PERSONAL DATA PROTECTION AND PROCESSING POLICY

Document No:111.7

Document name: Personal Data Protection and Processing Policy

Revision Date: 17.07.2025 / Revision No.: 02

Issuance Date: 1/2/2020

VERSION

Version 02

 

TABLE OF CONTENTS

1. PURPOSE AND SCOPE OF THE POLICY
2. DEFINITIONS
3. PRINCIPLES FOR PROCESSING OF PERSONAL DATA
4. PERSONAL DATA PROCESSING CONDITIONS AND EXCEPTIONAL CIRCUMSTANCES
5. PERSONAL DATA CATEGORIZATION
6. ENSURING SECURITY OF PERSONAL DATA
7. PERSONAL DATA PROCESSING PURPOSES
8. LOCAL AND ABROAD TRANSFER OF PERSONAL DATA
9. DESTRUCTION OF PERSONAL DATA
10. RIGHTS OF PERSONAL DATA SUBJECT
11. METHODS OF APPLICATION FOR THE DATA SUBJECT
12. FINAL PROVISIONS
13. EFFECTIVE DATE OF THE POLICY

 

1. PURPOSE AND SCOPE OF THE POLICY 

Principles and procedures, adopted and to be implemented by our Company for the purpose of ensuring compliance with the Law no. 6698 on Protection of Personal Data published in the Official Gazette no. 29677 of 07.04.2016 (“LPPD”) and applicable legal regulations, are regulated with this Poliy within the scope of the disclosure obligation of the data controller.

With respect to your personal data processed by our Company, practices and principles on your processed personal data, personal data processing principles, personal data processing purpose and conditions, local and foreign transfer of your personal data, disposal of your personal data, and your rights on your processed personal data are explained to you below.

LOTUS TEKNİK TESTİL SAN. VE TİC. A.Ş. (hereinafter, “Lotus/Company”) shall act in line with the procedures and processes set forth in this Policy with regard to compliance with the LPPD and other applicable regulations and processing, utilization, disposal, transfer of your personal data pursuant to the Law and other regulations, as well as other relevant matters.

 

2. DEFINITIONS

Explicit Consent:	Freely given, specific and informed consent.
Anonymization:	Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Personal Data:	Any information relating to an identified or identifiable natural person.
Processing of Personal Data:	All kinds of procedures performed on all or a part of the personal data, such as obtaining, recording, storing, retaining, modifying, readjusting, disclosing, transferring, receiving, making available, classifying, or preventing the use of personal data, by automated or partially automated means or non-automated means as part of a data recording system.
Personal Data Subject:	Natural person, whose personal data is processed.
Private Personal Data:	Private personal data comprises data on race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, manners of clothing, health, sex life, criminal record and safety measures of individuals, as well as biometric and genetic data.
Data Processor:	Natural or legal persons, who process personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller:	The natural or legal person who determines the purpose and means of processing personal data and is responsible for the establishment and management of the data filing system.

3. PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Our Company performs personal data processing activities pursuant to the following principles and procedures in accordance with article 4 of the LPPD, which regulates the principles and procedures for processing of personal data.

a. Compliance with the Law and the Rules of Integrity

Our Company processes your personal data in compliance with the LPPD and other laws and regulations that must be observed due to the conducted business.

b. Accuracy and Currency

Our Company carries out necessary procedures and takes technical and administrative measures to prevent personal data, provided by data subjects, from being modified without authorization and contrary to facts, and to update personal data upon request by data subjects in case of a change regarding processed data.

c. Processing for Certain, Clear and Legitimate Purposes

Your personal data, which are processed by our Company, are processed in line with the purpose of processing notified to you and within the notified framework.

d. Being Linked to the Purpose of Processing, Limited, and Prudent

Our Company does not process personal data that are not compatible with its operations, not required within the scope of the Company’s operations, and which will go beyond the purpose of processing.

e. Retention As Long As Stipulated in the Relevant Legislation or Required for the Purpose of Processing

Your data, processed within the scope of the LPPD and other applicable laws and regulations, are stored as long as the periods stipulated in the applicable legislation or that require retaining due to the nature of the processed data.

4. PERSONAL DATA PROCESSING CONDITIONS AND EXCEPTIONAL CIRCUMSTANCES

– General personal data to be processed within the scope of the company’s operations can be processed without obtaining explicit consent of the data subject in the presence of any of the following circumstances;

a) Presence of explicit consent of the data subject, or

b) Express stipulation in the legislation,

c) The need for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

d) The need to process personal data of contractual parties, provided that it is directly related to drawing up or executing an agreement

e) The requirement to process for fulfillment of a legal obligation of the data controller

f) Being made public by the data subject:

g) Requirement to process data for establishment, exercise, or protection of a right,

h) Requirement of data processing for legitimate interests of the data controller, provided that fundamental rights and freedoms of the relevant person are not impaired.

