Lokasyon
Change Delivery Location
or Sign Up

GÜLLÜOĞLU GIDA SANAYİ VE TİCARET ANONİM ŞİRKETİ PERSONAL DATA PROTECTION AND PROCESSING POLICY

1.1. PURPOSE OF THE POLICY

As Güllüoğlu Gıda Sanayi ve Ticaret Anonim Şirketi (the “Company”), we attach importance to the lawful processing and protection of the personal data per the Law on the Protection of Personal Data no. 6698 (“Law”). Within the framework of this Güllüoğlu Gıda Sanayi ve Ticaret Anonim Şirketi Personal Data Protection and Processing Policy (the "Policy"), the principles that are adopted in the execution of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations stipulated in the Law are explained, and thus our Company provides the necessary transparency by informing the personal data owners. With full awareness of our responsibility within this scope, your personal data are processed and protected within the scope of this Policy. Within this frame, the Policy covers all personal data processing activities of the Company as listed under the Law, the owners of all personal data processed by the Company, and all personal data processed.

1.2. SCOPE

This Policy is applied by our Company in the activities that are carried out for the processing and protection of all personal data of personal data owners. Detailed information about the personal data owners in question is specified in the "Personal Data Owners" list in ANNEX 1 of this Policy.

1.3. IMPLEMENTATION OF THE POLICY

The provisions of the relevant legislation applicable regarding the processing and protection of personal data will be applied primarily. In case of inconsistency or contradiction between the provisions of the applicable legislation and the provisions of the Policy, our Company accepts that the provisions of the applicable legislation will be applied. The Policy regulates the rules laid down by the relevant legislation by concretizing them within the scope of the Company's practices.

1.4. ENFORCEABILITY OF THE POLICY

This Policy that has been issued by our Company is dated [01.01.2020]. In case the whole or certain articles of the Policy are renewed, the enforcement date of the Policy will be updated. This Policy is published on the website of our Company (https://www.karakoygulluoglu.com) and presented to the access of the relevant persons upon the request of the Personal Data Owners. The Company reserves the right to make changes in the Policy per the legal regulations.

2. TERMS ON THE PROTECTION OF PERSONAL DATA

2.1. ENSURING SECURITY OF THE PERSONAL DATA

Per article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected to prevent the unlawful disclosure, access, transfer, or security deficiencies that may occur in other ways. Within this scope, our Company takes all necessary (i) administrative and (ii) technical measures to ensure the required level of security per the guidelines published by the Personal Data Protection Board ("Board"), (iii) conducts audits or have audits conducted within the company, and (iv) ) acts per the measures stipulated in the Law in case of unlawful disclosure of personal data.

(i) Administrative Measures Taken by our Company to Ensure Lawful Processing Of Personal Data and to Prevent Unlawful Access to Personal Data

•Our Company trains and raises awareness of its employees regarding the legislation on the protection of personal data.
•In cases where personal data is subject to transfer, it is ensured that records, which state that the party to whom the personal data is transferred will fulfil its obligations to ensure data security, are added to the contracts that are concluded by our Company with the persons to whom the personal data is transferred.
•The personal data processing activities executed by our Company are reviewed in detail, within this scope, the steps required to be taken to ensure compliance with the personal data processing conditions stipulated in the Law are determined.
•Our Company determines the practices that must be fulfilled to comply with the Law and regulates these practices with internal policies.

(ii) Technical Measures Taken by our Company to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

•Concerning the protection of personal data, our Company takes technical measures to the extent that technology allows, and the measures taken are updated and improved in parallel with the developments.
•Experts are employed in technical matters.
•Inspections are conducted at regular intervals for the implementation of the measures taken.
•Software and systems to ensure security are established.
•Authorization of access to personal data being processed within our Company is limited to the relevant employees per the specified processing purpose.

(iii) Executing Audit Activities Regarding the Protection of Personal Data

•The compliance of technical measures, administrative measures, and practices taken by our Company within the scope of protecting personal data and ensuring its security with the relevant legislation, policies, procedures, and instructions, and their functioning and efficiency are audited by our Company's internal audit units. Our company may perform the audit activity in question through its own organization, or may outsource to external audit companies. The results of the performed audit activities are reported. It is the primary responsibility of the process owners to regularly follow up the actions that are planned regarding the audit results.

