Quality and Food Safety Policy

As FURİSAN GIDA, in all our activities, we aim to:

  • Satisfy customer expectations at the highest level regarding product and service quality,
  • Ensure compliance with the Turkish Food Codex and all other relevant legal and regulatory requirements,
  • Prevent and manage potential food safety hazards,
  • Effectively monitor, control, and maintain the integrity of foods,
  • Continuously develop and promote food safety and quality culture,
  • Find ideal solutions for the prevention, reduction, and recovery of food loss and waste, adopting a production approach that values the environment by generating less waste,
  • Produce high-quality, efficient, and timely products by keeping up with technological developments,
  • Bear the responsibility of being a recognized and strong brand in the industry as Furisan Gıda,
  • Ensure the continuous improvement, development, and effectiveness of occupational health, safety, and environmental sensitivity along with the FSSC 22000 Food Safety Management System.

This is our Quality and Food Safety Policy.

Employee Information Notice on the Protection of Personal Data

As the data controller, FURİSAN GIDA SANAYİ VE TİCARET LİMİTED ŞİRKETİ (Address: Kale Mah. Kılıçlar Cad. No: 4-6 Kestel / BURSA, Tel: (0224) 372 07, Website: furisan.com, Email: furisan@furisan.com, MERSIS No: 0388011439500013) has prepared this information notice to inform employees about the processing of their personal data in accordance with the Law No. 6698 on the Protection of Personal Data (referred to as "KVKK" or "Law") and the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform (referred to as "Communiqué").

This Information Notice can also be accessed from the "KVKK" section on our website at furisan.com.

1. FUNDAMENTAL CONCEPTS IN THE LAW

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, whether wholly or partially by automatic means, or by non-automatic means which form part of a data filing system, such as collecting, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data.

Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data and is responsible for establishing and managing the data filing system. Within the scope of this text, the data controller is Furisan Gıda San. ve Tic. Ltd. Şti., located at Kale Mah. Kılıçlar Cad. No: 4-6 Kestel / BURSA.

Data Filing System (VERBİS): The system where personal data are processed by being structured according to specific criteria.

Explicit Consent: Consent given for a specific matter, based on information and expressed with free will.

Board: Refers to the Personal Data Protection Board.

2. PERSONAL DATA OF EMPLOYEES

Personal data of employees may be processed by our company in accordance with the purposes and processing conditions specified in this text. The personal data in question will be processed:

  • In compliance with the law and the principles of honesty,
  • By ensuring that the personal data are accurate and up-to-date as reported to us,
  • For specific, clear, and legitimate purposes,
  • In a relevant, limited, and proportionate manner to the purposes for which they will be processed,
  • Retained for the period required by the relevant legislation or for the purpose for which they are processed.

Personal data subject to processing are as follows:

a. Identity Data: Name, surname, mother and father's name, date and place of birth, Turkish ID number, gender, marital status, ID card serial number, nationality, passport information (for foreign employee identification), job and title information, family relatives information.

b. Contact Data: Telephone number, email address, address information, internal communication information (company phone number, internal phone number, corporate email address, registered email address).

c. Financial Data: Bank IBAN number, payrolls, file and debt information related to enforcement tracking files.

d. Professional Experience and Education Data: Educational status, in-service training information, certificate and diploma information, language skills, attended courses, education and skills, job experience, transcript information.

e. Visual and Auditory Data: Photograph, camera recordings of the natural person.

f. Special Categories of Personal Data: Health reports and data required due to the nature of the job, blood type data, criminal record/conviction status, disability status/description/percentage, health and maternity leave documents, information on used devices and prostheses, job entry health report, lung radiograph, hearing test, eye test, job entry and periodic examination forms signed by the workplace physician, pregnancy status, pregnancy report.

g. Personnel Data: Payroll information, disciplinary investigation, job entry-exit records, CV information, performance evaluation reports, insurance information, leave departure and return dates, military service status information, department and unit.

h. Legal Process Data: Correspondence information with judicial authorities, information in case files.

i. Other Data: IP address information on corporate computers, internet site entry-exit records on corporate computers, handwritten and signature, request - complaint information, driver's license information, CV and word, excel, presentation files attached to the CV.

3. PURPOSES AND CONDITIONS OF PROCESSING YOUR PERSONAL DATA

In accordance with Article 10 of the KVKK and Article 5 of the Communiqué, the personal data of employees can be processed for the following purposes:

Identity and contact data, financial data, professional education and experience data, visual and auditory records, personnel and legal process data, and special categories of personal data related to occupational health and safety legislation;

  • For the performance of service agreements and legal obligations, fulfillment of employer responsibilities, ensuring job security, managing, auditing, and improving work processes, and evaluating suggestions for improvement.

Identity, contact, financial, legal process, and personnel data;

  • For informing about changes in service conditions, resolving employee complaints, and processing data access or correction requests.

Identity, contact, legal process, financial, personnel, and “other data” categories;

  • For organizing all records and documents that will form the basis of processing in electronic (internet/mobile, etc.) or physical environments.

Identity and contact data, financial data, professional education and experience data, visual and auditory records, personnel and legal process data, and special categories of personal data related to occupational health and safety legislation;

  • For carrying out the processes of establishing and executing contracts under the Labor Law and other legislation, explicitly stipulated by laws, exercising rights arising from the current legislation, fulfilling legal obligations in response to judicial and administrative investigations, making payments related to employees' wage garnishments in enforcement files, carrying out processes for employee benefits and rights, fulfilling obligations arising from the employment contract and legislation, conducting training activities aimed at employee satisfaction.

