CHAPTER 1 – INTRODUCTION
1.1. INTRODUCTION
1.2. PURPOSE AND SCOPE OF THE POLICY
1.3. IMPLEMENTATION OF THE LEGISLATION
SECTION 2 – PROCESSING OF PERSONAL DATA
2.1. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
2.2. CONDITIONS FOR PROCESSING PERSONAL DATA
2.2.1. Processing of Personal Data of General Nature
2.2.2. Processing of Special Categories of Personal Data
SECTION 3 – PROTECTION OF PERSONAL DATA
3.1. SECURITY OF PERSONAL DATA
3.1.1. Lawful Processing of Data
3.1.2. Unlawful Access Blocking
3.1.3. Storing Personal Data in a Secure Environment
3.2. SUPERVISION OF THE IMPLEMENTATION OF THE PROVISIONS OF THE LAW
3.3. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
SECTION 4 – MEASURES FOR THE PROTECTION OF PERSONAL DATA
SECTION 5 – TRANSFER OF PERSONAL DATA TO THIRD PARTIES
SECTION 6 – STORAGE OF PERSONAL DATA
6.1. LEGAL OBLIGATIONS OF THE COMPANY
6.2. DELETION, DESTRUCTION and ANONYMIZATION OF PERSONAL DATA
6.2.1. Deletion of Personal Data
6.2.2. Destruction of Personal Data
6.2.3. Anonymization of Personal Data
6.3. PERSONAL DATA STORAGE PERIODS
6.4. PERSONAL DATA INVENTORY
CHAPTER 7 – RIGHTS OF THE PERSONAL DATA SUBJECT
7.1. RIGHTS OF PERSONAL DATA OWNER and TERMS FOR USING THEIR RIGHTS
7.2. OBSERVANCE OF THE RIGHTS OF THE PERSONAL DATA SUBJECT
7.3. SITUATIONS WHERE THE PERSONAL DATA OWNER CANNOT CLAIM RIGHTS
SECTION 8 – PROCESSING OF PERSONAL DATA OF PROSPECTIVE EMPLOYEES
CHAPTER 9 – THE COMPANY’S BUSINESS WITHIN THE COMPANY’S FACILITIES AND THROUGH ITS INTERNET WEBSITE
PERSONAL DATA PROCESSING ACTIVITIES
9.1. CAMERA SURVEILLANCE CONDUCTED AT ENTRANCES AND INSIDE THE COMPANY’S BUILDING FACILITIES
ACTIVITY
9.2. MONITORING OF GUEST ENTRANCES AND EXITS TO THE COMPANY’S BUILDING FACILITY ENTRANCES
9.3. RECORDS OF INTERNET ACCESS PROVIDED TO THE COMPANY’S GUESTS
STORAGE AND WEBSITE VISITORS
SECTION 10 – ENFORCEMENT and UPDATEABILITY
Annex 1: DEFINITIONS
ANNEX-2: ABBREVIATIONS

CHAPTER 1 – INTRODUCTION
1.1. INTRODUCTION

Law No. 6698 on the Protection of Personal Data (“KVKK”) introduces important regulations regarding the protection and lawful processing of personal data. Protection of personal data is among the most important priorities of Natura Gıda Sanayi ve Ticaret A.Ş. (“Company”).

In particular, it is the basis of our company data policy to show the utmost care about access to the private life and information of individuals, to take effective and deterrent measures in this regard; to be transparent to our customers, potential customers, visitors, company officials, all of the parties and institutions we cooperate with, in short, to each person who is directly or indirectly connected with our company and whose data we process.

With this Policy, our Company determines and realizes our rules for the processing of personal data within the framework of the principles of transparency and openness.

1.2. PURPOSE AND SCOPE OF THE POLICY

The main purpose of this policy is to protect the fundamental rights and freedoms of the persons whose data are processed, especially the privacy of private life in the processing of personal data, and in this sense, to ensure that every activity of our Company is carried out in accordance with the rules specified here. The scope of the provisions of this policy is the personal data of the persons whose data we process directly or indirectly.

1.3. IMPLEMENTATION OF THE LEGISLATION

In case of incompatibility between the legislation in force and our policy
legislation will be applied as a priority and more specific objectives outside of this basic policy
If there are other policies or regulations established for the same subject matter for
Articles containing provisions shall apply. Other policies and documents shall apply to this policy and related
provisions in conflict with the legislation shall not apply.

SECTION 2 – PROCESSING OF PERSONAL DATA
2.1. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

While processing the data of individuals, the data must be obtained and processed in accordance with the law and good faith during the processing process. Our Company processes the data with the utmost sensitivity and control in accordance with the law and honesty rules.

