Citron Gıda Sanayi Ltd Şti. PERSONAL DATA PROTECTION POLICY

1) The Purpose of the Personal Data Protection and Processing Policy

As a requirement of its legal and social responsibility, Citron Gıda Sanayi Ltd Şti. has accepted and undertaken to act in accordance with all legislation related to data protection and with international standards. For Citron Gıda Sanayi Ltd Şti. (hereinafter referred to as the “Company”), data protection is the basis of a trusting business relationship and of the reputation of the Company.

2) Scope and modification of the Personal Data Protection and Processing Policy

This Personal Data Protection and Processing Policy covers the processing of all personal data, together with the Clarification Text statements (statements made for the purpose of fulfilling the clarification obligation in the data collection channels). Information anonymized for purposes such as statistical evaluations or analyses is not subject to this Data Protection and Processing Policy.

This Personal Data Protection and Processing Policy has been prepared in accordance with the Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (“KVKK”).

This policy relates to all personal data of our customers, our potential customers, our employee candidates, our employees, the employees, shareholders, and authorities of the institutions we cooperate with, and third parties, processed through automatic means or, provided that the process is a part of any data registry system, through non-automatic means.

This Personal Data Protection and Processing Policy, regulated by our Company, is dated October 07, 2016. In case of the renewal of all or certain articles of the Policy, the effective date and version of the Policy will be updated. The policy is published on the official website of our Company and is made available to relevant persons at the request of personal data owners.

3) General Principles in the Processing of Personal Data

  1. Lawfulness and conformity with rules of bona fides
    Individual rights of the persons concerned must be preserved in the processing of personal data. Personal data should be collected and processed in accordance with the law and fairly.
  2. Specific purpose limitation
    Personal data may only be processed for the purpose defined prior to the collection of the data. Additional modifications to the purpose are possible only to a limited extent and with justification.
  3. Transparency and illumination
    The individual concerned should be informed about the use of their information. Personal data is usually received directly from the individual concerned. When data is collected, the individual concerned should be aware of or informed of the following articles:
  • The identity of the data controller and its representative, if any
  • The purpose of processing personal data
  • To whom and for what purposes the processed personal data is transferred, or categories of third parties
  • Method of and Legal Reason for Collecting Personal Data
  • The rights of the person whose personal data is processed in accordance with Article 11 of the KVKK
  4. Data reduction and data economy
    Whether the process is necessary to achieve the purpose, and in what scope it is necessary is determined prior to the processing of personal data. In the case where the purpose is acceptable and proportionate, anonymous or statistical data is used.
  5. Erasure of personal data
    After the expiration of the periods related to the legal or business process, including the record-keeping obligations and the registration procedures required for proof, personal data that are no longer required are erased, destroyed, or anonymized.
  6. Accuracy and data actuality
    The personal data in the file is kept up to date if it is accurate, complete, and known. Appropriate measures have been taken by the Company to ensure the erasure, correction, completion, or updating of the inaccurate or incomplete data.
  7. Privacy and data security
    Personal data is subject to confidentiality. It must be protected by appropriate organizational and technical measures to prevent unauthorized access, illegitimate acts, sharing, accidental loss, modification, or destruction, and is kept confidential at the personal level.

4) The Purpose of Data Processing

The collection and processing of personal data will be carried out within the scope of the Clarification Text and the purposes specified below.

