Table of Contents
- Purpose. 4
- Scope. 4
- References. 4
- Definitions. 4
- General Principles applicable to the Processing of Personal Data. 6
- Conditions for Processing of Personal Data 7
- Preservation/Protection (Storage) of Personal Data 8
- Transfer of Personal Data 9
- Destruction of Personal Data 9
- Security Measures 10
- Informing the Data Subject 11
- Registry of Data Controllers (VERBİS). 12
- Revision of the Policy 12
- Announcement and Storage of the Policy 13
- Situations not specified in the Policy. 13
- Enforcement. 13
- Execution. 13
As Alanar Meyve Ve Gıda Üretim Pazarlama Sanayi Ticaret A.Ş. (Alanar Fruit), we are committed to the protection of personal data of all of the natural persons whose personal data are processed by us through any method and to the complete fulfilment of our obligations under the said Law while conducting our business activities since the date of enforcement of the Law No. 6698 on Protection of Personal Data (“KVKK” or the “Law”).
This Policy provides the principles regarding the processing by Alanar Fruit of the personal data of data subjects; and these explanations cover Alanar Fruit employees, the suppliers and customers that are in a business relationship with Alanar Fruit, their visitors and all natural persons involved in the processing of personal data by Alanar Fruit.
This policy applies to all personal data obtained from data subjects by automated or non-automated means and methods for which Alanar Fruit determines the purposes and means of processing and which are stored in digital or analogue data recording systems that Alanar Fruit is responsible for establishment and management of.
This policy is applied to any and all personal data storage and destruction activities for which Alanar Fruit is accepted as the data controller.
It is applicable for the personal data processing activities conducted by Alanar Fruit as the data processor within the framework of the data processor’s obligations specified in the Law.
The references used for preparation of the Policy:
- a) The Law no. 6698 on Protection of Personal Data
- b) Regulation on Data Controllers’ Registry
- c) Regulation on Erasure/Deletion, Destruction and Anonymization of Personal Data
- ç) Communiqué on the Procedures and Principles to be followed for the Fulfilment of the Obligation to Inform
- d) Communiqué on the Procedures and Principles regarding the Application to the Data Controller
- e) Resolutions of the Personal Data Protection Board
- f) Decisions of the Personal Data Protection Board
- g) Regulations regarding personal data and their processing as specified in other relevant legislation.
Explicit consent: The freely given specific and informed consent related to a specific matter
Group of recipients: The category of natural or legal persons that the data controller transfers personal data to
Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data
Related user: The persons processing personal data within the data controller’s organization or with the authorization and instructions obtained from the data controller, except for the person or unit responsible for technical storage, protection and backup of data
Destruction: The erasure/deletion, destruction or anonymization of personal data
Data subject: The natural person whose personal data are processed
Group of data subjects: The category of data subjects whose personal data are processed by data controllers
Contact person: The natural person notified by the data controller at the time of registration with the Registry for communications to be established with the Authority in relation to the obligations of the legal persons resident in Turkey and the representative of the legal-person data controller not resident in Turkey under the Law and the secondary legislation to be issued on the basis of this Law
Law: The Law No. 6698 on Protection of Personal Data dated 24 March 2016
Storage/Recording media: Any media containing personal data processed wholly or partly by automated means or non-automated means that are a part of any data recording system
Personal data processing inventory: The inventory established and detailed by data controllers by way of associating their personal data processing activities that they conduct depending on their business processes with personal data processing purposes, data categories, groups of recipients and groups of data subjects and elaborating the maximum storage period required for the purposes of processing of personal data, the personal data planned to be transferred to foreign countries, and the measures taken for data security
Personal data storage and destruction policy: The policy that data controllers rely on as the basis for determination of maximum storage period required for the purposes of processing of personal data and for the process of erasure/deletion, destruction, and anonymization of data
Personal data: Any information relating to an identified or identifiable natural person
Processing of personal data: Any operation or set of operations performed upon personal data, whether by automated means in part or in whole, or non-automated means that are a part of any data recording systems, such as collection, recording, storage, preservation, alteration, revision, disclosure, transmission, acquisition, retrieval, classification or blocking the use of such data
Storage of personal data: Storage of personal data following their acquisition in an environment suitable for data storage for the purpose of reprocessing of such data in terms of their contents, value or meaning subsequent to their acquisition
Board: Personal Data Protection Board
Special categories of personal data: Any personal data revealing racial or ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, dressing, association, foundation, or trade union membership, health, sexual life, criminal convictions and offences and related security measures and biometric and genetic data of persons
Periodic destruction: The process of deletion, destruction or anonymization, specified in the personal data storage and destruction policy, which will be performed ex officio at certain periodic intervals in the event that the conditions for processing of personal data, as specified in the Law, completely cease to exist
Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority
Data processor: The natural or legal person processing personal data on behalf of the data controller based on the authorization granted by the data controller
Data category: The personal data category of the group or groups of data subjects by which personal data are grouped according to their common characteristics
Data recording system: The recording system through which personal data are configured and processed according to certain criteria
Data controllers’ registry information system (VERBİS): The information processing system established and managed by the Presidency and accessible via Internet, which will be used by data controllers for application to the Registry and other operations related with the Registry
Data controller: The natural or legal person that determines the purposes and means of processing of personal data and is responsible for the establishment and management of the data recording system.