The processed data must be accurate and up-to-date. Our Company checks the accuracy of the processed data at each processing level and makes the necessary preparations to keep it up to date when necessary.

During the processing of data, it must be clear which data is processed, how much of it is processed, and for what purpose it is processed, and it must be lawful, i.e. legitimate. Our company processes data only for legitimate purposes and takes care to ensure that the data to be obtained during this processing is specific. Our Company processes the data in a clear and unambiguous manner in order not to use the information obtained for different purposes and not to cause misunderstanding.

The data must be processed in a controlled manner that is loyal to the purpose of processing, limited to the purpose related to that purpose and in a measured manner. Our company processes the data of data subjects in a measured manner, only for the purpose for which they are processed and limited to that purpose.

Processed personal data must be stored in accordance with the period in the relevant legislation or the period specified in the relevant purpose. In this context, our company primarily retains personal data limited to these periods if a period of time is stipulated in the relevant legislation for the retention of personal data. If a period of time is not specified in the legislation or there is no legal reason for keeping the data for a longer period of time, our company keeps personal data for the period required for the purpose for which they are processed. Thus, the security of data subjects is maximized
(Section 6.4 for detailed information). In accordance with the provisions of this policy and all relevant legislation, our employees who carry the title of data processor are under an unlimited confidentiality obligation regarding personal data.

2.2. CONDITIONS FOR PROCESSING PERSONAL DATA
2.2.1. Processing of Personal Data of General Nature

All kinds of personal data processed by our Company that do not fall into the category of special categories of personal data are in the general category of personal data.

Personal data cannot be processed without the explicit consent of the data subject. In the presence of one of the following conditions, it is possible to process personal data without the explicit consent of the data subject:

a) Explicitly stipulated in the law
b) It is mandatory for the protection of the life or bodily integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, or of another person
c) Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract
d) It is mandatory for the data controller to fulfill its legal obligation
e) It has been made public by the person concerned
f) Data processing is mandatory for the establishment, exercise or protection of a right
g) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

2.2.2. Processing of Special Categories of Personal Data

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.

It is prohibited to process sensitive personal data without the explicit consent of the data subject.
Personal data other than health and sexual life listed in the first paragraph can be processed without the explicit consent of the person concerned in cases stipulated by law.

Our Company obtains the explicit consent of the relevant data subjects while processing and storing special quality data for keeping records of private health problems.

Personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject.

In the processing of special categories of personal data, adequate measures determined by the Personal Data Protection Board must also be taken.

SECTION 3 – PROTECTION OF PERSONAL DATA
3.1. SECURITY OF PERSONAL DATA

In accordance with Article 12 of the Law on the Protection of Personal Data, our Company, in its capacity as Data Controller;

To prevent unlawful processing of personal data,
To prevent unlawful access to personal data,
In order to ensure the protection of personal data, it is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security.

In order to ensure that personal data is processed in accordance with the law by our Company, all kinds of technical and administrative measures are taken according to technological possibilities and implementation cost. Personal data learned by data controllers and data processors cannot be disclosed to others in violation of the provisions of this law and cannot be used for purposes other than processing.

Necessary training has been provided to the company personnel on technical issues; awareness of the employees on this issue is created and audits are carried out. This ensures the employment of knowledgeable personnel within the company. The relevant department of our company and our contracted legal consultancy company work in coordination in this regard.

