POLICY ON PERSONAL DATA PROTECTION

1.1. INTRODUCTION TO THE POLICY

The protection of personal data is among the top priorities of our company, Yiğit Group Agro. This Policy is managed to address this issue, with the most crucial aspect being the protection and processing of the personal data of our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees of the institutions we collaborate with, shareholders, officials, and third parties. The activities carried out by our company to protect the personal data of our employees are managed under the “Protection and Processing of Personal Data of Employees of YİGİT TARIM PAMUK GIDA ÜRÜNLERİ SANAYİ VE TİCARET LİMİTET ŞİRKETİ,” drafted in parallel with the principles in this Policy.

According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. As a constitutional right, the protection of personal data is carefully handled by Yiğit Group Agro (“the Company”) in the context of this Policy, managing the protection of personal data of its customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees of collaborating institutions, shareholders, officials, and third parties. This commitment is established as a company policy.

In this context, the necessary administrative and technical measures are taken by the Company to protect the personal data processed in accordance with the relevant legislation.

This Policy will provide detailed explanations about the processing of personal data by the Company and the fundamental principles adopted, as listed below:

  1. Process personal data in compliance with the law and principles of honesty,
  2. Keep personal data accurate and up-to-date when necessary,
  3. Process personal data for specific, clear, and legitimate purposes,
  4. Process personal data in connection with the purpose of processing, in a limited and proportionate manner,
  5. Retain personal data for the period prescribed by the relevant legislation or as long as necessary for the purpose of processing,
  6. Inform and enlighten the data subjects,
  7. Establish a system for data subjects to exercise their rights,
  8. Take necessary measures to protect personal data,
  9. Comply with the relevant legislation and the regulations of the Personal Data Protection Board when transferring personal data to third parties in line with the purpose of processing,
  10. Show the necessary sensitivity in the processing and protection of special category personal data.

1.2. PURPOSE OF THE POLICY

The primary purpose of this Policy is to provide explanations about the processing of personal data carried out by the Company in a lawful manner and the systems adopted for the protection of personal data. In this context, the goal is to ensure transparency by informing individuals, including our customers, potential customers, company shareholders, company officials, visitors, employees of collaborating institutions, shareholders, officials, and third parties, whose personal data is processed by our company.

1.3. SCOPE

This Policy covers all personal data processed by our company, including our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees of collaborating institutions, shareholders, officials, and third parties, whether processed automatically or through non-automatic means, provided that they are part of any data recording system.

The application scope of this Policy for the groups of personal data subjects mentioned above may cover the entire Policy (e.g., for Active customers who are also our visitors) or only certain provisions (e.g., for Visitors only).

1.4. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

Relevant legal regulations regarding the processing and protection of personal data will primarily apply. In case of any inconsistency between the current legislation and the Policy, our company acknowledges that the applicable legislation will prevail.

The Policy has been formulated by concretizing the rules set forth by the relevant legislation within the framework of company practices.

1.5. EFFECTIVENESS OF THE POLICY

This Policy was prepared and came into effect on June 15, 2020, as regulated by the Company.

ASPECTS RELATED TO THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law on Personal Data Protection, our company takes the necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure the preservation of data security. In this context, necessary audits are conducted or arranged.

2.1. ENSURING THE SECURITY OF PERSONAL DATA

2.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

Our company takes technical and administrative measures according to technological possibilities and application costs to ensure the lawful processing of personal data.

Technical Measures Taken to Ensure Lawful Processing of Personal Data to ensure the lawful processing of personal data, our company:

2.1.2. Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data

Our company takes technical and administrative measures according to the nature of the protected data, technological possibilities, and application costs to prevent the disclosure, access, transfer, or any other form of unauthorized access to personal data.

 

 

The main technical measures taken by our Company to prevent unlawful access to personal data are listed below:

 

The main administrative measures taken by our Company to prevent unlawful access to personal data are listed below:

2.1.3. Storage of Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures according to technological possibilities and application costs to store personal data in secure environments and prevent its destruction, loss, or alteration for unlawful purposes.

The main technical measures taken by our Company to store personal data in secure environments are listed below:

 

The main administrative measures taken by our Company to store personal data in secure environments are listed below:

2.1.4. Audit of Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the Law on Personal Data Protection, our company conducts or arranges necessary periodic and sampling audits within its structure. The results of these audits, which reveal non-compliance detected within the company’s internal functioning, are reported, and activities are carried out to improve the measures taken. The Board of Directors of the Company is informed about the audit results.

