Privacy Policy
Personal Data Protection Policy
Policy, Scope and Purpose
The Board of Directors and management undertake to comply with the principles and rules set forth by the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698 (KVKK) and other legislation regarding the protection of personal data and to protect the rights and freedoms of individuals whose data is processed by Zabun Group. For this purpose, the Board of Directors has adopted a written personal data protection policy and system to be implemented and developed.
Scope
The policy provisions cover all information systems and sub-information, contracts, environmental and physical areas involved in the processing of personal data in the fields of activity and work of Zabun Group, and the systems and regulations produced for all these.
This policy covers all units of Zabun Group, personnel of companies providing support services, visitors, third parties, interns and contract personnel.
Purposes of the Personal Data Protection Policy and System
The purpose of the Personal Data Protection Policy and System is to ensure that Zabun Group establishes and implements its own standards in the management of personal data; to determine and support organizational goals and obligations; to establish control mechanisms in line with Zabun Group’s acceptable risk level; to fulfill the obligations to which Zabun Group is subject in accordance with international agreements, the Constitution, laws, contracts and professional rules in the field of personal data protection; and to protect the interests of individuals in the best possible way.
Zabun Group will comply with personal data protection legislation and data protection principles. The data protection principles adopted by Zabun Group include:
Processing personal data only if it is clearly necessary for legitimate business purposes;
Processing the minimum amount of personal data necessary for these purposes and not processing more data than necessary;
Providing clear information to individuals about who uses their personal data and how it is used;
Processing only relevant and appropriate personal data;
Processing personal data fairly and legally;
Maintaining an inventory of the categories of personal data processed by Zabun Group;
Keeping personal data accurate and up to date when necessary;
Storing personal data only for the period required by legal regulations, Zabun Group’s legal obligations or legitimate corporate interests;
Respecting the rights of individuals regarding their personal data, including the right of access;
Keeping all personal data secure;
Transferring personal data abroad only if there is adequate protection;
Applying the exceptions permitted under the legislation;
Establishing and implementing the personal data protection system for the implementation of the policy;
Determining, when necessary, the internal and external stakeholders who are parties to the personal data protection system and the extent to which they are involved in Zabun Group’s personal data protection system;
Determining personnel with special authority and responsibility regarding the personal data protection system.
Notifications
Zabun Group informs the Personal Data Protection Board (“PDP Board”) about the fact that it is the data controller and the categories of personal data it processes in this capacity. Zabun Group determines all personal data categories it processes in its personal data inventory.
Notification is made in accordance with the procedure and method determined by the Personal Data Protection Board and a copy of the notification is kept by Zabun Group.
If necessary, notifications are repeated periodically.
In order to identify potential changes that may occur in the notification made to the KVKK Board, Zabun Group’s data processing activities and changes therein are reviewed annually and, if necessary, the KVKK Board is informed.
Zabun Group’s disciplinary regulations will be applied to any actions of Zabun Group units, support service company personnel, interns and contract personnel that violate this policy, and if the violation constitutes a crime or misdemeanor, the situation will be reported to the relevant authorities as soon as possible.
Zabun Group’s solution partners who have access to personal data or are likely to access it, and all third parties working with Zabun Group are invited to read and comply with this policy. No third party may access personal data processed by Zabun Group without a written confidentiality agreement that includes obligations with standards at least as strong as Zabun Group’s regarding the protection of personal data, and Zabun Group’s right to audit the same.
Definitions
Explicit consent: Consent based on information and expressed with free will on a specific subject.
Anonymization: Rendering personal data such that it cannot be associated with an identified or identifiable natural person, even when matched with other data.
Relevant person: The natural person whose personal data is processed.
Personal data: Any information relating to an identified or identifiable natural person.
Sensitive personal data: Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system.
KVKK: Personal Data Protection Law No. 6698.
KVKK Board: Personal Data Protection Board.
KVKK Authority: Personal Data Protection Authority.
Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.
Data recording system: The recording system in which personal data is structured and processed according to certain criteria.
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Duties and Responsibilities
Zabun Group is the data controller in accordance with the KVKK.
