ESTUZ Personal Data Protection and Processing Policy
- INTRODUCTION
As the data controller, Estuz Eskişehir Tuz Gıda Sanayi ve Ticaret Anonim Şirketi (referred to as “Estuz” or “the Company”) attaches great importance to the protection of personal data belonging to its customers, employees and other real persons with whom it has a relationship. The objective of this Policy and of the other written policies on the processing and protection of personal data is to process and protect, in accordance with the law, the personal data of the customers, potential customers, suppliers, employees, employee candidates, visitors, employees of the institution and third parties with which Estuz forms a relationship.
In this context, necessary administrative and technical measures are taken by Estuz for the processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation.
In this Policy, the following basic principles adopted by Estuz for the processing of personal data will be explained:
- Processing of personal data within the scope of consent,
- Processing of personal data in accordance with the law and good faith,
- Keeping personal data accurate and up to date when necessary,
- Processing personal data for specific, explicit and legitimate purposes,
- Processing personal data in a manner that is linked to the purpose for which they are processed, limited and measured,
- Retaining personal data for the period stipulated in the relevant legislation or for the purpose for which they are processed,
- Enlightening and informing the persons whose personal data are processed,
- Creating the necessary infrastructure for the relevant persons whose personal data is processed to exercise their rights,
- Taking necessary measures to protect personal data,
- Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board in determining and applying the purposes of processing personal data and transferring them to third parties,
- Special arrangement of the processing and protection of sensitive personal data.
- PURPOSE OF THE POLICY
The main purpose of this Policy is to make explanations on the personal data processing activities carried out by Estuz in accordance with the law and the systems adopted for the protection of personal data, and in this context, to provide transparency towards the persons with whom our company is related.
- SCOPE OF THE POLICY
This Policy relates to all personal data of our customers, suppliers, employees, employee candidates, visitors, employees of the institution we cooperate with and third parties, which are processed automatically or by non-automatic means provided that they are part of any data recording system.
- ISSUES ON THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law on KVK, Estuz takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, to prevent illegal access to the data and to preserve the data, and in this context conducts the necessary inspections or has them conducted.
- Measures Taken to Ensure the Legal Processing of Personal Data and Prevention of Illegal Access to Personal Data
Estuz takes technical and administrative measures according to technological possibilities and application costs in order to ensure the legal processing of personal data and to prevent illegal access.
- Technical Precautions
The main technical measures taken by Estuz to ensure the legal processing of personal data and to prevent illegal access can be listed as the following:
- Network security and application security are provided.
- A closed system network is used for personal data transfers via network.
- Key management is implemented.
- Employees whose positions have changed or who have left their jobs have their authority in this area removed.
- Current anti-virus systems are used.
- Firewalls are used.
- Necessary security measures are taken for entering and exiting physical environments containing personal data.
- Personal data are backed up and the security of backed up personal data is also ensured.
- A user account management and authorization control system is implemented, and these are also monitored.
- If personal data of a special nature are to be sent via e-mail, they are always sent in encrypted form using KEP or a corporate mail account.
- Intrusion detection and prevention systems are used.
- Data loss prevention software is used.
- Administrative Precautions
Administrative measures taken by Estuz to legally process personal data and to prevent illegal access:
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities on data security are carried out periodically for employees.
- Corporate policies on access, information security, use, storage and disposal issues have been prepared and implemented.
- Confidentiality commitments are made.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security problems are reported quickly.
- Personal data security is monitored.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Current risks and threats have been identified.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- The awareness of data processing service providers on data security is ensured.
