For İLHAN SARI ORGANİK ZEYTİN ÇİFTLİĞİ (“İLHAN SARI” or the "Company") as the data controller, the protection of personal data belonging to its customers, employees, and other real persons with whom it has a relationship is of utmost importance. This Policy and other written policies within İLHAN SARI govern the processes for the processing and protection of personal data, with the aim of ensuring the lawful processing and protection of personal data belonging to our customers, potential customers, employees, employee candidates, visitors, employees of institutions with whom we collaborate, employees of the İLHAN SARI group of companies to which we belong, and third parties.
In this context, İLHAN SARI takes the necessary administrative and technical measures for the processing and protection of personal data in accordance with Law No. 6698 and relevant legislation.
This Policy will explain the basic principles adopted by İLHAN SARI for personal data processing processes, which are listed below:
Processing personal data within the scope of consent.
Processing personal data in accordance with the law and principles of good faith.
Keeping personal data accurate and up-to-date when necessary.
Processing personal data for specific, explicit, and legitimate purposes.
Processing personal data in a manner that is relevant, limited, and proportionate to the purpose for which they are processed.
Retaining personal data for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed.
Informing and enlightening personal data owners.
Establishing the necessary infrastructure for personal data owners to exercise their rights.
Taking necessary measures for the protection of personal data.
Acting in accordance with relevant legislation and KVK Board regulations in determining and implementing personal data processing purposes, and in transferring them to third parties.
Special regulation of the processing and protection of special categories of personal data.
The main purpose of this Policy is to provide explanations regarding the personal data processing activities lawfully carried out by İLHAN SARI and the adopted systems for the protection of personal data, thereby ensuring transparency by informing our customers, employees, employee candidates, visitors, shareholders and employees of collaborating institutions, and third parties.
This Policy pertains to all personal data processed automatically or non-automatically as part of any data recording system, belonging to our customers, employees, employee candidates, visitors, employees of institutions with whom we collaborate, and third parties.
Within the scope of this Policy, data subjects whose personal data are processed are categorized as follows:
|
Category |
Description |
|
Employee Candidate |
Real persons who apply for a job at the Company or make their CV and related information accessible to the Company by any means. |
|
Employee |
Persons whose employment relationship with the Company is ongoing. |
|
Former Employee |
Former employees whose employment relationship with the Company has ended. |
|
Visitors |
Real persons who have entered the Company's physical facilities for various purposes or visited its websites. |
|
Intern Candidate |
Real persons who apply for an internship at the Company or make their CV and related information accessible to the Company by any means. |
|
Intern |
Persons whose internship relationship with the Company is ongoing. |
|
Product or Service Recipient |
Persons who purchase products/services from the Company and whose personal data are obtained for this purpose. |
|
Supplier Official |
Authorized signatories of real person sole proprietorships or legal entities from whom the Company procures products/services. |
|
Supplier Employee |
Persons working for suppliers from whom the Company procures products/services. |
|
Potential Product or Service Recipient |
Persons who are potential customers of the Company, prospective customers. |
|
Shareholder/Partner |
Company shareholders. |
|
Customer Official |
Authorized signatories of real person sole proprietorships or legal entities to whom the Company sells products/services. |
|
Customer Employee |
Persons working for customers to whom the Company sells products/services. |
|
Consultant |
Individuals/organizations (academics, etc.) from whom external services are obtained in line with the Company's goals, projects, and expectations. |
|
Subcontractor Employee |
Persons working for firms that are subcontractors of the Company. |
|
Drawer-Endorser |
Real persons whose check information is processed in the Company's finance-accounting processes. |
|
Third Parties |
Other real persons, including but not limited to guarantors, family members, etc., whose personal data are processed within the framework of this Policy despite not being defined in the Policy. |
This Policy, prepared by İLHAN SARI, entered into force on 01.01.2020. This Policy is published on İLHAN SARI's website (www.ilhansari.com) and made accessible to personal data owners upon their request. İLHAN SARI may revise the policy when deemed necessary. In cases of revision, the most current version of the Policy will be published on the Company's website.
In accordance with Article 12 of the KVK Law, İLHAN SARI takes the necessary technical and administrative measures to ensure an appropriate level of security, to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data, and to ensure data preservation, and conducts or arranges for necessary audits in this context.
