PRIVACY NOTICE ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

 

1. DATA CONTROLLER

 

With this Privacy Notice on the Protection and Processing of Personal Data (“Privacy Notice”), Hansel Kozmetik Turizm Tekstil Ticaret Limited Şirketi (the “Company”) hereby informs our valued customers, in our capacity as Data Controller, within the scope of our obligation to inform under the Law on the Protection of Personal Data No. 6698 (“LPPD”).

 

Under the LPPD, personal data means any information relating to an identified or identifiable natural person (“Personal Data”). A special category of personal data (“Special Categories of Personal Data”) refers to data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Accordingly, references to Personal Data in this Notice also cover your Special Categories of Personal Data.

 

2. METHODS OF COLLECTING PERSONAL DATA AND LEGAL GROUNDS FOR PROCESSING

 

Your Personal Data are collected in connection with your transactions with the Company and, for the purposes and within the scope set out in Section 4 below, by automated or non-automated means, verbally, in writing or electronically, and through the methods below and third parties contracted by the Company:

 

i. Verbally or in writing at cash registers as a result of purchases made during your store visits,

ii. Through your visits, memberships, registrations and purchases via the Company’s websites,

iii. Through sales made at contracted sales points where Company specialists work, via Company personnel at those locations and information forms completed there,

iv. Via closed-circuit camera systems located within the stores,

v. Through verbal and written complaints submitted by customers via all sales channels, social media and complaint platforms, globally or to the Customer Contact Center.

 

The legal grounds for processing Personal Data as specified in Articles 5 and 6 of the LPPD are as follows:

 

i. Your explicit consent,

ii. Processing clearly provided for by laws,

iii. Necessity to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid,

iv. Necessity for the establishment or performance of a contract,

v. Necessity for compliance with our legal obligations,

vi. Data made public by the data subject,

vii. Necessity for the establishment, exercise or protection of a right, and

viii. Necessity for the legitimate interests of the Company, provided that it does not harm your fundamental rights and freedoms.

 

3. PERSONAL DATA WE COLLECT

 

The Personal Data we collect from you are processed proportionately for the processing purposes we indicate in Section 4 below.

 

4. PURPOSES OF PROCESSING PERSONAL DATA

 

Your Personal Data are processed by the Company based on your explicit consent or in other cases legally permitted under the LPPD for the following purposes:

 

i. Ensuring activities are carried out in compliance with legislation, issuing invoices after sales to customers, fulfilling tax and other legal obligations (identity, contact, customer transaction, legal transaction information).

Legal ground: expressly provided by law, performance of a contract, necessity for establishment/exercise/protection of a right.

 

ii. Conducting finance and accounting transactions within retail sales and suspicious transaction control (identity, contact, customer transaction, financial information).

Legal ground: legitimate interest.

 

iii. Conducting loyalty processes, providing various benefits and loyalty cards to customers within a loyalty program and providing related information (identity, contact, location, customer transaction, transaction security information, marketing information, hobby information, cosmetic product usage information, device MAC address, network information, device information).

Legal ground: explicit consent.

 

iv. Planning and executing customized marketing activities by analyzing past shopping habits and trends (identity, contact, location, customer transaction, professional experience, marketing, cosmetic product usage information, customer hobbies, device MAC address, network information, device information).

Legal ground: explicit consent.

 

v. Sending electronic commercial messages within advertising/campaign/promotion and marketing and communication activities (e.g., campaigns, advertisements, promotions, gift codes, single-use personalized codes, compensation codes, customized ads) via phone, SMS, MMS, e-mail (printed) or other means (identity, contact, location, customer transaction information, transaction security, professional experience, marketing, cosmetic product usage information, social media account information, device MAC address, network information, device information).

Legal ground: explicit consent.

 

vi. Product marketing activities (identity, contact, marketing, social media account information, customer transaction, cosmetic product usage information, transaction security, location, device MAC address, network information, device information).

Legal ground: explicit consent.

 

vii. Ensuring physical space security and occupational health and safety, ensuring store security (physical space security information, visual and audio recordings).

