Personal Data Protection and Processing Policy
CHAPTER 1 – INTRODUCTION
1.1. INTRODUCTION
1.2. PURPOSE AND SCOPE OF THE POLICY
1.3. IMPLEMENTATION OF LEGISLATION
SECTION 2 – PROCESSING OF PERSONAL DATA
2.1. GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA
2.2. CONDITIONS FOR PROCESSING PERSONAL DATA
2.2.1. Processing of General Personal Data
2.2.2. Processing of Special Categories of Personal Data
CHAPTER 3 – PROTECTION OF PERSONAL DATA
3.1. SECURITY OF PERSONAL DATA
3.1.1. Lawful Processing of Data
3.1.2. Blocking Unlawful Access
3.1.3. Storing Personal Data in a Secure Environment
3.2. AUDIT REGARDING THE IMPLEMENTATION OF LEGAL PROVISIONS
3.3. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
CHAPTER 4 – MEASURES FOR THE PROTECTION OF PERSONAL DATA
CHAPTER 5 – TRANSFER OF PERSONAL DATA TO THIRD PARTIES
CHAPTER 6 – STORAGE OF PERSONAL DATA
6.1. LEGAL OBLIGATIONS OF THE COMPANY
6.2. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
6.2.1. Deletion of Personal Data
6.2.2. Destruction of Personal Data
6.2.3. Anonymization of Personal Data
6.3. PERSONAL DATA RETENTION PERIODS
6.4. PERSONAL DATA INVENTORY
CHAPTER 7 – RIGHTS OF THE DATA SUBJECT
7.1. RIGHTS OF THE DATA SUBJECT AND CONDITIONS FOR EXERCISING THESE RIGHTS
7.2. PROTECTION OF THE RIGHTS OF THE DATA SUBJECT
7.3. CASES WHERE THE DATA SUBJECT CANNOT ASSUME ANY RIGHTS
CHAPTER 8 – PROCESSING PERSONAL DATA OF JOB APPLICANTS
CHAPTER 9 – PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED WITHIN THE COMPANY FACILITIES AND THROUGH ITS WEBSITE
9.1. CAMERA SURVEILLANCE ACTIVITY CONDUCTED AT THE ENTRANCES AND INSIDE THE COMPANY'S BUILDINGS AND FACILITIES
9.2. MONITORING GUEST ENTRANCES AND EXITS AT THE COMPANY'S BUILDING AND FACILITY ENTRANCES
9.3. STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO THE COMPANY'S GUESTS, AND WEBSITE VISITORS
CHAPTER 10 – EFFECTIVE DATE AND UPDATABILITY
Appendix 1: DEFINITIONS
APPENDIX 2: ABBREVIATIONS
CHAPTER 1 – INTRODUCTION
1.1. INTRODUCTION
The Law No. 6698 on the Protection of Personal Data ("KVKK") introduces important regulations regarding the protection and lawful processing of personal data. The protection of personal data is among the top priorities of Natura Gıda Sanayi ve Ticaret A.Ş. ("the Company").
Our company data policy is based on exercising utmost care, particularly regarding access to individuals' private lives and information, taking effective and deterrent measures in this regard; and being transparent with our customers, potential customers, visitors, company officials, all parties and institutions we cooperate with, in short, every person directly or indirectly connected to our company and whose data we process.
With this Policy, our company defines and implements our rules regarding the processing of personal data within the framework of the principles of transparency and openness.
1.2. PURPOSE AND SCOPE OF THE POLICY
The primary purpose of this policy is to protect the fundamental rights and freedoms of individuals whose personal data is processed, particularly the right to privacy, and to ensure that all activities of our Company are carried out in accordance with the rules stated herein. The scope of the provisions of this policy includes the personal data of individuals whose data we process directly or indirectly.
1.3. IMPLEMENTATION OF LEGISLATION
In case of any inconsistency between the current legislation and our policy, the law shall apply.
The existing legislation will be applied first, and there will be no more specific objectives outside of this basic policy.
If there are other policies or regulations created on the same subject, priority will be given to the specific policies, and the provisions containing these regulations apply. Other policies and documents are not related to this policy and its provisions.
Provisions that conflict with the legislation shall not be applied.
SECTION 2 – PROCESSING OF PERSONAL DATA
2.1. GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA
When processing personal data, the data must be obtained and processed in accordance with the law and principles of fairness. Our company processes data with the utmost care and control, in accordance with the law and principles of fairness.