(iv) Measures to be taken in Case of Disclosure of Personal Data in Illegal Ways

•Within the scope of the personal data processing activity carried out by our Company, in case the personal data is obtained by unauthorized persons unlawfully, the situation is notified to the Board and the relevant data owners without any delay.

2.2. INCREASING AWARENESS AND AUDIT OF BUSINESS UNITS ABOUT PROTECTION AND PROCESSING OF PERSONAL DATA

All organs and departments of our Company are responsible for observing compliance with this Policy. Our Company provides necessary trainings for business units to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data, and to protect data. Our Company establishes necessary systems to raise awareness of existing employees and new employees about the protection of personal data and works with consultants if deemed necessary for the subject.

3. TERMS ON THE PROCESSING OF PERSONAL DATA

3.1. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

Personal data are processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. Our Company acts with the following principles when processing personal data:

(i) Processing in Accordance with the Law and Good Faith

Our Company acts in accordance with the laws, secondary regulations and general principles of the law for the processing of your personal data; attaches importance to processing personal data as limited to the purpose of processing and considers the reasonable expectations of data owners.

(ii) Ensuring Accuracy and Up-to-Dateness, if Required, of Personal Data

Our Company takes the necessary measures to keep personal data accurate and up-to-date during the processing of personal data, and Personal Data Owners are entitled to request correction or deletion of their incorrect and outdated data.

(iii) Processing for Specific, Explicit, and Legitimate Purposes

Our Company reveals the purposes of processing personal data and processes within the scope of the purposes related to these activities in accordance with its business activities

(iv) Being Associable, Limited and Measurable with the Purpose of Processing

Our Company limits its data processing activity with the personal data required to achieve the purpose of collection and collects personal data only in nature and extent required by the business activities and processes for the determined purposes.

(v) Retaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing

Our Company retains personal data for the time required for the purpose of processing and for the minimum period stipulated in the relevant legal legislation. Within this scope, our Company initially determines whether a period is stipulated for the storage of personal data in the relevant legislation or not, and if a period is specified, acts in accordance with such period. If there is no legal period, personal data are stored for the time required for the purpose of processing. Personal data are destroyed at the end of the stated storage periods in accordance with the periodic destruction periods or to the application of the data owner and through the determined destruction methods (deletion and/or destruction and/or anonymization).

3.2. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data of Personal Data Owners are processed by our Company in the presence of at least one of the personal data processing conditions that have been provided in article 5 of the Law. Explanations regarding these conditions are as follows:

(i) Obtaining the Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data owner. Personal data processing activity is carried out by our Company in case the Personal Data Owner gives consent to the processing of data about him/herself freely, by having adequate information on the subject, explicitly as to not leave any room for doubt and by being limited only to that transaction. The explicit consent of the Personal Data Owner should be explained on a specific subject, as based on the information and with free will. In the presence of the following personal data processing conditions, personal data can be processed without the explicit consent of the data owner.

(ii) Being Clearly Stipulated in the Laws

If the personal data of the data owner is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the relevant law, then the presence of this data processing requirement may be mentioned. In this case, the Company will process personal data within the framework of the relevant legal regulation.

(iii) Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility

Personal data that are belonging to the data owner who is unable to disclose his/her consent due to the actual impossibility or to whom no validity can be granted for the consent may be processed by our Company if it is compulsory to process the personal data of the data owner or another person to protect his/her life or bodily integrity.

(iv) Being Directly Related to the Establishment or Execution of the Contract

Provided that it is directly related to the establishment or execution of a contract between the data owner and our Company, personal data processing activity will be performed if it is necessary to process personal data.

(v) Fulfilment of Legal Obligation by the Company

The personal data of the data owner can be processed if it is compulsory to process data for enabling our Company fulfil its legal obligations.

(vi) Publicizing Personal Data of Personal Data Owner

If the data owner has made his/her personal data public in any manner, then the relevant personal data may be processed in a limited way for the purpose of publicizing.

