EXPLANATION AND PRIVACY POLICY ON THE PROTECTION OF PERSONAL DATA

EXPLANATION AND PRIVACY POLICY ON THE PROTECTION OF PERSONAL DATA 

ECE ŞENYILDIZ (shortly ECCE), as the data controller, adopts the principles stipulated by the KVK Law in order to comply with the Law on Protection of Personal Data No.6698 ("KVK Law"), processing, deleting, destroying, anonymizing, transferring personal data, It fulfills its obligations regarding the enlightenment of the person concerned and the provision of data security. In this context, the Privacy and Protection of Personal Data Policy is made available to natural persons ("Relevant Person") whose personal data are processed. 

1. Scope and Purpose of the Privacy and Personal Data Protection Policy 

This Privacy and Personal Data Protection Policy; 

a) Methods of collecting personal data and legal reasons, 

b) The personal data of which groups of people are processed (Data Subject Person Group Categorization), 

c) In which category personal data are processed in relation to these groups of persons (Data Categories) and sample data types, 

d) In which business processes and for what purposes these personal data are used, 

e) Technical and administrative measures taken to ensure the security of personal data, 

f) To whom and for what purpose personal data can be transferred, 

g) Personal data retention periods, 

h) Profiling and Segmentation 

ı) What are the rights of the Related Persons on their personal data and how they can exercise these rights, 

i) How the Relevant Persons can change their positive or negative preferences in receiving electronic commercial messages, 

j) Sharing personal data with official authorities 

k) Cookie Usage and Management explains. 

A. Methods of Collecting Personal Data and Legal Reasons 

ECCE personal data are specified in Article 5 of the Personal Data Protection Law No.6698. 

a) It is clearly stipulated in the laws, 

b) Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract, 

c) It has been made public by the person concerned, 

d) It is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not harmed, 

e) Data processing is mandatory for the establishment, use or protection of a right, 

Based on legal reasons, it collects websites, mobile applications of websites, social media accounts, cookies, call center, notifications from administrative and judicial authorities, and other communication channels in audio, electronic or written form. 

B. Data Subject Person Group Categorization 

ECCE categorizes the data subject person groups whose personal data are processed in personal data processing processes and activities related to these processes as follows. However, personal data of other person groups (consultants, educators, bloggers) can be processed in accordance with the personal data processing conditions specified in Articles 5 and 6 of the KVK Law and in line with the legal reasons specified in this Privacy / Personal Data Protection Policy. 

C. Data Categories and Sample Data Types 

1.a) Member Customer 

Identity Information: Name, surname, date of birth, gender, T.C. identification number 

Location Information: City of residence, county (delivery address of the shopping made through ………  

Contact Information: mobile phone, e-mail address, address, postal code, fixed phone 

Financial Information: Tax office, invoice information 

Customer / Member Information: Membership information, membership ID number 

Customer / Member Transaction Information: Purchased product (s), amount of shopping, date of shopping, call center call records, commercial communication permission, campaigns / contests used, coupons used, information about the order. 

Risk Management Information: IP address 

Transaction Security Information: Password, password information 

Marketing Information: Cookie records, targeting information, evaluations showing habits and likes 

Auditory Data: Call center call logs 

Legal Transaction and Compliance Information: The start and end time of the service provided, the type of the service used, the amount of data transferred, the commercial electronic message permission given by the relevant Person in electronic environment, the membership agreement approved by the relevant person, the corporate membership agreement, other legal texts and conventions 

Marketing Information: Marketing sms, e-mail messages or calls made by the call center based on the commercial electronic message permission given by the person concerned 

Request / Complaint Management / Reputation Management Information: Records regarding the complaints and / or requests submitted by the relevant person through the website, mobile application, social media accounts or call center regarding the product or service purchased and the transactions made during the evaluation or management process of these requests. 

1.b) Guest Customer (users who shop from the site without becoming a member) 

Identity Information: Name, surname, date of birth, gender, T.C. identification number 

Location Information: City of residence, district (delivery address of shopping made through …… com) 

Contact Information: mobile phone, e-mail address, address, postal code, fixed phone 

Financial Information: Tax office, invoice information 

Guest Customer Transaction Information: Purchased product / s, shopping amount, date of shopping, call center call records, commercial communication permission, campaigns used, information about the order. 