The data being processed must be accurate and up-to-date. Our company verifies the accuracy of the data at every processing level and makes the necessary preparations to ensure it is up-to-date when required.
When processing data, it is essential to clearly specify which data is being processed, how much of it is being processed, the purpose of the processing, and whether it is lawful or legitimate. Our company processes data only for legitimate purposes and takes care to ensure that the data obtained during this processing is clearly defined. To prevent the misuse of the obtained information and to avoid misunderstandings, our company processes data in a clear and transparent manner.
Data must be processed in a controlled manner that is consistent with, relevant to, limited to, and proportionate to the purpose for which it is processed. Our company processes data subjects' data only in a proportionate manner, limited to and relevant to the purpose for which it is processed.
Personal data must be stored in accordance with the retention period stipulated in the relevant legislation or the period specified for the purpose for which it was processed. In this context, our company primarily retains personal data for the periods specified in the relevant legislation, if such a retention period is stipulated. If no retention period is specified in the legislation, or if there is no legal reason requiring longer retention, our company retains personal data for as long as necessary for the purpose for which it was processed. In this way, the security of data subjects is ensured to the maximum extent. (See Section 6.4 for details.)
In accordance with this policy and all relevant legislation, our employees acting as data processors are subject to an unlimited confidentiality obligation regarding personal data.
2.2. CONDITIONS FOR PROCESSING PERSONAL DATA
2.2.1. Processing of General Personal Data
All personal data processed by our company that does not fall into the category of special categories of personal data is categorized as general categories of personal data.
Personal data cannot be processed without the explicit consent of the data subject. However, processing of personal data without the explicit consent of the data subject is possible if any of the following conditions exist:
a) The processing is explicitly provided for in the laws.
b) The person is unable to express their consent due to factual impossibility, or their consent is not legally valid, and the processing is necessary for the protection of their own life or the life or physical integrity of another person.
c) The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
d) The processing is necessary for the data controller to fulfill its legal obligations.
e) The data has been made public by the data subject themselves.
f) The processing is necessary for the establishment, exercise or protection of a right.
g) The processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
2.2.2. Processing of Special Categories of Personal Data
Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data.
Processing sensitive personal data without the explicit consent of the data subject is prohibited.
Personal data other than those related to health and sexual life, as listed in the first paragraph, may be processed without the explicit consent of the data subject in cases stipulated by law.
Our company obtains the explicit consent of data subjects when processing and storing sensitive personal data, including records of private health problems.
Personal data relating to health and sexual life may only be processed by persons or authorized institutions and organizations bound by an obligation of confidentiality, without seeking the explicit consent of the data subject, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
When processing special categories of personal data, it is also mandatory to take adequate measures as determined by the Personal Data Protection Board.
CHAPTER 3 – PROTECTION OF PERSONAL DATA
3.1. SECURITY OF PERSONAL DATA
Our company, acting as the Data Controller in accordance with Article 12 of the Law on the Protection of Personal Data, must take all necessary technical and administrative measures to provide an appropriate level of security in order:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
Our company takes all necessary technical and administrative measures, considering technological capabilities and implementation costs, to ensure the lawful processing of personal data. Personal data learned by data controllers and data processors cannot be disclosed to others or used for purposes other than the processing purpose, in violation of the provisions of this law.
Company personnel have received the necessary training on technical matters; awareness is raised among employees in this area, and audits are conducted. This ensures the employment of knowledgeable personnel within the company. Our company's relevant department and our contracted legal consultancy firm work in coordination on this matter.
3.1.1. Lawful Processing of Data
The main technical and administrative measures taken by our company to ensure the lawful processing of personal data are as follows:
• Personal data processing activities carried out within our company are monitored using technical systems and reported to the relevant parties.
• The compliance of the personal data processing activities carried out by our company's business units with the personal data processing conditions required by Law No. 6698, and the requirements to be fulfilled for this purpose, are determined for each department and relevant unit based on the specific activity it carries out.
• To ensure legal compliance, the procedure prepared for the relevant departments, together with its compliance, continuity and monitoring, is implemented through administrative measures, internal company policies and training.
3.1.2. Blocking Unlawful Access
Our company takes technical and administrative measures, according to the nature of the data to be protected, to prevent the careless or unauthorized disclosure of, access to or transfer of personal data, and any other unlawful access.
