KVKK POLICY

1. Introduction

As SARDUNYA GIDA MUTFAK İŞLETMELERİ TİCARET ANONİM ŞİRKETİ ("the Company"), we adopt the principles relating to the protection and processing of Personal Data within the scope of the legislation and take all necessary administrative and technical measures to ensure compliance with the Personal Data Protection Law (KVKK) No. 6698 ("the Law").

Within this scope, we present this Policy on the Processing and Protection of Personal Data ("the Policy") to Data Subjects in order to fulfill the obligation of disclosure regulated under Article 10 of the Law and to inform them of all administrative and technical measures we have taken for the processing and protection of Personal Data. Any changes to this Policy and the effective date of such changes will be published on our website at [].

2. Purpose of the Policy

The fundamental purpose of this Policy is to provide explanations regarding systems for the processing and protection of Personal Data in accordance with the relevant legislation, and within this scope to inform Data Subjects whose Personal Data is processed by our Company, including but not limited to our Shareholders; Authorized Representatives; Employees; Job Applicants; Customers; Prospective Customers; Consumers; Visitors; Natural Person Business Partners; Natural Person Business Partner Candidates; and the shareholders, authorized representatives, employees, and third parties of our Business Partners and/or Business Partner Candidates. In this manner, it is intended to protect all rights of Data Subjects arising from the legislation concerning Personal Data and to ensure that they are aware of these rights.

3. Scope of the Policy and Data Subjects

This Policy has been prepared for the natural persons defined as Data Subjects below. Our Company informs the relevant Data Subjects about the applicable legislation by publishing this Policy on its website and maintaining it at the Company headquarters.

No. Data Subject Groups Description
1 Shareholder/Partner Natural persons who are shareholders and/or partners of the Company and/or Group Companies.
2 Authorized Representative Natural persons who are members of the board of directors of the Company and/or Group Companies and/or who are authorized to represent and bind the Company and/or Group Companies.
3 Employee Insured persons employed by the Company and/or Group Companies.
4 Intern Natural persons working within the Company and/or Group Companies for internship purposes.
5 Job Applicant Natural persons who have applied for employment with the Company and/or Group Companies by any means or who have submitted their curriculum vitae and related information.

4. Definitions

The concepts contained in this Policy are used in accordance with the following definitions.

Term Definition
Our Company SARDUNYA GIDA MUTFAK İŞLETMELERİ TİCARET A.Ş.
Personal Data Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data Data concerning race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Processing of Personal Data Any operation performed on data, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of Personal Data, whether wholly or partly by automated means or by non-automated means provided that it forms part of a data recording system.
Data Subject/Data Owner Refers to the natural persons listed in Article 3 of this Policy whose Personal Data is processed by the Company.
Data Recording System Refers to the recording system in which Personal Data is processed by being structured according to specific criteria.
Data Controller The natural or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system.
Data Processor The natural or legal person who processes Personal Data on behalf of the data controller based on the authority granted by the data controller.
Explicit Consent Consent given on a specific subject, based on being informed, and expressed with free will.
Anonymization Making data that was previously associated with a person incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Law Refers to the Personal Data Protection Law (KVKK) No. 6698.
PDPA Board The Personal Data Protection Authority Board.

5. Processing and Transfer of Personal Data

5.1 General Principles in the Processing of Personal Data

The Constitution provides that Personal Data may only be processed in cases stipulated by law or with the explicit consent of the person, thereby safeguarding the protection of Personal Data. In line with the rights granted to Data Subjects, our Company processes Personal Data in accordance with the principles set forth in the relevant legislation or, in cases where the explicit consent of Data Subjects is required, in accordance with the following principles:

  • • Processing in Compliance with the Law and the Rules of Good Faith
  • • Ensuring that Personal Data is Accurate and, Where Necessary, Kept Up to Date
  • • Processing for Specific, Explicit and Legitimate Purposes
  • • Being Relevant, Limited and Proportionate to the Purposes for Which They Are Processed
  • • Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed

5.2 Cases Where Explicit Consent Is Not Required for Processing Data Subjects' Personal Data

Where one of the conditions listed and exemplified below exists, Personal Data may be processed without seeking the explicit consent of the Data Subject.

