Personal Data Protection
Privacy and Personal Data Protection Policy
As Adadünya Optik Turizm Ticaret Limited Şirketi (“Adadünya”), we act in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”).
Within the principles set out by the Law, Adadünya fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security.
This Privacy and Personal Data Protection Policy, prepared in compliance with the Law, is made available to real persons whose personal data are processed (“data subject”).
1. Scope and Purpose of the Privacy and Personal Data Protection Policy
This Policy sets out in detail:
- Methods and legal grounds for collecting personal data,
- Which groups of individuals’ personal data are processed (Data Subject Categorization),
- Which categories of personal data are processed and sample data types (Data Categories),
- For what purposes the relevant personal data are used,
- To whom personal data may be transferred and for what purposes,
- Sharing of personal data with public institutions and official authorities,
- Retention periods of personal data,
- Profiling and segmentation,
- The rights of data subjects regarding their personal data and how they can exercise these rights.
a. Methods and Legal Grounds for Collecting Personal Data
Adadünya collects personal data through stores, call centers, websites, social media accounts, e-mail, postal mail, call center systems, CCTV, cookies, fax, notifications from administrative and judicial authorities, and other communication channels, in audio, electronic, or written form, in accordance with the personal data processing conditions stated in the Law and based on the legal grounds specified in this Policy.
b. Data Subject Categorization
Adadünya groups the data subjects whose personal data it processes as follows. These groups may be expanded within the framework of the processes and legal reasons stated in this Policy:
- Customer,
- Online Customer,
- Visitor,
- Online Visitor,
- Business Partner / Supplier
c. Data Categories and Sample Data Types
| No | Data Subject | Data Category | Data Types |
|---|---|---|---|
| 1 | Customer | Identity Information | Name–Surname, Gender, T.R. Identification Number, Turkish ID details (ID serial no., family order no., etc.), Date of Birth, Place of Birth, Marital Status, Passport Number |
| Contact Information | Address (home/work), E-mail, Phone/Mobile Phone | ||
| Financial Information | Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information | ||
| Customer Information | Customer Number, Start/End Date and Reason of the Commercial Relationship, Customer Requests, Customer Satisfaction Information, Product Complaint and Request Information | ||
| Employment and Professional Information | Retirement Information, Insurance Information, Education Level, Graduation Information, Affiliated Organization | ||
| Legal Transaction and Compliance Information | Official Records (Police, etc.), Power of Attorney | ||
| Special Category Personal Data | Diopter Information, Hospital Reports | ||
| Information Security Information | Call Center Records, Credit Card Number, Credit Card Expiration Date | ||
| Family Members and Relatives Information | Name–Surname, Degree of Kinship, Profession, School, Date of Birth, Mobile Phone | ||
| Other | Call Center Records, CCTV | ||
| 2 | Online Customer | Identity Information | Name–Surname, Gender, Date of Birth, Place of Birth |
| Contact Information | Address (home/work), E-mail, Phone/Mobile Phone | ||
| Financial Information | Bank Account Information, Payment Information | ||
| Customer Information | Customer Number, Start/End Date and Reason of the Commercial Relationship, Customer Requests, Customer Satisfaction Information, Product Complaint and Request Information, Website Usage Habits, Search Details, Customer Instructions and Records | ||
| Employment and Professional Information | Retirement Information, Insurance Information, Education Level, Graduation Information, Affiliated Organization | ||
| Marketing Information | Product Preferences, Customer Satisfaction Survey Results | ||
| 3 | Visitor | Identity Information | Name–Surname, T.R. Identification Number, Passport Number |
| Contact Information | E-mail, Phone/Mobile Phone | ||
| Information Security Information | Law No. 5651 logs | ||
| Other | Vehicle License Plate, CCTV | ||
| 4 | Online Visitor | Information Security Information | Password, Membership Number, Mobile Phone |
| Legal Transaction Information | IP Address | ||
| 5 | Business Partner / Supplier | Identity Information | Name–Surname, Gender, T.R. Identification Number, Turkish ID details (ID serial no., family order no., etc.), Date of Birth, Place of Birth, Marital Status, Professional Credentials |
| Contact Information | Address, E-mail, Phone, Mobile Phone | ||
| Financial Information | Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information, Copies/Photocopies of Letters of Guarantee | ||
| CV and Professional Information | Education Level, Military Service Status, Sector Information, Affiliated Organization, Employment Start/End Date, Title/Position, Insurance Information | ||
| Legal Transaction and Compliance Information | Signature Circular, Activity Information, Power of Attorney | ||
| Special Category Personal Data | Criminal Record, Signature, Health Information | ||
| Other | Vehicle License Plate, CCTV, Photograph |
d. Purposes of Using Personal Data
Personal data are used by Adadünya for the following purposes:
- Conducting commercial activities and managing related business processes,
- Planning/executing effectiveness, efficiency and/or appropriateness analyses,