All personnel, especially those in Senior Management, manager and auditor positions, are responsible for developing and promoting correct practices in the processing of personal data within Zabun Group, as well as other obligations related to this issue included in their individual job descriptions.
The KVK Committee was established as the unit responsible for managing the personal data protection system and ensuring and documenting compliance with the KVKK and other relevant legislation, and is accountable to the Board of Directors on these matters.
KVK Committee
The members of the KVK Committee are appointed by the Board of Directors, taking into consideration their expertise and experience in personal data protection legislation and practices. The Committee reports directly to the Board of Directors.
Duties and Responsibilities of the KVK Committee
The Committee should inform the Board of Directors about Personal Data Protection legislation and developments.
The Committee is responsible for ensuring that Zabun Group’s policies and procedures are up to date and that data processing audits are carried out in accordance with the planned schedule and are in compliance with relevant legislation.
The Committee acts together with all relevant personnel on personal data protection issues.
The main duties and responsibilities of the Committee are as follows:
To provide information and advice to Zabun Group, its relevant partners and suppliers providing support services on personal data protection legislation and compliance issues.
To provide information and advice to Zabun Group personnel regarding their obligations under personal data protection legislation.
To monitor the compliance of Zabun Group’s data processing activities with personal data protection legislation.
To contribute to the development and maintenance of Zabun Group’s personal data protection policy and related procedures and processes.
To assign responsibilities within Zabun Group in the context of compliance with personal data protection legislation.
To ensure that the necessary training and awareness are provided to all personnel involved in personal data processing processes.
To monitor compliance with personal data protection legislation by conducting regular audits and to report to the Board of Directors.
To act in cooperation and contact with the KVK Board.
To determine the persons responsible who will act as the contact point and representative of Zabun Group before the Personal Data Protection Board.
To develop a formal procedure for reporting personal data breach incidents and investigations to the Board.
To contribute to the business continuity plan process.
To provide information and advice on the retention of corporate records.
To ensure that the extent to which personal data is collected, kept and used within Zabun Group, and the conditions for its storage, are in accordance with the relevant legislation.
To monitor and evaluate the suitability, reasonableness, security practices and other controls that may be necessary regarding the protection of personal data.
To identify and implement controls to ensure the confidentiality, integrity and availability of personal data and to recommend additional controls that may be necessary.
To present the issues that pose potential risks regarding personal data within Zabun Group and the relevant suggestions to the Board of Directors.
The Personal Data Protection Committee has the authority to audit all systems related to the collection, processing and storage of personal data of Zabun Group. The Personal Data Protection Committee may request cooperation from all personnel, including access to systems and records, while performing its duties. If this cooperation is not provided, the Committee reports the situation to the Board of Directors.
All personnel of Zabun Group who process personal data are responsible for acting in accordance with the Personal Data Protection legislation.
The Human Resources unit is responsible for providing the necessary notifications and training to ensure that all personnel are aware of their responsibilities in the field of protection of personal data and have the necessary awareness.
Zabun Group personnel are responsible for ensuring the accuracy and up-to-dateness of all personal data provided to Zabun Group by them or relating to them.
Data Protection Principles
All personal data processing activities must be carried out in accordance with the following data protection principles. Zabun Group’s policies and procedures aim to ensure compliance with these principles:
Being in compliance with the law and the rules of honesty.
Being accurate and up to date when necessary.
Processing for specified, explicit and legitimate purposes.
Being relevant, limited and proportionate to the purpose for which they are processed.
Preservation for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Personal data is processed in a transparent manner and in accordance with the law and the rule of honesty.
In this context, Zabun Group includes information text/privacy notices in data collection channels and related areas regarding the personal data processing activities it carries out. The areas where these notices, which include clear and understandable information about which data is processed by Zabun Group and for what purposes, will be included and announced are determined. The following points are included in these notices:
The identity and contact information of Zabun Group as the data controller,
Types of personal data processed,
Purposes of processing personal data,
The anticipated storage period of personal data,
Rights of the data owner,
Third parties with whom data may be shared.
Personal data may only be processed for specified, explicit and legitimate purposes.
