Privacy and Data Protection
Personal Data Protection and Processing Policy
Pursuant to the provision set forth in Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning them. This right includes being informed about personal data related to the person, accessing such data, requesting their correction or deletion, and learning whether they are being used in line with their intended purposes.
The Law on the Protection of Personal Data No. 6698 (“Law”), which entered into force upon its publication in the Official Gazette on April 7, 2016, regulates the protection of the fundamental rights and freedoms of individuals in the processing of personal data, as well as the obligations of natural and legal persons who process personal data and the procedures and principles to be complied with. The purpose of this Policy, prepared in this regard, is to ensure compliance with the obligations related to the provisions of the Law.
This Personal Data Protection and Processing Policy (“Policy”) contains the statements and explanations of Arsen Yarman regarding the processing, within the scope of the Law, of the personal data of natural persons, primarily visitors and other third parties.
The right to make amendments to this Policy is reserved for the purpose of providing up-to-date information on practices and legal regulations regarding the protection of personal data. In the event of material changes to the Policy, Data Subjects will be informed through various channels.
The definitions of the terms used within the scope of this Policy, taking into account the legislation on the protection of personal data, are provided below.
1. Definitions
Pursuant to the provision set forth in Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning them. This right includes being informed about personal data related to the person, accessing such data, requesting their correction or deletion, and learning whether they are being used in line with their intended purposes.
The Law on the Protection of Personal Data No. 6698 (“Law”), which entered into force upon its publication in the Official Gazette on April 7, 2016, regulates the protection of the fundamental rights and freedoms of individuals in the processing of personal data, as well as the obligations of natural and legal persons who process personal data and the procedures and principles to be complied with. The purpose of this Policy, prepared in this regard, is to ensure compliance with the obligations related to the provisions of the Law.
This Personal Data Protection and Processing Policy (“Policy”) contains the statements and explanations of Arsen Yarman regarding the processing, within the scope of the Law, of the personal data of natural persons, primarily visitors and other third parties.
The right to make amendments to this Policy is reserved for the purpose of providing up-to-date information on practices and legal regulations regarding the protection of personal data. In the event of material changes to the Policy, Data Subjects will be informed through various channels.
The definitions of the terms used within the scope of this Policy, taking into account the legislation on the protection of personal data, are provided below.
THE CONCEPTS | THE DEFINITIONS |
Explicit Consent | Refers to the declaration of will regarding a specific subject, based on being informed, and freely expressed by Data Subjects. |
Anonymization | Refers to rendering Personal Data impossible to be associated with an identified or identifiable natural person in any way, even by matching with other data. |
Data Subject | Refers to the natural person whose personal data are processed. |
Personal Data | Refers to any information relating to an identified or identifiable natural person. |
Processing of Personal Data | Refers to any operation performed on data such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of Personal Data, whether wholly or partially by automatic means, or by non-automatic means provided that it is part of any Data Recording System. |
Data Recording System | Refers to the recording system in which Personal Data are processed by being structured according to specific criteria. |
Data Controller | Refers to the natural or legal person who determines the purposes and means of processing Personal Data, and is responsible for the establishment and management of the Data Recording System. |
Data Processor | Refers to the natural or legal person who processes Personal Data on behalf of the Data Controller, based on the authority granted by the Data Controller. |
2. Principles Regarding Data Privacy
Pursuant to Article 3 of the Law, any operation performed on data such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partially by automatic means, or by non-automatic means provided that it is part of any data recording system, falls within the scope of processing personal data. Within the scope of Personal Data Processing activities, actions are carried out in accordance with the general principles set out below.
Compliance with the law and the rules of good faith: Personal data processing activities are carried out in compliance with the Constitution, primarily, as well as the Law on the Protection of Personal Data and the relevant legislation, and in accordance with the law and the rules of good faith.
Accuracy and up-to-datedness: Data Subjects are provided with the opportunity to update their Personal Data, and the necessary measures are taken to ensure the correct transfer of data into databases.
Processing for specific, explicit, and legitimate purposes: Personal Data Processing activities are limited to specific and legitimate purposes, and Data Subjects are clearly informed about these purposes through clarification texts.
Being relevant, limited, and proportionate to the purpose for which they are processed: Personal Data are processed to the extent necessary, relevant, and limited to the purpose notified to the Data Subject at the time they are obtained.
Retention for the period stipulated in the relevant legislation or as required for the relevant purpose: Personal Data are stored only for the period stipulated in the Law and relevant legislation, or for as long as required by the purposes of the data processing activity. Upon the expiry of these periods, the data are deleted, destroyed, or anonymized.
3. Conditions of Processing Personal Data
Apart from the explicit consent of the personal data subject, the legal basis for a personal data processing activity may consist of only one of the conditions set out below, or more than one condition may serve as the basis for the same personal data processing activity. In cases where the processed data are special categories of personal data, the conditions relating thereto as specified below shall apply.
(i) Existence of the Explicit Consent of the Personal Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on being informed, and declared with free will.
Where any of the personal data processing conditions listed below is present, personal data may be processed without the explicit consent of the data subject.
(ii) Explicitly Stipulated by Laws
If the personal data of the data subject are explicitly stipulated by law, in other words, if the relevant law contains an express provision regarding the processing of personal data, this data processing condition shall be deemed to exist.
(iii) Inability to Obtain the Explicit Consent of the Data Subject Due to Actual Impossibility
If it is compulsory to process the personal data of a person who is unable to express consent due to actual impossibility, or whose consent cannot be deemed valid, in order to protect the life or physical integrity of that person or another person, the personal data of the data subject may be processed.
(iv) Being Directly Related to the Establishment or Performance of a Contract
Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, if the processing of personal data is necessary, this condition shall be deemed fulfilled.
