top of page

FAQ

HASHTAG TEXTILE TRADE LIMITED COMPANY

 KVKK PERSONAL DATA STORAGE AND DISPOSAL POLICY

1. PURPOSE

This Personal Data Retention and Disposal Policy (“Policy”) has been prepared for the purpose of determining the procedures and principles regarding the storage and destruction activities carried out as the data controller as Hashtag Tekstil Ticaret Limited Şirketi (“Hashtag Kids” or “Company”).

As part of its legal and social responsibility, Hashtag Kids is committed to complying with national personal data protection, processing, storage and destruction regulations within the scope of the Personal Data Protection Law No. 6698 ("Law"). 

In this context, your personal data of our employees, employee candidates, customers, service providers, visitors and for any reason at Hashtag Kids, within the framework of the Hashtag Kids Personal Data Processing and Protection Policy and this policy; T.R. Its Constitution is preserved and destroyed in accordance with international conventions, law and other relevant legislation. 

2. SCOPE OF DATA PROTECTION, STORAGE AND DISPOSAL POLICY

This Policy is implemented in Hashtag Tekstil Ticaret Limited Şirketi.

Personal data belonging to Hashtag Kids employees, employee candidates, customers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by our Company are processed, and in activities for personal data processing.

The policy may be updated from time to time. Therefore, in order to reach the most up-to-date version of the Policy, regularly www.hashtag-kids.comPlease visit  

3. DEFINITIONS

Law/KVKK

Law No. 6698 on the Protection of Personal Data

Board/Institution

Personal Data Protection Board/Personal Data Protection Agency

Personal Data

Any information relating to an identified or identifiable natural person.

Related person

Natural person whose personal data is processed

Buyer Group

Natural or legal person category to whom personal data is transferred by the Data Controller

Service provider

Real or legal person who provides services within the framework of a certain contract with our company

Open Consent

Consent on a particular subject, based on information and expressed with free will

Making Anonymous

Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data

Deletion of personal data; making personal data inaccessible and unusable for Relevant Users in any way

Destruction of Personal Data

The process of making personal data inaccessible, irretrievable and reusable by anyone in any way.

Processing of Personal Data

Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.

Data Processor

The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Special Qualified Personal Data
(Sensitive Data)

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data

Lighting Obligation

During the acquisition of personal data, the data controller or the person authorized by it, to the relevant persons; To provide information on the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, other rights listed in Article 11 of the Law.

Data Controllers Registry Information System

An information system, accessible over the internet, created and managed by the Presidency, to be used by data controllers in the application to the Registry and other related transactions related to the Registry.

Data Recording System

The registration system in which personal data is processed and structured according to certain criteria.

Personal Data Processing Inventory

Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.

Policy

Personal Data Retention and Disposal Policy

regulation

Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224

Destruction

Deletion, destruction or anonymization of personal data

Periodic Destruction

In the event that all of the personal data processing conditions in the law are eliminated, the deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.

Recording Media

Any environment where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.

 

4. RESPONSIBILITY AND PERSONAL DATA PROTECTION COMMITTEE

Hashtag Kids has established a Personal Data Committee (''Committee'') within the company. Committee; It is authorized and in charge of carrying out the necessary procedures and supervising the processes for the storage and processing of the data of the persons concerned in accordance with the law, the Personal Data Processing and Protection Policy and this Policy.

All employees of Hashtag Kids support the Committee in the proper implementation of the technical and administrative measures taken by the Committee within the scope of the Policy.

Committee; It consists of three people, a manager, an administrative expert and a technical expert. The titles and job descriptions of Hashtag Kids employees in the committee are as follows:

UNIT

TITLE

TASK DESCRIPTION

General manager

 

Personal Data Protection Committee

manager

To direct all kinds of planning, analysis, research and risk determination studies in the projects carried out in the process of compliance with the law; It is obliged to manage the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy and to decide on the requests received by the relevant persons.

IT Specialist

Lawyer

 

KVKK Specialist (Technical and Administrative)

Reporting the requests of the persons concerned to the Personal Data Committee Manager for review and evaluation; Fulfilling the transactions regarding the requests of the persons evaluated and decided by the Personal Data Committee Manager in accordance with the decision of the Personal Data Committee Manager; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; Responsible for the execution of storage and destruction processes.

 

5. RECORDING MEDIA WHERE PERSONAL DATA IS STORED

Your personal data within the body of Hashtag Kids are stored safely in accordance with the law in the recording media listed below in accordance with the nature of the data and our legal obligations.

 

Electronic Media

Non-Electronic Media

  • Servers (domain, backup, email, database, web, file sharing, etc.)

  • Software (office software, portal,)

  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)

  • Video recording and audio recording

  • Personal computers (desktop, laptop)

  • cloud system

  • Mobile devices (phone, tablet, etc.)

