Data Storage and Destruction Policy
DATA PROCESSING
NUTRADE/ÖZGÜR ŞAHİN
Address: Pınar Mah. Ilgın Sok 4/3 Sarıyer/İstanbul
Phone: 08502550211
Web: https://www.nutrade.com.tr
CONTENTS
1. INTRODUCTION
2. PURPOSE OF THE POLICY
3. SCOPE OF THE POLICY
4. DEFINITIONS
5. PURPOSES OF PROCESSING PERSONAL DATA
6. PROCESSING OF PERSONAL DATA
6.1. Principles to be Applied in the Processing of Personal Data
6.1.1 Processing of Personal Data in Compliance with Law and Integrity Rules
6.1.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary
6.1.3. Processing Personal Data for Specific, Clear and Legitimate Purposes
6.1.4. Processing Personal Data in a Limited and Measured Way in Connection with the Purpose for Processing
6.1.5. Keeping Personal Data for the Period Envisaged in the Legislation or Necessary for the Purpose for which they are Processed
6.2. Processing of General Personal Data
6.2.1. Having Explicit Consent of the Personal Data Owner
6.2.2 Explicitly Provided in Laws
6.2.3. Failure to Obtain Explicit Consent Due to Actual Impossibility
6.2.4. Being Directly Related to the Establishment or Performance of the Contract
6.2.5. It is mandatory for the company to fulfill its legal responsibilities
6.2.6. Data Publicized by the Relevant Person Himself
6.2.7. Being Necessary for the Establishment, Use or Protection of a Right
6.2.8. Necessary for the Company's Legitimate Interests
6.3. Processing of Special Personal Data
6.4. Personal Data Processed by NUTRADE TURKEY
6.5. Transfer of Personal Data
6.5.1. Domestic Transfer of Personal Data
6.5.2. Transfer of Personal Data Abroad
7. DATA ON INTERNET ACCESS PROVIDED
8. PERSONAL DATA OF WEBSITE VISITORS
9. SECURITY OF PERSONAL DATA
10. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
11. PERSONAL DATA OWNER'S RIGHTS AND APPLICATION TO THE COMPANY
11.1. Rights of Personal Data Owner
11.2. Exercise of Personal Data Owner's Rights
11.3. Exceptions to the Personal Data Owner's Right to Application
11.4. Answering the Applications of the Personal Data Owner
12. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
ANNEX-1: Personal Data Categories
ANNEX-2 Personal Data Category and Person Group Matching
1. INTRODUCTION
Protection of personal data is among the most important priorities of NUTRADE/ÖZGÜR ŞAHİN (hereinafter referred to as “NUTRADE” or “Company”). Great care is taken to protect the personal data of our Company partners, employees, employee candidates, visitors, suppliers, supplier employees-authorities, customers, customer employees-authorities, potential customers, business partners-authorities-employees, referenced persons, family members and relatives of our employees, third parties who claim rights and the attorneys or legal representatives representing them, public employees/employers, consultants, insurance companies, bank officials, experts and relevant third parties.
As stipulated in Article 20 of the Turkish Constitution, everyone has the right to request the protection of personal data concerning him/her.
For our Company partners, employees, employee candidates, visitors, suppliers, supplier employees-officials, customers, customer employees-officials, potential customers, business partners-officials-employees, referenced persons, family members and relatives of our employees, third parties claiming rights and the attorneys or legal representatives representing them, public employees/employers, consultants, insurance companies, bank officials, experts and relevant third parties, whose personal data we process in line with NUTRADE activities or requirements, the right to "Protection of Personal Data", which is a constitutional right, and its development have been adopted as an institutional policy.
2. PURPOSE OF THE POLICY
This Policy is intended to ensure compliance with the Personal Data Protection Law No. 6698 (hereinafter referred to as "KVKK"), the decisions of the Personal Data Protection Board (hereinafter referred to as the "Board") and the secondary legislation in force on this matter regarding the processing and protection of personal data. It has been prepared to ensure that all activities within the Company are carried out in a harmonious manner.
In addition, it is aimed to inform the relevant persons whose personal data are processed in the most transparent and accurate way about the activities carried out by NUTRADE, the measures taken and the Company principles for the purpose of processing personal data and ensuring personal data security.
3. SCOPE OF THE POLICY
This policy relates to all kinds of operations performed on the personal data of relevant persons, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use, by fully or partially automatic or non-automatic means provided that it is part of any data recording system, and to the administrative and technical measures taken for the security of personal data.
4. DEFINITIONS
In this policy,
Explicit Consent: Consent regarding a specific subject, based on being informed and expressed with free will,
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller,
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
Relevant Person: The real person whose personal data is processed,
Employee: NUTRADE personnel,
Employee Candidate: Real persons who have applied for a job to NUTRADE by any means, electronically or physically, in order to become an employee within NUTRADE, or who have opened/submitted their CV and related information to NUTRADE for review personally or through a system,
Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Business Partner: Parties with which NUTRADE establishes business partnerships for purposes such as carrying out various projects together, receiving services, and increasing internal operational efficiency while carrying out its commercial activities.
Visitor: Real persons who enter the physical premises owned by NUTRADE for various purposes or visit our websites,
Company Official: NUTRADE – ÖZGÜR ŞAHİN,
Supplier: Real or legal persons who provide goods and/or services to NUTRADE, to whom NUTRADE gives orders and instructions, establishes a contractual relationship, while carrying out its commercial and operational activities,
Customer: Natural or legal persons who benefit from the products and services offered by NUTRADE.
Prospective Customers: Real or legal persons who have requested or will request to benefit from the products and services offered by our company or to purchase the relevant products and services, and who can be evaluated in accordance with the rules of commercial practice and honesty.
Destruction: Deletion, destruction or anonymization of personal data,
Law: Personal Data Protection Law No. 6698 dated 24/3/2016,
Recording Medium: Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Electronic Environments: The environment where personal data can be created, processed, stored and transmitted with devices with the relevant technological infrastructure,
Other Non-Electronic Media: All kinds of written, visual and other media other than electronic media,
Service Provider: Real or legal person who provides any service within the framework of the relevant contract with NUTRADE,
Personal Data: Any information regarding an identified or identifiable natural person,
Special Quality (Sensitive) Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic or non-automatic means provided that it is part of any data recording system,
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes, data category, transferred recipient group and data subject person group, and by detailing the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries and measures taken regarding data security,
Personal Data Storage and Destruction Policy (or simply "Destruction Policy"): The policy on which data controllers base their deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data are processed.
Board: Personal Data Protection Board
Institution: Personal Data Protection Authority,
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all of the processing conditions for personal data specified in the law are eliminated.
Registry (VERBİS): Data controllers registry information system maintained by the Personal Data Protection Authority,
Data Processor: The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
For the concepts not defined in this policy, the definitions in KVKK No. 6698 and the relevant secondary legislation are essential.
5. PURPOSES OF PROCESSING PERSONAL DATA
NUTRADE processes personal data by fulfilling the relevant information obligation within the scope of KVKK Article 10, in accordance with the Company's data processing purposes, with the principles stipulated in KVKK Article 4 and with at least one of the conditions stipulated in KVKK Articles 5 and 6, and limited to the relevant purposes.
NUTRADE's personal data processing purposes are in particular:
Conducting Emergency Management Processes
Execution of Information Security Processes
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Carrying out the application processes of employee candidates
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Conducting Activities in Compliance with Legislation
Carrying out Finance and Accounting Affairs
Ensuring Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Communication Activities
Planning Human Resources Processes
Execution/Audit of Business Activities
Carrying out Occupational Health / Safety Activities
Carrying out Business Continuity Ensuring Activities
Execution of Goods / Service Purchasing Processes
Execution of Goods/Service After-Sales Support Services
Execution of Goods / Service Sales Processes
Execution of Goods / Service Production and Operation Processes
Execution of Customer Relationship Management Processes
Organization and Event Management
Conducting Marketing Analysis Studies
Execution of Advertising / Campaign / Promotion Processes
Carrying out Storage and Archive Activities
Carrying out Social Responsibility and Civil Society Activities
Execution of Contract Processes
Carrying out Sponsorship Activities
Conducting Strategic Planning Activities
Tracking of Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Foreign Personnel Work and Residence Permit Procedures
Execution of Investment Processes
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities
Creation and Tracking of Visitor Records
6. PROCESSING OF PERSONAL DATA
6.1. Principles to be Applied in Processing Personal Data
NUTRADE acts in accordance with the Constitution, KVKK and other relevant legal legislation in the processing of personal data of data subjects. It is NUTRADE's priority to ensure that the principles set out in Article 4 of the KVKK regarding the processing of personal data are at the core of all personal data processing activities and that all personal data processing activities are carried out in accordance with these principles, and these principles taken into account in data processing processes are as follows.
6.1.1 Processing of Personal Data in Compliance with Law and Integrity Rules
The principle of compliance with the law and the rule of honesty, which is accepted as a prerequisite by NUTRADE in all data processing processes, indicates the obligation to act in accordance with the principles imposed by laws and other legal regulations in the processing of personal data. In accordance with this principle, while trying to achieve its goals in data processing, NUTRADE takes into account the interests and reasonable expectations of the relevant persons and acts to prevent the emergence of consequences that the relevant person does not expect and does not need to expect.
Within the scope of this principle, our Company aims to ensure that the data processing activity is transparent for the relevant person by informing the relevant person as necessary about how and for what purpose personal data will be processed.
6.1.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary
If NUTRADE processes the personal data of the relevant person in any way for the purposes explained within the scope of this policy, it also takes the necessary care to ensure that the personal data is accurate and up-to-date when necessary. Apart from this, communication channels are kept open and the necessary opportunity is provided for the relevant persons to apply to NUTRADE in order to ensure that their information is accurate and up-to-date. In this context, the application form to the data controller has been announced on the company website.
6.1.3. Processing Personal Data for Specific, Clear and Legitimate Purposes
NUTRADE is sensitive about compliance with the principle of specificity and openness in contracts, legal transactions and texts in which the purposes of personal data processing are explained (Website Information Text, Supplier Information Text, Customer Information Text, Employee and Employee Candidate Information Text, Application Form to the Data Controller, etc.). Care is taken to ensure that the data processing activity is clearly understandable by the relevant person. Personal data is processed within the framework of the purposes determined, announced, notified or agreed in the contract.
