Suglobal Textile and Garment Inc. – Personal Data Retention, Processing and Destruction Policy

Purpose and Scope

The protection of personal data and securing it as a constitutional right is a matter of high sensitivity for Suglobal Tekstil ve Konfeksiyon San. A.Ş. (“Suglobal” or “Company”) and is among our corporate priorities. We, as Suglobal, are fully aware of our responsibility in this regard and we place great importance on the safe processing of your personal data.

The purpose of this Personal Data Retention, Processing and Destruction Policy (“Policy”) is to ensure that Suglobal processes, transfers and protects personal data in accordance with the Personal Data Protection Law No. 6698 (“KVKK”), published in the Official Gazette dated April 7, 2016 and numbered 29677, and the relevant secondary legislation. Additionally, this Policy aims to outline the methods and principles that will be followed to protect the privacy of private life and other fundamental rights and freedoms of natural persons, and to explain the rights of Relevant Persons under the KVKK and current secondary legislation.

This Policy applies to all activities carried out by Suglobal regarding processing, transferring, storing, destroying, and protecting personal data.

In this context, Suglobal takes all required administrative and technical measures for the protection of personal data processed in accordance with the relevant legislation. The Company reserves the right to make amendments to this Policy when deemed necessary.

Definitions

All definitions and terms used in this KVKK Policy shall bear the meanings set out in the KVKK and its relevant secondary legislation. Accordingly:

  • Explicit Consent: Consent that is based on being informed and declared with free will on a specific subject.

  • Relevant Person: A natural person whose personal data is processed.

  • Personal Data: Any information relating to an identified or identifiable natural person.

  • Processing of Personal Data: Any operation performed on personal data through fully or partially automated means, or non-automated methods provided that it is part of a data recording system, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use.

  • Board: The Personal Data Protection Board.

  • Authority: The Personal Data Protection Authority.

  • Personal Data Inventory: A detailed inventory created by data controllers that outlines personal data processing purposes, legal grounds, categories, transfer recipients, subject groups, maximum retention period, foreign transfers, and security measures.

  • Recording Environment: Any environment where personal data is processed, whether fully or partially automated, or non-automated where the data forms part of a recording system.

  • KVKK: Personal Data Protection Law No. 6698.

  • Destruction: Deletion, destruction or anonymization of personal data.

  • Periodic Destruction: Automatic deletion, destruction or anonymization at specified intervals, when processing conditions no longer apply, under a personal data retention and destruction policy.

  • Special-Category Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect, appearance, association/union memberships, health, sexual life, criminal records, security measures, biometric or genetic data.

  • Data Controller: Party determining the purposes and means of processing and responsible for the data recording system.

  • VERBIS: Data Controllers Registry Information System.

  • Data Processor: Any natural or legal person who processes personal data on behalf of the Data Controller.

  • Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on 28 October 2017.

Relevant Persons and Categories of Personal Data Processed

Suglobal may collect or process personal data belonging to:

  • Customers, subcontractors, suppliers, business contacts and potential customers (and/or persons associated with them), and other business partners;

  • Real persons whose personal data are obtained in the course of professional services provided to customers (e.g., employees, clients, suppliers, and their references);

  • Suglobal employees, employee family members, job applicants and their references;

  • Visitors of Suglobal’s websites and social media followers;

  • Third parties.

Data categories may include but are not limited to: identity information, contact information, financial information, special-category data, educational and visual data, family information—processed for purposes that require such data, in a limited and proportional manner under Articles 5 and 6 of KVKK.

(Table of data categories translated below remains intact for legal structure — refer to

pasted

)

Data Controller

As the Data Controller, Suglobal may process, record, store, reorganize and transfer personal data domestically or internationally, within the limits permitted by KVKK and on the basis of explicit consent where necessary.

Suglobal takes necessary technical and administrative measures to prevent unlawful access, unlawful processing, and to ensure secure retention of personal data, and performs or commissions regular audits accordingly.

Implementation of Policy & Related Legislation

In case of any conflict between this Policy and applicable legislation, the provisions of the legislation shall prevail and be applied.

Suglobal performs its preparations and systems in accordance with legal timelines provided in the KVKK.

Principles for Processing Personal Data

As per Article 4 of the KVKK, Suglobal processes data in accordance with these principles:

  • Lawfulness and fairness

  • Accuracy and up-to-date where necessary

  • Specific, explicit, and legitimate purposes

  • Relevant, limited, and proportionate to purpose

  • Retained only for necessary time or as required by legislation

Under Article 5 of KVKK, personal data cannot be processed without consent unless specific legal grounds apply (e.g., law requirement, contract necessity, public interest, legitimate interest, protection of life when consent cannot be given, etc.).

Special-category data is only processed with explicit consent or under strict conditions and security obligations as determined by KVKK and the Board.

Recording Environments

Electronic environments: servers, email, databases, laptops, mobile devices, optical media, USB memory, printers, scanners, security systems, etc.
Non-electronic environments: paper files, manual logs, physical archives, print materials, visual media.

Methods of Collecting Personal Data & Legal Basis

Personal data may be collected through:

  • Company departments and communication channels

  • Website, Wi-Fi access, SMS, email, social media

  • Meetings, events, business partners, public databases

  • Third-party service providers

  • Public institutions, contractual relationships

Data is stored for durations required by KVKK, Regulation, Turkish Commercial Code, Turkish Code of Obligations, Labor Law, SSI legislation, tax law, and archive regulations.

Retention and Destruction of Personal Data

Data is retained only for as long as:

  • Required by legislation;

  • Necessary for stated purpose of processing;

  • Needed to fulfill legal or contractual obligations or defend legal rights.

Personal data is deleted, destroyed, or anonymized when:

  • Legal grounds expire;

  • Processing purpose is eliminated;

  • Person withdraws explicit consent;

  • KVKK Article 11 request is accepted by Suglobal or the Board;

  • Maximum retention timeline has passed.

Periodic destruction period – every 6 months.

Measures for Data Protection

Technical: cybersecurity systems, restricted access, encryption, threat monitoring, antivirus, internal audits.
Administrative: confidentiality agreements, policy and procedures, employee training, internal discipline rules.

Transfer of Personal Data

Domestic transfers may be made only within limits of KVKK or explicit consent where required.

International transfer may occur only:

  • To countries with Board-approved adequate protection; or

  • With written commitment + Board approval where protection is insufficient.

Rights of the Data Subject

Every person whose data is processed may contact info@denimvillage.com to:

  • Learn whether data is processed;

  • Request information;

  • Learn processing purpose and compliance;

  • Request correction, deletion, destruction, anonymization;

  • Object to adverse outcomes by automated processing;

  • Request compensation for unlawful processing.

Under Article 28 KVKK, rights do not apply where processing relates to:
national security, public order, statistics, judicial investigations, etc.

Amendments and Enforcement

The Company reserves the right to update or amend this Policy.
Updated versions will be published on the official website.