- Supervision of the Measures Taken for the Protection of Personal Data
There is a Personal Data Protection Committee within Estuz. In accordance with its duty arising from Article 12 of the Law, the Committee personally conducts the necessary inspections in order to ensure the implementation of the provisions of the Law in its own institution or organization and, when needed, has them carried out with support from competent organizations on behalf of Estuz, the data controller. According to the results of this audit, the detected violations, adverse findings and nonconformities are reported to the information security officer in the committee and the necessary measures are taken regarding these issues. Where an external service is received due to technical requirements regarding the storage of personal data by Estuz, additional agreements are made with the relevant companies to which the personal data are transferred in accordance with the law, stating that the persons to whom the personal data are transferred will take the necessary security measures in order to protect the personal data and that these measures will be followed in their own organizations. In addition, Estuz concludes contracts with its personnel on compliance with the protection of personal data, in recruitment processes and in-house disciplinary policies.
- RIGHTS AND REQUESTS OF THE PERSONAL DATA OWNER
In accordance with Article 13 of the Law on KVK, Estuz, as the data controller responding to the requests of individuals on this subject, has established the Personal Data Application and Response Procedure, which is an attachment to the personal data inventory, and the procedures for referring to the written template for applications that do not meet the application conditions specified in the law. Technical preparations have been made in order to carry out the necessary actions in accordance with these procedures.
Where individuals whose personal data are processed submit requests regarding the rights listed below by submitting ID, by personal application, in writing, by using a registered electronic mail (KEP) address, secure electronic signature or mobile signature, or by using the electronic mail address previously notified to Estuz by the relevant person and registered in Estuz’s system, or where they transmit their identities to Estuz in a verifiable way through a software or application developed for the purpose of application, the Company will respond to the request free of charge within thirty days at the latest, depending on the nature of the request. A detailed explanation on this matter is given below in Article 20 of this Policy.
The persons whose personal data are processed will be able to request all the rights in the relevant article of the law, including all the processing processes, purposes and transfer information of their personal data, by applying in accordance with this procedure.
- PROTECTION OF PERSONAL DATA WITH SPECIAL QUALIFICATIONS
Within the Law on KVK (Personal Data Protection), special importance has been attached to certain personal data due to the risk of causing victimization of individuals or discrimination when processed illegally. These are data regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Estuz acts sensitively in the protection of personal data of special nature, which are determined as “special qualifications” by the KVK (Personal Data Protection) Law and processed in accordance with the law. In this context, the technical and administrative measures taken by Estuz for the protection of personal data are carefully implemented in terms of specially qualified personal data and the necessary inspections are provided within Estuz.
- TRAINING OF ESTUZ EMPLOYEES ON PROTECTION AND PROCESSING OF PERSONAL DATA
Estuz ensures that necessary trainings are organized for its employees in order to raise awareness for preventing illegal processing of personal data, preventing illegal access to data, and protection of the aforementioned data.
- ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 4 of the Law on KVK, Estuz carries out personal data processing activities in accordance with the law and the rules of honesty, with due regard for the protection of public health, keeping the data accurate and updated when necessary, for specific, clear and legitimate purposes, and in a purposeful, limited and measured manner. Estuz retains personal data for the period stipulated by law or required by the purpose of personal data processing. With regard to its customers, employees, visitors, suppliers, company employees and third parties, Estuz processes identity information (name, surname, TR identity number, gender, age, date of birth), contact information (e-mail address, telephone number, address information), personal data, financial data, occupational data, visual and audio data, education data, family members data, health information, information on criminal conviction and security measures, military service information, transaction security information and physical location security information. It processes these data so that the relevant persons can benefit effectively from Estuz’s services, to improve the variety of products and services, and, in connection with these services, within the framework of marketing, execution of contracts, fulfilment of business and financial / legal / commercial obligations, and informing about innovations.
Estuz enlightens the relevant persons whose personal data is processed in accordance with Article 10 of the KVK Law and requests the consent of the relevant persons in cases where consent is required, and processes these personal data based on the following criteria.
- Processing Data in accordance with the Law and the Rules of Honesty
Estuz acts in accordance with the principles of legal regulations and the general rule of trust and honesty in the processing of personal data. In accordance with the principle of compliance with the rules of honesty, Estuz takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing.