6.1.4. Processing Personal Data in a Limited and Proportionate manner in Connection with the Purpose for which they are Processed
In the data processing processes carried out by NUTRADE, care is taken to ensure that the data processed are suitable for the achievement of the determined purposes; processing of personal data that is not relevant or needed to achieve the purpose is avoided. Data is not processed to meet possible needs that may arise in the future.
6.1.5. Keeping Personal Data for the Period Envisaged in the Legislation or Necessary for the Purpose for which they are Processed
The Company retains personal data for the period stipulated in the legislation and the NUTRADE Storage and Disposal Policy, or as reported in VERBIS, or as required for the purpose for which they are processed. If the period specified in the legislation and/or Destruction Policy expires or the purpose is achieved, personal data is deleted, destroyed or anonymized ex officio or upon the request of the person concerned. Regarding the destruction of personal data, a "Personal Data Storage and Destruction Policy" has been prepared and announced on the Company website.
6.2. Processing of General Personal Data
In accordance with Article 20 of the Constitution and Article 5.1 of the KVKK, personal data cannot be processed without the explicit consent of the relevant person. In line with these legal regulations, our company always takes care to obtain the explicit consent of the relevant persons in the processing of personal data.
However, in accordance with Article 5.2 of the KVKK, the company can also process personal data without seeking the explicit consent of the relevant person, if the following conditions are met.
a) It is clearly prescribed by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Your personal data may be processed by NUTRADE if one or more of the following conditions are met.
6.2.1. Having Explicit Consent of the Personal Data Owner
It is NUTRADE's priority to obtain explicit consent in the processing of personal data. For this reason, the necessary methods and systems have been developed to obtain the explicit consent of the relevant persons whose personal data we process, physically and/or electronically.
Before obtaining the consent of the relevant persons for the processing of their personal data, the obligation to inform them is fulfilled in line with Article 10 of the KVKK, and it is ensured that their explicit consent, based on information and free will, is obtained regarding a certain subject.
NUTRADE, which attaches particular importance to the fact that the explicit consents received from employees are based on free will, emphasizes that its employees can refrain from giving explicit consent, ensures that the data of its employees who do not give explicit consent for the processing of certain data is not processed, and does not subject the employees who do not give explicit consent to any discrimination.
6.2.2 Explicitly Provided in Laws
The processing of personal data is lawful if it is clearly provided for by law, in which case it is not separately evaluated whether the data subject has given explicit consent. In accordance with Article 75 of the Labor Law No. 4857 on Employee Personnel Files, the collection of employee data is considered within this scope. Personal data may be processed by NUTRADE without the explicit consent of the relevant person in cases stipulated in the laws, including in particular the Consumer Protection Law no. 6502, the Personal Data Protection Law no. 6698, the Turkish Code of Obligations no. 6098, the Turkish Commercial Code no. 6102, the Law no. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through These Publications, the Occupational Health and Safety Law no. 6361, the Security Law, the Social Insurance and General Health Insurance Law No. 5510, the Right to Information Law No. 4982, the Law No. 3071 on the Exercise of the Right to Petition, and the secondary legislation related to these laws.
6.2.3. Failure to Obtain Explicit Consent Due to Actual Impossibility
In cases where consent cannot be expressed or is not valid, it is envisaged that data will be processed to protect the life or physical integrity of individuals. For example, if a worker working in a heavy duty group in the factory has a work accident and his blood type is shared with the relevant health personnel, the person will not be expected to give explicit consent. In these and similar cases, NUTRADE may process personal data without seeking explicit consent, especially by taking into account the legitimate interests of the data subject.
6.2.4. Directly Related to the Establishment or Performance of the Contract
If it is directly related to the establishment or performance of a contract, it is possible to process personal data of the parties to the contract without explicit consent. For example, in accordance with a contract, the account number of the creditor party may be obtained for payment of the fee. Therefore, in such cases, NUTRADE may process personal data without obtaining the explicit consent of the data owner.
6.2.5. It is mandatory for the company to fulfill its legal responsibilities.
If it is mandatory for the company to fulfill its legal obligations, it is possible to process personal data without explicit consent. For example, even if there is no explicit consent, information requested by court order can be submitted to the court. In such a case, NUTRADE may process people's data without seeking explicit consent.
6.2.6. Data Made Public by the Relevant Person Himself
Personal data disclosed to the public by the relevant person may be processed without explicit consent in connection with the purpose of publicization. For example, the information of a person who shares his CV on his account on websites established for the purpose of providing employment is considered as publicized data. In these and similar cases, it may be possible for NUTRADE to process personal data without the need for explicit consent.
6.2.7. Being Necessary for the Establishment, Use or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, personal data may be processed without explicit consent. This includes using some data for proof in a lawsuit filed by a company employee.
6.2.8. Necessary for the Company's Legitimate Interests
Personal data may be processed without explicit consent if data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. This includes processing the personal data of employees for their promotions, salary increases or regulation of their social rights, provided that it does not harm the fundamental rights and freedoms of the employees. For example, since NUTRADE provides orientation and professional development training to its employees and invests in this context, male candidates are asked whether they have completed their military service.
6.3. Processing of Special Personal Data
In KVKK, special importance has been given to some personal data, considering that they have the potential for discrimination and that they may cause grievance to individuals when processed unlawfully, and these data are called "personal data of special nature". (For definition, see: 4.DEFINITIONS)
The company is also sensitive in the processing of such "special categories of personal data", to which KVKK attaches special importance. Employees involved in the processing of special personal data are given training on special personal data security under the Law and related regulations, they are made to sign confidentiality agreements, their access to data is restricted, and the authorizations of employees who change their duties or leave their jobs in these areas are immediately removed.
If special personal data is to be transferred via e-mail, it is transferred only to the relevant party via an encrypted corporate e-mail account or KEP account. Security tests are carried out when deemed necessary. Adequate security measures are taken in the physical environments where sensitive personal data are stored, and unauthorized entries and exits to these environments are prevented. Precautions have been taken against risks such as fire and flood that may occur in these physical environments. It should also be noted that the roles and responsibilities regarding the processing and preservation of special personal data have been distributed, and the persons in question have been warned about the sensitivity of the data and have been instructed to take the necessary precautions.
VPN is used in cases where transfer occurs between servers in different physical environments. If data must be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the format of "confidential documents".
Explicit consent of the relevant persons is the priority of NUTRADE for the processing of the data in question. Special categories of personal data may be processed by NUTRADE in the absence of explicit consent of the data subject, but only in the following exceptional cases specified in the KVKK.
6.4. Personal Data Processed by NUTRADE
Private and general personal data are processed by NUTRADE within the scope of the principles and purposes listed above. These data are listed as examples in ANNEX-1, which data will be processed for each data; It can be processed within the framework of the relationship established between NUTRADE and the relevant person and in line with the principles contained in this Policy:
6.5. Transfer of Personal Data
6.5.1. Transfer of Personal Data Domestically
Obtaining explicit consent for sharing personal data is NUTRADE's priority. For this reason, the necessary methods have been developed to obtain the explicit consent of the relevant persons, whose personal data we share with third parties, physically and/or electronically.
6.5.1.1. Domestic Transfer of General Personal Data
NUTRADE may transfer the personal data of the relevant persons to third parties in accordance with the principles adopted in the processing of personal data. When transferring personal data to third parties, attention is paid to obtaining the consent of the relevant person, and in case of one or more of the following situations, personal data may be transferred without explicit consent;
It is clearly prescribed by law.
It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
6.5.1.2. Domestic Transfer of Special Personal Data
Our company can transfer the special personal data of the relevant persons to third parties in accordance with the principles adopted in the processing of personal data.
When transferring sensitive personal data to third parties, attention is paid to obtaining the consent of the relevant person, and special personal data are transferred domestically by taking adequate technical and administrative measures. However, in the case of the following situations, adequate technical and administrative measures are taken and sensitive personal data can be processed without the express consent of the relevant person;
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data, in cases stipulated by law,
Personal data regarding health and sexual life can only be transferred by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing.
6.5.2. Transfer of Personal Data Abroad
When transferring personal data abroad, care is taken to obtain the explicit consent of the relevant person. For this reason, the necessary methods have been developed to obtain the explicit consent of the relevant persons physically and electronically.
Our company can transfer the personal data of relevant persons abroad in accordance with the law and the rules of honesty and by adhering to the data processing purposes.
When transferring personal data abroad, we comply with Article 9 of the KVKK and the principles and criteria specified in the Board's decision numbered 2019/125.
6.5.2.1. Transfer of General Personal Data Abroad
NUTRADE may transfer the personal data of the relevant persons (identity, communication, legal transaction, customer transaction, finance, professional experience, third party or representative information claiming rights, etc.) to third parties in accordance with the principles adopted in the processing of personal data. When transferring personal data to third parties abroad, attention is paid to obtaining the consent of the relevant person.
If there is no explicit consent of the data owner, it is possible to transfer personal data abroad in case of one of the following conditions, provided that there is adequate protection in the country to which the data will be transferred or that the data controller to whom the personal data will be transferred undertakes adequate protection in writing and has the permission of the Board, by applying the principles adopted by the Board in its decision numbered 2019/125:
It is clearly prescribed by law.
It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Since its shareholders operate abroad, NUTRADE can share personal data with its shareholders to the extent necessary for legitimate purposes by fulfilling the legal obligations mentioned above.
6.5.2.2 Transfer of Special Personal Data Abroad
Although NUTRADE does not currently transfer any special personal data abroad, if it does in the future, it will do so in accordance with the principles below.
Provided that there is adequate protection in the country to which the data will be transferred, or that the data controller to whom the personal data will be transferred makes a written commitment to provide sufficient protection and has the permission of the Board, and in accordance with the principles adopted by the Board in its decision numbered 2019/125, special personal data may be transferred abroad without the explicit consent of the relevant person in one of the following cases:
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data may be transferred in cases stipulated by law.