  • Expressly provided for by laws: The obligation to include the name of the relevant natural person on an invoice pursuant to the Tax Procedure Law, etc.
  • Being necessary for the protection of the life or physical integrity of the person or of another person where the data subject is physically or legally incapable of giving consent: Cases where emergency medical intervention is required for the Data Subject, etc.
  • Being necessary for the processing of Personal Data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of a contract: Obtaining address information for product shipment pursuant to a concluded contract, etc.
  • Being necessary for the data controller to fulfill its legal obligation: Conducting activity and audit in information systems to prevent unlawful access to Personal Data, etc.
  • Being made public by the Data Subject: The data subject sharing their Personal Data through a publicly accessible social media account, etc.
  • Being necessary for the establishment, exercise or protection of a right: Reporting the personnel information of Company employees to the Social Security Institution, etc.
  • Being necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the Data Subject are not harmed: Processing the Personal Data of employees during the organization of the Company's organizational structure, etc.

5.3 Conditions for Processing Special Categories of Personal Data

Our Company does not process Special Categories of Personal Data without the explicit consent of the data subject. However, Personal Data other than those relating to health and sexual life may be processed without seeking the explicit consent of the data subject in cases provided for by laws. Personal Data relating to health and sexual life may be processed by the Company without seeking the explicit consent of the data subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or by our Company.

5.4 Conditions for Transfer of Personal Data and Special Categories of Personal Data

Our Company does not transfer Personal Data without the explicit consent of Data Subjects. However, in the presence of the exceptions set forth in Articles 5.2 and, subject to adequate measures being taken, 5.3 of this Policy in accordance with the Law, such Personal Data may be transferred by our Company without seeking the explicit consent of Data Subjects.

5.5 Conditions for Transfer of Personal Data and Special Categories of Personal Data Abroad

Our Company may transfer the Personal Data and Special Categories of Personal Data of Data Subjects to third parties abroad, taking the necessary security measures and in compliance with the provisions of the legislation, in line with its Personal Data processing purposes.

In accordance with the Law, in the presence of the exceptions set forth in Articles 5.2 and, subject to adequate measures being taken, 5.3 of this Policy, our Company may transfer Personal Data abroad without seeking the explicit consent of the Data Subject, provided that adequate protection exists in the foreign country to which the Personal Data will be transferred, or where adequate protection does not exist, the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the consent of the Personal Data Protection Authority Board is obtained.

6. Classification, Processing Purposes, and Recipients of Personal Data

6.1 Classification of Personal Data

In accordance with Article 10 of the Law, our Company processes Personal Data in line with lawful personal data processing purposes;

  • Based on one or more of the personal data processing conditions specified in Article 5 of the Law and limited thereto,
  • In compliance with the general principles specified in Article 4 of the Law on the processing of Personal Data and other principles and obligations set forth in the legislation,
  • Limited to the Data Subjects classified under this Policy,
  • By indicating which of the Data Subjects classified under this Policy they relate to,
  • By informing the Data Subjects.

The Personal Data processed by our Company in compliance with the legislation are classified below:

PERSONAL DATA CLASSIFICATION EXPLANATION OF PERSONAL DATA CLASSIFICATION
Identity Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information such as name/surname, Turkish ID number, nationality, mother's/father's name/surname, place of birth, date of birth, gender, marital status contained in documents such as identity card, driver's license, passport, as well as tax number, social security number, signature, etc.
Contact Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including mobile phone number, home phone number, home address, business address, workplace information, email address, fax number, IP address, etc.
Customer Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including records relating to the commencement, continuation and termination of the provision of goods and/or services, but not limited thereto, and records relating to the use of the Company's products and/or services or services provided to customers through the Company; personal information, identity information, financial information, contact information, instructions, requests, etc. required for the customer's use of products and/or services.
Location Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including GPS location, travel data, physical and digital connection locations, etc. that determine the location of employees of the Company or Company Business Partners while using vehicles of the Company or Company Business Partners during the use of products and/or services offered within the scope of the Company's activities.
Personnel Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including curriculum vitae, family status declaration, education and employment status, health report, criminal record, salary information, military service status, disability status, documents relating to courses or training attended by personnel, references, employment contract, consent forms, concluded contracts, motor vehicle license plate, union/association/foundation memberships, blood type, clothing and body measurements, ID photo, family registry, marriage certificate, performance evaluation reports, salary garnishment notices, disciplinary warnings, notices, penalties, etc. obtained for our Company to fulfill its legal and contractual obligations.
Transaction Security Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information required to ensure technical, administrative, financial, legal and commercial security while carrying out the Company's activities, log records, IP address, search records, etc.
Risk Management Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information relating to the monitoring of risky transactions and operations and measures and sanctions to be applied in the event of risk materialization, etc.
Family Members and Close Contacts Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including identity information, contact information, etc. concerning family members, close contacts, and other persons to be contacted or recommended for contact in emergencies of Data Subjects, in connection with products and/or services offered within the scope of the Company's activities or to protect all interests of the Company and Data Subjects.
Physical Premises (Workplace) Security Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including camera recordings, fingerprint records, records taken at security checkpoints, etc. relating to entry to locations belonging to and/or used by the Company and/or Group Companies and during presence within such locations.
Financial Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including Personal Data processed relating to information, documents and records showing any financial outcome created according to the type of legal relationship established between the Company and the Data Subject, as well as bank account number, IBAN number, credit card information, financial profile, asset data, income information, etc.
Visual and Audio Data Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including photographs, CCTV recordings, camera recordings (excluding records falling within Physical Premises Security Information), audio recordings, etc.
Legal Transaction and Compliance Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information relating to the Company's legal transactions and operations, determination and follow-up of receivables and rights and fulfillment of debts, and information processed within the scope of statutory and/or contractual obligations and compliance with Company policies, etc.
Special Categories of Personal Data Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including health data (health reports, chronic illnesses, previous illnesses and surgeries, regularly used medications, blood type, disability status), biometric data, swab analyses, clothing size, etc. as set forth in Article 6 of the Law.
Incident Management Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information collected relating to incidents with potential impact on the Company, Company Personnel, and Company Shareholders associated with Data Subjects, for taking necessary measures, conducting investigations or research within the scope of lawsuits, and properly informing the public, etc.
Marketing Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including data processed for marketing products and/or services offered within the scope of the Company's activities customized in line with the usage habits, preferences and needs of Data Subjects, and reports, surveys, evaluations, etc. created based on such data.
Request and Complaint Management Information Data clearly belonging to an identified or identifiable natural person; processed wholly or partly by automated means or by non-automated means as part of a data recording system; including information relating to the receipt and evaluation of any request or complaint directed to the Company, etc.

The types of Personal Data processed for the Data Subjects specified in Article 3 of this Policy are listed individually in the table below:

PERSONAL DATA CLASS DATA SUBJECTS TO WHOM THE RELEVANT PERSONAL DATA RELATES
Identity Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners
Contact Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners
Customer Information Company Customers; Company Prospective Customers; Shareholders, Authorized Representatives, Employees of Customers and Prospective Customers; Consumer
Location Data Company Shareholder; Company Authorized Representative; Company Employee and Company Business Partner Employee.
Personnel Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Business Partner Authorized Representative; Company Business Partner Employee
Transaction Security Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners.
Risk Management Information Company Shareholder; Company Authorized Representative; Company Employee; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners
Family Members and Close Contacts Information Company Shareholder; Company Authorized Representative and Company Employee; Intern; Business Partner Employee
Physical Premises Security Information Company Shareholder; Company Authorized Representative; Company Employee; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners.
Financial Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Customers; Company Prospective Customers; Company Natural Person Business Partners; Natural Person Business Partner Candidates and Third Parties.
Visual and Audio Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners.
Legal Transaction Information Company Shareholder; Company Authorized Representative; Company Employee; Intern; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor; Company Natural Person Business Partners; Natural Person Business Partner Candidates; Shareholders, Authorized Representatives, Employees and Third Parties of Company Business Partners
Special Categories of Personal Data Company Shareholder; Company Authorized Representative; Company Employee; Company Job Applicant; Company Customers; Consumers; Company Business Partner Employee
Request and Complaint Management Information Company Shareholder; Company Authorized Representative; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor and Third Parties.
Incident Management Information Company Shareholder; Company Authorized Representative; Company Job Applicant; Company Customers; Company Prospective Customers; Consumer; Visitor and Third Parties.
Marketing Information Company Customers; Company Prospective Customers; Company Natural Person Business Partners; Natural Person Business Partner Candidates and Third Parties.

6.2 Conditions and Purposes for Processing Personal Data

As a rule, Personal Data may only be processed where the explicit consent of the Data Subject exists. The explicit consent of the Data Subject must be given on a specific subject, based on being informed, and expressed with free will. In addition, where one or more of the conditions set forth in Article 5.2 of this Policy exist, Personal Data may be processed without obtaining the explicit consent of the Data Subject.

Our Company processes Personal Data in all cases in accordance with the general principles set forth in Article 4 of the Law for the purposes and conditions specified below. Where the processing activity carried out for such purposes does not meet any of the conditions envisaged in Article 5.2 of this Policy, the explicit consent of the Data Subject will be obtained by our Company for the relevant processing process.