2.1.5. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the Law on Personal Data Protection, our company implements a system that ensures the notification of the unauthorized acquisition of personal data by others through illegal means as soon as possible and, at the latest, within 72 hours from the moment it is learned, to the relevant personal data owner and the Data Protection Board.

If deemed necessary by the Data Protection Board, this situation may be announced on the Board’s website or through another method.

2.2. PROTECTING THE RIGHTS OF THE DATA SUBJECT; ESTABLISHING CHANNELS TO CONVEY THESE RIGHTS TO OUR COMPANY AND EVALUATING REQUESTS OF DATA SUBJECTS

Our company, in accordance with Article 13 of the Law on Personal Data Protection, operates the necessary channels, internal procedures, and administrative and technical regulations to evaluate the rights of data subjects and provide the required information.

Detailed information about the rights of personal data subjects is provided in Section 10 of this Policy.

2.3. PROTECTION OF PERSONAL DATA OF SPECIAL NATURE

The Law on Personal Data Protection gives special importance to certain personal data due to the risk of causing harm or discrimination to individuals when processed unlawfully.

These data include race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation, or union membership, health, sexual life, data related to criminal convictions and security measures, as well as biometric and genetic data.

Our company treats with sensitivity the protection of personal data of special nature, as defined by the Law on Personal Data Protection, which is processed in accordance with the law. In this context, the technical and administrative measures taken by our company for the protection of personal data are carefully implemented regarding special qualified personal data, and necessary audits are conducted within the company.

Detailed information about the processing of special qualified personal data is provided in Section 3 of this Policy.

2.4. INCREASING AWARENESS AND AUDIT OF PERSONAL DATA PROTECTION AND PROCESSING IN BUSINESS UNITS

Our company ensures necessary information and training sessions for business units to increase awareness about preventing the unlawful processing of personal data, preventing unauthorized access to data, and ensuring data protection.

To create awareness among the existing employees and new employees within the business units about the protection of personal data, necessary arrangements are made in the Company Working Principles regarding basic obligations, and employees are informed and obligated accordingly. The awareness is sustained through annual electronic review and testing processes of the Working Principles.

Participation in training is reported to relevant managers. Our company evaluates the participation in relevant training sessions, seminars, and informative sessions and conducts or commissions necessary audits in this regard. Our company updates and renews its training in line with updates to relevant legislation.

2.5. INCREASING AWARENESS OF BUSINESS PARTNERS AND SUPPLIERS ABOUT THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company regularly informs business partners to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure data protection.

  1. MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 4 of the Law on Personal Data Protection, our company processes personal data in compliance with the principles of legality and fairness; accuracy and, when necessary, updating; processing for specific, clear, and legitimate purposes; processing in connection with the purpose, limited, and measured; retaining personal data for the period specified in the relevant legislation or the time required for the purpose of processing personal data.

In accordance with Articles 20 of the Constitution and 5 of the Law on Personal Data Protection, our company processes personal data based on one or more of the conditions specified in Article 5 of the Law on Personal Data Protection.

In accordance with Articles 20 of the Constitution and 10 of the Law on Personal Data Protection, our company informs personal data subjects and provides necessary information when personal data subjects request it.

In accordance with Article 6 of the Law on Personal Data Protection, our company acts in compliance with the regulations regarding the processing of special qualified personal data.

In accordance with Articles 8 and 9 of the Law on Personal Data Protection, our company behaves in compliance with the regulations set forth in the law and by the Personal Data Protection Board regarding the transfer of personal data.

3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH PRINCIPLES ENVISAGED IN THE LEGISLATION

3.1.1. Processing in Compliance with the Rule of Law and Fairness

Our company acts in accordance with the principles introduced by legal regulations and the general trust and fairness rule in the processing of personal data. In this context, our company considers the requirements of proportionality in the processing of personal data, and personal data is not used beyond what is required by the purpose.

3.1.2. Ensuring the Accuracy and, When Necessary, Updating of Personal Data

Our company ensures that the processed personal data is accurate and up-to-date, taking into account the fundamental rights of personal data subjects and their legitimate interests. Necessary measures are taken in this regard. For example, a system has been established by the Company to allow personal data subjects to correct and confirm the accuracy of their personal data. Detailed information on this topic is provided in Section 10 of this Policy.

