain visitor records properly, prevent and detect crime, and provide information to authorized institutions and organizations where necessary.
These personal data processing activities are carried out through:
• keeping camera recordings within the scope of CCTV monitoring activities inside and outside the building,
• keeping internet access logs within the scope of providing internet access to visitors,
• keeping visitor entry and exit records.
a) Retention of Camera Recordings
The Company conducts monitoring activities through cameras installed inside and outside the premises. These cameras are located at the security office, at entry points where turnstiles are visible, and at certain locations inside and outside the building. Data subjects are informed through warning signs placed in the relevant monitored areas.
The Company conducts camera surveillance and retains records for the following purposes:
• to assist in the prevention and detection of crime,
• to facilitate the identification, apprehension, and prosecution of persons committing crimes or disturbing public order,
• to contribute to public safety and the security of the buildings,
• to assist in identifying acts that may lead to disciplinary investigations against employees.
Unless required to be retained for a longer period as evidence, for the investigation of a crime, or under applicable legislation, images recorded through the relevant camera system shall be retained for a maximum period of 3 months from the date of recording.
Where necessary or upon a legal request, camera recordings may be shared with authorized institutions and organizations for the purposes of assisting in the prevention and detection of crime, facilitating the identification, apprehension, and prosecution of offenders or persons disturbing public order, and fulfilling our legal obligations. Responsibility for the operation, management, and all other matters relating to the camera system within the Company is monitored by the Purchasing and Administrative Affairs Directorate.
The processing of personal data through the retention of camera recordings is based on the following legal grounds:
• the necessity of processing for the fulfillment of the Company’s legal obligations,
• the necessity of processing for the establishment, exercise, or protection of the Company’s legal rights,
• the Company’s legitimate interest in the prevention of crime and the maintenance of security.
b) Retention of Internet Access Logs
Where visitors connect to the Company’s internet network as guest users, certain personal data is processed.
Such personal data includes:
• full name,
• internet usage log records,
• MAC ID,
• IP address,
• mobile phone number,
• username,
• password information.
This information is not disclosed to any third party outside the Company, except where it must be shared with authorized institutions and organizations in order to fulfill our legal obligations upon a legal request.
The aforementioned personal data is processed for the following purposes:
• ensuring that activities are carried out in compliance with legislation,
• providing information to authorized persons, institutions, and organizations where necessary or upon a legal request,
• granting visitors internet access as guest users,
• ensuring information security.
Personal data processed through the retention of internet access logs is processed electronically on the basis of:
• the fact that such processing is expressly provided for under the Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications,
• the fulfillment of our legal obligations under the Regulation on Collective Use Providers of Internet Access (Official Gazette Date and Number: 11.04.2017, 30035),
• the necessity of processing in order to provide internet access to you as a visitor.
Personal data processed within this scope is retained for the statutory period of 2 years.
c) Retention of Visitor Entry and Exit Records
Where persons visit the Company as visitors, certain personal data is processed.
Such personal data includes:
• full name,
• name of the company where the visitor works,
• purpose of visit,
• person being visited.
This information is not disclosed to any third party outside the Company, except where it must be shared with authorized institutions and organizations in order to fulfill our legal obligations upon a legal request.
The aforementioned personal data is processed for the following purposes:
• ensuring compliance of activities with legislation,
• creating and tracking visitor records,
• ensuring physical space security,
• protecting Company assets, employees, and building security,
• providing information to authorized persons, institutions, and organizations.
Personal data processed through the retention of visitor entry and exit records is processed in physical environments on the basis of:
• the fulfillment of our legal obligations,
• the Company’s legitimate interest in ensuring the security of its buildings and employees.
Personal data processed within this scope is retained for 6 months from the end of the visit.
Processing of Candidates’ Personal Data in Recruitment Processes
As a candidate, your personal data may be processed for the purpose of conducting recruitment processes, based on your application to a job posting published by our Company or through information provided for job applications via channels such as the Turkish Employment Agency (İŞKUR) candidate database, career platforms, or similar sources.
Personal data may be submitted directly by you to our Company, as well as through electronic or physical means via career platforms, the İŞKUR candidate database, or third-party service providers supporting recruitment processes.
Within this scope, depending on the position applied for, the following personal data provided in your CV or during recruitment interviews may be processed:
your name and surname, contact details, military service status, gender, date of birth, education background, previous work experience, certifications, driver’s license information, foreign language skills, references, computer skills, seminars and courses attended, scholarships received, projects carried out, job preferences, positions intended to be undertaken within the Company, earliest possible start date, salary expectations, previous applications to the Company, willingness to work night shifts, hobbies, reasons for leaving previous employment, information regarding relatives employed within the Company, travel availability, and preferred departments.
For certain positions, in order to assess whether the candidate is physically suitable for the role, health data and criminal record information may also be processed, solely for determining whether there are any legal impediments to employment. Such data is processed exclusively for these purposes and is not used for any other purpose.