3.1.1. Lawful Processing of Data

The main technical and technical measures taken by our company to ensure that personal data is processed in accordance with the law
administrative measures are as follows:
– Personal data processing activities carried out within our company are carried out with technical systems
audited and reported to the relevant persons.
– The personal data processing activities carried out by the business units of our Company and these
compliance of the activities with the personal data processing conditions required by Law No. 6698
The requirements to be fulfilled in order to ensure that each department and the relevant unit
is determined specific to the activity it carries out.
– To ensure compliance with the law and to comply with the procedure prepared for the relevant departments
compliance, continuity and supervision; administrative measures, internal policies and trainings
through the use of the Internet.
3.1.2. Blocking Unlawful Access
Our Company may prevent the disclosure or access of personal data in an imprudent or unauthorized manner,
of the data to be protected in order to prevent its transfer or any other form of unlawful access
takes technical and administrative measures according to their nature.
The main technical and administrative measures taken by our Company to prevent unlawful access to personal data
The measures are as follows
– Access and authorization technical solutions and technical measures taken periodically
the issues that pose a risk are re-evaluated and the necessary technological
solution is produced. Including logging, virus protection systems and firewalls
software and hardware are installed.
– Technically knowledgeable personnel are employed.
– In accordance with business unit-based legal compliance requirements, personal data is accessed within the company.
access and authorization processes are designed and implemented.
– Employees may use the personal data they learn in accordance with the provisions of the Personal Data Protection Law and
disclose to others in violation of all other relevant legislation and for the purpose of processing
and that this obligation shall not continue after they leave office.
6
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
will continue and accordingly, they are informed of the necessary
commitments are received.
– With the persons to whom personal data are transferred by our Company in accordance with the law
to the contracts concluded; the persons to whom personal data are transferred, the protection of personal data
to take the necessary security measures for the purpose of the security measures to be taken and/or
mutual memorandums of understanding are signed.
3.1.3. Storage of Personal Data in a Secure Environment
Our Company ensures that personal data are stored in secure environments and destroyed for unlawful purposes.
the technical and administrative measures necessary to prevent the loss, destruction or alteration of
is taken. The main measures taken by our Company to store personal data in secure environments
technical and administrative measures are as follows:
– In order to store personal data in secure environments, technological developments
systems are used.
– Personnel specialized in technical issues are employed.
– Technical security systems are established for storage areas and technical
measures are reported to the relevant person, the issues that pose a risk are re-evaluated
necessary technological solution is produced.
– In order to ensure that personal data is stored securely, a lawful
backup programs are used.
– Non-digital data is kept in locked cabinets and only authorized
will be accessible by individuals.
3.2. SUPERVISION OF THE IMPLEMENTATION OF THE PROVISIONS OF THE LAW
Pursuant to paragraph 3 of Article 12 of the Law on the Protection of Personal Data, the Data Controller
institution or organization, necessary to ensure the implementation of the provisions of this law
audits or have them done.
Our company and our contracted legal consultancy company are responsible for the establishment of the above-mentioned data security
and conducts the necessary inspections to ensure the regularity and continuity of the measures taken
and/or have it done. The results of these audits shall be reviewed within the scope of the internal functioning of our company.
department or management and necessary measures are taken to improve the measures taken.
activities in accordance with the Personal Data Protection Law and other legislation and this company policy
is carried out in this way.
Our Company prohibits unlawful processing of personal data, unlawful access to data
to raise awareness to prevent access and ensure data protection
trainings, seminars and sessions conducted to organize necessary trainings for business units
through the Company. In parallel with the updating of the relevant legislation
updates and renews its trainings. On the protection of personal data
necessary systems are established to raise awareness, and audits on the subject are conducted by our company.
relevant department and our contracted legal consultancy company.
The activities carried out to raise awareness on the protection and processing of personal data
training results are reported to our company and participation in such trainings is reported to our company.
and controlled by the Ministry of Environment and Urbanization.
7
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
3.3. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
In terms of crimes related to unauthorized disclosure of personal data, the Turkish Penal Code No. 5237 No. 135
The provisions of Articles 140 to 140 and all relevant legislation shall apply. The provisions of all relevant legislation
Our company notifies employees and relevant persons. Records personal data in violation of the law,
unlawfully transfers, disseminates or obtains personal data to another person, in violation of the laws
does not destroy the data within the system despite the expiry of the deadlines determined by the Personal Data
contrary to the provision of Article 7 Article 3 of the Protection Law; storing personal data or
does not delete personal data despite the disappearance of the reasons that legitimize the processing of personal data or
real persons who do not anonymize the company are subject to imprisonment pursuant to Article 138 of the Turkish Penal Code.
shall be punished with a fine. Deletion, destruction or anonymization of personal data
The procedures and principles regarding the introduction of personal data shall be regulated by regulation.
