Privacy Policy

ÇİFTGEYİK REN EV DEKORASYON VE KOLEKSİYON ÜRÜNLERİ TEKSTİL SAN. VE TİC. A.Ş.

Personal Data Protection and Processing Policy

1.      INTRODUCTION

ÇiftGeyik Ren Ev Dekorasyon ve Koleksiyon Ürünleri Tekstil San. ve Tic. A.Ş.  (“REN” or "Company”) This Policy prepared for and other written policies within REN ; It is aimed to process and protect the personal data of our customers, potential customers, our employees, employee candidates, visitors, institution employees we cooperate with, and third parties in accordance with the law.

In this policy text, the following basic principles adopted by REN will be explained for the personal data processing processes:
 

  1. Processing personal data within the scope of consent,
  2. Processing personal data in accordance with the law and rules of honesty,
  3. Keeping personal data accurate and up-to-date when necessary,
  4. Processing personal data for specific, clear and legitimate purposes,
  5. Processing personal data in a way that is related, limited and measured with the purpose they are processed,
  6. Keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
  7. Enlightening and informing personal data owners,
  8. Creating the necessary infrastructure for personal data owners to use their rights,
  9. Taking necessary measures to protect personal data,
  10. Complying with the relevant legislation and the regulations of the Personal Data Protection Board in determining and implementing the processing purposes of personal data, in transferring them to third parties,
  11. Specially regulating the processing and protection issues of personal data of special nature


2.        SCOPE OF THE POLICY

This policy pertains to all personal data processed through automatic or non-automatic means, as part of or not part of any data recording system, concerning our customers, employees, job applicants, visitors, employees of institutions we collaborate with, and third parties, and was enacted by REN in February 2023.


2.1.    FOR REN CUSTOMERS

Personal information of REN customers is collected directly from customers through various sources such as website visits, memberships, purchases from stores, exchanges through phone or email correspondence, workplace visits, and Ren Club loyalty program. When a customer purchases goods or services from REN or enters into a commercial or legal relationship with REN, identity data (name, surname, Turkish ID number/passport number) along with contact data (email address, address, phone numbers, IP address), data related to products purchased from stores within REN's scope of activity, purchase time information, details of utilized campaigns and discounts, as well as visual and auditory data obtained through security cameras in stores and store visit records are processed by REN in accordance with Article 5/2 of the Law, for the purposes of establishing/performing contracts, fulfilling legal obligations, and legitimate interests.

Additionally, for seamless utilization of products and services offered by REN, and for the enhancement of product and service diversity based on purchased/interested products, personal habits regarding products are analyzed through automated systems by REN, provided that the fundamental rights and freedoms are not harmed, and reports, analyses, and studies are prepared and presented for the purpose of utilizing various customer services, consumer rights, and other opportunities by REN as the Data Controller with the explicit consent of the customer, and stored. In case explicit consent and approval have not been obtained previously from the customer for personal data not falling under the lawful grounds specified in Article 5/2 of the law, consent is requested due to legal obligation. In this case, the customer can provide consent digitally along with a written signature, if applicable in our stores, or through digital means. Upon evaluation of the electronic communication consent text presented to the customer's information and REN Personal Data Processing Policy, if found appropriate, by checking the relevant consent boxes and pressing the send button, after which, a unique code generated solely for the respective customer is sent to their mobile phone, and by informing the store personnel, the consent/approval process is completed. Additionally, customers can also reach out to REN through renhome.com to complete the necessary consent/approval procedures. These consents/approvals can be withdrawn or canceled by the customer at any time. For all requests and wishes regarding these matters, REN can be contacted via phone at 444 1917 or email at "veri@renhome.com".

Personal data of customers is strictly not shared beyond the framework set by the Law. Personal data obtained directly from customers through our stores, websites, and mobile applications, and through various channels in a manner compliant with the law, is shared with authorized public institutions or organizations that have the authority to request such data, domestic and foreign institutions and business partners we collaborate with, as required by our activities, while ensuring adequate and effective measures in accordance with the security and privacy principles determined by legislation.
 