Risk Management Information: IP address 

Transaction Security Information: Password, password information 

Marketing Information: Cookie records, targeting information, evaluations showing habits and likes 

Auditory Data: Call center call logs 

Legal Procedure and Compliance Information: Start and end time of the service provided, the type of service used, the amount of data transferred, the commercial electronic message permission given by the Relevant Person in electronic environment, other legal texts and contracts that enable the services provided by ECCE 

Marketing Information: Marketing sms, e-mail messages or calls made by the call center based on the commercial electronic message permission given by the person concerned 

Request / Complaint Management / Reputation Management Information: Complaints and / or requests conveyed by the relevant person through the website, mobile application, social media accounts or call center related to the product or service purchased and 

records regarding the transactions made during the evaluation or management process 

2.Online Visitors 

Transaction Security Information: Password, mobile phone, password information 

Legal Transaction Information / Risk Management Information: IP address 

Legal Procedure and Compliance Information: Start and end time of the service provided, the type of service used, the amount of data transferred. 

3. Person to whom the purchased product will be delivered on behalf of 

Identity Information: Name, surname, date of birth, gender, T.C. identification number 

Location Information: City of residence, district (delivery address of the shopping made through …… ... com) 

Contact Information: mobile phone, e-mail address, address, postal code, fixed phone 

Financial Information: Tax office, invoice information 

4. Seller / Supplier / Vendor Candidate / Seller or Supplier Employee or Official 

Identity Information: TR Identity Number, Name Surname 

Contact Information: e-mail address, telephone, REM address, address, mobile phone 

Financial Information: Account Number, Tax Office, Tax Identification Number, tax plate, IBAN 

Legal Procedure and Compliance Information: Signature circular, activity certificate, 

Special Quality Personal Data / Legal Transaction Information: Signature 

1.b) Guest Customer (users who shop from the site without being a member) Personal Data 

● Ability to shop from the platforms as "guest", 

● Improving the services offered through the platforms, developing new services and providing information on this, 

● In terms of existing Guest Customers with commercial electronic message approval; Analyzing preferences, likes and needs and providing special promotions, opportunities and benefits to the Guest Customer, 

● Promoting and marketing applications, goods / products and services in line with the Guest Customer's preference and liking by remarketing, targeting, profiling and analysis in line with the explicit consent of the Guest Customer, 

● Resolving guest customer problems and complaints, 

● Improving the Guest Customer experience on both the platform and the mobile application, 

● Follow-up of accounting and purchasing transactions, 

● Legal processes and compliance with legislation, 

● Responding to information requests from administrative and judicial authorities, 

● Providing information and process security and preventing malicious use, 

● Making the necessary arrangements to ensure that the processed data are up-to-date and accurate, 

● Fulfillment of legal obligations 

2. Online Visitor Personal Data 

● Processing online visitor data within the scope of Law No. 5651, 

● Legal processes and compliance with legislation, 

● Responding to information requests from administrative and judicial authorities, 

● Providing information and process security and preventing malicious use, 

● Fulfillment of legal obligations 

3. Personal Data of the Person to whom the Purchased Product will be Delivered 

● Carrying out product delivery processes, 

● Follow-up of accounting and purchasing transactions, 

● Legal processes and compliance with legislation, 

● Responding to information requests from administrative and judicial authorities, 

● Providing information and process security and preventing malicious use, 

● Making the necessary arrangements to ensure that the processed data are up-to-date and accurate, 

● Fulfillment of legal obligations 

4. Personal Data of Seller / Supplier / Vendor Candidate / Vendor or Supplier Employee or Official 

● Execution of contract processes, 

● Follow-up of accounting and purchasing transactions, 

● Legal processes and compliance with legislation, 

● Responding to information requests from administrative and judicial authorities, 

● Providing information and process security and preventing malicious use, 

● Making the necessary arrangements to ensure that the processed data are up-to-date and accurate, 

● Fulfilling legal obligations 

E. Technical and Administrative Measures Taken to Ensure the Security of Personal Data 

ECCE is committed to taking all necessary technical and administrative measures and showing due diligence to ensure the confidentiality, integrity and security of your personal data. 

ECCE takes the necessary measures to prevent unauthorized access, misuse, illegal processing, disclosure, alteration or destruction of personal data. ECCE uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption when processing personal data. In addition, when sending your personal data to ECCE via website, mobile application and mobile site, these data are transferred using SSL. 

Regarding the prevention of unlawful access to personal data processed by ECCE, prevention of unlawful processing of these data and protection of personal data: 

● Protects all areas on the website or mobile application from which personal data is taken, with SSL, 

● Creates and applies access authorization and control matrices for its employees in order to prevent unlawful processing of personal data collected from the website or mobile application, 

● In order to ensure that personal data are not accessed illegally; periodically conducts penetration tests, tests the system's resistance to unauthorized access, 

● For all secondary data processing other than the primary processing purpose, WHICH METHOD TO USE uses the SA method. WHICH METHOD TO BE USED SA uses encryption methods in the systems containing this data and implements a stricter access authorization and control policy, 

● It ensures that personal data in paper environment are kept in lockers and accessed only by authorized persons. 

