In accordance with the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation, everyone is entitled to demand the protection of personal data concerning them. This right includes being informed about, accessing, and requesting correction or deletion of personal data about a person, and learning whether they are used for their purposes.
We would like to inform you in detail about the protection of your personal data in accordance with the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation, the manner in which your personal data is received, the purposes for which it is processed, the legal reasons and our mutual rights and obligations.
This Policy aims to protect Clients, Employee Candidates, Real Person Subcontractors, Legal Person Subcontractor’s Employees, Employees, Workplace Doctor, Visitors, Employees, Shareholders and Authorities of the Companies that we cooperate with, and third parties. The Company’s employees are managed under the Policy on Protection of Personal Data, which is written in line with the principles in this Policy on the protection of personal data of our employees.
If there is a conflict between the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation and other relevant legislation, and the Company’s Policy on Protection of Personal Data, the legislation and the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation in force shall be applied.
Bluemint London LTD (“Company”) prepared this Policy on Protection of Personal Data in order to protect the fundamental rights and freedoms of individuals, especially the privacy of individuals in the processing of personal data.
The Policy is intended to continue and develop the activities carried out by the Company in accordance with the principles of the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation and to inform the owners of personal data.
Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:
Real persons who make their CV and related information accessible to the Company by applying for a job or by any means
People who have a business relationship with the Company
Former employees whose business relationship with the company has ended
Real Person Subcontractors
Partnership companies or real persons from whom we receive contract manufacturing services
Employees of the Companies that we cooperate with
Employees of real persons or legal persons with whom we cooperate other than contract manufacturing
Workplace doctor working with the Company
People who shop on the Company’s website or in store
Legal Person Subcontractor’s Employees
Employees of the legal person from whom we receive contract manufacturing services
Executives in senior management of the Company
Persons whose personal data is processed under this Policy although they are not defined in the Policy, including but not limited to guarantors and family members
Natural person who has entered the Company’s physical facilities for various purposes or who has visited websites
Freely given specific and informed consent
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data
Personal Health Data
Health data related to identified or identifiable natural person
Any information about identified or identifiable natural person
Processing of Personal Data
Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
The Turkish Board of Protection of Personal Data or a supervisory authority in a third country
The Authority of Protection of Personal Data
Data relating to race, ethnic origin, political beliefs, philosophical beliefs, religion, denomination or other faiths, clothing and attire, membership of an association, charity or union, health, sexual life, criminal convictions and security measures and biometric and genetic data
Special Categories of Personal Data
This is the real or legal entity that processes the personal data, with the authority bestowed by the data controller, and in the name of the data controller
Natural person whose personal data are processed and determined as “Related Person” in the Law on the Protection of Personal Data
The application form used by data subjects at the Company when exercising their right to make requests concerning the rights within the scope of Article 11
Application Form of Data Subject
Natural person or a legal entity who determines the purposes and means of processing of personal data and is responsible for establishment and management of data recording system
The Registry of data controllers kept by the Presidency of the Board of Protection of Personal Data
Data Controllers’ Registry
The inventory for which the data controller must thoroughly review its activities, determine where it uses personal data in any way, and list the following for each personal data process: the purpose of the processing activity, the category of personal data, the recipient group, the data subject group, the maximum retention period, whether or not the personal data is to be transferred abroad, and the precautions taken for data security
Regulation (EU) 2016/679 of The European Parliament and of The Council Of 27 April 2016 on The Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC
Pursuant to the article 4/2 of the GDPR, the processing of personal data contains any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Personal data may only be processed in compliance with the principles as follows:
Our Company conducts its personal data processing activities in accordance with rules of bona fides and law within the scope of GDPR.
Our Company carries out all kinds of administrative and technical measures to ensure that personal data are accurate and up to date during processing.
Before starting the processing of personal data, our Company determines its legitimate purpose for processing personal data precisely and explicitly within the framework of informative document.
Personal data are processed by our Company as necessary to achieve the specified purposes. Data are not processed on the assumption that they may be used later.