For the legitimate interests of our company; conducting training activities for employees, managing work activities and occupational health and safety activities, carrying out assignment processes and internal audit activities, conducting performance evaluation processes, providing information to authorized persons, institutions, and organizations, managing emergency situations and communication activities, conducting accounting and financial affairs, conducting information security processes, storage and archiving activities, controlling entries and exits to ensure workplace security and physical space security.

4. METHOD AND LEGAL BASIS OF COLLECTING YOUR PERSONAL DATA

Personal data may be obtained directly from the data subject, from third parties, and from legal authorities during the establishment of a legal relationship. In this context, personal data can be collected through written or verbal communication channels, electronic mail, application forms, and other tools, and in written, verbal, or electronic environments. Personal data may be collected to ensure that employers fulfill their obligations under the Labor and Social Security Laws and other legislation accurately and completely.

According to Article 5 of the KVKK, personal data cannot be processed without the explicit consent of the relevant person. The law specifies cases where explicit consent is not required as exceptions. Personal data may be processed by our company without explicit consent in cases where there is an explicit provision in the law, the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract, it is necessary to fulfill a legal obligation, the personal data have been made public by the relevant person, it is necessary for the establishment, exercise, or protection of a right, or the processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

5. TO WHOM AND FOR WHAT PURPOSE YOUR PERSONAL DATA CAN BE TRANSFERRED

Your personal data may be transferred to the following persons and entities within the framework of the data transfer and processing conditions specified in Articles 8 and 9 of the Law, ensuring adequate and effective precautions, to ensure the realization of the purposes mentioned above and in accordance with the security and confidentiality principles stipulated by the legislation;

  • To storage, mail (e.g., Gmail) archiving, IT support companies (server, hosting, program, email system, cloud computing: if the infrastructure storage and data systems of such programs and software are kept abroad), legally authorized public institutions and private legal entities, and other relevant persons.

For conducting payroll and personnel affairs and updating the relevant data, data can be processed in the accounting program, where they are stored in the program's own data record environment.

To fulfill the requirements under the Banking Legislation, especially for individual pension fund deductions (BES), salary accounts, financial transactions, and other side payments, data can be shared with banks.

To ensure the processing of health data for treatment and health checks, data can be shared with the workplace physician and the necessary laboratories and healthcare institutions.

For audit activities, data can be shared with company auditors.

To fulfill legal obligations, especially to exercise our right of defense, data can be shared with our lawyers and with judicial authorities, provided that it complies with legal procedures, to fulfill court orders or legal requests.

For the management of our company, the conduct of business and transactions, the implementation of company policies, and to ensure the internal operation of our company, data can be shared with domestic and international business partners, suppliers, shareholders, authorized dealers, public institutions, and private organizations.

For necessary purposes such as security, training, audit, event and organization, transportation, vehicle supply, business card printing, etc., relevant data can be transferred to the service-providing company.

6. RETENTION PERIOD OF YOUR PERSONAL DATA

In accordance with the provisions of the KVKK, personal data processed for the purposes specified in this “Information Notice on the Processing of Personal Data” will be deleted, destroyed, or anonymized when the purpose for processing them ceases to exist and/or when the statute of limitations for the processing of data required by the relevant legislation expires, taking into account the Personal Data Retention and Destruction Policy.

7. RIGHTS

Subject to the exceptions set forth in Article 28 of the KVKK titled "Exceptions" and other relevant exceptions, you have the right to apply to Furisan Gıda San. ve Tic. Ltd. Şti. and to request;

  • To learn whether your personal data are being processed,
  • To request information regarding the processing if your personal data have been processed,
  • To learn the purpose of processing your personal data and whether they are being used appropriately,
  • To learn the third parties in Turkey or abroad to whom your personal data have been transferred,
  • To request the rectification of your personal data if they are incomplete or inaccurately processed,
  • To request the erasure or destruction of your personal data under the conditions stipulated in the relevant legislation,
  • To request the notification of the transactions made in this context to third parties to whom your personal data have been transferred,
  • To object to the processing of your personal data, exclusively by automatic means, that has an adverse effect on you,
  • To request compensation for the damage arising from the unlawful processing of your personal data.

You can submit your requests regarding your personal data via furisan@hs01.kep.tr or in writing and signed to the address of our company mentioned above. You can access the "Application Form for Data Subject" and detailed information from the "KVKK" section at furisan.com.

Employee Candidate/Intern Information Notice on the Protection of Personal Data

As the data controller, FURİSAN GIDA SANAYİ VE TİCARET LİMİTED ŞİRKETİ (Address: Kale Mah. Kılıçlar Cad. No:4-6 Kestel / BURSA, Tel: (0224) 372 07, Website: furisan.com, Email: furisan@furisan.com, MERSIS No: 0388011439500013) has prepared this information notice to inform employee candidates and interns about the processing of their personal data in accordance with the Law No. 6698 on the Protection of Personal Data (referred to as "KVKK" or "Law") and the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform (referred to as "Communiqué").

This Information Notice can also be accessed from the "KVKK" section on our website at furisan.com.

1. FUNDAMENTAL CONCEPTS IN THE LAW

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, whether wholly or partially by automatic means, or by non-automatic means which form part of a data filing system, such as collecting, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data.

Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data and is responsible for establishing and managing the data filing system. Within the scope of this text, the data controller is Furisan Gıda San. ve Tic. Ltd. Şti., located at Kale Mah. Kılıçlar Cad. No:4-6 Kestel / BURSA.

Data Filing System (VERBİS): The system where personal data are processed by being structured according to specific criteria.

Explicit Consent: Consent given for a specific matter, based on information and expressed with free will.

Board: Refers to the Personal Data Protection Board.

