Personal Data Protection and Processing Policy

PİRLİOĞLU KURUYEMİŞ GIDA SANAYİ VE TİCARET LİMİTED ŞİRKETİ

PROTECTION OF PERSONAL DATA AND PROCESSING POLICY

I. INTRODUCTION

1.1. Purpose of the Policy

In accordance with Article 20 of the Constitution on "Privacy of Private Life," Law No. 6698 on the Protection of Personal Data ("Law"), and the applicable regulations and communiqués, Pirlioğlu Kuruyemiş Gıda Sanayi ve Ticaret Limited Şirketi ("Pirlioğlu") aims to protect the fundamental rights and freedoms, including the privacy of private life, of data subjects (such as customers, potential customers, former employees, employees and job applicants, supplier officials or employees, suppliers, shareholders/partners, Pirlioğlu officials, visitors, business partners, and other third parties), and to ensure lawful processing of personal data obtained by Pirlioğlu, as well as establishing principles for the protection, retention, and, where necessary, destruction of personal data.

1.2. Scope of the Policy

Any information related to an identified or identifiable real person is considered personal data. This includes all processes such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, either entirely or partially automated or non-automated, as part of a data processing activity by Pirlioğlu in its capacity as data controller. This defines the scope of this Policy.

1.3. Application of the Policy and Relevant Legislation

This Policy has been prepared in compliance with the applicable legislation, particularly Law No. 6698 and regulations, communiqués, decisions, and guidelines published by the Personal Data Protection Board ("Board"). If there are any changes in the law or related legislation after the publication date of this Policy that render it inconsistent, the amended provisions and rules will apply. Pirlioğlu monitors all communiqués, decisions, and guidelines published by the Board and keeps the rules specified in this Policy up to date.

1.4. Effectiveness of the Policy

The Policy has been published on the website www.pirlioglu.com.tr owned by Pirlioğlu and came into effect on its publication date.

II. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

As per Article 12 of Law No. 6698, the data controller is obliged to:

● prevent unlawful processing of personal data,

● prevent unauthorized access to personal data,

● ensure the protection of personal data

by taking the necessary administrative and technical measures to ensure an adequate level of security.

For the aforementioned reasons, Pirlioğlu implements security measures to prevent unlawful processing, disclosure, and unauthorized access, as well as security vulnerabilities arising through other means. Explanations regarding the administrative and technical measures taken are included in section VI. ADMINISTRATIVE AND TECHNICAL MEASURES FOR THE PROTECTION OF PERSONAL DATA.

2.2. Protection of Sensitive Personal Data

Sensitive personal data are those that, if disclosed, could lead to discrimination or harm to the individual concerned. Therefore, they require stricter protection compared to other personal data. Sensitive personal data may be processed only with the explicit consent of the individual or in the limited cases specified by law.

The law identifies sensitive personal data through specific categories, including race, ethnic origin, political opinion, philosophical belief, religion, membership of associations, foundations, or trade unions, health, sexual life, criminal record, and biometric and genetic data. It is not possible to expand the scope of sensitive personal data through analogy.

The law also distinguishes among types of sensitive personal data. Accordingly, the conditions under which personal data related to health and sexual life may be processed without explicit consent differ from those that apply to other sensitive personal data.

According to the law, the processing of sensitive personal data is possible without the explicit consent of the individual in the following cases:

· Other types of sensitive personal data, only in cases provided by laws,

· Personal data related to health and sexual life, only by individuals or authorized institutions and organizations under a duty of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, as well as for planning and management of health services and financing.

Pirlioğlu takes all necessary measures for the protection of sensitive personal data, aiming to minimize the collection and processing of such data as much as possible.

III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with Legal Principles

According to Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:

● Compliance with the law and honesty,

● Accuracy and, where necessary, up-to-date nature,

● Processing for specific, explicit, and legitimate purposes,

● Being relevant, limited, and proportionate to the purposes for which they are processed,

● Retention for the period prescribed by relevant legislation or as necessary for the purpose for which they are processed.