(vii) Being Compulsory to Process Data for the Establishment or Protection of a Right. The personal data of the data owner can be processed if it is compulsory to process data for the establishment, use, or protection of a right.

Bir hakkın tesisi, kullanılması veya korunması için veri işlemenin zorunlu olması halinde veri sahibinin kişisel verileri işlenebilecektir.

(viii) Being Compulsory to Process Data for the Legitimate Interest of our Company, Provided to not Harm the Fundamental Rights and Freedoms of the Data Owner

Provided that the balance of interests of our Company and the data owner is observed, the personal data of the data owner can be processed if it is compulsory to process data for the legitimate interests of our Company, provided to not harm the fundamental rights and freedoms of the Personal Data Owner.

3.3. PROCESSING SENSITIVE PERSONAL DATA

3.3. General Approach to the Processing of Sensitive Personal Data

Special attention has been referred to sensitive personal data in the context of the Law due to the risk of victimization or discrimination of people when processed illegally. These "sensitive" personal data are; race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures related data, and biometric and genetic data.
Sensitive personal data is processed by our Company in accordance with the principles set out in this Policy and in the presence of the following conditions:
•Sensitive personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is clearly stipulated by the law, in other words, if there is a clear provision in the law on the processing of personal data in another way. Otherwise, the explicit consent of the data owner shall be obtained.
. •Sensitive personal data concerning the health and sexual life shall be processed without the explicit consent by the persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, protecting physicians, executing medical diagnosis, treatment and care services, planning and managing health services and financing. Otherwise, the explicit consent of the data owner shall be obtained.
Our Company performs the necessary procedures to take the administrative and technical measures that have been determined by the Board in the processing of the Sensitive Personal Data.

3.3.2 General Approach to the Processing of Employees' Health Data Not Processing Health Data Unless It Is Compulsory and Storing Separately

•Not Processing Health Data Unless It Is Compulsory and Storing Separately

Health data are among the sensitive personal data. The health data of the employees, particularly the accident, health, and illness reports of the employees, are stored separately from other personal data. The use of the health data of the employee is avoided as much as possible when using the information regarding the days of absence or the accident and other incidents involving the employee.

•Processing Health Data as Associated, Limited, and Measurable to the Stated Purpose

Our Company ensures that only the really required information is collected during the health tests and examinations of the employees and pays attention not to ask for unnecessary information.

•Identifying the Persons to Process Health Data

It is ensured that the Company's employees who will process the health data or authorize employees to process the health data are informed about the relevant legislation and established policies. The health data of the employee are analysed by people who are competent to perform this task. Our Company pays attention to clearly inform the employees for what purposes the health data are used and who accessed these data for what purposes.

•Sharing Health Data and Accessing Such Data

The legal obligations imposed for sensitive personal data are taken into consideration when sharing the health data and the sharing proceedings are performed in accordance with these obligations.

• Processing of Health Data Obtained from Examinations and Tests

•Notification of Company's Policy Regarding Processing Health Data to Employees

Our Company pays attention to ensure that policies that are followed regarding the processing of employee health data are transparent. Our Company determines the conditions regarding the places where the health tests will be performed, the quality of the tests, and how the data obtained from the test will be used and protected. Pays attention to inform the employees about these conditions.

•Processing of Health Data of Potential Candidates to be Recruited via Examinations and Tests

Our Company may request the performance of tests to the relevant candidate to decide on whether the potential candidate to be recruited is appropriate for such job or not. It may also perform these tests to fulfil any of its legal obligations or to identify the type of insurance to which the potential employee will subject. Our Company priorly determines the purposes of the examination and tests. Also by considering the purposes, our Company follows methods to involve the health data of the person at the minimum level. The medical examination or health test is carried out during the recruitment process if only the recruitment possibility of the person is high. During the initial period of the job application process, our Company informs the candidate on the performance of the health examination or test if the recruitment possibility is high.

