PERSONAL DATA PROTECTION POLICY

PERSONAL DATA PROTECTION POLICY

1.     PURPOSE

 

  Papilon Savunma Technology and Trade Inc. (“Papilon” or “Our Company”) shows its utmost effort to comply with all applicable legislation regarding the processing and protection of personal data. Within the framework of our Company's Personal Data Protection Policy (“Policy”), the principles adopted in the execution of personal data processing activities carried out by Papilon are explained. The policy aims to ensure the sustainability of Papilon's "principle of conducting company activities in a transparent manner in accordance with the law and honesty rules". In this context, the basic principles adopted in terms of compliance of Papilon data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“PDPL”) are determined and the practices implemented by Papilon are explained. As Papilon, our customers, investors (shareholders), employees, suppliers and business partners who contact our company for themselves or as a representative of a company or organization, and also establish a relationship with us by applying for a job or visiting our website or in any other way. It attaches great importance to ensuring the confidentiality and security of the personal data of other natural persons. Expressions such as "we" and "our" in this Policy are used to express Papilon, unless expressly stated otherwise.

 

This Policy; Regarding all personal data owners who contact our company:
a. What kind of personal data our company processes,
b. Personal data processing purpose and legal basis,
c. How this personal data is used,
d. With whom our company may share personal data to.
e. How long your personal data will be stored,
f. What are the measures regarding the security of personal data,
g. It explains what the rights of the person concerned are over the personal data processed by our company and how these rights can be exercised.

 

2.     FIELD OF APPLICATION

 

This Policy determines the processing conditions of personal data and sets out the principles adopted by Papilon in the processing of personal data. In this context, the Policy; It covers all personal data processing activities within the scope of the Law carried out by Papilon, all personal data processed and the owners of this data. The main objective of our company's data policy is to be transparent to our customers, potential customers, visitors, company officials, all of the parties and institutions we cooperate with, in short, to every person whose data we process directly or indirectly related with our company. With this policy, our company determines and implements our rules for the processing of personal data within the framework of transparency and openness principles. In case of incompatibility between the current legislation and our policy; the legislation in force will be applied with priority, and if there is another policy or regulation on the same subject for more specific purposes other than this basic policy, firstly the articles containing special provisions are applied. 

 

3.       RULES ON THE PROCESSING OF PERSONAL DATA

 

3.1. Definition of “Personal Data”

 

In article 3/I(d) of the PDP Law, "personal data" is defined as any information relating to an identified or identifiable natural person. In this context, anonymous data and data that cannot be associated with a specific person are not considered personal data within the scope of this Policy. Personal data is divided into two groups as general data and special data. Pursuant to Article 6 of the PDP Law, a natural person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, biometric and genetic data are considered as special quality personal data. In case of processing of sensitive data, the special rules stipulated in the PDP Law regarding these are followed.

 

 

 

3.2.  General Principles Regarding the Processing of Personal Data

 

Pursuant to article 3/I(e) of the PDP Law, "data processing"; obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system such as inhibition, means all kinds of operations that can be performed on personal data.

While our company carries out personal data processing activities, it acts in accordance with the basic principles in (i) article 4 of the PDPL, (ii) personal data processing conditions in article 5 and (iii) private personal data processing conditions in article 6 of the PDPL.

Compliance with Core Principles;

(1) Compliance with the Law and the Rules of Integrity

Our company carries out personal data processing activities in accordance with the law and the rule of good faith, in accordance with the PDPL and the relevant secondary legislation, especially the Constitution of the Republic of Turkey.

(2) Accurate and Up-to-Date When Necessary

While processing personal data by our company, all necessary administrative and technical measures are taken to ensure the accuracy and topicality of personal data within technical possibilities.

(3) Processing for Specific, Explicit and Legitimate Purposes

Personal data is processed by our company in connection with the data processing conditions and to the extent necessary for the realization of the processing purpose of these services. In this context, the purpose of personal data processing is determined before starting the personal data processing activity, and data processing is not carried out on the assumption that it can be used in the future.

(4) Relating to the Purpose for which they are Processed, Being Limited and Measured, and Retained for the Time Required for the Purpose for which they are Processed

Our company retains personal data for a limited period of time stipulated in the relevant legislation or required by the data processing purpose. In this respect, personal data is deleted, destroyed or anonymized by our company in the event that the period stipulated in the legislation expires or the reasons requiring the processing of personal data disappear. Personal data is not stored by our company based on the possibility of its use in the future.

 

 

3.3. Processing Conditions of General Personal Data

 

Our company may process your personal data based on your explicit consent or for the legal reasons listed below.