3.2. Conditions for Processing Personal Data

Personal data obtained by Pirlioğlu cannot be processed without the explicit consent of the data subject, except for the exceptions stipulated in the Law. Your personal data may be processed without explicit consent in the following cases:

● When explicitly prescribed by laws,

● When it is necessary to protect the life or bodily integrity of the data subject or another person, where the data subject is unable to express consent due to physical impossibility or where their consent is not legally valid,

● When it is necessary for the conclusion or performance of a contract directly related to the parties to the contract,

● When it is necessary for Pirlioğlu to fulfill its legal obligation,

● When disclosed by the data subject themselves,

● When processing is necessary for the establishment, exercise, or protection of a right,

● When processing is necessary for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to the Obligation to Obtain Explicit Consent

a) When explicitly prescribed by laws

One of the conditions for data processing is when it is explicitly prescribed by laws. Provisions in the law regarding the processing of personal data can constitute a condition for data processing. In such cases, obtaining the explicit consent of the data subject is not required.

b) Physical impossibility

Where it is necessary to process the personal data of a person who is unable to express consent due to physical impossibility, or whose consent is not legally valid, in order to protect their own or another person's life or bodily integrity, personal data may be processed without obtaining explicit consent.

c) Directly related to the conclusion or performance of a contract

If processing personal data is necessary in the process of establishing or performing a contract to which the data subject is a party, personal data may be processed without obtaining explicit consent.

d) Fulfillment of Pirlioğlu's legal obligation

Personal data may be processed without obtaining explicit consent for the purpose of fulfilling the legal obligations that Pirlioğlu, as the data controller, is required to fulfill.

e) Publicly disclosed by the data subject

Personal data disclosed by the data subject, in other words, personal data that has been disclosed to the public in any way, may be processed without obtaining explicit consent. However, publicly disclosed personal data cannot be used for purposes other than its intended use.

f) Necessary for the establishment, use, or protection of a right

Personal data may be processed without the explicit consent of the data subject when it is necessary for the establishment, use, or protection of a right.

g) Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

Personal data may be processed without obtaining explicit consent if it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. The benefit to the data controller should be legitimate, specific to the current activities or reasonably expected benefits in the near future.

3.4. Processing of Special Categories of Personal Data

Processing of special categories of personal data is subject to Article 6 of the Law, and processing without the explicit consent of the data subject is prohibited.

Personal data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in association, foundation or union, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data, are special categories of personal data. These data are limited and cannot be expanded through interpretation.

Special categories of personal data, by their nature, could lead to discrimination and hardship for the data subject if disclosed. Therefore, they require stricter protection compared to other personal data.

a) Special categories of personal data other than health and sexual life

Special categories of personal data other than those related to health and sexual life may be processed without the explicit consent of the data subject in cases provided by laws.

b) Special categories of personal data related to health and sexual life

Special categories of personal data related to health and sexual life may only be processed by individuals or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.5. Informing the Personal Data Owner

During the acquisition of personal data, data subjects are informed by Pirlioğlu, as the data controller, or by persons it authorizes. The principles and procedures for providing this information are stated in the Privacy Statement published by Pirlioğlu regarding the Protection of Personal Data and, in summary, include the following elements:

● Identity of the data controller and, if any, its representative,

● Purpose of processing personal data,

● To whom and for what purpose personal data can be transferred,

● Method of personal data collection and legal reason,

● Rights of the relevant person as shown in Article 11 of the Law.

 

a) Identity of the data controller and its representative

In accordance with Article 10 of the Law, personal data obtained from data subjects (product or service recipients, potential product or service recipients, former employees, employees and employee candidates, supplier representatives or employees, suppliers, shareholders/partners, Pirlioğlu officials, visitors, business partners, and other third parties) are processed by Pirlioğlu (Pirlioğlu Kuruyemiş Gıda Sanayi ve Tic. Ltd. Şti.), which can be contacted at the email address info@pirlioglu.com.tr or via www.pirlioglu.com.tr.

b) Purposes of processing personal data

Processing of personal data is carried out with specific, clear, and legitimate purposes based on the principle of informing data subjects. The purposes for which your obtained data is processed are detailed in the section V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY in the Policy.

c) Persons to whom personal data are transferred and purposes of transfer

In accordance with the obligation of the data controller to inform the data subject, persons to whom personal data are transferred and the purposes of transfer must be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The recipient groups and purposes of transfer of personal data by Pirlioğlu are shown in section IV. TRANSFER OF PERSONAL DATA.

d) Method of personal data collection and legal reason

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state which personal data processing condition(s) the processing is based on. The method and means of data collection are determined by the data controller. The processing conditions of personal data, i.e., the legality criteria, are listed exhaustively in the Law (Art. 5-6) and cannot be expanded.

