PERSONAL DATA PRIVACY AND SECURITY POLICY
Dear Customers, Members, Business Partners/Suppliers, Job Applicants, Employees, and Visitors; asDR MOM HAND ORGANIC COSMETICS LTD. (“Dr. Mom Hand” or “Company”), we attach great importance to the protection of your personal data. In this context, we would like to inform you about your personal data and processing processes as the “data controller” in accordance with the Personal Data Protection Law No. 6698 (“KVKK”).
This Policy aims to ensure the sustainability of the Company's “principle of conducting company activities with transparency.” In this context, the basic principles adopted in terms of compliance with the regulations in the Personal Data Protection Law No. 6698 (“KVK Law”) are determined, and the practices carried out by the Company are explained.
The Policy is directed at natural persons whose personal data are processed by the Company through automated or non-automated means, provided that they are part of any data recording system.
The Policy has been published on the Company's website and made available to the public. In the event of a conflict between the regulations in the applicable legislation, especially the Law, and the provisions in this Policy, the provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in line with legal regulations.
DEFINITIONS
Company DR MOM HAND ORGANIC COSMETICS LTD.
Personal Data Any information relating to an identified or identifiable natural person.
Processing of Personal Data Any operation performed on personal data, whether fully or partially automated or by non-automated means, provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data.
Personal Data Owner/Relevant Person Refers to the Company's Stakeholders, Business Partners, Company Officials, Job Applicants, Employees, Visitors, Company Customers, Potential Customers, Third Parties, and individuals whose personal data is processed by the company.
Data Recording System Refers to the recording system in which personal data is processed by being structured according to specific criteria.
Data Controller Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Explicit Consent Refers to consent that is based on information and expressed with free will regarding a specific subject.
Anonymization Refers to rendering data that has been associated with a person in such a way that the person cannot be identified or made identifiable by any means, even by matching with other data.
Destruction Refers to the process of deleting, destroying, or anonymizing personal data to make it inaccessible.
Law Refers to the Personal Data Protection Law No. 6698.
KVK Board Refers to the Personal Data Protection Board.
WHICH PERSONAL DATA DO WE PROCESS
Depending on your visit to Dr. Mom Hand's website, your Dr. Mom Hand Club Card membership, your shares in telephone or email communications, your e-newsletter subscription, your phone calls/shares with Customer Services, your purchases of products/services from Dr. Mom Hand through contact or appointment forms you fill out, your visits to our workplaces, your job applications, or your engagement in any other legal or commercial relationship, the following personal data may be processed.
Identity Information: Name-Surname, Turkish ID Number, Place of Birth, Date of Birth, Signature.
Contact Information: Address, phone number, email address.
Visual and Auditory Information: Data relating to individuals' images in camera recordings made for security purposes in Dr. Mom Hand's physical environments, and data relating to individuals' voices recorded in call center calls.
Customer Transaction Data: Information such as records of the use of products and services purchased from Dr. Mom Hand's website or stores, instructions and requests necessary for the customer's use of products and services, customer number, contract numbers, transaction date, account number, etc.
Special Categories of Personal Information: This data category refers to (i) health data obtained from personnel within the scope of healthcare services, personnel and occupational safety, or health declarations obtained from personnel candidates, and (ii) types of data such as criminal record data related to convictions for personnel and personnel candidates.
Personal Information: This data category includes types of data such as identity, contact information, profession, education, and financial information of the personnel, required to be legally created within the scope of the personnel file established within the framework of the employment contract with the personnel.
Education Data: Data such as diplomas, transcripts, and certificates showing the educational background, which are included in the forms filled out or resumes prepared by personnel and candidates as part of their job applications, or requested during the recruitment process.
Professional Experience: Data included in the forms filled out or resumes prepared by personnel candidates as part of their job applications, showing their work experience and professional titles.
Transaction Security Data: Data such as IP address, access logs, start and end time of the provided service, type of service utilized, amount of data transferred.
CATEGORIES OF RELATED PERSONS
- Refers to real or legal persons benefiting from the services offered by Dr. Mom Hand.
- Potential Customer Refers to real or legal persons who show interest in using the services offered by Dr. Mom Hand, have the potential to become customers, express their intention to benefit from the services through the website or other channels, and request a quote.
- Refers to real persons visiting all workplaces and the website of the Company.
- Third Parties Refers to real persons excluding the categories of Related Persons mentioned above and Dr. Mom Hand employees.
- Business Partners/Suppliers and Their Employees Refers to parties with whom Dr. Mom Hand has established business partnerships for purposes such as carrying out commercial activities, or who provide goods or services to the Company in accordance with Dr. Mom Hand's instructions and on a contractual basis, and their employees.