5) Data of Customers and Business Partners

  1. Data processing for the contractual relationship
    The personal data belonging to the customer (customer and potential customers) or business partner (if the business partner is a legal person, then the authority of the business partner and its employees) can also be processed for the establishment of a contract, its implementation, and its discharge without consent. Before the contract – at the stage of starting the contract, personal data may be processed in order to ensure customer safety, customer satisfaction, the purpose and legal performance of contractual actions, and the fulfillment of contractual requests in this context. In the process of preparing a contract, data owners can be contacted in consideration of the information they provide.
  2. Data processing for advertising and informational purposes
    If the data owner makes a request for information from the Company, his/her personal data may be processed to meet this request.
    Personal data are processed for advertising or market and public opinion research only if the purpose of collecting this information is in accordance with these purposes. The data owner is informed that his/her information will be used for advertising purposes. If the information is collected only for advertising purposes, the data owners may not provide this information. The data subject is informed about his/her freedom to provide his/her information for this purpose. The consent of the person is obtained for the processing of the data subject's information for advertising purposes. The data subject can choose between the appropriate communication channels such as mail, electronic mail, or telephone call within the scope of giving this consent.
    When the data subject does not allow the use of his/her information for advertising purposes, the data is no longer used for these purposes and its use for these purposes is precluded.
  3. Data operations made due to the legal obligation of the company or as expressly stipulated in the law
    Personal data may be processed without further approval in order to clearly state the processing in the relevant legislation or to fulfill a legal obligation established by the legislation. The type and scope of data processing must be necessary for the legally permitted data processing activity and must comply with the relevant legal provisions.
  4. Processing of data in accordance with the legitimate interests of the company
    Personal data may also be processed without prior approval when it is necessary for a legitimate interest of the Company. Legitimate interests are, in general, legal (e.g. avoidance of contract violations) or economic (e.g. collection of receivables) interests.
  5. Processing of sensitive data
    Sensitive personal data are processed in the following cases, provided that adequate measures are taken, which will be determined by the Personal Data Protection Board (“Board”):
  • Sensitive personal data other than the health and sexual life of the person concerned, in cases stipulated by law;
  • And the sensitive personal data relating to the health and sexual life of the person concerned can only be processed for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services execution, planning and management of health care and its financing, by persons under the obligation of confidentiality or authorized institutions and organizations.

In the absence of the above-mentioned data processing conditions, explicit consent is obtained from the relevant person for data processing by the Company.

  6. User information and internet
    The processing of personal data used exclusively through automated systems for the purpose of determining a number of elements cannot solely be the basis for decisions that have negative legal consequences and negatively affect the person concerned. The person concerned has the right to object to the emergence of a conclusion against the person himself by analyzing the processed data exclusively through automated systems. To prevent misjudgments, testing and reliability checks are carried out by the Company's employee.
  7. Data processed exclusively through automated systems
    In case of collection, processing, and use of personal data on websites or applications, the relevant persons should be informed with a privacy statement and, if necessary, about cookies. The privacy statement and cookie information are integrated in such a way that they are easily identifiable, directly accessible, and constantly available to the person concerned.
    In the event that usage profiles are created to evaluate the use of websites and applications, the person concerned is properly informed about this issue in the privacy statement.
    If websites or applications can access personal data in an area restricted to registered users, identification and authentication of the relevant person provide adequate protection throughout the access.

6) Employee Data

  1. Processing of data for business relationship
    In business relations, personal data is processed without further approval if it is necessary for the establishment, implementation, and termination of the employment contract. Personal data of candidates are processed when starting a business relationship. If the candidate is rejected, the information about the candidate is stored until the appropriate data retention period for a later stage of the selection, and at the end of which, it is erased, destroyed, or anonymized.
  2. Data operations that are made due to the explicit provision in the law or to the legal obligation of the Company
    Personal data belonging to the employee can be processed without further approval in order to clearly state the processing in the relevant legislation or to fulfill a legal obligation established by the legislation.
  3. Processing of data in accordance with the legitimate interest
    Personal data belonging to the employee can also be processed without prior approval if there is a legitimate interest of the Company. Legitimate interests are, in general, legal (e.g. filing, implementation, or defense of legal rights) or economic (e.g. evaluation of the company) interests.
    In individual cases where the interests of employees need to be protected, personal data is not processed for legitimate interest purposes. Whether there are interests that require protection is determined before the data are processed.
    When the data belonging to employees is processed based on the legitimate interest of the Company, it is examined whether the processing is proportionate. It is checked that the legitimate interest of the Company in taking this control measure does not violate any right of the relevant employee that merits protection, and the measure is applied only if it is proportionate.
  4. Processing of sensitive data
    Sensitive personal data is processed only under certain conditions. Data on race and ethnic origin, political opinion, religion, philosophical belief, sects or other beliefs, clothing, association or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data are defined as sensitive data.
    Sensitive personal data can be processed with the explicit consent of the employee. Where explicit consent is given, the data is processed according to the nature of the sensitive personal data, taking into account the principles set out in this policy and the necessary administrative and technical measures.
    Sensitive personal data are processed in the following cases, provided that adequate measures are taken that will be determined by the Board, in cases where the employee does not give explicit consent:
  • Sensitive personal data other than the health and sexual life of the person concerned, in cases stipulated by law,
  • And the sensitive personal data relating to the health and sexual life of the person concerned can only be processed for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services execution, planning and management of health care and its financing, by persons under the obligation of confidentiality or authorized institutions and organizations.
  5. Telecommunications and internet
    Telephone equipment, email addresses, intranet, and the Internet, as well as internal networks, are provided by the Company primarily for work-related tasks. They are working tools and Company resources. These tools must be used in accordance with legal regulations and internal regulations of the Company.
    There is no general audit of telephone and email communication or intranet and internet use. In order to prevent attacks against the IT infrastructure or individual users, protective measures are taken at the transition points to the Company network that block technically harmful content or analyze attack patterns. Data on the use of telephone equipment, email addresses, intranet/internet, and/or on-premises social networks is stored for a limited period of time for security reasons. Evaluations of these data relating to an individual are carried out only if there is a concrete suspicion of violation of legal regulations. These controls are carried out by the relevant departments only on the condition that the principle of proportionality is maintained.