Legal ground: compliance with legal obligations, necessity for establishment/exercise/protection of a right.

 

viii. Managing company loyalty processes by enabling customer memberships via the website and sending a welcome e-mail based on such memberships (identity, contact, transaction security information, visual and audio recordings).

Legal ground: explicit consent.

 

ix. Managing the procurement and sale of goods and services, enabling customers to reserve products online for in-store pickup and completing sales transactions for purchased products (identity, contact, customer transaction, financial, transaction security information).

Legal ground: conclusion and performance of a contract.

 

x. Sending Company e-newsletters for marketing processes (identity, contact, marketing, customer transaction information).

Legal ground: explicit consent.

 

xi. Conducting website re-engagement activities for members who have not purchased products online (identity, contact, marketing, customer transaction, location information, device MAC address, network information, device information).

Legal ground: explicit consent.

 

xii. Within company loyalty processes, ensuring continuity of customer relationships by providing gift cards and discount coupons (identity, contact, marketing, location, customer transaction information, device MAC address, network information, device information).

Legal ground: explicit consent.

 

xiii. Directing customers via QR codes placed in-store or on customer cards to relevant websites for services/products they wish to benefit from or purchase (transaction security, device information).

Legal ground: performance of a contract, legitimate interest.

 

xiv. Conducting customer satisfaction activities, responding to questions about product use and care appointments, conducting online product trials, and fulfilling online consultancy requests (identity, contact, customer transaction, transaction security, cosmetic product usage information, professional experience, social media account information, visual and audio recordings).

Legal ground: explicit consent, performance of a contract, legitimate interest.

 

xv. Managing after-sales support services, including processes related to unsatisfactory and returned products (identity, contact, customer transaction, transaction security, cosmetic product usage information, finance, social media account information).

Legal ground: performance of a contract, compliance with legal obligations, establishment/exercise/protection of a right, data made public by the data subject.

 

xvi. Conducting hair and scalp consultations using a hair camera and prescribing products within marketing processes (identity, contact, cosmetic product usage).

Legal ground: explicit consent.

 

xvii. Managing advertising processes by sending products (identity, contact, social media account information).

Legal ground: explicit consent.

 

xviii. Sending products to participants who win competitions conducted via social media platforms within advertising processes (identity, contact, social media account information).

Legal ground: explicit consent.

 

xix. Managing customer relationship processes and tracking customer requests/complaints (identity, contact, marketing, cosmetic product usage information, transaction security, finance, professional experience, customer transaction and social media account information, customer hobbies information).

Legal ground: performance of a contract, compliance with legal obligations, establishment/exercise/protection of a right, data made public by the data subject.

 

xx. Managing legal affairs for complaint processes pursued before legal platforms (identity, contact, customer transaction, legal transaction, cosmetic product usage information, professional experience information).

Legal ground: performance of a contract, establishment/exercise/protection of a right, data made public by the data subject, legitimate interest.

 

xxi. Managing marketing and loyalty processes and, in this context, creating customer cards during store visits to ensure customer tracking and loyalty, and inviting customers to care days to be held at various sales points (belonging to the Company or third parties contracted by the Company) within the scope of organization and event management (identity, contact, professional experience, marketing, customer transaction and social media account information, cosmetic product usage information, customer hobbies, wedding anniversary, skin type/condition).

Legal ground: explicit consent.

 

xxii. Conducting communication activities with customers through Company specialists (identity, contact, marketing information, professional experience, customer transaction, social media account information, cosmetic product usage information, customer hobbies).

Legal ground: explicit consent.

 

xxiii. Carrying out customer segmentation based on purchased products within marketing activities, conducting marketing analysis studies and other customer relationship analyses (identity, contact, marketing, customer transaction, professional experience, social media account information, customer hobbies, cosmetic product usage information).

Legal ground: explicit consent.

 

xxiv. Fulfilling legal obligations and requests of competent administrative authorities by providing information to authorized persons, institutions and organizations (identity, contact, physical space security information, location, customer transaction, finance, transaction security, visual and audio recordings, legal transaction information, device MAC address, network information, device information).