3.1.3. Processing for Specific, Clear, and Legitimate Purposes

Our company clearly and precisely determines the legitimate and legal purpose of processing personal data. Our company processes personal data only as much as necessary in connection with the services and products it offers. The purpose for which personal data will be processed is stated before the personal data processing activity begins.

3.1.4. Processing in Connection with the Purpose, Limited, and Measured

Our company processes personal data in a way that is suitable for the realization of the specified purposes and avoids processing personal data that is not related to or necessary for the purpose. For example, personal data processing activities are not carried out to meet potential future needs.

3.1.5. Retaining Personal Data for the Period Specified in the Relevant Legislation or as Long as Necessary for the Purpose of Processing

Our company retains personal data only for the period specified in the relevant legislation or as long as necessary for the purpose for which personal data is processed. In this context, our company first determines whether there is a period specified in the relevant legislation for the retention of personal data. If a period is specified, our company acts in accordance with this period, and if no period is specified, personal data is retained for the time required for the purpose of processing. When the period expires or the reasons requiring the processing cease to exist, personal data is deleted, destroyed, or anonymized by our company. Our company does not store personal data for future use.

3.2. PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE OF THE CONDITIONS SPECIFIED IN ARTICLE 5 OF THE LAW ON PERSONAL DATA PROTECTION AND LIMITED TO THESE CONDITIONS

Our company processes personal data only in cases specified in the law or with the explicit consent of the individual. Detailed information on this topic is provided in Section 7 of this Policy.

3.3. INFORMING AND NOTIFYING THE PERSONAL DATA SUBJECT

Our company informs the personal data subjects in accordance with Article 10 of the Law on Personal Data Protection during the acquisition of personal data. In this context, information is provided about the identity of the Company and its representative if any, the purpose for which personal data will be processed, to whom and for what purpose processed personal data may be transferred, the method of collecting personal data and its legal basis, and the rights of the personal data subject. Detailed information on this topic is provided in Section 10 of this Policy. Our company provides necessary information when personal data subjects request it, in accordance with Articles 11 of the Law on Personal Data Protection. Detailed information on this topic is provided in Section 10 of this Policy.

 

Individuals to Whom Data Can Be Transferred Definition Data Transfer Purpose
Business Partner It defines the parties with which our company establishes partnerships for purposes such as the sale, promotion, and marketing of our company’s products and services, post-sales support, and the execution of joint customer loyalty programs, while conducting our company’s commercial activities,

 

 

 

 

Limitedly, to ensure the fulfillment of the purposes for which the partnership is established
Supplier  

It defines the parties that provide services to our company on a contract basis in accordance with our company’s orders and instructions while conducting our company’s commercial activities.

 

 

To ensure the provision of services necessary for our company’s commercial activities, which are externally sourced from suppliers, in a limited capacity.

Our Subsidiaries  

Companies in which our company is a shareholder

Limited to ensuring the conduct of commercial activities that may involve the participation of future subsidiaries of our company.
Our Shareholders  

The main shareholders who are authorized to design the strategies and audit activities related to our company’s commercial operations in accordance with relevant legal provisions

Limited to designing strategies related to our company’s commercial activities and for audit purposes in accordance with relevant legal provisions.
Legally Authorised Public Institutions and Organisations Authorized public institutions and organizations, entitled to receive information and documents from our company in accordance with relevant legal provisions. Limited to the purpose requested within the legal authority of the relevant public institutions and organizations.
Legally Authorised Private Law Persons Authorized private legal entities to request information and documents from our company in accordance with relevant legal provisions Limited to the purpose requested within the legal authority of the relevant private legal entities

 

In the transfers carried out by our company, compliance with the issues regulated in the 2nd and 3rd Sections of the Policy is ensured.

PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

Our company informs the data subject about the processing of personal data in accordance with Article 10 of the Law on Personal Data Protection.

7.1. Processing of Personal Data and Sensitive Personal Data

7.1.1. Processing of Personal Data

Explicit consent of the data subject is only one of the legal bases that make the lawful processing of personal data possible. In addition to explicit consent, personal data can be processed if any of the other conditions listed below exists. The legal basis for personal data processing activities can be one or more of the conditions listed below. In the case of processing data with special qualities, the conditions specified under the heading 7.1.2. are applied.