Personal Data is processed by our Company, limited to the following purposes:

  • • Fulfillment of the statutory and contractual obligations that must be performed by our Company,
  • • Establishing communication with Customers and Prospective Customers regarding products and/or services within the field of activity of our Company and group companies, conducting visits, concluding contracts;
  • • Creating portfolios of Customers, Prospective Customers and Business Partners, provided that access is limited to authorized persons within our Company;
  • • Enabling the provision of products and/or services within the field of activity of our Company and group companies to the relevant parties, carrying out necessary work by our Company's business units to enable Data Subjects to benefit from products and/or services, conducting marketing, procurement and all operational activities; enabling reconciliation, payment and collection transactions; establishing communication with Data Subjects for the performance of these transactions, sending/providing relevant documents and information,
  • • Conducting, managing and auditing the financial and accounting processes of our Company; conducting financial audit reviews and completing financial audit forms;
  • • Preparing current account cards as a basis for legal books and records kept by our Company,
  • • Enabling access to records created by Data Subjects with our Company in subsequent business relationships, issuing invoices automatically;
  • • Meeting the requests of credit and financial institutions providing financing to identify, analyze and verify their customers;
  • • Preparing required documents (contracts, invoices, delivery notes, checks, signature circulars, powers of attorney, etc.) within the scope of activities carried out by our Company,
  • • Organizing business travel to be made for business reasons within the scope of our Company's activities and arranging required documents for travel (visa, work permit, flight, vehicle and hotel reservations, etc.);
  • • Adding necessary information to contracts to be signed with business partners, sharing information that must be shared with business partners under such contracts or obtaining relevant information from business partners, and carrying out required operations with business partners of our Company,
  • • Participating in public and private sector tenders by our Company, submitting bids and carrying out works, and establishing communication for these purposes;
  • • Preparing tender documentation in tenders in which our Company participates and/or in which it remains within the scope of its field of activity,
  • • Conducting administrative and legal transactions, audits, recording incoming correspondence and distributing it to relevant departments; conducting legal correspondence and processes for the fulfillment of the legal and commercial obligations of our Company;
  • • Carrying out operations relating to production, procurement, delivery, etc. regarding products and/or services offered by our Company and sharing related notifications of negotiation processes via mail, email, SMS and telephone,
  • • In the sales and/or after-sales process and in new sales of products and/or services offered within the field of activity of our Company; renewing purchased products and/or services where necessary, meeting complaint or review requests relating to purchased products and/or services, and conducting information and audit in this regard,
  • • In line with the purpose of determining and implementing the commercial and business strategies of our Company; conducting and managing internal system and application management operations, communication, market research and social responsibility activities, and financial operations as well as product/project/manufacturing/investment/quality processes by our Company,
  • • Planning and/or implementing customer relationship management processes, including planning and/or implementing customer satisfaction activities; reaching customers, customer employees and/or consumers via mail, email and telephone in this direction; conducting service evaluation surveys;
  • • Contacting Data Subjects who submit requests and complaints to our Company and ensuring the tracking and management of requests and complaints,
  • • Conducting necessary information technology activities to ensure the security of data held by our Company, including obtaining external technical support services within this scope;
  • • Where need arises within the scope of our Company's activities; contacting third parties, concluding contracts, obtaining services and ensuring their performance in areas such as training, transportation, information technology and similar fields;
  • • Managing activities aimed at ensuring the physical security and supervision of locations belonging to our Company,
  • • Identifying Visitors/Employees entering workplaces belonging to our Company, creating and tracking Visitor/Employee records,
  • • Enabling entry of Employees and/or Business Partner Employees to workplaces belonging to our Company's Customers;
  • • Ensuring field audits at workplaces belonging to our Company and at customer workplaces where our Company provides services;
  • • Presenting the activities and previous works of our Company and group companies to Prospective Customers as references;
  • • Conducting advertising and promotional processes within the scope of activities of our Company and group companies, conducting interviews, preparing news, establishing communication with persons featured in the news;
  • • Creating personnel information of employees in accordance with the employment contract between the employee and our Company, keeping such information up to date, preserving it and storing it for the statute of limitations period stipulated by the legislation,
  • • Paying the salary earned by the employee in return for their duties and documenting and controlling the payment, tracking advance payments and expenses made;
  • • Providing information to relatives, health institutions or authorized authorities regarding employees in emergency situations, primarily for health reasons but not limited thereto;
  • • Implementing the human resources policies of our Company, including conducting employee orientations and assignments; conducting employee competency and performance evaluations and auditing suitability for work; conducting career planning and promotion procedures; fulfilling statutory notification obligations; conducting field audits; managing employee leave procedures; organizing social activities and events aimed at increasing solidarity and motivation, announcing such social activities and events in the work environment, preparing bulletins; conducting social responsibility projects,
  • • Evaluating employees in open positions outside the units in which they work in accordance with the human resources policies of our Company and temporarily or permanently assigning employees to relevant positions within the scope of employment contracts;
  • • Providing work clothing to employees where required by their duties,
  • • Ensuring employee transportation and making related planning within our Company;
  • • Enabling employees to enter and exit the workplace, determining employee entry and exit times and absence status;
  • • Enabling employees to enter and exit the customer workplace where they will provide on-site services;
  • • Providing training to employees conducted within or outside the Company and preserving records relating to training in personnel files;
  • • Setting up and backing up email accounts allocated to employees by our Company for use within the scope of our Company's activities, creating user accounts and passwords required for employee access to digital environments and software, implementing authorization limitations, allocating mobile phone lines and fixed lines and tracking them, and providing technical support within or outside the Company for these purposes;
  • • Allocating vehicles and equipment to employees by our Company for use within the scope of our Company's activities, conducting vehicle location tracking and completing inventory forms;
  • • Making employee assignments for planning, conducting, tracking and auditing works and transactions to be carried out within the scope of our Company's activities, creating records of employees assigned to follow up on work and updating them regularly;
  • • Preparing required documents, announcements, information and information technology records for identification of employees as personnel of our Company by third parties or within our Company;
  • • Ensuring occupational health and safety within our Company or within works followed within the scope of our Company's activities, providing training to employees within this scope, and fulfilling the statutory obligations of our Company and taking necessary measures regarding occupational health and safety, without being limited thereto;
  • • Auditing the suitability of employees for work in terms of health status, tracking employee health reports within this scope, and conducting health checks upon return to work and periodically,
  • • Conducting administrative and legal transactions and disciplinary investigations for the fulfillment of the legal and commercial obligations of our Company;
  • • Establishing communication with employees via mail, email and telephone;
  • • Evaluating and determining whether job applicants possess the necessary qualifications considering the position for which they applied or which was offered to them;
  • • Evaluating and determining whether the health status of job applicants is suitable for the position for which they applied or which was offered to them;
  • • Enabling job applicants to be evaluated in the event of an open position within our Company or, if approved, our Group Companies in the future;
  • • Contacting the authorized representatives of natural and/or legal persons indicated as references by job applicants to request information regarding the position previously held by the job applicant;
  • • Fulfilling statutory obligations in line with possible employment contracts to be established with job applicants;
  • • Establishing communication with job applicants via mail, email and telephone;
  • • Contacting Data Subject job applicants who submit requests to our Company and ensuring the tracking and management of their requests