2.2.     FOR REN EMPLOYEES

Subject to the provisions specified in Article 6/2 of the Law, personal data included in the personnel files of employees, regulated by Article 75 of the Labor Law No. 4857, are considered within the scope of personal data protection. This includes but is not limited to: photocopy of identification (including themselves, spouses, and children), population registry copy or identity card copy, criminal record, residence certificate, photograph, CV, diploma, military service status document, health reports (entry and other reports), blood type card, bank account number, entry and exit declarations, monthly premium and service certificates, employment certificate, family status declaration, marriage certificate copy, disability report, tax deduction letter, and educational documents. These personal data, which are part of the employment relationship, are collected, processed, and shared with necessary parties such as business partners, group companies, suppliers of goods and services, within the scope of the employment relationship as required. Additionally, sensitive personal health data of employees protected under the Law due to health services provided within REN, are collected and processed only by the relevant health department within the scope of explicit consent, in accordance with legal obligations and the conditions set forth in this policy.
Furthermore, REN has informed all employees about the implementation, continuity, and functionality of biometric identity verification systems installed for security, control, and supervision purposes within the workplace premises and extensions, where biometric data (image, fingerprint, palm and retinal scanning) of employees are collected and processed. Within this scope, cameras with sound and image recording features can monitor, record, and store the entire workplace for the duration prescribed by law. REN only uses personal data of employees for the operation of security and biometric identity verification systems and does not share them with third parties except in cases legally required.
Moreover, within both internal and external activities, REN shares visual data such as photographs, images, and video recordings of employees for purposes such as news, information, and promotion on internal channels and REN social media accounts with the consent of the employee.
Additionally, REN has established a performance management system for employees under the name "MYREN". Within this application, employees can access their performance results (such as sales volume, earned bonuses, etc.) and the performance status of other colleagues in the same department by logging into the system with their personal email address and password. The data generated within this application and the application itself are used with the explicit consent of the employee, in the interest of both REN and the employee.
All personal data of employees (excluding health data) processed by REN are processed within the legitimate interests of REN and the employment contract, in accordance with the legislation of the Republic of Turkey. Therefore, separate consent is not required due to the existence of this legal basis. However, in cases where additional consent is required due to developments in legislation and practice, separate employee consent may be requested for the processing of personal data requiring consent.
As necessary for the commercial activities of REN, personal data of employees can be transferred to business partners mentioned in section 2.1, suppliers of goods and services, and upon request, to public institutions and organizations.


2.3.    FOR REN JOB APPLICANTS

Personal data obtained from and processed for job applicants within the scope of job applications are stored by REN in its automatic systems or physical environments, in company-written standards, for a period of 2 years, which is considered reasonable for the possibility of establishing a job relationship with the job applicants.


Along with the information text attached to the job application form, job applicants are requested consent for the processing and storage of their personal data (including special categories of personal data such as health data, criminal record data, and association membership data) shared with REN during the job application process, together with the reference research and personal data consent text, for a period of 2 years.


Personal data shared by job applicants are used for obtaining information about the applicant's work history, conducting background checks, and communicating with the references provided in the CV or application form obtained from career sites. The information shared by job applicants is processed within the scope of REN human resources policies and processes, including personnel recruitment and management of business processes, in accordance with the conditions for processing personal data specified in Article 5 of the Law on Protection of Personal Data No. 6698, based on the explicit consent of the job applicant for sensitive data mentioned in Article 6 (Health, Association Membership, Religion), and in compliance with the principle of purpose limitation. The mentioned personal data may be shared with our business partners, who are third-party consultancy, training, or job placement firms, to ensure a thorough evaluation.


2.4.    FOR REN VISITORS

During the visits of individuals to our company, personal data consisting of identity data and visual data is processed by REN for the purpose of ensuring the security of visitors and the company by creating visitor records and capturing images with security cameras. These personal data are not shared with any third parties under any circumstances other than contractual obligations, legal requirements, and written requests from public authorities. Necessary legal warnings and information are provided at our facility entrances and on our website's privacy notice. Likewise, visitors are regularly informed through information texts placed in our stores.

Within this context, for the purpose of ensuring security by REN and for other purposes specified in this Policy; internet access may be provided to Visitors who request it during their stay within REN buildings and facilities. In this case, log records of internet access are kept in accordance with the provisions of Law No. 5651 and the relevant legislation, and these records are processed only upon request by authorized public institutions and organizations or to fulfill our legal obligations within REN during audit processes.


