CHAPTER 1 – INTRODUCTION
1.1 Introduction
Protection of personal data is among the most important priorities of Fazla Gıda Anonim Şirketi (“FG” or “Company”), which makes maximum effort to comply with all applicable legislation in this regard. This FG Personal Data Protection Policy (“Policy”) explains the principles adopted in the execution of the personal data processing activities carried out by the Company and the general principles adopted for the compliance of the Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law”); the Company thereby provides the necessary transparency by informing the data subjects. Aware of its responsibility, the Company processes and protects your personal data within the scope of this Policy.
1.2 Scope
This Policy relates to all personal data of the data subjects that are processed fully or partially by automated means, or by non-automated means provided that they are part of any data recording system.
1.3 Implementation of the Policy and Related Legislation
The relevant legal regulations in force regarding the processing and protection of personal data are applied first. In case of any incompatibility between the legislation in force and the Policy, the Company accepts that the legislation in force is applied. The Policy regulates the rules set forth by the relevant legislation by concretizing them within the scope of Company practices.
1.4 Enforcement of the Policy
The effective date of this Policy is 01/11/2022. The Policy is published on fazla.com and made available to the data subjects upon their request.
CHAPTER 2 – INFORMATION RELATED TO THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
In accordance with Article 12 of the Law, the Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways. In this context, the Company takes administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board (“Board”), conducts audits or has them conducted.
2.2. Protection of Special Categories of Personal Data
The Law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric and genetic data. FG acts sensitively in the protection of special categories of personal data that are determined as “special categories” by the Law and processed in accordance with the law. In this context, technical and administrative measures taken by FG for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided within FG. Detailed information on the processing of sensitive personal data is provided in section 3.3 (“Processing of Sensitive Personal Data”) of this Policy.
2.3. Increasing the Awareness and Audit of Business Units about the Protection and Processing of Personal Data
FG ensures that the necessary trainings are provided to business units to raise awareness, in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the protection of personal data. Necessary systems are established to ensure that FG employees are aware of the protection of personal data, and consultants are hired in case of need. Accordingly, the Company evaluates the participation in relevant trainings, seminars and information sessions and updates and renews its trainings in parallel with the updates in the relevant legislation.
CHAPTER 3 – INFORMATION RELATED TO THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation
3.1.1. Processing in accordance with the Law and Fairness
FG acts in accordance with the principles introduced by regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data are processed only to the extent required by the business activities of the Company.
3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
FG takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time.
3.1.3. Processing for Specific, Explicit and Legitimate Purposes
FG clearly sets out the purposes of processing personal data and processes it within the scope of purposes related to these activities in line with its business activities.
3.1.4. Being Relevant, Limited and Proportionate to The Purpose For Which They Are Processed
FG collects personal data only to the extent and quality required by its business activities and processes it limited to the specified purposes.
3.1.5. Being Stored for The Period Laid Down by Relevant Legislation Or The Period Required For The Purpose For Which The Personal Data Are Processed
FG stores personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, the Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or in accordance with the application of the data subject and with the specified destruction methods (deletion and/or destruction and/or anonymization).
3.2. Conditions for Processing Personal Data
Except for the explicit consent of the data subject, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal data of special categories, the conditions set out in section 3.3 of this Policy (“Processing of Personal Data of Special Categories”) shall apply.
i. Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be related to a specific subject, based on information and with free will. In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.
ii. Expressly Provided by the Laws
If the processing of the personal data of the data subject is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition may be mentioned.
iii. Failure to Obtain the Explicit Consent of the Data Subject Due to Actual Impossibility
The personal data may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.
iv. Direct Relevance to The Establishment or Performance of The Contract
Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
v. Fulfillment of Legal Obligations by the Company
Personal data of the data subject may be processed if processing is mandatory for the Company to fulfill its legal obligations.
vi. Personal data have been made public by the Data Subject
If the data subject has made his/her personal data public, the relevant personal data may be processed limited to the purpose of making public.
vii. Data Processing is Necessary for The Establishment, Exercise or Protection of Any Right
Personal data of the data subject may be processed if data processing is necessary for the establishment, exercise or protection of a right.
viii. Data Processing is Necessary for the Legitimate Interest of the Company
Provided that it does not harm the fundamental rights and freedoms of the person concerned, the personal data of the person concerned may be processed if data processing is necessary for the legitimate interests of the Company.
3.3. Processing of Special Categories of Personal Data
Special categories of personal data are processed by the Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(i) Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data subject if it is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data subject shall be obtained in order to process such special categories of personal data.