As data controller, Pirlioğlu first evaluates whether the purpose of personal data processing relies on one of the processing conditions other than explicit consent. If the purpose does not meet at least one of the processing conditions other than explicit consent stated in the Law, the explicit consent of the individual is obtained in order to continue the data processing activity.

IV. TRANSFER OF PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the data subject. However:

● As stipulated in the second paragraph of Article 5,

● Provided that adequate measures are taken, as stated in the third paragraph of Article 6,

it can be transferred without requiring the explicit consent of the data subject.

Accordingly, the personal data of the data subject may be transferred to third parties without their approval where: it is explicitly prescribed by laws (1); it is necessary to protect the life or physical integrity of a person who cannot declare their consent due to actual impossibility or whose consent is not legally valid (2); it is necessary to process the personal data of the parties to a contract, provided that this is directly related to the conclusion or performance of that contract (3); it is necessary for the data controller to fulfill its legal obligations (4); the data has been made public by the data subject themselves (5); data processing is necessary for the establishment, exercise, or protection of a right (6); or data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (7).

In addition, special categories of personal data other than those related to health and sexual life may be transferred to third parties without the explicit consent of the data subject in cases foreseen by laws. Personal data related to health and sexual life may be transferred to third parties without the explicit consent of the data subject only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment, and care services, and planning and managing health services and their financing.

Information about the recipient groups to whom personal data processed by Pirlioğlu is transferred is included in Appendix 4 of this Policy - Third Parties to Whom Personal Data is Transferred and Purposes of Transfer.

4.2. Cross-Border Transfers

Personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without the explicit consent of the data subject, provided that one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law exists and that, in the foreign country to which the personal data will be transferred:

● adequate protection is ensured, or

● in the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and the permission of the Board is obtained.

V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

The categorization and processing purposes of personal data processed by Pirlioğlu are outlined below:

Pirlioğlu's Management Activities

● Managing relationships with business partners and suppliers

● Organization and event management

● Execution of strategic planning activities

● Planning and execution of corporate communication activities

● Planning and execution of corporate governance activities

● Planning and execution of Pirlioğlu's audit activities

● Operational activities necessary for the execution of Pirlioğlu's operations in accordance with Pirlioğlu's procedures and/or relevant legislation

● Ensuring the security of Pirlioğlu's operations

● Conducting corporate and partnership law transactions

● Monitoring financial and accounting affairs

● Conducting internal audit, investigation, intelligence activities

● Conducting risk management processes

● Conducting emergency management processes

Execution of Client Relations Activities

● Execution of customer loyalty processes for company products/services

● Monitoring requests and complaints

● Execution of service marketing processes

Determination and Management of Human Resources Policies of Pirlioğlu

● Execution of employee candidate/intern/student selection and placement processes

● Execution of employee candidate application processes

● Execution of employee satisfaction and commitment processes

● Fulfillment of obligations for employees due to employment contracts and regulations

● Execution of processes for new rights and benefits for employees

● Planning and execution of access authorization for employees

● Monitoring and/or supervision of employee business activities

● Execution of assignment processes

● Execution of wage policy

● Execution of performance evaluation processes

● Planning and execution of internal training activities of Pirlioğlu

● Planning and execution of internal orientation activities of Pirlioğlu

● Execution of talent and career development activities

Execution of Technical and Physical Security Processes of Pirlioğlu

● Execution of information security processes

● Establishment and management of information technology infrastructure

● Execution of audit / ethical activities

● Execution of access authorization processes

● Ensuring compliance of activities with legislation

● Provision of physical space security

● Monitoring and execution of legal affairs

● Execution of storage and archive activities

● Ensuring the security of movable property and resources

● Ensuring the security of data controller operations

● Providing information to authorized persons, institutions, and organizations

● Creation and monitoring of visitor records

Personal data processed by Pirlioğlu is categorized and processed in accordance with the personal data processing conditions specified in the Law and relevant legislation. The categorization of processed personal data is shown in Appendix 3 of this Policy - Personal Data Categories.

VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

Administrative and technical measures are taken by Pirlioğlu to securely store personal data and prevent unlawful processing and access to personal data.

In order to ensure the security of personal data processed by Pirlioğlu, the likelihood of risks associated with the protection of all personal data is being determined. When identifying these risks, considerations include whether the personal data is sensitive personal data (1), the degree of confidentiality required by its nature (2), and the nature and extent of harm that may arise for the data subject in case of a security breach (3).

After identifying and prioritizing these risks, control and resolution alternatives to reduce or eliminate these risks are evaluated based on principles of cost-effectiveness and feasibility, and necessary technical and administrative measures are planned and implemented.

6.1. Administrative Measures

It is crucial for employees, even with limited knowledge, to take initial action against attacks that may compromise personal data security. Therefore, as the data controller, we conduct awareness and information campaigns within our organization.

Employees are trained on matters such as not disclosing or sharing personal data unlawfully, awareness campaigns are conducted for employees, and an environment is created in which security risks can be identified. Roles and responsibilities regarding personal data security are defined in job descriptions for everyone within the organization, regardless of their position, so that employees are aware of their roles and responsibilities.

Additionally, privacy agreements are signed as part of the employee hiring process, and a disciplinary process is implemented in case employees do not comply with security policies and procedures.

If there are any changes to the policies and procedures regarding personal data security, training sessions are conducted to inform employees and keep them updated on data security and threats.

Personal data must be accurate and up-to-date as required by Articles 4(b) and (d) of the Law, and retained for the period specified in the relevant legislation or necessary for the purpose for which they are processed. Within this scope, the processed data is handled in accordance with the principles and rules that must be followed in data processing activities, and retained for the period necessary for the purpose of processing. Storage periods for personal data processed by Pirlioğlu are indicated in Section VIII. STORAGE AND DISPOSAL OF PERSONAL DATA of this Policy.

The following table provides a summary of the administrative measures taken to ensure data security:

Administrative Measures
Corporate Policies (Access, Information Security, Use, Storage and Disposal, etc.)
Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)
Privacy Commitments
Internal Periodic and/or Random Audits
Risk Analyses
Employment Contracts, Discipline Regulations (Addition of Legal Provisions for Compliance)
Corporate Communication (Crisis Management, Informing the Board and Relevant Individuals, Reputation Management, etc.)
Education and Awareness Activities (Information Security and Law)
Personal Data Security Policies and Procedures
Prompt Reporting of Personal Data Security Issues
Monitoring of Personal Data Security
Establishment of Discipline Regulations Including Data Security Provisions for Employees
Minimization of Personal Data Wherever Possible
Preparation and Implementation of Corporate Policies on Access, Information Security, Use, Storage, and Disposal
Revocation of Permissions for Employees with Job Changes or Departures
Inclusion of Data Security Provisions in Signed Contracts
Identification of Current Risks and Threats
Internal Periodic and/or Random Audits are Conducted and Mandated
Protocols and Procedures for Special Category Personal Data Security are Established and Implemented
Awareness of Data Security Provided to Data Processing Service Providers

6.2. Technical Measures

To protect information technology systems containing personal data from unauthorized access and threats via the internet, security measures such as firewalls and network gateways are employed. The firewall used prevents breaches into the information network, and the network gateway restricts employees' access to internet sites or online platforms posing threats to personal data security.

In addition, regular checks are conducted to ensure that software and hardware operate properly and that the security measures for systems are adequate. Access to systems containing personal data is restricted, and access authorization is granted to employees, using usernames and passwords, only to the extent necessary for their duties and responsibilities. Passwords are created without direct association to personal information and avoid easily guessed sequences of numbers or letters.