3.    MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

REN takes necessary administrative and technical measures in accordance with Article 12 of the Personal Data Protection Law.

As REN, we implement the necessary technical and administrative measures within the required technological infrastructure to ensure the protection and retention of your personal data processed within the scope of our company activities in accordance with the Personal Data Protection Law and relevant legislation. In this regard, we take precautions against data breaches, unauthorized access, data loss, unauthorized alteration of data, and other threats and perform necessary audits.

Within this context, we identify existing risks and threats, raise awareness among our employees through awareness-raising activities, determine policies and procedures regarding personal data security, ensure data minimization, create necessary confidentiality agreements with data processors, use security firewalls and up-to-date antivirus programs for cybersecurity, configure our existing software and hardware, perform software updates and audits, ensure the security of physical and electronic environments containing personal data, and take necessary measures to prevent unauthorized access to your data through key management, access logs, user account management, penetration testing, and encryption methods.

3.1    Audit of Measures Taken for Personal Data Protection

REN has a Personal Data Protection Officer. The Personal Data Privacy Officer, in accordance with the duties arising from Article 12 of the Law, personally conducts the necessary audits in his/her own institution or organization to ensure the implementation of the provisions of the law on behalf of the data controller REN, or if necessary, arranges for audits to be carried out by competent authorities.


4.    RIGHTS AND REQUESTS OF THE DATA SUBJECT

REN has established the Personal Data Application and Response Procedure, which is an annex to the personal data inventory, as the data controller in response to requests from the data subjects in accordance with Article 13 of the Personal Data Protection Law. In accordance with this procedure, a data inventory has been created, and a system has been put into operation to perform the necessary procedures. The rights of the data subject are detailed in Article 12 of this policy.


5.    PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data, which are limitedly defined in the Personal Data Protection Law, are attributed special importance due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations, or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.

REN handles special categories of personal data, as determined by the Personal Data Protection Law and processed lawfully, with sensitivity. Privacy agreements have been signed with relevant users engaged in processing activities related to special categories of data, and training has been provided to employees. Additionally, technical measures have been taken for data protection. The implementation of administrative and technical measures prescribed by law is carried out.


6.    ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

REN, in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, processes personal data in compliance with the law and principles of honesty; accurately and up-to-date when necessary; for specific, clear, and legitimate purposes; in a manner connected with the purpose of processing, limited, and measured. REN retains personal data for the period required by law or the purpose of processing personal data.

REN informs the data subjects in accordance with Article 10 of the Personal Data Protection Law and, in cases where consent is required, obtains consent from the data subjects to process personal data based on the criteria specified below.

   
7.    INFORMING AND NOTIFYING THE DATA SUBJECT

REN informs the data subjects during the collection of personal data in accordance with Article 10 of the Personal Data Protection Law. In this context, REN provides information to the data subjects, depending on the nature of the data subject and the data processing process, about the identity of REN or its representative if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason of personal data collection, and the rights of the data subject. Information texts have been published in all stores and websites, and the necessary information processes have been completed for employees and visitors.


8.    TRANSFER OF PERSONAL DATA

REN, by taking necessary security measures in line with the lawful purpose of personal data processing, may transfer the personal data and special categories of personal data of the data subject to third parties rarely due to business needs. REN may transfer personal data to foreign countries declared to have sufficient protection by the Data Protection Board or to foreign countries where sufficient protection is not available, provided that data controllers in Turkey and the relevant foreign country provide sufficient protection in writing and permission is obtained from the Data Protection Board.

As the basis for transfer, primarily the explicit consent of the data subject is considered. In the absence of explicit consent, measures determined by the institution are taken into account in accordance with Article 5, Paragraph 2, and Article 6, Paragraph 2 of the Law.


9.    PERSONAL DATA INVENTORY OF REN AND CLASSIFICATION OF PERSONAL DATA

REN has completed the necessary audits within the company and created a personal data inventory in accordance with the reasons arising from the law and the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data sources, purposes of data processing, data processing process, recipient groups to whom the data is transferred, retention periods, reasons for retention periods, and data protection measures. In this context, REN has data categories including but not limited to the following types.