•Collecting Health Data of Employees via Examinations and Tests

Our Company may collect the health data of the employee through medical examinations and tests within the scope of the occupational health and safety program. Participation in examinations and tests other than compulsory examinations and tests according to legal regulations is left to the own choice of the employee. Our Company priorly determines the purposes of the examination and tests.

•Not Using the Samples Obtained from the Examination Besides for the Specified Purpose of Processing

Our Company clearly informs the employees about the purpose of health checks and tests. Under any circumstances, our Company does not collect the biometric/genetic samples (fingerprints, hair, etc.) belonging to the employee in a secret manner. Activities that are carried out by basing on the legal reasons constitute an exception

3.4. TRANSFER OF PERSONAL DATA

Our Company is entitled to transfer personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons) within the home country [or abroad] by taking the necessary security measures in accordance with the legal personal data processing purposes. In this direction, our Company acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law and additional regulations that have been determined by the Board. Detailed information on this subject is provided in the "Third Persons to whom Personal Data Is Transferred by Our Company and Purposes of Transfer" titled document given in ANNEX 2 of this Policy.

3.4.1 Transfer of Personal Data

In accordance with the additional regulations that have been listed in Articles 8 and 9 of the Law and determined by the Board; if there are conditions to transfer personal data, our Company may transfer personal data within the home country or abroad.
• Transfer of personal data to third parties within the home country: In case one or more of the data processing conditions that have been specified in Article 5 and 6 of the Law and explained under the 3.2 numbered heading of this Policy are present, then the personal data can be transferred to third persons through the due diligence of our Company and taking all security measures required, including the methods foreseen by the Board.
• Transfer of personal data to third parties at abroad: In case one or more of the data processing conditions that have been specified in Article 5 and 6 of the Law and explained under the 3.2 numbered heading of this Policy are present, then the personal data can be transferred to abroad through the due diligence of our Company and taking all security measures required, including the methods foreseen by the Board, provided that the country to which the transfer will be performed is among the countries that have sufficient protection as announced by the Board or if the relevant foreign country does not have sufficient protection, the data controllers in Turkey and relevant foreign country guarantee sufficient protection in written and get the approval of the Board.


3.4.2. Transfer of Sensitive Personal Data

Sensitive personal data can be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
•Sensitive personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is clearly stipulated by the law, in other words, if there is a clear provision in the law on the processing of personal data in another way. Otherwise, the explicit consent of the data owner shall be obtained.
•Sensitive personal data concerning the health and sexual life shall be processed without the explicit consent by the persons or authorized institutions and organizations under the obligation of confidentiality to protect public health, protecting physicians, executing medical diagnosis, treatment and care services, planning and managing health services and financing. Otherwise, the explicit consent of the data owner shall be obtained.
If the country to which the transfer will be performed is not among the safe countries to be announced by the Board, then the sensitive personal data can be transferred to third parties abroad upon the permission of the Board following the written commitment of the Company and data controller in the relevant country on sufficient protection.

4. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

The personal data are processed by at our Company through informing the related persons in accordance with article 10 of the Law and the secondary legislation, and according to the personal data processing purposes of our Company, by basing on and being limited to at least one of the personal data processing conditions stipulated in articles 5 and 6 of the Law, and according to the general principles stipulated in the Law, including the principles stated in the article 4 of the Law for the processing of personal data. Within the framework of the purposes and conditions specified in this Policy, the processed personal data categories and detailed information about categories are specified in the "Personal Data Categories" document given in ANNEX 3 of the Policy.
Detailed information regarding the processing purposes of personal data processed by our Company is specified in the "Personal Data Processing Purposes" document given in ANNEX 4 of the Policy.

5. THE METHOD AND LEGAL REASON OF COLLECTING PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION AND STORAGE TIME

5.1. METHOD AND LEGAL REASON OF COLLECTING PERSONAL DATA

To check its compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, the Personal Data is collected in any verbal, written, electronic platform; via technical and similar methods, through the call centre, Company's internet site, etc. manners, to achieve the objectives stipulated in the Policy and/or for the complete and accurate fulfilment of the liabilities arising from the law within the framework of the legislation, contract, request, and optional legal reasons, and they are processed by the Company and/or the data processors who are commissioned by the Company.