2. PERSONAL DATA OF EMPLOYEE CANDIDATES/INTERNS

Personal data of employee candidates and interns may be processed by our company in accordance with the purposes and processing conditions specified in this text. The personal data in question will be processed:

  • In compliance with the law and the principles of honesty,
  • By ensuring that the personal data are accurate and up-to-date as reported to us,
  • For specific, clear, and legitimate purposes,
  • In a relevant, limited, and proportionate manner to the purposes for which they will be processed,
  • Retained for the period required by the relevant legislation or for the purpose for which they are processed.

Personal data subject to processing are as follows:

a. Identity Data: Name-surname, date of birth (age information), gender.

b. Contact Data: Telephone number, email address, address information.

c. Visual and Auditory Data: Photograph in the resume, camera recordings.

d. Special Categories of Personal Data: Disability status and health data in the resume.

e. Education Data: Educational status, certificate and diploma information, language skills, education and skills, seminars and courses.

f. Work Experience Data: Total experience, working status and title, work experiences (company names, periods of employment, job descriptions).

g. Other Data: Driver's license information, hobbies, military status, reference information (name, surname, title, workplace, phone number, email address of the reference person) and word files attached to the CV.

3. METHOD AND LEGAL BASIS OF COLLECTING PERSONAL DATA

Personal data may be obtained directly from the data subject, third parties, and legal authorities during the establishment of a legal relationship or application. In this context, personal data can be collected through written or verbal communication channels, electronic mail, application forms on job application platforms, and other tools, and in written, verbal, or electronic environments. Visual data are collected from photo resumes and cameras placed for legitimate interests to ensure the company's security.

According to Article 5 of the KVKK, personal data cannot be processed without the explicit consent of the relevant person. The law specifies cases where explicit consent is not required as exceptions. Personal data may be processed by our company without explicit consent in cases where there is an explicit provision in the law, the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract, it is necessary to fulfill a legal obligation, the personal data have been made public by the relevant person, it is necessary for the establishment, exercise, or protection of a right, or the processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Personal data of employee candidates/interns are processed within the framework of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK, and in accordance with the principles and procedures stipulated by the relevant legislation to ensure the purposes specified in this Information Notice and to fulfill legal obligations.

4. PURPOSES OF PROCESSING YOUR PERSONAL DATA

In accordance with Article 10 of the KVKK and Article 5 of the Communiqué, personal data of employee candidates can be processed for the following purposes:

  • Recruiting new employees, reviewing candidates, and identifying new candidates to be recruited,
  • Verifying the data and information provided by contacting the references mentioned in the resumes,
  • Recording resume information to assess suitability for the applied position and for future reference,
  • Ensuring security within the company,
  • Managing the application processes of employee candidates,
  • Conducting employee candidate/intern/student selection and placement processes.

Your personal data will be retained for the maximum period specified in the relevant legislation or for the period required for the purposes for which they are processed, and in any case, for the legal statute of limitations.

5. TO WHOM AND FOR WHAT PURPOSE YOUR PERSONAL DATA CAN BE TRANSFERRED

Personal data obtained from employee candidates may be shared within the company solely for the purpose of evaluating the relevant department and verifying the suitability for the position.

6. RETENTION PERIOD OF YOUR PERSONAL DATA

In accordance with the provisions of the KVKK, personal data processed for the purposes specified in this “Information Notice on the Protection of Personal Data for Employee Candidates” will be stored in the personnel file if the recruitment takes place, and if the employment relationship is not established, it will be deleted, destroyed, or anonymized 6 months after the processing date, taking into account the Personal Data Retention and Destruction Policy.

7. RIGHTS

Subject to the exceptions set forth in Article 28 of the KVKK titled "Exceptions" and other relevant exceptions, you have the right to apply to Furisan Gıda San. ve Tic. Ltd. Şti. and to request:

  • To learn whether your personal data are being processed,
  • To request information regarding the processing if your personal data have been processed,
  • To learn the purpose of processing your personal data and whether they are being used appropriately,
  • To learn the third parties in Turkey or abroad to whom your personal data have been transferred,
  • To request the rectification of your personal data if they are incomplete or inaccurately processed,
  • To request the erasure or destruction of your personal data under the conditions stipulated in the relevant legislation,
  • To request the notification of the transactions made in this context to third parties to whom your personal data have been transferred,
  • To object to the processing of your personal data, exclusively by automatic means, that has an adverse effect on you,
  • To request compensation for the damage arising from the unlawful processing of your personal data.

You can submit your requests regarding your personal data via furisan@hs01.kep.tr or in writing and signed to the address of our company mentioned above. You can access the "Application Form for Data Subject" and detailed information from the "KVKK" section at furisan.com.

General Information Notice on the Protection of Personal Data

Furisan Gıda San. ve Tic. Ltd. Şti.
General Information Notice on the Protection of Personal Data

As FURİSAN GIDA SAN. VE TİC. LTD. ŞTİ. (Hereinafter referred to as “FURİSAN” or “COMPANY”), we highly value and carefully protect your personal data. In this context, we demonstrate all due diligence and take all necessary security measures to ensure that your personal data are processed and protected in accordance with the Personal Data Protection Law (“KVKK” or “Law”), secondary regulations, and decisions of the Personal Data Protection Board.

This Information Notice (“Information Notice”) has been prepared by “FURİSAN” as a “data controller” to inform you about the scope and types of personal data processing activities and to explain the collection methods, processing purposes, shared and transferred parties, legal reasons, and your rights regarding your personal data in accordance with Article 10 of the Personal Data Protection Law No. 6698 (“Law”) and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform (“Communiqué”). Our goal is to transparently inform you about the collection methods, processing purposes, shared and transferred parties, legal reasons, and your rights concerning your personal data in line with your satisfaction.

1. DATA CONTROLLER

Pursuant to the Personal Data Protection Law No. 6698, your personal data are collected and processed by “FURİSAN” as a data controller within the scope of the purposes and limited to the extent specified below and in accordance with the law and relevant legislation.