 

(1) Explicit provision of data processing in laws: PDP Law in the absence of one of the reasons listed in law article 5/II and 6/II and III, we can only process your personal data based on your explicit consent. You can always withdraw your express consent in the ways stipulated in article 9 of this Policy.

(2) Being directly related to the establishment or performance of a contract: We may process the personal data of the representatives of the legal entities we serve and the suppliers or their representatives from which we purchase products or services for the purposes of negotiating contracts, signing contracts and fulfilling our contractual obligations.
(3) If it is necessary for the fulfillment of a legal obligation: For example, personal data may be shared with these institutions and courts upon the request of the courts or administrative bodies within the framework of the relevant legislation, provided that it is limited to the scope of the request.

(4) The data has been made public by the person concerned: Your personal data can be processed if it has been made public by you. For example, the personal data of potential suppliers or their representatives that have been made public may be processed for the purposes of evaluating their adequacy in meeting our product or service needs and communicating with these people. Again, the data of the employee candidates that they have made public on social media can be used in the evaluation of their job applications.
(5) If data processing is mandatory for the establishment, exercise or protection of a right: For example, your personal data may be processed for the purposes of filing a lawsuit or defending a lawsuit.
(6) Based on legitimate interest: We may also process your personal data for our legitimate interest. For example, in order to meet our Company's future product or service or workforce needs, we may store personal data of potential suppliers and employee candidates in our Company's information repository.

 

3.4. Processing Conditions of Sensitive Personal Data

 

Our company pays special attention to the processing of personal data of special nature. In this context, our company firstly determines whether there are data processing conditions in sensitive personal data processing, and after making sure that the condition of compliance with the law exists, data processing is carried out.

Sensitive personal data notion: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are all expresses as sensitive personel data.

General Condition: It is forbidden to process sensitive personal data without the explicit consent of the person concerned.

Exceptions and Special Cases: Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.

Personal data related to health and sexual life are only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned can be processed.

 

4.     DATA PROCESSED BY PAPILON

 

Papilon can process general and special personal data with the explicit consent of the data owner or without explicit consent in cases stipulated in Articles 5 and 6 of the PDP Law.

Which data will be processed by Papilon for each data owner may vary depending on various factors such as the type and nature of the relationship between the data owner and Papilon, and the communication channels used. In this context, some of the general and special data processed by Papilon are shown below.

·       Data such as name-surname, profession, title, institution/organization information, educational background, employment history, gender, marital status, family and social life information, citizenship status and other personal information, and information about parents, guardians and attorneys, if any.

·       Data such as date of birth, place of birth, ID number and photograph in documents for identification purposes such as ID, passport, driver's license.

·       Contact information such as address, telephone, e-mail and fax number of home, workplace or temporary residence.

·       Visual and audio recordings.

·       Customer and procurement process data.

·       Content and communication records of e-mail correspondence with Papilon.

·       Internet protocol (IP) address, device ID, unique identifier information, device type, advertising ID, unique device icon, statistics on web page views, inbound and outbound traffic information, redirect URL, internet log information, location information, visited sites and information on transactions and actions performed through our websites, platforms, internet network, and advertisements and e-mail contents.

·       Customer information, customer transaction information,

·       Information on request/complaint management,

·       Information on legal affairs,

·       Information on ethical values and legal compliance,

·       Financial information,

·       Audit information,

·       Electronic media usage information,

·       Information on goods and services provided and provided,

·       Business activities information,

·       Information on trade and other licenses and permits,

·       Physical location security information,

·       Visual and auditory information (photograph, camera, sound recordings),

·       Telecommunication records,

·       E-mail and information systems services usage records,

·       Login records,

·       Union membership information,

·       Health reports and health information,

·       Images and information about work accidents, injuries, diagnosis and treatments,

·       Biometric data and criminal record information,

·       HEPP Codes of our employees,

·       Covid-19 vaccine information of our employees,

·       PCR knowledge of our employees,

·     HES codes, vaccination information, PCR query results and fever measurement results of our stakeholders

 

 

5.     PURPOSE OF PROCESSING PERSONAL DATA

 

As Papilon, we may process personal data for the following purposes and retain them for as long as these purposes require:

    • Establishment and fulfill of contracts,
    • Carrying out the commercial activities of our company,
    • To be able to carry out business processes related to commercial activities,
    • Management and execution of relations with business partners and/or suppliers, informing about the contents of products and services.
    • Establishing and developing the company's human resources policies, providing the company's employee needs within the framework of these policies, and conducting and developing the recruitment processes.
    • Conducting our activities in accordance with the legislation,
    • Customizing and improving our services to our customers, providing effective customer service,
    • Ensuring and improving coordination, cooperation and efficiency in and between units within our company,
    • Ensuring the security of our company's website and other electronic systems and physical environments,
    • Conducting investor relations, organizing events for investor satisfaction in this context,
    • Celebrating special days, being included in sweepstakes or competitions, giving gifts and other similar events, promotions and campaigns in favor of the data owner.
    • Conducting communication activities,
    • Getting your opinion with surveys and voting,
    • Investigation, detection, prevention of violations of the contract and the law and reporting them to the relevant administrative or judicial authorities,
    • Execution of finance and accounting works,
    • Follow-up and execution of legal affairs,
    • Answering requests and questions.
    • Conducting legal and commercial relations with our company and people who have business relations with our company and ensuring the security of these relations.
    • Realization of corporate and partnership law transactions, planning and execution of corporate governance activities.
    • Execution of strategic planning activities,
    • Ensuring the security of our company's locations.
    • Planning of logistics activities,
    • Continuing reputation Studies,
    • Follow-up of finance and accounting affairs, creation and tracking of visitor records,
    • Execution of HES code, temperature, PCR test results and emergency processes of employees and visitors and protection of public health.

 

6.     METHOD OF COLLECTING PERSONAL DATA

 

Personal data can be collected by our Company through verbal, written and/or electronic means, by giving clear and understandable verbal, written and/or electronic information to the personal data owners, and by obtaining their explicit consent when necessary, in accordance with the law and honesty rules, in connection with the legitimate purposes clearly stated above and It is collected and used within the framework of the principle of proportionality, on a limited basis, and recorded, stored and processed in paper and digital media when necessary, and in the cloud environment when necessary. Although the type and nature of the relationship between the data subject and Papilon may vary depending on various factors, the methods used in collecting personal data are generally as follows:

 

    • Directly from the data owner through physical and electronic media where the data owner communicates with our Company,
    • Persons and institutions represented by/representing the data owner,
    • Persons, institutions and organizations that are referenced in job applications or included in the applicant's work and education history.
    • Through the company's subcontractors, business partners or other contracted persons and organizations.
    • Via social media or other public channels.

 

 

7.     LEGAL REASONS FOR THE PROCESSING OF PERSONAL DATA

 

As Papilon, we process your personal data based on your explicit consent or the legal reasons listed below:

7.1. Clearly stipulated in laws: PDP Law in the absence of one of the reasons listed in articles 5/II and 6/II and III, we can only process your personal data based on your explicit consent. You can always withdraw your express consent in the ways stipulated in Article 9 of this Policy.

7.2. Being directly related to the establishment or fulfilment of a contract: We may process the personal data of the representatives of the legal entities we serve and the suppliers or their representatives from whom we purchase products or services for the purposes of negotiating contracts, signing contracts and fulfilling our contractual debts.

7.3. Obligatory in order to fulfill our legal obligation: For example, personal data may be shared with these institutions and courts upon the request of the courts or administrative bodies within the framework of the relevant legislation, provided that it is limited to the scope of the request.

7.4. If the data has been made public by the person concerned: Your personal data may be processed if it has been made public by you. For example, the personal data of potential suppliers or their representatives that have been made public may be processed for the purposes of evaluating their adequacy in meeting our product or service needs and communicating with these people. Again, the data of the employee candidates that they have made public on social media can be used in the evaluation of their job applications.

7.5. Data processing is mandatory for the establishment, exercise or protection of a right: For example, your personal data may be processed for the purposes of filing a lawsuit or defending a lawsuit.

7.6. Data processing is mandatory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms: we may also process your personal data for our legitimate interests. For example, we may store personal data of potential suppliers and employee candidates in our Company's information repository in order to meet our Company's future product or service or workforce needs.

 

8.     COMPLIANCE WITH PERSONAL DATA TRANSFER TERMS

 

Personal data transfers to be made by Papilon are carried out in accordance with the personal data transfer conditions regulated in Articles 8 and 9 of the PDPL.

 

8.1. Domestic Transfer of Personal Data

In accordance with Article 8 of the PDPL, Papilon acts in accordance with the data processing conditions in data transfer activities to be carried out in the country.

 

8.2. Transfer of Personal Data Abroad

Personal data by Papilon in accordance with Article 9 of the PDPL; (i) in accordance with the personal data processing conditions and (ii) the data controllers in Turkey and in the relevant foreign country undertake in writing, in case the country to be transferred is one of the countries with adequate protection declared by the Board, or in case there is no adequate protection in the relevant foreign country, and It can be transferred abroad with the permission of the board.