- Ensuring that Personal Data is Accurate and Updated when Required
Keeping personal data accurate and up-to-date is necessary for Estuz to protect the fundamental rights and freedoms of the person concerned. Estuz has an active diligence obligation to ensure that personal data are accurate and, when necessary, updated. For this reason, all communication channels are open to keep the information of the relevant persons whose personal data is processed by Estuz in an accurate and updated manner.
- Processing for Specified, Open and Official Reasons
Estuz clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. Estuz processes as much personal data as necessary and related to the activity being carried out.
- Being Related, Limited and Measured for the Purpose of Processing
Estuz processes personal data within the scope of its field of activity and for the purposes necessary to execute its business. For this reason, Estuz processes personal data in a way that is convenient for the realization of the specified purposes and avoids the processing of personal data that is not related to the execution of the purpose or not necessary to begin with.
- Retaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are processed
Estuz retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, Estuz first determines whether a period is stipulated for the storage of personal data in the relevant legislation. If a period is determined, it acts in accordance with this period; if a period is not determined, it keeps the personal data for the period specified in the Internal Retention Policy published by Estuz, which is necessary for the purpose of processing. Estuz relies on the retention periods in the personal data inventory, and at the end of the periods specified there, personal data are deleted, destroyed or anonymized according to the nature of the data and the purpose of use within the scope of the obligations under the Law.
- ENLIGHTENING AND INFORMING THE PERSONAL DATA OWNER
Estuz enlightens the relevant persons whose personal data are processed during the acquisition of personal data, in accordance with Article 10 of the KVK Law. In this context, Estuz gives information regarding the identity of the data controller, the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of personal data collection and the legal reason, and the rights of the persons whose personal data are processed, according to the nature of the person concerned and the data processing process. In this context, Pre-Enlightenment Information and Enlightenment Texts are placed where they can be easily seen within the company and in the common areas used by the personnel. Along with this policy, the customer clarification text, cookie policy and application form have also been published on the Estuz website.
- TRANSFER OF PERSONAL DATA
Estuz is able to transfer the personal data and special quality data of the person concerned to third parties by taking the necessary security measures in line with the legal personal data processing purposes. Personal data can be transferred by Estuz to foreign countries declared to have sufficient protection by the KVK Board, or to foreign countries where the data controllers in Turkey and in the relevant foreign country have undertaken adequate protection in writing and the KVK Board has given permission. The transfer reasons are explained below:
- If there is a clear regulation in the laws that personal data will be transferred,
- If it is necessary to transfer personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- If personal data transfer is mandatory for Estuz to fulfill its legal obligation,
- If the transfer of personal data is mandatory for the establishment, use or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of Estuz, provided that the fundamental rights and freedoms of the relevant person are not damaged.
- ESTUZ PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA
In Estuz, in line with the legitimate and legal personal data processing purposes of Estuz, based on and limited to one or more of the personal data processing conditions specified in Article 5 and Article 6 of the Law on KVK, primarily regarding the processing of personal data, in compliance with the general principles specified in the KVK Law and all obligations regulated in the KVK Law, including the principles specified in Article 4, and limited to the persons whose personal data are processed within the scope of this Policy, personal data in the following categories are processed by informing the relevant persons.
Estuz has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, source of data, data processing purposes, data processing process, recipient groups to which data is transferred and storage periods. In this context, the following types of data categories are included in the Estuz personal data inventory, although they are not limited to these types.
