As Doğadan, we give utmost importance to the confidentiality and security of your Personal Data. In this regard, we would like to provide you with information about how and for which purposes we process and protect the Personal Data we obtain from our customers, suppliers, business partners, their employees and authorized persons, and all other third persons in the course of our business relationships.
All concepts and expressions used in this Policy shall have the meanings ascribed to them in Law No. 6698 on the Protection of Personal Data (“LPPD”) and in the other applicable legislation. The word “you” used in this Policy will mean you as we process your Personal Data. The term Personal Data will be used to include Sensitive Personal Data. Meanings of the terms and expressions used in the Policy are given in ANNEX - Abbreviations.
We would like to remind you that if you do not accept this Policy you should not share your Personal Data with us. If you choose not to share your Personal Data with us, in some cases we may not be able to provide you with our services and products, respond to your request, or ensure the efficiency of our services and products.
We would like to remind you that it is your responsibility to ensure that the Personal Data you share with us is accurate, complete and up to date to the best of your knowledge. If you share Personal Data of other persons with us, it will be your responsibility to collect such data in accordance with the legal requirements. In this case, we will assume that you have obtained all consents from this third person for us to collect, process, use and disclose his/her Personal Data, and our Company will not be held liable in any manner for these activities.
As Doğadan, our mission is to be an international tea company by presenting our customers a natural, good and healthy life, constantly developing product quality and productivity while optimizing costs, following technological innovations and developments in every area with a modernist perspective while also providing source for them. We strive to reach the point where we create value for our customers and stakeholders and afford sustainable profitability through innovative products with high brand value.
The terms “we”, “Company” or “Doğadan” used in this Policy refer to Doğadan Gıda Ürünleri Sanayi ve Pazarlama A.Ş., which processes Personal Data as a Data Controller, with its registered address at Çınar District Duru Street. No:11 Akyurt/ANKARA and registered in Ankara Trade Registry under registration number 516-Akyurt.
Personal Data processed by our Company will be processed in accordance with LPPD and other applicable legislation. Below are the fundamental principles we take into account while processing your Personal Data pursuant to article 4 of LPPD:
• Processing of Personal Data in accordance with law and good faith: Our Company will execute Personal Data processing activities in accordance with the principles set forth under the legal arrangements and good faith. While processing Personal Data, our Company takes into account proportionality requirements and does not use Personal Data beyond what is required for the purpose of processing.
• Ensuring Personal Data to be accurate and up to date: Our Company takes all necessary measures to ensure that the Personal Data processed are accurate and up to date, taking into account the fundamental rights of the data subjects and its own legitimate interests.
• Processing for definite, clearly defined and legitimate purposes: Our Company will determine the legitimate and lawful purpose of processing in an accurate and definite manner. Our Company will process Personal Data only to the extent required to provide its products and services.
• Processing of Personal Data on a limited and reasonable basis and according to the specific purpose of processing: Our Company processes the Personal Data to the extent necessary to fulfill the specific purpose of processing and avoids processing of Personal Data that are not necessary.
• Storage of Personal Data for a time period required under the applicable legislation or for the specific purpose of processing: Our Company will maintain the Personal Data only for the time period required under the applicable legislation or needed for the specific purpose of processing. In this regard, our Company first checks whether a specific storage period is laid down in the applicable legislation; if such a period is determined therein, our Company will comply with it, and if no period is determined, our Company will maintain Personal Data only for the period required for the specific purpose of processing. Therefore Personal Data will be deleted, destroyed or made anonymous upon expiration of the statutory period or termination of the specific reasons of processing.
The table below lists the categories of data subjects, other than our employees (including trainees and employees of the subcontractors), whose Personal Data are processed by our Company. A separate policy was prepared and put into force about the processing of Personal Data belonging to the employees. Persons not included in the categories below will be entitled to submit their requests to us under LPPD, and these will also be evaluated by our Company under this Policy.
RELATED PERSON CATEGORY | EXPLANATION |
---|---|
Customer | Real persons or legal entities buying our products and services. |
Potential Customer | Any real person or legal entity that made a request or had an interest to buy our products and/or use our services or that was determined to have such an interest according to our evaluations made in line with the adopted practices and rules of honesty. |
Visitor | Real persons who entered our physical premises (offices, factories etc.) owned by our Company or used to make an organization for various purposes or visited our web sites. |
Third Person | Any third party persons related with the data subjects below that our Company processes personal data of in order to ensure security of commercial transactions performed with above mentioned parties or protect their rights and benefits (e.g. guarantors, attendants, family members or associates) or all real persons whose Personal Data was processed by our Company for a certain purpose although not specifically indicated in the Policy. |
Employee Candidate / Trainee Candidate | Real persons who made a job application to our Company or provided their CV and relevant information to our Company for evaluation purposes. |
Group Company Employee | Employees and representatives of the group companies of Coca Cola located in Turkey or abroad. |
Employees, Shareholders and Authorities of the Entities with which we cooperate | Real persons including employees, shareholders and authorities of the entities with which our Company has business relations (including but not limited to business partners and suppliers). |
In principle, we will collect your Personal Data in the following circumstances:
• When you buy or use our products and/or services,
• When you sell goods or provide services to us,
• When you subscribe to our newsletters and prefer to receive marketing communications from us,
• When you contact us by e-mail, phone etc. in order to communicate a complaint or feedback,
• When you submit a job application to us,
• When you participate in our activities, seminars, conferences and organizations,
• Indirectly with the use of “cookies” or when you personalize the software in order to adjust the relevant web site according to your preferences or while you use certain pages of the web site (i.e. your IP address) or with other methods enabling us to monitor your use of the web site,
• When you contact us for any purpose as potential customer/supplier/business partner or sub-employer.
We will process all Personal Data obtained in the above-mentioned circumstances only in accordance with the requirements set forth in this Notification.
Personal Data processed by us about you will naturally vary depending on the type of business relations you maintain with us (e.g. customer, supplier, business partner, etc.) and the method you used to contact us (e.g. phone, e-mail, printed document etc.).
Generally, Personal Data to be processed about you will be obtained when you contact us by e-mail or phone, when you participate in our business activities and questionnaires, or when you communicate with us in any other manner. In that regard, the Personal Data to be processed about you can be explained in the following categories:
Data categories | Examples |
---|---|
Identity information | Information on identity cards such as name, surname, position, birth date etc. |
Contact information | E-mail, phone number, address |
Login information | Login identity and password and other security codes |
Pictures and/or videos to be used to identify | Photos, videos and audio data processed due to security reasons when you visit our premises or when you participate in the activities organized by our Company |
Financial information | Bank account data and invoice information, accommodation and expense information |
Any other information you decided to share with Doğadan | Personal Data you shared with us on your own initiative, feedbacks, opinions, demands, complaints, evaluations and comments you forwarded to us via social media, online platforms or other media and our evaluations about them, uploaded files, areas of interest, and information given for our detailed review process before we establish a business relationship with you. |
Electronic data collected automatically | When you visit our web site or our applications, subscribe to our newsletters, or contact us through other electronic channels, in addition to the information you directly forwarded to us, we may collect the electronic data sent to us from your computer, mobile phone or other access device (e.g. device hardware model, IP address, operating system version and settings, the time and hour at which you were using our digital channel or product; your real position when you activate position-based products or features, the links you clicked, motion sensor data etc.). |
Legal transaction and compliance information | Your Personal Data processed in order to determine and follow-up our legal receivables and rights and pay our debts and comply with our legal obligations and our Policies, including audit and inspection data. |
Corporate customer/Supplier information | Information obtained about data subjects such as customer/supplier or employees and authorized signatories employed by the customer/supplier as a result of the operations executed by our business divisions in connection with our services. |
Incident management and security information | Information collected and evaluations made about the incidents that could potentially affect our employees, managers and shareholders, including vehicle plate number and vehicle details, transport and travel information, organization of airport transport and transfer. |
Personal Data collected from other sources | We may also collect your Personal Data by using publicly available databases and methods/platforms on which our business partners collect Personal Data on our behalf, to the extent allowed by the applicable laws and regulations. For example, before we establish a business relationship with you, we may conduct research about you by using publicly available resources in order to ensure technical, administrative and legal security of our activities and operations. Besides that, you may forward us Personal Data about third persons (e.g. Personal Data of a guarantor, attendant, family members etc.). In order to manage our technical and administrative risks, we may process your Personal Data by using methods to be selected in line with generally accepted legal and commercial practices and rules of honesty. Besides that, Personal Data you shared with us on your own initiative via call center, web site and other platforms are recorded and processed by us in order to find solutions for your demands and problems (i.e. information you forwarded to us via call center about the health problems you are experiencing due to the use of our products). |
In addition to the categories of Personal Data given above, we will collect Personal Data of employee candidates such as graduation, previous work experiences, disability etc. in order to understand the experiences and qualifications of the candidate and make evaluations to see whether they are appropriate for the relevant open position, control the accuracy of information provided, make research about the candidate by contacting those third persons whose contact data was given to us by the candidate, communicating with the candidate during job application process, make recruitment for open position, comply with the applicable legislation and implement our recruitment rules and human resources policies.
Personal Data of the employee candidates are processed through the job application form available in hardcopy or electronic environment, our Company’s electronic job application platform, applications delivered to our Company physically or by e-mail, employment and consultant companies, direct interviews or interviews made in electronic environment, controls made by our Company about the employee candidates and employment tests performed by the human resources specialists in order to evaluate the qualifications of the candidate in the recruitment process.
Before employee candidates provide their Personal Data during a job application, Doğadan will provide them with a privacy notice about the processing activities as required under the LPPD, and we will obtain their explicit consent for the processing of their Personal Data if it is necessary.
Please read our Cookie Policy at www.dogadan.com.tr/tr/kvkk in order to obtain information on how we use cookies and other monitoring technologies. Generally, “cookie” is the name given to information sent to a user’s computer by an Internet services provider and stored on that computer. The information available in the “cookies” may be used once that user returns to visit that web site again. “Cookies” may contain varied information such as the number of visits made to a web site by the user. With the use of separate session “cookies” for each user, we may monitor how you use our web site during one session. We may provide you with certain special services after determining the specific browser you use.
Information stored via cookies includes visiting date and time, pages displayed, time spent and web sites visited just before or after. Data collected via the cookies that are used during your visit will be evaluated in order to show you advertisements relating to products that you might potentially be interested in during your visits to other web sites in the future.
Using the “help” function available in most of the browsers, you may learn how to prevent receipt of “cookies” by your computer and detect whether a “cookie” was sent to you in order to inactivate them completely. However we want to remind you that if you inactivate the cookies, you may not be able to use this web site fully.
In this web site, the “cookies” are used for different purposes including those listed below:
• Accessing certain personal information in order to provide you with customized content once you login to the web site;
• Monitoring the preferences you indicated while using this web site, such as the date and numbering formats preferred by you.
We give utmost importance to the confidentiality of your personal information and we observe the rules listed below in our efforts to achieve maximum privacy and security for your confidential information:
• This web site will not always keep “cookies” on your disk drive. Thus the “cookies” will be removed once you close the browser or leave the web site.
• Information available in all “cookies” sent to your computer from this web site will be forwarded in encrypted format.
Our Company will process the Personal Data of visitors to our building and factories during entrance/exit transactions in order to ensure the physical security of our Company, our employees and visitors and to inspect compliance with the worksite rules. For the purpose of following up the entrance/exit of visitors, the name/surname and ID number of each visitor will be confirmed based on their identity card and entered into the visitor book. However, the identity card of the visitor is not kept while he/she visits our offices and will be given back to the visitor once the relevant details are entered into the visitor book. Before information is obtained from visitors, an information notice will be given to them at the security post to inform them about the processing of their Personal Data. However, explicit consent will not be obtained from the visitor pursuant to article 5/2/f of LPPD since our Company has legitimate interests in this collection. This data will only be maintained physically in the visitor book and will not be forwarded to another unit unless there is a suspicious condition posing a potential threat to our security. This data will be used when necessary to prevent a crime or ensure the Company’s security.
We will provide internet access to visitors upon request during their visit to our offices and factories, in order to ensure security and fulfill the purposes detailed in the Policy. In such cases, log records of your internet access will be recorded in accordance with Law No. 5651 and the mandatory provisions of the legislation enacted under this Law, and these records will be processed only when they are demanded by the authorized public establishments or institutions or in order to fulfill our legal obligations during an audit conducted within the Company.
Log records will be accessed only by a limited number of Doğadan employees. Company’s employees having access to these records will be entitled to have access and share them with competent authorities only upon a demand from an authorized public establishment or institution or in order to use the same in the audit activities.
Surveillance cameras are used to ensure the security of our Company and our premises and Personal Data are processed in this manner. As part of the monitoring activities via surveillance cameras, our Company attempts to achieve the purposes of enhancing the quality of the service provided, ensuring life and property security of our physical premises and persons working in the Company, preventing abuses and protecting the legitimate interests of the data subjects.
Personal Data processing activities carried out by the surveillance cameras will be executed in accordance with the Constitution, LPPD, Law No. 5188 on Private Security Services and applicable legislation.
Pursuant to article 4 of LPPD, our Company will process the Personal Data only in connection with the specific purpose of processing and on a limited and reasonable basis. Thus no monitoring will be held if it might result in an intrusion into the privacy of the person that goes beyond the relevant security purposes. In that regard, warning signs will be displayed in those common areas where CCTV recording is made in order to inform the data subjects about processing. However, explicit consent will not be obtained from the relevant data subjects since our Company has legitimate interests in keeping CCTV records. And pursuant to article 12 of LPPD, technical and administrative measures are taken to ensure security of the Personal Data obtained as a result of CCTV monitoring activities.
Besides that, a procedure was put into force in connection with the areas where CCTV cameras are installed, the field of vision of the cameras and the time periods during which records will be retained. This procedure will be taken into account before installation of any CCTV camera. However, a CCTV camera will not be installed if it goes beyond the relevant security purposes and if it intrudes on the privacy of the people to be monitored. Only a certain number of our employees may have access to the CCTV camera records and the relevant authorizations are regularly reviewed by our Company. Personnel having access to these records must sign a letter of undertaking confirming that they will protect the Personal Data in accordance with law.
Images are recorded with the use of a total of 120 (One Hundred Twenty) surveillance cameras installed at the entrance doors, building’s façade, dining hall, cafeteria, visitor waiting room and floor corridors in order to ensure the building’s security, and the recording process is audited by the Administration Department’s Security Unit.
Our purposes of use of your Personal Data vary depending on the type of business relationship between us (e.g. customer, supplier, business partner etc.). Our basic purposes of processing your Personal Data are detailed below. Personal Data processing activities in connection with employee candidates are already explained in the above section titled “Processing of Personal Data of Employee Candidates”.
Our Purposes of Processing your Personal Data | Examples |
---|---|
Evaluation of potential suppliers/ business partners | Execution of reviewing and conflict of interests process pursuant to our risk rules |
Establishment and management of customer relations | Performance of sales transactions for the goods and services provided by our Company, presentation of quotations/offers, supply of goods, invoicing, conclusion and performance of contracts, ensuring security of legal transactions after the contract, shipment of goods and products, management of logistics processes, development of new products and services, evaluation of new technologies and equipment, determining and applying our Company’s commercial and business strategies, management of our operations (claims, offers, evaluations, order placement, budgeting, contracting), product/project/manufacturing/ investment quality processes and operations, in-house system and application management operations, financial operations, management of financial affairs. |
Execution and finalization of the contractual process with our suppliers and business partners | Supply of goods and services, invoicing, conclusion and performance of contracts, ensuring security of legal transactions after the contract, shipment of goods and products, management of logistics processes, development of new products and services, evaluation of new technologies and equipment, determining and applying our Company’s commercial and business strategies, management of our operations (claims, offers, evaluations, order placement, budgeting, contracting), product/project/manufacturing/ investment quality processes and operations, in-house system and application management operations, financial operations, management of financial affairs. |
Execution of direct marketing processes | Sending marketing communications about our services provided via e-mail and phone, performance of customer satisfaction surveys or evaluation of your opinions, complaints and comments you forwarded to us on social media, online platforms or other media, providing feedbacks to the same, informing our customers about innovations and campaigns of our Company, and execution of the campaigns and contests, developing the special promotional activities designed for the specific customer portfolios and carrying out activities for customer “classification” in connection with preventing undesired e-mails and also advertising, promotion and marketing activities to be designed according to personal information, determining and implementation of our commercial and business strategies and organization planning. |
Communication and support (upon your request) | Responding to the requests to obtain information about our services; providing support to the demands made through our communication channels and updating our records and database |
Compliance with the legal obligations | Execution of taxation and insurance processes; fulfillment of our legal obligations arising from the applicable legislation including specifically Law No. 5651 and similar legislation, Law No. 6563 on the Regulation of Electronic Trade, Turkish Criminal Code numbered 5237 and Law No. 6698 on the Protection of Personal Data; execution of necessary processes to comply with the laws and regulations affecting us such as execution of the procedures with the official establishments, fulfillment of record keeping and information supply obligations, compliance and audits, audits and inspections made by competent authorities, follow-up and finalization of our legal rights and legal actions and disclosure of data at the request of authorities; and meeting the requirements about fulfillment of our legal obligations defined in LPPD and as required by the regulatory and auditing organizations. |
Protection of our interest and ensuring security | Execution of necessary audit activities in order to protect our benefits and rights, making controls about conflict of interests, ensuring lawful and commercial security of those persons having business relations with our Company, keeping CCTV camera records to protect our devices and assets, taking technical and administrative security measures; executing works to develop our services, implementation and auditing the implementation of worksite rules, management of quality processes, planning and execution of social responsibility activities, protection of commercial reputation and security established by Doğadan and Coca Cola Group, reporting and intervening into all kinds of incidents occurring within the building such as accidents, complaints, losses and stealing etc., taking measures against the same, communicating the rules to be observed during hazardous situations that may arise in the maintenance and repair activities, measuring professional qualifications of the subcontractors, ensuring an order in the entrance and exit of our employees and obtaining necessary security information, performance of quality audits and audits to check compliance with the standards and fulfillment of our reporting obligations and similar obligations required by the applicable laws and regulations. |
Planning and execution of our commercial operations | Budgeting, communication, market research and social responsibility activities and procurement operations in order to determine, plan and apply our short, mid and long term commercial policies and determine and apply our commercial and business strategies. |
Reporting and audits | Ensuring communication with the group companies of Coca Cola located in Turkey and abroad and execution of necessary activities, internal audits and reporting process |
Protection of rights and benefits | Defending against the legal claims made against our Company including legal actions/investigations etc. |
As a rule, we will obtain your prior consent for processing your Personal Data since marketing activities are not considered as an exception as regulated in articles 5/2 and 6/3 of LPPD. Our Company may regularly send you promotional communications about our products, services, activities and promotions. These promotional communications may be forwarded to you via different channels such as e-mail, phone, SMS message, postal services or social networks operated by the third persons.
These communications may sometimes be adapted to your preferences in order to provide you with the best customized experience (for example, based on the results we obtain from your visits to our web site or on the links you clicked in our e-mails).
We will execute marketing activities by processing your Personal Data in order to provide you with the offers relating to customized products and services including internet advertising, targeting, re-targeting, cross sale, campaigns, offer and product/service advertisements; we will be using cookies for that purpose and develop commercial offers based on your recent purchases; we will follow-up your usage habits and offer you customized products based on your previous records kept when you visit the applications; we will process your Personal Data for presenting customized advertisements, campaigns, advantages and other benefits to you as part of our sales and marketing activities and for executing similar marketing activities and CRM studies and also for developing new product and service models and sending electronic commercial posts (campaigns, newsletters, customer satisfaction surveys, product and service advertisements) as well as gifts and promotional items and organizing corporate communications and various activities and invitations and providing information about the same.
We will obtain your prior consent before starting above mentioned activities if this consent is required under the applicable legislation. We will also offer you the chance to withdraw (suspend) your consent at any time. You can always stop receiving marketing communications from us if you follow the instructions given in the e-mail or SMS message for the cancellation of subscription.
If you log in to a Doğadan account, an option to change your communication preferences may be provided to you in the relevant section of our web site or application. You may always contact us to stop receipt of marketing communications from us (you may find the contact details in the section titled “What are your Rights about your Personal Data?”).
We will process your Personal Data for the legal reasons as stipulated under article 5 of LPPD including specifically Turkish Commercial Code numbered 6102, Turkish Code of Obligations numbered 6098, Tax Procedure Law numbered 213 and legislation on electronic trade:
Legal Reason | Examples |
---|---|
We will process your Personal Data after obtaining your prior consent if this is required under LPPD and other applicable legislation (we also remind you that you may withdraw your consent at any time) | We will obtain your prior consent to carry out our marketing activities |
Any case allowed under the applicable legislation | Giving the name of relevant person on the invoice pursuant to article 230 of the Tax Procedure Law |
A requirement to protect the benefits of any persons having critical importance | Giving to the physician health details of the director who fainted at the board meeting |
Conclusion and performance of a contract with you and fulfillment of our contractual obligations | Obtaining bank account details from the customer in a contractual relationship with him/her |
Fulfillment of our legal obligations | Fulfillment of our taxation obligations and presenting the information required under a court order |
When your Personal Data was made overt by you | Sending of an e-mail by you for us to contact you; entering by the employee candidate of the communication details into the internet site collecting job applications; using your Personal Data that you made overt in social media and other channels |
Establishment or protection of a right; exercising our legal rights and making defense about the claims made against us | Retaining the evidencing/proving documents and using them when necessary |
Requirements relating to our legitimate interests provided that no harm is given to your fundamental rights and freedoms | Conducting research in order to ensure security of our communication networks and information, execute our activities, determine suspicious transactions and comply with our risk rules; benefiting from storage, hosting, maintenance and support services in order to provide IT services securely; using cloud technology to ensure efficiency in our operations and benefit from the technological facilities. |
In those cases in which your Personal Data are processed with your explicit consent, we would like to remind you that if you withdraw this explicit consent, you will be removed from the commercial membership program and you will no longer benefit from the advantages offered to you, since they require processing of your Personal Data.
Transfer of Personal Data within the Country
In the transfer of Personal Data, our Company is responsible to act in accordance with the resolutions and arrangements contemplated in LPPD and taken by the Board including specifically article 8 of LPPD. As a rule, Personal Data and Special Personal Data owned by the data subjects may not be transferred to any real person or legal entity without the prior explicit consent of the relevant data subject.
We will transfer your Personal Data without your explicit consent in those cases contemplated under articles 5 and 6 of LPPD. Our Company may transfer Personal Data to third persons in Turkey and to the group companies of Coca Cola in compliance with the conditions set forth in LPPD and other applicable legislation and after taking the security measures required in the applicable legislation unless it is required contrary in the Law or applicable legislation (in the contract, if any, signed with the data subject).
Transfer of Personal Data to Abroad
Our Company may transfer Personal Data to the third persons in Turkey and to abroad after they are processed in Turkey or they are processed and retained at abroad and after taking necessary security measures including use of outsourcing as required in the Law and in the applicable legislation. After taking necessary technical and administrative measures, we transfer your Personal Data to abroad with the use of cloud information technology in order to execute our operations in the most efficient manner and use the opportunities provided by the technology.
Pursuant to article 9 of LPPD, we require explicit consent from the data subjects before we transfer their Personal Data abroad. However, pursuant to article 9 of LPPD, and if any of the conditions set out in article 5/2 or 6/3 of LPPD are relevant, we may transfer Personal Data without such explicit consent from the data subject if:
a) There is sufficient data protection in the relevant foreign country, or
b) Data controllers in Turkey and in the relevant foreign country undertake in writing sufficient protection and the Board grants permission for that transfer if there is not sufficient data protection in that foreign country.
In those exceptional cases where above mentioned explicit consent is not required for the transfer of Personal Data, our Company requires existence of sufficient data protection in the foreign country in accordance with LPPD in addition to meeting of the conditions stipulated for processing without consent and for the transfer. Personal Data Protection Board will determine whether sufficient data protection is provided and if there is not sufficient data protection, data controllers both in Turkey and in the relevant foreign country must undertake that protection in writing and permission must have been granted by the Personal Data Protection Board.
Please follow the link www.dogadan.com.tr/kvkk to see the service providers whose headquarters is located abroad and from which we procure services.
Parties with whom Personal Data is shared in and out of the country
We will share your Personal Data only for the purposes detailed below. We take care not to share your Personal Data in other circumstances. You may find below those parties with whom we share your Personal Data.
• Coca Cola group companies: As we are operating as an entity under Coca Cola group companies, your Personal Data may be shared with or made accessible to Coca Cola group companies located in Turkey. However Personal Data will be shared only with the authorized employees of group companies of Coca Cola. However, we would like to remind that data transfer with the group companies of Coca Cola does not contain any Personal Data and will be related to the financial reporting about the company’s operations including profitability and efficiency of the Company. In certain special cases, we may share Personal Data with Coca Cola instead of anonymous data (for example when it is necessary to share the damage details for opening insurance damage file). A Data Sharing Contract is signed for the transfer of your Personal Data to group companies of Coca Cola and relevant measures are started to be applied.
• Service providers and business partners: These are the parties with whom our Company has established a business partnership for the purpose of selling, introducing and marketing our services and providing support after sales as conducting our commercial operations. As many other companies, we may work with third persons such as providers of information and communication technology, consulting services providers, cargo firms and travel agencies and share data with them in order to execute our functions and services in the most efficient manner and by using advanced technology during certain data processing activities. However data transfer will be made on a limited basis in order to fulfill the purpose of establishment and performance of business partnership. We use cloud information technologies in order to execute our operations in the most efficient manner and use technological means to the maximum extent and we sometimes process your Personal Data in and out of the country through the firms providing cloud information service. Marketing services supporting firm with which we share the data may be organized at abroad and data transfer to abroad will be made in accordance with relevant provisions of articles 8 and 9 of LPPD concerning transfer of Personal Data to abroad.
• Public authorities: We may share your Personal Data with official, judicial and administrative authorities (e.g. tax offices, police, courts and enforcement offices) when it is required by law or it is necessary to protect our rights.
• Persons subject to private law: We may share Personal Data on a limited basis for the purposes requested by those persons subject to private law authorized to obtain information and documents from our Company in accordance with the provisions of the applicable legislation (e.g. Occupational Health and Safety Company).
• Professional consultants: We may share your Personal Data with the banks, insurance companies, auditors, lawyers, financial advisors and other professional consultants.
• Other persons related to corporate transactions: We may share your Personal Data from time to time in order to execute our corporate transactions such as sale of an enterprise owned by our Company, restructuring, merger, joint venture or disposal of our business, assets or shares (including those related to any bankruptcy process or similar procedure).
Our web pages use “social add-ins” coming from the social networks specifically including the “Share” button of the “Facebook” provider on page facebook.com operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. Usually these add-ins have Facebook logo. In addition to Facebook, we use add-ins of “Google+” (provider: Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA), “YouTube” (provider: YouTube LLC, 01 Cherry Avenue, San Bruno, CA 94066, USA), “Twitter” (provider: Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA), “Pinterest” (provider: Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA), “LinkedIn” (provider of customer residing outside of the USA: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland).
Due to our concerns for confidentiality, we consciously decided not to use the add-ins directly coming from the social networks in our web page. Instead of that, we are using an alternative solution allowing you to decide when and how this information will be given to the operators and these social networks. We never provide any information automatically to the social networks such as Facebook, Google, Twitter or Pinterest after your visit to our web pages. However if you actively click on the relevant button, your Internet browser will connect to the servers of the specific social network. When you click on that button, it will mean that you clicked on these elements and later on the symbol of that social network and in this manner, it will be deemed that you have given your consent to the communication to be established between your Internet provider and servers of the social network and sending to the operator of the user data relating to that network. At this point, we would like to remind you that we have no influence howsoever on the type and scope of the data collected by the social networks. Please consult to the relevant privacy policies of these social networks in order to get information about the purpose and scope of data collecting activities and processing of data and use of such data by the relevant networks and about your rights and options arising from confidentiality requirements applicable for the Personal Data.
You may have access to the privacy policy of Facebook at
facebook.com/about/privacy/ and facebook.com/help
You may have access to further information about the use of data for “Google+,” “Youtube” or “Twitter” at policies.google.com/privacy or twitter.com/privacy, for Pinterest at pinterest.com/tr/privacy-policy and for LinkedIn at linkedin.com/legal/privacy-policy
Google Maps
We suggest you to use Google Maps in order to see the maps and develop directions that will facilitate your trip. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These pages have been tagged as relevant.
When you use this service, it will be deemed that you have granted your consent to Google to collect, process and use the information about you. Conditions relating to use of Google Maps can be found at google.com/intl/de_de/help/terms_maps
Web analysis via Google Analytics
This web page uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses “cookies” as text files recorded on your computer in order to analyze your use of the web page. The information created by the cookie in connection with your use of that web page (including short form of IP address) is then transferred to and recorded by one Google server located in the United States of America. Google will use that information in order to analyze your use of the web page, collect reports on the web page activity for use by the web page operators and provide additional services in connection with the use of web page and Internet. Google will also forward that information to the third parties whenever needed for legal reasons or when such parties process this information on behalf of Google. However Google will never correlate the IP address with your IP address.
Finally, you may prevent use of your information by Google Analytics by installing an add-in to your browser. In order to access the relevant Google page, you may click on the following link http://tools.google.com/dlpage/gaoptout?hl=de
Logging in to the web site
Each time you login to the web site, recording information will be created and processed for statistical purposes and in this manner, the user remains anonymous:
• The web page enabling you to access this web site when you click the reference link
• Search phrases (when the reference is a search engine)
• IP analysis to be performed to determine the relevant country and provider
• Browser, operating system, installed add-ins and screen resolution
• Time spent on pages
The above mentioned data will be processed by us for the following legal purposes based on LPPD:
• Providing an unproblematic connection to the web page,
• Guaranteeing easy use of the web page,
• Evaluation of system security and stability and other administrative purposes.
If we detect certain signs of illegal use, we reserve the right to control relevant information retrospectively. Subject to the purpose, we immediately delete such data whenever they are not needed and in any case after six months.
We will store your Personal Data only for the time period required to fulfill specific purpose of collection. We will determine these periods separately for each business process and we will destroy your Personal Data in accordance with LPPD if there is no other reason to retain them upon expiration of these time periods.
We will take into account following criteria when determining the time periods after which your Personal Data will be destroyed by us:
• Time period accepted because of general practices in the sector in which Data Controller operates and pursuant to the specific processing purpose of the relevant data category,
• Time period during which legal relation established with the relevant persons persists, requiring processing of Personal Data in the relevant category,
• Time period during which legitimate interests will be valid in line with law and rules of honesty depending on the specific purpose of processing of relevant data category,
• Time period during which risks, costs and responsibilities arising from the storage of relevant data category will legally continue depending on the specific purpose of processing of relevant data category,
• Whether maximum time of storage is appropriate to keep the relevant data category correct and updated, if necessary,
• Time period during which Data Controller is obliged to maintain Personal Data in the relevant data category,
• Prescription determined for claiming by the Data Controller of a right relating to the Personal Data in the relevant category.
Pursuant to article 138 of Turkish Criminal Code and article 7 of LPPD, Personal Data will be deleted, destroyed or made anonymous at the discretion of our Company or upon the request of the data subject when the reasons requiring processing of Personal Data cease to exist although they have been processed in accordance with the relevant legal provisions.
For that purpose, the Policy for Storage and Destruction of Personal Data was developed. In those cases where our Company is entitled and/or obliged to keep Personal Data pursuant to the provisions of the applicable legislation, our Company reserves the right not to fulfill the request made by the data subject. If Personal Data are processed by non-automated means which are part of any data recording system, a system will be applied ensuring physical destruction of the data without any possibility of future use. If our Company recanted an agreement with a person or entity for the processing of Personal Data, Personal Data will be safely deleted by this person or entity without any possibility of recovery. Our Company may also make anonymous all Personal Data when the reasons requiring their processing cease to exist.
PERSONAL DATA DESTRUCTION METHODS
Deletion of Personal Data
Personal Data will be deleted at the discretion of our Company or upon the request of the data subject when the reasons requiring processing of Personal Data cease to exist although they have been processed in accordance with the relevant legal provisions. Deletion of Personal Data means rendering them inaccessible or unusable by the relevant users. Our Company will take all technical and administrative measures to render Personal Data inaccessible and unusable for the relevant users.
Deletion Process of Personal Data
The process to be followed in the deletion of Personal Data is described below:
• Determining the Personal Data to be deleted.
• Determining relevant users of Personal Data by using access authorization and control matrix or similar system.
• Determining the authorities and methods of relevant users employed in accessing, recovery and reuse of Personal Data.
• Closing or terminating access, recovery and reuse authorities and methods of relevant users in respect to Personal Data.
Methods of Deletion used for Personal Data
Data recording medium | Explanation |
---|---|
Personal Data kept in the servers | System manager will cancel the access authority granted to the relevant users in respect to the Personal Data which are kept in the servers and whose storage time has expired and then delete them. |
Personal Data kept in electronic environment | Personal Data which are kept in electronic environment and whose storage time has expired shall be made inaccessible and unusable for the employees (relevant users) except for the database manager. |
Personal Data kept in physical environment | Personal Data which are kept in physical environment and whose storage time has expired shall be made inaccessible and unusable for the employees (relevant users) except for the department manager responsible for the archive. Besides that, such data shall be blackened by means of striking out/painting/deletion |
Personal Data kept on portable media | Personal Data which are kept in flash based storage media and whose storage time has expired shall be encrypted by the system manager and kept in safe environments with encryption keys, with the access authority to be granted only to the system manager. |
Since Personal Data may be kept in different recording environments, they must be deleted by using methods appropriate for the specific recording environment. Examples of deletion are given below:
Cloud Solutions provided as Service (such as Office 365, Salesforce, Dropbox): Personal Data retained in the cloud system must be deleted by giving a deletion command. During this deletion process, it should be remembered that the relevant user has no authority to recover the Personal Data deleted on the cloud system.
Personal Data in hardcopy format: Personal Data in hardcopy format must be deleted by using blackening method. Blackening process will be made by cutting the part containing Personal Data on the relevant document and if this is not possible, they are made non-visible for the relevant users by using indelible ink so that they cannot be recovered or read even with technological solutions.
Office files kept in the central server: The file must be deleted by giving a deletion command in the operating system or by cancelling the access authorities of relevant user in respect to the relevant file or on the index containing the file. When this process is applied, care must be taken whether relevant user is a system manager at the same time.
Personal Data kept on a portable medium: Personal Data kept at flash based storage medium must be kept in encrypted form and must be deleted by using software suitable for such medium.
Databases: Relevant lines containing Personal Data must be deleted by giving database commands (DELETE etc.). When this process is applied, care must be taken whether relevant user is a system manager at the same time.
Destruction of Personal Data
Personal Data will be destroyed at the discretion of our Company or upon the request of the data subject when the reasons requiring processing of Personal Data cease to exist although they have been processed in accordance with the relevant legal provisions. Destruction of Personal Data means rendering them inaccessible, unrecoverable or unusable by the relevant users. Data Controller will be obliged to take all technical and administrative measures required for the destruction of Personal Data.
Data recording environment | Explanation |
---|---|
Personal Data kept in physical environment | Personal Data which are kept in hardcopy format and whose storage period has expired will be destroyed without any possibility of recovery by using shredder. |
Personal Data kept in optical/magnetic media | Personal Data which are kept in optic and magnetic media and whose storage time has expired will be physically destroyed by using the methods of melting, burning or pulverizing. Besides that, magnetic media shall be passed through a special device subjecting them to high magnetic area to render them unreadable. |
Physical destruction: Personal Data may be also processed by non-automated means that are part of any data recording system. While deleting/destroying such data, the method of physical destruction is applied to prevent any future use.
Secure deletion on the software: In the deletion/destruction of Personal Data processed by automated means and kept in digital environments in part or in whole, methods involving deletion of data on the software will be used to prevent any future recovery.
Secure deletion made by an expert: In certain cases, our Company may delegate an expert to delete the Personal Data on its own behalf. In such a case, Personal Data will be deleted/destroyed by this expert without any possibility of future recovery.
Blackening: This is a method of physically rendering Personal Data unreadable again.
Methods of Destruction used for Personal Data
For the destruction of Personal Data, all copies thereof must be determined and destroyed one by one by using one or several of the methods described below depending on the type of systems containing the data:
Local Systems: One or several of the methods described below must be used to destroy the data in these systems: i) De-magnetizing: Magnetic media shall be passed through a special device subjecting them to high magnetic area to render them unreadable. ii) Physical destruction: The process of physical destruction by means of melting, burning or pulverizing optic or magnetic media. Data will be rendered inaccessible by melting, burning, pulverizing or passing through a metal shredder such optic or magnetic media. If write-over or de-magnetizing process cannot yield the desired result for the solid disks, they must be physically destroyed. iii) Writing-over: Random data comprising of 0 and 1 will be overwritten on the magnetic medium or re-writeable optic medium in order to prevent recovery of old data. This process is completed by using special software.
Environmental Systems: Destruction methods that could be used according to the type of environment are given below: i) Network devices (switch, router etc.): Storage medium in these devices is fixed. The products mostly contain a deletion command but they cannot be destroyed. They must be destroyed by using one or several of the methods referred to in (a). ii) Flash based environments: Flash based hard disks having ATA (SATA, PATA etc.), SCSI (SCSI Express etc.) interface must be destroyed by using the command
Paper and Microchip environments: Personal Data kept in these environments are written on the environment permanently and physically and for that reason, main environment must be destroyed. In this process, the medium must be torn down to small pieces vertically and horizontally if possible by using shredder so that it cannot be recombined. Personal Data transferred to electronic environment after scanning the original paper must be destroyed by using one or several of the methods referred to in (a) depending on the relevant medium.
Cloud Environment: During storage and utilization of Personal Data kept in these systems, they must be encrypted by using cryptographic methods and separate encryption keys must be used for each cloud solution to the extent possible. When the cloud information service relation expires, all copies of the necessary encryption keys must be destroyed to render Personal Data unusable. In addition to the above mentioned environments, destruction of Personal Data contained in devices that are defective or sent for maintenance shall be made as follows: i) Personal Data contained in these devices must be destroyed by using one or several of the methods referred to in (a) before the device is sent to the manufacturer, service station or other third party for the purpose of maintenance or repair, ii) when destruction is not possible or suitable, the data keeping medium must be removed and retained and the other defective parts must be sent to the manufacturer, service station or other third party, iii) measures must be taken to prevent the outsourced personnel used for repair and maintenance purposes from copying the Personal Data and taking them out of our premises.
Making Personal Data Anonymous
Making Personal Data anonymous means eliminating all possibilities of correlating them with an identified or identifiable person even when they are matched with other data. Our Company may make Personal Data anonymous once legal reasons of processing them cease to exist. For the Personal Data to become anonymous, all possibilities of correlating such data with an identified or identifiable person must be eliminated by using techniques suitable for the recording medium and relevant activity so that they cannot be recovered and/or matched with other data by the Data Controller or recipient groups. Our Company will take any and all technical and administrative measures to make Personal Data anonymous.
In accordance with article 28 of LPPD, Personal Data that was made anonymous may be processed for certain purposes such as research, planning and statistics. Such procedures are outside the scope of LPPD and do not require the explicit consent of the data subject.
Methods used to make Personal Data anonymous
Making Personal Data anonymous means eliminating all possibilities of correlating them with an identified or identifiable person even when they are matched with other data.
For the Personal Data to become anonymous, all possibilities of correlating such data with an identified or identifiable person must be eliminated by using techniques suitable for the recording medium and relevant activity so that they cannot be recovered and/or matched with other data by the Data Controller or third persons.
Making anonymous involves removal or modification of all direct and/or indirect definers in a data set in order to prevent identification of relevant person or his/her distinguishing in a crowd or group without any possibility of correlation to a real person. After preventing and eliminating these features, data not pointing towards a certain person shall be deemed as to have been made anonymous. In other words, while Personal Data made anonymous could determine a certain real person before that process, they are made impossible to be correlated to a real person after that process and all correlations to the persons are eliminated. The purpose of making anonymous is to eliminate all correlations existing between the data and person defined by that data. All of correlation elimination procedures executed with certain methods including automated or non-automated grouping, masking, deriving, generalizing and making random which are applied to the records retained in the data recording system where Personal Data are stored are called making anonymous. The data obtained with the use of these methods should be incapable of identifying a specific person.
Certain methods used to make anonymous are listed below:
Methods of making anonymous not providing value irregularity: In the methods not providing value irregularity, no change, addition or subtraction will be applied to the values that the data set has but instead, changes are made to the totality of the lines and columns in the data set. In this manner, a change occurs generally in the data but values in the areas retain their original condition.
Removal of variables
This is a method of making anonymous by complete deletion and removal from the table one or several variables. In such a case, whole column of the table will be removed. This method will be used when variable is a high degree identifier, if a better solution cannot be found or when the variable constitutes a sensitive data that could not be disclosed to public or does not serve to analytical purposes.
Removal of records
In this method, anonymous feature is enhanced by removal of a line containing a unique data in the data set and the possibility of developing assumptions about the data set is minimized. Generally records removed will be those not sharing a common value with the other records which could be easily predicted by the persons having an idea about the data set. For example assume that in a data set containing the results of a survey, only one person was included in the survey from any sector. In this case, it may be preferred to remove the records relating to this person only instead of removing the “sector” variable from all survey results.
Regional hiding
The purpose of regional hiding is to render a data set safer and reduce the risk of predictability. If the combination created by the values relating to a certain record results in a rare condition and if this condition will increase the probability of distinguishing that person in the relevant group, the value creating exceptional condition will be changed as “unknown”.
Generalizing
This is the process of converting the special value of the relevant Personal Data into a general value. This method is mostly used in the production of cumulative reports and in the operations conducted on total figures. As a result, new values obtained will show the total values or statistics belonging to a group, which makes accessing to a real person impossible. For example, let’s assume that a real person with ID Number 12345678901 purchased napkins from an e-trade platform and then wet wipes. In making anonymous process, a conclusion may be reached that xx% of persons purchasing napkins on the e-trade platform also purchase wet wipes if generalization method is used.
Lower and upper limit coding
In the method of lower and upper limit coding, a category is defined for a certain variable and values present in the grouping created by this category are combined. Generally lower and upper values of a certain variable are combined together and a new definition is made to these values.
Global coding
Global coding method is used in cases where the method of lower and upper limit coding cannot be used and is applied on the data sets not containing any numerical values or containing values that could not be sequenced numerically. It is generally used in cases where grouping of certain values makes prediction or assumptions easier. A common new group is created for the selected values and all records in the data set are changed by using this new definition.
Sampling
In the sampling method, a subset taken from the set is disclosed or shared instead of the whole data set. In this manner, the risk of making correct predictions about the person will be reduced since it is not known whether that person who was known to be included in a whole data set is in the disclosed or shared subset. Simple statistical methods are used in determining the subset from which sampling will be made. For example if a data set containing information about the demographic details, occupations and health conditions of women living in Istanbul is made anonymous and then disclosed or shared, it might be meaningful to make scans and predictions in the data set relating to a certain woman known to live in Istanbul. However if the records of women whose civil registry is kept under Istanbul city are retained in the relevant data set and women whose civil registry is kept under other cities are removed from the data set in order to apply the process of making anonymous and if this data is then disclosed or shared, a malicious person accessing the data cannot predict whether civil registry of a woman known to live in Istanbul was kept under Istanbul city and as a consequence, he will not be able to make a reliable prediction about whether information belonging to this known person was included in the data in his possession.
Methods of making anonymous providing a value irregularity: As distinct from the methods mentioned above, existing values are changed in order to make a disruption in the values of the data set if methods providing value irregularity are used. However as in this case, the values to which records are transferred will change, benefits planned to be derived from the relevant data set must be calculated correctly. It may be continued to derive benefits from the data set by ensuring integrity of the total statistics even if values in the data set are changed.
Micro combination
In this method, first all records in a data set are aligned according to a meaningful sequence and later all set is divided into a certain number of subsets. Then average of values relating to a variable determined in each subset is taken and value of the subset relating to that variable is replaced with the average value. In this manner, average value of the variable applicable for that data set will not change.
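The micro combination step described above can be written out as follows. This is an added illustration, not the Company's own code; the function name `microaggregate`, the subset size `k` and the salary figures are assumptions constructed for the example.

```python
def microaggregate(values, k):
    """Replace each value with the average of its subset of at least k records.

    Records are ordered by value, cut into consecutive subsets of size k,
    and a short final subset is merged into the previous one so that no
    published average describes fewer than k records.
    """
    if k < 1:
        raise ValueError("k must be at least 1")
    if len(values) < k:
        raise ValueError("fewer than k records: no subset can be formed")

    # Indices of the records in ascending order of the variable.
    order = sorted(range(len(values)), key=lambda i: values[i])
    subsets = [order[i:i + k] for i in range(0, len(order), k)]
    if len(subsets) > 1 and len(subsets[-1]) < k:
        subsets[-2].extend(subsets.pop())

    result = [0.0] * len(values)
    for subset in subsets:
        average = sum(values[i] for i in subset) / len(subset)
        for i in subset:
            result[i] = average  # written back in the original record order
    return result


# Constructed sample: monthly salaries of seven records.
SALARIES = [4200, 9800, 5100, 4700, 15000, 5300, 8900]

if __name__ == "__main__":
    masked = microaggregate(SALARIES, k=3)
    print(masked)
    print(sum(SALARIES) / len(SALARIES), sum(masked) / len(masked))
```

Every published value is shared by at least three records, while the average over the whole data set stays the same, which is the property the paragraph relies on.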
Data exchange (data swapping)
The data exchange method involves record changes achieved by exchanging the values of a variable between pairs selected from the records of a subset. In general, this method is used for variables that can be categorized, and is based on the principal idea of transforming the database by changing the values of variables between the records belonging to individuals.
Noise adding
In this method, additions and subtractions are made in order to ensure a certain degree of disruption in the selected variable. This method is mostly applied to the data sets containing numerical values. Disruption must be applied equally to each value.
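The three value-irregularity methods described above, as an added Python example that is not part of the Policy or of the Company's systems. The salary and department columns are constructed sample data, the function names are hypothetical, and re-centring the noise so that the column total is kept is an assumption made here to show "integrity of the total statistics".

```python
import random
from collections import Counter

# Constructed sample columns (not real data).
SALARIES = [3200, 4100, 2900, 8800, 5100, 4700, 15000, 3900, 6100, 5200, 7300]
DEPARTMENTS = ["sales", "sales", "hr", "it", "it", "sales",
               "board", "hr", "it", "sales", "it"]


def microaggregate(values, group_size):
    """Micro combination: sort, split into groups, replace each value by its group mean."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    groups = [order[i:i + group_size] for i in range(0, len(order), group_size)]
    # A short tail group would leave fewer than group_size records sharing a
    # value, so it is merged into the previous group.
    if len(groups) > 1 and len(groups[-1]) < group_size:
        groups[-2].extend(groups.pop())
    out = [0.0] * len(values)
    for group in groups:
        mean = sum(values[i] for i in group) / len(group)
        for i in group:
            out[i] = mean
    return out


def swap_values(column, rng, fraction=0.5):
    """Data exchange: swap a categorical value between randomly chosen record pairs."""
    out = list(column)
    idx = list(range(len(out)))
    rng.shuffle(idx)
    n_pairs = int(len(out) * fraction) // 2
    for p in range(n_pairs):
        a, b = idx[2 * p], idx[2 * p + 1]
        out[a], out[b] = out[b], out[a]
    return out


def add_noise(values, rng, scale):
    """Noise adding: the same zero-mean noise distribution is applied to every value.

    The drawn noise is re-centred (assumption of this example) so that the
    column total, and therefore the mean, is unchanged.
    """
    noise = [rng.gauss(0.0, scale) for _ in values]
    shift = sum(noise) / len(noise)
    return [v + n - shift for v, n in zip(values, noise)]


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is repeatable
    agg = microaggregate(SALARIES, 3)
    print("original mean      :", sum(SALARIES) / len(SALARIES))
    print("microaggregated    :", [round(v, 1) for v in agg])
    print("mean after         :", sum(agg) / len(agg))
    print("smallest group     :", min(Counter(agg).values()))
    swapped = swap_values(DEPARTMENTS, rng)
    print("swapped departments:", swapped)
    print("counts preserved   :", Counter(swapped) == Counter(DEPARTMENTS))
    noisy = add_noise(SALARIES, rng, 250.0)
    print("noisy salaries     :", [round(v) for v in noisy])
    print("total preserved    :", abs(sum(noisy) - sum(SALARIES)) < 1e-6)
```

Record-level values change in all three outputs, while the column mean (micro combination, noise adding) and the category counts (data exchange) stay the same.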
Statistical methods enhancing the effect of making anonymous
As a result of combining certain values in the records present in the data sets that were made anonymous with unique scenarios, it may be possible to identify the persons indicated in these records or produce assumptions about their Personal Data.
For that reason, the anonymous effect is enhanced by minimizing the unique items in the records present in a data set, through the application of various statistical methods on the data set that was made anonymous. The basic purpose of these methods is to minimize any disruption in the anonymous effect and to keep the benefits to be derived from the data set at a certain level.
K-Anonymous (k-anonymity)
If indirect identifiers come together in the right combinations in the data sets that were made anonymous, it may be possible to identify the persons indicated in the records or to easily predict the information relating to a certain person, and these problems inevitably reduce the trust placed in the processes of making data anonymous. As a consequence, it became necessary to render the data sets that were made anonymous more reliable by using various statistical methods. K-Anonymous was therefore developed so that certain fields in a data set correspond to multiple persons, which prevents the revealing of information belonging to persons showing unique features in certain combinations. If there are multiple records for the combinations created by combining certain variables in a data set, the probability of detecting the identity of persons corresponding to these combinations will be reduced.
L-Variability (l-diversity)
The L-variability method, developed as a result of the studies made on the defects of the K-anonymous method, takes into account the variability created by sensitive variables corresponding to the same variable combinations.
T-Proximity (t-closeness)
Although the L-variability method brings variability into Personal Data, it does not deal with the content and sensitivity degree of Personal Data and so it cannot provide sufficient protection in certain cases. The T-proximity method involves calculation of the proximity degree inherent in the values and division of the data set into subclasses according to these proximity degrees in order to make them anonymous.
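An audit of a release against the three statistical measures described above, as an added Python example that is not part of the Policy or of the Company's systems. The records, field names and function names are constructed for illustration, and T-proximity is computed here as the total variation distance between each group's distribution of the sensitive value and the distribution in the whole data set, which is an assumption suited to categorical values.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data): exact age, district, diagnosis.
RAW = [
    {"age": 31, "district": "A", "diagnosis": "flu"},
    {"age": 35, "district": "A", "diagnosis": "asthma"},
    {"age": 38, "district": "A", "diagnosis": "diabetes"},
    {"age": 42, "district": "B", "diagnosis": "diabetes"},
    {"age": 44, "district": "B", "diagnosis": "diabetes"},
    {"age": 47, "district": "B", "diagnosis": "diabetes"},
    {"age": 51, "district": "C", "diagnosis": "flu"},
    {"age": 55, "district": "C", "diagnosis": "asthma"},
    {"age": 58, "district": "C", "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("age", "district")   # the indirect identifiers
SENSITIVE = "diagnosis"                   # the value an attacker wants to learn


def generalize_age(records, width=10):
    """Replace the exact age with a band such as '30-39'."""
    out = []
    for r in records:
        low = (r["age"] // width) * width
        out.append({**r, "age": f"{low}-{low + width - 1}"})
    return out


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records that share the same combination of indirect identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_identifiers)].append(r)
    return classes


def k_anonymity(records):
    """Smallest group size: every combination matches at least k persons."""
    return min(len(rows) for rows in equivalence_classes(records).values())


def l_diversity(records):
    """Smallest number of distinct sensitive values found in any group."""
    return min(len({r[SENSITIVE] for r in rows})
               for rows in equivalence_classes(records).values())


def t_closeness(records):
    """Largest distance between a group's sensitive-value distribution and the overall one."""
    overall = Counter(r[SENSITIVE] for r in records)
    total = len(records)
    worst = 0.0
    for rows in equivalence_classes(records).values():
        local = Counter(r[SENSITIVE] for r in rows)
        distance = 0.5 * sum(abs(local[v] / len(rows) - overall[v] / total)
                             for v in overall)
        worst = max(worst, distance)
    return worst


def audit(records):
    return {"k": k_anonymity(records),
            "l": l_diversity(records),
            "t": round(t_closeness(records), 4)}


if __name__ == "__main__":
    print("exact ages      :", audit(RAW))
    print("10-year age band:", audit(generalize_age(RAW)))
```

With exact ages every record is unique (k = 1). After banding the ages the release is 3-anonymous, yet the group for district B holds a single diagnosis (l = 1), so knowing that a person is in that group reveals the diagnosis; this is the defect of K-anonymous that L-variability and T-proximity measure.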
Selecting the specific method of making anonymous
Our Company will decide which method will be used among the above mentioned methods by controlling the data in its possession and taking into account below mentioned characteristics of the relevant data set:
• Nature of the data
• Data size
• Means used to keep the data in physical environments
• Data variability
• Benefit derived from the data / processing purpose
• Frequency of data processing
• Reliability of the party to whom data will be transferred
• Whether the effort to be spent to make the data anonymous is meaningful
• Extent and area of impact of the loss that might ensue when the anonymous quality of the data is disrupted
• Distribution/centralization rate of the data
• Control of access authorities of the users to the relevant data and
• Whether the effort to be spent to build and activate a scenario that would disrupt the anonymous quality of the data is meaningful
While making data anonymous, our Company will control, through the contracts to be concluded and the risk analyses to be conducted, whether such data may be used again to identify a certain person with the use of publicly available information or of information known to be available to other entities and companies to which Personal Data was transferred by our Company.
Assurance of anonymous effect
While deciding to make Personal Data anonymous instead of deleting or destroying it, our Company pays attention to whether the anonymous effect of the data could be disrupted by combining the data set that was made anonymous with another data set; whether one value or multiple values create a meaningful unit rendering a record unique; and whether values in the data set that was made anonymous could combine to produce an assumption or result. Our Company will therefore carry out controls to be sure that the anonymous effect is retained each time the features of the data sets indicated in this section change.
Risks of elimination of anonymous effect resulting from the reverse processing of the data that was made anonymous
Our Company takes all technical and administrative measures in accordance with the requirements of the Personal Data Security Manual published by KVK Establishment; develops procedures to be implemented within the Company; prepares elucidation texts and texts to be used to grant explicit consent; and conducts or procures the conduct of audits to ensure implementation of LPPD provisions pursuant to article 12/3 of LPPD, in order to protect your Personal Data and prevent any unauthorized access to it. Results of such audits will be evaluated through internal mechanisms and necessary actions will be taken in order to improve the measures taken.
Technical Measures
In the protection of collected Personal Data, we are using generally accepted standard technologies and operational security methods including the standard technology designated as Secure Socket Layer (SSL). However because of the specific features of the Internet, unauthorized persons are sometimes able to access Personal Data through the networks if security measures are not available. We will take all technical and administrative measures to protect your Personal Data against risks of unauthorized destruction, loss, alteration, disclosure or access depending on the current technological status, costs of technology uses and nature of the Personal Data to be protected. In that regard, we will conclude contracts for data security with our service providers.
1) Ensuring cyber security: We are using cyber security products to ensure security of your Personal Data although technical measures we take are not limited to these products only. The initial defense line against the attacks made online is developed through certain measures such as firewall and gateway. Apart from that, every software and hardware is made subject to certain installation and structuring processes. Taking into account potential security gaps arising from especially old version of certain widely used software, unused software and services are removed from the devices. For that reason, our Company prefers deletion of unused software and services instead of keeping them in the devices. Through patch management and software updates, proper operation of software and hardware and sufficiency of the security measures taken for the systems are regularly controlled.
2) Access limitations: Access authorities for the systems containing Personal Data are limited and regularly reviewed. In that regard, the employees are granted access authorities to the relevant systems only to the extent necessary to perform their jobs and tasks and to exercise their powers and fulfill their responsibilities within the Company. Access to these systems is enabled through user names and passwords. While creating such passwords, combinations including lowercase and uppercase letters, numbers and symbols are preferred rather than easily predictable series of letters and numbers related to personal information. In addition, an access authorization and control matrix is created.
3) Encryption: In addition to the use of strong passwords, access will be limited by measures against attacks such as the use of a brute force algorithm (BFA), including limiting the number of password entry attempts, ensuring periodic change of passwords, opening the manager account and admin authority only when it is necessary to use them, and deleting the account or terminating logins of employees whose relations with the data controller were terminated.
4) Antivirus software: Products such as antivirus and anti-spam that could regularly scan the information system network and detect the threats are used in order to be protected from malicious software and updated versions of these products are used in order to scan the files. If Personal Data is to be extracted from different internet sites and/or mobile applications, connections will be made via SSL or other secure methods.
5) Monitoring the security of Personal Data: For the purpose of this monitoring, it will be checked which software and services are operating in the information networks; it will be determined whether there is any leakage in the information networks or any movement not normally expected; transaction records of all users will be regularly kept (such as login records) and security problems will be reported as soon as possible. An official reporting procedure is also developed for the employees to notify any security gaps detected in the systems and services and threats that could be made with the use of these security gaps. Evidences will be collected and safely retained if undesirable incidents occur such as collapse of the information system, malicious software, attacks made to inactivate the systems, entry of incomplete or inaccurate data, breaches of confidentiality and integrity or abuse of the information system.
6) Ensuring security of environments containing Personal Data: If Personal Data are stored in the devices of data controllers or in hardcopy format, physical security measures will be taken against risks of loss or stealing of these devices and papers. Physical environments where Personal Data are retained will be protected against external risks (fire, flood etc.) and entrance/exit to/from these environments is controlled.
If Personal Data is retained in an electronic environment, access between the network components can be limited or components will be segregated in order to prevent breach of the security with Personal Data. For example if Personal Data are processed in a certain area of the network that was segregated only for that purpose, available resources may be segregated in order to ensure the security of only this area rather than the whole network.
The same degree of security measures will be taken for the places where hardcopy documents are maintained, including any electronic environments and devices used to store Personal Data but located outside our premises. Security breaches involving Personal Data are mostly seen when devices containing Personal Data are lost or stolen (such as laptop computers, mobile phones, flash disks etc.). Besides that, Personal Data to be forwarded by e-mail or postal service will be sent carefully after taking necessary security measures. If the employees access the information system network by using their personal electronic devices, sufficient security measures will also be taken for these devices.
Against risks of loss or stealing of devices containing Personal Data, access control authorization and/or encryption methods are used. In that regard, encryption key is kept in an environment accessible to authorized personnel only in order to prevent any unauthorized access.
Documents containing Personal Data are maintained in locked cabinets in rooms accessible to authorized personnel only in order to prevent any unauthorized access to these documents.
Pursuant to article 12 of LPPD, our Company will notify KVK Board and data subjects without delay if Personal Data are obtained illegally by others. If it deems necessary, KVK Board will announce that breach on its internet site or by using another method.
7) Storage of Personal Data in the cloud: If Personal Data are stored in the cloud, the Company will evaluate the sufficiency of security measures taken by the provider of the cloud storage service. In that regard, the specific Personal Data stored in the cloud must be known in detail, such Personal Data shall be backed up and synchronized, and a two-layer identification control must be applied for remote access to the Personal Data when necessary. During storage and usage of the Personal Data retained in these systems, the data will be encrypted by using cryptographic methods and will be transferred to the cloud only after encryption, and separate encryption keys will be used in those areas in which Personal Data are retained and especially for each cloud solution provided to our Company. Once the cloud information services relation terminates, all copies of the encryption keys that could be used to render Personal Data usable will be destroyed. Accesses to the data storage areas where Personal Data are retained are logged, so that any improper access or access attempt can be notified to the authorities in real time.
8) Supply, development and maintenance of information technologies systems: The Company will take into consideration all kinds of security requirements while determining the need to procure or develop new systems or to improve existing systems.
9) Backup of Personal Data: If Personal Data are harmed, lost or stolen, the Company will use the backed up data in order to ensure continuity in its business. Personal Data that were backed up will be accessed only by the system manager and backups of data sets will be retained outside of the network.
Administrative Measures
• All activities conducted by our Company have been analyzed in detail in respect to each business department and as a result of this analysis, a process-based Personal Data processing inventory has been prepared. Risky areas in this inventory are determined regularly so that necessary legal and technical measures can be taken. (For example, documents to be prepared pursuant to KVKK requirements have been prepared after taking into account the risks affecting this inventory.)
• The Personal Data processing activities carried out by our Company are audited through information security systems, technical systems and legal methods. Policies and procedures are developed to ensure security of Personal Data and periodic controls are made for this purpose.
• From time to time, our Company procures the services of external service providers in order to meet its information technology requirements. Delegation of these service providers is made only after our Company confirms that at least same degree of security measures are taken by these service providers for the protection of Personal Data. In such cases, a written contract will be signed with the data processor which includes the below mentioned requirements as minimum:
• The data processor acts only in accordance with the instructions of the data controller and with the purpose and scope of data processing as stipulated in that contract and in line with the requirements of LPPD and other applicable legislation,
• The data processor acts in accordance with the Policy for Storage and Destruction of Personal Data,
• The data processor is subject to an obligation of maintaining the confidentiality of processed data indefinitely,
• In the event of a data breach, the data processor is obliged to inform the data controller immediately about that breach,
• Our Company is entitled to conduct or procure conduct of audits on the systems of the data processor used to process the Personal Data and to make an onsite examination of the audit reports and of the premises of the service provider,
• Data processor takes all technical and administrative measures to ensure security of the Personal Data; and
• Categories and types of Personal Data forwarded to the data processor will be detailed in another sector to the extent allowed by our relationship with the data processor.
• As already emphasized by the organization in its manuals and other publications, Personal Data are minimized as much as possible based on the data minimization principle, and Personal Data that are not really necessary, not updated or not serving a specific purpose will not be collected; if such data had been collected before the enactment of LPPD, they will be destroyed in accordance with the Policy for Storage and Destruction of Personal Data.
• Only expert personnel are employed in connection with technical issues.
• Provisions on confidentiality and data security are incorporated into the Employment Contracts to be signed with the employees during the recruitment process and the employees are required to comply with these provisions. The employees are regularly informed and trained about the law on protection of Personal Data and about taking necessary measures in accordance with this law. Roles and responsibilities of the employees are reviewed and their job definitions are revised for that purpose.
• Technical measures are taken in line with the technological developments and these measures are periodically controlled, updated and renewed.
• Access authorities are limited and regularly reviewed.
• Technical measures taken are regularly reported to the superiors and any risky matters are reviewed again to produce necessary technological solutions.
• Software and hardware containing antivirus systems and firewalls are installed.
• Backup programs are used to securely store the Personal Data.
• Security systems specifically developed for data storage areas are used; technical measures taken are regularly reported to the relevant personnel as part of the internal controls and any risky matters are reviewed again to produce necessary technological solutions. Any files/printouts to be kept in a physical environment are stored through the suppliers and are later destroyed in accordance with the applicable procedures.
• Top management gives utmost importance to the protection of Personal Data and a special committee is created (KVK Committee) for that purpose. A management policy is developed to regulate the work principles for KVK Committee and all tasks of KVK Committee are explained in detail in this policy.
A separate policy has been prepared and put into effect for the processing and protection of special Personal Data.
Under article 6 of LPPD, data related to race, ethnical origin, political thoughts, philosophical beliefs, religion, sect and other faiths, dressing/clothing styles, membership to foundation, associations or trade union, health condition, sexual life, criminal convictions and security measures as well as biometric and genetic data are accepted as special Personal Data since they pose a risk of unfair treatment and discrimination in the event they are processed unlawfully and processing of these data are made subject to more stringent rules.
In line with the requirements of article 10 of LPPD, related persons are informed when special Personal Data are to be obtained. Special Personal Data will be processed only after taking relevant measures and conducting/procuring conduct of necessary audits required under LPPD. Another condition to be met in order to process special Personal Data is to obtain explicit consent from the data subject. Our Company offers the possibility to the data subjects to declare their explicit consents in connection with certain data only or based on prior notification and exercising their free will.
As a rule, our Company obtains explicit consent from the Related Persons for the processing of special Personal Data only in writing. However, explicit consent from Related Persons will not be required pursuant to article 6/3 of LPPD if any of the conditions mentioned in article 5/2 of LPPD are relevant. Besides that, article 6/3 of LPPD stipulates that data concerning health condition and sexual life can be processed by authorized persons and establishments/organizations subject to a duty of confidentiality without obtaining explicit consent from the related persons, for the purpose of protecting public health, executing preventive medicine, medical diagnosis, treatment and care services, as well as planning the financing of and managing health-care services. Irrespective of the specific reason of processing, general data processing principles will be taken into account and will be complied with during the processing activities.
Our Company takes special measures for ensuring the security of special Personal Data. In line with the data minimization principle, special Personal Data will not be collected unless required for a business process and will be processed only to the extent necessary. In the event of processing special Personal Data, technical and administrative measures will be taken in order to comply with the legal obligations and ensure adaptation to the measures set forth by KVK Board.
Pursuant to article 11 of LPPD, as data subjects, you will have the rights listed below in connection with the Personal Data:
• Learning whether your Personal Data has been processed,
• Demanding information about processing if your Personal Data was processed,
• Learning the specific purpose of processing and whether they are used in accordance with relevant purposes,
• Learning the third persons to whom Personal Data was transferred in or out of the country,
• Requiring correction of your Personal Data if they had been processed inaccurately or deficiently and notification of this process to the third persons to whom Personal Data was transferred,
• Requiring deletion or destruction of your Personal Data under the relevant conditions and notification of this process to the third persons to whom Personal Data was transferred,
• Raising an objection against the results detrimental to you due to analysis of your Personal Data exclusively by automated means, or
• Claiming remedy for the losses incurred by you due to illegal processing of your Personal Data.
You may forward these demands to our Company without any charge by using any of the following methods stipulated under Application Communiqué:
1) After completing the form given at the address www.dogadan.com.tr/kvkk and putting your wet signature thereon, you shall personally deliver the form to the address Doğadan Çınar Mah. Duru Cad. No:11, Akyurt/Ankara (we remind that you shall also submit your identity card).
2) After completing the form given at the address www.dogadan.com.tr/kvkk and putting your wet signature thereon, you shall deliver the form to the address Doğadan Çınar Mah. Duru Cad. No:11, Akyurt/Ankara via a notary public.
3) After completing the form given at the address www.dogadan.com.tr/kvkk and putting your electronic signature thereon by using your “safe electronic signature” under the Law No. 5070 on Electronic Signature, you shall e-mail the form to the registered electronic mail address dogadan@hs02.kep.tr
4) You may forward the form in writing by using your e-mail address notified to our Company before and recorded in our system.
In this application, following information must be given:
Name, surname and signature if the application is in written form and ID Number for the citizens of Republic of Turkey, nationality, passport number or identification number, if any, for the foreigners; residence address or work address for notifications, electronic mail address, if any, for notifications, phone and fax number and subject of the request. Any information and documents supporting the application must be also enclosed.
It is not possible for the third persons to file an application on behalf of the Personal Data subjects. In order for a third person to make an application on behalf of the Personal Data subject, there must be a wet signed and notary public attested special power of attorney issued in the name of the person who will apply on his/her behalf. In the application you will make in order to exercise your above mentioned rights available to you as Personal Data subject, containing your explanations about the right you demanded to exercise, the matter in connection with which you make the demand must be given clearly and in an easily understandable manner and this matter must be directly related to you or if you are acting on behalf of another person, you must have been specifically authorized and this authority must have been documented and the application must contain identity and address details with documents confirming your identity to be enclosed to the application.
Your application will be finalized as soon as possible or at latest within 30 days. These applications are free of charge. However if the process requires the payment of extra costs, a fee defined on the tariff determined by the KVK Board may be charged.
If the Personal Data subject forwards his/her request to our Company by following the procedure detailed above, our Company will finalize the request without any charge as soon as possible or at latest within 30 days. However if the process requires the payment of extra costs, a fee defined on the tariff determined by the KVK Board will be charged to the applicant. Our Company may also demand information from the applicant in order to be sure that he/she is a Personal Data subject. Our Company may direct questions to the Personal Data subject about his/her application in order to clarify the matters indicated in the application.
Pursuant to article 14 of LPPD, you may file a complaint to the KVK Board within thirty (30) days after you learn the response given by our Company or within sixty (60) days after the application date if your application is rejected by our Company or if you find our response insufficient or if we fail to respond to your application in a timely manner.
Pursuant to article 28 of LPPD, owner of Personal Data will not be entitled to claim any rights in connection with the following conditions since they are not subject to LPPD requirements:
• Processing of Personal Data for the purposes of art, history, literature or science or as part of freedom of expression provided that such processing does not breach national defense, national security, public security, public order, economic security, confidentiality of private life or personality rights and that it does not constitute a crime.
• Processing of Personal Data for the purposes of research, planning or statistics after making the same anonymous through official statistics.
• Processing of Personal Data within the scope of preventive, protective or intelligence activities carried out by public establishments and institutions authorized and delegated by law for the purpose of ensuring national defense, national security, public security, public order or economic security.
• Processing of Personal Data by judicial authorities or enforcement officers in connection with an investigation, prosecution, trial or enforcement process.
Pursuant to article 28/2 of LPPD, owner of Personal Data will not be entitled to exercise any of their rights in the following conditions except for the right to claim remedy for the losses suffered after processing:
• If processing of Personal Data was necessary to prevent commission of a crime or to execute a criminal investigation.
• If Personal Data to be processed was made anonymous by the relevant data subject.
• If processing of Personal Data is to be made by delegated and authorized public establishments and institutions or professional organizations with the authority of law in order to perform audit or regulation activities or conduct a disciplinary investigation or prosecution.
• If processing of Personal Data is necessary to protect the economic and financial benefits of the State in connection with budgeting, taxation and financial affairs.
As already explained in detail above, your Personal Data may be stored and kept; classified as part of a market research or in relation to financial and operational processes or marketing activities; updated in different periods and transferred to 3rd persons and/or suppliers and/or service providers and/or our foreign shareholders to the extent allowed under the applicable legislation and in accordance with relevant laws and confidentiality principles and information may be forwarded and stored pursuant to the policies that are binding for us and due to reasons to be raised by competent authorities and may be also processed by means of reporting and records and documents may be issued to support the processing in hardcopy format.
In the event of a discrepancy between LPPD and other applicable legislation and this Policy, provision of LPPD and other applicable legislation shall prevail.
This Policy prepared by our Company was put into force as per a resolution rendered by the Board.
We would like to remind that we may make revisions in this Policy in line with the changes made from time to time in the applicable legislation and in our company policies. We will publish the most current version of this Notification in our web site.
Before login to the web site, the user/users irrevocably agreed, declared and undertook that they have read this Policy of the Protection of Personal Data; they will comply with all matters stipulated herein; and all consents of the web site and all electronic environment and computer records belonging to our Company will serve as conclusive evidence pursuant to article 193 of the Civil Procedure Law.
ABBREVIATIONS | |
---|---|
Law No 5651 | Law on Arrangement of Publications made in the Internet and Struggling with the Crimes Committed through these Publications as published in and put into effect with the Official Gazette dated 23.05.2007 and numbered 26530. |
Constitution of Republic of Turkey | Constitution of Republic of Turkey dated 07.11.1982 and numbered 2709 as published in the Official Gazette dated 09.11.1982 and numbered 17863. |
Application Communiqué | Communiqué on the Methods and Principles for Applications to the Data Controller as published in and put into effect with the Official Gazette dated 10.03.2018 and numbered 30356. |
Relevant Person/Relevant Persons or Data subject | Real person whose Personal Data is processed including but not limited to customers of Doğadan and/or of the group companies of Doğadan, its corporate customers with whom it has commercial relations, business partners, shareholders, authorities, employee candidates, trainees, visitors, suppliers, employees of the entities cooperating with Doğadan, third persons and other people. |
Regulation on the Deletion, Destruction and Making Anonymous of Personal Data | Regulation on the Deletion, Destruction and Making Anonymous of Personal Data as published in the Official Gazette dated 28.10.2017 and numbered 30224 and put into effect on 01.01.2018. |
LPPD | The Law on the Protection of Personal Data dated 24.03.2016 and numbered 6698 as published in the Official Gazette dated 07.04.2016 and numbered 29677. |
KVK Board | Personal Data Protection Board |
KVK Establishment | Personal Data Protection Establishment |
m. | Article |
Örn. | Example |
Policy | This Doğadan Policy on the Protection of Personal Data and Confidentiality |
Company | Doğadan Gıda Ürünleri Sanayi ve Pazarlama A.Ş. |
Turkish Criminal Code | Turkish Criminal Code dated 26.09.2004 and numbered 5237 as published in the Official Gazette dated 12.09.2004 and numbered 25611. |
Doğadan | Doğadan Gıda Ürünleri Sanayi ve Pazarlama A.Ş. |