 

 

PERSONAL DATA CATEGORIZATION EXPLANATION OF PERSONAL DATA CATEGORIZATION
Contact Data A data group that can be used to reach the individual. (Phone number, address, email, fax number, IP address)
Identity Data A data group containing information about the individual's identity. (Full name, ID number, mother's name, father's name, place of birth, date of birth, gender, ID card serial number, ID card copy, tax number, social security number, nationality data, marriage certificate copy/scan, employee card)
Health Data A data group containing the individual's health information. (Blood type, medical history, check-up results, consultation report, diet form, foot and body measurements)
Vehicle Data A data group containing the individual's vehicle information. (License plate number, chassis number, engine number, registration information)
Location Data A data group containing the individual's location data. (GPS location)
Visual/Audio Data A data group containing the individual's visual and audio data. (Photograph, voice recording, camera recording, driver's license copy/scan, ID card copy/scan, passport copy/scan)
Digital Trace Data A data group containing digital traces resulting from the processing of information, especially in electronic environments. (Logs)
Financial Data A data group containing the individual's financial information. (Bank account number, IBAN, card information, bank name, financial profile, mail order form, credit score)
Occupational Data A data group containing information related to the individual's profession. (Employer information, professional chamber registration)
Educational Data A data group containing the individual's educational data. (Diploma grade, diploma copy/scan)
Asset Data A data group containing information about the individual's assets. (Title deed copy/scan, vehicle registration copy/scan)
Travel Data A data group containing information about the individual's travels. (Flight information, boarding pass, tour itinerary, miles card number, accommodation data)
Company Data Data of sole proprietorships. (Company address)
Signature Data A data group containing information about the individual's signature. (Wet signature, e-signature, signature copy/scan)
Visa/Passport Data A data group containing information about the individual's visa/passport. (Visa information, passport copy/scan)
Sanction Data A data group containing data related to sanctions received by the individual in the past. (Criminal prosecutions, Criminal record, Discipline record)
Shopping Habits and Purchased Product Data Refers to records of products and services purchased by the data subject from the data controller, as well as data related to keeping records of previous purchases. (Purchased product, Purchase dates, Exchange dates)



10.    STORAGE PERIODS OF PERSONAL DATA

REN stores personal data for the periods specified in relevant laws and regulations when required.

If there is no specified period for storing personal data in the legislation, personal data is stored for the duration required by REN's practices and industry customs related to the activity conducted by REN when processing that data. Later, according to the nature of the data, it is deleted, destroyed, or anonymized in accordance with the relevant policy established by REN.

When the purpose of processing personal data ends, and the storage periods determined by the relevant legislation and REN are completed, personal data may only be stored for possible legal disputes to serve as evidence or for asserting or defending the relevant right related to personal data, even after the expiration of the statutory limitation periods. In determining these periods, examples from previous requests addressed to REN concerning the assertion of the right in question and the expiration of statutory limitation periods are taken into account. In this case, access to the stored personal data is not provided for any other purpose, and access to the relevant personal data is only provided when necessary for the relevant legal dispute.



11.    CONDITIONS FOR ERASURE OF PERSONAL DATA (DELETION, DESTRUCTION, AND ANONYMIZATION)

In accordance with Article 138 of the Turkish Penal Code, Article 7 of the Personal Data Protection Law, and the Regulation on the Deletion, Destruction, and Anonymization of Personal Data issued by the Personal Data Protection Authority, personal data is deleted, destroyed, or anonymized by REN at its own decision or upon the request of the data subject, even if it has been processed in compliance with relevant laws but the reasons requiring its processing have ceased.



12.        RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS

REN informs individuals about their rights in accordance with Article 10 of the Personal Data Protection Law and guides them on how to exercise these rights. Additionally, REN carries out the necessary channels, internal procedures, and administrative and technical regulations for the evaluation of data subjects' rights and the provision of necessary information to data subjects, in accordance with Article 13 of the Personal Data Protection Law.

12.1 Rights of Data Subjects
 
Data subjects have the following rights:

  1. To learn whether personal data is being processed,
  2. To request information if personal data has been processed,
  3. To learn the purpose of processing personal data and whether they are used in accordance with this purpose,
  4. To know the third parties to whom personal data are transferred, whether domestically or abroad,
  5. If personal data are incomplete or incorrectly processed, to request their correction and to request that the transaction made within this scope be notified to third parties to whom personal data are transferred,
  6. To request the deletion, destruction, or anonymization of personal data in case the reasons requiring their processing have ceased, even though they have been processed in compliance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the transaction made within this scope be notified to third parties to whom personal data are transferred,
  7. If a result that is to the detriment of the individual emerges by analyzing the processed data exclusively through automated systems, to object to this result,
  8. In case personal data are processed unlawfully and the data subject incurs damages as a result, to demand the compensation of the damages.