 

9.     PERSONS AND ORGANIZATIONS TO WHICH PERSONAL DATA MAY BE TRANSFERRED IN DOMESTIC AND INTERNATIONAL

 

Papilon may transfer personal data to third parties in the country and abroad for the purposes indicated under the heading "Purposes of Processing Personal Data" of this Policy, provided that it complies with the conditions stipulated in the PDP Law and takes the necessary security measures, and on servers located in the country or abroad, or can be stored in other electronic media. Although the third parties to whom personal data can be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and Papilon, in general they are as follows:

·       Group companies,

·       Authorized institutions and organizations

·       Work partners

·       Suppliers

·       Subcontractors

·       Shareholders and to the authorities

    • Legally Authorized public institutions and organizations
    • Legally authorized private legal persons

 

Papilon does not share the personal data it has obtained with others for the promotion and marketing activities of third parties in any way without the express and specific consent of the data owner.

 

10.   PERSONAL DATA STORAGE PERIOD

 

Papilon stores personal data in its data inventory in accordance with the periods determined in all relevant legislation. As Papilon, we retain personal data only for the period necessary for the realization of the purposes specified in this Policy, except where a longer period is legally required or permitted. Personal data whose storage period has expired are deleted, destroyed or anonymized by us within the framework of Article 7 of the PDP Law.

If the purpose of processing and storing personal data has been eliminated and the periods determined by all relevant legislation regarding personal data and the principles determined by our company in this policy have passed, personal data can be stored for use in all kinds of legal disputes that may arise in the future. The personal data specified in this section are only stored for use in legal disputes and cannot be used for any other purpose. In line with the above explanations, all possible precautions and precautions are taken by Papilon.

 

11.  INFORMING OF PERSONAL DATA OWNER

In accordance with Article 10 of the Law, Papilon enlightens the personal data owners during the acquisition of personal data. In this context, during the acquisition of personal data by Papilon, Papilon corporate identity, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and legal reason are within the scope of Article 11 of the Law of the personal data owner information, regarding the rights it has.

12.  SECURITY OF YOUR PERSONAL DATA

Papilon takes all necessary technical and administrative measures to ensure the appropriate level of security in order to ensure that your personal data is processed and stored in a safe manner in accordance with the law and to prevent unlawful access to your personal data.

 

13.  RIGHTS OF THE DATA OWNER

 

If you, as Personal Data Subject, submit your requests regarding your rights of the Personal Data Subject, listed in article 11 of the Law no. 6698, to our Company; we will conclude the request as soon as possible and at the latest within thirty days according to the nature of the request. In this context, personal data subjects are entitled to find out whether their personal data is processed, request pertinent information if their personal data was processed, find out why personal data was processed and whether it was used properly, know the third parties to whom personal data is transferred within the country or abroad, request correction of personal data if it is incompletely or incorrectly processed, and request notification of this procedure to third parties to whom personal data is transferred, even though personal data is processed pursuant to the Law no. 6698 and other applicable provisions of the law, request deletion or destruction of personal data in case the reasons for processing no longer exist, and request notification of this procedure to third parties to whom personal data is transferred, object to existence of a result against the person upon analysis of processed data exclusively by automated systems, request indemnification of losses if you incur any loss due to unlawful processing of personal data. Pursuant to the law, you can submit your applications regarding your personal data personally to the address Mebusevleri Mah., Ergin Sk., No: 9, Çankaya / ANKARA upon confirmation of identity, or by means of other methods specified in the Law and applicable legislation upon confirmation of identity. Our Company shall finalize applications at no charge pursuant to article 13 of the Law on Protection of Personal Data. If a cost is required for the process, the tariff determined by Personal Data Protection Board shall be applicable. If the request is rejected, reasons for rejection shall be notified on written or electronic media.

 

 

14.  USE OF THE WEBSITE

On the websites owned and managed by Papilon, ensuring that the visitors of these websites perform their visits on the sites in accordance with the purposes of their visit, providing them with customized content, providing social media features, facilitating the visit by remembering them if they visit the relevant website again, and online advertising. In order to be able to carry out its activities, the internet movements of the visitors within the site are recorded by technical means (eg Cookies).

Papilon may refuse to use the cookies it uses on the websites it owns and manages, change their types or functions, or add new cookies.

 

15.  CHANGES TO THE POLICY

 

As Papilon, it is possible for us to make changes to this Policy at different times. The current version of the Policy prepared by our company can be accessed on the Papilon website and the changes that can be made in the Policy can be followed on the Papilon website.

As a rule, changes will be made by uploading them to Papilon's website and will become effective as of this date, but Papilon may also notify these changes in other ways it deems appropriate.