According to the regulations made in the Turkish Penal Code, personal data may be illegally transferred to a
The person who gives this data to another person, disseminates or obtains this data illegally, shall be sentenced to two years to four years
shall be sentenced to imprisonment for a term of imprisonment which may extend to imprisonment for a term of imprisonment up to
The person who commits this offense by taking advantage of the personal data shall be punished with the qualified form of the penalty. Personal data
the company that commits the offense of viewing, obtaining or hacking data without authorization to process it
employee will be notified to the personal data subject, prosecutor’s office and relevant authorities without delay and
necessary procedures will be carried out and will be punished for the qualified form of the crime.
Pursuant to the provision regulated under the title of Misdemeanors in the Personal Data Protection Law
fail to fulfill the disclosure obligation or obligations regarding data security,
Those who fail to fulfill the decisions taken by the Board or who fail to register with the Data Controllers Registry and
Administrative fines are also imposed on those who violate the notification obligation.
CHAPTER 4 – MEASURES FOR THE PROTECTION OF PERSONAL DATA
In order to ensure the enforcement of our Company’s Policy on the Protection and Processing of Personal Data, a
management structure.
In order to manage this Policy and other policies connected and related to this Policy within the Company
committee is being established. The duties of the committee are stated below:
– To review the basic policies on the Protection and Processing of Personal Data and, if necessary
to prepare amendments to these policies
– Implementation and enforcement of policies on the Protection and Processing of Personal Data
to decide how the follow-up will be carried out
– Making internal assignments and ensuring coordination
– To ensure compliance with the Law on the Protection of Personal Data and related legislation
to determine the necessary matters and to ensure the implementation of these matters
– Cooperation within and with the Company on the Protection and Processing of Personal Data
to raise awareness among institutions and organize trainings in this context
– By identifying the risks that may arise in the personal data processing activities of the company, necessary
to ensure that measures are taken
– To resolve the applications of personal data subjects at the highest level
– To follow developments and regulations on the protection of personal data and
take necessary actions
In addition to these duties, the Committee also fulfills other duties assigned by the senior management. Committee
All activities are carried out with the approval of the senior management.
8
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
Our Company, the contracted legal consultancy company and the Personal Data Protection Board
designate a Contact Person for the communication to be established and notify the registry at the time of registration
is obliged. The contact person(s) is/are authorized to do this work within our company.
is a real person who is a member of the department(s).
According to the Data Controllers Registry Regulation, our Company defines the function of the contact person as
As a point, the requests of the data subjects to the data controller should be processed quickly and effectively.
to ensure that the data subject’s personal data are answered. The data whose personal data are processed in this way
responding to the problems or questions of the owners in the fastest and most explanatory manner
intended, but the contact person is not legally authorized to represent the data controller. This
contacting the company and the data subject or contact person, except to provide information for cause
to answer the questions of the relevant person in accordance with the law and to inform our company about this matter
has no duty or authorization other than informing. Our Company contact person
authorized department assigned by our company as soon as it is informed by
or organization will take action on the problem as soon as possible and the necessary procedure
will be carried out. During these procedures, the personal data owner or the person concerned will be informed about all these procedures and
will be informed about the procedures and, if necessary, the authorized department or institution of our company
personal data owner or the relevant persons will be interviewed by the Personal Data Protection Unit.
SECTION 5 – TRANSFER OF PERSONAL DATA TO THIRD PARTIES
In accordance with Article 10 of the KVK Law, our Company identifies the groups of persons to whom personal data are transferred
notifies the personal data owner.
Our company, in accordance with Articles 8 and 9 of the KVKK Law, the data managed by the policy
The personal data of the owners may be transferred to the categories of persons listed below: The Company;
– To business partners
– Suppliers
– Group companies
– Shareholders
– Authorities
– Legally authorized public institutions and organizations
– The above-mentioned persons to whom transfers are made to legally authorized private law persons
The scope and purposes of data transfer are set out below:
Category Description Purpose of Data Transfer
Community
Companies
Our company’s affiliated business
defines partnerships. Business
our partners in the appendix
explained.
All kinds of commercial and
ensure the execution of the organizational measure
Shareholders Real persons who are shareholders of the Company
individuals
Law, effectiveness according to the provisions of the relevant legislation
management and corporate communication processes
for the purpose of carrying out the activities and with these activities
limited to
Company Officials Company Board Members
and other authorized natural persons
According to the provisions of the relevant legislation, the company’s commercial
designing strategies for the activities of the highest
ensuring management and supervision at the level
limited to its purposes
Legally Authorized
Public Institution
and Organizations
Provisions of the relevant legislation
information and documents from the company according to
public institutions authorized to receive
and organizations
Legal authority of relevant public institutions and organizations
limited to the purpose for which it is requested within
Legally Authorized
Private Law
Persons