The main technical and administrative measures taken by our company to prevent unlawful access to personal data are as follows:
• Technical solutions for access and authorization are deployed; the technical measures taken are periodically reported, issues that pose risks are reassessed, and the necessary technological solutions are developed. These include installing logging, antivirus systems, and firewall software and hardware.
• We employ staff who are knowledgeable in technical matters.
• Access and authorization processes for personal data within the company are designed and implemented on a business-unit basis, in accordance with legal compliance requirements.
• Employees are informed that they may not disclose the personal data they learn to others in violation of the provisions of the Personal Data Protection Law and all other relevant legislation, that they may not use it for purposes other than the purpose of processing, and that this obligation continues even after they leave their positions; the necessary commitments are obtained from them accordingly.
• Provisions requiring the persons to whom personal data is transferred to take the necessary security measures for the protection of personal data are added to the contracts concluded with the persons to whom our company lawfully transfers personal data, and/or mutual agreements are signed.
This document may not be reproduced or distributed without the written permission of Natura Gıda Sanayi ve Ticaret A.Ş.
3.1.3. Storing Personal Data in a Secure Environment
Our company takes the necessary technical and administrative measures to ensure that personal data is stored in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.
The main technical and administrative measures taken by our company to store personal data in secure environments are as follows:
• Systems in line with technological advancements are used to store personal data in secure environments.
• We employ staff who are experts in technical matters.
• Technical security systems are installed for the storage areas; the technical measures taken are reported to the relevant parties, issues posing a risk are re-evaluated, and the necessary technological solutions are developed.
• Backup programs are used in accordance with the law to ensure the secure storage of personal data.
• Non-digital data is kept in locked cabinets and is accessible only by authorized personnel.
3.2. AUDIT REGARDING THE IMPLEMENTATION OF LEGAL PROVISIONS
In accordance with Article 12, paragraph 3 of the Law on the Protection of Personal Data, the Data Controller is obliged to conduct, or have conducted, the necessary inspections in its own institution or organization to ensure the implementation of the provisions of this law.
Our company and our contracted legal consultancy firm are responsible for establishing the data security described above, and conduct and/or commission the necessary inspections to ensure the regularity and continuity of the measures taken. These audit results are reported to the relevant department or management within the scope of our company's internal operations, and the necessary measures are taken to improve the situation. Our activities are carried out in compliance with the Personal Data Protection Law and other relevant legislation, as well as this company policy.
Our company organizes the necessary training for business units to raise awareness about preventing the unlawful processing of personal data and unlawful access to data, and about ensuring data protection; it provides this through trainings, seminars and sessions. Our company updates and renews its training in line with updates to the relevant legislation. The systems necessary for raising awareness regarding the protection of personal data are being established, and audits related to this issue are handled by our company's relevant department and our contracted legal consultancy firm.
The results of training that aims to raise awareness regarding the protection and processing of personal data are reported to our company, and participation in these trainings is mandated and controlled.
3.3. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
Regarding crimes related to the unauthorized disclosure of personal data, Article 135 of the Turkish Penal Code No. 5237, the provisions of Article 140 and all relevant legislation shall apply. This information is provided to employees and relevant individuals by our company.
Those who record personal data unlawfully, and anyone who unlawfully gives, disseminates, or obtains personal data belonging to another person, violate the law. Those who, in violation of Article 7, Section 3 of the Personal Data Protection Law, do not delete the data from the system even though the specified periods have passed, who continue to store personal data, or who do not delete or anonymize personal data even though the reasons justifying its processing have ceased to exist, will be punished with imprisonment under Article 138 of the Turkish Penal Code. The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by regulation.
According to the amendments made to the Turkish Penal Code, anyone who unlawfully gives personal data to another person, or unlawfully disseminates or obtains this data, shall be sentenced to two to four years in prison; a person who commits this crime by taking advantage of the convenience provided by a particular profession or art shall be punished under the aggravated form of the crime. Company employees who commit the crime of viewing, obtaining or hacking data that they are not authorized to process will be reported without delay to the data subject, the public prosecutor's office and relevant authorities; the necessary procedures will be carried out against them and the perpetrator will be punished for the aggravated form of the crime.
According to the provision regulated under the heading of Offenses in the Law on the Protection of Personal Data, those who fail to fulfill their obligation to inform or their obligations regarding data security, those who fail to comply with the decisions made by the Board, and those who fail to comply with the obligation to register with and notify the Data Controllers Registry will also be subject to administrative fines.
