AFERIN GIDA SANAYİ VE DIŞ TİCARET ANONİM ŞİRKETİ POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA UNDER LAW NO. 6698

Chapter 1. Purpose and Enforcement of the Policy

Law No. 6698 on the Protection of Personal Data (“Kanun”) entered into force on 7 April 2016. The law lays down the procedures and principles regarding the processing of personal data by natural or legal persons, who are classified as "data controllers", determine the purposes and means of processing personal data, and are responsible for the establishment and management of the data recording system.
Within the scope of the law, personal data is defined as “any information relating to an identified or identifiable natural person”; Processing refers to the acquisition, recording, storage, preservation, modification, rearrangement, disclosure, transfer, takeover, making available of personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system,
It is defined as “any kind of operation performed on data such as classification or prevention of its use”.
The law, among other regulations, imposes an obligation on data controllers to inform / enlighten the data owners whose personal data will be processed during the acquisition of personal data. According to Article 10 of the Law, data controllers;

  • Identity of the data controller and its representative, if any,
  • For what purpose personal data will be processed,
  • To whom and for what purpose the processed personal data can be transferred,
  • Method and legal reason for collecting personal data, other rights listed in Article 11 of the Law,
    He should be informed about his subjects.(eril)
    This document (“Policy”), has been written in order to enlighten the real persons whose personal data our company processes as the data controller, within the scope of the above-mentioned article. Subject of this Policy Our company's customers, corporate customers' shareholders, officials and employees, potential customers, shareholders, officials and employees of our business partners and suppliers, and our candidates, In our company, our former employees and interns, people who have retired from our Company, our visitors, company officials and shareholders, business partner and supplier candidates and other third parties and matters regarding the processing of personal data regarding our employees are regulated within the scope of a separate policy text presented to the employees in accordance with the Law.

Chapter 2. Scope of the Law and Our Company's Rights and Obligations arising from the Law

I. General Principles Regarding the Processing of Personal Data

Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the obligation to inform in Section 1 above:

  • Compliance with the law and honesty rules.
  • Being accurate and up-to-date when necessary.
  • Processing for specific, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purpose for which they are processed.
  • To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

This document (“Policy”), has been written in order to enlighten the real persons whose personal data our company processes as the data controller, within the scope of the above-mentioned article. Subject of this Policy Our company's customers, corporate customers' shareholders, officials and employees, potential customers, shareholders, officials and employees of our business partners and suppliers, and our candidates, In our company, our former employees and interns, people who have retired from our Company, our visitors, company officials and shareholders, business partner and supplier candidates and other third parties and matters regarding the processing of personal data regarding our employees are regulated within the scope of a separate policy text presented to the employees in accordance with the Law.

Chapter 2. Scope of the Law and Our Company's Rights and Obligations arising from the Law

I. General Principles Regarding the Processing of Personal Data

Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the obligation to inform in Section 1 above:

  • Compliance with the law and honesty rules.
  • Being accurate and up-to-date when necessary.
  • Processing for specific, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purpose for which they are processed.
  • To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

II. Purposes of Personal Data Processing and Sharing Under the Law

a. Purposes of Processing Personal Data

In accordance with the law, as a rule, personal data cannot be processed without the explicit consent of the data owner. However, within the scope of Articles 5 and 6 of the Law, certain situations in which data can be processed without express consent have been determined in terms of personal data and special quality personal data.

Personal data pursuant to Article 5,

  • Data processing is clearly stipulated in the law,
  • Fiili imkânsızlık nedeniyle rızasını açıklayamayacak durumda bulunan veya rızasına hukuki geçerlilik tanınmayan kişinin kendisinin ya da bir başkasının hayatı veya beden bütünlüğünün korunması için ilgili verilerin işlenmesinin zorunlu olması,
  • Bir sözleşmenin kurulması veya ifasıyla doğrudan doğruya ilgili olması kaydıyla, sözleşmenin taraflarına ait kişisel verilerin işlenmesinin gerekli olması,
  • Veri sorumlusunun hukuki yükümlülüğünü yerine getirebilmesi için veri işlemenin zorunlu olması,
  • The personal data has been made public by the person concerned,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Provided that it does not harm the fundamental rights and freedoms of the data subject, data processing may be required for the legitimate interests of the data controller, even if there is no prior explicit consent of the data owner (provided that the necessary illumination has been made). The above cases can be processed even if the data owner does not have a prior express consent (provided that the necessary illumination is made). On the other hand, the Law includes biometric data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. and genetic data as "special quality" or "sensitive" personal data and stipulated more severe conditions for their processing. Accordingly, special categories of personal data can only be processed under the following conditions, except in cases where explicit consent has been obtained from the data owner:
  • Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data of individuals may be processed in the cases stipulated by the laws.
  • Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

b. Purposes of Sharing Personal Data

In accordance with data processing, the sharing (transfer) of personal data with a third party is also subject to the explicit consent of the relevant data owner. However, data transfer can also be carried out under the conditions where data processing is allowed according to Article 8 of the Law, and accordingly, in the presence of the conditions specified in Section 2. II.a above, personal data or sensitive personal data can be transferred even without the consent of the data owner.
Regarding the transfer of personal data to third parties, the law makes the transfer abroad subject to special conditions. Accordingly, personal data;

  • In case of explicit consent of the data owner,
  • In cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met;
    • There is adequate protection in the country to which the data is transferred, and
    • In the event that there is no adequate protection in the country where the data is transferred, provided that the data controller undertakes in writing with the data controller in the relevant foreign country and obtains the permission of the Personal Data Protection Board.