● Personal data processed through cookies belonging to third parties from which the service is obtained is deleted from the systems of third parties in case the membership terminates. 

Although ECCE takes the necessary information security measures, in the event that personal data is damaged as a result of attacks on the platforms operated by ECCE or the ECCE system, or gets in the hands of unauthorized third parties, ECCE immediately notifies you and the Personal Data Protection Board and takes the necessary measures. 

F. To Whom and For What Purpose Personal Data Can Be Transferred 

ECCE transfers personal data to third parties only for the purposes specified in this Privacy and Protection of Personal Data Policy and in accordance with Articles 8 and 9 of the KVK Law. Member Customer / Guest Customer data processed within this scope and the person information to be delivered on behalf of the purchased product are shared with the seller and the cargo company, and these data can also be accessed by the call center when necessary. The information of the person to be issued an invoice is shared with the cargo company in order to send the invoice to the relevant person. 

Mobile phone number and / or e-mail address of Member Customer / Guest Customer; Based on the commercial electronic message approval, the commercial electronic message is shared with the service provider in order to promote, advertise, and offer benefits and opportunities in line with shopping preferences, tastes and habits. 

Website or mobile application usage preferences and browsing history are shared with our domestic / foreign business partners from which the cookie service is received in order to make segmentation and to communicate with the Member Customer / Guest Customer in line with their likes and preferences. In this context, personal data transfers are carried out through the secure environment and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties; In all cases where the transfer of personal data of Member Customer / Guest Customer is not required, transfer is made using …………… ..data (named data). 

In order to increase the satisfaction and loyalty of the Member Customer / Guest Customer, the data of the Member Customer / Guest Customer is shared with companies that will conduct market research. 

Within the scope of reporting and statistical studies, data belonging to Member Customer / Guest Customer are shared with ……………. Companies that are partners of ECCE. 

In addition, your personal data will be shared with our business partners abroad for the purposes of providing business development services, providing statistical and technical services and conducting customer relations. 

Member Customer / Guest Customer / Online Visitor will write to ECCE corporate, whatever system the service offered is domestically or internationally or internationally ………. The system will send its personal data abroad, since it is abroad to be written. If Member Customer / Guest Customer / Online Visitor does not want to send their personal data abroad, they will be able to use other communication facilities provided by ECCE. 

In addition to the technical measures to ensure the security of personal data subject to domestic and international transfer, as mentioned above; Taking into account that the counterparty of the legal relationship is a data controller or a data processor, it is also legally protected thanks to the provisions in line with the KVK Law included in our contracts. 

During the shared information, as stated above, when transferring personal data to countries outside of Turkey, the data transfer as permitted by applicable law and in accordance with this policy for data protection is ensured. 

G. Personal Data Retention Periods 

ECCE maintains the personal data it processes in accordance with the KVK Law for the periods stipulated in the relevant legislation or required by the processing purpose. These periods are approximately as follows in our Personal Data Storage and Destruction Policy: 

TYPE DURATION LEGISLATION 

Call Center voice recordings 3 years Law No. 6563 and related secondary legislation 

Membership and records regarding the order 10 years Law No. 6098 

Accounting and financial transactions 

10 years Law No. 6102, Law No. 213 

Cookies Maximum 540 days 

Commercial electronic message confirmation records 1 year from the date of withdrawal of approval Law No. 6563 and related secondary legislation 

Traffic information on online visitors 2 years Law No. 5651 

Information and / or CVs received due to job application 1 year 

10 years after the legal relationship ends; 6563 S. Law, 6102 S. Law, 

Regarding personal data, in accordance with the 6563 Law and the relevant secondary legislation, 3 years 6098 No. Law, 213 No. 

                                                                                                                                        6502 S. Kanu 

Personal data on suppliers 10 years after the termination of the legal relationship, 6102 No. Law, 6098 No. 

                                                                                                                                        213 S. Law 

Usability test study 2 weeks 

 personal data collected for the purpose of 

                   You can review our Cookie Policy regarding the retention periods of personal data obtained through cookies. 