Access authorization and control matrices are established within the data controller organization, and products such as antivirus and antispam are used to protect against malicious software. The information system network is regularly scanned and dangers are identified.

To ensure data security, paper documents containing personal data, servers, backup devices, CDs, DVDs, USBs, and similar storage devices are accessible only to authorized personnel, and necessary measures are taken to enhance physical security.

Below is a summary of the technical measures taken to ensure data security:

Technical Measures
Authorization Matrix
Authorization Control
User Account Management
Network Security
Application Security
Logging with Non-User Alterable Records
Encryption
Data Loss Prevention Software
Backup
Firewalls
Up-to-date Anti-Virus Systems
Deletion, Destruction, or Anonymization
Key Management
 

VII. PROCESSING OF PERSONAL DATA AT BUILDING, FACILITY ENTRANCES AND INSIDE BUILDINGS AND FACILITIES

7.1. Monitoring Activity with Cameras Conducted at Building, Facility Entrances and Inside Buildings and Facilities

Under the Private Security Services Law, monitoring activities with cameras are conducted at Pirlioğlu buildings, workplaces, annexes, parking areas, and surroundings to ensure security and protect the interests of Pirlioğlu and other individuals. Camera monitoring activities are conducted in compliance with the law, within the data processing conditions specified in both the law and this policy.

7.2. Tracking Guest Entries and Exits at Building, Facility Entrances and Inside

To ensure security, the identity information of guests visiting Pirlioğlu buildings and facilities is processed in order to control and track their entries and exits. Personal data processed within this activity is limited to the entry and exit of guests and is recorded in electronic or physical data recording systems.

VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA

8.1. Periods for Storing Personal Data

Your personal data held by Pirlioğlu is retained for as long as necessary for data processing activities; once the obligation to delete, destroy, or anonymize personal data arises, it is deleted, destroyed, or anonymized within the first periodic destruction period following the date on which this obligation arises.

The interval for periodic destruction is limited to a maximum of 6 months.

Pirlioğlu complies with the general principles stated in Article 4 and the technical and administrative measures stated in Article 12 of the Law regarding the deletion, destruction, or anonymization of your personal data.

All operations related to the deletion, destruction, or anonymization of personal data are recorded and kept for at least 3 years as required by legal obligations.

The personnel appointed by Pirlioğlu for the storage and destruction of personal data are responsible for implementing and supervising the personal data storage and destruction policy.

8.2. Obligation to Delete, Destroy and Anonymize Personal Data

Pursuant to Article 7 of the Law, personal data processed by Pirlioğlu is deleted, destroyed, or anonymized ex officio or upon the request of the relevant data subject when the reasons requiring its processing cease to exist.

a) Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users.

All necessary technical and administrative measures are taken to ensure that deleted personal data is inaccessible and cannot be reused by relevant users.

b) Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, irretrievable, and unusable by anyone. The data controller is obliged to take all necessary technical and administrative measures for the destruction of personal data.

c) Anonymization of personal data

Anonymization of personal data is the process of rendering personal data unattributable to a specific or identifiable natural person, even if matched with other data.

Your personal data is anonymized by Pirlioğlu using all necessary technical and administrative measures and in accordance with our personal data storage and destruction policy.

8.3. Techniques for Deleting, Destroying and Anonymizing Personal Data

Techniques for deleting, destroying, or anonymizing personal data processed by Pirlioğlu are shown below; the technique applied may vary depending on the nature of the processed personal data.

First, the following steps are required: identification of the personal data subject to deletion, destruction, or anonymization (1); determination of the relevant users for each item of personal data using an access authorization and control matrix or a similar system (2); determination of the relevant users' access, retrieval, and reuse rights and methods for the personal data (3); and closure and elimination of the relevant users' access, retrieval, and reuse rights and methods regarding the personal data (4).

The process for deletion of personal data is as follows:

● Cloud or application-based solutions: issuing deletion commands,

● Physical documents: obscuring, cutting, or rendering them unreadable,

● Portable media: using appropriate software to delete data.