- Employee Candidate Refers to persons who apply for a job at Dr. Mom Hand.
- Refers to real persons who perform services under an employment contract at Dr. Mom Hand.
- Refers to the shareholders and partners of the Company.
HOW AND ON WHAT LEGAL BASIS WE COLLECT YOUR PERSONAL DATA
In Physical Environment;
Your personal data is collected directly from you through your purchases from Dr. Mom Hand's stores, skin and hair analysis forms you fill out in stores, forms developed for our "Recommend to a Friend" application, your store visits, contracts you sign, CVs you share as part of your job application or job application forms you fill out.
In Electronic Environment;
Your personal data is collected directly from you through your purchases from Dr. Mom Hand's website, Dr. Mom Hand Club Card membership forms you fill out, requests and complaints you share through the website, by phone or email, our call center, your posts on our social media accounts, and images reflected on security cameras.
Your personal data collected from both environments is recorded in the Dr. Mom Hand database and can be processed through automated and non-automated means.
In the context of the commercial and/or contractual relationship between you and Dr. Mom Hand (product or service exchange, membership agreement, workplace visits), within the framework of the purposes specified below and in accordance with Article 5 of Law No. 6698; the establishment and execution of the contract, the establishment of a right, the fulfillment of legal obligations, and within the scope of our legitimate interests, provided that we protect your rights and do not cause harm. During your visits to our workplaces, your image is recorded via a security camera for security reasons and is processed limited to this operation.
If you do not purchase goods or services from Dr. Mom Hand, and if no legal or commercial relationship is established between us, we may process your personal data mentioned above based on your EXPLICIT CONSENT in accordance with Article 5, Paragraph 1 of the Law. Your explicit consent can be obtained by providing the PASSWORD generated for you to Dr. Mom Hand personnel if you find the disclosure text sent to you via SMS or email acceptable, or by checking the permission/consent boxes in the membership and shopping areas on the website and pressing the “submit” button. You can withdraw your permissions at any time.
PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your Personal Data is processed for the purposes specified below:
For Customers and Members;
Execution of Goods / Services Procurement Processes
Conducting Goods / Services Sales Processes
Carrying Out Customer Relationship Management Processes
Conducting Customer Satisfaction Activities
Ensuring Physical Space Security
Provision of After-Sales Support Services
Conducting Financial and Accounting Affairs
Execution of Company / Product / Service Loyalty Processes
Conduct Transactions and Activities Within the Scope of Commercial/Contractual Relationship, Fulfill Financial and Legal Obligations
Tracking Requests / Complaints
Fulfilling Legal Obligations
Providing Information to Authorized Persons, Institutions, and Organizations
Establishment and Execution of the Membership Agreement and Customer Membership
Benefiting from Its Advantages
Legal Proceedings Management
Marketing and Promotional Activities
Commercial Electronic Message Sending
Conducting Marketing Analysis Studies
Managing Advertisement / Campaign / Promotion Processes
Information Security, Storage, and Archiving activities
For Potential Clients;
Your visits to our website and stores, the forms you fill out, your e-newsletter subscriptions, your posts on our Social Media Accounts, and the requests and complaints you submit to our call center; your identity and contact information obtained directly from you are processed with your explicit consent for marketing purposes, such as sending you advertisements, campaigns, and other commercial communications related to our products and services, and offering you certain products tailored to you. If it is a request or complaint you have submitted to Dr. Mom Hand, then in this case, your identity and contact information are processed for a limited period of time in accordance with Article 5/2 of the Law to manage this request or complaint.
For Suppliers/Business Partners;
Within the scope of the commercial relationship between our company and you, personal data belonging to your company officials and employees can be processed for the purposes listed below, in accordance with the basic principles stipulated in the Law and within the conditions of personal data processing, as specified in Article 5 of the Law; the establishment and execution of our contracts, fulfillment of legal obligations, and within the framework of our company's legitimate interests.
Fulfilling Legal Obligations
Managing Contract Processes
Conducting Financial and Accounting Affairs
Legal Processes Execution and Follow-up
Conducting Internal Company Operations
Strategic Planning & Business Partners/Supplier Management
Ensuring Physical Space Security
Conducting Logistics Activities
Managing Supply Chain Management Processes
Storage of your information required by relevant legislation; copying and backing up to prevent data loss; ensuring the consistency of your information; taking necessary technical and administrative measures for the security of our databases and your information
For Visitors;
Within the scope of your visits to our company, website, and other workplaces, visual data from security cameras in physical environments for the safety of our company and you, as well as transaction security data obtained during the internet access provided to you during your visit to our workplace, are processed for the following purposes.