within the scope of the personal data processing conditions set forth in Articles 5 and 6 of the Law.

6.3 Recipients to Whom Personal Data May Be Transferred

Personal Data belonging to Data Subjects may be transferred to the person categories listed below for the purposes set forth below, in compliance with the law and the purpose of the Law:

PERSONS TO WHOM DATA MAY BE TRANSFERRED PURPOSE OF DATA TRANSFER
Group Companies Our Company may transfer Personal Data, limited to the purposes of carrying out various projects, obtaining services, and meeting the sales and after-sales requests and needs of customers while conducting its commercial activities and human resources policies.
Company Business Partners and Shareholders, Authorized Representatives, Employees of Business Partners Our Company may transfer Personal Data, limited to the purposes of ensuring fulfillment of the purposes for which contracts concluded for carrying out various projects, obtaining services/products, etc. while conducting its commercial activities and human resources policies were concluded; meeting the sales and after-sales requests and needs of customers; and enabling Data Subjects to carry out insurance, banking, etc. transactions.
Customers/Prospective Customers Our Company and group companies may transfer Personal Data, limited to the purposes of fulfilling obligations arising from law while conducting their commercial activities; providing statutory notifications; ensuring fulfillment of the purposes for which contracts concluded for providing services/products were concluded; demonstrating capacity to fulfill committed work; and presenting previous works and transactions as references.
Company Shareholders Our Company may transfer Personal Data, limited to the purposes of carrying out activities conducted within the scope of legislation compliance, event management and corporate communication processes of our Company in accordance with the provisions of the relevant legislation.
Company Authorized Representatives Our Company may transfer Personal Data, limited to the purposes of designing strategies relating to the commercial activities of our Company and ensuring and supervising top-level management in accordance with the provisions of the relevant legislation.
Legally Authorized Public Institutions and Organizations Our Company may transfer Personal Data, limited to the purposes for which they are requested within the legal authority of the relevant public institutions and organizations.
Legally Authorized Private Law Persons Our Company may transfer Personal Data, limited to the purposes for which they are requested within the legal authority of the relevant private law persons in accordance with the provisions of the legislation.
Public Personal Data may be transferred, limited to the purposes of publishing magazines, interviews or news covering advertising and promotional processes within the scope of activities of our Company and group companies.