Provisions of the relevant legislation
information and documents from the company according to
Within the legal jurisdiction of the relevant private law persons
limited to the purpose for which it is requested
9
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
authorized private law
persons
Suppliers
Company’s commercial activities
while executing the company’s orders and
in accordance with the instructions
contract-based company
parties providing services
The Company’s commercial and financial assets and liabilities that the Company procures from the supplier
to fulfill its organizational activities
to provide the necessary services
SECTION 6 – STORAGE OF PERSONAL DATA
6.1. LEGAL OBLIGATIONS OF THE COMPANY
Our Company, Article 7 of the Law No. 6698 on the Protection of Personal Data and Turkish Penal Code No. 5237
processed and subsequently processed and stored in accordance with the disclosures in Article 138 of the Law
personal data whose purpose has disappeared, rights arising from the Turkish Commercial Code, all relevant
the rights granted by the provisions of the legislation and the principles set out in this policy (See section
2.2.1 (f) and (g)) or by the decision to be taken by the Company or by the interests of our Company in its commercial life
Upon the explicit request of the data subject, the Law on the Protection of Personal Data
Deletes or destroys or anonymizes as specified in Article 7.
6.2. DELETION, DESTRUCTION and ANONYMIZATION OF PERSONAL DATA
6.2.1. Deletion of Personal Data
Deletion of personal data is defined in Article 8 of the regulation as “the deletion of personal data for the relevant users”.
is the process of making it inaccessible and unusable in any way”.
defined. Personal data may be deleted by the following methods:
Application Type Cloud Solutions as a Service
Data in the cloud system is deleted by issuing a delete command. While the aforementioned process is taking place, the related
The user is not authorized to retrieve deleted data on the cloud system.
Personal Data on Paper Media
Personal data on paper media is erased using the blackout method. Blackout method,
personal data on the relevant documents should be truncated where possible, and where not possible
in cases that are irreversible and unreadable by technological solutions.
ink is used to render the relevant users invisible.
Office Files on the Central Server
The file is deleted with the delete command in the operating system, or the file or the
The access rights of the relevant user on the directory are removed.
Personal Data on Portable Media
Personal data on Flash-based storage media are stored encrypted and are suitable for
is deleted using software.
Databases
The relevant rows containing personal data are deleted by database commands. The aforementioned operation
the relevant person performing the realization is not the database administrator.
10
This document may not be reproduced and distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
6.2.2. Destruction of Personal Data
Destruction of personal data is defined in Article 9 of the regulation as “personal data should not be
to render it inaccessible, unrecoverable and unusable by any means
is defined as “a process”. Personal data can be destroyed by the following methods:
Physical Destruction
Personal data are non-automatic, provided that they are part of any data recording system
can also be processed in other ways. When destroying such data, the personal data is subsequently
physically destroying it so that it cannot be used.
De-magnetization
Magnetic media is passed through a special device and exposed to a high magnetic field
is the process of rendering the data on it incomprehensible and unreadable.
Paper Media
Destruction processes in this environment can reduce paper to incomprehensible sizes with shredding and clipping machines.
is the method of destroying personal data.
6.2.3. Anonymization of Personal Data
Anonymization of personal data is defined in Article 10 of the regulation as “the anonymization of personal data by
Even if it is matched with data, under no circumstances with an identified or identifiable natural person
It is defined as ”making it impossible to associate it. Personal data is defined as
can be anonymized with methods:
Masking
By removing or deleting the distinctive titles or characteristics of the data subjects whose data are processed
is an anonymization method provided.
Example: Removing information such as TR Identity Number etc. that enables the identification of the personal data subject
preventing the recognition of the data subject through
Data Shuffling Permutation
With this method, some of the information of the data owners whose data are in the system is replaced
to anonymize the data by modifying it.
Example: In employee information, in addition to the data evaluated as the main category, sub-valued
Ensuring that the personal data owner is not recognized by changing the location of the information
Data Derivation
Adding or subtracting variables in the data in the system to certain extent
making the information undetectable or unidentifiable.
Example: Instead of the detailed disclosure of the residence of the personal data owner whose data is processed
specifying the neighborhood or district
Aggregation Method
It is a method of converting the relevant personal data from a specific value to a general value. With this method, the data
generalized and personal data cannot be associated with any individual
is being introduced. Example: Instead of counting the neighborhoods where employees live one by one, X
indicating that Y number of employees live in the neighborhood
11
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
One or more of the anonymization methods described above may be used in accordance with all relevant legislation and
In line with the interests of our company in business life, this policy has been approved by the company.
will be selected by the committee established to ensure its enforcement. More details about the committee
information is described in the previous chapter (see Chapter 4).
The method of anonymization to be selected shall be determined by the committee taking into account the following considerations
will be determined:
– The nature of the data
– Size of the data
– The structure of data in physical environments
– Diversity of data
– Purpose of processing the data
Anonymization process retention periods of this policy and personal data inventory
in parallel with the principles specified in the sections.
6.3. PERSONAL DATA STORAGE PERIODS