Conducting Audit and Security Activities
Conducting Information Security Processes
Creating and Tracking Visitor Records
Ensuring Physical Space Security
Providing Information to Authorized Persons, Institutions, and Organizations
Ensuring the Security of Data Controller Operations
Providing Internet Access and Ensuring Access Security
For Job Applicants;
Dr. Mom Hand processes your personal data obtained through the CVs you share or the application forms you fill out during your job applications made either through our website www.drmomhand.com or directly to our company headquarters or stores, for the purposes specified in Article 5 of the Law; for personnel recruitment and management of human resources processes, and for the establishment of employment contracts, the establishment of a right, and as evidence in legal disputes, within the scope of our company's legitimate interests, for the purposes listed below.
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Conducting Job Application Processes of Employee Candidates
Conducting Human Resources Operations and Especially Personnel Recruitment Processes
Conducting Activities to Ensure Business Continuity
Ensuring Physical Space Security
For Employees;
Dr. Mom Hand processes personal data of employees for reasons arising from relevant legislation to create a personnel file, to enter into a service contract with you, and within the scope of Dr. Mom Hand's management right and legitimate interest, for the purposes listed below.
Conducting Information Security Processes
Fulfilling Employment Contract and Legislative Obligations for Employees
Conducting Processes of Benefits and Interests for Employees
Conducting Audit / Ethical Activities
Conducting Training Activities
Conducting Access Authorizations
Conducting Activities in Compliance with Legislation
Conducting Financial and Accounting Affairs
Ensuring Physical Space Security
Conducting Assignment Processes
Following and Conducting Legal Affairs
Planning Human Resources Processes
Conducting Business Activities / Audits
Conducting Occupational Health / Safety Activities
Conducting Activities to Ensure Business Continuity
Providing Information to Authorized Persons, Institutions, and Organizations
Conducting Management Activities
Making Necessary Legal Notifications to Official Institutions, Benefiting from Incentives before Official Institutions, Notifying Relevant Authorities within the Scope of Inspections by Official Institutions
Conducting Human Resources Operations and Especially Personnel Affairs,
PARTIES TO WHOM YOUR PERSONAL DATA IS TRANSFERRED AND PURPOSES OF TRANSFER
Dr. Mom Hand may transfer your personal data to the following domestic recipient groups for the purposes stated in this Policy, within the scope of the Law and other legislation:
To our suppliers and business partners (such as companies providing web infrastructure services, cargo companies, audit firms) with whom we work to provide or deliver the services offered to you,
To our business partners, suppliers, banks, financial institutions, IT service companies, companies providing SMS and email sending services, survey companies with whom we cooperate and/or receive services for the provision, promotion, and similar purposes of services,
To lawyers, auditors, consultants, and service providers,
To your authorized proxies, guardians, and representatives,
To regulatory and supervisory institutions and organizations authorized to request your personal data, such as courts and enforcement offices, and to the persons they designate,
To Dr. Mom Hand Group of Companies to which our company belongs.
COMMERCIAL ELECTRONIC COMMUNICATION
Dr. Mom Hand may process identity and contact data and communicate with data subjects to send commercial electronic messages (SMS, EMAIL, etc.) for advertising, campaign announcements, promotions, and other commercial purposes by using their contact information. Dr. Mom Hand obtains electronic communication consent from the relevant individuals for this activity and carries out the mentioned activity within the scope of this consent.
RIGHTS OF RELEVANT PERSONS UNDER ARTICLE 11 OF THE LAW
To learn whether your Personal Data is being processed,
If your Personal Data has been processed, to request information regarding this,
To learn the purpose of processing your Personal Data and whether they are used in accordance with their purpose,
To know the third parties to whom your Personal Data is transferred domestically or abroad,
To request the correction of your Personal Data if it is incomplete or incorrectly processed,
To request the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation,
To request the notification of the transactions made under Articles 5 and 6 to the third parties to whom your Personal Data has been transferred,
To object to the emergence of a result against you by analyzing the processed data exclusively through automated systems,
To demand the compensation of the damage in case you suffer damage due to the unlawful processing of your Personal Data.
ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
The Company takes all necessary measures to prevent the unlawful disclosure, access, transfer, or other security deficiencies of personal data, within the scope of possibilities, according to the nature of the data to be protected.
In this context, the Company takes all necessary (i) administrative and (ii) technical measures, (iii) establishes an audit system within the company, and (iv) acts in accordance with the measures stipulated in the KVKK Law in case of unlawful disclosure of personal data.