(ii) Special categories of personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health services and financing, without seeking explicit consent. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.
3.4. Informing the Data Subject
FG informs the data subjects in accordance with Article 10 of the Law and secondary legislation. In this context, FG, as the data controller, informs the data subjects about who processes personal data, for what purposes, with whom it is shared for what purposes, by which methods it is collected and its legal reason and the rights of the data subjects within the scope of the processing of their personal data.
3.5. Transfer of Personal Data
The Company may transfer the personal data and special categories of personal data of the data subject to third parties (third party companies, public and private authorities, third real persons) by taking the necessary security measures in line with the lawful personal data processing purposes. In this respect, the Company acts in accordance with the regulations stipulated in Article 8 of the Law.
3.5.1 Transfer of Personal Data
Personal data may be transferred to third parties in the event that one or more of the following conditions exist, by taking all necessary care by the Company and taking all necessary security measures, including the methods stipulated by the Board, without the explicit consent of the data subject:
- The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
- The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
- The transfer of personal data is necessary for the Company to fulfill its legal obligation,
- Transfer of personal data by the Company in a manner limited to the purpose of making public, provided that the personal data has been made public by the person concerned,
- The transfer of personal data by the Company is necessary for the establishment, use or protection of the rights of the Company or the data subject or third parties,
- It is mandatory to carry out personal data transfer activity for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,
- It is necessary for the protection of the life or physical integrity of the person who is unable to explain his/her consent due to actual impossibility or whose consent is not legally valid.
In addition to the above, personal data may be transferred to foreign countries declared to have adequate protection by the Board (“Foreign Country with Adequate Protection”) in the presence of any of the above conditions. In the absence of adequate protection, in line with the data transfer conditions stipulated in the legislation, the data may be transferred to foreign countries (“Foreign Country Where the Data Controller Committing to Adequate Protection is Located”) where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and where the Board has granted permission.
3.5.2 Transfer of Special Categories of Personal Data
Special categories of personal data may be transferred by the Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(i) Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data subject if it is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data subject shall be obtained in order to process such special categories of personal data.
(ii) Special personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health services and financing, without seeking explicit consent. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.
In addition to the above, personal data may be transferred to Foreign Countries with Adequate Protection in the presence of any of the above conditions. In the absence of adequate protection, personal data may be transferred to Foreign Countries where there is a Data Controller Committed to Adequate Protection in line with the data transfer conditions stipulated in the legislation.
CHAPTER 4 – CATEGORIZING AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY THE COMPANY
In accordance with Article 10 of the Law and secondary legislation, personal data are processed by the Company by informing data subjects in line with the personal data processing purposes of the Company, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data.
Our Employees
Detailed information about the personal data of employees has been published within the Company in a manner accessible only to our employees. You can submit your requests regarding your personal data processed by using one of the application methods in this Notice and exercise your rights.
Employee Candidates
Processed Personal Data | Purpose of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller.
Association Officer
Detailed information on the processing of personal data has been provided to them in a manner accessible to the Association officials. You can submit your requests regarding your personal data processed by using one of the application methods in this Notice and exercise your rights.
Employees/ Authorized Officers of our Customers (Legal Entity)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract, it is necessary for compliance with a legal obligation to which the data controller is subject; processing of data is necessary for the legitimate interests pursued by the data controller; data processing is necessary for the establishment, exercise or protection of any right, explicit consent (location data).
Customers (Natural Person)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract; it is necessary for compliance with a legal obligation to which the data controller is subject, data processing is necessary for the establishment, exercise or protection of any right, explicit consent (location data).
Employees/Authorities of our Suppliers (Legal Entity)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract, processing of data is necessary for the legitimate interests pursued by the data controller.
Website Visitors
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller; it is necessary for compliance with a legal obligation to which the data controller is subject.
Our Visitors
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller.
Social Media Users
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data belonging to the parties to the contract; processing of data is necessary for the legitimate interests pursued by the data controller.
Our Application Users
You can find detailed information about personal data processed through our application at fazla.com.
CHAPTER 5 – STORAGE AND DESTRUCTION OF PERSONAL DATA
The Company stores personal data for the period required for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, the Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or in accordance with the application of the relevant person and with the specified destruction methods (deletion and/or destruction and/or anonymization).