– Private personal data to be processed within the scope of the company’s operations;

Shall not be processed unless explicit consent is obtained from the data subject. However, such private personal data can be processed without obtaining explicit consent of the relevant entity in the presence of the following circumstances;

• Express stipulation in the legislation,
• The need for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
• Pertinence to personal data made public by the Data Subject and conformity with the public disclosure will,
• Requirement for establishment, exercise, or protection of a right,
• Requirement by entities under confidentiality obligation or authorized institutions and organizations for the purposes of protection of public health, preventive medicine, performance of medical diagnosis, treatment and care services, and planning, management, and financing of health services,
• The need for fulfillment of legal obligations in employment, occupational health and safety, social security, social services, and social welfare,
• Being aimed at current or former members and affiliates of foundations, associations, and other non-profit organizations or entities established with political, philosophical, religious, or union purposes, or other individuals in regular contact with these organizations and entities, provided that processing is in line with the legislation governing them and fit for their purposes, limited to their areas of activity, and not disclosed to third parties,

provided that adequate measures are taken as determined by the Board.

5. PERSONAL DATA CATEGORIZATION 

 

Identity Information	Name, surname, mother’s name, father’s name, date of birth, place of birth, marital status, religion, blood type, registration province, district, neighborhood written on your ID card, as well as other details written on your ID card including but not limited to these.
Contact Details	Contact data such as home telephone number, mobile telephone number, residence address or other address detail, e-mail address that are requested from you or that you provide in order to enable contacting you.
Personnel Information	Photocopy of identity card, Civil registry extract, Residence certificate, Medical report, Diploma photocopy, Criminal record, Passport sized photograph, Family status certificate, Military service status document, Employment Contract / Service Contract, SSI statement of employment, Your criminal record, Information and documents on your medical status.
Bank Account Details	Bank account number, IBAN, other credit card and debit card details.
CV Details	Your educational background, school details, certificate details, educational status, and information on trainings you received, which are written in your CV, requested by our Company, or provided by you, Location, date, and duration details concerning your work experience, details on your previous job and duty, any details on your work experience, which are written in your CV, requested by our Company, or provided by you, Your photograph, which is available in your CV, requested by our Company, or provided by you, Your driving license and details written on your driving license, which are available in your CV, requested by our Company, or provided by you, Your references and detail of your references, which are available in your CV, requested by our Company, or provided by you,
Visitor Details	Name, surname, and visiting hours of visitors to the company, as well as vehicle license plate, visited person, and other details, if available.

 

 6. ENSURING SECURITY OF PERSONAL DATA

As Lotus, we take technical and administrative measures, which are deemed necessary to ensure storage and security of your personal data that we process within the scope of the Company’s operations, within the confines of the required technological infrastructure pursuant to the LPPD and applicable legislation; accordingly, we take measures and conduct audits against data breach, unauthorized access, data loss, unauthorized modification of data, and other threats.

In this context; we identify existing risks and threats, we train our employees and carry out awareness efforts, determine policies and procedures on personal data security, ensure personal data minimization, establish necessary confidentiality agreements with data processors, use firewalls and current antivirus software to ensure cyber security, structure our existing software and hardware, perform software updates and inspections, ensure security of physical and electronic media containing personal data, take necessary measures with key management, access logs, user account management, penetration audit, and encryption methods to prevent breach of our data security by unauthorized persons.

 

7. PERSONAL DATA PROCESSING PURPOSES

Processing purposes for your personal data are limited to performance of the Company’s operations and fulfillment of obligations arising from the law.

Accordingly,

a. In Terms of Personal Data Belonging to Customers, Potential Customers, and Business and Solution Partners

• Your contact details and other personal data, provided to us and requested by us, can be processed for the purposes of;
  Providing more effective services with our suppliers and business partners, conducting legal and financial processes,
• Ensuring workplace safety, commercial safety, and economic safety,
• Ensuring occupational health and safety, and fulfillment of our existing obligations pursuant to the applicable legislation,
• Auditing compliance of business operations, conducted by authorized private law real and legal entities, with social compliance and ethics criteria within the scope of Social Compliance-Ethics audits,
• Having necessary work flow processes conducted by our relevant departments to improve the service offered by our Company and ensure customer satisfaction,
• Including images in corporate social media accounts with respect to organizations and other activities of our Company,
• Fulfillment of obligations arising from the law and the agreement .
• Auditing compliance of business operations, conducted by authorized private law real and legal entities, within the scope of audits,

b. In Terms of Personal Data Belonging to Visitors

• Personal data pertaining to visitors to the Company, such as information on identity details such as name and surname, entry-exit times, vehicle license plates, visited employee, and purpose of visit, are processed on electronic and physical media in order to ensure order and safety of life and property within the Company.