2. PURPOSES OF PROCESSING PERSONAL DATA

As “FURİSAN,” we collect personal data from our customers, potential customers, employees, employee candidates, representatives and employees of official institutions, business partners, and suppliers in the categories of “Identity Information, Contact Information, Customer Information, Customer Transaction Information, Health Information (limited to the purpose of collection and processing), Performance Information, Transaction Security Information, Legal Process and Compliance Information, Marketing and Sales Information,” including a very limited amount of special category personal data.

The collected personal data are processed for the following purposes:

  • To ensure the continuity of the products and services offered by our company, to improve product and service quality, to fulfill our obligations to you, to organize records and documents, and to comply with information retention, reporting, informing, tax, and other obligations stipulated by national and international legal regulations.
  • To carry out accounting transactions of our employees within our company.
  • To conduct recruitment processes.
  • To manage sales and marketing activities aimed at improving product and service quality.
  • To communicate with you regarding the necessary information about the products and services you receive and to fulfill information processing requirements, system structure, and information processing support services.
  • To ensure the security of physical spaces.
  • To measure and improve customer satisfaction, manage complaints, seek your opinions on new services and products, receive your problem/error notifications, provide you with information about products and services, and respond to your complaints and requests.
  • To communicate with you, receive your orders, process your payments, collaborate with third parties for logistics and product delivery.
  • To use your personal data in any product and service provided to you under the laws and relevant regulations governing the activities specified in the company's main contract, as disclosed to “FURİSAN.”
  • To comply with information retention, reporting, and informing obligations stipulated by official institutions, to fulfill the requirements of contracts, and to perform the legal obligations that “FURİSAN” is subject to regarding the use of these services.
  • To determine and implement “FURİSAN”'s commercial and business strategies, manage finance operations, communication, market research, and purchasing operations (request, offer, evaluation, order, budgeting, contract), manage company internal system and application operations, and handle legal operations.
  • To examine, evaluate, and respond to requests from official authorities or yourself.

3. TRANSFER OF PERSONAL DATA

Your collected personal data are transferred within the limits specified in the Law and the limitations provided by KVKK legislation for the purposes specified in Article 2 above:

  • To “FURİSAN”'s business partners, shareholders, and subsidiaries.
  • To persons or organizations permitted or directed by the provisions of the Tax Procedure Law, Social Security Institution Legislation, Occupational Health and Safety Legislation, Turkish Commercial Code, Turkish Code of Obligations, and other legislation.
  • To legally authorized public institutions and organizations, administrative and legal authorities, and relevant public authorities.
  • To foreign companies and subsidiaries, if necessary, in connection with the purchase and sale of products and services.
  • To natural or legal persons, program partner institutions and organizations, information processing and system security support service providers, institutions with which we have agreements for sending communications to our customers, and cargo companies that deliver orders to you, for the purposes of comparison, analysis, evaluation, advertising, and fulfillment of the above-mentioned purposes.

4. METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON

Your Personal Data are collected by fully or partially automated methods and by non-automated methods that are part of a data recording system; directly by you or by authorized persons acting on your behalf; through applications made on contracted websites, by FURİSAN headquarters and management personnel, institutions with which we provide/receive support services, and any real and/or legal persons with whom transactions are carried out under any legislation or contract, and directly through automated systems (our website, communication channels, social media accounts), verbally, in writing, or electronically, within the scope of the legal reasons specified in Articles 5 and 6 of the Law:

  • Explicitly stipulated in the laws,
  • Required for the company to fulfill its legal obligations,
  • Necessary for the establishment or performance of a contract,
  • Necessary for the legitimate interests of the company, provided that it does not harm your fundamental rights and freedoms,
  • Disclosed by you,
  • Necessary for the establishment, use, or protection of a right,
  • With your explicit consent.

5. RIGHTS OF THE PERSONAL DATA OWNER UNDER LAW NO. 6698

As personal data owners, if you submit your requests regarding your rights, as specified below, to “FURİSAN” using the methods set out below, “FURİSAN” will evaluate the request and finalize it within the shortest possible time and no later than thirty days. No fee will be charged for responses up to ten pages. A processing fee of 1 Turkish Lira will be charged for each page over ten pages. If the response to the application is provided in a recording medium such as a CD or flash memory, the fee to be requested by our company will not exceed the cost of the recording medium. Within this scope, personal data owners have the right to:

  • Learn whether personal data are processed or not,
  • Request information if personal data are processed,
  • Learn the purpose of processing personal data and whether they are used for their intended purpose,
  • Know the third parties to whom personal data are transferred, whether in Turkey or abroad,
  • Request the correction of personal data if they are incomplete or inaccurately processed and to request notification of the correction to third parties to whom personal data have been transferred,
  • Request the deletion or destruction of personal data if the reasons for processing no longer exist, despite being processed in accordance with the provisions of Law No. 6698 and other relevant laws, and to request notification of the deletion or destruction to third parties to whom personal data have been transferred,
  • Object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems,
  • Request compensation for damages arising from the unlawful processing of personal data.

To exercise your rights stipulated in Article 11 of KVKK and mentioned above, you can access detailed information and the request application form in the “KVKK” section of our website at furisan.com.

It is necessary to provide the information and documents that will allow identity verification completely and accurately to process your request. If the requested information and documents are not provided as required, there may be issues in conducting a full and qualified investigation based on your request by “FURİSAN.” In this case, “FURİSAN” declares that it reserves its legal rights. Therefore, your application must be sent in full, including the required information and documents, based on the nature of your request.