CHAPTER 4 – MEASURES FOR THE PROTECTION OF PERSONAL DATA
To ensure the implementation of our Company's Personal Data Protection and Processing Policy, a management structure is created. A committee is being established to manage this Policy and other policies related to and connected with this Policy within the company. The committee's duties are listed below:
• To prepare the basic policies regarding the protection and processing of personal data and, where necessary, changes to these policies.
• To decide how policies regarding the protection and processing of personal data will be implemented and how the follow-up will be carried out.
• To assign and coordinate internal company tasks.
• To identify the measures to be taken to ensure compliance with the Personal Data Protection Law and related legislation, and to ensure their implementation.
• To raise awareness of the protection and processing of personal data within the Company and among the institutions the Company cooperates with, and to organize trainings in this context.
• To identify potential risks in the company's personal data processing activities and to ensure that the necessary measures are taken.
• To resolve data subject applications at the highest level.
• To monitor developments and regulations regarding the protection of personal data and to take the necessary actions.
In addition to these tasks, the committee also performs other duties assigned by senior management. All its activities are carried out with the approval of senior management.
Our company, together with its contracted legal consultancy firm, is responsible for designating a contact person for communication with the Personal Data Protection Board and for notifying the contact person during registration. The contact person(s) is a natural person who is a member of the department(s) assigned to perform this task within our company.
In accordance with the Data Controllers Registry Regulation, our company defines the function of the contact person as a point of communication, limited to ensuring that the requests that data subjects direct to the data controller are answered quickly and effectively. The aim is to provide the quickest and clearest answers to data owners' problems or questions, but the contact person is not legally authorized to represent the data controller. For this reason, the contact person has no duty or authority, other than providing information, to answer the questions of the data owner or relevant party in a legal capacity or to represent our company in this matter.
As soon as it is informed by the contact person, the authorized department or institution appointed by our company will take action regarding the issue as soon as possible and the necessary procedures will be carried out. During these processes, the personal data owner or the relevant person will be informed about all these processes and procedures and, if necessary, our company's authorized department or institution will conduct interviews with the data owner or relevant individuals.
CHAPTER 5 – TRANSFER OF PERSONAL DATA TO THIRD PARTIES
In accordance with Article 10 of the Personal Data Protection Law, our company informs the personal data owner of the groups of individuals to whom personal data is transferred.
In accordance with a policy compliant with Articles 8 and 9 of the Personal Data Protection Law (KVKK), the personal data of data owners may be transferred to the following categories of persons:
• The company's business partners
• The company's suppliers
• Community companies
• The company's shareholders
• Company officials
• Legally authorized public institutions and organizations
• Legally authorized private legal entities
The scope and purposes of data transfer to the aforementioned persons are stated below:
| Category | Definition | Data Transfer Purpose |
|---|---|---|
| Community Companies | Defines the partnerships related to our company's business. Our business partners are explained in the appendix. | To ensure the implementation of all types of commercial activities and organizational measures requiring company participation |
| Shareholders | The individuals who own shares in the Company | According to the relevant legal provisions, limited to the purpose of carrying out activities within the scope of law, activity management and corporate communication processes |
| Company Officials | Company Board Members and other authorized natural persons | According to the relevant legislation, limited to the purposes of designing strategies related to the company's commercial activities and ensuring management and control at the top level |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the company according to the relevant legal provisions | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority |
| Legally Authorized Private Law Persons | Private law persons authorized to acquire information and documents from the company according to the relevant legal provisions | Limited to the purpose requested by the relevant private legal entities within their legal authority |
| Suppliers | Parties that provide services to the company on a contractual basis, in accordance with the company's orders and instructions, while the company carries out its commercial activities | To provide the services that the company procures from the supplier and that are necessary to carry out the company's commercial and organizational activities |
CHAPTER 6 – STORAGE OF PERSONAL DATA
6.1. LEGAL OBLIGATIONS OF THE COMPANY
In accordance with Article 7 of the Law No. 6698 on the Protection of Personal Data and the explanations in Article 138 of the Turkish Penal Code No. 5237, our company deletes, destroys, or anonymizes personal data that was processed and stored in accordance with the law but whose purpose of processing has subsequently ceased to exist. As stated in Article 7 of the Personal Data Protection Law, it does so either by its own decision, taken in a way that will not cause harm to the rights arising from the Turkish Commercial Code, the rights granted by the provisions of all related legislation and the principles set forth in this policy (see section 2.2.1 (f) and (g)), or the interests of our company in its commercial life, or upon the explicit request of the data owner.