- Planning/executing business continuity activities,
- Planning/executing logistics activities,
- Planning/executing corporate communication activities,
- Planning/executing supply chain management processes,
- Planning, auditing and executing information security processes,
- Monitoring finance and accounting activities,
- Planning/executing operational processes,
- Planning/executing internal and external training activities,
- Managing relationships with business partners and/or suppliers,
- Planning/executing sales processes of products and/or services,
- Planning/executing after-sales support activities,
- Planning/executing customer relationship management processes,
- Following up customer requests and/or complaints,
- Planning/executing market research for the sales and marketing of products and services,
- Planning/executing marketing processes,
- Planning/executing customer satisfaction activities,
- Following up legal affairs and fulfilling legal liabilities,
- Ensuring operations are carried out in compliance with company procedures and relevant legislation,
- Providing information to authorized institutions as required by legislation,
- Planning/executing audit activities,
- Ensuring the security of company premises/facilities and operations,
- Ensuring the security of movable assets and resources,
- Ensuring the security of company fixtures and/or resources,
- Creating visitor records.
e. To Whom and For What Purpose Personal Data May Be Transferred
Adadünya transfers personal data only within the purposes specified in this Policy and in accordance with Articles 8 and 9 of the Law, to third parties and to its shareholder abroad.
Data transfers are carried out via secure environments and channels provided by the relevant third party. Depending on the scope of the service received from third parties, in cases where the transfer of personal data is not necessary, transfers are made using pseudonymous data.
Personal data subject to domestic and international transfers are protected legally through KVKK-compliant provisions in our contracts, in addition to technical measures ensuring security, taking into account whether the counterparty is a data controller or data processor.
| No | Data Subject | With Whom and For What Purpose Are Personal Data Shared? |
|---|---|---|
| 1 | Customer / Online Customer | Sharing contact information with an SMS Provider to send SMS messages for commercial communications or organizational matters (such as store opening/closing) to customers with commercial electronic message consent; sharing invoice details with an e-invoice provider to deliver e-invoices electronically; sharing personal data with the Call Center to resolve customer requests and complaints; sharing personal data with a lawyer to prepare defense petitions if consumers apply to the Consumer Arbitration Committee; sharing delivery recipient information with cargo/shipping companies; sharing personal data in an anonymized manner with suppliers for procuring products such as lenses; sharing customer personal data with Adadünya’s shareholder GrandVision for reporting and statistical studies; sharing with suppliers for storing physical and electronic customer records; and sharing website usage preferences and browsing history with third parties providing support domestically and abroad, including instant messaging service providers, for segmentation and contacting the customer in line with their likes and preferences. |
| 2 | Business Partner / Supplier | In case any work is to be carried out in Adadünya stores, sharing identity data as necessary; and sharing for the storage of physical and electronic business partner/supplier records. |
f. Personal Data Sharing with Public Institutions and Official Authorities
| No | Data Subject | With Whom and For What Purpose Are Personal Data Shared? |
|---|---|---|
| 1 | Customer / Online Customer | Sharing customers’ diopter data with the Social Security Institution (“SGK”) and, if the customer is a member of the Turkish Grand National Assembly (TBMM), with TBMM, so that customers may benefit from eyewear and lens entitlements; sharing personal data with SGK during SGK and Ministry of Health audits; reporting unlawful incidents occurring in-store to relevant official institutions such as the Public Prosecutor’s Office; and sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits. |
| 2 | Visitor / Online Visitor | Sharing personal data and traffic/browsing information (such as log records) relating to visits or memberships on e-commerce platforms, with authorized public institutions and organizations that are legally entitled to request such information within the scope of legal obligations (including, but not limited to, combating crime, threats to public security, etc.); sharing logs with official institutions; and sharing camera recordings with official institutions such as prosecutors and courts upon request. |
| 3 | Business Partner / Supplier | Sharing current account records opened within commercial relationships with Trade Registry Directorates and notaries; sharing personal data with relevant public institutions and notaries to fulfill legally required notifications by accounting; sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits; and sharing financial data with banks to fulfill payment obligations arising from the existing commercial relationship. |
g. Retention Periods of Personal Data
