Data Policy

1.PURPOSE

As NBI Giyim A.Ş., our top priority is to process the data of real persons, including our members, customers, visitors, suppliers and employees, in accordance with the relevant legislation, in particular the Constitution of the Republic of Turkey, the international conventions on human rights to which our country is a party, and the Law on the Protection of Personal Data No. 6698 (“KVKK”), and to ensure that the persons whose data are processed can exercise their rights effectively.
Accordingly, we process, record and transfer all personal data we obtain during our activities, including but not limited to the data of our employees, suppliers, customers, visitors, members, stores, and users who visit our website and mobile applications, according to the NBI Giyim A.Ş. Personal Data Protection and Processing Policy (“Policy”).
Protecting personal data and ensuring the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy regarding the processing of personal data. For this reason, we carry out all of our activities in which personal data are processed, by protecting the privacy of private life, confidentiality of personal information, confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.
In order to protect personal data, we implement all administrative and technical protection measures required by the nature of the data in accordance with the legislation and up-to-date technology.
This Policy explains the methods we use to process, store, transmit, delete or anonymize personal data during our commercial, promotion-marketing or social responsibility and similar activities within the framework of the principles mentioned in the LPPD (Law on the Protection of Personal Data).

2.SCOPE

All personal data processed by the Company, including our visitors, business contacts, business partners, employees, suppliers, members, third parties are within the scope of this Policy.
Our Policy is implemented in the activities related to the processing of all personal data owned or managed by the Company, and has been prepared in consideration of the LPPD (Law on the Protection of Personal Data), other relevant legislation regarding personal data, and international standards in this field.

3.DEFINITION AND ABBREVIATION

In this section; special terms and phrases, concepts, abbreviations etc. in the policy are briefly explained.

New Balance: NBI Giyim A.Ş.

Explicit Consent: Consent relating to a specific subject, based on knowledge and free will, in a clear manner that leaves no room for doubt, given limited only to that transaction.

Anonymization: Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data.

Employee: Company Personnel.

Personal Data Owner (Relevant Person): The natural person whose personal data is processed.

Personal Data: All kinds of information relating to an identified or identifiable natural person.

Sensitive Personal Data: People's race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, health information, fingerprints, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and data on security measures with biometric and genetic data.

Processing of Personal Data: Any kind of operation performed on personal data, such as obtaining, recording, modification, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

PDP Board: Personal Data Protection Board.

PDP Authority: Personal Data Protection Authority.

LPPD: Law on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.

New Balance Card (New Balance Membership System): Company and Company digital platforms membership system

4.ROLE AND LIABILITY

4.1.Board of Manager
Board of Manager is responsible for the oversight of the determination and operation of notification, inspection and sanction mechanisms in case of non-compliance with the Policy, rules and regulations.
The Policy of Protection and Processing of Personal Data has been approved by the Administrative Board.
It is the authorized approval mechanism to ensure that the policy is created, implemented and updated when necessary.  
4.2.Control Unit
The Control Unit is responsible for taking the necessary measures for the compliance of the foreign service companies with the employees who are assigned to the Policy, and for examining issues contrary to the Policy.

4.3 Information Systems Commission

The Information Systems Commission is responsible for the preparation, development, execution and updating of this Policy. It evaluates this Policy in terms of timeliness and development needs when necessary. Publishing the prepared document on the corporate portal is the responsibility of the Information Systems Commission Manager.

5.LEGAL OBLIGATIONS

Legal obligations within the scope of protection and processing of personal data as a data controller pursuant to LPPD are listed below:

5.1.Obligation to Inform

While collecting personal data as a data controller, we have an obligation to inform the Related Person about the issues mentioned below:

  • For what purposes your personal data will be processed
  • Our identity, information about the identity of our representative, if any
  • To whom and for what purpose your processed personal data can be transferred
  • Our data collection method and legal reason
  • Rights arising from the law.

As a company, we take care to ensure that this Policy, which is open to the public, is clear, comprehensible and easily accessible.

5.2. Our obligation to ensure data security

As the data controller, we take the administrative and technical measures stipulated in the legislation to ensure the security of the personal data in our responsibility. Obligations and measures regarding data security are detailed in the 9th and 10th sections of this Policy.