İLHAN SARI takes technical and administrative measures to ensure the lawful processing of personal data, considering technological possibilities and implementation costs.
Technical measures are taken by İLHAN SARI to ensure the lawful processing of personal data and are monitored through internal audits.
Administrative measures taken by İLHAN SARI to ensure the lawful processing of personal data include:
İLHAN SARI employees are informed and trained on personal data protection law and the lawful processing of personal data.
All personal data processing activities carried out by İLHAN SARI are conducted in accordance with the personal data inventory and its appendices, which have been created through detailed analysis of all business units.
Personal data processing activities carried out by the relevant departments within İLHAN SARI are linked to written policies and procedures by İLHAN SARI to ensure their compliance with the personal data processing conditions required by the KVKK, and each business unit has been informed about this matter, with specific considerations determined for their respective activities.
The auditing and management of personal data security within the departments of İLHAN SARI are organized by the FINANCE MANAGER. Awareness is raised to ensure legal requirements are met on a business unit basis, and the necessary administrative measures are implemented through internal company policies, procedures, and training to ensure the auditing and continuity of these practices.
Information regarding personal data and data security records are included in service contracts and related documents between İLHAN SARI and its employees, and additional protocols are made. Work has been carried out to create the necessary awareness for employees in this regard.
İLHAN SARI conducts KVKK Risk Analysis in the following situations:
For new projects involving personal data.
Before selecting a supplier to whom personal data will be transferred.
Before activities to be carried out within the scope of marketing activities.
Whenever there is any change in the activities mentioned above.
KVKK Risk Analysis is subject to the approval of the FINANCE MANAGER.
İLHAN SARI takes technical and administrative measures to prevent the inadvertent or unauthorized disclosure, access, transfer, data leakage within İLHAN SARI systems, or any other form of unlawful access to personal data, considering the class and nature of the data to be protected, technological possibilities, and implementation costs.
The main technical measures taken by İLHAN SARI to prevent unlawful access to personal data are listed below:
New technological developments are monitored, and technical measures, especially in the field of cybersecurity, are taken on systems, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented within the framework of legal compliance requirements determined specifically for each department within İLHAN SARI.
Access permissions are restricted, and permissions are regularly reviewed. Access restrictions are applied to former employees, and accounts are closed.
Technical measures taken due to internal operations of İLHAN SARI are reported to relevant users, and risk-bearing issues are re-evaluated to produce necessary technological solutions.
Software and hardware including virus protection systems, data vulnerability securities, and firewalls are installed.
Expert personnel in technical matters are employed.
All information systems, including applications where personal data is collected, are regularly subjected to external penetration testing to detect security vulnerabilities, and the identified vulnerabilities are addressed based on the results of these tests.
Employees, especially relevant users processing personal data and all personnel, are trained on administrative measures to be taken to prevent unlawful access to personal data.
Within each department of İLHAN SARI, legal compliance, internal personal data access, and authorization processes are applied, considering personal data processing procedures.
In the contracts signed between İLHAN SARI and its employees, the scope of lawful personal data processing activities is explained, and commitments to act in accordance with these matters are included.
İLHAN SARI enters into additional agreements with the parties to whom personal data are lawfully transferred, including provisions that the transferees will take the necessary security measures for the protection of personal data and ensure compliance with these measures within their own organizations.
In accordance with its duty arising from Article 12 of the Law, İLHAN SARI personally conducts its necessary audits through the FINANCE MANAGER to ensure the implementation of the provisions of the Law within its own institution or organization, and, when necessary, has them carried out with the support of competent organizations. Based on the results of these audits, detected violations, negativities, and non-compliances are addressed by taking the necessary measures. If İLHAN SARI receives external services for the storage of personal data due to technical requirements, additional agreements are made with the relevant companies to whom personal data are lawfully transferred, including provisions that the transferees will take the necessary security measures for the protection of personal data and ensure compliance with these measures within their own organizations.
In accordance with Article 13 of the KVK Law, İLHAN SARI, as the data controller, has established Personal Data Application and Response Procedure as an annex to the personal data inventory for data subject requests, and a procedure for directing applications that do not meet the application conditions specified in the law to a written template. Technical preparations have been made to carry out the necessary procedures in accordance with these procedures. The systemic infrastructure to implement this procedure is available within İLHAN SARI.