Personal data regarding health and sexual life may be transferred abroad only by persons under the obligation of confidentiality or authorized institutions and organizations, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
7. DATA CONCERNING THE INTERNET ACCESS PROVIDED
At NUTRADE, staff and guests are provided with internet access. The name, surname and phone number of staff and guests who want to use internet access, together with the websites they access and the time information, are stored as a legal obligation in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications and the Regulation on Internet Collective Use Providers issued based on this Law.
Stored records may be shared with legally authorized institutions and organizations, upon request, to fulfill legal obligations.
8. PERSONAL DATA OF WEBSITE VISITORS
Relevant clarification texts and policies within the scope of Article 10 of the KVKK regarding how and for what purpose personal data are obtained have been published on the company's website www.nutrade.com.tr and visitors have been informed about this.
In addition, the website information text directs the relevant person to information texts and Company policies that provide more detailed information according to his/her relationship with the Company, in order to ensure that the relevant person has access to the most reliable information in the simplest way regarding the steps of processing his/her personal data by the Company.
9. SECURITY OF PERSONAL DATA
NUTRADE takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the preservation of personal data.
In this context, first of all, studies were carried out to determine the personal data processed by NUTRADE and workshops were held; the risks that may arise regarding the protection of these data were determined, taking into account whether the personal data processed were special categories of personal data, and the necessary technical and administrative measures to reduce or eliminate these risks were taken and put into practice.
Internal policies and procedures have been adopted to regulate the processing, preservation, storage, destruction and other processes of personal data in accordance with the law, legislation and relevant security measures.
In order to ensure personal data security, to prevent unlawful disclosure and sharing of personal data, and to raise awareness about KVKK, regular training is provided to employees and managers.
In addition, employees who are involved in personal data processing processes are asked to sign confidentiality agreements and commitments as part of their business processes, and they are reminded that the necessary disciplinary process will be applied if it is determined that employees have acted contrary to security policies and procedures.
The contracts made between NUTRADE and data processors, employees, customers, suppliers, business partners, etc. were examined, revisions were made within the scope of KVKK and other legislation, and additional protocols were prepared.
Access to personal data included in the data processing processes of the company has been limited on a personnel basis, and a limited number of personnel have been granted access to personal data related to the business processes they carry out. Data processing activities carried out by personnel are recorded. The authorizations of personnel who change their duties or leave their jobs are immediately removed.
In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and control the processes related to the processing of personal data. Network security and data flow security studies have been carried out, and existing software has been updated to prevent data loss. Internal audits have been carried out to prevent unlawful processing of personal data and unlawful access to personal data.
System security gaps are monitored, patches are installed and information systems are kept up to date to ensure the appropriate security level.
Our website is protected by the https security protocol.
Following the studies on personal data held by NUTRADE, the personal data identified was analyzed and examined within the scope of the legislation. In this context, unnecessary data was deleted and the principle of reducing data as much as possible was adopted.
In order to prevent unlawful access to personal data and to ensure that personal data is stored in secure environments, technical methods with appropriate security levels are used and these methods are updated in accordance with developing technology.
In case of an internal or external attack on the company's data recording system, a system has been established to detect this situation early and intervene early. Which software and services are running in the IT networks and whether there is any infiltration or any movement that should not occur in the IT networks is regularly checked. Transactions of all users are kept regularly.
In case personal data is unlawfully acquired by others, NUTRADE has established a suitable system and infrastructure in order to notify the relevant person and the Board, and a procedure has been adopted by NUTRADE.
In order to ensure the security of information and IT systems against environmental risks, many precautions are taken, such as ensuring that only authorized personnel enter the system room, keeping the keys of locked data storage units with certain persons, ensuring the physical security of the edge switches that make up the local area network, a fire extinguishing system, a cooling system for the correct operation of the server, security walls, attack prevention systems, network access control, anti-virus systems, etc.
10. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
In accordance with Article 7 of the KVKK, NUTRADE deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject, if the reasons requiring processing are eliminated or the period stipulated in the legislation expires, even though it has been processed in accordance with the legal legislation.
Personal data stored in physical environments and digital data recording systems are deleted, destroyed or anonymized, ex officio or upon the request of the person concerned, if the purpose of data processing is achieved or the period stipulated in the legislation expires.
Anonymised personal data can be used for purposes such as research, statistics and planning, can be stored indefinitely and can be transferred domestically and internationally.
Regarding the destruction of personal data, a "Personal Data Storage and Destruction Policy" has been prepared and announced on the website www.nutrade.com.tr. Please review for detailed information.
11. PERSONAL DATA OWNER'S RIGHTS AND APPLICATION TO THE COMPANY
Our company informs the relevant persons whose personal data we process about their rights and how they can exercise their rights within the scope of Article 10 of the KVKK.
11.1. Rights of Personal Data Owner
Within the scope of Article 11 of the Personal Data Protection Law, the relevant person who is the owner of personal data has the right to:
Learn whether personal data is being processed or not,
Request information if personal data has been processed,
Learn the purpose of processing personal data and whether they are used for their intended purpose,
Know the third parties to whom personal data is transferred at home or abroad,
Request that personal data be corrected if personal data has been processed incompletely or incorrectly, and that the correction be notified to third parties to whom personal data has been transferred,
Request the deletion or destruction of their personal data within the framework of the conditions stipulated in Article 7 of the Law, excluding legal limits, and request that the deletion and destruction be notified to third parties to whom personal data has been transferred,
Object to the emergence of an unfavorable result by analyzing the processed data exclusively through automatic systems,
Request compensation for the damage if they suffer damage due to unlawful processing of their personal data.
11.2. Exercise of Personal Data Owner's Rights
The relevant person must forward his requests within the scope of his rights specified in Article 11 of the Law to the Company in writing with a wet signature, or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the e-mail address previously notified to our Company by the relevant person and registered in our Company's system. For applications to be made in writing, the address is the address above.
The minimum information that must be included in the application of the relevant person is as follows:
Name, surname and signature if the application is written,
TR ID number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners,
Residence or workplace address subject to notification,
E-mail address, telephone and fax number for notification, if any,
Subject of the request.
Additionally, relevant information and documents should be added to the application. An Application Form has been prepared and announced on the website for applicants to use during their applications.
In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person making the application.
11.3. Exceptions to the Personal Data Owner's Right of Application
Pursuant to Article 28 of the Law, since the following situations are excluded from the scope of the Law, Data Owners cannot assert their rights in these cases:
Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.
In accordance with Article 28/2 of the Law, NUTRADE's disclosure obligation is not applied in the following cases:
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the data subject.
Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
11.4. Answering the Applications of the Personal Data Owner
NUTRADE takes all necessary administrative and technical measures to finalize the applications made by the relevant person within the scope of Article 11 of the KVKK effectively, in accordance with the law and the rule of honesty.
If the applications are submitted to NUTRADE in accordance with the procedures and principles stated above, NUTRADE will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. If the answer is more than ten pages, a processing fee of 1 Turkish Lira may be charged for each page over ten pages. If the answer to the application is given on a recording medium such as CD or flash memory, the cost of the data recording medium may be requested.
NUTRADE may request additional information if it deems it necessary to determine whether the applicant is the owner of personal data and to evaluate the requests, and may ask questions to the personal data owner regarding his application in order to clarify the issues stated in the application.
12. RESPONSIBILITIES AND DUTIES DISTRIBUTION
All units and employees of NUTRADE actively support the responsible units in the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, in the training and awareness raising of unit employees, in monitoring and continuous supervision, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure that personal data is stored in accordance with the law. The distribution of the titles, units and job descriptions of those involved in the processing of personal data is given in ANNEX-4. The persons in this table include the members of the NUTRADE Personal Data Protection Commission.
DATA STORAGE AND DESTRUCTION POLICY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
NUTRADE ÖZGÜR ŞAHİN
15/08/2022
1. INTRODUCTION
2. PURPOSE OF THE POLICY
3. SCOPE OF THE POLICY
4. DEFINITIONS
5. RECORDING MEDIA
6. REASONS THAT REQUIRE THE STORAGE AND DESTRUCTION OF PERSONAL DATA
7. SECURITY OF PERSONAL DATA
8. DESTRUCTION OF PERSONAL DATA
8.1. Reasons Requiring Destruction of Personal Data
8.2 Deletion of Personal Data
8.3 Destruction of Personal Data
8.4 Anonymization of Personal Data
8.5 Responsible Personnel Involved in Personal Data Storage and Destruction Processes
8.6. Personal Data Categories
8.7. Personal Data Category and Person Group Matching
8.8. Storage and Destruction Periods
8.10 Periodic Destruction Periods
1. INTRODUCTION
1.1. Protection of personal data is of great importance for NUTRADE ÖZGÜR ŞAHİN (“NUTRADE”). NUTRADE attaches importance to the protection of the personal data of our company partners, employees, prospective employees, customers, prospective customers, company officials, various business partners including the suppliers and healthcare professionals we work with, employees of our service providers, officials, visitors and third parties.
1.2. The "Personal Data Protection and Processing Policy", which sets out the principles adopted by NUTRADE regarding the processing and protection of personal data, is made available to relevant persons on our website.
2. PURPOSE OF THE POLICY
2.1. The Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and/or transactions regarding the storage, deletion, destruction and anonymization of personal data carried out by NUTRADE.
2.2. Work and/or transactions regarding the storage, deletion, destruction and anonymization of personal data are carried out in accordance with the Policy prepared accordingly by NUTRADE.
3. SCOPE OF THE POLICY
3.1. This Policy covers all kinds of personal data processed by wholly or partially automatic means, or by non-automatic means provided that it is part of any data recording system.
3.2. This Policy applies to the relevant recording environments owned or managed by NUTRADE, where personal data are processed, and to the business, transactions and activities related to personal data.