PERSONAL DATA CATEGORIZATION | PERSONAL DATA CATEGORIZATION DESCRIPTION |
Communication Data | It is a data group that can be used to reach the person (phone, address, e-mail). |
Identity Data | It is the data group that contains information about the identity of the person (name, surname, Turkish ID number, place of birth, date of birth, gender, wallet serial number, tax number, SSI number, nationality data). |
Visual/Audio Data | It is a data group containing visual and auditory data of the person (photograph, sound recording). |
Physical Space Security Data | It is the data group that contains the camera recording of the person (Camera recording). |
Transaction Security Data | It is a data group containing digital traces formed as a result of the processing of personal information (Log Records, IP address information). |
Financial Data | It is the data group containing the financial information of the person (Bank account number, IBAN number, card information, financial profile, mail order form, credit score). |
Professional Experience Data | It is the data group that contains information about the occupation of the person (information about the institution he / she works for, trade association registry). |
Training Data | It is the data group containing education data of the person (Diploma grade, diploma photocopy / scan). |
Travel Data | It is the data group that contains information about the person’s travels (flight information, flight card, tour route, mileage card number, accommodation data). |
Company Data | Personal company data (Company address). |
Military Data | It is the data group regarding whether the person has done military service or not (Military service status, postponement status). |
Visa / Passport Data | It is the data group containing the visa / passport information of the person (Visa information, passport photocopy / scanning). |
Health Data | It is the data group related to the health status of the person (health report, medication information, hearing and vision information, consultation report, examination information). |
Criminal Convictions Data | It is the data group regarding the sanctions taken in the past of the person (Criminal prosecutions, criminal record, disciplinary record). |
Personal Data | It is a data group containing information such as payroll information, disciplinary investigation, background information, performance evaluation reports. (Payroll information) |
Estuz has determined in the Estuz Personal Data Inventory, which it created based on the data types used within the scope of data processing activities and within the company, as shown in the table above and with the Estuz Data Storage and Destruction Policy.
- PURPOSE OF PROCESSING PERSONAL DATA
Estuz processes personal data limited to the purposes and conditions within the personal data processing conditions specified in Article 5, paragraph 2 and Article 6, paragraph 3 of the KVK Law. These purposes and conditions are:
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Employee Candidate / Intern / Student Selection and Placement Processes
- Execution of Employee Candidates’ Application Processes
- Execution of Employee Satisfaction and Loyalty Processes
- Employee Contract and Fulfillment of Obligations Arising from Legislation
- Execution of Fringe Benefits and Benefits Processes for Employees
- Conducting Audit / Ethical Activities
- Conducting Training Activities
- Execution of Access Authorities
- Conducting Activities in Compliance with Legislation
- Execution of Finance and Accounting Affairs
- Execution of Loyalty Processes to Company / Products / Services
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Follow-up and Execution of Legal Affairs
- Conducting Internal Audit / Investigation / Intelligence Activities
- Conducting Communication Activities
- Planning of Human Resources Processes
- Execution / Supervision of Business Activities
- Conducting Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for the Improvement of Business Processes
- Ensuring Business Continuity and Conducting Activities
- Execution of Logistics Activities
- Execution of Goods / Service Purchase Processes
- Execution of Goods / Service After Sales Support Services
- Execution of Goods / Service Sales Processes
- Execution of Goods / Service Production and Operation Processes
- Execution of Customer Relationship Management Processes
- Conducting Activities for Customer Satisfaction
- Organization and Event Management within the Company
- Conducting Marketing Analysis Studies
- Performance Evaluation Processes
- Execution of Advertising / Campaign / Promotion Processes
- Execution of Risk Management Processes
- Execution of Custody and Archive Activities
- Social Responsibility and Execution of Civil Society Activities
- Execution of Contract Processes
- Conducting Sponsorship Activities
- Conducting Strategic Planning Activities
- Tracking of Requests / Complaints
- Ensuring the Security of Movable Goods and Resources
- Execution of Supply Chain Management Processes
- Execution of Wage Policy
- Execution of Marketing Process of Products / Services
- Ensuring the Security of Data Supervisor Operations
- Foreign Personnel Work and Residence Permit Procedures
- Execution of Investment Processes
- Conducting Talent / Career Development Activities
- Informing Authorized Persons, Institutions and Organizations
- Conducting Management Activities
- Creating and Tracking Visitor Records
- Conducting studies to improve service quality and providing better service,
- Issuing invoices for our services,
- Identity confirmation,
- Answering questions and complaints,
- Taking necessary technical and administrative measures within the scope of data security,
- Financial agreement on products and services offered with relevant business partners and other third parties,
- Provision of necessary information in line with the demands and audits of regulatory and supervisory institutions and official authorities,
- Preserving information on data that should be kept in accordance with the relevant legislation,
- Providing control over the consistency of information,
- In terms of employees: establishing a personal file, determining whether the employee is qualified to fulfill the requirements of the job on a continuing basis, making private health insurance, creating a health file, taking occupational safety measures,
- Fulfillment of legal obligations,
- Execution / follow-up of Estuz financial reporting and risk management processes
- STORAGE PERIOD OF PERSONAL DATA
Where a period is stipulated in the relevant laws and regulations, Estuz keeps personal data for the period specified in them.