6.CLASSIFICATION OF PERSONAL DATA

6.1. Personal Data

Personal data; denotes all kinds of information related to an identified or identifiable natural person. The protection of personal data is related to only natural persons, and does not cover information belonging to legal entities that does not contain information about the natural person. For this reason, this Policy does not apply to data belonging to legal entities.

6.2. Sensitive personal data

The race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, dresses, association or trade union membership, health, sexual life, criminal convictions and security measures of persons related data and biometric and genetic data are sensitive personal data.

7.PROCESSING OF PERSONAL DATA

7.1. Our personal data processing principles

We process personal data in accordance with the principles below.

7.1.1.Processing in accordance with the law and principle of good faith

We process personal data in accordance with the principles of good faith, transparently and within the framework of our obligation to inform.

7.1.2.Ensuring that personal data is accurate and up-to-date when necessary

We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also allow the Personal Data Owner to apply to us to update their existing data and, if any, to correct any errors in their processed data.

7.1.3.Processing for specific, explicit and legitimate purposes

As a company, we process personal data within the scope of our legitimate purposes, the scope and content of which are clearly defined, in order to continue our activities within the framework of the legislation and the ordinary course of commercial life.

7.1.4. The fact that personal data are related, limited and proportionate to the purpose for which they are processed.

We process personal data in a limited and proportionate manner, in connection with the purpose we have clearly and certainly determined. We avoid the processing of personal data that are not relevant or do not need to be

7.1.5.Recording of personal data for the duration required by our legitimate commercial interests and stipulated by legal regulations

Many regulations in the legislation require the recording of personal data for a certain period of time. For this reason, we keep the personal data that we process, for the period stipulated in the relevant legislation or required for the purposes of processing personal data. We delete, destroy or anonymize personal data in case the retention period stipulated in the legislation expires or the purpose of processing disappears. Our principles and procedures regarding retention periods are detailed in Article 9.1. of this Policy.

We process personal data for the purposes listed below:

  • To carry out our Commercial Activities
  • To provide support services within the scope of the contract and within the framework of service standards
  • To determine the preferences and needs of our members / visitors and to shape and update the services we provide in this context
  • To ensure that our legal obligations are fulfilled as required or mandated by legal regulations
  • Evaluating job applications
  • To provide contact with people who are in a business relationship with the company
  • Marketing
  • To support the training, development and career processes of our employees
  • Compliance management
  • Vendor/supplier management
  • To make legal reporting
  • Invoicing
  • To carry out the New Balance Membership System
  • To provide communication between New Balance employee candidates and employers
  • Managing call center processes
  • To provide corporate communication
  • Individualizing New Balance Card favorite campaigns and making campaign and promotion suggestions according to interests
  • To provide communication between the company and the shipping or technical service after the purchase of the product specific to New Balance
  • To send newsletters by SMS or electronic mail, to carry out marketing activities or to receive notifications

7.3. Processing of sensitive personal data

Sensitive personal data are processed by us by taking the administrative and technical measures stipulated by the laws and PDP Board, and if there is explicit consent or in cases where the legislation requires it.
Sensitive personal data related to health and sexual life are not processed by us, except for our employees' data, since such data can be processed by persons or authorized institutions and organizations under the obligation of keeping confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, operating treatment and care services, planning and management of health services and finance.

7.4.Processing of personal data collected through cookies

We use cookies to improve the functioning and usage of our websites or mobile applications, and try to make the time you spend on our digital platforms more productive and enjoyable. In addition, we use some cookies to remember the preferences you have made on our websites and mobile applications, so that we can provide you with an improved and personalized experience.
We can collect your personal data through cookies on our digital platforms, and process, transfer and store the data we collect.
You can find detailed information about the cookies that we use in the “New Balance Privacy Policy”.

7.5.Processing of personal data for recruitment and employment purposes

We process, store and transfer your personal data contained in your CV, diploma, photograph, and other documents that you share with us during the application process as an employee candidate for the purpose of evaluating a job application. The processing, transfer and recording of personal data that you share as an employee candidate are within the scope of this Policy. Personal data of the Employee is collected, processed and recorded within the framework of NBI Human Resources, in addition to this Policy.

7.6.Processing of personal data collected within the scope of various memberships provided through the New Balance Card system

To become a member of the digital platform through the New Balance Card system, visitors create a membership in the system by sharing their information mentioned below:

  • Name surname
  • Email address
  • Phone number
  • Date of Birth - TR ID

Deletion, destruction or anonymization of personal data as part of this platform is within the scope of Article 9 of this Policy.