  • Optical discs (CD, DVD, etc.)

  • Removable memory (USB, memory card, etc.)

  • Printer, scanner, copier

 

  • Paper

  • Manual data recording systems (survey forms, visitor logbook)

  • Written, printed, visual media

 

6. SECURING RECORDING MEDIA

 

Hashtag Kids takes all necessary technical and administrative measures for the safe storage of your personal data, the prevention of unlawful processing and access, and the destruction of your personal data in accordance with the law.

 

6.1. Technical Measures

Hashtag Kids takes the following technical measures in the environments where your personal data is stored, to the extent that they comply with the characteristics of the relevant data and the environment in which it is kept:

  • System security is being improved.

  • Measures are taken for the physical security of the information systems equipment, software and data of the institution.  

  • In order to ensure the security of information systems against environmental threats, hardware (access control system allowing only authorized personnel to enter the system room, 24/7 employee monitoring system, fire extinguishing system) and software (firewalls, attack prevention systems, network access control, preventing malware) systems etc.) precautions are taken.  

  • Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.  

  • Hashtag Kids takes the necessary measures to make the deleted personal data inaccessible and reusable for the relevant users.  

  • Passwords are used in electronic media where personal data is processed.

  • Secure record keeping (logging) systems are (partially) used in electronic environments where personal data is processed.  

  • Security measures are taken in physical environments where sensitive personal data is processed, stored and/or accessed.

  • Destruction of personal data; are provided in a way that cannot be recycled and leaves no audit trail.

 

6.2. Administrative Measures

 

The administrative measures taken by Hashtag Kids regarding your processed personal data are listed below:

  • In order to ensure effective compliance with the legislation on the protection of personal data, a Personal Data Protection Committee has been established by the Board of Directors, with the ultimate responsibility of the Board of Directors.

  • Compliance with KVKK obligations is periodically audited by the Internal Audit unit.

  • Access authorization restrictions are foreseen.

  • Data minimization is provided.

  • Data retention periods have been determined.

  • The business and operational processes of Hashtag Kids have been harmonized with the Law.

  • With the data inventory, it has been determined in which situations the data processing conditions are fulfilled.

  • The provisions on the Protection of Personal Data have been added to the agreements made with our employees and all third parties.

  • Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.

  • On the Hashtag Kids website, necessary directions are given to obtain the applications of the persons concerned about their personal data, and an application form is included.

 

7. EXPLANATIONS RELATING TO THE REASONS REQUESTING STORAGE AND DISPOSAL

By Hashtag Kids; Personal data belonging to third parties who have a relationship with our company as employees, employee candidates, visitors and suppliers/service providers; It is stored and destroyed in accordance with the Law, the Regulation, the Hashtag Kids Personal Data Protection and Processing Policy and this Policy.

 

Hashtag Kids retains your personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, first of all, it is determined whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, this period is acted upon.

 

In the event that the period expires or the reasons requiring it to be processed disappear, your personal data is deleted, destroyed or anonymized in accordance with the Hashtag Kids Policy, unless there is a legal reason allowing them to be processed for a longer period of time. 

 

All transactions made by our Company regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

7.1. Reasons for Containment

  • Being directly related to the establishment and performance of contracts,

  • In order to establish, exercise or protect a right,

  • Due to the necessity of keeping Hashtag Kids for their legitimate interests, provided that it does not harm the fundamental rights and freedoms of individuals,

  • In order for Hashtag Kids to fulfill its legal obligations,

  • Due to the legislation expressly stipulating the storage of personal data;

  • Law No. 6698 on the Protection of Personal Data 

  • Turkish Code of Obligations No. 6098

  • Social Insurance and General Health Insurance Law No. 5510

  • Occupational Health and Safety Law No. 6331

  • Law on Access to Information No. 4982

  • Labor Law No. 4857

  • Turkish Commercial Code No. 6102 and other secondary regulations in force in accordance with these laws

 

  • In terms of storage activities that require the explicit consent of the data owners, they are stored due to the explicit consent of the data owners.

 

7.2. Reasons for Destruction

In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by Hashtag Kids ex officio or upon request in the following cases: 

  • Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,

  • The disappearance of the purpose that requires the processing or storage of personal data,

  • Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,

  • In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,

  • The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of the rights in subparagraphs (e) and (f) of Article 11 of the Law,

  • In cases where the data controller rejects the application made by the data subject to the request for the deletion, destruction or anonymization of his personal data, his response is found to be insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,

  • Although the maximum period for keeping personal data has passed, there are no conditions to justify keeping personal data for a longer period of time,

 

8. PERSONAL DATA DISPOSAL METHODS

At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by Hashtag Kids ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the following techniques.