If a period of time is not regulated in the legislation regarding how long personal data should be stored, the personal data are stored for the period required in accordance with the practices of Estuz and the industry’s practices, depending on the activity of Estuz while processing that data, and are then deleted, destroyed or anonymized, according to the nature of the data, in accordance with the Personal Data Storage and Destruction Policy created by Estuz.
If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and Estuz have come to an end, personal data can only be stored for the purpose of providing evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. In establishing the periods here, the storage periods are determined on the basis of the limitation periods for asserting the right in question and, even where those limitation periods have passed, the examples in requests previously made to Estuz on the same issues. In this case, the stored personal data is not accessed for any other purpose, and access to relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
- THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY ESTUZ AND THE PURPOSE OF TRANSFER
In accordance with Article 10 of the KVK Law, Estuz informs the relevant person whose personal data is processed of the groups of persons to whom personal data is transferred.
Estuz, in accordance with Articles 8 and 9 of the KVK Law, can transfer the personal data of the relevant persons whose personal data is managed with this Policy to the following stakeholder categories:
- Estuz business partners
- Estuz Çiğli branch
- Banks and insurance companies
- Travel agencies
- Hotels
- Training firms
- Estuz suppliers
- Estuz company officials
- Lawyers and auditor companies
- Legally authorized public institutions and organizations
The transfer scope and data transfer purposes are as follows:
Persons for Data Transfer | Description | Purpose of Data Transfer |
Business Partner | It defines the parties that Estuz has established business partnerships with for purposes such as carrying out various projects and receiving services while carrying out its commercial activities. | It is transferred in limited amounts in order to ensure the fulfillment of the objectives of the establishment of the business partnership. |
Supplier | It defines the parties that provide Estuz services on a contract basis, in accordance with Estuz’s orders and instructions while conducting the commercial activities of Estuz. | It is transferred in a limited way in order to provide Estuz with the services that Estuz procures from the supplier as external sources and that are necessary to fulfill the commercial activities of Estuz. |
Authorized Public Institutions and Organizations | It defines public institutions and organizations authorized to receive information and documents from Estuz in accordance with the legislation provisions. | In cases where public institutions and organizations request and provide a legal basis, it is transferred for a limited purpose. |
- PROCESSING PERSONAL DATA
- Processing Personal Data
The explicit consent of the person whose personal data is processed is only one of the legal bases that enable the processing of personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the conditions specified in the law. The basis of the personal data processing activity can be only one of the conditions stated below, and more than one of these conditions can also be the basis of the same personal data processing activity.
Processing Conditions | Scope | Example |
Law provision | Tax Legislation, Labor Legislation, Trade Legislation etc. | Keeping the personal information of the employee in accordance with the legislation. |
Execution of the Contract | Employment Contract, Sales Contract, Service Contract, Contracts etc. | Making a sales contract on Estuz’s products. |
Legal Liability of the Data Controller | Financial and Administrative Audits, Social Security Legislation, Compliance with Sector Oriented Regulations. | Sharing information during special audits in areas such as the Social Security Institution. |
Gaining Publicity | The relevant person submitting his / her information to the public. | The person declaring his/her contact information to be reached in case of emergency. |
Establishment, Protection and Use of Right | Compulsory data to be used in jobs such as filing a lawsuit and requesting/complaint. | Keeping the necessary information of an employee who left the job during the time limit of the case. |
Legitimate Interest | Provided that the fundamental rights of the data subject are not harmed, the data can be processed if it is necessary for the legitimate interest of the data controller. | Data processing to apply rewards and bonuses that increase employee loyalty. |
- PERSONAL DATA PROCESSING ACTIVITIES WITH ESTUZ COMPANY BUILDING ENTRIES AND INSIDE THE BUILDING
In order to ensure security, Estuz conducts personal data processing activities for monitoring guest entrances and exits with security cameras in Estuz buildings and facilities.