Our Company retains personal data for a limited period of time as required by the GDPR and related legislation or for purposes related to data processing.
Our company ensures appropriate security of personal data that it processes.
Personal data and Special Categories of Personal Data can be processed and transmitted with explicit consent of data subject or without any explicit consent in the conditions specified in Articles 6 and 7 and 9 of the GDPR.
As a rule, our Company processes your personal data based on your explicit consent. However, we conduct personal data processing without seeking your explicit consent in accordance with the data processing conditions specified in Article 6 of the GDPR:
Our Company conducts the processing of personal data which is considered to be of a special nature, and which carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 9 of the GDPR. It is forbidden to process Special Categories of Personal Data without the express consent of the data owner. However, Special Categories of Personal Data may be processed even without the explicit consent of the data owner in the following cases:
Personal health data can be processed (i) when the necessary permissions are taken by the Health Ministry, (ii) in compliance with general provisions, and (iii) under a confidentiality obligation, if one of the following conditions is present:
-The explicit consent of the data subject
-Taking necessary precautions for the purpose of occupational and obey the obligations arising from the legislation,
-Public Health Protection
-Medical diagnosis, treatment and care services
-Planning and management of health care and financing
With this scope of data will be possible in case of the existing of data owner’s explicit consent and situations foreseen in law.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be allowed if one of the following applies:
Pursuant to Article 32 of the GDPR, our Company takes all necessary technical and administrative precautions to prevent the illegal processing of and illegal access to personal data, and to ensure that personal data is protected at the proper level.
7.1. Technical precautions taken to ensure the legal processing of personal data and to prevent illegal access
The Company has taken all sorts of technical and technological security precautions in order to protect your personal data and has protected your personal data against all possible risks.
Technical precautions are taken in accordance with developments in technology, and the precautions are periodically updated and renewed. Software and hardware that include virus protection systems and firewalls are in place. Employees have been informed that they may not disclose the personal data they have learned contrary to the provisions of the Law, that they may not use it for any purpose other than the processing purposes, and that this obligation continues even after they leave their job; the necessary commitments have been obtained from employees to this effect, and policies, in particular in the workplace, have been issued to the employees. In order to store personal data in secure media, systems in line with technological developments are used.
Administrative Precautions Taken To Ensure the Legal Processing Of Personal Data and To Prevent Unlawful Access
- Training and raising the awareness of the Company’s employees regarding the GDPR,
- Where personal data is transferred, ensuring that the agreements concluded with the person to whom the personal data is transferred include provisions that the party receiving the data will ensure data security,
- Determining the requirements to be fulfilled in order to comply with the GDPR and preparing domestic policies for their executions,
- Using software and hardware that includes virus protection systems and firewalls to prevent unauthorized access.
7.2. Preventions to Be Taken In Case Of Illegal Disclosure of Personal Data
If the processed personal data is obtained by another person by illegal means despite the necessary security precautions, our Company will notify the data owner and the Board within 72 hours from the date of the announcement, using the contact information held by the Company.
8.1. Purposes of the Processing Personal Data
Personal data held by our Company are processed for the following purposes: planning and execution of commercial activities, informing the authorized institutions and organizations originating from the law, getting technological services in areas which are not directly provided by us and not in our field of expertise, reaching financial agreement with our business partners and/or third parties regarding our products and services, execution/pursuit of financial reporting and risk management transactions, planning and execution of the necessary audit activities to ensure the conduct of the activities in accordance with the relevant procedures and the Company's procedures, the execution of the corporate sustainability activities, the execution of activities for the protection of the reputation of our company, complaint management, planning and execution of corporate governance and communication activities, delivery of invoices, invoicing, sending commercial electronic messages in case of your consent, organizing campaigns within the scope of the loyalty card program and signing scores, resolving complaints about products, personalizing our advertising and marketing communications and making them more relevant to you, improving, customizing and measuring the website and our services, measuring the performance of marketing campaigns we perform through e-mail, analyzing e-mail opening and click-through rates, monitoring and improving the information security of the website, and improving our website in third-party websites. Personal data are processed limited to the law and the rules of honesty and to the purpose for which they are committed, in accordance with the principles of retention for the time period required by the relevant legislation or for the purpose for which they are processed.