Adadünya retains personal data it processes for the periods stipulated in relevant legislation or required by the purpose of processing, in compliance with the Law. Approximate retention periods within the Personal Data Retention and Disposal Policy are as follows:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Personal Data Relating to Customers | 10 years after termination of the legal relationship; 3 years under Law No. 6563 and secondary legislation | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 |
| Personal Data Relating to Business Partners / Suppliers | 10 years after termination of the legal relationship | Law No. 6102, Law No. 6098, Law No. 213 |
| CV and Personnel Information Received During Job Applications | 2 years | To contact past applicants regarding new positions |
| Call Center Voice Recordings | 3 years | Law No. 6563 and secondary legislation |
| Personal Data Relating to Online Customers | 10 years after termination of the legal relationship; 3 years under Law No. 6563 and secondary legislation | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 |
| Personal Data Relating to Potential Customers | 1 year | Retrospective analysis |
| Personal Data Relating to Visitors (Camera Recordings) | 3 months | Ensuring security |
| Personal Data Relating to Online Visitors | 2 years | Law No. 5651 |
| All Records Relating to Accounting and Financial Transactions | 10 years | Law No. 6098 |
h. Data Subjects’ Rights Regarding Their Personal Data and How to Exercise Them
The rights of data subjects under Article 11 of the Law are as follows:
- To learn whether personal data are processed,
- To request information if personal data have been processed,
- To learn the purpose of processing and whether they are used in accordance with the purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction if personal data are processed incompletely or inaccurately,
- To request deletion or destruction of personal data within the framework of Article 7 of the Law,
- To request notification of the correction/deletion/destruction operations to third parties to whom data were transferred,
- To object to results against the person arising from analysis exclusively through automated systems,
- To request compensation for damages in case of unlawful processing.
To exercise your rights regarding your personal data, you may submit your requests via the “Contact Form” accessible on the Adadünya website, via Adadünya’s official e-mail address [email protected], or via the official phone line “0850 259 81 01” for changes, updates, and/or deletion requests.
KVKK Retention and Disposal Policy
ADADÜNYA OPTİK TURİZM TİCARET LIMITED COMPANY POLICY ON DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
1. PURPOSE OF THE DISPOSAL POLICY
The purpose of this Disposal Policy (“Policy”) is to set out the procedures for deletion, destruction, or anonymization—ex officio or upon the request of the data subject—of personal data processed in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), when the conditions for processing stated in Articles 4, 5 and 6 of the Law cease to exist, pursuant to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017 (“Regulation”).
| Explicit Consent | Consent given freely, based on being informed, and related to a specific subject. |
| Relevant User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person/unit responsible for technical storage, protection and backup of data. |
| Disposal | Deletion, destruction or anonymization of personal data. |
| Recording Medium | Any medium containing personal data processed wholly or partly by automated means or, provided it is part of a data recording system, by non-automated means. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Policy | The Personal Data Protection and Privacy Policy prepared by Adadünya Optik. |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing their use. |
| Anonymization of Personal Data | Making personal data impossible to be associated with an identified or identifiable natural person, even by matching with other data. |
| Deletion of Personal Data | Making personal data inaccessible and non-reusable for relevant users. |
| Destruction of Personal Data | Making personal data inaccessible, irretrievable and non-reusable for anyone. |
| Board | Personal Data Protection Board. |
| Special Category Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations/foundations/unions, health, sexual life, criminal convictions and security measures, and biometric/genetic data. |
| Periodic Disposal | Deletion, destruction or anonymization carried out ex officio at recurring intervals specified in the retention and disposal policy when all conditions for processing under the Law cease to exist. |
| Data Subject / Relevant Person | The natural person whose personal data are processed. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Regulation | The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017. |
3. RECORDING MEDIA WHERE PERSONAL DATA ARE STORED
Personal data belonging to data subjects are stored securely by Adadünya Optik in the following environments in compliance with the Law and relevant legislation:
Electronic media:
• CRM
• MS SQL Server
• E-mail Inbox
• Microsoft Office Programs
• Video Recording Devices
Physical media:
• Department Cabinets
• Folders
• Archive
4. EXPLANATIONS REGARDING THE REASONS REQUIRING RETENTION AND DISPOSAL
Personal data are retained securely within the boundaries set forth in the Law and other relevant legislation, particularly for: (a) sustaining educational and commercial activities, (b) fulfilling legal obligations, (c) planning and performing employee rights and benefits, and (d) managing customer relations.
