Version 1.1
1. Introduction
Bluefun Apparels Tekstil Sanayi ve Dış Tic. Ltd. Şti. ("Bluefun") is a data controller under Turkish Law No. 6698 on the Protection of Personal Data (KVKK). We take the protection of personal data belonging to our employees, job applicants, customers, prospective customers, shareholders, officers, visitors, suppliers, partners' employees, and other third parties seriously.
Article 20 of the Turkish Constitution grants every person the right to request that their personal data be protected. Bluefun treats that right as a constitutional one and administers it through this Policy and the administrative and technical measures described below.
This Policy sets out the principles that guide every processing activity at Bluefun: lawfulness and fairness; accuracy and currency; specified, explicit, and legitimate purposes; relevance, limitation, and proportionality; retention only for as long as needed; transparency; a system for the exercise of data subject rights; appropriate safeguards; lawful transfer; and heightened care for special-category data.
2. Definitions
- KVKK: Turkish Law No. 6698 on the Protection of Personal Data.
- Constitution: the Turkish Constitution, dated 18 October 1982, No. 2709.
- Board: the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu).
- Policy: this Personal Data Protection and Processing Policy.
- Turkish Criminal Code: Law No. 5237 of 26 September 2004.
- Explicit consent: consent relating to a specific subject, based on information, and expressed by free will.
- Anonymisation: rendering personal data such that it cannot be linked to an identified or identifiable natural person, even when combined with other data.
- Data subject: the natural person whose personal data are being processed.
- Personal data: any information relating to an identified or identifiable natural person.
- Special-category personal data: data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Processing of personal data: any operation performed on personal data, wholly or partly automated or otherwise forming part of a data filing system, such as collection, recording, storage, adaptation, retrieval, disclosure, transfer, use, or restriction.
- Data processor: a natural or legal person who processes personal data on behalf of a data controller, based on the authority granted by the controller.
- Data controller: a natural or legal person who determines the purposes and means of processing and is responsible for the data filing system.
3. Purpose, scope, and application
The purpose of this Policy is to describe how Bluefun processes personal data lawfully and the systems it uses to protect them, and to inform those whose personal data we hold.
This Policy applies to all personal data of customers, prospective customers, interns, shareholders, company officers, visitors, employees of our business partners, suppliers, third parties, and our own employees, processed by automated means or as part of a data filing system. Parts of the Policy may apply to some groups and not others, depending on the relationship.
Where applicable legislation and this Policy conflict, applicable legislation prevails. This Policy reflects our operational implementation of the rules set by KVKK.
4. Implementation principles for the protection of personal data
In line with Article 12 KVKK, Bluefun takes the technical and administrative measures needed to prevent the unlawful processing of personal data, to prevent unlawful access, and to preserve personal data. Measures include access controls, training and confidentiality commitments for employees, contractual requirements on processors, secure storage, internal audits, and a breach-response process that includes notification to the data subject and the Board where required.
Data subject rights
We maintain the channels, internal procedures, and technical arrangements needed to evaluate data subject requests under Article 13 KVKK. Applications are resolved within thirty days. Where the Board's tariff requires a fee (for example for responses on physical media), it may be charged. Applications by a third party on behalf of a data subject require a special power of attorney.
Special-category data
We apply heightened care to special-category personal data and process them only under the conditions set out in Article 6 KVKK, with the safeguards determined by the Board.
Informing data subjects
In line with Article 10 KVKK, we inform data subjects at the point of collection about our identity, the purpose of processing, to whom data may be transferred and for what purposes, the method and legal basis of collection, and their rights under Article 11. This Policy, the separate Privacy Notice, and our public communications together constitute that disclosure.
5. Processing of personal data
We process personal data lawfully and fairly, keep them accurate and up to date, process them for specified, explicit, and legitimate purposes, and keep processing relevant, limited, and proportionate to those purposes. We retain personal data only for as long as the law or the purpose requires.
Under Article 20 of the Constitution, personal data may be processed only where permitted by law or with the data subject's explicit consent. We rely on one or more of the grounds in Article 5 KVKK: explicit consent of the data subject; express authorisation by law; protection of the life or physical integrity of a person who is unable to give consent; direct necessity for the conclusion or performance of a contract; compliance with a legal obligation; data already made public by the data subject; establishment, exercise, or protection of a right; and our legitimate interests, provided they do not override the fundamental rights of the data subject.
Special-category personal data are processed only with the data subject's explicit consent, or, where the law permits, in the narrower set of cases described in Article 6 KVKK (and, for health and sexual-life data, only by persons or bodies under a duty of confidentiality, for medical or public health purposes).
Personal data may be transferred to third parties (business partners, processors, professional advisors, public authorities) in line with Articles 8 and 9 KVKK and the related regulations issued by the Board, under appropriate technical and contractual safeguards.
Cross-border transfers
Bluefun may, in limited circumstances, transfer personal data outside Türkiye. Typical examples are the use of cloud e-mail, website hosting, or form-processing providers whose infrastructure is located abroad. Cross-border transfers are carried out under Article 9 KVKK and the Regulation on the Transfer of Personal Data Abroad (Resmi Gazete, 10 July 2024): on the basis of an adequacy decision by the Board (where one exists), on the basis of appropriate safeguards such as standard contractual clauses or binding corporate rules, or, where no other basis applies, with the data subject's explicit consent given after disclosure of the relevant risks. We do not carry out cross-border transfers beyond what is needed to run the services described in this Policy and our Privacy Notice.
6. Purposes of processing and retention periods
We process personal data within the conditions set out in Article 5(2) and Article 6(3) KVKK, consistent with the general principles of Article 4 KVKK, and inform data subjects in accordance with Article 10.
Typical purposes include: managing relationships with business partners and suppliers; running recruitment and career evaluation processes; running human-resources processes; financial reporting and risk management; legal follow-up; corporate communication; corporate governance; finance, accounting, and payroll; statutory reporting to authorities; creating and maintaining visitor records; planning and carrying out business activities; business-continuity planning; audit; information-security management; IT infrastructure; employee benefits and performance; emergency management; and operational-risk management. Where none of the lawful grounds in KVKK applies, explicit consent is obtained.
We retain personal data for the periods set by applicable law. Where the law is silent, we retain them for as long as the processing purpose requires. After that, we may retain data only to the extent necessary to defend or establish legal claims, for the duration of the applicable statute of limitations. Data are then deleted, destroyed, or anonymised. Access during the extended retention period is restricted to authorised personnel.
7. Deletion, destruction, and anonymisation
In line with Article 138 of the Turkish Criminal Code and Article 7 KVKK, personal data processed lawfully are deleted, destroyed, or anonymised once the reasons for processing no longer exist, either on our own decision or at the data subject's request. We maintain internal procedures and train the relevant teams.
Techniques used include: physical destruction for non-automated records (destroying the medium so the data cannot be reconstructed); secure software deletion for digital records (methods that make recovery impossible); and secure deletion by a specialist where appropriate. For anonymisation, we use masking (removing the key identifier from the record), aggregation (combining records so individuals cannot be singled out), derivation (replacing a value with a more general one), and shuffling (breaking the link between values and individuals).
8. Data subject categories
Personal data are processed, in part or in whole, for the following categories of data subjects: employees; job applicants and interns; customers and prospective customers; suppliers; business partners and their employees, shareholders, and officers; visitors; shareholders and officers of Bluefun; and third parties whose data come into our possession in the ordinary course of business.
9. Contact
For questions about this Policy, or to exercise your rights under KVKK, please use the application form on this site, or contact us at the addresses set out in the Privacy Notice.