Estuz carries out personal data processing by using security cameras and recording guest entrance and exits.
Estuz has the purpose of protecting the interests of the company and other people regarding security within the scope of surveillance activities. This monitoring activity is carried out in accordance with the KVKK and the Law on Private Security Services and the relevant legislation. In this context, the information about camera monitoring is announced to all employees and visitors, and people are enlightened. Notification letters are hung at the entrances of the areas where the monitoring is done. In accordance with Article 12 of the KVK Law, Estuz takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera surveillance.
- Tracking of Guest Entrances and Exits in Estuz Building, Facility Entrances and Inside
Estuz conducts personal data processing activities for the purpose of ensuring security and for tracking guest entrances and exits in Estuz buildings and facilities for other purposes specified in this Policy. The relevant persons are enlightened within this scope while obtaining the identity data of the persons who come to Estuz buildings as guests, or through texts posted in Estuz or made available to the guests in other ways. The data obtained for the purpose of tracking guest entry and exit are processed only for this purpose and the personal data of the relevant person is recorded in the data recording system in a physical environment.
- Keeping Log Records Regarding Access to Software Provided to Personnel in Estuz Facilities
For the purpose of ensuring security and for other purposes specified in this Policy, Estuz can provide internet access to visitors who request it during their stay in buildings and facilities. In this case, log records regarding internet access are kept in accordance with the provisions of Law No. 5651 and the governing provisions of the legislation regulated according to this Law, and these records are processed only if requested by the authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out within Estuz.
- TERMS OF DISPOSAL (DELETION, DESTRUCTION AND ANONYMIZATION) OF PERSONAL DATA
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the “Regulation on Deletion, Destruction and Anonymization of Personal Data” issued by the Board, personal data that has been processed in accordance with the provisions of the relevant law will be deleted, destroyed or anonymized, upon the decision of Estuz or upon the request of the person to whom the data relates, if the reasons for its processing disappear. Estuz has created a policy in this regard in accordance with the provisions of the Regulation and, in accordance with that policy, carries out destruction according to the nature of the data.
- RIGHTS OF PERSONAL DATA OWNERS; EXERCISE OF THESE RIGHTS
Estuz informs the personal data subject of his rights in accordance with Article 10 of the KVK Law and guides the person whose personal data is processed on how to use the rights regulated in Article 11. In accordance with Article 13 of the KVK Law, Estuz maintains the necessary channels, internal operations, and administrative and technical arrangements in order to evaluate the rights of the relevant persons and to inform the relevant persons.
- Related Person’s Rights and Exercises of These Rights
- Rights of the person whose personal data is processed
The persons whose personal data are processed have the following rights:
- Learning whether personal data is processed,
- If personal data has been processed, to request information regarding this,
- Learning the purpose of processing personal data and whether they are used appropriately for their purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data are transferred,
- Although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons for its processing disappear, and to request notification of the transaction made within this scope to third parties to whom personal data has been transferred,
- To object to a result against the person himself that arises from analysing the processed data exclusively through automated systems,
- To demand compensation for damage arising from the unlawful processing of personal data.
