PRIVACY AND PERSONAL DATA PROTECTION PRINCIPLES
1. PURPOSE AND SCOPE
These Privacy and Personal Data Protection Principles (hereinafter referred to as the "Principles") set forth the fundamental data protection principles adopted by BNS Gıda ve Turizm Hizmetleri Anonim Şirketi and its group companies (hereinafter referred to as the "Company") and aim to inform all relevant data subjects within the scope of Law No. 6698 on the Protection of Personal Data (hereinafter referred to as "Law No. 6698").
2. PRINCIPLES OF PERSONAL DATA PROCESSING
As the Data Controller, our Company processes personal data in accordance with the following principles:
2.1 Processing in Compliance with Law and the Principle of Good Faith
The processing of personal data is carried out in compliance with legal regulations, as well as the general principles of trust and good faith. In this regard, we strive to achieve our personal data processing purposes while considering the interests and reasonable expectations of data subjects, refraining from any misuse of rights, and ensuring transparency in our data processing activities.
2.2 Ensuring Accuracy and Keeping Personal Data Updated When Necessary
Recognizing the importance of data accuracy and timeliness, our Company periodically reviews and updates processed personal data to ensure that they remain accurate and up to date in line with legitimate interests. We have established internal mechanisms to verify the accuracy of data sources and implement necessary corrections when needed. Additionally, requests regarding inaccurate personal data are taken into account. This principle is fully aligned with the right to request the rectification of personal data as stipulated in Law No. 6698.
2.3 Processing for Specific, Explicit, and Legitimate Purposes
Personal data is processed for specific, explicit, and legitimate purposes. In this regard, we ensure that our data processing activities are clear and understandable to relevant individuals and explicitly state the purposes and legal bases for data processing under Article 3 of these Principles.
2.4 Processing Data in a Manner That is Relevant, Limited, and Proportionate to the Purpose
Personal data is processed in a limited and proportionate manner, strictly to achieve the intended purposes. We do not process personal data that is irrelevant to the stated purposes or unnecessary for fulfilling the processing objective. Furthermore, we do not collect or process personal data for speculative or potential future purposes that are not clearly defined at the time of collection.
2.5 Retention for the Period Prescribed by Law or Required for the Purpose of Processing
Your personal data is retained only for the period prescribed by the relevant legislation or as long as necessary for the purpose of processing. In this regard, the Company takes and implements the necessary administrative and technical measures. Within this scope, it is first determined whether a retention period for personal data is stipulated in the relevant legislation; if such a period is specified, compliance is ensured accordingly. If no specific period is determined, personal data is retained only for as long as necessary for the purpose for which it is processed. When the necessity for the relevant processes ceases to exist, access to your personal data by unrelated departments is prevented in accordance with the deletion procedure stipulated under Law No. 6698. Upon the expiration of the retention period or the elimination of the reasons necessitating processing, if there is no legal basis allowing for a longer retention period, your personal data is securely deleted or anonymized in compliance with the personal data protection legislation.
3. CONDITIONS FOR PROCESSING PERSONAL DATA
Your personal and special categories of personal data may be processed under the following conditions in accordance with Law No. 6698.
3.1 Explicitly Stipulated by Laws
The fundamental rule is that personal data cannot be processed without the explicit consent of the data subject. However, if personal data processing is explicitly stipulated by law, such data may be processed without the explicit consent of the data subject.
3.2 Inability to Obtain Explicit Consent Due to Actual Impossibility
If processing of personal data is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid, personal data may be processed without explicit consent.
3.3 Processing Required for the Establishment or Performance of a Contract
If personal data processing is directly related to the establishment or performance of a contract and is necessary for the execution of obligations under such contract, personal data may be processed without explicit consent.
3.4 Compliance with the Company’s Legal Obligations
If processing is mandatory for the Company to fulfill its legal obligations under applicable laws, regulations, contracts, or similar legal requirements, personal data may be processed without explicit consent.
3.5 Publicly Disclosed Personal Data
If personal data has been made public by the data subject, such data may be processed in a manner that is limited to and proportionate with the purpose of the disclosure.
3.6 Necessity for the Establishment, Exercise, or Protection of a Legal Right
If data processing is necessary for the establishment, exercise, or protection of a legal or commercial right belonging to the Company, personal data may be processed without explicit consent.
3.7 Processing Based on Legitimate Interests
If data processing is necessary for the legitimate interests of the Company, personal data may be processed without explicit consent. However, in such cases, the Company carefully evaluates the potential impact on the fundamental rights and freedoms of the data subject and makes a decision accordingly.
3.8 Processing Based on Explicit Consent
As a general rule, personal data is processed based on explicit consent. However, when any of the conditions listed in this article exist, personal data is processed without the need for explicit consent. Otherwise, it may constitute an abuse of rights. In this context, if none of the processing conditions set forth in these Principles apply, your personal data will be processed based on your explicit consent.