CHAPTER 6 – RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THE RIGHTS
6.1. Rights of the Data Subject
Your rights set forth in the PDPL with regard to your personal data are:
(1) To learn whether your personal data have been processed or not,
(2) To request information if your personal data has been processed,
(3) To learn the purpose for processing your personal data and whether these personal data were used in compliance with the purpose,
(4) To know the third parties to whom your personal data is transferred in the country or abroad,
(5) To request the rectification of the incomplete or inaccurate data, if any,
(6) To request the erasure or destruction of your personal data under the conditions referred to in the PDPL,
(7) When you request the correction of incomplete or inaccurate data and the deletion or destruction of your personal data, to request that this situation be notified to third parties to whom we transfer your personal data,
(8) To object to the occurrence of a result against you by analyzing the data processed solely through automated systems,
(9) To claim compensation for the damage arising from the unlawful processing of your personal data.
6.2. Exercise of the Data Subject’s Rights
Data subjects may submit their requests regarding their rights listed in section 6.1. (“Rights of the Data Subject”) to the Company through the methods determined by the Board. In this regard, they will be able to benefit from the “Data Subject Application Form” available at fazla.com.
6.3. The Company’s Response to Applications
The Company takes the necessary administrative and technical measures to finalize the applications to be made by the data subject in accordance with the Law and secondary legislation. In the event that the data subject duly submits his/her request regarding the rights set out in section 6.1. (“Rights of the Data Subject”) to the Company, the Company will conclude the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
CHAPTER 7 – SPECIAL CASES WHERE PERSONAL DATA ARE PROCESSED
7.1. Personal Data Processing Activities for Website Visitors
Pursuant to Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications and the relevant legislation in force, FG processes the log records of website visitors in order to fulfill the obligations arising from the law and to ensure information security. In addition, in accordance with Article 4 of the Law, FG processes personal data in a limited and proportionate manner in connection with the purpose for which they are processed.
7.2. Camera Surveillance Activities Carried Out Inside the Building
FG carries out security camera surveillance activities in order to ensure building security, for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law. In accordance with Article 10 of the Law, FG informs data subjects about the surveillance activity in more than one way. Furthermore, in accordance with Article 4 of the Law, FG processes personal data in a limited and proportionate manner that is connected with the purpose for which they are processed. The purpose of video camera surveillance by FG is limited to the purposes listed in this Policy.
Accordingly, the monitoring areas, the number of security cameras and when they will be monitored are implemented in a limited and sufficient way to achieve the security purpose. Areas that may result in interference with a person’s privacy in excess of security purposes (e.g. toilets) are not subject to monitoring. Only a limited number of FG employees have access to live camera footage and digitally recorded and stored records. The limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
CHAPTER 8 – THE RELATIONSHIP BETWEEN THE PROTECTION OF PERSONAL DATA POLICY OF FG AND ITS OTHER POLICIES
FG establishes sub-policies for internal use on the protection of personal data related to the principles set forth in this Policy. The principles of FG’s internal policies are reflected in publicly available policies to the extent relevant, and it is aimed to inform the relevant parties within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by FG.
CHAPTER 1 INTRODUCTION
1.1 Introduction
Protection of personal data is among the most important priorities of Fazla Gıda Anonim Şirketi (“FG” or “Company“) and it makes maximum effort to comply with all applicable legislation in this regard. Within the framework of this FG Personal Data Protection Policy (“Policy“), the principles adopted in the execution of personal data processing activities carried out by the Company and the general principles adopted in terms of compliance of the Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law“) are explained and thus, the Company provides the necessary transparency by informing the data subjects. With the awareness of Company’s responsibility, your personal data is processed and protected within the scope of this Policy. 1.2 Scope This Policy relates to all personal data of the data subjects that are fully or partially automated or processed by non-automated means, provided that they are part of any data recording system. 1.3 Implementation of the Policy and Related Legislation The relevant legal regulations in force regarding the processing and protection of personal data is applied first. In case of any incompatibility between the legislation in force and the Policy, the Company accepts that the legislation in force is applied. The Policy regulates the rules set forth by the relevant legislation by concretizing them within the scope of Company practices. 1.4 Enforcement of the Policy The effective date of this Policy is 01/11/2022 . The Policy is published on fazla.com and made available to the data subjects upon their request.CHAPTER 2 – INFORMATION RELATED TO THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data In accordance with Article 12 of the Law, the Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways. In this context, the Company takes administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board (“Board“), conducts audits or has them conducted. 2.2. Protection of Special Categories of Personal Data The Law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric and genetic data. FG acts sensitively in the protection of special categories of personal data that are determined as “special categories” by the Law and processed in accordance with the law. In this context, technical and administrative measures taken by FG for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided within FG. Detailed information on the processing of sensitive personal data is provided in section 3.3 (“Processing of Sensitive Personal Data”) of this Policy. 2.3. Increasing the Awareness and Audit of Business Units about the Protection and Processing of Personal Data FG ensures that necessary trainings for business units to raise awareness to prevent unlawful processing of personal data, unlawful access to personal data and to ensure the protection of personal data. 