c. In Terms of Personal Data Belonging to Prospective Employees

• CV details, identity details, contact details, and other data of prospective employees are processed in line with the purposes and methods of;
  Submission of job applications and CVs to the relevant department, checking eligibility for the job, and progressing to the interview process,
• Identification of whether you fulfill adequate and necessary qualifications regarding the role, for which you are applying, as well as performance and scrutinization of tests during any procedure to be carried out at the moment of job application, in the process of job application, and throughout the job application,
• Calling your references and obtaining referrals about you,
• Your job placement in the workplace if the job interview is concluded favorably as a result of the job application process,
• Informing you about the job opportunity upon performance of necessary assessments again when a suitable position opens subsequently if the job interview is concluded unfavorably as a result of the job application process.

d. In Terms of Personal Data Belonging to Employees

• Your identity details, CV details, personnel details, bank account details, communication details, contact details, and other details can be processed in line with the purposes and methods of;
  Ensuring order, peace in the workplace, and security within the Company,
• Processing of personal data pertaining to employees for fulfillment of legal obligations such as generation and retention of personnel files and disclosing to auditor public institutions and organizations and authorized private law real or legal entities during workplace audits,
• Recording all actions, performed by employees on the fileserver system, by means of logging,
• Processing employee data by using software approved by the Company within the scope of performance of commercial and other activities of the Company,
• Including images in corporate social media accounts with respect to organizations and other activities of our Company,
• Using methods for determination of entry-exit times of employees and other electronic surveillance methods for the purposes of ensuring security of workplace and employees, protecting safety of life and property,
• Disclosing personal data belonging to employees with a private insurance company acting as a business partner if it is required to take out personal accident insurance and complementary health insurance for employees and to establish another right,
• Disclosing personal data belonging to employees, assigned for the purpose of temporarily providing services in the relevant customer within the scope of maintenance and repair services provided to customers, with the relevant customers upon request of the customer,
• Recording personal data pertaining to employees by the Company and transfer to local or foreign third parties within the scope of making necessary organizations for provision of activities such as fair, seminar, training, conference, trip, and social event, as well as accommodation and transportation services, by the Company and/or by third parties on behalf of the Company, carrying out visa procedures, providing information on developments about the Company, contacting them and their relatives in necessary cases, offering motivational rewards (such as gifts and promotions), promotional and advertising in respect of the Company’s activities, and other purposes,
• Processing other personal data of employees for the purpose of transferring personal data belonging to employees to third parties in contractual relationship with the Company to perform shuttle services offered to employees and fulfill relevant procedures,
• Processing general and private personal data of employees, as well as disclosure of these to occupational physician and medical staff, within the scope of documents and papers that should be retained within the scope of OHS activities,
• Disclosing personal details belonging to employees, who shall drive vehicles, with companies that provide vehicle rental services,
• Recording fuel consumption and HGS details in terms of the utilization of vehicles, allocated by the Company to the Employees to perform their duties, depending on the nature of performed work,
• Recording correspondences, made by means of the corporate e-mail account allocated to the employee, and e-mail files containing such correspondences in a cloud system located abroad.

e. In Terms of Personal Data Belonging to Subcontractors

• Your identity details, personnel details, bank account details, communication details, contact details, and other personal data can be processed in line with the purposes and methods of;
  Processing for fulfillment of legal obligations such as generation and retention of personnel file and disclosing to auditor public institutions and organizations and authorized private law real or legal entities during workplace audits,
• Processing general and private personal data of subcontractors, as well as disclosure of these to occupational physician and medical staff, within the scope of documents and papers that should be retained within the scope of OHS activities,
• Using methods for determination of entry-exit times of employees and other electronic surveillance methods for the purposes of ensuring security of workplace and employees, protecting safety of life and property.

8. LOCAL AND ABROAD TRANSFER OF PERSONAL DATA

 Local Transfer

Your personal data can be transferred to;

• Our Group Companies, Tetra Pazarlama ve Dış Ticaret A.Ş. & Multipak Ambalaj San. ve Tic. A.Ş. & Lotus Teknik Tekstil San. ve Tic. A.Ş. & CM Holding A.Ş., for the purposes of efficiency of our Company, developing employment policies, ensuring sustainability, and ensuring coordination within the scope of business activities, with limitation to and in association with this purpose.