It can be transferred abroad.

III. Circumstances Outside the Scope of the Law

Pursuant to Article 28 of the Law, the Law will not be applied in the following cases:

  • Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
  • Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
  • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Section 3. Processing of Personal Data by Our Company

I. Categories of Personal Data Processed by Our Company

Personal data is processed by our company under the following categories:

Data Category Personal Data Categories Description
Credentials Driver's license, identity card, residence, passport, attorney ID,
Information contained in documents such as marriage certificate (eg TCKN,
passport no., identity card serial no., name-surname, photograph, place of birth,
date of birth, age, place of birth, birth certificate
example etc.)
Communication information Information used to contact the person (e.g. e-mail)

address, phone number, mobile phone number, address)

Location Data Data to identify the location of the data subject (e.g. vehicle

location data acquired during use)

Customer information Information about customers who benefit from our products and services (eg.

customer number, profession information, etc.)

Customer Transaction Information By customers who use our products and services
information on any transaction performed (e.g. request and
instructions, order and cart information, etc.)
Physical Space Security Information Entering the physical space, during the stay in the physical space
personal data on records and documents received (e.g. entry and exit
records, visit information, camera recordings, etc.)
Transaction Security Information Our company and related parties are technical, administrative, legal and commercial.
Personal data processed in order to ensure security (e.g. personal data)
to match that person with the transaction associated with the data subject and
Website password and password showing that you are authorized to perform the transaction
information such as)
Risk Yönetimi Bilgisi In order to manage the commercial, technical and administrative risks of our company

processed personal data (eg IP address, Mac ID, etc. records)

Financial Information created according to the type of legal relationship with the personal data owner.
information, documents and records showing all kinds of financial results
personal data within the scope of (For example: the data owner's
information showing the financial result of transactions, credit amount, card information,
loan payments, amount and rate of interest payable, balance of debt, receivable
balance etc.)
Personal Information Establishing the personal rights of the employees of the suppliers of the Company
essential personal data (which must be entered in the personal file by law)
all kinds of information and documents)
Employee Candidate Information To apply for a job at our company,
in the application evaluation process of the data owners who share
personal data used (e.g. resume, interview notes, personality tests)
results etc.)
Employee Process Information All kinds of work-related activities performed by the supplier employees of the Company.
personal data related to the transaction (e.g. entry-exit records, business trips,
information about the meetings attended, security query, monitoring of e-mail traffic
information, vehicle usage information, company card expenditure information)
Employee Performance and Career Development Information Measuring the performance of the company's supplier employees and
career development within the scope of human resources policies
Personal data processed for the purpose of planning and execution (eg.
performance evaluation reports, interview results, career
development training)
Benefits and Benefits Information The side rights and benefits offered to the supplier employees of the Company
follow-up and supplier employees
personal data processed for the benefit (e.g. private health
insurance, vehicle allocation)
Marketing Information Data to be used by our company in marketing activities
(e.g. the person collected for marketing purposes
reports and evaluations showing habits, tastes,
targeting information, cookie records, data enrichment
activities)
Legal Process and Compliance Information Determination and follow-up of legal receivables and rights, debt and legal
Personal data processed for the purpose of fulfilling obligations (e.g. court
and data contained in documents such as administrative authority decision)
Audit and Inspection Information Information about our company's legal obligations and company policies
uyumu kapsamında işlenen kişisel veriler (örn. denetim ve teftiş
reports, related interview records and similar records)
Special Qualified Personal Data Race, ethnic origin, political thought, philosophical belief, religion,
sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and
data on security measures and biometric and genetic data
Request/Complaint Management Information Receiving all kinds of requests or complaints directed to our company
and personal data related to its evaluation (e.g. for the Company)
requests and complaints, related records and reports)
Visual and Audio Data Visual and audio recordings associated with the personal data owner (eg.

photographs, camera recordings and audio recordings)

II. Purposes of Processing Personal Data by Our Company

Our company processes personal data within the scope specified above for the following purposes:

  • Planning, auditing and execution of information security processes
  • Creation and management of information technology infrastructure
  • Planning and execution of fringe benefits and benefits for employees
  • Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organizations activities in which employees participate
  • Çalışanların bilgiye erişim yetkilerinin planlanması ve icrası
  • Monitoring and/or supervision of employees' business activities
  • Follow-up of finance and/or accounting works
  • Follow-up of legal affairs
  • Planning of human resources processes
  • Planning and/or execution of efficiency/efficiency and/or appropriateness analyzes of business activities
  • Planning and execution of business activities
  • Planning and execution of information access authorizations of business partners and/or suppliers
  • Management of relations with business partners and/or suppliers
  • Planning and/or execution of occupational health and/or safety processes
  • Planning and/or execution of business continuity activities
  • Planning and execution of corporate communication activities
  • Planning and execution of corporate governance activities
  • Planning and execution of logistics activities
  • Planning and execution of customer relationship management processes
  • Planning and/or execution of customer satisfaction activities
  • Follow-up of customer requests and/or complaints
  • Execution of personnel procurement processes
  • Fulfillment of obligations arising from employment contracts and/or legislation for company employees
  • Planning and execution of company audit activities
  • Planning and execution of external training activities
  • Planning and execution of necessary operational activities to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation
  • Planning and/or execution of in-company training activities
  • Planning and execution of in-house orientation activities
  • Ensuring the security of company operations
  • Within the scope of our company's Shopping Loan service and similar services, your TCN information and other necessary information are shared with our business partners in the Shopping Loan process, especially the banks, so that your pre-approved credit limits can be questioned by banks and your pre-approved credit limits can be shown to you during your shopping.
  • Ensuring the security of company premises and/or facilities
  • Planning and/or execution of the processes of establishing and/or increasing loyalty to the products and/or services offered by the company
  • Planning and/or execution of the company's production and/or operational risk processes
  • Realization of corporate and partnership law transactions
  • Follow-up of contract processes and/or legal requests
  • Execution of strategic planning activities
  • Planning and execution of supply chain management processes
  • Compensation Management
  • Planning and execution of production and/or operation processes
  • Planning and execution of market research activities for sales and marketing of products and services
  • Planning and execution of marketing processes of products and/or services
  • Planning and execution of sales processes of products and / or services
  • Ensuring data is accurate and up-to-date
  • Giving information to authorized institutions based on legislation
  • Creating and tracking visitor records

III. Transfer of Personal Data by Our Company and Categories of Data Transferred Parties

Personal data by our company for the above-mentioned purposes Aferin Food Industry and Foreign Trade Joint Stock Company It can be transferred to our Company, Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions.

IV. Procedure of Processing Personal Data by Our Company

Our company, as a data controller, informs the data owners in line with Article 10 of the Law before obtaining their personal data from the data owners, within the scope of its obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Section 2.II.a and b above, explicit consent is obtained from the data owners and the relevant processes are carried out.
It is carried out within the framework of the aforementioned express consent.

Within the scope of the law, express consent is defined as “consent related to a certain subject, based on information and expressed with free will”, and accordingly, our Company provides their explicit consent after informing the data owners in accordance with Article 10 of the Law.

Our company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the aforementioned periods. Within the scope of the law, anonymization is defined as “making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching them with other data”.
way is carried out.

V. Personal Data Security

In order to ensure the security of personal data, our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:

  • Taking software and hardware security measures in accordance with the processed personal data
  • Carrying out the inspections stipulated under the law
  • Ensuring compliance of the Company and employees with the Law through in-company trainings, policies and procedures
  • Ensuring and recording access to information on the basis of necessity with in-house authorizations
  • Follow-up of personal data processing activities on a process basis
  • Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers

Chapter 4. Rights of Data Owners Arising from the Law

I. Rights of Data Subjects

According to Article 11 of the Law, personal data owners;

  • To learn whether personal data about himself is processed,
  • If personal data about him/her is processed, requesting information about it,
  • Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing,
  • Requesting the deletion or destruction of personal data in the event that the reasons requiring processing disappear, although it has been processed in accordance with the provisions of the law and other relevant laws,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • To request the compensation of the damage in case of loss due to the unlawful processing of personal data,

It has its rights.

Paragraph 2 of Article 28 of the Law regulates that in certain circumstances, the data owner cannot make a claim from the data controller other than the compensation of his losses. According to this,

  • Personal data processing is necessary for the prevention of crime or for criminal investigation,
  • İlgili kişinin kendisi tarafından alenileştirilmiş kişisel verilerin işlenmesi,
  • Personal data processing is necessary for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law,
  • Personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters,

In such cases, the above-mentioned rights cannot be used for the relevant data.

II. Exercise of Rights

To exercise the above-mentioned rights, data owners Başvuru Formunu kullanabileceklerdir.

Applications, together with documents that will determine the identity of the relevant data owner, your form forwarding a wet-signed copy to the address Mesudiye Mahallesi Yıldırım Caddesi No: 45 İnegöl/BURSA by hand or through a notary public or other methods specified in the Law, or 5070
It can be done by sending an e-mail registered to aferin@hs01.kep.tr by signing with a secure electronic signature regulated under the Electronic Signature Law No. If a method other than the aforementioned methods is foreseen by the Personal Data Protection Board, the applications are
method can be transmitted.

Requests of data subjects transmitted by one of the methods mentioned above are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data owner.

As a rule, data subject applications are evaluated by our Company free of charge. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data owner, our Company will have the right to demand payment over this fee.