6.2. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
6.2.1. Deletion of Personal Data
Article 8 of the regulation defines the deletion of personal data as "the process of making personal data completely inaccessible and unusable for the relevant users." Personal data can be deleted using the following methods:
Application-as-a-Service Cloud Solutions
Data in the cloud system is deleted by issuing a delete command. In this process, the relevant users do not have the authority to recover deleted data from the cloud system.
Personal Data in Paper Format
Personal data in paper format is deleted using the redaction method. Redaction is carried out by cutting out the personal data on the relevant documents where possible and, where this is not possible, by using fixed ink to make it invisible to the relevant users in a way that is irreversible and cannot be read using technological solutions.
Office Files Located on the Central Server
The file is deleted using the delete command in the operating system, or the relevant user's access rights on the file or on the directory in which the file is located are revoked.
Personal Data Contained on Portable Media
Personal data on flash-based storage media is stored encrypted and is deleted using software suitable for these media.
Databases
The relevant rows containing personal data are deleted using database commands. The person who performs this operation is not the database administrator.
6.2.2. Destruction of Personal Data
Article 9 of the regulation defines the destruction of personal data as "the process of making personal data completely inaccessible, irretrievable, and unusable by anyone." Personal data can be destroyed using the following methods:
Physical Destruction
Personal data may also be processed in a non-automated manner as part of a data recording system. When such data is destroyed, the practice is physical destruction in a way that renders the personal data unusable afterwards.
Demagnetization
The process of passing magnetic media through a special device and exposing it to a high-strength magnetic field, rendering the data on it unintelligible and unreadable.
Paper Media
Destruction in this medium is carried out by reducing the paper to an unintelligible size with paper shredding and cutting machines.
6.2.3. Anonymization of Personal Data
Article 10 of the regulation defines the anonymization of personal data as "making it impossible to link personal data to a specific or identifiable natural person under any circumstances, even if it is matched with other data." Personal data can be anonymized using the following methods:
Masking Method
A method of anonymization achieved by removing or deleting the distinctive titles or characteristics of the data subjects whose data is being processed.
Example: Removing information that identifies the data subject, such as the Turkish National Identity Number (TC Kimlik No), thereby preventing the identification of the data subject.
Data Shuffling (Permutation)
This method aims to anonymize the data by replacing or modifying some of the information of data owners whose data is within the system.
Example: In employee information, altering the information in the sub-categories that accompany the data considered as the main category, so that the data owner cannot be identified.
Data Derivation Method
Adding or subtracting certain amounts from the variables in the data within the system, so that the information becomes undetectable or unidentifiable.
Example: Instead of providing the detailed address where the personal data owner whose data is being processed lives, specifying only the neighborhood or district.
Aggregation Method
A method of converting relevant personal data from a specific value to a general value. With this method, the data is generalized and personal data is rendered incapable of being linked to any single individual.
Example: Instead of listing the neighborhoods where employees live one by one, stating that Y number of employees live in neighborhood X.
One or more of the anonymization methods described above will be selected, in accordance with all relevant legislation and regulations and the business interests of our company, by the committee established to ensure the implementation of this policy. Details regarding the committee were explained in the previous section. (See Chapter 4)
The anonymization method to be chosen will be determined by the committee taking into consideration the following:
• Data quality
• Data size
• The nature of the data's presence in physical environments
• Data diversity
• The purpose of data processing
The anonymization process will be carried out in parallel with the principles stated in the retention periods and personal data inventory sections of this policy.
6.3. PERSONAL DATA RETENTION PERIODS
Our company stores the data in its personal data inventory in accordance with the timeframes stipulated in all relevant legislation.
If no time limit is specified in the relevant legislation regarding these periods, our company stores personal data for the periods it determines in accordance with its interests and with the customs, laws, and regulations of the sector in which it operates; when storage is no longer necessary, the data is deleted, destroyed, or anonymized in the ways described above.
Even if the purpose for processing and storing personal data has ceased to exist and the periods determined by our company in accordance with all relevant legislation and the principles set forth in this policy (see Section 2.2.1 (f) and (g)) have expired, personal data may also be stored for use in any legal disputes that may arise in the future. The personal data mentioned in this section is kept for use only in legal disputes and cannot be used for any other purpose. In accordance with the above explanations, our company takes all foreseeable precautions and measures.
For example, in a lawsuit to be filed against an employee who leaves the workplace, arising from the unfair termination of the contract, using the information in the data system to identify the employee's place of residence in order to determine the competent court can be evaluated within this scope. (The scope of the above explanations is not limited to the example given.)