7. Method and Legal Basis for Collection of Personal Data, Deletion, Destruction, Anonymization and Retention Period

7.1 Method and Legal Basis for Collection of Personal Data

Personal Data is collected and processed by our Company or data processors appointed by our Company through all verbal, written and electronic means, by technical and other methods, through various channels such as call centers and websites, within the framework of legal grounds based on legislation, contracts or requests, for monitoring compliance with Articles 1 and 2 of the Law regulating purpose and scope, for achieving the purposes set forth in the Policy and in Articles 5 and 6 of the Law, and in order to fulfill statutory obligations completely and accurately.

7.2 Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions contained in the legislation regarding the deletion, destruction or anonymization of Personal Data, our Company deletes, destroys or anonymizes Personal Data ex officio or upon request of the Data Subject where the purposes requiring processing cease to exist, despite having been processed in accordance with the Law and the provisions of the relevant legislation. Pursuant to the Regulation on Deletion, Destruction or Anonymization of Personal Data;

  • • Deletion of Personal Data means making Personal Data inaccessible and unusable in any way for relevant users;
  • • Destruction of Personal Data means making Personal Data inaccessible, irretrievable and unusable in any way by any person;
  • • Anonymization of Personal Data means making Personal Data incapable of being associated with an identified or identifiable natural person under any circumstances, even if matched with other data

as defined.

7.3 Retention Period of Personal Data

Our Company retains Personal Data for the period stipulated in the legislation where such a period is provided. However, where no period is stipulated for the retention of Personal Data, Personal Data is retained for the period required for processing in connection with the purpose for which our Company processes such data, in accordance with our Company's practices and commercial customs, or until the time when the Data Subject may make a request; thereafter it is deleted, destroyed or anonymized.

Personal Data for which the processing purpose has ended and Personal Data for which deletion/destruction/anonymization has been requested by Data Subjects may be retained only to serve as evidence in possible legal disputes or to enable the assertion of the relevant right connected to the Personal Data or establishment of a defense, where the relevant legislation and the retention periods determined by our Company have also expired. Our Company bases retention periods on statute of limitations periods provided for in the relevant legislation when determining retention periods for Personal Data. Personal Data retained for this purpose is accessed only by limited persons when required for the relevant legal dispute and cannot be accessed for any other purpose. At the end of this period, Personal Data is deleted, destroyed or anonymized.

8. Protection of Personal Data and Special Categories of Personal Data

In accordance with Article 12 of the Law, our Company takes the necessary technical and administrative measures required by the relevant legislation and to be announced by the Personal Data Protection Authority Board to prevent unlawful processing of Personal Data it processes, prevent unlawful access to Personal Data, and ensure the preservation of Personal Data, and conducts or has conducted the necessary audits within this scope. In this direction, our Company takes technical and administrative measures at a reasonable level, taking into account technological possibilities and implementation costs, for the lawful processing of Personal Data, secure storage, prevention of unauthorized access risks and all other unlawful access, prevention of accidental data loss, and prevention of intentional harm to and deletion of Personal Data.

Furthermore, certain Personal Data enumerated in a limited manner in the Law are accorded separate importance because unlawful processing may cause harm and/or discrimination to persons. Personal Data of this nature is enumerated individually in Article 6 of the Law and in Article 4 of this Policy. Maximum sensitivity is shown by our Company regarding the protection of Special Categories of Personal Data. Within this scope, the technical and administrative measures taken by our Company for the protection of Personal Data are applied with maximum care for Special Categories of Personal Data, and necessary audits are ensured within the Company in this regard.