Personal data are processed in accordance with the general principles specified in the Law.
Pursuant to this principle, personal data processing activities are conducted in accordance with all the relevant legislation, including the Constitution and KVKK in particular, and in compliance with the rules of integrity and good faith.
Necessary measures are taken for transparency and accountability.
It takes necessary measures to ensure that the personal data are accurate when they are acquired. It takes every reasonable step as expected to ensure that they are up to date when it is required to reprocess them. It determines the appropriate methods in order to allow the data subjects to make corrections or revisions in their personal data; and shows utmost efforts to ensure ease of access to such data with minimum costs.
Personal data are processed for apparent and specific purposes only. No personal data are processed for the purposes that are contrary to the applicable laws or noncompliant with the business activities. It ensures transparency and accountability in all personal data processing activities.
Efforts are made to ensure that the personal data collected or processed are kept at minimum level and details. No personal data that are irrelevant with or not required for achievement of the processing purposes are processed, considering the processing purposes of the personal data collected. Minimum amount of data sufficient for achievement of the purpose is processed. No personal data are collected and stored for any possible needs that may arise in future.
5.4.1. Storage of data for the period as stipulated in the relevant legislation or required for their processing purposes
The maximum periods for which personal data may be stored for their processing purposes are already specified. The data are stored for the period stipulated in the relevant legislation for storage of such data, or if there is no period specified as such, for the period as required for the relevant processing purposes.
While determining the maximum storage period required for the purpose of processing of personal data, the following issues are taken into account:
- a) The period accepted as per the general practice in the sector that the data controller operates in within the scope of the processing purposes of the relevant data category;
- b) The period of the legal relationship established with the data subject, which requires the processing of personal data included in the relevant data category;
- c) The period during which the legitimate interest that the data controller may acquire or pursue will be lawful and in compliance with the rules of integrity and good faith, depending on the purpose of processing of the relevant data category;
- ç) The period during which the risks, costs and liabilities that may arise from storage of data will legally exist, depending on the purpose of processing of the relevant data category;
- d) Whether the maximum period to be determined is suitable to ensure that the relevant data category may be kept accurate and up to date, when necessary;
- e) The period during which the data controller is required to store the personal data include in the relevant data category pursuant to the data controller’s legal obligations;
- f) The prescription/limitation period determined by the data controller to claim and exercise a right related to personal data included in the relevant data category.
The conditions for processing of personal data are already set forth in the Law. Special categories of personal data and non-special categories of personal data are considered separately in terms of their processing conditions.
6.1. Conditions for Processing of Non-Special Categories of Personal Data
The basic rule is that personal data should not be processed without the explicit consent of the relevant data subject.
The Law has set forth the cases or conditions under which non-special categories of personal data may also be processed without the data subject’s explicit consent.
- a) If it is clearly provided for in the Laws;
- b) If it is required for the fulfilment of the data controller’s legal obligations;
- c) If the processing of the personal data pertaining to the contracting parties is necessary, providing that it is directly related to the conclusion, fulfilment or implementation of a contract;
- ç) If the processing of data is required for establishment, exercise, or protection of any right;
- d) If the processing is required to protect the vital interests of the data subject or of another natural person, including physical integrity or life, where the data subject is physically or legally incapable of giving consent;
- e) If the processing relates to personal data which are manifestly made public by the data subject;
- f) If the processing of data is required for protection of legitimate interests of the data controller, providing that such processing shall not violate the fundamental rights and freedoms of the data subject.
Adequate measures determined by the Board are taken in the processing of special categories of personal data.
Similarly, the basic rule is to obtain the explicit consent of the data subject for the processing of special categories of personal data.
However, special categories of personal data except for those related with health and sexual life may be processed without the relevant data subject’s explicit consent only in cases or circumstances stipulated in the laws.
Special categories of personal data related to health and sexual life may be processed by the persons subject to non-disclosure obligation (e.g. workplace doctor) or the authorized bodies, institutions or organizations without an explicit consent for the following purposes:
- a) Protection of public health;
- b) Preventive medicine;
- c) Medical diagnosis;
- ç) Provision of treatment and care services;
- d) Planning and management of healthcare services and the related financing.