“FURİSAN” will conclude your application requests in accordance with Article 13 of KVKK within a maximum of 30 (thirty) days based on the nature of the request. If the process incurs a cost, the tariff determined by the Personal Data Protection Board will be applied. If your request is rejected, the reason(s) for the rejection will be communicated to you within a maximum of 30 (thirty) days.

Furisan Gıda San. ve Tic. Ltd. Şti.

Personal Data Protection and Processing Policy

Approval of Publication

Decision by the Board of Directors

Version No 1


1. Introduction:

1.1. Purpose of the Policy:

Furisan Gıda Sanayi ve Ticaret Limited Şirketi (hereinafter referred to as "FURİSAN"); commits to comply with the principles and rules brought by the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (“KVKK/Law”), and other related legislation, and to protect the rights of relevant individuals in line with the “Personal Data Protection and Processing Policy.” To achieve this, a written personal data protection policy and system have been adopted to be implemented and developed.

The purpose of the Personal Data Protection and Processing Policy is to ensure that FURİSAN creates and implements its standards in managing personal data; defines and supports organizational goals and obligations; establishes control mechanisms in line with FURİSAN's acceptable risk level; complies with the obligations it is subject to under international treaties, the Constitution, laws, contracts, and professional rules in the field of personal data protection; and best protects individuals' interests.

1.2. Scope of the Policy:

This policy has been prepared for FURİSAN and covers the services provided within the institution. The provisions of the policy include all information systems and sub-information, contracts, environments, physical areas, and all systems and arrangements produced for the processing of personal data in FURİSAN's fields of activity. This policy covers the board of directors of FURİSAN, all departments, directorates, employees of firms providing any service, interns, and contracted personnel. Any action violating KVKK or this policy is evaluated within the scope of relevant legislation and sanctions are applied accordingly.

Solution partners, public institutions, insurance companies, and all third parties working with FURİSAN who have access to or might access personal data are invited to read and comply with this policy. Third parties must ensure the protection of personal data with a system at least as robust and adequate as that of FURİSAN. A written confidentiality agreement covering the obligations related to the protection of personal data and the right to audit these obligations will be signed between third parties and FURİSAN. Third parties cannot access the personal data processed by FURİSAN without signing the confidentiality agreement. The Personal Data Protection and Processing Policy will ensure the sustainability of FURİSAN's data security principles.

1.3. Objective of the Policy:

The objective of this Policy is to establish the necessary systems to create awareness within the company regarding the lawful processing and protection of personal data and to ensure compliance with the legislation. Within this scope, the aim is to implement the regulations introduced by KVKK and related legislation.

1.4. Definitions and Abbreviations:

Company: Furisan Gıda Sanayi ve Ticaret Limited Şirketi (FURİSAN)

Explicit Consent: Consent given regarding a specific issue, based on information and free will, without any doubt, limited to the specified transaction.

Anonymization: Rendering personal data in such a way that it can no longer be associated with an identified or identifiable person, even when matched with other data.

Employee: Company personnel.

Data Subject: The real person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable real person.

Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, taking over, making available, classification, or preventing its use, fully or partially by automated means or by non-automated means provided that it is part of a data recording system.

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

KVK Board: The Personal Data Protection Board.

KVK Compliance Process: The program implemented by FURİSAN to ensure compliance with the personal data protection legislation.

KVK Authority: The Personal Data Protection Authority.

KVKK: The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.

Policy: Furisan Gıda Sanayi ve Ticaret Limited Şirketi Personal Data Protection and Processing Policy.

Personal Data Retention and Destruction Policy: The "Furisan Personal Data Retention and Destruction Policy" is the basis for determining the maximum period required for the purposes of processing personal data and for deletion, destruction, and anonymization in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

Periodic Destruction: The deletion, destruction, or anonymization of personal data at recurring intervals if all the conditions for processing personal data in the law are eliminated.

Registered Electronic Mail (KEP): A system that protects commercial and legal correspondence and document sharing in the form sent, ensures the identity of the recipient, prevents content alteration, and makes the content legally valid and secure.

Data Controllers Registry Information System: The information system created and managed by the Presidency, which data controllers use for registry applications and other relevant processes.

VERBIS: Data Controllers Registry Information System.

1.5. Distribution of Duties Related to Personal Data:

Title: Distribution of Duties Related to the Protection of Personal Data

Position: Unit

Task:

Board of Directors: Members of the Furisan Board of Directors

  • Ensuring that business and operations are conducted in accordance with the company policy.

KVK Committee: Committee consisting of individuals designated by the company for the compliance process related to personal data protection

  • Responsible for preparing, developing, implementing, publishing, and updating the policy in relevant environments.

Department Heads: Human Resources, Accounting-Finance, Purchasing, Sales, Sales Support, Information Technology, Quality Assurance, Warehouse Unit

  • Responsible for implementing the policy in accordance with their duties and confidentiality agreements.

Contact Person: Person appointed by the data controller

  • Responsible for arranging and notifying the matters specified in the policy in compliance with the VERBIS system.

2. Matters Concerning the Protection of Personal Data:

2.1. Ensuring the Security of Personal Data:

All personnel and employees are obliged to ensure that the data processed by FURİSAN and under their responsibility are securely kept and not disclosed to third parties without signing a confidentiality agreement.

Only those who need access to personal data can access them. Information about individual access rights cannot be shared with third parties. Any incident related to information security of personal data is reported to the KVK Committee within the shortest time and no later than 72 hours after its determination. Additionally, the measures stated under the title "Actions to Be Taken in Case of Violation" in Article 12 of this policy are taken.