 

8.1. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and unusable in any way. The deletion methods applied by Hashtag Kids are as follows:

Deletion Methods for Personal Data Held in Physical Environment

Blackout

  • Personal data in the printed media are deleted using the blackout method. The blackening process is done by cutting the personal data on the relevant document when possible, and making it invisible by using fixed ink in a way that it cannot be readable with technological solutions, in cases where it is not possible.

  • Personal data kept in the physical environment is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period of time has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.

Deletion Methods for Personal Data Held in Electronic Media

Safely Delete from Software

  • While deleting data processed by fully or partially automated means and stored in digital media; Methods for deleting the data from the relevant software are used so that it cannot be accessed and reused in any way for the relevant users. 

  • Deletion of relevant data in the cloud system by issuing a delete command; removing the access rights of the relevant user on the file or the directory where the file is located on the central server; It is done by deleting the relevant rows in databases with database commands or by deleting the data in the portable media, that is, in the flash media, using appropriate software.

8.2. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The deletion methods applied by Hashtag Kids are as follows:

Destruction Methods for Personal Data Held in Physical Environment

Physical Destruction

Personal data in the paper media are clipped and destroyed irreversibly.

Deletion Methods for Personal Data Held in Electronic Media

Physical Destruction

It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing through a metal grinder to optical or magnetic media.

 

8.3. Anonymization of Personal Data

Anonymization is making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data. Hashtag Kids does not use any of the methods of anonymization of personal data.

9. STORAGE AND DISPOSAL TIMES

9.1. Storage Times

PERIOD

STORAGE PERIOD

Planning and Execution of Corporate Communication Activities

10 Years after the termination of the employment relationship

Answering Court/Executive Information Requests Regarding Personnel

10 Years after the termination of the employment relationship

Preparation of Contracts

10 Years after the termination of the employment relationship

Recruitment Documents and Social Security Institution; Personnel Data Based on Notifications Regarding Term of Service and Fee

10 Years after the termination of the employment relationship

Occupational Health and Safety Practices

10 Years after the termination of the employment relationship

Identity Information, Contact Information, Financial Information, Business Partner/ Solution Partner/Consultant Employee Data Regarding the Execution of the Commercial Relationship Between Business Partner/Solution Partner/Consultant and Hashtag Kids

10 Years from the end of and during the business/commercial relationship of the Business Partner/Solution Partner/Consultant with  Hashtag Kids 

Customer's Name, Surname, TCKN, Contact Information, Payment Information and Methods, Navigational Movements Information, Product/Service Preferences, Transaction History

10 years from the delivery of each product/service that the Customer has purchased 

Identity Information, Contact Information, Financial Information on the Execution of the Commercial Relationship between the Institutions/Companies with which Hashtag Kids is in Collaboration and Hashtag Kids, Data of the Employee of the Institution/Company with which Hashtag Kids is in Collaboration

10 Years from the end of the business/commercial relationship of the Institutions/Companies with which Hashtag Kids is in Collaboration with Hashtag Kids

Payment Transactions

10 Years after the termination of the employment relationship

Personnel Financing Processes

10 Years after the termination of the employment relationship

Security Camera Records in Hashtag Kids Buildings

20 days

 

 

9.2. Disposal Times

Hashtag Kids is obliged to delete, destroy or anonymize the personal data it is responsible for in accordance with the law, relevant legislation, Hashtag Kids Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy; in the first periodical destruction process following the date of emergence (within 180 days following the storage period at the latest).

When the person concerned requests the deletion or destruction of his/her personal data by applying to Hashtag Kids pursuant to Article 13 of the Law;

If all the conditions for processing personal data have disappeared; Hashtag Kids deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for Hashtag Kids to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. Hashtag Kids informs the relevant person in line with the transactions.

If all the conditions for processing personal data have not been eliminated, this request may be rejected by Hashtag Kids by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal will be notified to the relevant person in writing or electronically within thirty days at the latest.

10. PERIODIC DISPOSAL

Paragraph 2 of Article 11 of the Regulation: “The time interval for periodic destruction is determined by the data controller in the personal data storage and destruction policy. This period cannot exceed six months in any case. '' is the ruling.

In accordance with the regulation, Hashtag Kids has determined the period of periodic destruction as 6 (six) months. Accordingly, Hashtag Kids Periodic destruction processes start for the first time on 30.12.2020 and repeat every 6 (six) months. Periodic destruction is carried out in June and December each year.

11. PUBLISHING AND UPDATING THE POLICY

This Policy, prepared by Hashtag Kids, entered into force on 30.09.2020.

This Policy is also published on the Company's website at www.Hashtag-kids.com and is made available to personal data owners upon request. In case of inconsistency between KVKK and other relevant legislation provisions and this Policy, KVKK and other relevant legislation provisions will be applied first.

This Policy is updated as and when necessary. In case of a change in the Policy, the effective date of the Policy and the relevant articles will be updated accordingly.

Regards.

Hashtag Textile Trade Limited Company.

bottom of page