7.7.Processing of personal data collected within the scope of Job Application

Application forms, CVs and personal data obtained through applications to intermediary institutions will be recorded to be used for the evaluation of the job application.
It is recommended that they review the personal data processing and privacy policies.
Applicants create a CV by sharing their information mentioned below with the Application Form:

  • Identity information (name, surname, date of birth, TR ID number)
  • Contact information (address, e-mail address, phone number, etc.)
  • Educational information (graduated schools, etc.)
  • Work experiences
  • Foreign language
  • Computer skills
  • Certificate
  • Reference
  • Photograph
  • Health data
  • General information such as driver's license/travelability etc.

The above information is requested from the candidate who creates a CV according to the nature of the application made, in order to evaluate whether she/he is qualified for the job in question. According to the nature of the application made, the employer may request additional photograph and health data from the member who creates the CV in order to evaluate whether she/he is qualified for the job in question. The requested health information is processed only for employment purposes within the scope of the relevant legislation.
The information shared by the applicants within the scope of the CV can be viewed by the employer companies. They store the identity, education and profession information of the APPLICANT and can transfer these data to solution partners, public institutions and organizations upon request within the scope of legislation. 
Deletion, destruction or anonymization of personal data as part of this platform is within the scope of Article 9 of this Policy. In case of a negative result of the job application process, the processing of the personal data shared with the employer and the data security are the responsibility of the employer.


7.8. Processing of personal data collected within the scope of Purchase Transactions

When a purchase is made, the financial information of the CUSTOMER is transferred to persons and institutions such as bank or credit card companies in order to carry out the transaction. Transferred data are data related to payment purposes, such as;

  • Credit Card Number
  • Expiration date
  • CVV2

or bank account information.
During the purchase, data such as invoice and payment information of the customer (name, surname, TR ID, phone number, billing address), sent invoices and receipt samples of payments received from members, payment number, invoice amount, invoice number, and invoice date are obtained. These data are processed within the scope of managing the invoicing process, accounting, after-sales services, communication, marketing, auditing, control, and payment service providers. When the purchase is made, the financial information of the customer is transferred to persons such as banks or credit card companies to execute the transaction. Credit card information is not kept in New Balance databases.

During shopping, video recording is made in stores for security purposes and to view cashier transactions. In distance sales made by phone, voice recordings are taken in order to make safe sales.
The above-mentioned data is transferred in accordance with article 8 of this Policy and shared with third parties.
Deletion, destruction or anonymization of personal data as part of this platform is within the scope of Article 9 of this Policy.

7.9. Exceptional cases where explicit consent is not sought in the processing of personal data

In exceptional cases listed below and arising from the law, we may process personal data without express consent:

  • It is clearly stipulated in the law
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
  • Data processing is obligatory for the establishment, exercise or protection of a right
  • It is obligatory for us to process your data for our legitimate interests as data controller, provided that it does not harm fundamental rights and freedoms.

Exceptional cases in which sensitive personal data can be processed without the explicit consent of the Relevant Person are specified in Article 7.3 of this Policy.

8.TRANSFERRING OF PERSONAL DATA

8.1. Transferring of personal data into the Domestic Country

As a company, we act in line with the decisions and regulations stipulated in the LPPD and taken by the PDP Board regarding the transfer of personal data.
Without prejudice to the exceptional circumstances set out in the legislation, personal data and sensitive personal data are not transferred to other real persons or legal entities without the explicit consent of the Relevant Person.
In exceptional cases stipulated by the LPPD and other legislation, the data may be transferred to an authorized administrative or judicial institution or organization in the manner stipulated in the legislation and within the limits, without the explicit consent of the Relevant Person.
In addition, with the exceptional cases stipulated by the legislation;

  • In cases described in the Policy
  • Regarding the special categories of personal data, in the cases listed in the Policy
  • The personal data related to the health of the Relevant Person and the sensitive personal data can be transferred to persons or authorized institutions and organizations under the obligation of keeping secrets for the purpose of management, without seeking explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by taking the measures stipulated by the KVK Board and the relevant legislation in the cases listed in the Policy regarding special quality personal data.