• Banks, Social Security Institution, and other institutions and organizations for fulfillment of the employer’s obligations within the scope of the employment contract,

• Microsoft Office applications, cloud solutions, IFS applications and backup systems, databases of which are located abroad, for administration and management of operations within the Company, performance of businesses of the Company, implementation of Company policies, efficient management and conduct of work flow,

• Our business partners, suppliers, third parties providing services within the scope of Company’s activities, and abroad for provision of products and services.

• Your personal data can be disclosed as necessary to debt enforcement offices or courts (at every level and degree), as well as relevant Ministries, directorates, Social Security Institution, and other entities upon request or in line with our legal obligations.

Abroad Transfer

Your personal data shall not be transferred abroad under any circumstances.

9. DESTRUCTION OF PERSONAL DATA

 

Personal data, processed within the scope of our Company’s operations, are retained as part of the processing purpose and for periods required to achieve such purpose, and throughout the retention period stipulated in the applicable legislation.

Data which lost functionality, retention period of which has expired, or which are requested by the data subject to be disposed if possible under the legislation, are disposed using the suitable method listed in article 7 of the LPPD, i.e. deletion, destruction, or anonymization.

Deletion of personal data is rendering personal data inaccessible and nonreusable by relevant users.

Destruction of Personal Data is rendering the data inaccessible, nonrestorable and nonreusable by anyone.

Anonymization of personal data is ensuring that personal data can by no means be associated with a real person whose identity is known or identifiable, even if they are matched with other data.

All operations performed within the scope of disposal are recorded by the Company with data disposal reports and such records are retained for at least 3 (three) years, except for other legal obligations. The Company reserves the right to retain personal data due to its other legal obligations.

10. YOUR RIGHTS AS THE DATA SUBJECT

 

In respect of personal data processed within the scope of our Company’s activities, under their rights specified in article 11 of the LPPD, the data subject is entitled to apply to our Company to;

a) find out whether their personal data was processed,

b) request pertinent information if personal data was processed,

c) find out the purpose of processing and whether personal data was purposefully used,

d) find out local and foreign third parties to whom personal data was transferred,

e) request correction of personal data if they were processed incompletely or incorrectly,

f) request deletion or destruction of personal data pursuant to the terms stipulated in article 7 of the LPPD,

g) request notification of procedures carried out pursuant to clauses (d) and (e) to third parties, to whom personal data was transferred,

h) object to an outcome against the person due to the analysis of processed data exclusively by means of automated systems,

i) request compensation if losses are incurred due to unlawful processing of personal data.

11. METHODS OF APPLICATION FOR THE DATA SUBJECT

You can make your applications regarding your aforementioned rights pursuant to the application procedures stipulated in the Communiqué on Principles and Procedures for Application to the Data Controller. In order to exercise your rights within the scope of the LPPD, you should file an application as follows, accompanied by identification documents;

• In case of application in person, written application shall be made to the Company’s address, Ortaköy Mah. İlter Bulvarı No: 27 34592 Silivri, İstanbul / Türkiye, by writing “Information Request Pursuant to the Law on Protection of Personal Data” on the envelope.
• In case of application by service of notice through notary public, written application shall be made to the Company’s address, Ortaköy Mah. İlter Bulvarı No: 27 34592 Silivri, İstanbul / Türkiye, by writing “Information Request Pursuant to the Law on Protection of Personal Data” on the envelope.

• In case of application by E-Mail signed by secure electronic signature, written application shall be made to  kvkk@lotustekstil.com.tr e-mail account, by writing “Information Request Pursuant to the Law on Protection of Personal Data” in the subject field of the e-mail.

In addition, upon announcement of other methods to be determined by the Board, our Company shall further announce how applications shall be received by such methods.

12. FINAL PROVISIONS

If you exercise your rights mentioned above and file an application with our Company regarding aforementioned matters, your requests in your application shall be finalized at no charge at the latest within thirty (30) business days depending on the nature of request. However, if the procedure requires the Company to incur further costs, the fee in the tariff established by the Personal Data Protection Board may be charged.

You should submit your applications on matters in respect of processing of your personal data to our Company by completing and signing the application form on the Company’s website and personally identifying yourself.

Lotus Teknik Tekstil San. ve Tic. A.Ş. Contact Details

Head Office Address: Ortaköy Mah. İlter Bulvarı No: 27 34592 Silivri, İstanbul / Türkiye

Contact E-Mail:  kvkk@lotustekstil.com.tr

Website address: http://www.lotustekstil.com.tr/

13. EFFECTIVE DATE OF THE POLICY

This Policy took effect on 17/07/2025 upon updating and approval by the Company’s Board of Directors for implementation regarding all personal data processing activities of the Company.

In case of a discrepancy between the Turkish version, which this Policy was issued in, and the translation in another language published by the Company, Turkish version shall prevail.

Ceyhun ZİNCİRKIRAN
Chairman of the Board of Directors