The processing of candidates’ personal data during recruitment processes is based on the legal grounds of ensuring that the candidate can exercise their right to apply and the Company’s legitimate interest in establishing the necessary human resources to sustain its operations. In cases where these legal grounds do not exist, personal data is processed based on the candidate’s explicit consent.
Processing of Personal Data of Supplier and Business Partner Employees and Representatives
Since data belonging to legal entities is not considered personal data, such data does not fall within the scope of this Policy. However, personal data of employees and representatives of supplier companies, business partners, and group companies—engaged in the provision of goods and services and in operational collaborations—are processed within the scope of our ordinary operational activities.
Such personal data is processed for purposes including, but not limited to:
ensuring the supply of goods and services, planning accommodation and transportation for Company visits when necessary, organizing events, planning and executing occupational health and safety processes, assessing suitability for work, establishing communication for business processes, planning and executing business activities, managing dealer relations, conducting finance and accounting operations, managing sales processes of products and services, handling logistics and shipment processes, managing import and export operations, executing contract processes, conducting audit, investigation, and intelligence activities, managing supplier research and quotation processes, performing risk assessments for supplier registration, reporting on suppliers and business partners, providing information to authorized institutions and organizations, and ensuring compliance with legal obligations.
Additionally, within the scope of contract execution with suppliers and business partners, personal data of authorized signatories included in signature circulars may also be processed.
Principles of Personal Data Processing
The Company informs its employees and takes all necessary administrative and technical measures to ensure compliance with the following five fundamental principles in all processes involving personal data, from collection to destruction:
• Processing in accordance with the law and principles of good faith
• Ensuring accuracy and, where necessary, keeping data up to date
• Processing for specific, explicit, and legitimate purposes
• Being relevant, limited, and proportionate to the purpose of processing
• Retaining data only for the period required by applicable legislation or for the purpose for which it is processed
Accordingly, the Company processes personal data in compliance with legislation and within the framework of good faith principles. Data subjects are informed through appropriate channels via privacy notices, ensuring that personal data is processed for specific, explicit, and legitimate purposes and in a limited and proportionate manner. When the purpose of processing ceases, personal data is deleted, destroyed, or anonymized.
Conditions for Processing Personal Data
The conditions for processing personal data are set out in Articles 5 and 6 of the Law. The Company takes into account the conditions specified in Article 5 for processing non-sensitive personal data and Article 6 for processing sensitive personal data.
Conditions for Processing Non-Sensitive Personal Data
The conditions required for processing non-sensitive personal data are outlined in Article 5 of the Law as follows:
• Explicitly provided for by law
• Necessary to protect the life or physical integrity of a person who is unable to give consent due to actual impossibility or whose consent is not legally valid
• Necessary for the establishment or performance of a contract, provided that it is directly related to the parties of the contract
• Necessary for the Company to fulfill its legal obligations
• The personal data has been made public by the data subject
• Necessary for the establishment, exercise, or protection of a right
• Necessary for the legitimate interests of the Company
In cases where at least one of the above conditions is not met, personal data may be processed only with the explicit consent of the data subject.
| Examples Regarding the Specified Data Processing Conditions are Provided in the Table Below: | |
| Data Processing Condition | Example |
| Explicitly provided for by law | Retention of employee personal records within the scope of Labor Law |
| Actual impossibility | Recording the identity information of an unconscious patient into the hospital system |
| Establishment or performance of a contract | Recording the address information of a person for the delivery of a purchased product |
| Legal obligation of the data controller | Sharing requested information with the court |
| Making data public (by the data subject) | Publishing contact details on a website to enable communication |
| Establishment, exercise, or protection of a rightEntering username and password information into the system to provide internet access to guest users | |
| Legitimate interest | Recording visitors’ name and surname information in a logbook for security purposes. |
In cases where none of the above conditions are met, explicit consent must be obtained from the relevant individuals in order to process personal data.
Conditions for Processing Special Categories of Personal Data
Special categories of personal data are defined under the Law as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
The conditions required for processing such special categories of personal data are set out in Article 6 of the Law as follows:
• For special categories of personal data other than health and sexual life, processing is permitted where it is explicitly provided for by law.
• For data relating to health and sexual life, processing is permitted by persons under a confidentiality obligation or by authorized institutions and organizations for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing.
• In cases where none of the above conditions are met, the explicit consent of the data subject must be obtained.
| Examples Regarding the Specified Data Processing Conditions are Provided in the Table | |
| Data Processing Condition | Example |
| Explicitly provided for by law | Retaining an employee’s union membership information in their personnel file in accordance with the relevant legislation |
| Protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing; processing by persons under a confidentiality obligation or by authorized institutions and organizations | Keeping periodic health reports by the workplace physician |
In cases where none of the specified data processing conditions are met, explicit consent must be obtained from the relevant individuals in order to process personal data.