Reasons requiring retention include:
- Personal data being directly related to the establishment and performance of contracts,
- Processing being necessary for the establishment, exercise, or protection of a right,
- Processing being necessary for Adadünya Optik’s legitimate interests provided that fundamental rights and freedoms are not harmed,
- Processing being necessary for Adadünya Optik to fulfill a legal obligation,
- Retention being explicitly stipulated by legislation,
- Existence of explicit consent for retention activities requiring explicit consent.
Pursuant to the Regulation, personal data are deleted, destroyed or anonymized ex officio or upon request in the following cases:
- Amendment or repeal of the legislative provisions forming the basis for processing or retention,
- Elimination of the purpose requiring processing or retention,
- Elimination of the conditions set out in Articles 5 and 6 of the Law,
- Withdrawal of consent where processing is based solely on explicit consent,
- Acceptance of the data subject’s request for deletion/destruction/anonymization,
- Rejection of the request, insufficient response, or failure to respond within the legal period and the Board finding the request appropriate,
- Expiration of the maximum retention period with no condition justifying longer retention.
5. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, Adadünya Optik takes necessary technical and administrative measures to prevent unlawful processing, prevent unlawful access, and ensure the safeguarding of personal data, and performs or commissions necessary audits. If personal data are obtained by third parties through unlawful means despite all measures, Adadünya Optik informs the relevant units as soon as possible.
5.1. Technical Measures
- Technical measures are taken in line with technological developments and are updated periodically.
- Access and authorization solutions are implemented in line with legal compliance requirements.
- Access rights are restricted and reviewed regularly.
- Technical measures are periodically checked and risks are reassessed.
- Anti-virus systems and firewalls are installed.
- Qualified personnel are employed for technical matters.
- Applications where personal data are collected are regularly scanned for security vulnerabilities and remedied.
- Penetration testing may be used when necessary to check system weaknesses.
- Destruction of personal data is ensured in a non-recoverable manner without leaving an audit trail.
5.2. Administrative Measures
- Employees are trained on technical measures to prevent unlawful access.
- Access/authorization processes are designed and implemented according to compliance requirements; data sensitivity and importance are considered.
- Contractual records are added stating that personal data must be processed lawfully, not disclosed, not used unlawfully, and confidentiality obligations continue even after termination of employment.
- Employees are informed that they cannot disclose personal data or use them outside the purpose and undertake commitments accordingly.
- Contracts with parties to whom personal data are transferred include provisions requiring necessary security measures and compliance.
- In case personal data are obtained unlawfully, the incident is notified to the data subject and the Board as soon as possible.
- Experienced personnel may be employed and trained in data protection and data security.
- Audits are performed/commissioned and any privacy/security vulnerabilities are remedied.
6. MEASURES REGARDING DISPOSAL OF PERSONAL DATA
Although processed lawfully, Adadünya Optik may delete or destroy personal data upon its own decision or upon the request of the data subject when the reasons requiring processing cease to exist. After deletion, data cannot be accessed or used again. An effective data tracking process will be managed to define and monitor disposal processes.
6.1. Methods for Deletion, Destruction and Anonymization
6.1.1. Deletion of Personal Data
Deletion means making personal data inaccessible and non-reusable for relevant users. Adadünya Optik may use one or more of the following methods:
- For paper records: blacking out/obscuring, painting over, cutting, or erasing.
- For office files in a central system: removing user access rights.
- For databases: deleting the rows/columns containing personal data.
- Secure deletion with expert assistance when needed.
6.1.2. Destruction of Personal Data
Destruction means making personal data inaccessible, irretrievable and non-reusable by anyone.
- Physical destruction
- Shredding with a paper destruction machine
- De-magnetization: passing magnetic media through special devices exposing them to high magnetic fields so that data become unreadable.
6.1.3. Anonymization of Personal Data
Anonymization means making personal data impossible to be associated with an identified or identifiable natural person, even by matching with other data. Adadünya Optik may use one or more of the following methods:
- Masking: removing key identifying information from the dataset.
- Record removal: removing unique records/rows that create identifiability.
- Regional hiding: hiding a value when it creates a rare combination that identifies a person.
- Global coding: generalizing data (e.g., using age instead of date of birth; region instead of full address).
- Adding noise: adding +/- deviations to numeric data (e.g., weight values +/- 3 kg) to prevent exact identification.
In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing falls outside the scope of the Law, and explicit consent of the data subject will not be sought.
Adadünya Optik may decide ex officio to delete, destroy or anonymize personal data and freely determine the method according to the selected category. If the data subject selects one of these categories in their application under Article 13 of the Regulation, Adadünya Optik has discretion regarding the method to be used within that category.