6.4. PERSONAL DATA INVENTORY
The Personal Data Inventory refers, in accordance with the Personal Data Protection Law (KVKK) and the Regulation on the Registry of Data Controllers, to the data (MS Word, Excel, etc.) that is collected and processed separately in each department within our company, for which the deletion, destruction, and anonymization process explained above is carried out in accordance with legislation and the company's policy, and which can be submitted to the Personal Data Protection Authority when necessary.
According to the definition in the regulation, the items that must be included in a personal data inventory are listed as follows:
• Purposes of personal data processing
• Data category
• The recipient group to which data is transferred and the data subject group, created by associating the two, and the maximum time periods required for processing personal data
• Personal data planned for transfer to foreign countries
• Measures taken regarding data security
Taking the criteria mentioned above into consideration, information regarding the operations to be performed on personal data will be collected in the relevant inventory. The inventory content will be stored on digital media such as MS Word and Excel, in accordance with our company's legal requirements, the legislation, and its own interests; content that cannot be stored digitally may also be stored in paper format.
The processes of deleting, destroying, and anonymizing personal data described in Section 6 are carried out, with reference to the personal data inventory, by our company or by an authorized representative of our company.
If there are provisions in the relevant legislation regarding the procedure for preparing the Personal Data Inventory, the inventory will be prepared by our company in accordance with these provisions. In cases where there are no provisions in the relevant legislation regarding the procedure for preparing the inventory, our company is free to choose which method to use to prepare the personal data inventory, taking into account its own internal work discipline and internal work processes.
CHAPTER 7 – RIGHTS OF THE DATA SUBJECT
7.1. RIGHTS OF THE DATA SUBJECT AND CONDITIONS FOR EXERCISING THESE RIGHTS
Our company evaluates the rights of personal data owners and, in order to provide personal data owners with the necessary information, implements the necessary channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law.
If data subjects submit their requests regarding the rights listed below to our company in writing, our company will conclude the request free of charge within a maximum of thirty days, depending on the nature of the request. However, if the Personal Data Protection Board prescribes a fee, our company will charge the applicant the fee specified in the tariff determined by the Personal Data Protection Board. Personal data owners have the right to:
• Find out whether their personal data is being processed
• Request information regarding the processing of their personal data
• Learn the purpose of processing personal data and whether it is used appropriately for that purpose
• Know the third parties to whom personal data is transferred, whether domestically or internationally
• Request the correction of personal data if it has been processed incompletely or inaccurately, and request that third parties to whom personal data has been transferred be notified of the process carried out within this scope
• Request the deletion or destruction of personal data if the reasons requiring its processing cease to exist, even though it has been processed in accordance with the Personal Data Protection Law and other relevant laws, and request that third parties to whom the data has been transferred be notified of the process carried out within this scope
• Object to an outcome that is detrimental to them arising from the analysis of the processed data exclusively through automated systems
• Claim compensation for damage suffered due to the unlawful processing of personal data
In accordance with Article 13 of the Personal Data Protection Law, personal data owners must submit requests regarding the exercise of the rights stated above to our Company "in writing" or through other methods determined by the Personal Data Protection Board.
Right of Access to Personal Data
Individuals have the right to access their personal data free of charge. The company's legitimate right and interest in retaining the data is protected under the Personal Data Protection Law and related legislation; the right to modify and delete is observed. Our company informs the relevant person that they have the right to:
• Find out whether their personal data is being processed
• Request information regarding the processing of their personal data
• Learn the purpose for which their personal data is processed and whether it is used in accordance with that purpose
• Know the third parties to whom personal data is transferred, whether domestically or internationally
Right to Modify or Delete Your Personal Data
Individuals have the right to modify or delete their personal data without incurring any fee. In this context, the relevant person has the right to:
• Request the correction of personal data if it has been processed incompletely or inaccurately
• Request the deletion or destruction of personal data if the reasons requiring its processing cease to exist
• Request that the third parties to whom the personal data has been transferred be notified of the aforementioned correction, deletion, or destruction processes, and
• Appeal against an unfavorable outcome arising from the analysis of the processed data exclusively through automated systems
In accordance with the Personal Data Protection Law, there is an obligation to ensure that personal data is accurate and, when necessary, up-to-date. For the purposes of keeping records accurate and up-to-date, the relevant person must inform our company of any changes to their current situation. Unless the data change is notified to our company in writing by the relevant person, our company is not responsible for any damage or sanctions that have arisen or may arise due to the failure to update the data.