Although the legal bases for the processing of personal data by our company may vary, all personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the Law No. 6698 (See Section 3.1).

  1. Processing Based on the Explicit Consent of the Data Subject

One of the conditions for the processing of personal data is the explicit consent of the data subject. The explicit consent of the data subject must be based on specific information, given with informed consent, and freely made. If none of the conditions (ii), (iii), (iv), (v), (vi), (vii), and (viii) under this title regarding the reasons for obtaining personal data is met, our company processes this personal data based on the explicit consent of the data subject.

For the processing of personal data based on the explicit consent of the data subject, explicit consent is obtained by legal methods determined by the Company.

  1. Explicit Provision in the Law

Personal data can be processed in a lawful manner if it is explicitly provided for in the law.

If obtaining explicit consent is impossible due to actual impossibility, personal data may be processed if it is necessary to process the personal data of the data subject or another person to protect their life or physical integrity. Example: Providing the blood type information of a customer who fainted to doctors by friends.

1.Direct Relevance to the Establishment or Performance of the Contract

If the processing of personal data is necessary for the establishment or performance of a contract and is directly related to the parties of the contract, personal data can be processed. Example: Obtaining the name and contact information of a person purchasing a product.

2.Fulfillment of Legal Obligations of the Company

If processing of personal data is mandatory for our company, acting as the data controller, to fulfill its legal obligations, the personal data of the data subject can be processed. Example: Submitting information requested by a court with a court decision.

3.Publicisation of Personal Data by the Personal Data Owner

If the data subject has publicly disclosed their personal data, the relevant personal data can be processed.

Personal data of the data subject may be processed if processing is mandatory for the establishment, exercise, or protection of a right. Example: Storing and using data with probative value (sales contract, invoice) when necessary.

Personal data of the data subject may be processed if it is mandatory for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject. Example: Processing personal data for accounting calculations.

7.1.2. Processing of Sensitive Personal Data

Our company processes sensitive personal data only with the explicit consent of the data subject unless sufficient measures determined by the Personal Data Protection Board (PDPB) are taken, under the following conditions:

  1. Sensitive personal data, except for the data subject’s health and sexual life, can be processed in cases specified in the laws.
  2. Sensitive personal data related to the health and sexual life of the data subject can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing, within the framework of the powers and duties of those responsible for privacy.

 

  1. PROCESSING OF PERSONAL DATA IN BUILDING, FACILITY ENTRIES, PERSONAL DATA PROCESSING ACTIVITIES INSIDE THE BUILDING FACILITY, AND WEBSITE VISITORS

 

Personal data processing activities carried out by our company at building and facility entrances are conducted in accordance with the Constitution, the Law on Personal Data Protection, and other relevant legislation.

Our company carries out personal data processing activities related to monitoring entrances with security cameras and monitoring guest entrances in order to ensure security.

8.1. PERSONAL DATA PROCESSING ACTIVITY WITH CAMERA MONITORING AT COMPANY BUILDING AND FACILITY ENTRANCES

In this section, explanations regarding our company’s camera monitoring system will be made, and information will be provided on how the privacy of personal data and the basic rights of individuals are protected.

Our company, within the scope of camera monitoring activity for security purposes, aims to increase the quality and reliability of the provided service, ensure the life and safety of the company, data subject, and other individuals, and protect their legitimate interests.

8.1.1. Legal Basis for Camera Monitoring Activity

The camera monitoring activity carried out by our company is conducted in accordance with the Law on Private Security Services and other relevant legislation.

8.1.2. Camera Monitoring According to the Law on Personal Data Protection

Camera monitoring activity for security purposes by our company is carried out in compliance with the regulations specified in the Law on Personal Data Protection.

Our company performs camera monitoring in its buildings and facilities for security purposes, and processes personal data in accordance with the purposes specified in the laws and the processing conditions for personal data specified in the Law on Personal Data Protection.

8.1.3. Notification of Camera Monitoring Activity

In accordance with Article 10 of the Law on Personal Data Protection, the data subject is informed by our company.

Our company provides notification of camera monitoring activity in multiple ways, in addition to the general information provided (See Section 3/Title 3.3). Thus, the prevention of harm to the fundamental rights and freedoms of the data subject, ensuring transparency, and informing the data subject are aimed.