Personal Data Sharing
Personal data processed by the Company may be transferred to third parties within the framework of the principles set forth in the Law. In this context, personal data is shared domestically with the parties and for the purposes specified below:
• With Universal Export, for the purposes of conducting reporting processes; monitoring and managing proposal and contract processes; carrying out order, production, inventory, and operational processes of products and services; monitoring and executing logistics activities; conducting evaluation and selection processes of potential business partners and suppliers and performing preliminary research within this scope; as well as monitoring and executing audit, legal, and regulatory compliance processes,
• With consultants, suppliers, and business partners from whom goods and services are procured, for the purposes of purchasing goods and services and managing procurement processes,
• With legally authorized public institutions and organizations and relevant persons, for the purposes of ensuring that activities are carried out in compliance with legislation, conducting and following legal affairs, and providing information to authorized persons, institutions, and organizations.
Within the scope of such data sharing, personal data is transferred to the specified parties based on one or more of the following legal grounds: establishment, exercise, or protection of a right; fulfillment of the legal obligations of the data controller; and legitimate interest.
Retention of Personal Data and Measures Taken for Data Security
Your personal data may be retained by the Company in accordance with the following periods:
• Periods stipulated under applicable legislation to which the Company is subject,
• Until the purposes for processing your personal data cease to exist,
• For the duration necessary to provide our products and services.
In cases where none of these conditions exist to justify continued processing, personal data is deleted, destroyed, or anonymized by the Company.
In addition, the Company takes all necessary technical and administrative measures to prevent unlawful processing of personal data, prevent unauthorized access, and ensure the secure storage of such data.
Below are the main technical and administrative measures implemented by the Company to ensure data security:
• Network and application security are ensured.
• Closed system network is used for personal data transfers over networks.
• Key management is implemented.
• Security measures are taken within the scope of procurement, development, and maintenance of IT systems.
• Disciplinary regulations including data security provisions are in place for employees.
• Employees receive periodic training and awareness programs on data security.
• Authorization matrix for employees has been established.
• Access logs are regularly maintained.
• Corporate policies regarding access, information security, usage, storage, and destruction have been prepared and implemented.
• Confidentiality undertakings are executed.
• Access rights of employees who change roles or leave the Company are revoked.
• Up-to-date antivirus systems are used.
• Firewalls are utilized.
• Contracts include provisions on data security.
• Personal data security policies and procedures are defined.
• Personal data security issues are promptly reported.
• Personal data security is continuously monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• Physical environments containing personal data are secured against external risks (such as fire, flood, etc.).
• Security of environments containing personal data is ensured.
• Personal data is minimized where possible.
• Personal data is backed up, and the security of backups is ensured.
• User account management and authorization control systems are implemented and monitored.
• Periodic and/or random internal audits are conducted.
• Log records are maintained in a way that prevents user intervention.
• If special categories of personal data are sent via email, they are encrypted and sent through registered electronic mail (KEP) or corporate email accounts.
• Secure encryption/cryptographic keys are used for special categories of personal data and managed by different units.
• Intrusion detection and prevention systems are used.
• Cybersecurity measures are implemented and continuously monitored.
• Encryption is applied.
• Special categories of personal data transferred via portable devices (USB, CD, DVD) are encrypted.
• Additional security measures are taken for personal data transferred via paper, and documents are sent in a confidential format.
In addition to the above, further technical and administrative measures are taken by the Company depending on the nature of the personal data and the level of confidentiality required.
Rights Regarding Personal Data
The Company acts as the data controller with respect to the processing of your personal data. Accordingly, data subjects may submit requests to the Company regarding the following rights:
• To learn whether your personal data is processed
• To request information if your personal data has been processed
• To learn the purpose of processing your personal data and whether they are used in accordance with such purpose
• To know the third parties to whom your personal data is transferred domestically or abroad, if any
• To request correction of incomplete or inaccurate personal data and to request notification of such correction to third parties to whom the data has been transferred
• To request deletion or destruction of personal data in case the reasons requiring processing no longer exist, even if processed in accordance with the Law, and to request notification of such action to third parties, if any
• To object to a result that is against you arising from the analysis of your personal data exclusively through automated systems
• To request compensation for damages in case your personal data is processed unlawfully
You may contact us at any time to obtain more information about your rights and to exercise them. Upon submission of your request, it will be concluded as soon as possible and at the latest within thirty (30) days, depending on the nature of the request.
You may initiate this process via the following link:
https://unvexport.com.tr/kvkk-basvuru-formu
| This Policy has been prepared to inform data subjects on all matters regarding the processing of their personal data. Within the scope of this Policy, responding to all questions related to personal data in a transparent and understandable manner is one of the Company’s fundamental principles | Therefore, if you have any questions regarding the Policy, you may send an email to kvkk@unvexport.com.tr |