Our Company, in accordance with the periods specified in all relevant legislation, will keep your personal data in its data inventory.
retains the data.
In case there is no period determined in the relevant legislation regarding these periods
To be in compliance with the customs arising from the sector in which our Company operates and the laws and regulations
personal data within the periods determined in accordance with the interests of our company, provided that
data is retained, and in cases where there is no need for storage, the data is discarded in accordance with the above-mentioned procedure
the personal data is erased or destroyed or anonymized in any manner.
The purpose of processing and storing personal data has ceased to exist and all relevant
the principles set forth in the legislation and by our company in this policy (See Section 2.2.1 (f) and
(g))) for any legal disputes that may arise in the future if the periods determined in accordance with (g)) have elapsed
Personal data may also be stored for the purpose of use. Personal data specified in this section
stored solely for use in legal disputes and for any other purpose
cannot be used. In line with the above explanations, our company may foresee
all measures and precautions are taken.
For example, against the employee who leaves the workplace, due to unfair termination of the contract
for the purpose of determining the competent court for the lawsuit to be filed
Using the information available in the data system to make the determination in this context
(The scope of the above explanations is not limited to the example given).
6.4. PERSONAL DATA INVENTORY
Personal Data Inventory, in accordance with the KVKK and the Regulation on the Data Controllers’ Registry
the data processed separately in each department within our company are collected and
The deletion, destruction, anonymization process as described above is subject to the legislation and the company
policy and can be submitted to the KVK Institution when necessary.
data (MS Word, Excel, etc.).
According to the definition in the Regulation, a personal data inventory should include the following
are listed:
12
This document may not be reproduced and distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
– Purposes of personal data processing
– Data category
– Personal data created by associating with the transferred recipient group and the data subject group
the maximum periods required for the processing of data
– Personal time periods foreseen to be transferred to foreign countries
– Measures taken regarding data security
Taking into account the above-mentioned criteria, in relation to personal data, it will be made with this data
Information on transactions will be collected in the relevant inventory. The content of the inventory will be based on our company’s compliance with the law and
in digital media such as MS Word, Excel for their own benefit in accordance with the legislation
content that cannot be stored in digital media can be stored in paper media.
can also be stored.
Our company deletes, destroys, anonymizes personal data described in Section 6
or by an officer authorized by our company in the personal data inventory
is realized.
If there is a provision in the relevant legislation regarding the method of preparation of the Personal Data Inventory, personal data
inventory will be prepared by our company in accordance with these provisions. Personal Data
In cases where there is no provision in the relevant legislation regarding the preparation procedure of the Inventory, our company,
personal data inventory, taking into account its own internal working discipline and internal working processes
is free to choose which procedure it will choose for preparation.
CHAPTER 7 – RIGHTS OF THE PERSONAL DATA SUBJECT
7.1. RIGHTS OF PERSONAL DATA OWNER and TERMS FOR USING THEIR RIGHTS
Our company, evaluation of the rights of personal data owners and personal data owners
Article 13 of the Personal Data Protection Law to provide the necessary information
It carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance.
Personal data owners may submit their requests regarding their rights listed below in writing to our company
in the event that they submit their request, our company will respond to the request free of charge within thirty days at the latest, depending on the nature of the request.
as a finalization process. However, if a fee is stipulated by the Personal Data Protection Board
in the case, our company will ask the applicant to provide the personal data determined by the Personal Data Protection Board.
the fee in the tariff will be charged. Personal data subjects;
– Learn whether personal data is processed or not
– Request information if personal data has been processed
– The purpose of processing personal data and whether they are used for their intended purpose
learning
– To know the third parties to whom personal data are transferred domestically or abroad
– To request correction of personal data in case of incomplete or incorrect processing
and to notify third parties to whom personal data are transferred of the transaction made within this scope
don’t ask
– Processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws
Although it has been processed, if the reasons requiring its processing disappear, the personal
to request the deletion or destruction of the data and to request that the transaction made within this scope
to request notification to third parties to whom the data is transferred
13
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
– By analyzing the processed data exclusively through automated systems
to object to a result that is unfavorable to oneself
– In case of damage due to unlawful processing of personal data
have the right to demand compensation for the damage.
Pursuant to Article 13 of the Personal Data Protection Law, personal data owners have the right to
to exercise their stated rights in “written” or in accordance with the provisions of the Law on the Protection of Personal Data
They are required to forward it to our Company by other methods determined by the Board.
Right of Access to Personal Data
Data subjects have a right of access to their personal data without charge. The Company’s
interest and legitimate right to keep the data Personal Data Protection Law and related legislation
protected within the scope; the right to change and delete is observed. Our Company gives the relevant person the right
– Learn whether his/her personal data is being processed