The process for destruction of personal data is as follows:

● Optical and magnetic media: melting, burning, or pulverizing to physically destroy them,

● Other destruction methods for paper or electronic media.

IX. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS

9.1. Rights of the Data Subject

Under Law No. 6698, as a data subject, you have the right to:

● Learn if your personal data is being processed,

● Request information if your personal data has been processed,

● Learn the purpose of processing your personal data and whether they are used in accordance with this purpose,

● Know the third parties to whom your personal data is transferred within the country or abroad,

● Request correction of your personal data if it is incomplete or incorrect,

● Request deletion or destruction of your personal data under the conditions specified in Article 7,

● Request notification of corrections, deletions, or destructions to third parties to whom your personal data has been transferred, in case of incomplete or incorrect processing,

● Object to the occurrence of a result against you due to the analysis of your processed data solely through automated systems,

● Demand compensation for damages in case of unlawful processing of your personal data.

9.2. Exercise of the Rights of the Data Subject

Requests related to the implementation of the Law by the data subject should be submitted to Pirlioğlu in writing via the email address info@pirlioglu.com.tr or to [address]. The "Data Subject Application Form" published on the website of Pirlioğlu must be used for application requests.

9.3. Response to Applications by Pirlioğlu

Depending on the nature of the application request, it is resolved by Pirlioğlu as soon as possible. This period does not exceed 30 days from the date of receipt of the application. However, if the process requires any cost, fees may be charged according to the tariff determined by the Personal Data Protection Board.

APPENDIX - 1: Definitions

Explicit consent: Consent based on informed and freely given decision on a specific subject,

Anonymization: Rendering personal data impossible to associate with a specific or identifiable natural person, even when matched with other data,

Recipient group: Categories of individuals or legal entities to whom personal data is transferred by the data controller,

Direct identifiers: Identifiers that directly reveal, disclose, and distinguish the person they are related to, on their own,

Indirect identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person they are related to,

Concerned person: The natural person whose personal data is processed,

Related user: Natural or legal persons processing personal data within the data controller organization, excluding those responsible for technical storage, protection, and backup of data, or individuals authorized by and under the instructions of the data controller,

Destruction: Deletion, destruction, or anonymization of personal data,

Law: Law No. 6698 on Protection of Personal Data dated 24/3/2016,

Masking: Actions such as scratching, painting, and frosting the entirety of personal data so that they cannot be associated with an identifiable natural person,

Record medium: Any medium containing personal data processed by automatic or non-automatic means, either completely or partially,

Personal data: Any information related to a specific or identifiable natural person,

Processing of personal data: Any operation performed on data such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of data,

Board: Personal Data Protection Board,

Institution: Personal Data Protection Institution,

Data processor: Natural or legal persons processing personal data on behalf of the data controller based on authorization provided by them,

Data recording system: Record system where personal data are structured and processed according to specific criteria,

Data controller: Natural or legal person who determines the purposes and means of processing personal data, and who establishes and manages the data recording system,


APPENDIX - 2: Data Subjects

Data Subject Categories: Explanation

Employee: Refers to individuals working within Pirlioğlu,

Employee Candidate: Refers to individuals who apply to Pirlioğlu by sending their resumes or through other methods,

Intern: Refers to individuals who practice within Pirlioğlu to gain practical experience and knowledge of their profession,

Product or Service Receiver: Refers to individuals benefiting from services or products provided by Pirlioğlu,

Potential Product or Service Receiver: Refers to individuals showing interest in Pirlioğlu's services or products with potential to become customers,

Supplier: Refers to individuals, both natural and legal persons, from whom services are procured,

Shareholders/Partners: Refers to individuals owning at least one share of Pirlioğlu,

Company Representative: Refers to authorized individuals acting on behalf of Pirlioğlu in designated matters,

Visitor: Refers to third parties visiting the workplace and website of Pirlioğlu,

Business Partners: Refers to individuals, both natural and legal persons, with whom business and transactions are conducted for service development and other commercial activities,

