Carton Box Print


Personal Data
Protection Policy


This Processing and Protection of Personal Data (“Policy”), while CARTON BOX AMBALAJ SANAYİ DIŞ TİCARET LİMİTED ŞİRKETİ, (“CARTON BOX”) (“Company”) fulfills its data protection obligations enacted by the Law on Protection of Personal Data No. 6698 and other relevant legislation. and also determines the procedures and principles that must be followed within the CARTON BOX and/or by the CARTON BOX while processing.

CARTON BOX undertakes to apply an adequate and reasonable level of security for the personal data it contains, to respect the confidentiality of the data and to comply with this Policy and the processes accordingly.




The main purpose of this Policy is to set forth the principles regarding the personal data processing activity carried out in accordance with the law and the protection of personal data, and in this context, to ensure transparency by enlightening and informing the persons whose personal data are processed by our company.



This Policy; It covers all departments of CARTON BOX, its employees, and third parties such as customers and suppliers.

This Policy; It will cover all activities in which CARTON BOX processes personal data and will be applied in all kinds of events and actions.

In the event that it is determined by new legislation, CARTON BOX will provide a higher level of security on personal data in accordance with the new legislation and comply with the legislative requirements.

In cases where it is deemed that there is a legal obstacle in the implementation of this Policy by CARTON BOXCARTON BOX will re-determine the steps to be taken, in consultation with the Board, if deemed necessary.




The definitions used in this Policy are as follows:

Express Consent Consent on a particular subject, based on information and expressed with free will
Anonymization Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data
Personal Data Any information relating to an identified or identifiable natural person
Processing of personal data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data fully or partially by automatic or non-automatic means provided that it is a part of any data recording system. All kinds of operations performed on data, such as blocking
KVK Law Law No. 6698 on the Protection of Personal Data
KVK Board Personal Data Protection Board
KVK Institution Personal Data Protection Authority
Special categories of personal data Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Data processor The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him/her.
Personal data owner The natural person whose personal data is processed and who is deemed to be the “relevant person” in the KVK Law
Data controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data Controllers Registry Data controllers registry (VERBIS) kept by the Presidency under the supervision of the Personal Data Protection Board
Data Inventory Personal data processing activities carried out in connection with CARTON BOX business processes; personal data processing purposes, the recipient group to which the personal data is transferred, and the inventory created and detailed by associating with the relevant personal data owner group.



Before CARTON BOX; In line with CARTON BOX‘s legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, in particular the principles specified in Article 4 regarding the processing of personal data, KVKK’ Personal data owners (Customers, Potential Customers, Employees, Employee Candidates, Interns, Supplier Employees We Cooperate with, Supplier Authorities, References, Shareholders/Partners, Relatives of Employees, Limited to reference etc.);

  • Fulfilling the requirements of commercial activities carried out by our company, and ensuring that the relevant persons benefit from the products and services offered by our company,
  • Carrying out the necessary work by the relevant business units of our company, conducting the related business processes and making reports,
  • Personal data received for Production/Sales services,
  • Determining and implementing our company’s commercial, operational and business strategies,
  • Ensuring the legal and commercial security of third parties who have a business relationship with our company and/or the products and services offered by our company and/or our suppliers, following the legal processes and establishing, using and protecting the rights arising from the legislation,
  • Ensuring that our company activities are carried out in accordance with company procedures or relevant legislation,
  • Planning, auditing and execution of corporate sustainability, corporate management, strategic planning and information security processes, ensuring business continuity,
  • Execution of the work carried out with our business partners and management of relations,
  • Fulfilling the information sharing, reporting and informing obligations stipulated by the Public Institutions and all authorities,
  • Fulfillment of information and document retention obligations arising from legal legislation,
  • Carrying out the planning and statistical activities required by our company,
  • Determining and implementing our company’s commercial and business strategies,
  • Execution of finance, communication, market research and purchasing operations,
  • Maintaining in-house system and application management operations,
  • Planning and executing the marketing processes of products and/or services,
  • Planning and/or executing the processes of establishing and/or increasing loyalty to the products and/or services offered by the company,

It will be processed in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698, in order to manage our legal processes and to provide you with an uninterrupted better and reliable service.

CARTON BOX has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which data is transferred, and retention periods.

In this context, the following types of data categories are included in the CARTON BOX, but are not limited to these types;

Identity information, contact information, personal information, legal transaction information, customer transaction information, physical space security information, financial information, professional experience information, marketing sales information, audio-visual recording information, race and ethnicity information, religious information (in the old identity ), health information, criminal conviction and security measures information and other information (room registration number, signature, education status of the employee’s relative) data category.



Legal Compliance

Our company carries out its personal data processing activities in accordance with the law and honesty rules, in accordance with the KVKK and relevant legislation, especially the Constitution.