8.2. Transferring of personal data to abroad

As a rule, personal data is not transferred abroad without the explicit consent of the Relevant Person. However, in cases where one of the exceptional cases of this Policy exists, personal data may be transferred to third parties abroad without explicit consent only:

  • To the countries where there is sufficient protection declared by the PDP Board
  • To countries where there is no adequate protection, provided that the data controllers in Turkey and in the foreign country in question undertake in writing to provide adequate protection and have the permission of the PDP Board

8.2.1. Transferring of personal data to abroad for the purposes of providing our services and marketing activities

We work with service providers located abroad, for purposes such as developing the website and digital platforms, conducting surveys, increasing the variety of products and services according to the preferences of visitors and members, and measuring user experience. It is recommended to examine the relevant policies of the service providers with whom it cooperates regarding the processing and protection of personal data.

8.3. Institutions and organizations to which personal data is transferred

Personal data can be transferred to;

  • Our suppliers
  • Our business partners and business contacts
  • Technical services
  • Transport companies
  • Courier companies
  • Legally authorized public institutions and organizations
  • Legally authorized private legal persons
  • Our partners according to the principles and rules described above
  • Independent audit firms

8.4.Measures we take regarding the legal transfer of personal data

8.4.1. Technical measures

To protect personal data, but not limited to those listed; we

  • make in-house technical organization for the processing and retention of personal data in accordance with the legislation
  • create the technical infrastructure to ensure the security of the databases where your personal data will be stored
  • follow and control the processes of the technical infrastructure created
  • determine the procedures for reporting the technical measures and audit processes we take
  • periodically update and renew technical measures
  • re-examine risky situations and ensure that necessary technological solutions are produced
  • use virus protection systems, firewalls and similar software or hardware security products and establish security systems in line with technological developments
  • employ employees who are experts in technical issues.

8.4.2.Administrative measures

To protect your personal data, but not limited to those listed; we

  • establish policies and procedures for accessing personal data, including company and subsidiary employees within our company
  • inform and train our employees on the legal protection and processing of personal data
  • record the measures to be taken in case of unlawful processing of personal data by our employees in the contracts we make with our employees and/or the Policies we create
  • audit the processing of personal data of the data processors we work with or the partners of the data processors

9.RECORDING OF PERSONAL DATA

9.1. Safe keeping personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

We keep personal data for as long as required by the purpose of processing personal data, subject to the retention periods stipulated in the legislation. In cases where we process personal data for more than one purpose, the data is deleted, destroyed or stored anonymously if the processing purposes of the data disappear or there is no legal obstacle in the legislation to the deletion of the data upon the request of the Relevant Person. In matters of destruction, deletion or anonymization, the provisions of the legislation and the decisions of the PDP Board are complied with.

  • create technical infrastructures and control mechanisms related to the deletion, destruction and anonymization of personal data
  • take necessary measures to keep personal data safe, employ employees who have technical expertise
  • employ employees with technical expertise
  • create business continuity and emergency plans against possible risks and develop systems for their implementation
  • install security systems in accordance with technological developments regarding the storage areas of personal data.

9.2.2. Administrative measures

We raise awareness by informing our employees about the technical and administrative risks related to the storage of personal data.

In case of cooperation with third parties for the storage of personal data, we include, in the agreements concluded with the companies to which personal data is transferred, provisions on the taking of the necessary security measures for the protection and safe storage of the transferred personal data by the persons to whom personal data is transferred.

10.SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data

We take administrative and technical measures according to technological possibilities and implementation costs in order to

  • prevent illegal processing,
  • prevent illegal access,
  • ensure that they are stored in accordance with the law

10.2.Measures we take in order to prevent unlawful processing of personal data

We comply with the standards mentioned below:

  • To carry out, or have carried out, the necessary inspections within our company,
  • To train and inform our employees about the legal processing of personal data
  • To evaluate the activities carried out by our company in detail for all business units, and as a result of the said evaluation, to process personal data for the commercial activities carried out by the relevant units,
  • To ensure that, in cases where cooperation is made with third parties for the processing of personal data, the contracts concluded with the companies that process personal data include provisions on the taking of necessary security measures by the persons who process personal data;
  • In case of unlawful disclosure of personal data or data leakage, we notify the PDP Board about the situation, carry out the investigations stipulated by the legislation and take the measures in this regard.