Personal data owners, by making an application in accordance with this procedure, will be able to request all their rights under the relevant article of the law, including all processing processes, purposes, and transfer information of their personal data. If personal data owners submit their requests regarding their rights listed below in a verifiable manner to İLHAN SARI via a notary public, in person with identity verification, in writing, or by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or an electronic mail address previously notified to İLHAN SARI and registered in İLHAN SARI's system, or through a software or application developed for the purpose of the application, İLHAN SARI will respond to the request free of charge within a maximum of thirty days, depending on the nature of the request. Detailed explanation on this matter is provided below in Article 20 of this policy.
The KVK Law attaches special importance to certain personal data due to the risk of causing victimisation or discrimination if processed unlawfully. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
İLHAN SARI acts with sensitivity in the protection of special categories of personal data, which are designated as “special categories” by the KVK Law and processed lawfully. In this context, İLHAN SARI diligently applies the technical and administrative measures taken for personal data protection to special categories of personal data, and ensures necessary audits within İLHAN SARI.
In this context, İLHAN SARI processes employees' health data due to the occupational health service it receives externally, and provides necessary training to personnel who can access these special categories of personal data, defines the scope and duration of their access authority, conducts periodic audits, and signs confidentiality agreements. If the relevant personnel leave their job, their access authority is immediately revoked.
Physical files containing employees' personal health data, stored physically in health files, are kept in locked areas accessible only to infirmary personnel. No unit other than infirmary personnel can access employees' health data.
İLHAN SARI ensures that necessary training is organized for its employees to increase awareness regarding the prevention of unlawful processing of personal data, unlawful access to data, and ensuring data preservation.
İLHAN SARI processes personal data in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, with the following principles:
In accordance with the law and good faith rules.
Accurate and, when necessary, up-to-date.
Processed for specific, explicit, and legitimate purposes.
Relevant to the purpose, limited, and proportionate.
İLHAN SARI retains personal data for the period stipulated in the laws or required by the purpose of personal data processing. İLHAN SARI processes personal data of its customers, employees, visitors, supplier company employees, and third parties, such as identity information (name, surname, Turkish ID number, gender, age, date of birth), contact information (email address, phone number, address information, IP address), vehicle features, license plate information, chassis information, all kinds of product usage habits, preferences, tastes and user habits on the vehicle, occupation data, visual and auditory data, education data, family member data, health data, and while processing this data, aims to enable effective utilization of İLHAN SARI's goods and services by these personal data owners, to develop product and service diversity, to ensure data-specific technological development and innovation in vehicles, to provide the best service to its customers and to inform them about marketing, promotions and innovations as a result of these services, as well as for the performance of contracts, carrying out work, and within the scope of financial/legal/commercial obligations.
İLHAN SARI informs data subjects in accordance with Article 10 of the KVK Law and, in cases where consent is required, requests consent from data subjects, and processes these personal data based on the criteria specified below.
İLHAN SARI acts in accordance with the principles introduced by legal regulations and the general rule of trust and good faith in the processing of personal data. In accordance with the principle of good faith, İLHAN SARI considers the interests and reasonable expectations of the data subjects while striving to achieve its data processing goals.
Keeping personal data accurate and up-to-date is necessary for İLHAN SARI in terms of protecting the fundamental rights and freedoms of the data subject. İLHAN SARI has an active duty of care in ensuring personal data is accurate and up-to-date. Therefore, all communication channels are open for İLHAN SARI to keep the data subject's information accurate and up-to-date.
İLHAN SARI explicitly and clearly defines its legitimate and lawful personal data processing purposes. İLHAN SARI processes personal data to the extent necessary for and related to its commercial activities.
İLHAN SARI processes personal data for purposes related to its field of activity and necessary for carrying out its business. Therefore, İLHAN SARI processes personal data in a manner suitable for achieving the determined purposes and avoids processing personal data that are not related to the purpose or are not needed. For example, personal data processing activities for the purpose of meeting potential future needs are not carried out.
İLHAN SARI retains personal data only for the period specified in the relevant legislation or for the period necessary for the purpose for which they are processed. In this context, İLHAN SARI first determines whether a period is stipulated in the relevant legislation for the storage of personal data; if a period is determined, it acts in accordance with this period; if no period is determined, it stores personal data for the period necessary for the purpose for which they are processed.