APPENDIX - 3: Personal Data Categories

Identity Information: Personal identity information data of individuals. Information found in documents such as driver's license, identity card, residence permit, passport, lawyer ID, marriage certificate (e.g., TCKN, passport number, identity card serial number, name-surname, photo, place of birth, date of birth, age, place registered in the population registry, civil registry certificate)

Contact Information: Information used by Pirlioğlu to establish communication with individuals (e.g., phone number, email address, residential address)

Summary Information: Pirlioğlu suppliers, business partners, employees' personal data related to their legal rights (information included in personal data under legislation)

Legal Transaction and Compliance Information: Data processed for fulfilling legal obligations arising from legislation and for other legal transactions and debt collection purposes (e.g., data included in court orders or administrative decisions)

Customer Transaction Information: Data obtained from Pirlioğlu clients (e.g., name, surname, nickname, IBAN information, etc.)

Physical Space Security Information: Personal data collected during entry and exit to Pirlioğlu premises and during stay within physical space (e.g., visitor information, camera recordings, etc.)

Transaction Security Information: Personal data processed for ensuring information security, administrative, legal, and commercial security of Pirlioğlu

Financial Asset Information: All kinds of documents and records showing financial information of the data subject with legal relationship established with Pirlioğlu (e.g., current account, other receivables-payables balances, account and card information)

Employee Candidate Information: Name, surname, date of birth, place of birth, signature, marital status, address, telephone, mobile phone, significant illness information, health status, emergency contact person, emergency contact phone number, certificate information possessed, education status information, foreign language proficiency information, professional experience information, reference information, information contained in the curriculum vitae submitted, interview notes data

Employee Information: Data related to qualification certificates obtained from our employees (e.g., education certificate information, certificate name, institution where the education certificate was obtained, education location, name of the seminar/training attended, certificate date, faculty/department, name of the educational institution attended, city of education, end date of education, level of education, type of educational institution where education was received, department worked in, name of the institution worked, city worked in, country worked in, field of activity where the company operates, area worked in the institution, date started working at the institution, etc.)

Employee Transaction Information: All kinds of personal data processed due to the activities carried out by our employees within Pirlioğlu (e.g., Pirlioğlu expenditure expenses information, overseas travel information, email correspondence, entry-exit records, meeting attendance information, etc.)

Employee Performance and Career Development Information: Personal data processed in the management of employee performance evaluation and career development process (e.g., in-service training, performance evaluation reports, etc.)

Family Status Data: Information about the family status of employees

Marketing Information: All kinds of personal data that can be used in marketing activities targeting individuals by Pirlioğlu, serving the purpose of marketing Pirlioğlu's products and services (habitual information, targeting information, cookie records, etc.)

Visual and Auditory Data: Visual and auditory recordings associated with the data subject (e.g., photograph, camera and audio recordings, etc.)

Audit and Inspection Information: Data processed within the scope of legal obligations arising from legislation and compliance with Pirlioğlu policies (e.g., inspection reports, relevant interview records, etc.)

Request/Complaint Management Information: Personal data processed in the management and evaluation process of any request or complaint directed to Pirlioğlu

Special Categories of Personal Data: Data related to health, criminal conviction, and security measures

ANNEX - 4: Third Parties to Whom Personal Data is Transferred and Purposes of Transfer

Transferred Person/Unit: Shareholders
Scope: Pirlioğlu shareholders
Purpose of Transfer: Limited transfer of personal data for fulfilling information flow among Pirlioğlu shareholders

Transferred Person/Unit: Business Partners
Scope: Parties with whom commercial activities are conducted by Pirlioğlu
Purpose of Transfer: Limited transfer of personal data for ensuring the performance of activities with business partners

Transferred Person/Unit: Authorized public institutions and organizations
Scope: Legal relationships between legally authorized public institutions and Pirlioğlu
Purpose of Transfer: Limited sharing/transferring of information and documents requested by relevant public institutions from Pirlioğlu

Transferred Person/Unit: Suppliers
Scope: Parties from whom services are procured for the continuity of Pirlioğlu's commercial activities
Purpose of Transfer: Limited transfer of personal data for the procurement of services from supplier parties