4. DEFINITIONS
In this Policy,
Explicit Consent: Consent regarding a specific subject, based on being informed and expressed with free will,
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller,
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
Relevant Person: The real person whose personal data is processed,
Employee: NUTRADE personnel,
Employee Candidate: Real persons who have applied for a job to NUTRADE by any means, electronically or physically, in order to become an employee within NUTRADE, or who have opened/submitted their CV and related information to NUTRADE for review personally or through a system,
Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Visitor: Real persons who enter the physical premises owned by NUTRADE for various purposes or visit our websites,
Business Partner: Parties with which NUTRADE establishes a business partnership for purposes such as carrying out various projects together and receiving services while carrying out its commercial activities,
Company Official: NUTRADE board member and other authorized persons,
Company Partners: NUTRADE partner real persons,
Customer: Real or legal persons who benefit from the products and services offered by NUTRADE,
Prospective Customers: Real or legal persons who have requested or will request to benefit from the products and services offered by our company or to purchase the relevant products and services, and who can be evaluated in accordance with the rules of commercial practice and honesty,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Personal Data Protection Law No. 6698 dated 24/3/2016,
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017,
Recording Medium: Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Electronic Environments: The environment where personal data can be created, processed, stored and transmitted with devices with the relevant technological infrastructure,
Other Non-Electronic Media: All kinds of written, visual and other media other than electronic media,
Service Provider: Real or legal person who provides any service within the framework of the relevant contract with NUTRADE,
Personal Data: Any information regarding an identified or identifiable natural person,
Special Quality (Sensitive) Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes, data category, transferred recipient group and data subject person group, and by detailing the maximum period required for the purposes for which personal data is processed, personal data intended to be transferred to foreign countries and measures taken regarding data security,
Personal data storage and destruction policy: The policy on which data controllers base their deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data are processed.
Board: Personal Data Protection Board
Institution: Personal Data Protection Authority,
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all of the processing conditions for personal data specified in the law are eliminated.
Registry (VERBİS): Data controllers registry information system maintained by the Personal Data Protection Authority,
Data Processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
For definitions not included in this Policy, the definitions in Law No. 6698 and relevant legislation apply.
5. RECORDING MEDIA
The recording environments where personal data is kept by NUTRADE are: servers, software, information security devices (firewall, antivirus, periodic log files, etc.) used on behalf of/by NUTRADE, personal computers, mobile devices (smart tablets, smartphones), electronic programs used, communication infrastructures, MSSQL Systems, Back Up software, transfer programs and servers, VPN server data, shared/non-shared disk drives used for data storage on the network, other carriers with data storage features such as CD, DVD, USB, external disk and memory card, printers and scanners, paper, unit cabinets and archives.
In addition to the recording media listed, NUTRADE will include other recording media it may use in the Destruction Policy without delay.
6. REASONS THAT REQUIRE THE STORAGE AND DESTRUCTION OF PERSONAL DATA
NUTRADE processes personal data for the following purposes:
Conducting Emergency Management Processes
Execution of Information Security Processes
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Carrying out the application processes of employee candidates
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Conducting Activities in Compliance with Legislation
Carrying out Finance and Accounting Affairs
Execution of Commitment Processes for Company / Product / Services
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Communication Activities
Planning Human Resources Processes
Execution/Audit of Business Activities
Carrying out Occupational Health / Safety Activities
Receiving and Evaluating Suggestions for Improving Business Processes
Carrying out Business Continuity Ensuring Activities
Execution of Goods / Service Purchasing Processes
Execution of Goods/Service After-Sales Support Services
Execution of Goods / Service Sales Processes
Execution of Customer Relationship Management Processes
Carrying out Activities for Customer Satisfaction
Organization and Event Management
Conducting Performance Evaluation Processes
Execution of Advertising / Campaign / Promotion Processes
Conducting Risk Management Processes
Carrying out Storage and Archive Activities
Carrying out Social Responsibility and Civil Society Activities
Execution of Contract Processes
Carrying out Sponsorship Activities
Tracking of Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Your personal data may be processed if one or more of the conditions listed above are met. To get detailed information about the processing of personal data, you can review the Personal Data Processing and Privacy Policies on our website.
A. Legal Reasons Requiring Storage
Relevant personal data is retained by NUTRADE for the period stipulated in the relevant legislation. In this context, personal data is stored in accordance with the retention periods stipulated within the scope of the following laws and the secondary legislation related to these laws:
Personal Data Protection Law No. 6698,
Turkish Code of Obligations No. 6098,
Turkish Commercial Code No. 6102,
Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,
Occupational Health and Safety Law No. 6361,
Social Insurance and General Health Insurance Law No. 5510,
Right to Information Law No. 4982,
Labor Law No. 4857,
Law No. 3071 on the Exercise of the Right to Petition.
The personal data of the relevant persons processed by NUTRADE is destroyed during the first periodic destruction to be carried out in the following cases: if the reasons for processing personal data listed above are eliminated; if the legislation forming the basis for processing is changed or abolished; upon the application made by the relevant person regarding the deletion, destruction or anonymization of personal data in accordance with Article 11 of KVKK No. 6698; or, in the event that NUTRADE rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his personal data, the relevant person finds the answer given insufficient, or NUTRADE does not respond within the period stipulated in KVKK No. 6698, if the relevant person files a complaint with the Board and this request is deemed appropriate by the Board. All transactions regarding the deletion, destruction and anonymization of personal data are recorded in minutes, and such records are kept for at least three years from the date of destruction.
7. SECURITY OF PERSONAL DATA
NUTRADE takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the preservation of personal data.
In this context, first of all, studies were carried out to determine the personal data processed by NUTRADE and workshops were held; the risks that may arise regarding the protection of these data were determined, taking into account whether the personal data processed were special categories of personal data, and the necessary technical and administrative measures to reduce or eliminate these risks were taken and put into practice.
Internal policies and procedures have been adopted to regulate the processing, preservation, storage, destruction and other processes of personal data in accordance with the law, legislation and relevant security measures.
In order to ensure personal data security, to prevent unlawful disclosure and sharing of personal data, and to raise awareness about KVKK, regular training is provided to employees and managers.
In addition, employees who are involved in personal data processing processes are asked to sign confidentiality agreements and commitments as a part of their business processes, and they are reminded that the necessary disciplinary process will be applied if employees are detected to have acted contrary to security policies and procedures.
The contracts made between NUTRADE and its employees, suppliers, business partners, etc., and between data processors and NUTRADE, were examined, and in this context revision studies were carried out, especially within the scope of KVKK and other legislation, and additional protocols were prepared.
Access to personal data included in the data processing processes of the company has been limited on a personnel basis, and a limited number of personnel have been granted access to personal data related to the business processes they carry out. Data processing activities carried out by personnel are recorded.
In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and control the processes related to the processing of personal data. Network security and data flow security studies have been carried out, and existing software will be updated to prevent data loss. Regular internal audits will be carried out to prevent unlawful processing of personal data and unlawful access to personal data.
Penetration tests are carried out at specified intervals and in line with the instructions of the board member responsible for information technologies.
System security gaps are monitored, patches are installed and information systems are kept up to date to ensure the appropriate security level.
Our website is protected by the https security protocol.
Following the studies on personal data held by NUTRADE, the identified personal data were analyzed and examined within the scope of the legislation. In this context, unnecessary data was deleted and the principle of reducing data as much as possible was adopted.
In order to prevent unlawful access to personal data and to ensure that personal data is stored in secure environments, technical methods with appropriate security levels are used and these methods are updated in accordance with developing technology.
In case of an internal or external attack on the company's data recording system, a system has been established to detect this situation early and intervene early. Which software and services are running in the IT networks and whether there is any infiltration or any movement that should not occur in the IT networks is regularly checked. Transactions of all users are kept regularly.
In case personal data is unlawfully acquired by others, NUTRADE has established a suitable system and infrastructure in order to notify the relevant person and the Board, and a procedure has been adopted by NUTRADE.
If special personal data is to be transferred via e-mail, it is transferred through an encrypted corporate e-mail account or KEP account. If transfer is made between servers in different physical environments, data is transferred between the servers using the VPN method. If data transfer takes place physically, necessary precautions are taken against risks such as theft, damage, loss or seizure of the document by unauthorized persons, and the document is sent in closed files and in a "confidential" format so that it cannot be read from the outside.
To protect information and IT systems against environmental risks, many precautions are taken, such as ensuring that only authorized personnel enter the system room, keeping the keys of locked data storage units with certain persons, ensuring the physical security of the edge switches that make up the local area network, and providing a fire extinguishing system, a cooling system for the correct operation of the server, firewalls, attack prevention systems, network access control and antivirus systems.
8. DESTRUCTION OF PERSONAL DATA
8.1. Reasons Requiring Destruction of Personal Data
In accordance with Article 7 of KVKK No. 6698, the Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject if the reasons requiring processing are eliminated or the period stipulated in the legislation expires, even though the data has been processed in accordance with the law.
In the destruction of personal data, the Company chooses the appropriate method of deletion, destruction or anonymization and takes all necessary technical and administrative measures to delete, destroy and anonymize personal data in accordance with the law.
8.2 Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. The Company takes all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
In the process of deleting personal data, the personal data that will be subject to deletion is determined, the relevant users who have access to the personal data in question and their authority over the personal data are determined, and the access, recovery and reuse authorizations of the relevant users within the scope of the personal data in question are removed. Personal data on paper is deleted using the blackout method. Blackout is the process of making the personal data on the relevant document invisible to the relevant users by using fixed ink or cutting it in a way that is irreversible and unreadable with technological solutions.
In databases containing personal data, the relevant rows containing personal data are deleted with database commands (Delete etc.). Personal data held as files in the file system is deleted either with the delete command of the operating system or by removing the relevant user's access rights to the file or to the directory where the file is located.
8.3 Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone. The company takes all necessary technical and administrative measures regarding the destruction of personal data.
To destroy personal data, all copies of the data are identified and, depending on the type of system where the data is located, the appropriate method is used: de-magnetization for magnetic media; melting, burning or pulverizing optical media and magnetic media, or passing them through a metal grinder; and, for personal data on paper media, the appropriate one of the paper screening methods.
8.4 Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
The purpose of anonymization is to break the connection between the data and the person to whom this data is defined. Methods such as automatic or non-automatic grouping, masking, derivation, generalization, and randomization applied to the records in the data recording system where personal data are kept are some of the anonymization methods.