The storage of personal data constitutes a personal data processing activity and is conducted in accordance with the personal data processing conditions.
Personal data may be stored in suitable environments or media only if and when it is required to store such data. If other personal data processing activities except for storage do not necessitate the storage of data, personal data are destroyed.
Personal data may be obtained or collected in physical and digital media and transferred from physical to digital media, or from digital systems to physical media. The same rules apply for the processing of personal data stored in both media to the extent appropriate.
Common digital media used for storage of personal data obtained or collected in or subsequently transformed into digital form hereunder, which can be processed by information processing systems, include the following:
- a) Servers (the devices on which digital personal data can be stored and which can be used to produce services (database, e-mail, domain, etc.)
- b) Network and information security devices (router, firewall, switch, etc.)
- c) Personal computers (Desktop, laptop, etc.)
- ç) Mobile devices (mobile phones, tablets, etc.)
- d) Removable memories (removable USB flash drives, CDs/DVDs, memory cards)
- e) Cloud
- f) Card readers, security cameras
The media used for storage of personal data obtained or collected in physical media or transformed from digital into physical media:
- a) Writing instruments like forms and notebooks and any and all papers that may contain personal data, on which personal data may be written or which are obtained by printing
- b) Any and all media other than paper (card, plaque, etc.) suitable for storage of personal data without digitalization of such data
This policy does not apply to the personal data stored in physical media that are not a part of a data recording system.
When determining the storing media for the personal data required to be stored, the minimum required media are used. If the initial media used for collection of personal data are suitable for storage, they are retained in their original media. If the initial media are not suitable for storage and do not allow for storage of data for the required storage period, or make it difficult to process or the data are at risk; it may also be decided to be stored in another media.
Personal data may be transferred to other data controllers or data processors at home or abroad. Transfer of data is performed in accordance with the legislation.
If any personal data are requested by the authorized agency or institution within the framework of Art. 28/1 of KVKK; they may be transferred to the relevant authorities without the obligation to inform and without any need for your explicit consent.
If any personal data are requested in cases explicitly specified in the laws, such data may be transferred to the authorized public authorities (administrative authorities such as ministries, Presidential boards, etc.) within the scope of the purposes and limitations stipulated in the law and by fulfilling the obligation to inform the data subject.
Personal data may be transferred to other data controllers at home in accordance with the conditions for processing of personal data. The measures stipulated by the Board shall also be taken in case of transfer of special categories of personal data. (See the Conditions for Processing of Personal Data)
Personal data are transferred abroad in case of presence of the data subject’s explicit consent.
Personal data are destroyed if and when the situations requiring storage of such data cease to exist.
With the deletion of personal data, it is aimed to destroy such data in such a manner that they are no longer reversible and reusable under any circumstances. Personal data are deleted from the media in which they are stored such as documents, files, CDs, floppy disks, hard disks, etc. in an irreversible manner.
Personal data that are stored in electronic media and can be deleted are deleted by way of deletion. After such deletion, measures are taken to prevent their retrieval or restoration.
For the personal data that are stored in electronic media, but cannot be deleted, the storage media used is destroyed.
The deletion of documents stored on paper and similar physical media is performed by covering the personal data with a dark colour in an indelible manner.
It refers to the destruction of the media used for storage of data such as documents, files, CDs, floppy disks, and hard disks, etc. in an irreversible and unusable manner.
If it is impossible to perform deletion from digital media, the method of destruction is not used. In case of optical media that cannot be erased or deleted, the method of breaking the media into small pieces is applied.
The anonymization of personal data means rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data.
Personal data are rendered impossible to link with an identified or identifiable natural person even by using appropriate techniques in terms of storage media and the related field of activity such as reversion and/or matching of data with other data, which may be performed by data controllers or third persons.
The destruction period for personal data for which the processing conditions cease to exist with the expiry of their retention periods is maximum six months.
The personal data for which the processing conditions are based on explicit consent only are destroyed within 30 days if such explicit consent is withdrawn by the data subject. For the personal data that are processed subject to the presence of explicit consent only, but required to be destroyed for any reason other than the withdrawal of explicit consent; the destruction period is six months.
The personal data for which the specified destruction period expires before the periodic destruction time window; they are destroyed without awaiting the periodic destruction time.
The periodic destruction period is six months. Periodic destruction may be expanded over a reasonable period of a time depending on the types and numbers of personal data required to be destroyed.
Alanar Fruit takes any and all technical and organizational measures necessary to ensure adequate security level for the following purposes:
- a) to prevent unlawful processing of personal data;
- b) to prevent unlawful access to personal data;
- c) to ensure the protection of personal data.