Regarding camera monitoring activity, our company publishes this Policy on its website (online Policy arrangement), and a notification letter stating that monitoring will be carried out at the entrances of the monitored areas is posted (on-site notification).

8.1.4. Purpose of Camera Monitoring Activity and Purpose Limitation

Our company processes personal data in a connected, limited, and measured manner, in accordance with Article 4 of the Law on Personal Data Protection.

The purpose of our company’s camera monitoring activity is limited to the purposes listed in this Policy. In this context, the monitoring areas, the number of cameras, and when monitoring will be carried out are implemented in a sufficient and limited manner to achieve the security objective. Monitoring is not conducted in areas that could result in interference with the individual’s privacy beyond security purposes (e.g., toilets).

8.1.5. Ensuring the Security of Obtained Data

Our company takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activity, in accordance with Article 12 of the Law on Personal Data Protection (See Section 2/Title 2.1).

8.1.6. Retention Period of Personal Data Obtained Through Camera Monitoring Activity

Detailed information about the retention period of personal data obtained through camera monitoring activity is provided in Article 4.3 of this Policy, titled “Storage Periods of Personal Data.”

8.1.7. Accessibility to Information Obtained Through Monitoring and Transfer of Such Information

Digital records recorded and stored in the company are accessible only to a limited number of company employees. Live camera images can be monitored by externally contracted security personnel. Those with access to the records are obliged to protect the privacy of the data under a confidentiality agreement.

8.2. Monitoring of Guest Entries and Exits in Company Buildings and Facilities

Our company engages in the processing of personal data for monitoring guest entries and exits in company buildings and facilities to ensure security and for the purposes stated in this Policy.

Personal data of individuals visiting company buildings is collected when entering, and individuals are informed within the scope of privacy through texts displayed or made available to guests in various forms. Data obtained for guest entry-exit tracking is processed solely for this purpose and recorded in the data recording system in physical and/or electronic form.

8.3. Storage of Records Regarding Internet Access Provided to Our Visitors in Company Buildings and Facilities

For the purpose of security and as stated in this Policy, our company provides internet access to visitors during their stay in our buildings and facilities. In this case, log records of internet accesses are kept in accordance with the relevant legislation, and these records are processed only for the purpose of fulfilling our legal obligations or in response to requests from authorized public institutions and organizations.

Only a limited number of company employees have access to these records. Employees with access to these records are obliged to maintain the privacy of the data they access under a confidentiality agreement.

8.4. WEBSITE VISITORS

Our company, on its owned websites, records the online activities of individuals visiting these sites using technical means (e.g., cookies) to ensure that visitors use the sites for their intended purposes, display personalized content, and engage in online advertising activities.

Detailed explanations regarding the protection and processing of personal data for these activities are included in the “Company Website Privacy Policy” texts on the relevant websites.

  1. CONDITIONS FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

9.1. COMPANY’S OBLIGATION TO DELETE, DESTROY, AND ANONYMIZE PERSONAL DATA

In accordance with Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law even if the personal data has been processed in compliance with the relevant legal provisions, if the reasons necessitating processing cease to exist, the Company may, at its own discretion or upon the request of the data subject, delete, destroy, or anonymize personal data.

The Company reserves the right not to fulfill the data subject’s request in cases where there is an obligation to retain personal data under Article 5, paragraph (2) of the Law on Personal Data Protection.

9.2. TECHNIQUES FOR DELETING, DESTROYING, AND ANONYMIZING PERSONAL DATA

9.2.1. Techniques for Deleting and Destroying Personal Data

The deletion or destruction of personal data by the Company employs the following techniques:

1.Physical Destruction:

Personal data, if processed as part of any data recording system, is physically destroyed in a manner that renders the data unusable.

2.Secure Deletion from Software:

When digitally stored data, processed either entirely or partially through automated means, is deleted or destroyed, methods are used to ensure that the data cannot be recovered from the relevant software.

3.Secure Deletion by an Expert:

In certain cases, the Company may engage an expert to delete personal data on its behalf. In such cases, the personal data is securely deleted or destroyed by the designated expert in a way that cannot be recovered.

9.2.2. Techniques for Anonymizing Personal Data

Anonymizing personal data refers to rendering personal data unidentifiable or associable with any real person by matching it with other data. The Company can anonymize processed personal data when the reasons necessitating processing cease to exist.