Responsible for implementing the Personal Data Storage and Destruction Policy
Title: Responsible for the Protection of Personal Data
Duty: Responsible for compliance with the Personal Data Protection Law and the Personal Data Processing, Storage and Destruction Policy
Responsibility: Ensuring and supervising compliance with the Personal Data Protection Law, secondary legislation and Board decisions throughout NUTRADE; managing personal data destruction processes in accordance with periodic destruction periods by ensuring compliance with the Personal Data Storage and Destruction Policy.

Title: Marketing Officer
Duty: Responsible for implementing the Personal Data Storage and Destruction Policy.
Responsibility: Regarding the processes within his/her duty, ensuring compliance with the Personal Data Storage and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction periods.

Title: Human Resources Officer
Duty: Responsible for implementing the Personal Data Storage and Destruction Policy.
Responsibility: Regarding the processes within his/her duty, ensuring compliance with the Personal Data Storage and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction periods.
8.6. Personal Data Categories
You can access up-to-date information on Personal Data Category and Person Group Matching at www.verbis.kvkk.gov.tr.
8.10 Periodic Destruction Periods
In accordance with Article 7 of KVKK No. 6698, personal data is periodically destroyed if the reasons requiring processing disappear or the period stipulated in the legislation expires, even though the data has been processed in accordance with the law. Our company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out for all personal data at 6-month intervals, twice a year.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for three years, excluding other legal obligations.
1. INTRODUCTION
Protection of personal data is among the most important priorities of NUTRADE/ÖZGÜR ŞAHİN (hereinafter referred to as “NUTRADE” or “Company”). Great care is taken to protect the personal data of our Company partners, employees, employee candidates, visitors, suppliers, supplier employees-authorities, customers, customer employees-authorities, potential customers, business partners-authorities-employees, referenced persons, family members and relatives of our employees, third parties who claim rights and the attorneys or legal representatives representing them, public employees/employers, consultants, insurance companies, bank officials, experts and relevant third parties.
As stipulated in Article 20 of the Turkish Constitution, everyone has the right to request the protection of personal data concerning him/her.
Protecting and developing the constitutional right to "Protection of Personal Data" of our Company partners, employees, employee candidates, visitors, suppliers, supplier employees-officials, customers, customer employees-officials, potential customers, business partners-officials-employees, referenced persons, family members and relatives of our employees, third parties claiming rights and the attorneys or legal representatives representing them, public employees/employers, consultants, insurance companies, bank officials, experts and relevant third parties, whose personal data we process in line with NUTRADE activities or requirements, has been adopted as an institutional policy.
2. PURPOSE OF THE POLICY
This Policy has been prepared to ensure that all activities within the Company regarding the processing and protection of personal data are carried out in compliance with the Personal Data Protection Law No. 6698 (hereinafter referred to as "KVKK"), the decisions of the Personal Data Protection Board (hereinafter referred to as the "Board") and the secondary legislation in force on this matter.
In addition, it is aimed to inform the relevant persons whose personal data are processed in the most transparent and accurate way about the activities carried out by NUTRADE, the measures taken and the Company principles for the purpose of processing personal data and ensuring personal data security.
3. SCOPE OF THE POLICY
This Policy covers all kinds of operations performed on the personal data of relevant persons, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use, by fully or partially automatic or non-automatic means provided that it is part of any data recording system, as well as the administrative and technical measures taken for the security of personal data.
4. DEFINITIONS
In this policy,
Explicit Consent: Consent regarding a specific subject, based on being informed and expressed with free will,
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller,
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
Relevant Person: The real person whose personal data is processed,
Employee: NUTRADE personnel,
Employee Candidate: Real persons who have applied for a job to NUTRADE by any means, electronically or physically, in order to become an employee within NUTRADE, or who have opened/submitted their CV and related information to NUTRADE for review personally or through a system,
Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Business Partner: Parties with which NUTRADE establishes business partnerships for purposes such as carrying out various projects together, receiving services, and increasing internal operational efficiency while carrying out its commercial activities.
Visitor: Real persons who enter the physical premises owned by NUTRADE for various purposes or visit our websites,
Company Official: NUTRADE – ÖZGÜR ŞAHİN,
Supplier: Real or legal persons who provide goods and/or services to NUTRADE, to whom NUTRADE gives orders and instructions, establishes a contractual relationship, while carrying out its commercial and operational activities,
Customer: Natural or legal persons who benefit from the products and services offered by NUTRADE.
Prospective Customers: Real or legal persons who have requested or will request to benefit from the products and services offered by our company or to purchase the relevant products and services, and who can be evaluated in accordance with the rules of commercial practice and honesty.
Destruction: Deletion, destruction or anonymization of personal data,
Law: Personal Data Protection Law No. 6698 dated 24/3/2016,
Recording Medium: Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Electronic Environments: The environment where personal data can be created, processed, stored and transmitted with devices with the relevant technological infrastructure,
Other Non-Electronic Media: All kinds of written, visual and other media other than electronic media,
Service Provider: Real or legal person who provides any service within the framework of the relevant contract with NUTRADE,
Personal Data: Any information regarding an identified or identifiable natural person,
Special Quality (Sensitive) Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data,
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic or non-automatic means provided that it is part of any data recording system,
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes, data category, transferred recipient group and data subject person group, and in which they detail the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries and measures taken regarding data security,
Personal Data Storage and Destruction Policy (or simply "Destruction Policy"): The policy on which data controllers base their deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data are processed.
Board: Personal Data Protection Board
Institution: Personal Data Protection Authority,
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all of the processing conditions for personal data specified in the law are eliminated.
Registry (VERBİS): Data controllers registry information system maintained by the Personal Data Protection Authority,
Data Processor: The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
For concepts not defined in this policy, the definitions in KVKK No. 6698 and the relevant secondary legislation apply.
5. PURPOSES OF PROCESSING PERSONAL DATA
NUTRADE processes personal data by fulfilling the relevant information obligation within the scope of KVKK Article 10, in accordance with the Company's data processing purposes, the principles stipulated in KVKK Article 4 and at least one of the conditions stipulated in KVKK Articles 5 and 6, and limited to the relevant purposes.
NUTRADE's personal data processing purposes are in particular:
Conducting Emergency Management Processes
Execution of Information Security Processes
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Carrying out the application processes of employee candidates
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Conducting Activities in Compliance with Legislation
Carrying out Finance and Accounting Affairs
Ensuring Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Communication Activities
Planning Human Resources Processes
Execution/Audit of Business Activities
Carrying out Occupational Health / Safety Activities
Carrying out Business Continuity Ensuring Activities
Execution of Goods / Service Purchasing Processes
Execution of Goods/Service After-Sales Support Services
Execution of Goods / Service Sales Processes
Execution of Goods / Service Production and Operation Processes
Execution of Customer Relationship Management Processes
Organization and Event Management
Conducting Marketing Analysis Studies
Execution of Advertising / Campaign / Promotion Processes
Carrying out Storage and Archive Activities
Carrying out Social Responsibility and Civil Society Activities
Execution of Contract Processes
Carrying out Sponsorship Activities
Conducting Strategic Planning Activities
Tracking of Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Foreign Personnel Work and Residence Permit Procedures
Execution of Investment Processes
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities
Creation and Tracking of Visitor Records
6. PROCESSING OF PERSONAL DATA
6.1. Principles to be Applied in Processing Personal Data
NUTRADE acts in accordance with the Constitution, KVKK and other relevant legal legislation in the processing of personal data of data subjects. It is NUTRADE's priority to ensure that the principles set out in Article 4 of the KVKK regarding the processing of personal data are at the core of all personal data processing activities and that all personal data processing activities are carried out in accordance with these principles, and these principles taken into account in data processing processes are as follows.
6.1.1 Processing of Personal Data in Compliance with Law and Integrity Rules
The principle of compliance with the law and the rule of honesty, which is accepted as a prerequisite by NUTRADE in all data processing processes, indicates the obligation to act in accordance with the principles imposed by laws and other legal regulations in the processing of personal data. In accordance with this principle, while trying to achieve its goals in data processing, NUTRADE takes into account the interests and reasonable expectations of the relevant persons and acts to prevent the emergence of consequences that the relevant person does not expect and does not need to expect.
Within the scope of this principle, our Company aims to ensure that the data processing activity is transparent for the relevant person by informing the relevant person as necessary about how and for what purpose personal data will be processed.
6.1.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary
If NUTRADE processes the personal data of the relevant person in any way for the purposes explained within the scope of this policy, it also takes the necessary care to ensure that the personal data is accurate and up-to-date when necessary. Apart from this, communication channels are kept open and the necessary opportunity is provided for the relevant persons to apply to NUTRADE in order to ensure that their information is accurate and up-to-date. In this context, the application form to the data controller has been announced on the company website.
6.1.3. Processing Personal Data for Specific, Clear and Legitimate Purposes
NUTRADE is sensitive about compliance with the principle of specificity and openness in contracts, legal transactions and texts in which the purposes of personal data processing are explained (Website Information Text, Supplier Information Text, Customer Information Text, Employee and Employee Candidate Information Text, Application Form to the Data Controller, etc.). Care is taken to ensure that the data processing activity is clearly understandable by the relevant person. Personal data is processed within the framework of the purposes determined, announced, notified or agreed in the contract.
6.1.4. Processing Personal Data in a Limited and Proportionate Manner in Connection with the Purpose for which they are Processed
In the data processing processes carried out by NUTRADE, care is taken to ensure that the data processed are suitable for the achievement of the determined purposes; processing of personal data that is not relevant or needed to achieve the purpose is avoided. Data is not processed to meet possible needs that may arise in the future.
6.1.5. Keeping Personal Data for the Period Envisaged in the Legislation or Necessary for the Purpose for which they are Processed
The Company retains personal data for the period stipulated in the legislation and the NUTRADE Storage and Disposal Policy, or as reported in VERBIS, or as required for the purpose for which they are processed. If the period specified in the legislation and/or Destruction Policy expires or the purpose is achieved, personal data is deleted, destroyed or anonymized ex officio or upon the request of the person concerned. Regarding the destruction of personal data, a "Personal Data Storage and Destruction Policy" has been prepared and announced on the Company website.