İLHAN SARI enters into contractual relationships with supplier and service sector companies within the scope of its activities and carries out its services through these persons. In this context, İLHAN SARI obtains personal data from supplier and service provider companies by fulfilling its obligation to inform and obtaining consent from individuals, and this data is transferred to İLHAN SARI. This data can be processed by İLHAN SARI for the purpose of carrying out the work. If the relationship regarding personal data sharing between İLHAN SARI and its supplier and service provider companies occurs as a transfer of personal data from a data processor to a data controller within the scope of the KVK Law, the data subject is informed, at the stage of collecting their personal data, that these personal data may be sent to İLHAN SARI.
İLHAN SARI informs personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, İLHAN SARI provides enlightenment regarding the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner, based on the nature of the data owner and the data processing process. In this context, Illumination Texts have been placed in easily visible areas for customers in its factories. Along with this policy, the Illumination Text, Privacy and Cookie Policy, and application form have also been published on the www.ilhansari.com website.
İLHAN SARI may transfer the personal data and special categories of personal data of the personal data owner to third parties, taking necessary security measures, in line with lawful personal data processing purposes. The reasons for transfer are explained below:
If there is an explicit regulation in the laws regarding the transfer of personal data.
If the transfer of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
If personal data transfer is mandatory for İLHAN SARI to fulfill its legal obligation.
If personal data transfer is mandatory for the establishment, exercise, or protection of a right.
If personal data transfer is mandatory for İLHAN SARI's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
At İLHAN SARI, in line with İLHAN SARI's legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions specified in Article 5 of the KVK Law and limited to these, personal data in the categories specified below are processed by informing the data subjects within the scope of this Policy (Customers, employees, visitors, third parties, employee candidates, employees of institutions with whom we collaborate), primarily adhering to the principles stated in Article 4 regarding personal data processing, general principles specified in the KVK Law, and all obligations regulated in the KVK Law.
İLHAN SARI has created a personal data inventory in accordance with the Data Controllers' Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to whom data are transferred, and retention periods. In this context, İLHAN SARI's personal data inventory includes, but is not limited to, the following types of data categories:
|
PERSONAL DATA CATEGORIZATION |
DESCRIPTION |
|
Contact Data |
Data group that can be used to reach a person (Phone, address, email, fax number, IP address). |
|
Identity Data |
Data group containing information about a person's identity (Name, surname, TR ID No, mother's name, father's name, place of birth, date of birth, gender, wallet serial no, ID photocopy, tax no, SGK no, nationality data, marriage certificate photocopy/scan, employee card). |
|
Health Data |
Data group containing a person's health information (Blood type, medical history, check-up results, consultation report, diet form). |
|
Visual/Auditory Data |
Data group containing visual and auditory data belonging to a person (Photograph, audio recording, camera recording, driver's license photocopy/scan, ID photocopy/scan, passport photocopy/scan). |
|
Digital Footprint Data |
Data group containing digital footprints generated as a result of processing personal information (Logs). |
|
Financial Data |
Data group containing a person's financial information (Bank account no, IBAN no, card information, bank name, financial profile, mail order form, credit score). |
|
Professional Data |
Data group containing information about a person's profession (Employer information, professional chamber registration). |
|
Education Data |
Data group containing a person's educational data (GPA, diploma photocopy/scan). |
|
Travel Data |
Data group containing information about a person's travels (Flight information, boarding pass, tour route, frequent flyer card no, accommodation data). |
|
Company Data |
Sole proprietorship data (Company address). |
|
Race/Religion Information |
Data group containing information about a person's origin and belief (Race/religion information). |
|
Association Membership Information |
Data group containing information about a person's memberships and affiliated associations (All association memberships). |
|
Signature Data |
Data group containing a person's signature information (Wet signature, e-signature, signature photocopy/scan). |
|
Visa/Passport Data |
Data group containing a person's visa/passport information (Visa information, passport photocopy/scan). |
|
Sanction Data |
Data group regarding sanctions received by the person in the past (Criminal Prosecutions, Criminal Record, Disciplinary Record). |
İLHAN SARI stores the personal data it obtains within the scope of data processing activities for the periods and under the conditions stipulated by Law No. 6698.