- Cases where the person whose personal data is processed cannot assert his rights
Persons whose personal data are processed cannot claim their rights enumerated in 20.1.1, since the following cases are excluded from the scope of KVK Law in accordance with Article 28 of the KVK Law:
- Processing personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public security, public order or economic security,
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
In accordance with Article 28/2 of the KVK Law, the persons whose personal data are processed in the following cases cannot claim their other rights listed in 20.1.1, except the right to demand compensation for the damage:
- Personal data processing is necessary for the prevention of crime or for criminal investigation,
- Processing personal data that is made public by the person concerned whose personal data is processed,
- Processing of personal data is necessary for the execution of supervision or regulation duties and for disciplinary investigation or prosecution by official and authorized public institutions and organizations and professional organizations that have the quality of public institutions, based on the authority granted by law,
- Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
- Use of the rights of the person whose personal data is processed
The persons whose personal data are processed will be able to submit their requests regarding their rights specified in this Policy to Estuz free of charge by filling in and signing the Application Form, together with the information and documents that will determine their identity, using the methods specified below or other methods determined by the Personal Data Protection Board. A comprehensive arrangement in this regard has been made within the Estuz Personal Data Application and Response Procedure and the Estuz customer disclosure text.
- Filling in the form on www.estuz.com and sending a copy with wet signature personally or in writing to the address “75. Yıl Organize Sanayi Bölgesi Mah. 111 Cad. No: 3 Odunpazarı / ESKİŞEHİR”, or filing a personal application,
- Filling in the form available at www.estuz.com, signing it with a “secure electronic signature” within the scope of Electronic Signature Law No. 5070, and sending it by registered e-mail to the Kep address with the number ……………
In order for the above-mentioned application to be accepted as a valid application, in accordance with the Communiqué on Application Procedures to the Data Controller, the person concerned must provide the following:
- a) Name, surname and signature if application is in writing,
- b) For citizens of the Republic of Turkey, T.R. identification number; for foreigners, nationality, passport number or identification number, if any,
- c) Place of residence or workplace address for notification,
- d) E-mail address, telephone and fax number for notification, if any,
- e) Subject of request
It is mandatory to specify the aforementioned information. Otherwise, the application will not be considered as a valid application. In applications to be made without filling the application form, the issues listed here must be submitted to Estuz in full.
In order for third parties to make an application on behalf of the persons whose personal data is processed, a special power of attorney issued by the relevant person through a notary public must be available on behalf of the applicant.
- RELATIONSHIP OF ESTUZ PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
Estuz has established the principles set forth in this document on the basis of policies regarding other data assets within Estuz and sub-procedures for internal use regarding the protection and processing of personal data.
- ESTUZ PERSONAL DATA PROTECTION AND PROCESSING PROCESSES COORDINATION
A management structure has been established by Estuz in order to comply with the regulations of the KVK Law and to ensure the enforcement of the Personal Data Protection and Processing Policy.
The Personal Data Protection Committee has been appointed in accordance with the decision of the Company’s senior management to manage this Policy and other policies related to this Policy within the body of Estuz.
The duties of this Committee regarding the protection of personal data are as follows:
- To prepare and put into effect the basic policies regarding the protection and processing of personal data and changes when necessary, and submit them to the approval of the senior management,
- To decide how the implementation and supervision of the policies regarding the protection and processing of personal data will be carried out, and to submit the issues of internal assignment and coordination within this framework to the approval of the senior management,
- To determine the actions to be taken in order to comply with the KVK Law and the relevant legislation and to submit them to the approval of the senior management, to observe their implementation and to ensure their coordination,
- To increase awareness of the protection and processing of personal data within Estuz and among the institutions that Estuz cooperates with,
- To raise awareness of Estuz personnel regarding the protection and processing of personal data and to carry out regular inspections,
- To identify the risks that may occur in the personal data processing activities of Estuz, to ensure that the necessary measures are taken, and to submit improvement suggestions to the approval of the senior management,
- To organize trainings on the protection of personal data and the implementation and dissemination of policies, to ensure that the persons whose personal data are processed are informed about their personal data processing activities and their legal rights,
- To decide on the applications of the persons whose personal data is processed, at the highest level,
- To follow the developments and regulations on the protection of personal data, to receive suggestions on what to do within Estuz in accordance with these developments and regulations,
- To manage relations with the KVK Board and Institution,
- To perform other duties assigned by the senior management of the company to protect personal data.