Legal ground: compliance with legal obligations.

 

xxv. Protecting the rights of the Company and its employees and defending such rights before competent authorities and courts (identity, contact, cosmetic product usage information, physical space security information).

Legal ground: necessity for the establishment, exercise or protection of a right.

 

xxvi. Providing internet access to customers in stores (identity, contact, location, transaction security, cosmetic product usage information, device MAC address, network information, device information).

Legal ground: explicit consent, compliance with legal obligations.

 

xxvii. Ensuring cybersecurity in online channels and preventing unlawful access on the internet (identity, location, transaction security, device MAC information, network information, device information).

Legal ground: compliance with legal obligations, necessity for the establishment/exercise/protection of a right, legitimate interest.

 

In addition, for the purpose of completing payment transactions, your credit card and bank card information are processed (under security measures) by our licensed business partners.

 

5. TRANSFER OF PERSONAL DATA: RECIPIENTS AND PURPOSES

 

Based on your explicit consent or in other cases legally permitted (within the purposes and legal grounds set out in Section 4), the Company may transfer your Personal Data within Turkey or abroad to group companies with which the Company cooperates and/or from which it receives services; consultancy and support firms providing services in areas such as security, software, law, logistics and tax; other third parties supporting the Company’s activities for the above-mentioned purposes (including firms providing SMS and e-mail delivery, e-invoice and e-archive services, CRM (Customer Relationship Management), advertising and public relations, cloud computing, backup and software support); and, for the resolution of legal disputes and fulfillment of statutory obligations, to competent authorities and, upon request, to judicial bodies or relevant law enforcement agencies; and/or may grant access to such parties.

 

6. RIGHTS OF THE DATA SUBJECT UNDER ARTICLE 11 OF THE LPPD

 

As a data subject, you may, at any time, request the following from the Company, acting as Data Controller, pursuant to Article 11 of the LPPD. Your rights are:

 

i. To learn whether your Personal Data are being processed,

ii. If processed, to request information regarding such processing,

iii. To learn the purpose of processing and whether your data are used in accordance with that purpose,

iv. To know the third parties to whom Personal Data are transferred, domestically or abroad,

v. To request rectification if Personal Data are processed incompletely or inaccurately and to request that third parties to whom data have been transferred be informed of such rectification,

vi. Even if processed in compliance with the LPPD and other relevant legislation, to request deletion, destruction or anonymization of Personal Data within 30 (thirty) days if the reasons requiring processing no longer exist, and to request that third parties to whom data have been transferred be informed of such actions,

vii. To object to any result to your detriment arising from analysis of data exclusively by automated systems,

viii. To request compensation for damages in case of loss due to unlawful processing of Personal Data.

 

The above requests shall be submitted to the Company, as Data Controller, in writing or by other methods to be determined by the Personal Data Protection Board (“Board”).

 

In this context, you may submit your request regarding the above rights to the e-mail address provided below (which may change from time to time) via your registered e-mail (KEP) address, by secure electronic signature or mobile signature, or by using the e-mail address previously notified to the Company and registered in the Company’s system (attaching documents that verify your identity). Alternatively, you may deliver a petition bearing your wet signature together with identity documents to our postal address below (which may change from time to time) in person or send it via a notary public.

 

In your application to exercise your rights, which should include explanations regarding the right(s) you wish to exercise, the matter requested must be clear and understandable; the request must concern you, or if you are acting on behalf of someone else, you must be specifically authorized in this regard and provide documentation of such authority; and the application must include your identity and address information.

 

The Company will finalize the requests included in the application as soon as possible and within thirty days at the latest, free of charge (if there is no cost). However, if the process requires an additional cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board. If the response to the application exceeds 10 (ten) pages, an administrative fee of 1.00 TRY per page will be charged. If the response is requested to be provided on a recording medium such as CD or flash drive, a fee will be charged based on the cost of the requested medium.

 

Data Controller: Hansel Kozmetik Turizm Tekstil Ticaret Limited Şirketi

Postal address: Andifli Mah. Hastane Cad. No:4/B Kaş Antalya

E-mail address: [email protected]

 