In accordance with Article 28 of the Law on Personal Data Protection, anonymized personal data can be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Law on Personal Data Protection, and explicit consent of the data subject is not required. As a result, the rights specified in Section 10 of the Policy do not apply to these anonymized data.

The anonymization techniques most used by the Company include:

1.Masking: Removing the essential identifying information of personal data from a dataset, making it impossible to identify the data subject. For example, converting a dataset in which the identification of the data subject, such as name or national ID, is removed.

2.Aggregation: Aggregating multiple data points, making personal data untraceable to any individual. For example, revealing that there are customers aged between X and Z without showing individual ages.

3.Data Derivation: Creating a more general content from the content of personal data, making it impossible to associate personal data with any person. For example, indicating ages instead of birthdates or indicating the region of residence instead of the specific address.

4.Data Mixing: Mixing values within a personal data set to sever the connection between values and individuals. For example, altering the quality of voice recordings to make it impossible to associate them with the data subject.

RIGHTS OF DATA SUBJECTS; METHODOLOGY FOR EXERCISING AND EVALUATING THESE RIGHTS

The Company informs the data subject of their rights in accordance with Article 10 of the Law on Personal Data Protection, guides the data subject on how to exercise these rights, and, in compliance with Article 13 of the Law on Personal Data Protection, manages the necessary channels, internal processes, and administrative and technical regulations for the assessment of the rights of data subjects and the provision of necessary information to them.

10.1. DATA SUBJECT RIGHTS AND EXERCISING THESE RIGHTS

10.1.1. Rights of the Data Subject

Data subjects have the following rights:

10.1.2. Instances Where the Data Subject Cannot Invoke Their Rights

Since the situations listed below are excluded from the scope of the Law, data subjects cannot assert their rights mentioned in 10.1.1. in these cases, according to Article 28 of the Law:

According to Article 28/2 of the Law, data subjects cannot assert their rights, except for the right to request the remedy of damages, in the following cases:

10.1.3. Exercising Data Subject Rights

Data subjects can submit their requests related to the rights listed in section 10.1.1. by using the KVKK Application Form available on our website through the following methods:

It is not possible for third parties to make requests on behalf of data subjects. For someone else to make a request, a special power of attorney issued by the data subject for that person should be presented.

In their applications to exercise their rights, data subjects should fill out the “Application Form for Requests to Data Controller by the Relevant Person (Data Subject) Pursuant to the Law on Protection of Personal Data No. 6698.” The method of making the application is detailed in this form.

No fee will be charged for responses up to ten pages. An processing fee of 1 Turkish Lira will be charged for each page exceeding ten pages. If the response is provided on a recording medium such as a CD or flash drive, the fee charged by our company will not exceed the cost of the recording medium. Applications will not be considered if this fee is not paid.

10.1.4. Right of the Data Subject to File a Complaint with the Personal Data Protection Board (KVKK Board)

In case the application is rejected, the response is found to be insufficient, or no response is provided within the specified period according to Article 14 of the Personal Data Protection Law (KVKK), the data subject can file a complaint with the KVKK Board within thirty days from the date they learn about the Company’s response, and in any case, within sixty days from the application date.

10.2. Responding to Applications by the Company

10.2.1. Procedure and Period for Responding to Applications by the Company

If the data subject submits their request to the Company in accordance with the procedure specified in section 10.1.3., the Company will conclude the relevant request as soon as possible and at the latest within thirty days, depending on the nature of the request.

10.2.2. Information the Company Can Request from the Data Subject Applying

To determine whether the person applying is the data subject, the Company may request information from the relevant person.

To clarify the issues raised in the data subject’s application, the Company may ask the data subject questions related to their application.

10.2.3. Company’s Right to Reject the Data Subject’s Application

The Company may reject the application of the person applying in the following cases, explaining the reasons:

RELATIONSHIP OF THE COMPANY’S DATA PROTECTION AND PROCESSING POLICY WITH OTHER COMPANY DOCUMENTS

The fundamental principles set out by the Company in this Policy related to the protection and processing of personal data are associated with the fundamental policies, procedures, and instructions on the protection and processing of personal data drafted or to be drafted. This policy, procedures, and instructions are correlated with the core processes the Company operates in other areas, ensuring compatibility between the processes run by the Company with different policy principles for similar purposes.