The grounds/purposes for processing personal data are determined in the personal data inventory, and personal data cannot be used for purposes other than those specified without another legal justification or the explicit consent of the data owner.
If conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is reported to the KVK Committee by the relevant personnel/unit. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and the new data processing activity.
Personal data must be appropriate and relevant, and processed to a limited extent for the purpose.
Zabun Group is obliged to ensure that personal data that is not clearly necessary for the purpose of processing is not collected and processed.
Zabun Group periodically checks whether the data processed through the personal data inventory is appropriate and relevant.
Zabun Group verifies that all data processing methods are appropriate and relevant through an internal audit and/or external audit to be conducted on an annual basis.
Zabun Group is responsible for stopping the data processing activity in respect of personal data that it determines to be inappropriate or irrelevant or excessive in terms of the processing purpose and for securely destroying the processed data in accordance with the storage and destruction procedure.
Personal data must be accurate and up-to-date.
Data kept for long periods of time should be reviewed for accuracy and timeliness.
The manager of the Human Resources unit is responsible for training all personnel on the collection and keeping of personal data accurately and up-to-date.
The accuracy and up-to-dateness of the data kept regarding personnel is the responsibility of the relevant personnel.
Personnel/customers and other relevant persons must inform Zabun Group to update the processed personal data. Upon such notification, the correction and updating of the record in question is the responsibility of the relevant unit.
The KVK Committee may instruct the relevant unit to review the accuracy or currency of certain data by evaluating the type, storage period and amount of processed data through the data inventory.
Personal data should only be processed if it is necessary for the purpose of data processing.
In cases where personal data is stored beyond the required period due to requirements such as back-up, personal data should be encrypted or anonymized/masked to protect the status and freedoms of individuals in cases of data security weakness.
The processing of personal data after the periods determined in accordance with the Storage and Destruction Policy is subject to the written approval of the Personal Data Protection Committee.
Rights of Data Owners
Data owners have the following rights regarding data processing activities and records about them at Zabun Group:
To learn whether their personal data is being processed,
To request information regarding the processing of personal data,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data is transferred, either domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly,
To request the deletion or destruction of personal data for which there is no legal justification or basis for processing in accordance with the KVKK or this policy,
To request that the correction or deletion processes made upon request be notified to third parties to whom personal data has been transferred,
To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
To request compensation in case of damages due to unlawful processing of personal data.
Data owners may request access to their personal data and exercise their rights listed above. These requests will be responded to within 30 days. The processes for receiving, forwarding and finalizing requests are carried out in accordance with the Request Management Procedure.
All Zabun Group personnel, regardless of their job description, are obliged to guide data owners on the correct application method for data owner access requests directed to them. Zabun Group personnel must be informed and trained on how to act regarding requests from data owners.
Obtaining Explicit Consent
Zabun Group accepts as explicit consent the consent that the data owner gives regarding certain data processing activities, based on information and with free will, expressing the will that data about him/her be processed, through a written or oral declaration or a clear confirmatory action. For sensitive data, explicit consent must be obtained in writing. Explicit consent can be withdrawn by the data owner at any time.
Explicit consent can be obtained by having the data owner sign the explicit consent form template or by including the elements in this template in a contract or electronic form to be made with the data owner. Explicit consent is obtained through the relevant contracts or forms for routinely processed personal data related to personnel, personnel candidates and customers.
If the data processing activity based on explicit consent is to be continuous or repeated, the relevant unit shall keep a single list of persons whose explicit consent has been obtained. The up-to-dateness and accuracy of this list is the responsibility of the relevant unit. The explicit consent forms or other relevant means of proof regarding the data processing activity based on explicit consent shall be kept by the relevant unit.
Data Security
All personnel are responsible for ensuring that the personal data processed by Zabun Group for which they are responsible is kept secure.
Only those who need to access personal data should have access to it. The security of personal data is ensured in accordance with Zabun Group’s Personal Data Protection Policy and related documents.
Information security incidents regarding personal data are reported to the Personal Data Protection Board and the relevant person by Zabun Group as soon as possible.