6.2. Processing of General Personal Data
In accordance with Article 20 of the Constitution and Article 5.1 of the KVKK, personal data cannot be processed without the explicit consent of the relevant person. In line with these legal regulations, our company always takes care to obtain the explicit consent of the relevant persons in the processing of personal data.
However, in accordance with Article 5.2 of the KVKK, the company can also process personal data without seeking the explicit consent of the relevant person, if the following conditions are met.
a) It is clearly prescribed by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Your personal data may be processed by NUTRADE if one or more of the following conditions are met.
6.2.1. Having Explicit Consent of the Personal Data Owner
It is NUTRADE's priority to obtain explicit consent in the processing of personal data. For this reason, the necessary methods and systems have been developed to obtain the explicit consent of the relevant persons whose personal data we process, physically and/or electronically.
Before obtaining the consent of the relevant persons for the processing of their personal data, the obligation to inform them is fulfilled in line with Article 10 of the KVKK, and it is ensured that their explicit consent, based on information and free will, is obtained regarding a certain subject.
NUTRADE, which attaches particular importance to the fact that the explicit consents received from employees are based on free will, emphasizes that its employees can refrain from giving explicit consent, ensures that the data of its employees who do not give explicit consent for the processing of certain data is not processed, and does not subject the employees who do not give explicit consent to any discrimination.
6.2.2 Explicitly Provided in Laws
The processing of personal data is lawful if it is clearly provided for by law, in which case it is not separately evaluated whether the data subject has given explicit consent. In accordance with Article 75 of the Labor Law No. 4857 on Employee Personnel Files, the collection of employee data is considered within this scope. In particular, personal data may be processed by NUTRADE without the explicit consent of the relevant person in cases stipulated in the laws, including the Consumer Protection Law No. 6502, the Personal Data Protection Law No. 6698, the Turkish Code of Obligations No. 6098, the Turkish Commercial Code No. 6102, the Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through These Publications, the Occupational Health and Safety Law No. 6361, the Social Insurance and General Health Insurance Law No. 5510, the Right to Information Law No. 4982, the Law No. 3071 on the Exercise of the Right to Petition, and the secondary legislation related to these laws.
6.2.3. Failure to Obtain Explicit Consent Due to Actual Impossibility
In cases where consent cannot be expressed or is not valid, it is envisaged that data will be processed to protect the life or physical integrity of individuals. For example, if a worker working in a heavy duty group in the factory has a work accident and his blood type is shared with the relevant health personnel, the person will not be expected to give explicit consent. In these and similar cases, NUTRADE may process personal data without seeking explicit consent, especially by taking into account the legitimate interests of the data subject.
6.2.4. Directly Related to the Establishment or Performance of the Contract
If it is directly related to the establishment or performance of a contract, it is possible to process personal data of the parties to the contract without explicit consent. For example, in accordance with a contract, the account number of the creditor party may be obtained for payment of the fee. Therefore, in such cases, NUTRADE may process personal data without obtaining the explicit consent of the data owner.
6.2.5. It is mandatory for the company to fulfill its legal responsibilities
If it is mandatory for the company to fulfill its legal obligations, it is possible to process personal data without explicit consent. For example, even if there is no explicit consent, information requested by court order can be submitted to the court. In such a case, NUTRADE may process people's data without seeking explicit consent.
6.2.6. Data Made Public by the Relevant Person Himself
Personal data disclosed to the public by the relevant person may be processed without explicit consent in connection with the purpose of publicization. For example, the information of a person who shares his CV on his account on websites established for the purpose of providing employment is considered as publicized data. In these and similar cases, it may be possible for NUTRADE to process personal data without the need for explicit consent.
6.2.7. Being Necessary for the Establishment, Use or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, personal data may be processed without explicit consent. This includes using some data for proof in a lawsuit filed by a company employee.
6.2.8. Necessary for the Company's Legitimate Interests
Personal data may be processed without explicit consent if data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. This includes processing the personal data of employees for their promotions, salary increases or regulation of their social rights, provided that it does not harm the fundamental rights and freedoms of the employees. For example, since NUTRADE provides orientation and professional development training to its employees and invests in this context, male candidates are asked whether they have completed their military service.
6.3. Processing of Special Personal Data
KVKK gives special importance to some personal data, considering that they carry a potential for discrimination and may cause grievance to individuals when processed unlawfully; these data are called "personal data of special nature". (For definition, see: 4. DEFINITIONS)
The company is also sensitive in the processing of such "special categories of personal data", to which KVKK attaches special importance. Employees involved in the processing of special personal data are given training on special personal data security under the Law and related regulations, they are made to sign confidentiality agreements, their access to data is restricted, and the authorizations of employees who change their duties or leave their jobs in these areas are immediately removed.
If special personal data is to be transferred via e-mail, it is transferred only to the relevant party via an encrypted corporate e-mail account or KEP account. Security tests are carried out when deemed necessary. Adequate security measures are taken in the physical environments where sensitive personal data are stored, and unauthorized entries and exits to these environments are prevented. Precautions have been taken against risks such as fire and flood that may occur in these physical environments. It should also be noted that the roles and responsibilities regarding the processing and preservation of special personal data have been distributed, and the persons in question have been warned about the sensitivity of the data and have been instructed to take the necessary precautions.
VPN is used in cases where transfer occurs between servers in different physical environments. If data must be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the format of "confidential documents".
Explicit consent of the relevant persons is the priority of NUTRADE for the processing of the data in question. Special categories of personal data may be processed by NUTRADE in the absence of explicit consent of the data subject, but only in the following exceptional cases specified in the KVKK.
6.4. Personal Data Processed by NUTRADE
Special and general personal data are processed by NUTRADE within the scope of the principles and purposes listed above. These data are listed by way of example in ANNEX-1. Which of these data is processed depends on the relationship established between NUTRADE and the relevant person, in line with the principles contained in this Policy:
6.5. Transfer of Personal Data
6.5.1. Transfer of Personal Data Domestically
Obtaining explicit consent for sharing personal data is NUTRADE's priority. For this reason, the necessary methods have been developed to obtain the explicit consent of the relevant persons, whose personal data we share with third parties, physically and/or electronically.
6.5.1.1. Domestic Transfer of General Personal Data
NUTRADE may transfer the personal data of the relevant persons to third parties in accordance with the principles adopted in the processing of personal data. When transferring personal data to third parties, attention is paid to obtaining the consent of the relevant person, and in case of one or more of the following situations, personal data may be transferred without explicit consent;
It is clearly prescribed by law.
It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
6.5.1.2. Domestic Transfer of Special Personal Data
Our company can transfer the special personal data of the relevant persons to third parties in accordance with the principles adopted in the processing of personal data.
When transferring sensitive personal data to third parties, attention is paid to obtaining the consent of the relevant person, and special personal data are transferred domestically by taking adequate technical and administrative measures. However, in the case of the following situations, adequate technical and administrative measures are taken and sensitive personal data can be processed without the express consent of the relevant person;
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data, in cases stipulated by law,
Personal data regarding health and sexual life can only be transferred by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing.
6.5.2. Transfer of Personal Data Abroad
When transferring personal data abroad, care is taken to obtain the explicit consent of the relevant person. For this reason, the necessary methods have been developed to obtain the explicit consent of the relevant persons physically and electronically.
Our company can transfer the personal data of relevant persons abroad in accordance with the law and the rules of honesty and by adhering to the data processing purposes.
When transferring personal data abroad, we comply with Article 9 of the KVKK and the principles and criteria specified in the Board's decision numbered 2019/125.
6.5.2.1. Transfer of General Personal Data Abroad
NUTRADE may transfer the personal data of the relevant persons (identity, communication, legal transaction, customer transaction, finance, professional experience, third party or representative information claiming rights, etc.) to third parties in accordance with the principles adopted in the processing of personal data. When transferring personal data to third parties abroad, attention is paid to obtaining the consent of the relevant person.
If there is no explicit consent of the data owner, personal data may be transferred abroad in case of one of the following conditions, provided that there is adequate protection in the country to which the data will be transferred or that the data controller to whom the personal data will be transferred undertakes adequate protection in writing and has the permission of the Board, and by applying the principles adopted by the Board in its decision numbered 2019/125:
It is clearly prescribed by law.
It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Since its shareholders operate abroad, NUTRADE can share personal data with its shareholders to the extent necessary for legitimate purposes by fulfilling the legal obligations mentioned above.
6.5.2.2 Transfer of Special Personal Data Abroad
Although NUTRADE does not currently transfer any special personal data abroad, if it does in the future, it will do so in accordance with the principles below.
Provided that there is adequate protection in the country to which the data will be transferred or that the data controller to whom the personal data will be transferred makes a written commitment with sufficient protection and has the permission of the Board, special personal data may be transferred abroad without needing the explicit consent of the relevant person in case of one of the following conditions, in accordance with the principles adopted by the Board in its decision numbered 2019/125:
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data, in cases stipulated by law,
Personal data regarding health and sexual life can only be transferred abroad by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
7. DATA CONCERNING THE INTERNET ACCESS PROVIDED
At NUTRADE, staff and guests are provided with internet access. The name, surname and phone number of staff and guests who want to use internet access, together with the websites they access and the time information, are stored as a legal obligation in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications and the Regulation on Internet Collective Use Providers issued based on this Law.
Stored records may be shared with legally authorized institutions and organizations, upon request, to fulfill legal obligations.
8. PERSONAL DATA OF WEBSITE VISITORS
Relevant clarification texts and policies within the scope of Article 10 of the KVKK regarding how and for what purpose personal data are obtained have been published on the company's website www.nutrade.com.tr and visitors have been informed about this.
In addition, the website information text directs the relevant person to information texts and Company policies that provide more detailed information according to his/her relationship with the Company, in order to ensure that the relevant person has access to the most accurate information in the simplest way regarding the steps of processing his/her personal data by the Company.
9. SECURITY OF PERSONAL DATA
NUTRADE takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the preservation of personal data.
In this context, first of all, studies were carried out and workshops were held to determine the personal data processed by NUTRADE; the risks that may arise regarding the protection of these data were determined, taking into account whether the personal data processed were special categories of personal data, and the necessary technical and administrative measures to reduce or eliminate these risks were taken and put into practice.