DESTRUCTION OF PERSONAL DATA
Pursuant to Article 7 of the Law, although it has been processed in accordance with the law, in case the reasons for processing no longer exist, the Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the Relevant Person, in accordance with its Data Protection and Destruction Policy, the legislation, and the guide published by the Institution.
Dr. Mom Hand has prepared a DESTRUCTION POLICY that determines the methods of destruction of personal data and has published it within the company. All destruction processes are carried out in accordance with this policy. At the same time, Dr. Mom Hand has clearly determined the destruction periods for each process and type of personal data in the personal data inventory. In the periodic data destruction process carried out every 6 months, the retention periods determined in the inventory are taken as a basis.
MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA
Dr. Mom Hand, in accordance with Article 12 of the KVKK Law, takes necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of personal data, unlawful access to data, and to ensure the preservation of data, and conducts or has conducted necessary audits within this scope.
Dr. Mom Hand takes technical and administrative measures according to technological possibilities and implementation costs to ensure the lawful processing of personal data.
TECHNICAL MEASURES
The main technical measures taken by Dr. Mom Hand to ensure the lawful processing of personal data are listed below:
Personal data processing activities carried out within Dr. Mom Hand are monitored through established technical systems.
The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
Departments have been established on technical issues, and knowledgeable personnel are employed in this regard.
New technological developments are followed, and technical measures are taken on systems, especially in the field of cybersecurity, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented within the framework of legal compliance requirements determined for each department within Dr. Mom Hand.
Access permissions are restricted and regularly reviewed. Access restrictions are applied to former employees and accounts are closed.
The technical measures taken in accordance with the internal operations of Dr. Mom Hand are reported to the relevant users, and issues posing risks are re-evaluated to produce the necessary technological solutions.
Software and hardware including virus protection systems, data breach securities, and firewalls are installed.
Expert personnel in technical matters are employed.
All information systems, including applications where personal data is collected, are regularly subjected to external impact testing to identify security vulnerabilities, and these vulnerabilities are addressed based on the test results.
ADMINISTRATIVE MEASURES
Administrative measures taken by Dr. Mom Hand to ensure the lawful processing of personal data:
Dr. Mom Hand employees are informed and trained on personal data protection laws and the lawful processing of personal data.
All personal data processing activities carried out by Dr. Mom Hand are conducted in accordance with a personal data inventory and its annexes, created by analyzing all business units in detail.
The personal data processing activities carried out by the relevant departments within Dr. Mom Hand are bound to written policies and procedures by Dr. Mom Hand to ensure compliance with the personal data processing conditions required by the KVKK, and each business unit is informed about this matter and the issues to be considered in their specific activities are determined.
The audit and management of personal data security within the departments of Dr. Mom Hand are organized by the Information Security Committees. Awareness is created to meet the legal requirements determined on a business unit basis, and necessary administrative measures are implemented through internal policies, procedures, and training to ensure the continuity of these practices.
Records containing information and data security related to personal data are included in the service contracts and relevant documents between Dr. Mom Hand and its employees, and additional protocols are made. Efforts have been made to create the necessary awareness for employees on this matter.
Legal compliance, access, and authorization processes for personal data within the company are implemented by considering the personal data processing processes specific to each department within Dr. Mom Hand.
To exercise your rights under the KVKK mentioned above, you can send your request to Dr. Mom Hand by filling out the relevant person application form available at www.drmomhand.com or by sending a similar written document with a wet signature to (i) the postal address of Dr. Mom Hand below via registered mail with return receipt, or (ii) by using your electronic mail address registered in our systems to kvkk@drmomhand.com via email, or (iii) through other application methods specified in the relevant legislation.
If individuals submit their requests regarding their personal data to our Company in writing, the Company, as the data controller, ensures that the necessary processes are carried out to conclude the request as soon as possible and within thirty (30) days at the latest, in accordance with Article 13 of the KVKK, depending on the nature of the request.
Within the scope of ensuring data security, the Company may request information to verify whether the applicant is the owner of the personal data subject to the application. Our Company may also ask questions related to the application to ensure that the request is concluded appropriately.
If the application of the relevant person is likely to hinder the rights and freedoms of other individuals, require disproportionate effort, or the information is public, Dr. Mom Hand may reject the request by explaining the reason.
ENFORCEMENT OF THE POLICY
This Policy, organized by Dr. Mom Hand, was enacted in 2020. It is published on Dr. Mom Hand's website (www.drmomhand.com) and made accessible to relevant individuals upon request of personal data owners.
DR MOM HAND ORGANIC COSMETICS LTD. (DATA CONTROLLER)
ADDRESS:
71-75 Shelton Street, Covent Garden, London, United Kingdom
PHONE: +44 7848 99 6901
WEB: www.drmomhand.com