12.2 Situations Where Data Subjects Cannot Assert Their Rights

Data subjects cannot assert their rights as stated in Article 12.1 in the following cases, as these cases are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of the Law:
 

  1. Processing of personal data for research, planning, and statistical purposes by anonymizing them through official statistics.
  2. Processing of personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, and does not constitute a crime.
  3. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and authorized by law to ensure national defense, national security, public security, public order, or economic security.
  4. Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution proceedings.


In accordance with Article 28, paragraph 2 of the Personal Data Protection Law, data subjects cannot assert their rights as stated in Article 12.1, except for the right to claim compensation for damages in the following cases:
 

  1. Processing of personal data is necessary for the prevention of a crime or for conducting criminal investigations.
  2. Processing of personal data that has been made public by the data subject.
  3. Processing of personal data by public institutions and organizations authorized and authorized by law, and professional organizations of public nature, for the purpose of carrying out supervision or regulatory duties, or for disciplinary investigation or prosecution.
  4. Processing of personal data is necessary for the protection of the economic and financial interests of the State concerning budget, tax, and financial matters.


12.3 Exercising Data Subject Rights

Data subjects can submit their requests regarding their rights specified in this policy to REN by filling out and signing the application form with the information and documents identifying their identity and by the methods specified below or by the other methods determined by the Personal Data Protection Board.

After filling out the application form available at renhome.com or after signing another written document containing the necessary information required by legislation, the wet-signed copy of the document should be personally delivered or sent by registered mail to the address Meşrutiyet Mh. Ebe Kızı Sk. Akhan Blok No:17A Şişli, Istanbul,

After filling out the form available at renhome.com or signing another written document containing the necessary information required by legislation, or the content of the email, after being signed with your secure electronic signature within the scope of Law No. 5070 on Electronic Signatures, the securely signed electronic form should be sent to the email address veri@renhome.com or, if registered, to the same email address via your registered email.

If the data subject submits their request to REN in accordance with the procedure, REN will conclude the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if the response to the request exceeds the 10-page criterion, a fee of 1 TL per page determined by the Personal Data Protection Board or, if requested electronically, the cost of the media recording device will be charged to the data subject.

ÇiftGeyik Ren Ev Dekorasyon ve Koleksiyon Ürünleri Tekstil San. ve Tic. A.Ş. (Data Controller)
Address – Meşrutiyet Mh. Ebe Kızı Sk. Akhan Blok No:17A Şişli, Istanbul
Mersis - 0255095611200001
renhome.com
veri@renhome.com
444 1917


Attachment-1 Definitions

Explicit Consent     :     Consent based on informed decision on a specific subject and given by free will.
Anonymization     :     Changing personal data in a way that it loses its personal data nature and cannot be taken back. For example: Masking, aggregation, data distortion, etc.
Application Form     :     "Application Form to be Submitted to the Data Controller by the Data Subject (Data Owner) in Accordance with the Law No. 6698 on the Protection of Personal Data Regarding the Rights of the Data Subject (Data Owner)" containing the application to exercise the rights of data subjects.
Job Candidate     :     Individuals who have applied for a job in any way to REN or have submitted their resumes and related information.
Employees, Shareholders, and Authorities of the Institutions We Collaborate with     :     Real persons, including employees, shareholders, and authorities of the institutions with which REN has any business relationship (such as business partner, supplier, etc., but not limited to these), REN is involved in.
Business Partner     :     Parties with whom REN has entered into partnership agreements for various purposes such as carrying out various projects with the Group Companies, receiving services, etc.
Processing of Personal Data     :     Any operation performed on personal data, wholly or partially automated or non-automated, provided that it is part of any data recording system, including obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of data.
Data Subject     :     The natural person whose personal data are processed. For example; Customer, Employee, Visitor
Personal Data     :     Any information relating to an identified or identifiable natural person. Therefore, processing information related to legal entities is not within the scope of the Law. For