The measures and audits applied by our Company within this scope are listed below:

  • • Preparation of corporate policies on Personal Data security, Personal Data processing, storage and destruction;
  • • Auditing the Personal Data processing activities of our Company through established technical systems, remedying confidentiality and security deficiencies and errors identified as a result of audits;
  • • Taking security measures within established systems, ensuring necessary internal controls; conducting periodic reporting regarding technical measures taken;
  • • Informing and training personnel processing Personal Data within our Company on the relevant legislation and lawful processing of Personal Data;
  • • Raising awareness in relevant business units and determining application rules to ensure legal compliance requirements determined on a business unit basis, auditing these matters and arranging internal policies and training to ensure sustainability;
  • • Implementing access and authorizations in accordance with legal compliance requirements determined on a business unit basis and limiting access authorizations accordingly;
  • • Including provisions in contracts and documents governing the legal relationship between our Company and employees imposing obligations not to process, disclose or use Personal Data except under our Company's instructions and exceptions provided by the legislation, and raising employee awareness in this regard;
  • • Ensuring that Personal Data kept in digital form within our Company is accessed only by predetermined persons by reason of their duties, providing digital access through individual accounts and limiting it to the user through encryption, ensuring audit, creating an authorization matrix for employees, and removing authorizations of employees whose duties change or who leave employment;
  • • Storing Personal Data kept physically within our Company in locked and closed cabinets in closed files, granting access authorization only to authorized specific persons;
  • • Storing personal data with network security and application security, using closed system network and key method for personal data transfers over the network;
  • • Taking security measures within the scope of procurement, development and maintenance of information technology systems;
  • • Keeping access authorizations of employees working in information technology units under control regarding Personal Data;
  • • Using up-to-date antivirus systems, firewalls, intrusion detection and prevention systems, applying penetration testing;
  • • Providing technical infrastructure that will prevent or monitor leakage of Personal Data outside the Company and creating relevant matrices, applying data masking measures where necessary;
  • • Applying confidential document format for physically transferred personal data;
  • • Taking necessary security measures regarding entry and exit to physical environments containing personal data, ensuring security against external risks (fire, flood, etc.), identifying existing risks and threats;
  • • Sending special categories of personal data by email only in encrypted form and using registered electronic mail or corporate email accounts; using secure encryption/cryptographic keys for special categories of personal data and managing them by different units; encrypting special categories of personal data transferred on portable memory, CD, DVD media;
  • • Installing and operating software and hardware including programs protecting information systems and firewalls;
  • • Adding provisions to contracts concluded with Business Partners and third parties from whom our Company obtains external services for storage of Personal Data due to technical requirements, including persons to whom Personal Data is lawfully transferred, that they will take necessary security measures for the protection of Personal Data and ensure compliance with these measures within their organizations;
  • • Maintaining log records without user intervention;
  • • Establishing technical security systems for storage areas using lawful backup programs.

Our Company will ensure that, in accordance with Article 12 of the Law, where processed Personal Data is obtained by others through unlawful means, this situation is notified to the relevant Data Subject and the Personal Data Protection Authority Board as soon as possible. If deemed necessary by the Personal Data Protection Authority Board, this situation may also be announced on the website of the Personal Data Protection Authority Board or by another method.

9. Rights of the Data Subject, Exercise and Evaluation of Rights

9.1. Disclosure to the Data Subject

In accordance with Article 10 of the Law, our Company discloses information to Data Subjects at the time Personal Data is obtained. Within this scope, where applicable, it provides disclosure regarding the title and identity of the representative of our Company, the purposes for which Personal Data will be processed, to whom and for what purposes processed Personal Data may be transferred, the method and legal basis of Personal Data collection, and the rights of the Data Subject.

9.2. Rights of the Data Subject Under the Law

In accordance with Article 10 of the Law, our Company informs Data Subjects of their rights, guides them on how to exercise such rights, and implements the necessary internal procedures, administrative, legal and technical arrangements for all of these. In accordance with Article 11 of the Law, our Company informs Data Subjects whose Personal Data is processed by our Company that they have the right to:

  • • Learn whether their Personal Data is being processed,
  • • Request information if their Personal Data has been processed,
  • • Learn the purpose of processing of their Personal Data and whether they are used in accordance with their purpose,
  • • Know the third parties to whom their Personal Data is transferred domestically or abroad,
  • • Request correction of their Personal Data if it is incomplete or inaccurate,
  • • Request deletion or destruction of Personal Data if the reasons requiring processing cease to exist despite being processed in accordance with the provisions of the relevant legislation,
  • • Request notification to third parties to whom Personal Data has been transferred of operations carried out pursuant to the right to request correction if Personal Data is incomplete or inaccurate, and pursuant to the right to request deletion or destruction if the purposes requiring processing cease to exist despite being processed in accordance with the provisions of the relevant legislation,
  • • Object to the emergence of a result against themselves by analyzing processed Personal Data exclusively through automated systems,
  • • Request compensation for damage if they suffer damage due to unlawful processing of their Personal Data

as explained.