7.2. PROTECTION OF THE RIGHTS OF THE DATA SUBJECT
According to Article 12 of the Personal Data Protection Law, the data controller must take all necessary technical and administrative measures to provide an appropriate level of security in order to:
• Prevent the unlawful processing of personal data,
• Prevent unlawful access to personal data, and
• Ensure the protection of personal data.
In accordance with the relevant law, if personal data is processed on our company's behalf by another natural person or legal entity, our company is jointly and severally liable with these persons for taking the measures specified in the first paragraph. Our company carries out the necessary audits in its own institution or establishment to ensure the implementation of these legal provisions.
The company adds this provision to all contracts, commitments, and agreements it makes with the parties to whom data may be transferred, as set out in Section 5 of this policy; in cases where a contract or agreement text cannot be drawn up because of practical impossibility or because it would not be in accordance with the ordinary course of life, this policy is accessible because it has been made public on the naturagida.com.tr website.
7.3. CASES WHERE THE DATA SUBJECT CANNOT ASSUME ANY RIGHTS
Since the following cases are excluded from the scope of the law pursuant to Article 28 of the Personal Data Protection Law, personal data owners cannot assert their rights regarding these matters:
• Processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics
• Processing of personal data for the purposes of art, history, literature or science, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights, or constitute a crime
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been given duties and powers by law to ensure national defense, national security, public safety, public order, or economic security, and
• Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings
In accordance with Article 28 of the Law on the Protection of Personal Data, personal data owners cannot exercise any rights other than the right to claim compensation for damages in the following cases:
• Personal data processing being necessary for the prevention of crime or for criminal investigation
• Processing of personal data that has been made public by the data subject
• Personal data processing being necessary for the performance of auditing or regulatory duties, or for disciplinary investigation or prosecution, by authorized and competent public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law
CHAPTER 8 – PROCESSING PERSONAL DATA OF JOB APPLICANTS
Personal data collected from job applicants during the recruitment process, as well as special category personal data collected according to the nature of the job, is processed by the Company for the purposes listed below:
• To evaluate whether the candidate's qualifications, experience, and interests are suitable for the open position
• If necessary, to verify the accuracy of the information provided by the job applicant or to contact third parties to research the job applicant
• To contact the job candidate regarding the application and recruitment process or, if appropriate, to contact the candidate for any position subsequently opened domestically or internationally
• To meet the requirements of relevant legislation or the requests of authorized institutions or organizations.
• To develop and improve the recruitment principles applied by our company.
Job applicants' personal data may be collected through the following methods and means:
• Digital application form published in written or electronic format
• Resumes that job applicants submit to the Company via email, mail, referrals, and similar methods
• Employment or consulting companies
• Interviews conducted via video conference, telephone, or in person
• Audits and investigations conducted by the company to verify the accuracy of the information provided by the job applicant
• Recruitment tests that identify skills, abilities, and personality traits and are assessed and analyzed by experienced experts
Job applicants are also data subjects and will be able to submit their claims regarding the rights arising from this status using the method described.
CHAPTER 9 – PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED WITHIN THE COMPANY FACILITIES AND THROUGH ITS WEBSITE
The personal data processing activities carried out by the company at building entrances and within the premises are conducted in accordance with the Constitution, the Personal Data Protection Law, and other relevant legislation.
In order to ensure security, the company carries out personal data processing activities in its buildings and facilities in the form of camera surveillance and monitoring of guest entries and exits.
By using security cameras and recording guest entries and exits, the company engages in personal data processing activities.
9.1. CAMERA SURVEILLANCE ACTIVITY CONDUCTED AT THE ENTRANCES AND INSIDE THE COMPANY'S BUILDINGS AND FACILITIES
This section provides explanations regarding the Company's camera surveillance system and information on how personal data, privacy, and the fundamental rights of the individual are protected. The company's security camera surveillance activities have purposes such as protecting the interests of the company and other individuals in ensuring their safety.
The camera surveillance activity carried out by the company is conducted in accordance with the Law on Private Security Services and relevant regulations.
The company's use of cameras for security purposes complies with GDPR regulations, and the company acts in accordance with the regulations contained in the law. In order to ensure security in its buildings and facilities, the company carries out security camera monitoring activities for the purposes intended in the relevant legislation in force and in accordance with the personal data processing conditions stipulated in the Personal Data Protection Law.