– Request information if personal data has been processed
– The purpose of processing personal data and whether they are used in accordance with their purpose
learning that it is not used
– In the request to know the third parties to whom personal data are transferred domestically or abroad
that he/she has the right to make a request.
Right to Change or Delete Personal Data
The right of data subjects to have their personal data amended or erased without incurring a fee
are available. In this context, the person concerned;
– Correction of personal data in case of incomplete or incorrect processing
don’t ask
– In the event that the reasons requiring the processing of personal data disappear
request deletion or destruction of data
– The aforementioned correction, deletion or destruction of personal data
to be notified to third parties to whom it has been transferred and
– By analyzing the processed data exclusively through automated systems
to object to the occurrence of an unfavorable result.
Pursuant to the Personal Data Protection Law, personal data must be accurate and, where necessary, up-to-date.
to ensure that personal data is accurate and up to date, therefore, personal data must be accurate and up to date.
Notification of changes in the current situation to our company by the relevant party in order to keep the current situation
is required. If the data change is not notified to our company in writing by the data subject
any damages and losses arising or that may arise due to failure to update the data
Our company is not responsible for the sanction.
7.2. OBSERVING THE RIGHTS OF THE PERSONAL DATA OWNER
Pursuant to Article 12 of the Personal Data Protection Law, the data controller
– Prevent unlawful processing of personal data,
– To prevent unlawful access to personal data and
– Ensure the appropriate level of security in order to ensure the protection of personal data
to take all necessary technical and administrative measures.
14
This document may not be reproduced and distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
Pursuant to the relevant article of law, our Company may not disclose personal data to any other real or legal person on its behalf.
to take the measures specified in the first paragraph if it is committed by a legal person
is jointly and severally liable together with these persons. Our Company shall not be liable to its own institutions or
necessary audits to ensure the implementation of the provisions of this law in its establishment
is made.
This provision is hereby added by the Company to all contracts, commitments and memorandums of understanding.
shared with those who can transfer data in Section 5 of the policy; actual impossibility
or because it is not in accordance with the ordinary course of life.
In cases where the text cannot be created, this policy can be found on the naturagida.com.tr website.
can be seen as it has been made publicly available.
7.3. SITUATIONS WHERE THE PERSONAL DATA OWNER CANNOT CLAIM RIGHTS
Pursuant to Article 28 of the Law on the Protection of Personal Data, personal data owners are entitled to
As personal data subjects are excluded from the scope of the relevant law, personal data subjects are subject to the following procedures in these matters
cannot assert their rights:
– The anonymization of personal data by official statistics and research, planning
and processing for purposes such as statistics
– Personal data may be used to protect national defense, national security, public safety, public order,
violate economic security, privacy or personal rights, or criminal offenses
for artistic, historical, literary or scientific purposes or for expression
committed within the scope of freedom
– Personal data may be used to protect national defense, national security, public safety, public security, public order or
public authorities authorized by law to ensure economic security
preventive, protective and intelligence activities carried out by institutions and organizations
processing within the scope and
– Personal data relating to the investigation, prosecution, judgment or execution of personal data
committed by judicial or enforcement authorities
Pursuant to Article 28 of the Personal Data Protection Law; in the cases listed below, personal
data subjects cannot assert their rights other than the right to demand compensation for the damage:
– The processing of personal data is necessary for the prevention of crime or for the investigation of crime
to be
– Processing of personal data made public by the personal data subject himself/herself
– The authorized and authorized public authorities based on the authority granted by law to process personal data
institutions and organizations and professional organizations in the nature of public institutions, auditing
or regulatory duties and disciplinary investigation or prosecution
to be necessary for
SECTION 8 – PROCESSING OF PERSONAL DATA OF PROSPECTIVE EMPLOYEES
Personal data of employee candidates collected during the recruitment process and private data collected according to the nature of the job
Qualified personal data are processed by the Company for the purposes specified and listed below:
– The qualification, experience and interest of the employee candidate and his/her suitability for the vacant position
evaluate
15
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
– If necessary, to check the accuracy of the information provided by the prospective employee
or contacting third parties and conducting research about the Employee candidate
– To contact the prospective employee about the application and recruitment process, or to
for any position subsequently opened at home or abroad.
contacting the candidate
– To meet the requirements of the relevant legislation or the demands of authorized institutions or organizations
– To develop and improve the recruitment principles applied by our company
Personal data of prospective employees may be collected through the following methods and means
– Digital application form published in writing or electronically
– Employee candidates may contact the Company via e-mail, cargo, reference and similar methods.
resumes they have submitted
– Recruitment or consulting companies; as prospective employees are also data subjects
their requests related to their rights arising from the interview process by using the method described above.
– Interviews via video conferencing, telephone or face-to-face interviews
– A survey conducted to verify the accuracy of the information provided by the employee candidate