The inventory of personal data processing activities conducted under the roof of Alanar Fruit has been established. All activities have been reviewed and necessary changes have been made. The inventory is revised and updated when necessary.
It is ensured that other natural or legal persons processing personal data on behalf of Alanar Fruit also take the same measures.
Alanar Fruit conducts the necessary training activities in its institution or organization for the purpose of raising awareness about the protection of personal data and the protection of the rights and interests of data subjects. It is ensured that those processing personal data are aware of the requirement that they may not disclose the personal data that they learn to others and that this obligation survives even after they leave their jobs.
The compliance with specified rules is audited through in-house and external periodic or instantaneous audits.
The procedures and principles that will apply in case of a data breach have been determined.
Alanar Fruit aims to inform the data subjects whose personal data are processed by providing them with process-based, straightforward and sufficiently detailed information in compliance with the legislation, through appropriate methods, and in a reasonable period of time. In cases where personal data processing is subject to explicit consent, the company attaches importance to provision of correct information to the relevant data subject about the consequences of his/her explicit consent.
Data subjects must firstly apply to the data controller in order to exercise their rights related to their personal data. Pursuant to article 14 of the Law, data subjects may not file a complaint directly with the Personal Data Protection Board.
Pursuant to the Law, data subjects are entitled to exercise the following rights:
- a) To learn whether their personal data are processed or not;
- b) If their personal data are processed, to request information regarding such processing;
- c) To learn the purpose of processing of their personal data and whether their data have been used for intended purposes;
- ç) To know the third parties to whom their personal data are transferred at home or abroad;
- d) To request for correction of their personal data if they have been processed incompletely or inaccurately;
- e) To request for erasure/deletion or destruction of their personal data in case the reasons requiring the processing of their personal data cease to exist;
- f) To request for notification of such actions taken pursuant to subparagraphs (d) and (e) to third parties to whom their personal data have been transferred;
- g) To object to the analysis of their personal data processed, exclusively by automated means or systems, which leads to an unfavourable consequence for them;
- ğ) To request compensation for any loss or damage arising from the unlawful processing of their personal data.
Data subjects may notify their claims to exercise such rights by using the methods specified in the relevant informative texts.
Except for the right to claim for compensation of their loss or damages, data subjects may not exercise their right to apply to the data controller in case of the following circumstances:
- a) If the processing of personal data is required for prevention of a crime or a criminal investigation.
- b) If the processing relates to the personal data which are manifestly made public by the data subject.
- c) If the processing of personal data is required by the commissioned or authorized public institutions and organizations or professional bodies or institutions that are public institutions based on the authorization granted by the law for the purpose of conducting their supervisory or regulatory duties or a disciplinary inquiry or investigation.
- ç) If the processing of personal data is necessary to safeguard the economic and financial interests of the State with respect to budgetary, tax-related and financial issues.
The applications of data subjects are reviewed with due attention and responded in accordance with the data subject’s request or through another method that will be deemed appropriate, as soon as possible, and, in any event, within 30 days at the latest. No fee is claimed for such a response. However, if such process requires any additional cost, the fee specified in the tariff determined by the Board may be charged to the applicant.
Additional information or documents may be requested from the applicant for the purposes of identity verification or for any other reasons in order to meet the applicant’s requests.
Alanar Fruit is registered in the Registry of Data Controllers stipulated in the Law and kept by the Personal Data Protection Authority. The registry records prepared on the basis of personal data processing inventory is publicly accessible by everyone. (https://verbis.kvkk.gov.tr)
VERBİS registration contains the following information;
- a) Groups of data subjects;
- b) Personal data categories;
- c) Processing purposes;
- ç) Maximum storage periods;
- d) The persons to whom personal data are transferred;
- e) Personal data categories transferred abroad;
- f) Security measures.
The registry records are revised and updated, when necessary, in accordance with the legislation.
The policy is reviewed once a year and revised and updated in case of identification of any need for changes required to be made. In addition, the policy is also revised and updated when there are any changes made in the personal data processing inventory requiring the revision of the policy.
The revisions made in the Policy and the related dates of such revisions are indicated in the table below.
|1.4.2020||First version prepared||Announcement of the first version issued|
Since the Policy is open to the public, it is published on the company’s website.
The Policy is stored and retained by the Legal Consultancy.
References will be used in case of any issues not specified in the Policy or any disputes likely to arise from implementation of the Policy. The relevant legal regulations in force governing the processing and protection of personal data shall prevail.
The effective date of this Policy is 31.12.2020. The version that was arranged by Alanar Fruit and entered into force on 21.12.2017 has been replaced and renewed as of the effective date of this Policy.
The Policy is executed by the Legal Consultancy.