Necessary systems are established to ensure that FG employees are aware of the protection of personal data, and consultants are hired in case of need. Accordingly, the Company evaluates the participation in relevant trainings, seminars and information sessions and updates and renews its trainings in parallel with the updates in the relevant legislation.CHAPTER 3 – INFORMATION RELATED TO THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation 3.1.1. Processing in accordance with the Law and Fairness FG acts in accordance with the principles introduced by regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data are processed to the extent and limited to the extent required by the business activities of the Company. 3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary FG takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time. 3.1.3. Processing for Specific, Explicit and Legitimate Purposes FG clearly sets out the purposes of processing personal data and processes it within the scope of purposes related to these activities in line with its business activities. 3.1.4. Being Relevant, Limited and Proportionate to The Purpose For Which They Are Processed FG collects personal data only to the extent and quality required by its business activities and processes it limited to the specified purposes. 3.1.5. Being Stored for The Period Laid Down by Relevant Legislation Or The Period Required For The Purpose For Which The Personal Data Are Processed FG stores personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, the Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. 
Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or in accordance with the application of the data subject and with the specified destruction methods (deletion and/or destruction and/or anonymization). 3.2. Conditions for Processing Personal Data Except for the explicit consent of the data subject, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal data of special categories, the conditions set out in section 3.3 of this Policy (“Processing of Personal Data of Special Categories”) shall apply. i. Explicit Consent of the Data Subject One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be related to a specific subject, based on information and with free will. In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject. ii. Expressly Provided by the Laws If the personal data of the data subject is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition may be mentioned. iii. Failure to Obtain the Explicit Consent of the Data Subject Due to Actual Impossibility The personal data may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person. iv. Direct Relevance to The Establishment or Performance of The Contract. 
Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
v. Fulfillment of Legal Obligations by the Company
Personal data of the data subject may be processed if processing is mandatory for the Company to fulfill its legal obligations.
vi. Personal data have been made public by the Data Subject
If the data subject has made his/her personal data public, the relevant personal data may be processed limited to the purpose of making public.
vii. Data Processing is Necessary for The Establishment, Exercise or Protection of Any Right
Personal data of the data subject may be processed if data processing is necessary for the establishment, exercise or protection of a right.
viii. Data Processing is Necessary for the Legitimate Interest of the Company
Provided that it does not harm the fundamental rights and freedoms of the person concerned, the personal data of the person concerned may be processed if data processing is necessary for the legitimate interests of the Company.
3.3. Processing of Special Categories of Personal Data
Special categories of personal data are processed by the Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(i) Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data subject if it is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data subject shall be obtained in order to process such special categories of personal data.
(ii) Special categories of personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health services and financing, without seeking explicit consent. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.
3.4. Informing the Data Subject
FG informs the data subjects in accordance with Article 10 of the Law and secondary legislation. In this context, FG, as the data controller, informs the data subjects about who processes personal data, for what purposes, with whom it is shared for what purposes, by which methods it is collected and its legal reason and the rights of the data subjects within the scope of the processing of their personal data.
3.5. Transfer of Personal Data
The Company may transfer the personal data and special categories of personal data of the data subject to third parties (third party companies, public and private authorities, third real persons) by taking the necessary security measures in line with the lawful personal data processing purposes. In this respect, the Company acts in accordance with the regulations stipulated in Article 8 of the Law.
3.5.1 Transfer of Personal Data
Personal data may be transferred to third parties in the event that one or more of the following conditions exist, by taking all necessary care by the Company and taking all necessary security measures, including the methods stipulated by the Board, without the explicit consent of the data subject:
- The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
- The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
- The transfer of personal data is necessary for the Company to fulfill its legal obligation,
- Transfer of personal data by the Company in a manner limited to the purpose of making public, provided that the personal data has been made public by the person concerned,
- The transfer of personal data by the Company is necessary for the establishment, use or protection of the rights of the Company or the data subject or third parties,
- It is mandatory to carry out personal data transfer activity for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,
- It is necessary for the protection of the life or physical integrity of the person who is unable to explain his/her consent due to actual impossibility or whose consent is not legally valid.
CHAPTER 4 – CATEGORIZING AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY THE COMPANY
In accordance with Article 10 of the Law and secondary legislation, personal data are processed by the Company by informing the data subject in line with the personal data processing purposes of the Company, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data.