Internal policies and procedures have been adopted to regulate the processing, preservation, storage, destruction and other processes of personal data in accordance with the law, legislation and relevant security measures.
In order to ensure personal data security, to prevent unlawful disclosure and sharing of personal data, and to raise awareness about KVKK, regular training is provided to employees and managers.
In addition, employees who are involved in personal data processing processes are asked to sign confidentiality agreements and commitments as part of their business processes, and they are reminded that the necessary disciplinary process will be applied if it is determined that employees have acted contrary to security policies and procedures.
The contracts made between NUTRADE and data processors, employees, customers, suppliers, business partners, etc. were examined, revisions were made within the scope of KVKK and other legislation, and additional protocols were prepared.
Access to personal data included in the data processing processes of the company has been limited on a personnel basis, and a limited number of personnel have been granted access to personal data related to the business processes they carry out. Data processing activities carried out by personnel are recorded. The authorizations of personnel who change their duties or leave their jobs are immediately removed.
In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and control the processes related to the processing of personal data. Network security and data flow security studies have been carried out, and existing software has been updated to prevent data loss. Internal audits have been carried out to prevent unlawful processing of personal data and unlawful access to personal data.
System security gaps are monitored, patches are installed and information systems are kept up to date to ensure the appropriate security level.
Our website is protected by the HTTPS security protocol.
Following the studies on personal data held by NUTRADE, the personal data identified was analyzed and examined within the scope of the legislation. In this context, unnecessary data was deleted and the principle of reducing data as much as possible was adopted.
In order to prevent unlawful access to personal data and to ensure that personal data is stored in secure environments, technical methods with appropriate security levels are used and these methods are updated in accordance with developing technology.
In case of an internal or external attack on the company's data recording system, a system has been established to detect this situation early and intervene early. Which software and services are running in the IT networks and whether there is any infiltration or any movement that should not occur in the IT networks is regularly checked. Transactions of all users are kept regularly.
In case personal data is unlawfully acquired by others, NUTRADE has established a suitable system and infrastructure in order to notify the relevant person and the Board, and a procedure has been adopted by NUTRADE.
In order to ensure the security of information and IT systems against environmental risks, many precautions are taken, such as ensuring that only authorized personnel enter the system room, having the keys of locked data storage units held by certain persons, ensuring the physical security of the edge switches that make up the local area network, a fire extinguishing system, a cooling system for the correct operation of the server, security walls, attack prevention systems, network access control, anti-virus systems, etc.
10. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
In accordance with Article 7 of the KVKK, NUTRADE deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject, if the reasons requiring processing are eliminated or the period stipulated in the legislation expires, even though it has been processed in accordance with the legal legislation.
Personal data stored in physical environments and digital data recording systems are deleted, destroyed or anonymized, ex officio or upon the request of the person concerned, if the purpose of data processing is achieved or the period stipulated in the legislation expires.
Anonymised personal data can be used for purposes such as research, statistics and planning, can be stored indefinitely and can be transferred domestically and internationally.
Regarding the destruction of personal data, a "Personal Data Storage and Destruction Policy" has been prepared and announced on the website www.nutrade.com.tr. Please review for detailed information.
11. PERSONAL DATA OWNER'S RIGHTS AND APPLICATION TO THE COMPANY
Our company informs the relevant persons whose personal data we process about their rights and how they can exercise their rights within the scope of Article 10 of the KVKK.
11.1. Rights of Personal Data Owner
Within the scope of Article 11 of the Personal Data Protection Law, the relevant person who is the owner of personal data has the right to:
Learn whether personal data is being processed or not,
Request information if personal data has been processed,
Learn the purpose of processing personal data and whether they are used for their intended purpose,
Know the third parties to whom personal data is transferred at home or abroad,
Request that personal data be corrected if personal data has been processed incompletely or incorrectly, and that the correction be notified to third parties to whom personal data has been transferred,
Request the deletion or destruction of their personal data within the framework of the conditions stipulated in Article 7 of the Law, excluding legal limits, and request that the deletion and destruction be notified to third parties to whom personal data has been transferred,
Object to the emergence of an unfavorable result by analyzing the processed data exclusively through automatic systems,
Request compensation for the damage if they suffer damage due to unlawful processing of their personal data.
11.2. Exercise of Personal Data Owner's Rights
The requests of the relevant person within the scope of his rights specified in Article 11 of the Law must be forwarded to the Company in writing with a wet signature, or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the e-mail address previously notified to our Company by the relevant person and registered in our Company's system. For applications to be made in writing, the address is the address above.
The minimum information that must be included in the application of the relevant person is as follows;
Name, surname and signature if the application is written,
TR ID number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners,
Residence or workplace address subject to notification,
E-mail address, telephone and fax number for notification, if any,
Demand
Additionally, relevant information and documents should be added to the application. An Application Form has been prepared and announced on the website for applicants to use during their applications.
In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person making the application.
11.3. Exceptions to the Personal Data Owner's Right of Application
Pursuant to Article 28 of the Law, since the following situations are excluded from the scope of the Law, Data Owners cannot assert their rights in these cases:
Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.
In accordance with Article 28/2 of the Law, NUTRADE's disclosure obligation is not applied in the following cases:
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the data subject.
Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
11.4. Answering the Applications of the Personal Data Owner
NUTRADE takes all necessary administrative and technical measures to finalize the applications made by the relevant person within the scope of Article 11 of the KVKK effectively, in accordance with the law and the rule of honesty.
If the applications are submitted to NUTRADE in accordance with the procedures and principles stated above, NUTRADE will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. If the answer is more than ten pages, a processing fee of 1 Turkish Lira may be charged for each page over ten pages. If the answer to the application is given on a recording medium such as CD or flash memory, the cost of the data recording medium may be requested.
NUTRADE may request additional information if it deems it necessary to determine whether the applicant is the owner of personal data and to evaluate the requests, and may ask questions to the personal data owner regarding his application in order to clarify the issues stated in the application.
12. RESPONSIBILITIES AND DUTIES DISTRIBUTION
All units and employees of NUTRADE actively support the responsible units in the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, in the training and awareness raising of unit employees, in monitoring and continuous supervision, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure that personal data is stored in accordance with the law. The distribution of the titles, units and job descriptions of those involved in the processing of personal data is given in ANNEX-4. The persons in this table include the members of the NUTRADE Personal Data Protection Commission.
DATA STORAGE AND DESTRUCTION POLICY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
NUTRADE ÖZGÜR ŞAHİN
15/08/2022
1. INTRODUCTION
2. PURPOSE OF THE POLICY
3. SCOPE OF THE POLICY
4. DEFINITIONS
5. RECORDING MEDIA
6. REASONS THAT REQUIRE THE STORAGE AND DESTRUCTION OF PERSONAL DATA
7. SECURITY OF PERSONAL DATA
8. DESTRUCTION OF PERSONAL DATA
8.1. Reasons Requiring Destruction of Personal Data
8.2 Deletion of Personal Data
8.3 Destruction of Personal Data
8.4 Anonymization of Personal Data
8.5 Responsible Personnel Involved in Personal Data Storage and Destruction Processes
8.6. Personal Data Categories
8.7. Personal Data Category and Person Group Matching
8.8. Storage and Destruction Periods
8.10 Periodic Destruction Periods
1. INTRODUCTION
1.1. Protection of personal data is of great importance for NUTRADE ÖZGÜR ŞAHİN (“NUTRADE”). NUTRADE attaches importance to the protection of the personal data of our company partners, employees, prospective employees, customers, prospective customers, company officials, various business partners including the suppliers and healthcare professionals we work with, employees of our service providers, officials, visitors and third parties.
1.2. The "Personal Data Protection and Processing Policy", which sets out the principles adopted by NUTRADE regarding the processing and protection of personal data, is presented to the information of relevant persons on our internet website.
2. PURPOSE OF THE POLICY
2.1. The Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and/or transactions regarding the storage, deletion, destruction and anonymization of personal data carried out by NUTRADE.
2.2. Work and/or transactions regarding the storage, deletion, destruction and anonymization of personal data are carried out in accordance with the Policy prepared accordingly by NUTRADE.
3. SCOPE OF THE POLICY
3.1. This Policy covers all kinds of personal data processed by wholly or partially automatic means, or by non-automatic means provided that they are part of any data recording system.
3.2. This Policy applies to the relevant recording environments owned or managed by NUTRADE, where personal data are processed, and to the business, transactions and activities related to personal data.
4. DEFINITIONS
In this Policy,
Explicit Consent: Consent regarding a specific subject, based on being informed and expressed with free will,
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller,
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
Relevant Person: The real person whose personal data is processed,
Employee: NUTRADE personnel,
Employee Candidate: Real persons who have applied for a job to NUTRADE by any means, electronically or physically, in order to become an employee within NUTRADE, or who have opened/submitted their CV and related information to NUTRADE for review personally or through a system,
Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Visitor: Real persons who enter the physical premises owned by NUTRADE for various purposes or visit our websites,
Business Partner: Parties with which NUTRADE establishes a business partnership for purposes such as carrying out various projects together and receiving services while carrying out its commercial activities,
Company Official: NUTRADE board member and other authorized persons,
Company Partners: NUTRADE partner real persons,
Customer: Real or legal persons who benefit from the products and services offered by NUTRADE,
Prospective Customers: Real or legal persons who have requested or will request to benefit from the products and services offered by our company or to purchase the relevant products and services, and who can be evaluated in accordance with the rules of commercial practice and honesty,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Personal Data Protection Law No. 6698 dated 24/3/2016,
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017,
Recording Medium: Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Electronic Environments: The environment where personal data can be created, processed, stored and transmitted with devices with the relevant technological infrastructure,
Other Non-Electronic Media: All kinds of written, visual and other media other than electronic media,
Service Provider: Real or legal person who provides any service within the framework of the relevant contract with NUTRADE,
Personal Data: Any information regarding an identified or identifiable natural person,
Special Quality (Sensitive) Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes, data category, transferred recipient group and data subject person group, and by detailing the maximum period required for the purposes for which personal data is processed, personal data intended to be transferred to foreign countries and measures taken regarding data security,
Personal data storage and destruction policy: The policy on which data controllers base their deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data are processed.