Accurate and up-to-date data when necessary

Our company; It ensures that the personal data it processes are correct and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests, and takes the necessary measures in this direction. In this context, data on all categories of persons are tried to be kept up-to-date, and all kinds of administrative and technical measures are taken to ensure accuracy and up-to-date.


Definite, Legitimate and Clear Purpose

Our company; It processes personal data only for clearly and precisely determined legitimate purposes and does not process data other than these purposes. The purpose for which personal data will be processed by our company is determined before the processing activity and is also processed in the “Personal Data Inventory”.


Relating to the Purpose for which the Data is Processed, Limited

Personal data is processed by our company to the extent necessary to achieve the determined purposes. Data processing is not carried out with the assumption that it can be used later. In this context, processes are constantly reviewed and the principle of reducing personal data is tried to be implemented.


Retention of Personal Data as Necessary and Deletion Afterward

Our company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period. In the event that the period expires or the reasons requiring its processing disappear, personal data is deleted, destroyed or anonymized in accordance with our Company’s “Data Destruction Policy”.



Personal data may only be collected, processed or used within the scope of the legal bases set out below.

Open Consent

The protection of personal data is a constitutional right, and fundamental rights and freedoms can only be limited by law, without affecting their essence, only depending on the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the individual. Personal data is processed by our company without seeking the explicit consent of the person concerned, only if the following conditions are met;

  • Explicit consent should be given with free will, otherwise it is void.
  • Explicit consent will be obtained from the relevant person in writing or electronically. In addition to these cases, verbal consent may also be accepted in cases where registration is taken. In this way, express consent will be recorded in a provable manner. Before obtaining explicit consent, persons will be informed of their respective rights.
  • In cases where it is necessary to process special categories of personal data, explicit consent will be obtained in a provable way.
  • Departments that process personal data are obliged to control the existence and validity of the explicit consent of the relevant data owner while collecting the personal data they process. In the event that it is determined that there is no explicit consent, the data processing activity will be stopped.

Processing of Personal Data without Obtaining Express Consent

  • Expressly stipulated in laws,
  • It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract.
  • It is obligatory for the data controller to fulfill its legal obligations,
  • The data owner has made it public,
  • Data processing is compulsory for the establishment, use or protection of a right,
  • Data processing is compulsory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.

Processing of Personal Data of Special Quality

  • Special categories of personal data can only be processed in cases where the data subject has a demonstrable explicit consent or where it is expressly stipulated by law.
  • Personal data related to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without obtaining explicit consent. In the case of such processing, the data processor is under the obligation to keep confidential.
  • Adequate measures determined by the Board will be taken while processing sensitive personal data.
  • In any case where special categories of personal data need to be processed, the KVKK Committee will be informed.

Processing Data of Employees

  • All personal data processing principles specified above will also be applied to the personal data of the employees.
  • The personal data of people who apply for a job without using CV collection channels can be processed after their explicit consent form is read and signed in the annex of the employee candidate clarification text to initiate the business relationship. In case of the explicit consent of the employee candidate, it can be stored for the period specified in the form.
  • The employee who is connected with the employment relationship and is related to the performance of the contract; Personal data may be processed without the explicit consent of the employees. Otherwise, the employee’s approval, legal conviction, legitimate interest and a similar justification must be present.



Transfer to Third Persons Located in Turkey

Personal data can only be transferred to third parties in Turkey in cases where the person concerned has express consent. Personal data may be transferred to third parties in Turkey without the person’s explicit consent, provided that at least one of the conditions specified in paragraph 2 of Article 5 of the law are valid. The relevant department that makes the transfer is responsible for ensuring compliance with the obligations to be complied with during the transfer of personal data in Turkey.


Transfer to Third Parties Abroad

With regard to the transfer of personal data abroad, the explicit consent of the data owner is sought in accordance with Article 9 of the KVKK. However, in the presence of conditions that allow the processing of personal data, including sensitive personal data, without the explicit consent of the data owner, personal data can be transferred abroad without the explicit consent of the data owner, provided that adequate protection is available in the foreign country where the personal data will be transferred.

If the country to be transferred is not determined by the Board among the countries with adequate protection, CARTON BOX and the data controller/processor in the relevant country will undertake in writing to provide adequate protection and permission will be obtained from the Board.



All personal data processed within the CARTON BOX within the scope of the law are confidential. Employees can only carry out collection, processing, transfer, use, deletion, destruction, anonymization activities on personal data within the authorization defined for them. In addition, employees may not use personal data for personal or commercial purposes.



The security of personal data is the responsibility of the employee and the department respectively. It is necessary to protect personal data against loss, unlawful processing, abuse, and any kind of processing by unauthorized persons. These security measures cover all of the personal data that is stored electronically and physically.

CARTON BOX takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed lawfully.