Our Employees
Detailed information about the personal data of employees has been published within the Company in a manner accessible only to our employees. You can submit your requests regarding your personal data processed by using one of the application methods in this Notice and exercise your rights.
Employee Candidates
Processed Personal Data | Purpose of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller.
Association Officer
Detailed information on the processing of personal data has been provided to them in a manner accessible to the Association officials. You can submit your requests regarding your personal data processed by using one of the application methods in this Notice and exercise your rights.
Employees/Authorized Officers of our Customers (Legal Entity)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract; it is necessary for compliance with a legal obligation to which the data controller is subject; processing of data is necessary for the legitimate interests pursued by the data controller; data processing is necessary for the establishment, exercise or protection of any right; explicit consent (location data).
Customers (Natural Person)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract; it is necessary for compliance with a legal obligation to which the data controller is subject; data processing is necessary for the establishment, exercise or protection of any right; explicit consent (location data).
Employees/Authorities of our Suppliers (Legal Entity)
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract; processing of data is necessary for the legitimate interests pursued by the data controller.
Website Visitors
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller; it is necessary for compliance with a legal obligation to which the data controller is subject.
Our Visitors
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Processing of data is necessary for the legitimate interests pursued by the data controller.
Social Media Users
Processed Personal Data | Purposes of Processing Personal Data
Legal Reason: Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data belonging to the parties to the contract; processing of data is necessary for the legitimate interests pursued by the data controller.
Our Application Users
You can find detailed information about personal data processed through our application at fazla.com.
CHAPTER 6 – RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THE RIGHTS
6.1. Rights of the Data Subject
Your rights under the PDPL with regard to your personal data are:
(1) To learn whether your personal data have been processed or not,
(2) To request information if your personal data has been processed,
(3) To learn the purpose for processing your personal data and whether these personal data were used in compliance with the purpose,
(4) To know the third parties to whom your personal data is transferred in country or abroad,
(5) To request the rectification of the incomplete or inaccurate data, if any,
(6) To request the erasure or destruction of your personal data under the conditions referred to in the PDPL,
(7) When you request the correction of incomplete or inaccurate data and the deletion or destruction of your personal data, to request that this situation be notified to third parties to whom we transfer your personal data,
(8) To object to the occurrence of a result against you by analyzing the data processed solely through automated systems,
(9) To claim compensation for the damage arising from the unlawful processing of your personal data.
6.2. Exercise of the Data Subject’s Rights
Data subjects may submit their requests regarding their rights listed in section 6.1. (“Rights of the Data Subject”) to the Company through the methods determined by the Board. In this regard, they will be able to benefit from the “Data Subject Application Form” available at fazla.com.
6.3. The Company’s Response to Applications
The Company takes the necessary administrative and technical measures to finalize the applications to be made by the data subject in accordance with the Law and secondary legislation. In the event that the data subject duly submits his/her request regarding the rights set out in section 6.1. (“Rights of the Data Subject”) to the Company, the Company will conclude the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request.
However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
CHAPTER 7 – SPECIAL CASES WHERE PERSONAL DATA ARE PROCESSED
7.1. Personal Data Processing Activities for Website Visitors
Pursuant to Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications and the relevant legislation in force, FG processes the log records of website visitors in order to fulfill the obligations arising from the law and to ensure information security. In addition, in accordance with Article 4 of the Law, FG processes personal data in a limited and proportionate manner in connection with the purpose for which they are processed.
7.2. Camera Surveillance Activities Carried Out Inside the Building
FG carries out security camera surveillance activities in order to ensure building security, for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law. In accordance with Article 10 of the Law, FG informs data subjects of the surveillance activity in more than one way. Furthermore, in accordance with Article 4 of the Law, FG processes personal data in a limited and proportionate manner that is connected with the purpose for which they are processed. The purpose of video camera surveillance by FG is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, the number of security cameras and when they will be monitored are implemented in a limited and sufficient way to achieve the security purpose. Areas that may result in interference with a person’s privacy in excess of security purposes (e.g. toilets) are not subject to monitoring. Only a limited number of FG employees have access to live camera footage and digitally recorded and stored records. The limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
CHAPTER 8 – THE RELATIONSHIP BETWEEN THE PROTECTION OF PERSONAL DATA POLICY OF FG AND ITS OTHER POLICIES
FG establishes sub-policies for internal use on the protection of personal data related to the principles set forth in this Policy. The principles of FG’s internal policies are reflected in publicly available policies to the extent relevant, and it is aimed to inform the relevant parties within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by FG.