İLHAN SARI processes personal data for purposes and under conditions limited to the personal data processing conditions specified in Article 5, Paragraph 2 and Article 6, Paragraph 3 of the KVK Law. These purposes and conditions are:
Product sales.
Performance of after-sales services.
Execution of collection transactions, including mail order and transfer instructions.
Providing customers with product-service promotions, information, personalized advertisements, campaigns, and other benefits, sending commercial electronic messages within loyalty programs, conducting surveys and telesales applications, and providing various advantages through statistical analyses.
Conducting studies to improve service quality and provide better service.
Issuing invoices for our services.
Obtaining services from external sources.
Providing customers with the benefits of expert organizations for matters not within our area of expertise and for obtaining technology services.
Identity verification.
Answering questions and complaints.
Taking necessary technical and administrative measures within the scope of data security.
Ensuring financial reconciliation with relevant business partners and other third parties regarding offered products and services.
Providing necessary information in accordance with requests and audits from regulatory and supervisory bodies and official authorities.
Retaining information related to data that must be stored in accordance with relevant legislation.
Ensuring consistency of information through auditing.
Measuring customer satisfaction.
For employees: creating personnel files, determining eligibility for continuous fulfillment of job requirements, arranging private health insurance, creating health files, taking occupational safety measures.
Using data obtained via website or social media channels for marketing purposes through third-party agencies.
Fulfilling legal obligations.
Executing/monitoring İLHAN SARI's financial reporting and risk management processes.
Executing/monitoring İLHAN SARI's legal affairs.
Creating and tracking visitor records.
İLHAN SARI stores personal data for the period specified in the relevant laws and regulations, if applicable.
If no retention period is regulated in the legislation for how long personal data should be stored, personal data is stored for the period required by İLHAN SARI's practices and industry customs, depending on the activity İLHAN SARI carries out while processing that data. After that, the data is deleted, destroyed, or anonymized in accordance with the relevant policy created by İLHAN SARI, depending on the nature of the data.
If the purpose of processing personal data has ended, and the retention periods determined by the relevant legislation and İLHAN SARI have also expired, personal data may only be retained for the purpose of constituting evidence in potential legal disputes or for asserting or defending a related right pertaining to the personal data. In determining these periods, the statute of limitations periods for asserting the aforementioned right and examples from previous requests made to İLHAN SARI on the same matters, even after the statute of limitations periods have passed, are taken as a basis for determining retention periods. In this case, the stored personal data is not accessed for any other purpose and access is provided to the relevant personal data only when it is necessary to use them in the relevant legal dispute. After the mentioned period also ends, the personal data is deleted, destroyed, or anonymized.
İLHAN SARI informs the personal data owner of the groups of persons to whom personal data is transferred, in accordance with Article 10 of the KVK Law.
İLHAN SARI may transfer the personal data and special categories of personal data of the data subjects governed by this Policy to the stakeholder categories listed below, in accordance with Articles 8 and 9 of the KVK Law:
İLHAN SARI business partners,
Banks and insurance companies (including intermediaries)
Joint Health and Safety Units
Travel agencies
Institutions and organizations providing health services to employees
Hotels
Training companies
İLHAN SARI suppliers,
İLHAN SARI group companies
İLHAN SARI company officials,
Legally authorized public institutions and organizations.
The scope of transfer and purposes of data transfer are specified below:
|
Persons to Whom Data Can Be Transferred |
Definition |
Purpose of Data Transfer |
|
Business Partner |
Defines the parties with whom İLHAN SARI establishes business partnerships for purposes such as carrying out various projects or obtaining services while conducting its commercial activities. |
Transferred solely to ensure the fulfillment of the purposes of the business partnership. |
|
Supplier |
Defines the parties who provide services to İLHAN SARI on a contract basis, in accordance with İLHAN SARI's commands and instructions, while İLHAN SARI conducts its commercial activities. |
Transferred solely to ensure the provision of services obtained by İLHAN SARI from the supplier as external resources, and which are necessary for İLHAN SARI to carry out its commercial activities. |
|
Group Companies |
Defines İLHAN SARI group companies. |
Necessary data are transferred between İLHAN SARI group companies. |
|
Authorized Public Institutions and Organizations |
Defines public institutions and organizations authorized to obtain information and documents from İLHAN SARI according to legal provisions. |
Transferred solely for the purpose in situations where public institutions and organizations request and provide legal basis for the data. |
The explicit consent of the personal data owner is only one of the legal grounds that enable the lawful processing of personal data. In addition to explicit consent, personal data may also be processed if one of the conditions specified in the law exists. The basis of the personal data processing activity may be only one of the conditions specified below, or more than one of these conditions may be the basis for the same personal data processing activity.