7) Transfer of Personal Data

The transfer of personal data to third parties other than the Company will be carried out within the scope of the purposes specified in the Clarification Text and the purposes specified below.
The Company will be able to transfer personal data to the following persons and institutions for certain purposes:

  • To the suppliers of our Company, limited to the provision of the outsourced services that our Company procures from them and that are necessary for our Company to carry out its commercial activity,
  • To subsidiaries, limited to ensuring the execution of those commercial activities of our Company in which the participation of subsidiaries is necessary,
  • To legally authorized public institutions and organizations, limited to the purpose requested by the relevant public institutions and organizations within the scope of their legal authority,
  • To legally authorized private entities, limited to the purpose requested by the relevant private entities within the scope of their legal authority.

After the Board declares foreign countries with sufficient protection, personal data will be transferred by our Company only to those countries. For countries that have been declared to lack adequate protection, personal data will be transferred when data controllers in Turkey and the relevant foreign country have committed to adequate protection in writing and have the permission of the Board or when the data subject has given their consent.

8) The Rights of the Person Concerned

All data subjects have the following rights. In case of exercising the rights given to the data subject and submitting a request to the Company, the Company provides the necessary information; with this data privacy regulation, the Company informs the data subject about how to use this right and how to evaluate the issues related to the information request.

  • The right to find out if personal data has been processed,
  • To request information about his/her personal data in case it has been processed,
  • To find out the purpose of processing personal data and whether they are used for their intended purpose,
  • To request correction of personal data in case of incomplete or incorrect processing, and to request reporting of the operation made in this regard to the third parties to whom the personal data was transferred,
  • To request the destruction or erasure of his/her personal data and to request the reporting of the operation made in this regard to the third parties to whom the personal data were transferred, in cases where the reasons requiring processing are no longer apparent, even though personal data were processed under the provisions of the KVKK and other relevant laws,
  • To object to the emergence of a conclusion against the person himself by analyzing the processed data exclusively through automated systems,
  • To request compensation for damages if personal data is damaged due to unlawful processing.

For the cases that are excluded from the scope of the KVKK listed below, the relevant persons cannot assert their rights mentioned above in these matters, and therefore the Company is not under any obligation to fulfill the requests submitted within this scope:

  • Personal data is processed for the purpose of official statistics and for research, planning, and statistical purposes after having been anonymized.
  • Personal data is processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy, or personal rights are not violated or they are processed so as not to constitute a crime.
  • Personal data is processed within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defence, national security, public security, public order, or economic security.
  • Personal data is processed by judicial authorities or execution authorities with regard to the investigation, prosecution, criminal proceedings, or execution proceedings.

Under the KVKK, in the following cases the persons concerned cannot assert their other rights, except for the right to demand compensation for damage:

  • The processing of personal data is necessary for the prevention of a crime or criminal investigation.
  • Processing of personal data made public by the personal data subject himself.
  • The processing of personal data is required by authorized public institutions and organizations, as well as professional organizations of a public institution nature, based on the authority granted by law, for the performance of supervisory or regulatory duties, as well as for disciplinary investigation or prosecution.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State concerning budgetary, tax, and financial issues.

Personal data subjects can submit their requests regarding the aforementioned rights by filling out in full the form which can be found at the Company's official internet address www.citron.com.tr, signing it with a wet-ink signature, and sending it by registered, reply-paid letter, together with a copy of their identity card (front side only), to the address Gayrettepe Mah., Barbaros Bulvarı Pınar Apt., No: 163/10 Beşiktaş / Istanbul, Turkey. In order for a person other than the personal data subject to make a request, there must be a special power of attorney issued by the personal data subject on behalf of the person who will submit the request.