10.2.1.Technical and administrative measures taken to prevent unlawful access to personal data

  • employ employees with technical expertise,
  • periodically update and renew the technical measures
  • establish access authorization procedures within our company,
  • determine the procedures for reporting the technical measures and audit processes we have taken,
  • establish the data recording systems used in our company in accordance with the legislation and conduct periodic audits,
  • create emergency aid plans against the risks that may occur and develop systems for their implementation,
  • educate and inform our employees about accessing and authorizing personal data
  • ensure that, in cases where cooperation with third parties is made for activities such as processing and retention of personal data, the contracts concluded with companies that provide access to personal data include provisions on the taking of the necessary security measures by the persons accessing personal data,
  • establish security systems within the scope of technological developments in order to prevent unlawful access to personal data

10.2.2.Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. We create systems and infrastructures to notify the Related Person and the PDP Board if we determine that personal data has been disclosed without authorization.
In case of an unlawful disclosure occurring despite all the administrative and technical measures taken, this situation may be announced on the website of the PDP Board or by another method, if deemed necessary by the PDP Board.

11.RIGHTS OF PERSONAL DATA OWNER

We inform the Personal Data Owner within the scope of our disclosure obligation and we establish systems and infrastructures related to this information. We are making the technical and administrative arrangements necessary for the Personal Data Owner to exercise their rights regarding their personal data.

The Personal Data Owner has the rights of:

  • Learning whether personal data is processed
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used in accordance with the purpose
  • Knowing the third parties to whom personal data is transferred domestically or abroad
  • Requesting correction of personal data if it is incomplete or incorrectly processed
  • Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear
  • Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred
  • Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems
  • Requesting the compensation of the damage in case of damage caused due to unlawful processing of personal data

11.1.Exercise of the rights regarding personal data

Personal Data Owner may submit their request regarding personal data to

  • "Maslak Neighborhood, Maslak Meydan St., Beybi Giz Plaza, 1 55 Sarıyer / İstanbul" in writing and with wet signature,
  • nbigiyim@hs01.kep.tr, which is a registered e-mail address,
  • "iletisim@newbalance.com.tr", by e-mail, if your e-mail address is registered in the system.

The following must be present in the application:
a) Name, surname and signature if the application is written,
b) For citizens of the Republic of Turkey, T.R. identification number; for foreigners, nationality, passport number or identification number if any,
c) Domicile or workplace address for notification,
ç) If available, the e-mail address, telephone and fax number for notification,
d) Subject of the request.

(3) Information and documents related to the subject are attached to the application.
(4) In written applications, the date of notification is the application date. 
(5) In applications made by other methods; The date on which the application reaches us is the application date.

These requests will be made individually and the requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.2.Evaluation of the application

11.2.1.Application response period

Requests regarding personal data are concluded as soon as possible and in any case within 30 (thirty) days at the latest, free of charge, or in case of occurrence of conditions in the tariff to be published by the PDP Board regarding the fee, in accordance with the fee in the tariff. Additional information and documents may be requested during the application or while the application is being evaluated.


11.2.Our right to refuse the application


Applications regarding personal data will be rejected with justification in the following cases:

  • In case of processing personal data for purposes such as research, marketing, planning and statistics by anonymizing with official statistics
  • In case of processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime
  • In case of processing of personal data made public by the Personal Data Owner
  • In the event that the application is not based on a justifiable reason,
  • In the event that the application contains a request contrary to the relevant legislation
  • In case of the failure to comply with the application procedure

In such cases, it is rejected with justification.

 

11.3.Evaluation procedure of the application

In order for the response period specified in this Policy to begin, you must send your requests using the methods in Article 11.1, together with information and documents confirming the applicant's identity. If the request is accepted, the relevant action is applied and a notification is made in written or electronic form. In case of rejection of the request, the applicant is notified in writing or electronically with an explanation of the reason.

11.4. Right to complain to the Personal Data Protection Board

In cases where the application is rejected, the answer we give is found insufficient or the answer is not given on time, the applicant has the right to complain to the PDP Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.

12.PUBLISHING AND SAFE KEEPING OF THE DOCUMENT

This Policy is kept in two different media, printed paper and electronic media.

13.UPDATE PERIOD

This Policy is reviewed at least once every two years and updated in accordance with the principles if required.

14.ENFORCEMENT

This Policy is considered to have entered into force after its publication on the Company's website.

15.ABOLITION

In case abolition is decided, the old copies of this Policy with wet signature are cancelled by the Legal Unit with the written approval of the Department Manager (by the cancellation stamp or writing the cancellation) and are kept by the Legal Unit for a period of 5 years.