3.9 Processing of Special Categories of Personal Data
We process your special categories of personal data in accordance with Article 6 of Law No. 6698, provided that your explicit consent is obtained, it is explicitly stipulated by laws, it relates to personal data made public by the data subject and is in line with the intent of disclosure, it is necessary for the establishment, exercise, or protection of a legal right, or it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
4. TRANSFER OF PERSONAL DATA
Your personal and special categories of personal data may be transferred to domestic business partners, public institutions and organizations, or similar entities, as well as to foreign business partners, within the scope of Article 2 of these Principles. During such transfers, the Company ensures compliance with Articles 8 and 9 of Law No. 6698. If required, your explicit consent will be obtained before the transfer is carried out.
5. PRIVACY AND PERSONAL DATA PROTECTION PRINCIPLES
The Company takes all reasonable administrative and technical measures to ensure the security of personal data, prevent its unlawful processing, and protect against risks such as unauthorized access, accidental data loss, intentional deletion, or damage.
Necessary technical and physical measures are taken to prevent unauthorized access to personal data by individuals who do not have the appropriate authorization. In this regard, an authorization system is designed to ensure that individuals and systems cannot access personal data beyond what is required.
The Company conducts and ensures audits within its institution to ensure compliance with the provisions of Law No. 6698 (KVKK).
The security measures taken include the following:
o Network security and application security are ensured.
o A closed network system is used for personal data transfers over the network.
o Key management is implemented.
o Security measures are applied within the scope of IT system procurement, development, and maintenance.
o The security of personal data stored in the cloud is ensured.
o Disciplinary regulations that include data security provisions for employees are in place.
o Employees receive periodic training and awareness programs on data security.
o An authorization matrix has been established for employees.
o Access logs are regularly maintained.
o Institutional policies on access, information security, usage, retention, and destruction have been prepared and implemented.
o Confidentiality agreements are signed.
o The access rights of employees who change roles or leave the company are revoked.
o Up-to-date antivirus systems are used.
o Firewalls are implemented.
o Signed contracts include data security provisions.
o Personal data security policies and procedures have been established.
o Personal data security issues are reported promptly.
o The monitoring of personal data security is conducted.
o Necessary security measures are taken regarding physical access to environments containing personal data.
o Security measures are implemented to protect physical environments containing personal data from external risks (e.g., fire, flood).
o The security of environments containing personal data is ensured.
o The amount of personal data collected is minimized as much as possible.
o Personal data is backed up, and the security of backed-up personal data is ensured.
o User account management and authorization control systems are applied and monitored.
o Internal periodic and/or random audits are conducted.
o Existing risks and threats have been identified.
o Protocols and procedures for the security of sensitive personal data have been established and implemented.
o Intrusion detection and prevention systems are used.
o Penetration testing is conducted.
o Cybersecurity measures have been taken and are continuously monitored.
o Data encryption is implemented.
o Service providers processing data are periodically audited for data security compliance.
o Awareness is raised among service providers processing data regarding data security.
o Data loss prevention software is used.
6. RIGHTS OF DATA SUBJECTS, APPLICATION PROCEDURE, AND REQUIREMENTS
As a data subject, if you have a request regarding your rights under Article 11 of Law No. 6698 (KVKK), and if you are a citizen of the European Union, you may exercise your rights under the General Data Protection Regulation (GDPR), including withdrawing your explicit consent, obtaining information regarding your data and accessing it, rectifying, deleting, or restricting the processing of your personal data in certain cases, requesting data portability under specific conditions, objecting to the processing of your personal data, and other related rights.
You can submit your requests by filling out the Personal Data Protection Application Form, which can be obtained from our website, or through an application that meets the minimum requirements specified in the Communiqué on the Procedures and Principles of Application to the Data Controller, using the methods outlined below.
The Company will process your request as soon as possible and within a maximum of thirty (30) days, free of charge, depending on the nature of your request. However, if the request requires additional costs, a fee will be charged according to the tariff determined by the Personal Data Protection Board.
If your request is rejected, if you find the response inadequate, or if you do not receive a response within the specified time, you may notify us regarding this matter. Additionally, as a data subject, you have the right to apply to the competent data protection authority in your country within thirty (30) days from the date you receive our response, and in any case, within sixty (60) days from the date you submitted your application in compliance with the applicable regulations.
Application Method | Application Address
Electronic communication via KEP (Registered Electronic Mail) |
Communication sent via a registered email address in our system, or with a secure electronic signature or mobile signature |
Written application submitted in person or via notary | Küçükbakkalköy, Hazar Sk. No:17, 34758 - Ataşehir / İstanbul / Türkiye