H. Profiling and Segmentation 

By using personal data processed in relation to ECCE Member Customer / Guest Customer; 

a. Regarding the Member Customer / Guest Customer who approves to receive commercial electronic messages, it carries out profiling and segmentation in order to prepare content more suitable for the likes and preferences of the Member Customer / Guest Customer, to provide advertisement, promotion and discounts. 

b. Profiling and segmentation for the Member Customer / Guest Customer who has not given commercial electronic message approval; 

● Making product improvements (determining the best-selling or non-sold product categories), 

● Modeling by analyzing shopping preferences, organizing campaigns for customer groups with the potential to buy a certain product and uploading it to the system, 

● Actions such as taking actions to increase the sales potential are carried out. 

Within the scope of profiling and segmentation studies, the personal data of the Member Customer / Guest Customer, especially the name and surname, mobile phone, e-mail or address information, are not used directly, instead, transactions are made with the Member Customer / Guest Customer IDs assigned to them. The personal data of the Customer / Member is protected by the use of the Member Customer / Guest Customer ID or in other words pseudonym data. Member Customer / Guest Customer IDs are only accessible to related persons or departments within ECCE. These IDs assigned to the Member Customer / Guest Customer are kept encrypted by ECCE in the system and access to this section is again granted only to limited persons. 

What Are the Rights of Relevant Persons on Their Personal Data and How They Can Use These Rights 

The rights of the Relevant Person on personal data processed by ECCE in accordance with Article 11 of the KVK Law are listed below: 

● Learning whether personal data is being processed, 

● Requesting information if personal data has been processed, 

● Learning the purpose of processing personal data and whether they are used appropriately for their purpose, 

● To know the third parties in the country or abroad to whom personal data have been transferred, 

● To request correction of personal data in case of incomplete or incorrect processing, 

● Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law, 

● Request notification of the transactions made pursuant to subparagraphs (D) and (E) to third parties to whom personal data have been transferred, 

● To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems, 

● To demand the compensation of the damage in case of damage due to unlawful processing of personal data. 

In order to exercise your rights over your personal data; You can access your account from the "My Account" section in the eccediamonds.com website, mobile application and mobile site and make necessary changes, updates and / or deletions. In addition, you can make your application and use your rights with the methods specified in the "Application Form" regulated in accordance with Article 13 of the KVK Law on the website or mobile application of electronic commerce platforms operated by ECCE. 

I. How Relevant Persons Can Change Their Positive or Negative Preferences About Receiving Electronic Commercial Messages 

You can change or update your positive or negative preferences for receiving commercial electronic messages, which you have given or at a later time, by accessing the "My Account" section while you are a member of the website or mobile application of electronic commerce platforms operated by ECCE. 

Termination of membership does not mean the withdrawal of your consent to receive commercial electronic messages. Therefore, make sure that you have completed all the procedures to withdraw your consent. 

You can follow the steps specified in our Cookie Policy on cookie management. 

J. Personal Data Sharing with Official Authorities 

ECCE, your personal data regarding your visit or membership to electronic commerce platforms and mobile applications operated by ECCE, and your traffic information such as your browsing information; For the purpose of the fulfillment of ECCE's legal obligation (including but not limited to crime, threats to state and public security, etc. where ECCE has a legal or administrative obligation to report or provide information), the public who is legally authorized to request such information will be able to share with institutions and organizations. 

l. Cookie Usage and Management 

For detailed information about the cookies used by ECCE, the types of cookies, their purposes, storage times and cookie management, you can review our Cookie Policy. 

2. Conditions for Deletion, Destruction and Anonymization of Personal Data 

ECCE keeps the personal data processed through its website, mobile application or mobile site for the periods stipulated by the relevant laws and / or the periods required by the processing purposes pursuant to Article 7, 17 of the KVK Law and Article 138 of the Turkish Penal Code. In the event that these periods expire, they will delete, destroy or anonymize in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data. 

Deletion of personal data by ECCE refers to the process of making personal data inaccessible and unavailable in any way for the relevant users. ECCE creates and implements user-level access authorization and control matrix for this. It takes the necessary measures to perform the deletion in the database. 

The destruction of personal data by ECCE means the process of making the personal data inaccessible, unavailable and reusable in any way. 

The anonymization of personal data by ECCE means making personal data unrelated to an identified or identifiable natural person under any circumstances, even if they are matched with other data. 

ECCE explains in detail the methods for deletion, destruction and anonymization and the technical and administrative measures taken within the scope of the Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this Policy, the period of periodic destruction stipulated by the Regulation is also determined as 6 months. 

3. Changes to the Privacy / Protection of Personal Data Policy 

ECCE can always make changes to this Privacy / Personal Data Protection Policy. These changes become effective immediately upon the publication of the new amended Privacy / Personal Data Protection Policy. Necessary information will be given to you, our members, in order to be aware of the changes in this Privacy / Protection of Personal Data Policy.