|
Processing Conditions |
Scope |
Example |
|
Legal Provision |
Tax Legislation, Labor Legislation, Commercial Legislation, etc. |
Employee's personnel information must be kept as required by legislation. |
|
Performance of Contract |
Employment Contract, Sales Contract, Transport Contract, Work Contract, etc. |
Recording the company's address information for delivery. |
|
Actual Impossibility |
A person who cannot give consent due to actual impossibility or who lacks the capacity to discern. |
Contact or address information of an unconscious person. Location information of a kidnapped person. |
|
Legal Responsibility of the Data Controller |
Financial Audits, Security Regulations |
... (The original text cuts off here, but this likely refers to data processed due to legal obligations for audits or security.) |
İLHAN SARI engages in personal data processing activities for security purposes at İLHAN SARI Farms, buildings, factories, and physical premises, through security camera monitoring and tracking of visitor entries and exits.
Personal data processing is carried out by İLHAN SARI through the use of security cameras and recording visitor entries and exits.
İLHAN SARI aims to protect its own interests and the security of other individuals within the scope of security camera monitoring activities. This monitoring activity is conducted in accordance with the KVKK, the Law on Private Security Services, and relevant legislation. In this context, information about camera surveillance is announced to all employees and visitors, and individuals are informed. Notification signs are placed at the entrances of monitored areas. İLHAN SARI takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities, in accordance with Article 12 of the KVK Law.
İLHAN SARI engages in personal data processing activities for tracking guest entries and exits at İLHAN SARI buildings, factories, and physical premises, for security purposes and other purposes stated in this Policy. When obtaining identity data of individuals entering İLHAN SARI buildings as guests, or through texts posted at İLHAN SARI or otherwise made accessible to guests, these personal data owners are informed in this context. Data obtained for the purpose of tracking guest entries and exits are processed only for this purpose, and the relevant personal data are recorded in a physical data recording system.
İLHAN SARI may provide internet access to requesting visitors during their stay within its buildings, factories, and physical premises, for security purposes and other purposes stated in this Policy. In such cases, log records related to internet access are kept in accordance with Law No. 5651 and the commanding provisions of the legislation enacted under this Law. These records are processed only when requested by authorized public institutions and organizations, or to fulfill relevant legal obligations during internal audit processes at İLHAN SARI.
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law, and the "Regulation on the Deletion, Destruction, and Anonymization of Personal Data" issued by the Board, even though personal data has been processed in accordance with relevant legal provisions, if the reasons requiring its processing cease to exist, personal data will be deleted, destroyed, or anonymized based on İLHAN SARI's own decision or upon the request of the personal data owner. İLHAN SARI has established a procedure in this regard in accordance with the provisions of the regulation and destroys data according to its nature in accordance with this policy. In accordance with this regulation, İLHAN SARI has determined periodic destruction dates, and a calendar has been created for periodic destruction to be carried out at various intervals starting from the commencement of the obligation.
İLHAN SARI informs the personal data owner of their rights in accordance with Article 10 of the KVK Law and guides the personal data owner on how to exercise these rights regulated in Article 11. İLHAN SARI implements the necessary channels, internal procedures, administrative and technical arrangements in accordance with Article 13 of the KVK Law for the evaluation of personal data owners' rights and for providing necessary information to personal data owners.
Personal data owners have the following rights: a. To learn whether personal data is processed.
To request information if personal data has been processed.
To learn the purpose of personal data processing and whether they are used in accordance with their purpose.
To know the third parties to whom personal data are transferred, both domestically and abroad.
To request the rectification of incomplete or inaccurate personal data and to request that the operation carried out in this context be notified to third parties to whom personal data has been transferred.