(v) Fulfilment of a Legal Obligation
If processing is mandatory for the fulfilment of legal obligations, the personal data of the data subject may be processed.
(vi) Personal Data Made Public by the Data Subject
If the data subject has made their personal data public, the relevant personal data may be processed to the extent limited to the purpose of making them public.
(vii) Processing of Data Being Mandatory for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.
(viii) Processing of Data Being Mandatory for Legitimate Interests
Provided that it does not harm the fundamental rights and freedoms of the personal data subject, if data processing is mandatory for legitimate interests, the personal data of the data subject may be processed.
Informing the Personal Data Subject
In accordance with Article 10 of the Law and the secondary legislation, personal data subjects are informed about by whom, for what purposes their personal data are processed as the data controller, with whom and for what purposes their data are shared, by which methods they are collected and the legal basis thereof, as well as the rights they have within the scope of the processing of their personal data.
4. Your Collected Personal Data
The Personal Data collected from you may vary depending on the nature of your relationship with our website and legal obligations.
Your Collected Personal Data may include the following:
- Device and Access Information: Technical data such as IP address, device operating system and browser type, screen resolution, and language preferences.
- Session Information: Session ID, time spent on the page, navigation path (click-stream), and click data.
The listed types of Personal Data do not cover all data processed, and other types of Personal Data similar to those listed may also be processed.
5. Our Purposes for Processing Personal Data
The Personal Data obtained from you may be processed in compliance with the Personal Data Processing conditions set forth in Articles 5 and 6 of the Law, and for the purposes listed below:
Main Purposes | Sub-Purposes |
Ensuring Website Functionality, Security, and Error Management | · Preserving the user session ID through mandatory cookies · Detecting unauthorized access, bot traffic, and fraud attempts using IP address and browser information · Early detection of system errors and speeding up the intervention process |
6. Retention of Personal Data
When determining the retention periods of personal data, consideration is given to the applicable legislation and the purposes for which the data in question are processed. In this context, legal obligations and statutory limitation periods relating to the Personal Data Processing activity are always taken into account where applicable. If the purpose of processing Personal Data no longer exists, the data are deleted, destroyed, or anonymized, unless there is another legal reason or basis allowing the retention of the Personal Data.
7. Transfer of Personal Data
Your Personal Data may be shared, for the purposes stated above, in accordance with the personal data transfer conditions set out in Articles 8 and 9 of Law No. 6698, as indicated in the table below. In such cases where your Personal Data are shared, necessary measures are taken to ensure that the party with whom the data are shared carries out processing and transfer activities in compliance with the rules set forth in this Policy and the provisions of the legislation.
The transfer of your Personal Data abroad may take place only if the conditions set forth in Article 9 of the Law are met, namely:
- If one of the exceptions allowing personal data to be processed without explicit consent, as set out in Articles 5 and 6 of the Law and explained above, is present, and there is an adequacy decision regarding the country to which the transfer will be made; or
- If there is no adequacy decision regarding the country to which the data will be transferred, but the exceptions set out in Articles 5 and 6 of the Law are met, and in such countries there is the possibility for individuals to exercise their rights and apply for effective legal remedies, and a standard contractual clause has been signed with the party to whom the transfer will be made; or
- If neither of the above situations exists, the transfer may be carried out on an incidental basis in accordance with subparagraph 6 of Article 9 of the Law.
DATA TRANSFER PARTIES | DEFINITON-SCOPE | PURPOSE |
Legally Authorized Public Institution | Refers to public institutions and organizations authorized to request information and documents pursuant to the applicable legal regulations..
| Personal data are shared in a limited manner for the purpose of responding to requests referred by authorized public institutions. |
Legally Authorized Private Persons | Refers to private law persons authorized to request information and documents pursuant to the applicable legal regulations. | Personal data are shared in a limited manner for the purpose of responding to requests referred by authorized private persons. |
8. Data Security
In order to ensure the security of your Personal Data, reasonable technical and administrative measures are taken to prevent risks of unauthorized access, accidental data loss, intentional deletion, or damage to the data.
9. Rights of Data Subjects
Pursuant to Article 11 of the Law, Data Subjects have the following rights against the Data Controller:
- To learn whether Personal Data relating to them are processed, and if so, to request information regarding such processing.
- To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose.
- To know the third parties to whom Personal Data are transferred domestically or abroad.
- To request the correction of Personal Data if they are incomplete or incorrectly processed.
- To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in the relevant legislation, and to request that the transactions carried out be notified to third parties to whom the Personal Data have been transferred.
- To object to the occurrence of a result against the person by analysing the processed data exclusively through automated systems.
- To request compensation for damages in the event of suffering damage due to the unlawful processing of Personal Data.
Paragraph 2 of Article 28 of the Law lists the circumstances in which data subjects do not have the right to make a request. Within this scope, except for the right to request compensation for damages regarding the data, the rights set out above cannot be exercised in the following cases:
- Where the processing of Personal Data is necessary for the prevention of crime or for a criminal investigation,
- Where the processing of Personal Data relates to personal data made public by the Data Subject,
- Where the processing of Personal Data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by the law,
- Where the processing of Personal Data is necessary for the protection of the State’s economic and financial interests in relation to budgetary, tax, and financial matters.
10. Exercise of Rights by Data Subjects
For the effective exercise of these rights, you may send your request, including the necessary information to verify your identity, any other required details, and explanations regarding the specific right you wish to exercise under Article 11 of the Law, to the e-mail address info@armeniangoldsmiths.com.
For third parties to be able to submit an application on your behalf, you must grant such third party a special power of attorney issued by a notary public.
In order to verify whether the applicant is the Data Subject, the Relevant Person may be requested to provide information, and questions may be asked to the Data Subject to clarify matters stated in the application.