In accordance with Article 10 of the Personal Data Protection Law, the company informs the personal data owner. In addition to providing general information, the company gives notification regarding camera monitoring activities through multiple methods. Thus, the aim is to prevent harm to the fundamental rights and freedoms of the personal data owner, to ensure transparency, and to inform the data subject.
Regarding the company's camera surveillance activities, this Policy is published on the company's website (online policy regulation), and notices stating that monitoring will be carried out are posted at the entrances to the monitored areas (on-site notification).
In accordance with Article 4 of the Personal Data Protection Law, the company processes personal data in a manner that is connected, limited, and measured in relation to the purposes for which they are processed.
The purpose of the company's video surveillance activity is limited to the purposes listed in this policy. Accordingly, the areas, number, and timing of security camera monitoring are implemented only to the extent sufficient to achieve the security objective. Areas where monitoring could result in interference with the individual's privacy beyond the security purpose (for example, toilets) are not subject to monitoring.
In accordance with Article 12 of the Personal Data Protection Law, the company takes the technical and administrative measures necessary to ensure the security of personal data obtained as a result of the camera surveillance activity.
Detailed information on the company's retention period for personal data obtained through camera surveillance activities is given in section 6.3 of this Policy, titled "Personal Data Retention Periods".
Only a limited number of company employees have access to live camera footage and to digitally recorded and stored footage. The limited number of people with access to the records have signed a confidentiality agreement stating that they will protect the confidentiality of the data they access.
9.2. MONITORING GUEST ENTRANCES AND EXITS AT THE COMPANY'S BUILDING AND FACILITY ENTRANCES
For the purposes of ensuring security and as stated in this Policy, the company carries out personal data processing activities for tracking guest entries and exits in its buildings and facilities.
When the names and surnames of individuals who visit company buildings as guests are obtained, or through texts posted on the company's premises or otherwise made accessible to visitors, the data subjects concerned are informed within this scope. Data obtained for the purpose of monitoring guest check-in/check-out is processed solely for this purpose, and the relevant personal data is recorded in a physical data recording system.
9.3. STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO THE COMPANY'S GUESTS AND WEBSITE VISITORS
For security purposes and as stated in this Policy, our company may record logs of internet access used by guests during their stay on our premises, in accordance with the provisions of Law No. 5651 and the regulations issued pursuant to this Law.
Only a limited number of our company employees have access to the log records obtained within this framework. These records are processed and shared with third parties only when requested by authorized public institutions and organizations, or in order to fulfill our relevant legal obligations and/or protect our legal rights and establish our company's defense rights during audit processes carried out within the company.
The company uses technical means (e.g., cookies) to record internet activity on its websites in order to ensure that visitors' visits are consistent with their purposes, to display personalized content, and to conduct online advertising activities.
Detailed explanations regarding the protection and processing of personal data related to these activities carried out by the company can be found in the "Company Website Privacy Policy" texts on the relevant websites.
CHAPTER 10 – EFFECTIVE DATE AND UPDATABILITY
This Policy was prepared and entered into force by the Company on July 31, 2020. The Policy, in whole or in part, may be updated. The Policy is published on the Company's website, naturagida.com, and is made available to data subjects upon request.
| Appendix 1: DEFINITIONS | |
|---|---|
| Personal Data | It refers to any data relating to an identified or identifiable natural person. |
| Special Category Personal Data | This includes data relating to a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Organisation | It refers to the Personal Data Protection Authority. |

| APPENDIX 2: ABBREVIATIONS | |
|---|---|
| Personal Data Protection Law (KVKK) | The Law on the Protection of Personal Data No. 6698 dated March 24, 2016, published in the Official Gazette No. 29677 dated April 2016. |
| KVKK Article 7 | (1) Personal data shall be deleted, destroyed or anonymized by the data controller, either automatically or upon the request of the data subject, if the reasons requiring their processing cease to exist, even though they have been processed in accordance with this Law and other relevant laws. |
| Turkish Penal Code | Turkish Penal Code No. 5237, dated September 26, 2004, published in the Official Gazette No. 25611, dated October 12, 2004. |
| Turkish Penal Code Article 138 | (1) Those who are obliged to delete data from the system despite the expiry of the periods determined by law, will be sentenced to imprisonment for one to two years if they fail to fulfill their duties. |
| Regulations | Regulation No. 30224 on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on Saturday, October 28, 2017. |