To request the deletion or destruction of personal data in the event that the reasons for its processing cease to exist, despite having been processed in accordance with the KVK Law and other relevant laws, and to request that the operation carried out in this context be notified to third parties to whom personal data has been transferred.
To object to a result against the person themselves by analyzing the processed data exclusively through automated systems.
To demand compensation for damages if personal data is processed unlawfully.
Personal data owners cannot assert the rights listed in 20.1.1 in the following cases, as they are excluded from the scope of the KVK Law pursuant to Article 28 of the KVK Law:
Processing personal data for purposes such as research, planning, and statistics by making them anonymous with official statistics.
Processing personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, or constitute a crime.
Processing personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law for national defense, national security, public security, public order, or economic security.
Processing personal data by judicial authorities or enforcement authorities concerning investigation, prosecution, judgment, or execution procedures.
Pursuant to Article 28/2 of the KVK Law; in the following cases, personal data owners cannot assert their other rights listed in 20.1.1, except for the right to demand compensation for damages:
When personal data processing is necessary for the prevention of crime or for criminal investigation.
When personal data made public by the personal data owner themselves is processed.
When personal data processing is necessary for the execution of auditing or regulatory duties or for disciplinary investigation or prosecution by public institutions and organizations and professional organizations with public institution status, which are authorized by law.
When personal data processing is necessary for the protection of the economic and financial interests of the State concerning budget, tax, and financial matters.
Personal data owners can submit their requests regarding their rights specified in this Policy to İLHAN SARI free of charge by filling out and signing the Application Form with information and documents that verify their identity and by using the methods specified below or other methods determined by the Personal Data Protection Board.
Filling out the form available at www.ilhansari.com and sending a wet-signed copy in person or by registered mail with return receipt to Mestanlı Köyü, Köprübaşı / MANİSA – TÜRKİYE, or by applying in person.
Filling out the form available at www.ilhansari.com and sending the form signed with a "secure electronic signature" within the scope of Law No. 5070 on Electronic Signature to kvkk@ilhansari.com via registered electronic mail, or by using a secure electronic signature, mobile signature, or an electronic mail address previously notified to İLHAN SARI by the relevant person and registered in İLHAN SARI's system, or by applying via a software or application developed for the purpose of the application to kvkk@ilhansari.com.
Making the application through official channels via a notary public.
For an application to be considered valid, in accordance with the Communiqué on the Procedures and Principles for Applications to the Data Controller, the application must include the following information of the data subject: a) Name, surname, and signature if the application is written,
For Turkish citizens, T.R. ID number; for foreigners, nationality, passport number, or ID number if available,
Residential or business address for notification purposes,
Electronic mail address, phone, and fax number for notification purposes, if any,
Subject of the request.
Otherwise, the application will not be considered a valid application. For applications made without filling out the application form, the matters listed here must be fully communicated to İLHAN SARI.
For third parties to make an application request on behalf of personal data owners, a special power of attorney issued by a notary public on behalf of the person making the application must be available.
The basic policies, procedures, and instructions that have been/will be drafted regarding the protection and processing of personal data, which are related to the principles set forth by İLHAN SARI in this Policy, have been linked to this Policy. By establishing a connection between these policies, procedures, and instructions and the main processes carried out by İLHAN SARI in other areas, consistency is ensured between processes operated by İLHAN SARI with similar purposes but different policy principles.
İLHAN SARI has established a management structure to ensure compliance with KVK Law regulations and the implementation of the Personal Data Protection and Processing Policy.
Within İLHAN SARI, a "Personal Data Protection Board" has been formed by a decision of the Company's senior management to manage this Policy and other policies linked and related to it.
The Board consists of the units with the titles, roles in business units, and job descriptions listed below, and the Board's duties are generally as follows:
| Unit/Title | Job Description | | FIN FINANCE MANAGER | Responsible for convening the Board, implementing and carrying out the policies, providing secretarial services, informing the Board of Directors about the process, following up with the Personal Data Protection Board, following up on Board Decisions, implementing and managing the processes. Representing the Company before the Board. | | IT RESPONSIBLE | Responsible for establishing, monitoring, implementing, destroying, and anonymizing information systems, creating necessary mechanisms for domestic and international transfer, ensuring data security, proposing and implementing data security systems. | | HUMAN RESOURCES RESPONSIBLE | The Human Resources Responsible is responsible for carrying out and planning İLHAN SARI's human resources operations, executing policies in accordance with their duties, and appropriately protecting personal data. | | QUALITY ASSURANCE RESPONSIBLE | Responsible for preparing, developing, executing, publishing, and updating the Policies in relevant environments. |
The duties of the Personal Data Protection Board regarding the protection of personal data are specified below:
To prepare and implement basic policies regarding the protection and processing of personal data and their amendments when necessary, and to submit them for the approval of the senior management.