Requests duly submitted to the Company will be finalized within thirty days at the latest. If the conclusion of these requests also requires a cost, the applicant will be charged by the Company at the tariff established by the Board.

The Company may request additional information to determine whether the person who made the request is the personal data subject, and may pose questions to the data subject about the application in order to clarify the issues stated in it.

9) Confidentiality of the Operations

Personal data are subject to confidentiality. Employees are prohibited from collecting, processing, or using data without permission. Unauthorized use is an unauthorized data processing that employees perform outside their legitimate duties. Employees can access personal data only if it corresponds to the scope and nature of the task in question.

Employees are prohibited from using personal data for private or commercial purposes, distributing it to unauthorized persons, or making it accessible through different means. Managers should inform their employees about the obligations related to data protection at the beginning of the employment relationship. This obligation continues also after the termination of the employment relationship.

10) Operation Security

The Company takes the necessary measures and applies the necessary controls to processed personal data in order to prevent illegitimate data processing, prevent illegitimate access to the data, and protect the data, and the Company carries out, or has carried out, inspections within this scope. This applies regardless of whether the data processing is done electronically or in writing. Especially before starting new methods of data processing in the transition to new IT systems, technical and organizational measures for the protection of personal data are defined and implemented. These measures are based on the latest developments, the risks of the operation, and the need to protect the data, determined by the information classification process. Technical and organizational measures related to the protection of personal data are part of the Company's information security management and are constantly being adapted to technical developments and organizational changes.

11) Data Protection Control

Compliance with the Personal Data Protection and Processing Policy and KVKK is ensured by regular data protection inspections and other controls. The Company conducts, or has conducted, the necessary inspections within its system.

12) Data Breaches Method

The Company operates this Personal Data Protection and Processing Policy or a system that ensures that if personal data processed under the KVKK is obtained by others through illegitimate means, it will be notified to the relevant person and the Board as soon as possible. If deemed necessary by the Board, this situation may be announced on the Board's website or by any other means.

13) Definitions

  • If no one can trace the personal data to a person, or if the personal identity can be recreated only with an unreasonable amount of time, expense, and labor, the data is considered anonymized.
  • Data breaches are incidents in which there are justified suspicions of illegitimate seizure, collection, modification, copying, distribution, or use of personal data. This may concern third parties and persons.
  • A contact person is a natural person whose personal data has been processed.
  • Sensitive data are data on race and ethnic origin, political opinion, religion, philosophical belief, sects or other beliefs, clothing, association or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
  • Personal data is any kind of information that determines the identity of a real person or makes his/her identity identifiable. A person can be identified, for example, if his/her personal relationship can be determined using a combination of information, even with possible additional information.
  • Processing of personal data is any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

14) Privacy And Consent

Your personal information will be used only for the requirements of the service, to access personal information about you, or to contact you. This information will not be shared with third parties or published anywhere.

Automatically Recorded Information (non-personal data)

When you enter the website, general non-personal information (Internet Browser used, number of visitors, average time spent on site, pages viewed) is saved automatically (as separate from membership registration). This information is used to improve the overall quality of our site. Your information is not further processed and it is not transmitted to third parties.

In this sense, please note that with your mentioned approval, you are approving the processing, the use and sharing limited to the processing purpose in the scope of the related period, storing for the necessary period of your sensitive personal data (telephone, e-mail, address, and your other contact information) by Citron Gıda Sanayi Ltd Şti. Tur.İşl.San.ve Tic.A.Ş group companies, subsidiaries, and affiliates, in accordance with the related provisions of the Law on the Protection of Personal Data No. 6698 (“KVKK”), and approving to be contacted as subject to activities in the scope of the electronic commerce legislation by means of SMS, e-mail, and call. You also approve that the necessary clarification was made to you in this regard, that you have read and understood this text.

15) Scope

This Policy and all approvals and permissions within the policy are applied to Citron Gıda Sanayi Ltd Şti. Tur.İşl.San.ve Tic.A.Ş group companies, subsidiaries, and affiliates, and these data may be processed by all of these companies and are considered electronic commerce activities in the determined scope.

Commercial Title: Citron Gıda Sanayi Ltd Şti.

Address: Tömük mah. 813 sok. No: 6 Erdemli/Mersin

Telephone: +90 0324 336 49 68

E-mail: info@citron.com.tr