ANNEX-1 ABBREVIATIONS

 

Law No. 6698/ Law : Law on the Protection of Personal Data dated 24 March 2016 and numbered 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677.
EU : European Union
Constitution : Constitution of the Republic of Turkey dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863.
KVKK Board : Personal Data Protection Board
KVKK Authority : Personal Data Protection Authority
Politics : Personal Data Protection and Processing Policy
Turkish Code of Obligations : Turkish Code of Obligations dated 11 January 2011 and numbered 6098, published in the Official Gazette dated 4 February 2011 and numbered 27836.
Turkish Penal Code : Turkish Penal Code dated 26 September 2004 and numbered 5237; published in the Official Gazette dated 12 October 2004 and numbered 25611.
Turkish Commercial Code       Turkish Commercial Code dated 13 January 2011 and numbered 6102, published in the Official Gazette dated 14 February 2011 and numbered 27846

 

ANNEX-2 DATES OF IMPORTANCE FOR THE IMPLEMENTATION OF THE LAW

 

7 April 2016 As of April 7, 2016, our Company is acting in accordance with the following obligations:(i)            General rules and principles regarding the processing of personal data

(ii)           (ii) Obligations related to informing the data subjects

(iii)          (iii) Obligations related to ensuring data security

7 October 2016  

As of October 7, 2016, the following regulations will come into effect, and our Company will act in compliance with these regulations:

(iv) Provisions regarding the transfer of personal data to third parties and abroad

(v) Regulations concerning the rights of the data subject, who is the owner of personal data, to exercise their rights (to learn whether their personal data is processed, request information, learn the recipients to whom the data is transferred, request correction) and file complaints with the Personal Data Protection Board.

7 April 2017  

(vi) Consents obtained legally before April 7, 2016, will be considered in compliance with the Personal Data Protection Law as of April 7, 2017, unless the data subject declares otherwise.

(vii) As of April 7, 2017, the Regulations related to the Personal Data Protection Law will come into effect, and our Company will act in accordance with these regulations.

7 April 2018 Personal data processed before April 7, 2016, will be made compliant with the Personal Data Protection Law by our company or will be deleted or anonymized by April 7, 2018.

 

ANNEX-3 PROCESSING OF PERSONAL DATA OF EMPLOYEE CANDIDATES AND EMPLOYEES OF BUSINESS PARTNERS

 

PERSONAL DATA OWNER COLLECTION AND PROCESSING OF PERSONAL DATA EXERCISE OF RIGHTS AND APPLICATION
Employee Candidates The personal data of employee candidates collected during the recruitment process, as well as the special categories of personal data collected based on the nature of the job, are processed by our company for the purposes specified in sections 4.2 and 7 of the Policy, as listed below:

  • Assessing the qualifications, experience, and interest of the candidate for compatibility with the open position,
  • If necessary, verifying the accuracy of the information provided by the candidate or contacting third parties to conduct research about the candidate,
  • Communicating with the candidate about the application and recruitment process, or if applicable, contacting the candidate for any position opened domestically or internationally at a later date,
  • Fulfilling the requirements of relevant legislation or responding to requests from authorized institutions or organizations,
  • Improving and enhancing the recruitment principles applied by our company.

Employee candidates’ personal data can be collected through the following methods and means:

·         Digital application forms published in written or electronic form;

·         Resumes sent to our company by candidates via email, mail, references, and similar methods;

·         Employment or consulting firms;

·         In cases where interviews are conducted through tools such as video conferencing, telephone, or face-to-face, during the interview;

·         Checks conducted to verify the accuracy of information provided by the candidate and investigations carried out by our company;

·         Job recruitment tests determining skills and personality traits, conducted by experienced professionals, and the results analyzed.

 

Job candidates, as data subjects, can submit their requests related to their rights arising from being data subjects to our company using the method explained in Section 10 of this Policy.

 

 

 

 

Employees of Work Partners In the context of fulfilling commercial activities established with business partners, our company may process personal data of employees of business partners for the purposes outlined in Sections 4.2 and 7 of the Policy.

 

 

 

 

 

Employee candidates can submit their requests related to their rights as data subjects to our company through the method described in Section 10 of this Policy.

 

[1] Personal data refers to data that is related to an identified or identifiable natural person, processed either entirely or partially through automated means or as part of a non-automated data recording system, and is explicitly associated with the individual’s identity.