7. RETENTION AND DISPOSAL PERIODS
Adadünya Optik retains personal data for the period necessary for the purpose for which they are processed. If the primary purpose for collection or any secondary legal basis specified in this Policy ceases to exist, personal data may continue to be retained for the periods specified in Annex 1.
Where legislation stipulates a period, that period is complied with. If no period is stipulated, personal data are retained for the maximum period specified in Annex 1. These periods are determined considering Adadünya Optik’s data categories and data subject groups and by taking into account statutory obligations and the maximum limitation period under the Turkish Code of Obligations (10 years).
When the obligation to delete/destroy/anonymize arises due to the expiration of these periods, Adadünya Optik performs disposal in the first periodic disposal following that date.
8. COMPANY’S PERIODIC DISPOSAL PERIOD
Adadünya Optik’s periodic disposal period is 1 year. Personal data whose retention period has expired are disposed of in 1-year cycles within the framework of the disposal periods in Annex 1, in accordance with the procedures set out in this Policy. Data will be deleted in a non-recoverable manner from media such as documents, files, CDs, diskettes, hard drives, etc.
9. PERSONNEL
As the data controller under the Law, Adadünya Optik shall assign personnel whose titles, units and job descriptions are provided in Annex 2, based on Article 11/1 of the Regulation, to fulfill obligations regarding retention and disposal. The appointed persons are responsible within their authority boundaries under the Turkish Commercial Code, Code of Obligations and Turkish Penal Code.
Department managers are responsible for supervising whether relevant users act in compliance with this Policy and the Personal Data Policy under the Law and Regulation, and for reporting disposal activities carried out during periodic disposal periods to the Chair of the Adadünya Optik Personal Data Protection Board.
10. APPLICATION OF THE DATA SUBJECT
The data subject may apply to Adadünya Optik with a signed application petition to be obtained from Adadünya Optik, pursuant to Article 13 of the Law and Article 12 of the Regulation, to request deletion or destruction of their personal data.
- If all conditions for processing personal data have ceased to exist, the data controller deletes, destroys or anonymizes the data subject’s personal data. The data controller finalizes the request within 30 days at the latest and informs the data subject.
- If all conditions for processing have ceased and the personal data have been transferred to third parties, the data controller notifies the third party and ensures the necessary actions under the Regulation are taken.
- If all conditions for processing have not ceased, the request may be rejected by the data controller with justification, and the rejection response is notified to the data subject in writing or electronically within 30 days at the latest. Adadünya Optik may reject deletion requests for the following reasons:
- Processing anonymized data for official statistics, research, planning and statistics.
- Processing within the scope of freedom of expression for artistic, historical, literary or scientific purposes, provided it does not violate national security/public order, privacy or personality rights, and does not constitute a crime.
- Processing carried out by authorized public institutions for preventive/protective/intelligence activities to ensure national security/public safety/public order/economic security.
- Processing by judicial authorities relating to investigation, prosecution, trial or execution.
- Processing necessary to prevent crime or for criminal investigation.
- Processing of personal data made public by the data subject.
- Processing necessary for supervisory/regulatory duties or disciplinary investigations by authorized public institutions or professional organizations.
- Processing necessary to protect the state’s economic and financial interests relating to budget, tax and financial matters.
- The request may hinder others’ rights and freedoms.
- Disproportionate effort requests.
- The requested information is publicly available.
10.1 Exercising the Data Subject’s Rights
Data subjects may submit their requests regarding the rights listed in Section 9 by providing identification information/documents, by completing and signing the application petition obtainable from Adadünya Optik, and submitting it via the methods specified or other methods determined by the Board. For third parties to apply on behalf of data subjects, a special power of attorney issued via a notary is required.
10.2 Right to File a Complaint with the Personal Data Protection Board
Under Article 14 of the Law, if the application is rejected, the response is deemed insufficient, or no response is given within the legal period, the data subject may file a complaint with the Board within 30 days from learning the response and in any case within 60 days from the date of application.
11. INFORMATION THAT THE COMPANY MAY REQUEST FROM THE APPLICANT
Adadünya Optik may request information from the applicant to determine whether the applicant is the data subject. Adadünya Optik may also ask the data subject questions to clarify the matters in the application.
12. REVISION AND WITHDRAWAL
If this Policy is revised or withdrawn, the revised policy or the new policy will be announced on Adadünya Optik’s website.
13. EFFECTIVE DATE
This Policy enters into force on 15/10/2019.