2.2. Environments Where Personal Data is Stored:

Electronic Environments:

  • Servers (Domain, backup, email, database, web, file sharing, etc.)
  • Software
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical disks (CD, DVD, etc.)
  • Removable memory (USB, memory card, etc.)
  • Printer, scanner, photocopier

Non-Electronic Environments:

  • Paper
  • Manual data recording systems (survey forms, visitor entry log)
  • Written, printed, visual media
  • Unit cabinets

2.3. Observing the Rights of the Data Subject:

Data subjects have the rights explicitly stated in Article 11 of the Law on the Protection of Personal Data and Article 1 of Section 11 of this policy concerning the data processing activities and records at FURİSAN. FURİSAN conducts its activities by observing all the rights of data subjects during the processing of personal data.

2.4. Increasing Awareness and Supervision of Departments on Personal Data Protection and Processing:

FURİSAN organizes necessary awareness training for its employees to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure the protection of data. Awareness posters are displayed within the premises to increase awareness in line with KVKK.

2.5. Increasing Awareness and Supervision of Business Partners and/or Suppliers on Personal Data Protection and Processing:

FURİSAN ensures that necessary documents are prepared to increase the awareness of business partners and/or suppliers to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure the protection of data. Additionally, confidentiality agreements are signed to ensure mutual awareness.

3. Principles and Rules to be Followed in Processing Personal Data:

3.1. Processing Personal Data in Compliance with the Principles Set Out in the Legislation:

Processing in Compliance with the Law and Rules of Honesty:

Personal data of data subjects are processed in compliance with the principles of lawfulness, transparency, and the obligation to inform within FURİSAN.

Ensuring Personal Data is Accurate and Up-to-Date When Necessary:

Necessary measures are taken in the data processing procedures to ensure that processed data is accurate and up-to-date. The data subject is provided with the opportunity to update their data and correct any errors in the processed data.

Processing for Specific, Explicit, and Legitimate Purposes:

Personal data are processed within the scope of clearly defined purposes by FURİSAN, based on legitimate purposes determined in line with the legislation and the normal course of commercial life.

Being Relevant, Limited, and Proportionate to the Purposes for which they are Processed:

Personal data are processed in a manner that is relevant, limited, and proportionate to the explicitly stated purposes. The processing of unrelated or unnecessary personal data is avoided. Therefore, unless required by law, special category personal data are not processed or, if necessary, explicit consent is obtained with related disclosures.

Retention for the Necessary Period for the Purpose for which they are Processed or as Prescribed by the Relevant Legislation:

The legislation requires the retention of personal data for a certain period. Therefore, personal data processed by FURİSAN are retained for the period prescribed by the relevant legislation or necessary for the purpose of processing. When the retention period prescribed by the legislation ends or the processing purpose ceases to exist, personal data are deleted, destroyed, or anonymized. The principles and processes related to retention periods are detailed in Article 4.3 of this policy.

3.2. Processing Personal Data Limited to the Conditions Set Out in Article 5 of KVKK:

Personal data are processed under the conditions set out in Article 5 of KVKK, such as:

  • Explicitly provided for by laws.
  • Necessary for the protection of life or physical integrity of the person or another person who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
  • Necessary for the performance of a contract to which the data subject is a party.
  • Necessary for the data controller to fulfill its legal obligation.
  • Data made public by the data subject.
  • Necessary for the establishment, exercise, or protection of a right.
  • Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Informing and Notifying the Data Subject:

When personal data are collected by FURİSAN, the data subjects are explicitly informed and notified in compliance with Article 10 of KVKK and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform. The information notices include:

  • The title, full address, and contact details of the company,
  • Personal data categories,
  • The purpose of processing personal data,
  • To whom and for what purposes processed personal data may be transferred,
  • The method and legal basis of collecting personal data,
  • The rights of the data subject as listed in Article 11 of KVKK.

The information notices are also available in the "KVKK" section of the https://furisan.com website.

3.4. Processing Special Categories of Personal Data:

Special categories of personal data are limited by law. These data are protected by taking the necessary administrative and technical measures required by the law and the KVK Board. Processing special categories of personal data without explicit consent is prohibited by law. Special categories of personal data, excluding those related to health and sexual life, may be processed without explicit consent in cases provided for by law. Personal data related to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

4. Classification, Processing Purposes, and Retention Periods of Personal Data Processed by FURİSAN:

4.1. Classification of Personal Data:

4.1.1. Personal Data:

Personal data are any information relating to an identified or identifiable real person. The protection of personal data only concerns real persons, and information related to legal entities without personal data is excluded from personal data protection. Therefore, this Policy does not apply to data related to legal entities.

Categories of Personal Data

Subcategories and Descriptions:

Identity:

Information such as name, surname, T.C. identification number, nationality information, mother's name, father's name, place of birth, date of birth, gender included in documents such as license, identity card, and passport, as well as tax number, SGK number, signature information, vehicle plate number, etc.

Contact:

Contact information such as phone number, address, email address, etc.

Personnel:

Payroll information, disciplinary investigation, employment entry-exit document records, resume information, performance evaluation reports, etc.

Legal Process:

Correspondence information with judicial authorities, information in case files.

Customer Transaction:

Invoice, promissory note, check information, request information, order information, etc., related to customers.

Physical Space Security:

Entry and exit records of employees and visitors, camera records.

Transaction Security:

Password and access information.

Finance:

Balance sheet information, asset information.

Professional Experience:

Diploma information, attended courses, in-service training information, transcript information, certificates.

Visual and Auditory Records:

Visual and auditory records.

Special Categories of Personal Data:

Data specified in Article 6 of KVKK (e.g., blood type, health data, including disability status, criminal record).