controls and investigations carried out by the company
– Skills and skills assessments conducted and results analyzed by experienced experts
recruitment tests to identify personality traits
CHAPTER 9 – THE COMPANY’S BUSINESS WITHIN THE COMPANY’S FACILITIES AND THROUGH ITS INTERNET WEBSITE
PERSONAL DATA PROCESSING ACTIVITIES
Personal data processing carried out by the Company at building facility entrances and within the facility
activities in accordance with the Constitution, the PDP Law and other relevant legislation
is carried out.
In order to ensure security, the Company provides security at the Company buildings and facilities.
personal data processing for tracking guest entrances and exits with the camera surveillance activity
activities are carried out.
Through the use of security cameras and the recording of guest entrances and exits
Personal data processing activity is carried out by the Company.
9.1. CAMERA SURVEILLANCE CARRIED OUT AT THE ENTRANCES AND INSIDE THE COMPANY’S BUILDING FACILITIES
ACTIVITY
In this section, explanations regarding the Company’s camera surveillance system will be made and personal
how data, privacy and fundamental rights of the individual are protected
information will be provided. Within the scope of security camera surveillance activity;
such as protecting the interests of the company and other persons regarding ensuring the security of the company and other persons
purposes.
The camera surveillance activity carried out by the Company is a part of the
It is carried out in accordance with the Law and relevant legislation.
16
This document may not be reproduced and distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
In the execution of camera surveillance activities by the Company for security purposes, the KVK
The Company acts in accordance with the regulations set forth in the Law. The Company maintains its buildings and
In order to ensure security in its facilities, in the relevant legislation in force
for the purposes stipulated and in accordance with the personal data processing conditions listed in the KVK Law
as a security camera monitoring activity.
In accordance with Article 10 of the KVK Law by the Company, the personal data owner
is illuminated. The Company has made disclosures on general issues through the camera.
notify the monitoring activity through more than one method. Thus,
preventing harm to the fundamental rights and freedoms of the personal data subject,
It is aimed to ensure transparency and enlightenment of the personal data owner.
For the camera surveillance activity by the Company; On the Company website
this Policy is published (online policy regulation) and monitored
notification of monitoring is posted at the entrances of the areas (on-site
illumination).
The Company, in accordance with Article 4 of the KVK Law, personal data for the purpose for which they are processed
in a connected, limited and measured manner.
The purpose of the Company’s video camera surveillance is for this purpose.
It is limited to the purposes listed in the Policy. Accordingly, monitoring of security cameras
areas, number and when monitoring will be conducted, adequate to achieve the security objective and
is limited to this purpose. Security of personal privacy
in areas that may result in interference beyond their intended purpose (e.g. in toilets)
monitoring is not subject to surveillance.
Camera surveillance by the Company in accordance with Article 12 of the KVK Law
the technical means necessary to ensure the security of personal data obtained as a result of the activity
and administrative measures are taken.
Regarding the retention period of the Company’s personal data obtained through camera surveillance activities
detailed information can be found in Article 6.3 of this Policy titled Personal Data Retention Periods
given.
Live camera footage and digitally recorded and preserved records
only a limited number of company employees have access. The limited number with access to records
a number of people declare that they will protect the confidentiality of the data they access with a confidentiality undertaking
is in progress.
9.2. MONITORING OF GUEST ENTRANCES AND EXITS TO THE COMPANY’S BUILDING FACILITY ENTRANCES
By the Company; to ensure security and for the purposes specified in this Policy, the Company
Personal data processing for the tracking of guest entrances and exits in its buildings and facilities
activities are carried out.
17
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
While obtaining the names and surnames of the persons who come to the company premises as guests, or while obtaining the names and surnames of
through texts posted in the premises or otherwise made available to guests
such personal data owners are enlightened within this scope. Guest check-in and check-out
data obtained for the purpose of follow-up are processed only for this purpose and the relevant personal
data are physically recorded in the data recording system.

9.3. RECORDS RELATED TO INTERNET ACCESS PROVIDED TO THE COMPANY’S GUESTS
STORAGE AND WEBSITE VISITORS

For the purposes of ensuring security by our Company and for the purposes specified in this Policy; log records regarding the internet access of guests during their stay in our facilities can be recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law.

Only a limited number of Company employees have access to the log records obtained within this framework. These records are processed and shared with third parties only upon request by authorized public institutions and organizations or in order to fulfill our legal obligations in the audit processes to be carried out within the Company and/or to protect our legal rights and to establish the defense rights of our Company.

On the websites owned by the Company; In order to ensure that the people who visit these sites perform their visits on the sites in accordance with their visit purposes; In order to show them customized content and to carry out online advertising activities, internet movements within the site are recorded by technical means (such as cookies).

Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by the Company are included in the “Company’s Website Privacy Policy” texts of the relevant websites.

SECTION 10 – ENFORCEMENT and UPDATEABILITY

This Policy was issued and entered into force by the Company on 31.07.2020. The Policy may be updated in whole or in part. The Policy is published on the Company’s naturagida.com website and made available to the relevant persons upon the request of the personal data owners.