8.2. The Preservation Period of Personal Data
Our Company determines whether or not a period is stipulated in the relevant legislation for the preservation of personal data. If a period is foreseen in the relevant legislation, it shall comply with this period; if a period of time is not foreseen, it will retain the personal data for the time which is required for the purpose for which it was processed. If the purpose of the processing of personal data has expired and the relevant legislation and / or the retention periods set by our Company have been reached, they may be kept only for the purpose of providing evidence in the event of possible legal disputes, for claiming the right related to personal data or establishing the defense. Personal data is not stored by our Company based on the possibility of future use.
According to Article 17 of the GDPR, even where personal data are processed in accordance with the relevant legislation, if the reasons requiring processing cease to exist, personal data are deleted, destroyed or anonymized by the Company upon the request of the person or personal data owner.
The procedures and principles regarding this matter shall be fulfilled in accordance with the GDPR.
Our Company deletes, destroys or anonymizes personal data in the first periodic destruction following the date on which our obligation to delete, destroy or anonymize personal data arises.
Personal data will be deleted, destroyed or anonymized within 3 (three) months of the date on which our obligation to delete, destroy or anonymize personal data arises.
The period of time for periodic destruction is six months.
When you contact our company and request that your personal data are deleted or destroyed;
9.1 Deletion and Destruction of Personal Data Techniques
Deletion of personal data is the process of making personal data inaccessible and non-reusable for the uses concerned.
Destruction of personal data is the process of making personal data inaccessible and non-reusable by anyone.
Example: physical destruction, secure deletion from software, secure deletion by an expert, etc.
Anonymization Techniques for Personal Data
It means rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Example: camouflage, data generation, using nickname, consolidation, data hash etc.
Third Parties to Whom Personal Data Is Transferred and Transfer Objectives
The procedures and principles to be applied in the transfer of personal data are regulated in article 8 and 9 of the Personal Data Protection Law and the personal data of the personal data owner and private personal data can be transferred to third parties at home and abroad.
For the performance of its services your personal data may be limited to the law and other legislation (including the Law on the Identification of Identity No. 1774, the Law on Consumer Protection No:6502, and other regulations regarding these infrastructure providers, trainers, third parties, travel agencies, e-archives, e-waybills and e-invoices. Legal entities providing archival services, server service received from abroad for our websites, insurance companies, banks/financing companies, collection of receivables, real- estate physician, real and legal persons with whom we have a Proxy relationship may be shared with our business partners. However, in any case, personal data cannot be transferred without the explicit consent of the personal data owner with the exception of the exceptions set out in the GDPR.
9.2 Domestic Data Transfer
Pursuant to Articles 44 – 50 of the GDPR, the transfer of personal data domestically shall be possible provided that one of the conditions set out in section 6, “Conditions for the Processing of Personal Data”, of this Policy is met.
9.3 Abroad Data Transfer
In accordance with Articles 44 – 50 of the GDPR, in case personal data are transferred abroad, the conditions for domestic transfers must be met and one of the following is required:
- sufficient protection is provided in the foreign country where the data is to be transferred,
- the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.
9.4 Personal Data Transfer Groups by our Company
In accordance with Articles 44 – 50 of the GDPR, our Company may transfer the personal data of personal data holders within the scope of this Policy to the following groups of persons for the specified purposes:
Public Institutions and Organizations Legally Authorized
Public institutions and organizations authorized to obtain information and documents of our Company in accordance with the provisions of the relevant legislation
Within the scope of the legal authority of the relevant public institutions and organizations for the requested purpose
Private Person Legally Authorized
Private person authorized to obtain information and documents of our Company in accordance with the provisions of the relevant legislation
Within the scope of the legal authority of the private person for the requested purpose
In accordance with Article 13 of the GDPR, our Company should inform personal data owners during the collection of personal data. In this context, our Company fulfils its obligation to inform the following subjects:
- the identity of the controller and of his representative, if any,
- the purpose of data processing;
- to whom and for what purposes the processed data may be transferred,
- the method and legal reason of collection of personal data,
- other rights referred to in the articles 12 – 23 of the GDPR.