To decide how the implementation and supervision of policies regarding the protection and processing of personal data will be carried out and to submit to the senior management for approval the assignment of internal duties and the ensuring of coordination within this framework.
To identify matters that need to be done to ensure compliance with the KVK Law and relevant legislation and to submit them for the approval of the senior management, to oversee their implementation, and to ensure coordination.
To increase awareness within İLHAN SARI and among institutions with which İLHAN SARI collaborates regarding the protection and processing of personal data.
To identify risks that may arise in İLHAN SARI's personal data processing activities and ensure that necessary measures are taken, and to submit improvement proposals for the approval of the senior management.
To ensure that trainings are organized to inform personal data owners about personal data processing activities and legal rights concerning the protection of personal data and the implementation and dissemination of policies.
To finalize personal data owners' applications at the highest level.
To follow developments and regulations regarding personal data protection, and to receive suggestions on what needs to be done within İLHAN SARI in accordance with these developments and regulations.
To carry out relations with the KVK Board and Institution.
To perform other duties assigned by the Company's senior management regarding personal data protection.
This Policy may be revised by the Company when deemed necessary. In cases of revision, the most current version of the Policy will be published on the Company's website.
Revision Date: 01.01.2020 İLHAN SARI ORGANİK ZEYTİN ÇİFTLİĞİ Mestanlı Köyü, Köprübaşı / MANİSA - TÜRKİYE MersisNo: 1342386104200026
Explicit Consent: Consent that relates to a specific matter, is based on information, and is declared with free will.
Anonymization: The process of changing personal data in such a way that it loses its personal data characteristic and cannot be reversed. E.g.: Making personal data unassociable with a real person through techniques such as masking, aggregation, data corruption, etc.
Application Form: The "Application Form for Applications to be Made to the Data Controller by the Data Subject (Personal Data Owner) in Accordance with the Law on the Protection of Personal Data No. 6698" which contains the application that personal data owners will make to exercise their rights.
Employee Candidate: Real persons who have applied for a job at İLHAN SARI by any means or have made their CV and related information available.
Employees, Shareholders, and Officials of Collaborating Institutions: Real persons, including employees, shareholders, and officials of institutions with which İLHAN SARI has all kinds of business relationships (such as, but not limited to, business partners, suppliers).
Business Partner: Parties with whom İLHAN SARI establishes business partnerships for purposes such as carrying out various projects or obtaining services, either directly or together with Group Companies, while conducting its commercial activities.
Personal Data Processing: Any operation performed upon personal data, wholly or partly by automatic means, or otherwise than by automatic means, which forms part of a data recording system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data.
Personal Data Owner: The real person whose personal data is processed. For example; customer, personnel.
Personal Data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information relating to legal persons is not within the scope of the Law. For example; name-surname, TR ID number, e-mail, address, date of birth, credit card number, etc.
Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Supplier: Parties that provide services to İLHAN SARI on a contract basis, in accordance with İLHAN SARI’s commands and instructions, while İLHAN SARI conducts its commercial activities.
Third Person: Real persons whose personal data are processed within the scope of the Policy and who are not defined otherwise within the Policy (e.g., family members, former employees).
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, suppliers, legal advisors, cloud computing companies that store İLHAN SARI's data.
Data Controller: The person who determines the purposes and means of processing personal data, and who manages the place where the data is systematically kept (data recording system). Within the scope of this policy, İLHAN SARI ORGANİK ZEYTİN ÇİFTLİĞİ is the data controller.
Deletion of Data: Refers to the situation where all relevant users within the Company are prevented from accessing personal data by encryption, and only the data protection officer has this password.
Destruction of Data: Refers to the situation where personal data is completely and irrevocably eliminated physically or by technological methods.
Visitor: Real persons who have entered İLHAN SARI's physical premises for various purposes or have visited our websites.