Data Sharing
Personal data can only be shared with third parties in accordance with law and equity. Accordingly, in order for personal data to be shared, one of the following conditions must be met:
The explicit consent of the data owner has been obtained.
It is clearly provided for in the laws.
It is necessary for the protection of the life or physical integrity of a person, or of someone else, who is unable to give consent due to a physical impossibility or whose consent is not legally valid.
The processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract to which Zabun Group is or will be a party.
It is mandatory in order for Zabun Group to fulfill its legal obligations.
It has been made public by the relevant person himself.
Data processing is necessary for the establishment, exercise or protection of Zabun Group rights.
Data processing is mandatory for the legitimate interests of Zabun Group, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Personal data may only be transferred abroad provided that the above conditions are met, adequate protection is provided in the target country, and the explicit consent of the data subject for such transfer is obtained.
When transferring personal data abroad, the list of countries with adequate protection determined by the Personal Data Protection Board is taken into account.
When it comes to transferring personal data abroad, the necessary permissions and notifications are made to the KVK Board in accordance with the KVKK and relevant legislation.
If there is a regular data sharing relationship without a legal basis or legal obligation, a KVKK Commitment is made with the party in question, which specifies the conditions of data sharing. The KVKK Commitment includes, at a minimum, the following:
The purpose or purposes of sharing;
Potential third party recipients or type of recipient and access rights conditions;
What categories of data will be shared (this should be kept to the minimum necessary for your purposes);
General principles regarding data processing;
Data security measures;
The retention period of shared data;
Data subject rights, access requests, procedures for responding to applications and complaints;
Reviewing the termination of the sharing agreement and
Liability and sanctions for non-compliance with the contract or individual violations by staff.
Purposes of Processing Personal Data Processed within the Scope of Personal Data Processing Activities Conducted by Zabun Group, Personal Data Owners, Personal Data Categories and Shared Party Categories
Purposes of Processing Personal Data
The purposes of data processing within the scope of personal data processing activities carried out by Zabun Group within the scope of the Data Controllers Registry Information System are as follows:
Execution of Emergency Management Processes
Execution of Information Security Processes
Conducting the Application Process of Employee Candidates
Fulfillment of Employment Contract and Legislative Obligations for Employees
Implementation of Employee Satisfaction and Loyalty Processes
Conducting Employee Benefits and Side Benefits Processes
Conducting Audit / Ethics Activities
Conducting Training Activities
Execution of Access Permissions
Carrying out activities in accordance with legislation
Carrying out financial and accounting affairs
Ensuring Physical Space Security
Execution of Loyalty Processes to Company / Products / Services
Conducting Assignment Processes
Monitoring and Execution of Legal Affairs
Conducting Communication Activities
Planning Human Resources Processes
Conducting/Supervising Business Activities
Conducting Occupational Health / Safety Activities
Carrying out activities to ensure business continuity
Carrying out the purchasing processes of goods / services
Carrying out After-Sales Support Services for Goods/Services
Execution of Goods / Services Sales Processes
Execution of Customer Relationship Management Processes
Carrying out activities aimed at customer satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Conducting Performance Evaluation Processes
Carrying out advertising / campaign / promotion processes
Execution of Risk Management Processes
Execution of Contract Processes
Ensuring the Security of Movable Goods and Resources
Tracking of Requests / Complaints
Execution of Supply Chain Management Processes
Implementation of the Wage Policy
Carrying out management activities
Creating and Tracking Visitor Records
Personal Data Owners
Personal Data Categories
Shared Party Categories
Management of Records
Personal data cannot be kept for longer than the period necessary for the purposes for which it is processed. The classification of records containing personal data and their storage periods are determined in accordance with the Storage and Destruction Policy.
Personal data whose processing purposes have expired, or that is subject to a legitimate request of the data owner, is anonymized, deleted or destroyed in a manner that prevents the identification of the natural person who owns the data, in accordance with the Storage and Destruction Policy.
Document Ownership and Approval
The PDP Committee owns this document and is responsible for regularly reviewing this policy in accordance with the review requirements set out above.
The current version of this document is made available to all Zabun Group personnel via common areas and published on the company website.