4.2. Purposes of Processing Personal Data:

As a company, we process personal data for the following purposes:

  • Emergency Management Processes
  • Information Security Processes
  • Employee Candidate / Intern / Student Application Processes
  • Employee Satisfaction and Loyalty Processes
  • Compliance with Obligations from Employment Contract and Legislation for Employees
  • Employee Benefits and Compensation Processes
  • Audit / Ethical Activities
  • Warehouse Management
  • Training Activities
  • Electronic Sales Processes
  • Access Authorization Processes
  • Conducting Activities in Compliance with the Legislation
  • Finance and Accounting Affairs
  • Conducting Loyalty Processes for Company / Product / Services
  • Ensuring Physical Space Security
  • Follow-up and Execution of Legal Affairs
  • Fulfillment of Legal Obligations
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting Business Activities / Supervision
  • Conducting Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Processes
  • Conducting Business Continuity Activities
  • Conducting Logistics Activities
  • Ensuring Quality Standards
  • Controlling Entrances and Exits to the Institution Building and Preventing Unauthorized Entries
  • Conducting Goods / Services Procurement Processes
  • Conducting Goods / Services Sales Processes
  • Conducting Goods / Services Production and Operation Processes
  • Conducting Customer Relationship Management Processes
  • Ensuring the Security of Property Resources
  • Increasing Reliability with Customers
  • Conducting Marketing Analysis Studies
  • Conducting Performance Evaluation Processes
  • Conducting Risk Management Processes
  • Conducting Retention and Archiving Activities
  • Conducting Purchasing Processes
  • Conducting Strategic Planning Activities
  • Conducting Contract Processes
  • Follow-up of Requests / Complaints
  • Ensuring the Security of Movable Property and Resources
  • Conducting Supply Chain and Relationship Management Processes
  • Conducting Wage Policy and Issuing Product Invoices
  • Conducting Marketing Processes of Products / Services
  • Providing Information to Authorized Persons, Institutions, and Organizations
  • Conducting Management Activities
  • Creating and Tracking Visitor Records

4.3. Retention Periods for Personal Data:

Personal data are retained for the period required for the purposes for which they are processed or as prescribed by the relevant legislation. The details of the retention and destruction periods are provided in the "Furisan Gıda Sanayi ve Ticaret Şirketi Retention and Destruction Policy," published on the official website.

If personal data are processed for multiple purposes, they will be deleted, destroyed, or anonymized when the purposes for processing no longer exist, or if the data subject requests deletion and there is no legal obstacle. The legal provisions and decisions of the KVK Board are followed in matters of deletion, destruction, or anonymization.

4.3.1. Measures Taken for the Retention of Personal Data:

4.3.1.1. Technical Measures:

The technical measures taken for the protection of personal data are listed below.

  • Network security and application security are ensured.
  • Closed system network is used for personal data transfers via the network.
  • Security measures within the scope of information technology systems procurement, development, and maintenance are taken.
  • An authority matrix is created for employees.
  • Corporate policies on access, information security, usage, retention, and destruction have been prepared and implemented.
  • Data masking is applied when necessary.
  • The access rights of employees who have changed positions or left the company are removed.
  • Up-to-date antivirus systems are used.
  • Firewalls are used.
  • Personal data are backed up and the security of backed-up personal data is also ensured.
  • User account management and authorization control system are implemented and monitored.
  • Periodic and/or random internal audits are conducted and outsourced.
  • Log records are kept in a way that cannot be altered by users.
  • Attack detection and prevention systems are used.
  • Cybersecurity measures are taken and their implementation is monitored.
  • Encryption is applied.
  • Data processors are periodically audited for data security.
  • Data processors are made aware of data security.

4.3.1.2. Administrative Measures:

The administrative measures taken for the protection of personal data are listed below.

  • Information Notices (Employee, Employee Candidate/Intern, Camera Systems) and Explicit Consent Notices have been prepared.
  • There are disciplinary regulations containing data security provisions for employees.
  • Periodic training and awareness activities are conducted for employees on data security.
  • Departmental Access Rights have been arranged.
  • Training was provided to protect certain personal data.
  • Confidentiality commitments are made.
  • Signed contracts contain data security provisions.
  • Camera Information Notices are posted in areas with cameras.
  • Employees are informed about the technical and administrative risks related to the retention of personal data, and a personal data processing inventory is prepared.
  • Personal Data Protection Committee was established.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are promptly reported.
  • Personal data security is monitored.
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.
  • Security against external risks (fire, flood, etc.) is ensured for environments containing personal data.
  • Security of environments containing personal data is ensured.
  • Personal data are minimized as much as possible.
  • Protocols and procedures for the security of special categories of personal data have been determined and implemented.
  • Contracts are aligned with KVKK.

5. Ensuring the Security of Personal Data:

5.1. Responsibilities Regarding the Security of Personal Data:

Technological capabilities and application costs are taken into account by FURİSAN in ensuring the following aspects for personal data:

  • Prevention of unlawful processing of personal data,
  • Prevention of unlawful access to personal data,
  • Ensuring the lawful retention of personal data.

5.2. Measures Taken to Prevent Unlawful Processing of Personal Data:

  • Random and/or periodic internal audits are conducted.
  • Periodic awareness training is provided to employees on the protection of personal data.
  • The activities carried out by the company are evaluated in detail for all departments, and personal data is processed specifically for the activities of the relevant units based on the evaluations.
  • When collaborating with third parties for personal data processing, the contracts include provisions requiring the third parties to take necessary administrative and technical measures for data security.
  • If personal data are unlawfully disclosed or a data breach occurs, the situation is reported to the KVK Board within 72 hours, and necessary examinations and measures are taken.

5.2.1. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data:

To prevent unlawful access to personal data:

  • Technical measures are periodically updated and renewed.
  • Access authorization procedures are established within the company.
  • Procedures for reporting technical measures and audit processes are determined.
  • Data recording systems used within the company are created in compliance with the legislation and periodically audited.
  • Employees receive training and information on access and authorization to personal data.
  • Confidentiality agreements are made when collaborating with third parties for personal data processing.
  • Technological advancements are utilized to establish security systems to prevent unlawful access to personal data.