Estuz Eskişehir Tuz Gıda Sanayi ve Ticaret Anonim Şirketi (Data Controller)
75.Yıl Organize Sanayi Bölgesi Mah. 111 Cad. No:3 Odunpazarı/ESKİŞEHİR
Mersis No: 0377004454400019
ANNEX-1 DEFINITIONS
Open Consent: Consent regarding a specific subject, based on information and expressed with free will.
Anonymization: Changing personal data so that it loses the quality of personal data, in a way that cannot be reversed. For example: making personal data unrelatable to a real person by techniques such as masking, aggregation and data corruption.
Application Form: “Application Form Regarding Applications Made to the Data Officer by the Relevant Person pursuant to the Law on Protection of Personal Data No. 6698”, which includes the application to be made by the concerned persons whose personal data is processed to exercise their rights.
Employee Candidate: Real persons who have applied for a job at Estuz in any way or who have made their CV and related information available.
Employees, Shareholders and Authorities of Cooperated Institutions: Real and legal persons, including the shareholders and officials of these institutions, working in institutions (such as business partners, suppliers, but not limited to) with which Estuz has all kinds of business relations.
Business Partner: Parties with which Estuz, while carrying out its commercial activities, has established business partnerships for purposes such as carrying out various projects and receiving services, in person or jointly.
Processing of Personal Data: Any operation performed on personal data, by fully or partially automated means or by non-automated means provided that it is part of a data recording system, such as acquisition, recording, storage, retention, modification, rearrangement, disclosure, transfer, taking over, making available, classifying or preventing use.
Related person: Real person whose personal data is processed. For example: Customer, staff…
Personal Data: All kinds of information regarding an identified or identifiable natural person. Therefore, the processing of information on legal persons is not covered by the Law. For example: Name-surname, TR ID, e-mail, address, date of birth, credit card number etc.
Special Quality Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Supplier: Parties that provide Estuz’s services on a contract basis, in accordance with Estuz’s orders and instructions while conducting Estuz’s commercial activities.
Third Party: Real persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy. For example: Family members, former employees …
Data Processor: Real and legal person who processes personal data on behalf of the data controller based on the authority given by him. For example: Departments working under Estuz …
Data Supervisor: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). Within the scope of this policy, Estuz Eskişehir Tuz Gıda Sanayi ve Ticaret Anonim Şirketi is the data controller.
Deletion of Data: It means that personal data is encrypted in such a way that access by all relevant users within the company is blocked and only the data protection officer has the password.
Destruction of Data: It refers to the complete elimination of personal data, physically or by technological methods, in an irreversible manner.
Visitor: Real persons who have entered the physical campuses owned by Estuz for various purposes or visited our websites.
ANNEX-2 DATES THAT ARE IMPORTANT FOR THE IMPLEMENTATION OF THE KVK LAW
As of April 7, 2016, Estuz complies with the following obligations: (i) General rules and principles regarding the processing of personal data, (ii) Obligations regarding the disclosure of the persons whose personal data are processed, (iii) Obligations regarding the provision of data security.
As of October 7, 2016, the following regulations will come into force and Estuz will act in accordance with these regulations: (i) Provisions regarding the transfer of personal data to third parties and abroad; (ii) Regulations regarding the exercise, by the persons whose personal data is processed, of their application rights against Estuz (to learn whether their personal data is processed, to request information, to learn the persons to whom they are transferred, to request correction) and of their right to complain to the KVK Board.
As of April 7, 2017: (i) Consents obtained in accordance with the law before April 7, 2016 will be deemed in accordance with the Law on KVK, unless otherwise stated by the persons whose personal data are processed. (ii) Regulations regarding the KVK Law will enter into force.
Personal data processed before April 7, 2016 will be made compliant with the KVK Law, deleted or anonymized by Estuz until April 7, 2018.