5.2. STORAGE PERIOD OF PERSONAL DATA

Our Company retains personal data for the time required for the purpose of processing and for the minimum period stipulated in the relevant legal legislation. Within this scope, our Company initially determines whether a period is stipulated for the storage of personal data in the relevant legislation or not, and if a period is specified, acts in accordance with such period. If there is no legal period, personal data are stored for the time required for the purpose of processing. Personal data are destroyed at the end of the stated storage periods in accordance with the periodic destruction periods or to the application of the data owner and through the determined destruction methods (deletion and/or destruction and/or anonymization).
If the purpose of processing personal data has expired; if the storage periods determined by the relevant legislation and our Company have ended; then the personal data can only be stored to constitute evidence for potential legal conflicts or for the purpose of claiming a personal data related right or to establish a defence. For the establishment of the periods hereof, the storage periods are determined by basing on the time-out periods for the claiming of the mentioned right and the examples in the requests that have been directed to our Company previously for the same subjects although the time-out periods have expired. In this case, the stored personal data is not accessed for any other purpose, and access to relevant personal data is provided only when it is required to be used in the relevant legal dispute. Here, also, the personal data are deleted, destroyed, or anonymized after the expiry of the aforementioned period.


5.3. DELETION, DESTRUCTION OR ANONYMIZING OF PERSONAL DATA

Provided that the provisions of other laws regarding the deletion, destruction, or anonymization of personal data are reserved, the Company deletes, destructs or anonymizes the personal data ex officio or upon the request of the data owner in case the reasons for processing are eliminated, although the Company has processed in accordance with the provisions of the Law and other laws. Following the deletion of personal data, these data are destructed in a way that they cannot be used and retrieved in any way. Accordingly, personal data are deleted from tools such as documents, files, CDs, floppy disks, hard disks in which they are recorded in a way that they cannot be recycled. Destruction of personal data refers to the destruction of materials appropriate for data storage such as documents, files, CDs, floppy disks, hard disks in which the data are recorded in a way that the information cannot be retrieved and used. The anonymization of data means the process of making personal data non-linkable with an identified or identifiable natural person under any circumstances, even if they are matched with other data.

6. RIGHTS OF PERSONAL DATA OWNERS AND THE USE OF THESE RIGHTS

6.1. CLARIFICATION OF PERSONAL DATA OWNER

Our Company carries out the necessary processes to ensure that data owners are informed during the acquisition of personal data in accordance with Article 10 of the Law and secondary legislation. Within this scope, the information listed below is included in the clarification texts provided by our Company to data owners:
•The title of our company,
•For what purpose the personal data of data owners will be processed by our Company,
•To whom and for what purpose can the processed personal data be transferred,
•The method and legal reason for collecting personal data,
•Other rights of the data owner listed in Article 11 of the Law.

6.2. RIGHTS OF PERSONAL DATA OWNER

Our Company informs Personal Data Owners about their rights in accordance with Article 10 of the Law; provides guidance on how to use their rights in question and performs the necessary internal functioning, administrative and technical regulations for all of these. Pursuant to Article 11 of the Law, Personal Data Owners have the following rights:
•To learn whether their personal data is processed or not,
•To ask for information about personal data if their personal data are processed,
•To learn the purpose of processing their personal data and whether they are used as intended or not,
•To know the third person to whom their personal data is transferred at home or abroad,
•In case of the incomplete or inaccurate processing of personal data, to request the rectification of the incomplete or inaccurate data, and to ask for the notification of such to the third parties to whom their personal data have been transferred,
•Although the fact that it has been processed in accordance with the provisions of the Law and other relevant laws, in case the reasons requiring its processing cease to be, then to request the deletion or destruction of their personal data and to notify the third parties to whom the personal data has been transferred,
• To object to the occurrence of a result against the person through analysing the processed data exclusively through automated systems,
•To demand the damage be compensated in the event of damage due to the processing of personal data unlawfully.

BULLETIN

Hear about our innovations and specialties.

Click on our newsletter to get our innovations and latest news directly to your mailbox. Sign up.