9.3. Cases Where the Data Subject Cannot Exercise Their Rights

Pursuant to Article 28 of the Law, the following cases are excluded from the scope of the Law, and Data Subjects cannot exercise the rights listed in Article 9.2 of this Policy in such cases:

  • • Processing of Personal Data within the scope of activities of natural persons relating entirely to themselves or family members living in the same household, provided that the data is not given to third parties and obligations relating to data security are complied with,
  • • Processing of Personal Data for purposes such as research, planning and statistics by anonymizing them for official statistics,
  • • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personality rights or constitute a crime,
  • • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
  • • Processing of Personal Data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Again, pursuant to paragraph 2 of Article 28 of the Law; in the cases listed below, Data Subjects cannot exercise the rights listed in Article 9.2 of this Policy, except for the right to request compensation for damage:

  • • Processing of Personal Data being necessary for the prevention of crime or criminal investigation;
  • • Processing of Personal Data made public by the Data Subject;
  • • Processing of Personal Data being necessary for authorized public institutions and organizations and professional organizations with public institution status to carry out supervisory or regulatory duties and disciplinary investigation or prosecution;
  • • Processing of Personal Data being necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.

9.4. Exercise of Rights by the Data Subject

Information requests made by Data Subjects in line with their right to obtain information, among the rights specified above, regarding Personal Data relating to themselves in accordance with Article 20 of the Constitution are fulfilled by our Company in compliance with the legislation.

Our Company conducts the necessary channels, internal procedures, administrative and technical arrangements in accordance with Article 13 of the Law for the purpose of making necessary disclosures to Data Subjects. In this direction, where Data Subjects communicate their requests relating to the rights specified in Article 9.2 of this Policy to our Company, our Company provides an acceptance or reasoned rejection response to the request free of charge within 30 (thirty) days at the latest, depending on the nature of the request. However, where the transaction requires a separate cost, our Company may charge the fee in the tariff determined by the Personal Data Protection Authority Board. Data Subjects may communicate their requests to our Company through the "Application Form" set forth in the ANNEX.

Applications to be made by Data Subjects will be carried out through one of the following methods together with documents identifying the identity of the Data Subject:

  • • Delivery of the completed form with wet signature in person, through a notary or by registered mail with return receipt to Ömerli Mah. Adnan Kahveci Cad. N.24 Arnavutköy/İstanbul,
  • • Sending the form signed with secure electronic signature within the scope of the Electronic Signature Law No. 5070 to the registered email address at [],
  • • Following a method envisaged or to be envisaged by the Personal Data Protection Authority Board.

For third parties to submit an application request on behalf of Data Subjects, a special power of attorney issued through a notary for the person who will apply on behalf of the Data Subject must be available.

Where the application is rejected, the response given is found insufficient, or no response is given to the application within 30 (thirty) days from the application, the Data Subject may apply to the Personal Data Protection Authority Board within 30 (thirty) days from learning our Company's response and in any case within 60 (sixty) days from the application date, pursuant to Article 14 of the Law.

10. Governance Structure Under Our Company's Policy on Processing and Protection of Personal Data

A Personal Data Committee has been established within our Company by decision of senior management to manage this Policy and other policies connected and related to this Policy. The duties of the Personal Data Committee are;

  • • Creating, updating and putting into effect basic policies relating to the protection and processing of Personal Data,
  • • Taking actions relating to the implementation and audit of policies on the protection and processing of Personal Data, making internal assignments in this regard and ensuring coordination,
  • • Following developments relating to the protection and processing of Personal Data and ensuring that necessary actions are taken within this framework to ensure compliance with the relevant legislation,
  • • Increasing awareness within our Company and at institutions with which our Company cooperates regarding the protection and processing of Personal Data,
  • • Evaluating applications of Data Subjects and reaching lawful solutions,
  • • Identifying risks that may arise in the Personal Data processing activities of our Company and ensuring that necessary measures are taken,
  • • Managing relations with the Personal Data Protection Authority Board and Institution.

11. Updates, Compliance and Changes

Our Company reserves the right to make changes to this Policy and other policies connected and related to this Policy due to amendments to the Law, pursuant to decisions of the Personal Data Protection Authority Board, or in line with developments in the sector or information technology field.

Changes made to this Policy are immediately incorporated into the text and explanations regarding changes are stated at the end of the Policy.

SARDUNYA GIDA MUTFAK İŞLETMELERİ TİCARET ANONİM ŞİRKETİ

ANNEX: Application Form