CARTON BOX has taken all kinds of technical and technological security measures in order to protect your personal data and protects your personal data against possible risks. Some of the security measures include;

  • Network and application security are provided.
  • Security measures are taken within the scope of the supply, development and maintenance of information technology systems.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Attack detection and prevention systems are used.
  • Encryption is in progress. Access to systems containing personal data is provided by using username and password.
  • An authority matrix has been created for employees
  • Institutional policies regarding access, information security, use, storage and destruction have been prepared and implemented.
  • Encryption is in progress. Access to systems containing personal data is provided using a user name and password.
  • Training and awareness activities are carried out at regular intervals on data security for employees.
  • There are disciplinary arrangements for employees that include data security provisions.
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments that contain personal data is ensured.
  • Personal data is reduced to the extent possible.


  • A management framework has been set up to initiate and control information security operation and implementation within the organization. A contact person was assigned and job descriptions were determined.
  • KVKK Application channels are determined.
  • Violation, request/complaint management workflows are determined.
  • The main principles, policies and procedures regarding the processing and protection of personal data are determined.
  • Data Processing and Retention Policy Has Been Established.
  • Personal Data Processing and Protection Policy has been established.
  • Information Security Management Policy has been created.
  • Existing risks and threats within the scope of processed personal data have been determined.
  • Roles and responsibilities related to data security and job descriptions have been determined in order to ensure that employees and contractors are aware of and fulfill their information security responsibilities.
  • There is a disciplinary process for employees who do not comply with the security policy, guidelines and procedures.
  • Confidentiality undertakings are made.
  • Employee, customer, supplier etc. Illumination texts were prepared for
  • The processes that require explicit consent are determined and implemented.
  • Periodic and/or random inspections are carried out and are made. It eliminates the confidentiality and security vulnerabilities that arise as a result of the audits.
  • It is evaluated whether there is a need for the aforementioned personal data in terms of the purpose of processing, and personal data is reduced as much as possible.
  • In the event that the data is obtained by others unlawfully, necessary measures are taken by the employees to inform the relevant person and the Board within 72 hours.

Measures to be Taken in Case of Disclosure of Personal Data by Unlawful Ways

In the event that the processed personal data is obtained by others through illegal means, our Company will notify the relevant data owner and the Board as soon as possible (within 72 hours).



In order to ensure security by CARTON BOX, personal data processing activities are carried out for monitoring the entrance and exit of the guests with security cameras in the buildings. Personal data processing activities are carried out by CARTON BOX using security cameras.

Within the scope of monitoring activities with CARTON BOX security camera; It aims to protect the interests of the company and other persons regarding the safety of the company. This monitoring activity is carried out in accordance with KVKK and the Law on Private Security Services and relevant legislation. In this context, the information that camera monitoring is being done is announced to all employees and visitors, and people are enlightened. Notifications are posted at the entrances of the areas where monitoring is performed.

Necessary technical and administrative measures are taken by CARTON BOX in accordance with Article 12 of the KVK Law to ensure the security of personal data obtained as a result of camera surveillance.



Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the “Regulation on Deletion, Destruction and Anonymization of Personal Data” issued by the Institution; Although it has been processed in accordance with the provisions of the relevant law, in the event that the reasons for its processing disappear, personal data is deleted, destroyed or anonymized at the CARTON BOX‘s own decision or upon the request of the personal data owner. CARTON BOX has created a Policy in accordance with the provisions of the regulation on this subject and in accordance with this Policy, destruction is made according to the quality of the data. In accordance with this regulation, periodic destruction dates have been determined by CARTON BOX, and a calendar has been established according to which periodic destruction will be made at various intervals with the commencement of the obligation.



Each employee working at CARTON BOX is obliged to inform the department managers in writing, as soon as he realizes the situation, of an action or event that he thinks is contrary to the restrictions set forth in the Law on Protection of Personal Data No. 6698 and this Policy. The damage and penal liability that may arise in the event of failure to transfer may be recourse to the employee.

As a result of the information provided, the CARTON BOX KVKK committee is obliged to notify the relevant person or authorized institution regarding the acts or events of violation, taking into account the legislation.



In CARTON BOX, the responsibilities are in the form of employee and department, respectively. Within this scope;

Employees are responsible for all personal data in printed or computer media within their work areas and will comply with the conditions set forth in the law and this Policy in any processing on this data.

Department managers are responsible for all personal data, printed or computerized, processed by the employees in their departments and guarantee that the department works in accordance with the conditions specified in the law and this Policy for any processing on this data.

Employees in managerial positions are responsible for personal data processing activities within their own field and will ensure that personal data is processed in accordance with the law and this Policy.

The departments are obliged to inform the CARTON BOX KVKK Committee in all cases of new data processing, data deletion, uncertainty and similar cases regarding personal data. In case of failure to inform, the damage and penal liability that may arise may be recourse to the employee.



A management structure has been established in order to ensure that CARTON BOX complies with the KVKK regulations and enforces the Personal Data Protection and Processing Standard from the implementation of this Policy.



This Policy came into effect on 17.12.2021.

Your Views Are Valuable To Us

Fill in the Contact Form, We’ll Contact You in a Short Time.