Board: Personal Data Protection Board
Institution: Personal Data Protection Authority,
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all of the processing conditions for personal data specified in the law are eliminated.
Registry (VERBİS): Data controllers registry information system maintained by the Personal Data Protection Authority,
Data Processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
For definitions not included in this Policy, the definitions in Law No. 6698 and relevant legislation apply.
5. RECORDING MEDIA
The recording environments where personal data is kept by NUTRADE are: servers, software, information security devices (firewall, antivirus, periodic log files, etc.) used on behalf of/by NUTRADE, personal computers, mobile devices (smart tablets, smartphones), electronic programs used, communication infrastructures, MSSQL Systems, Back Up software, transfer programs and servers, VPN server data, shared/non-shared disk drives used for data storage on the network, other carriers with data storage features such as CD, DVD, USB, external disk and memory card, printers and scanners, paper, unit cabinets and archives.
In addition to the recording media listed, NUTRADE will include other recording media it may use in the Destruction Policy without delay.
6. REASONS THAT REQUIRE THE STORAGE AND DESTRUCTION OF PERSONAL DATA
Your personal data may be processed by NUTRADE if one or more of the following conditions are met:
Conducting Emergency Management Processes
Execution of Information Security Processes
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Carrying out the application processes of employee candidates
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Conducting Activities in Compliance with Legislation
Carrying out Finance and Accounting Affairs
Execution of Commitment Processes for Company / Product / Services
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Communication Activities
Planning Human Resources Processes
Execution/Audit of Business Activities
Carrying out Occupational Health / Safety Activities
Receiving and Evaluating Suggestions for Improving Business Processes
Carrying out Business Continuity Ensuring Activities
Execution of Goods / Service Purchasing Processes
Execution of Goods/Service After-Sales Support Services
Execution of Goods / Service Sales Processes
Execution of Customer Relationship Management Processes
Carrying out Activities for Customer Satisfaction
Organization and Event Management
Conducting Performance Evaluation Processes
Execution of Advertising / Campaign / Promotion Processes
Conducting Risk Management Processes
Carrying out Storage and Archive Activities
Carrying out Social Responsibility and Civil Society Activities
Execution of Contract Processes
Carrying out Sponsorship Activities
Tracking of Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
To get detailed information about the processing of personal data, you can review the Personal Data Processing and Privacy Policies on our website.
A. Legal Reasons Requiring Storage
Relevant personal data is retained by NUTRADE for the period stipulated in the relevant legislation. In this context, personal data is stored in accordance with the retention periods stipulated within the scope of the following laws and the secondary legislation related to these laws:
Personal Data Protection Law No. 6698,
Turkish Code of Obligations No. 6098,
Turkish Commercial Code No. 6102,
Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,
Occupational Health and Safety Law No. 6361,
Social Insurance and General Health Insurance Law No. 5510,
Right to Information Law No. 4982,
Labor Law No. 4857,
Law No. 3071 on the Exercise of the Right to Petition.
The personal data of the relevant persons is destroyed by NUTRADE during the first periodic destruction to be carried out in the following cases: the reasons for processing personal data listed above are eliminated; the legislation forming the basis for processing is changed or abolished; the relevant person applies for the deletion, destruction or anonymization of personal data in accordance with Article 11 of KVKK No. 6698; or NUTRADE rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his personal data, the answer given is found insufficient, or NUTRADE does not respond within the period stipulated in KVKK No. 6698, and the relevant person files a complaint with the Board and this request is deemed appropriate by the Board. All transactions regarding the deletion, destruction and anonymization of personal data are recorded in minutes, and such records are kept for at least three years from the date of destruction.
7. SECURITY OF PERSONAL DATA
NUTRADE takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the preservation of personal data.
In this context, first of all, studies were carried out to determine the personal data processed by NUTRADE and workshops were held. The risks that may arise regarding the protection of these data were determined, taking into account whether the personal data processed were special categories of personal data, and the necessary technical and administrative measures to reduce or eliminate these risks have been put into practice.
Internal policies and procedures have been adopted to regulate the processing, preservation, storage, destruction and other processes of personal data in accordance with the law, legislation and relevant security measures.
In order to ensure personal data security, to prevent unlawful disclosure and sharing of personal data, and to raise awareness about KVKK, regular training is provided to employees and managers.
In addition, employees who are involved in personal data processing processes are asked to sign confidentiality agreements and commitments as a part of their business processes, and they are reminded that the necessary disciplinary process will be applied if employees are found to have acted contrary to security policies and procedures.
The contracts made between NUTRADE and its employees, suppliers, business partners and similar companies and data processors were examined. In this context, revision studies were carried out, especially within the scope of KVKK and other legislation, and additional protocols were prepared.
Access to personal data included in the data processing processes of the company has been limited on a personnel basis, and a limited number of personnel have been granted access to personal data related to the business processes they carry out. Data processing activities carried out by personnel are recorded.
In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and control the processes related to the processing of personal data. Network security and data flow security studies have been carried out, and existing software will be updated to prevent data loss. Regular internal audits will be carried out to prevent unlawful processing of personal data and unlawful access to personal data.
Penetration tests are carried out at specified intervals and in line with the instructions of the board member responsible for information technologies.
System security gaps are monitored, patches are installed and information systems are kept up to date to ensure the appropriate security level.
Our website is protected by the HTTPS security protocol.
Following the studies on personal data held by NUTRADE, the identified personal data were analyzed and examined within the scope of the legislation. In this context, unnecessary data was deleted and the principle of reducing data as much as possible was adopted.
In order to prevent unlawful access to personal data and to ensure that personal data is stored in secure environments, technical methods with appropriate security levels are used and these methods are updated in accordance with developing technology.
In case of an internal or external attack on the company's data recording system, a system has been established to detect this situation early and intervene early. It is regularly checked which software and services are running in the IT networks and whether there is any infiltration or any movement that should not occur in the IT networks. Records of the transactions of all users are kept regularly.
In case personal data is unlawfully acquired by others, NUTRADE has established a suitable system and infrastructure in order to notify the relevant person and the Board, and a procedure has been adopted by NUTRADE.
If special personal data is to be transferred via e-mail, it is transferred through an encrypted corporate e-mail account or KEP account. If transfer is made between servers in different physical environments, data is transferred between the servers using the VPN method. If data transfer takes place physically, necessary precautions are taken against risks such as theft, damage, loss or seizure of the document by unauthorized persons, and the document is sent in closed files and in a "confidential" format so that it cannot be read from the outside.
In order to ensure the security of information and IT systems against environmental risks, many precautions are taken, such as ensuring that only authorized personnel enter the system room, keeping the keys of locked data storage units with certain persons, ensuring the physical security of the edge switches that make up the local area network, a fire extinguishing system, a cooling system for the correct operation of the server, security walls, attack prevention systems, network access control, antivirus systems, etc.
8. DESTRUCTION OF PERSONAL DATA
8.1. Reasons Requiring Destruction of Personal Data
In accordance with Article 7 of KVKK No. 6698, the Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject, if the reasons requiring processing are eliminated or the period stipulated in the legislation expires, even though it has been processed in accordance with the legal legislation.
In the destruction of personal data, the Company chooses the appropriate method of deletion, destruction or anonymization and takes all necessary technical and administrative measures to delete, destroy and anonymize personal data in accordance with the law.
8.2 Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. The Company takes all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
In the process of deleting personal data, the personal data that will be subject to deletion is determined, the relevant users who have access to the personal data in question and their authority over the personal data are determined, and the access, recovery and reuse authorizations of the relevant users within the scope of the personal data in question are removed. Personal data on paper is deleted using the blackout method. Blackout is the process of making the personal data on the relevant document invisible to the relevant users by using fixed ink or cutting it in a way that is irreversible and unreadable with technological solutions.
In databases containing personal data, the relevant rows containing personal data are deleted with database commands (Delete etc.). For personal data held in files on the operating system, deletion is done either with the delete command of the operating system or by removing the relevant user's access rights to the file or the directory where the file is located.
8.3 Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone. The company takes all necessary technical and administrative measures regarding the destruction of personal data.
In order to destroy personal data, all copies of the data are identified and, depending on the type of systems where the data is located, the appropriate method is used: de-magnetization for data on magnetic media; melting, burning or pulverizing optical media and magnetic media, or passing them through a metal grinder; and, for personal data found on paper media, the appropriate one of the paper screening methods.
8.4 Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
The purpose of anonymization is to break the connection between the data and the person whom this data identifies. Methods such as automatic or non-automatic grouping, masking, derivation, generalization, and randomization, applied to the records in the data recording system where personal data are kept, are some of the anonymization methods.
Responsible for implementing the Personal Data Storage and Destruction Policy
Title: Responsible for the Protection of Personal Data
Duty: Responsible for Compliance with the Personal Data Protection Law and the Personal Data Processing, Storage and Destruction Policy
Responsibility: Ensuring and supervising compliance with the Personal Data Protection Law, secondary legislation and Board decisions throughout NUTRADE, and managing personal data destruction processes in accordance with periodic destruction periods by ensuring compliance with the Personal Data Storage and Destruction Policy.

Title: Marketing Officer
Duty: Responsible for implementing the Personal Data Storage and Destruction Policy.
Responsibility: Regarding the processes within his/her duty, ensuring compliance with the Personal Data Storage and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction periods.

Title: Human Resources Officer
Duty: Responsible for implementing the Personal Data Storage and Destruction Policy.
Responsibility: Regarding the processes within his/her duty, ensuring compliance with the Personal Data Storage and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction periods.
8.6. Personal Data Categories
You can access up-to-date information on Personal Data Category and Person Group Matching at www.verbis.kvkk.gov.tr.
8.10 Periodic Destruction Periods
In accordance with KVKK article 7 no. 6698, personal data is periodically destroyed if the reasons requiring processing disappear or the period stipulated in the legislation expires, even though it has been processed in accordance with the legal legislation. Our company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out for all personal data at 6-month intervals, twice a year.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for three years, excluding other legal obligations.