In accordance with the articles 12 – 23 of the GDPR, the assessment of the rights of personal data owners and the necessary information to personal data owners are carried out through the Company Personal Data Application Form as well as this Policy. Personal data holders may submit their complaints or requests regarding the processing of their personal data to us within the framework of the principles specified in the relevant form.
11.1 Right of Application
Pursuant to the articles 12 – 23 of the GDPR, anyone whose personal data has been processed can apply to our Company and make requests regarding the following matters:
11.2 Exceptions to the Right of Application
Pursuant to the article 23 of the GDPR, personal data owners will not be able to assert their rights if:
11.3. The Procedure of Response
Pursuant to Article 19 of the GDPR, our Company will finalize the application requests submitted by the personal data holder as soon as possible according to the nature of the request and within 30 (thirty) days at the latest. Pursuant to the article 19 of the GDPR, your application must be submitted to our Company in writing or by other methods to be determined by the Board.
The application of the personal data holder may be rejected in the following cases:
12.1 Camera Monitoring in the Company
In order to protect the interests of our Company and other persons and to ensure their safety, camera monitoring is carried out within our Company and our factory.
Pursuant to the regulations stipulated in the GDPR, this Policy is published on our website by the Company in relation to camera monitoring activities, and a notice indicating that monitoring is being carried out is posted at the entrances of the areas where monitoring is performed.
There is no monitoring in areas where it may result in interference with the privacy of the person. Only a limited number of Company employees and, if required, the security company employees have access to the security camera recordings. Those persons who have access to the records declare, by signing a confidentiality commitment, that they will protect the confidentiality of the data that they access.
12.2. Incoming and Outgoing Visitors of the Company
Personal data processing is carried out to monitor the entrance and exit of our guests. While the name and surname information of the persons who come to our company is obtained, the data is processed only for this purpose and the relevant personal data is recorded in the recording system in the physical environment.
12.3. Visitors of the Website
For persons who become members on the website or make purchases without membership, the following are processed: if the person creates an account on the website, name, surname, gender, date of birth and e-mail address; if the person purchases from the website, name, surname, e-mail, telephone number, address and credit card information. Cookies are loaded onto the electronic device through the browser used, and the IP number is processed in addition to the above. These data are processed for the purposes of planning and execution of commercial activities, informing the authorized institutions and organizations under the legislation, obtaining technological services in areas not directly provided by us and not in our field of expertise, obtaining financial agreement with our business partners and/or third parties regarding our products and services, execution of financial reporting and risk management transactions, planning and execution of the necessary audit activities to ensure the conduct of the activities in accordance with the procedures and the Company's procedures, planning and executing corporate sustainability activities, carrying out activities to protect the reputation of our company, managing demand and complaint processes, planning and executing corporate governance and communication activities, delivering the purchased product to you, issuing invoices, sending commercial electronic messages if you give consent, organizing campaigns and score points within the scope of the loyalty card program if you become a member of the loyalty card program, resolving complaints about products, personalizing our advertising and marketing communications and making them more relevant to you, customizing, measuring and improving our website and services, measuring the performance of our marketing campaigns via e-mail, analyzing e-mail opening and click-through rates, monitoring and improving the information security of the website, and enabling you to see advertisements about our website and services on third party websites.
12.5. Personal Data Protection Office
In order to fulfil the obligations of the GDPR, the Company makes the necessary assignments and establishes procedures accordingly for the implementation of the issues specified in this Policy. The Office for the Protection of Personal Data was established by the Company to manage this Policy and the procedures attached to this Policy under the GDPR.
The office has duties such as distribution of duties necessary to increase internal awareness, monitoring of the audits to be performed, taking the necessary actions to solve the applications of the persons concerned, and conducting relations with the Board.
This Policy may be revised by the Company if deemed necessary. In case of revision, the most up-to-date version of the Policy will be posted on the Company's website.