5.2.2. Measures Taken in Case of Unlawful Disclosure of Personal Data:

Administrative and technical measures are taken, and related procedures are updated to prevent unlawful disclosure of personal data. If it is determined that personal data have been disclosed without authorization, systems and infrastructure are established to notify the data subject and the KVK Board of the situation.

In the event of an unlawful disclosure, the KVK Board may, if deemed necessary, announce the situation on its website or notify the data subject directly.

6. Groups of Persons Whose Personal Data Are Processed by FURİSAN:

Personal data processed by FURİSAN belong to the following groups of persons:

  • Employees
  • Employee Candidates / Interns
  • Private Law Persons Receiving Services
  • Potential Product or Service Recipients
  • Suppliers / Supplier Employees
  • Customers and Their Authorized Representatives
  • Members of the Board of Directors
  • Visitors

7. Processing of Personal Data and Special Categories of Personal Data:

7.1. Processing of Personal Data:

According to the Law on the Protection of Personal Data No. 6698, "Personal Data Cannot Be Processed Without the Explicit Consent of the Data Subject." However, personal data can be processed without the data subject's consent under the following conditions:

  • It is explicitly provided for by law.
  • It is necessary to protect the life or physical integrity of the data subject or another person who cannot express consent due to actual impossibility or whose consent is not legally valid.
  • It is necessary for the establishment or performance of a contract to which the data subject is a party.
  • It is necessary for the data controller to fulfill its legal obligations.
  • The data subject has made the data public.
  • It is necessary for the establishment, exercise, or protection of a right.
  • It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

7.2. Processing of Special Categories of Personal Data:

Special categories of personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data) cannot be processed without the explicit consent of the data subject. Special categories of personal data, excluding those related to health and sexual life, may be processed without explicit consent in cases provided for by law. Personal data related to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

8. Third Parties to Whom Personal Data Processed by FURİSAN are Transferred and the Purposes of Transfer:

Purposes of Transferring Personal Data are as follows:

  • Conducting activities,
  • Providing support services to customers within the scope of the contract and service standards,
  • Determining the preferences and needs of customers and shaping and updating the provided service accordingly,
  • Fulfilling legal obligations as required or mandated by legal regulations,
  • Conducting market research and statistical studies,
  • Evaluating job applications,
  • Maintaining contact with individuals with whom the company has business relationships,
  • Managing marketing processes,
  • Managing seller/supplier relationships,
  • Completing legal reporting and invoicing processes.

8.1. Transfer of Personal Data:

8.1.1. Conditions for Transferring Personal Data Domestically:

FURİSAN acts in compliance with the provisions of KVKK and the decisions and regulations of the KVK Board regarding the transfer of personal data.

Unless provided by law, personal data and special categories of personal data are not transferred to other real or legal persons by FURİSAN without the explicit consent of the data subject.

In exceptional cases specified by the legislation, personal data may be transferred without the explicit consent of the data subject to administrative/judicial institutions or organizations authorized by the legislation within the limits specified by the legislation.

8.1.2. Conditions for Transferring Personal Data Abroad:

As a rule, personal data are not transferred abroad without the explicit consent of the data subject.

However, in exceptional cases, if one of the following conditions is met:

  • If the foreign country to which personal data will be transferred has adequate protection as declared by the KVK Board,
  • If there is no adequate protection in the foreign country where the personal data will be transferred, but both the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and the KVK Board grants permission, personal data may be transferred abroad without explicit consent.

8.1.2.1. Institutions and Organizations to Which Personal Data are Transferred:

Personal data may be transferred to the following institutions and organizations in accordance with the principles and conditions mentioned above:

  • Mediation Department,
  • Real persons or private law legal entities,
  • Shareholders,
  • Private law persons receiving services,
  • Public institutions and organizations authorized by law,
  • Business partners,
  • Social Security Institution,
  • Suppliers.

8.2. Transfer of Special Categories of Personal Data:

8.2.1. Conditions for Transferring Special Categories of Personal Data Domestically:

FURİSAN may transfer special categories of personal data obtained lawfully to third parties for processing purposes, provided that necessary administrative and technical measures are taken. In this regard, special categories of personal data can be transferred to third parties under the conditions specified in the above section and the conditions specified below.

Additionally, in exceptional cases specified by the legislation and the measures prescribed by the KVK Board, special categories of personal data related to health and sexual life can be transferred without explicit consent to persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

8.2.2. Conditions for Transferring Special Categories of Personal Data Abroad:

FURİSAN may transfer special categories of personal data to foreign countries with adequate protection or countries where the data controller in the foreign country guarantees adequate protection by taking necessary care and administrative and technical measures and the necessary measures prescribed by the Board.

Special categories of personal data can be transferred abroad under the following conditions:

  • If the data subject's explicit consent is obtained,
  • If the data subject's explicit consent is not obtained:
    • Special categories of personal data excluding those related to health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, criminal convictions, and security measures, as well as biometric and genetic data) can be processed in cases provided for by law,
    • Special categories of personal data related to health and sexual life can be processed without explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

9. Data Processing Activities for Workplace and Website Visitors:

9.1. Camera Surveillance Activities Conducted in the Workplace:

Camera surveillance activities are conducted in compliance with the principles of personal data protection to ensure the security of the workplace, employees, visitors, and customers.

Information notices about camera surveillance activities, the security of the data obtained, the retention period of the data obtained from the camera surveillance activities, and who can access this information and to whom it can be transferred are added to the layered information notices as determined by the KVK Board and displayed in all areas with camera systems.

9.2. Tracking Visitor Entry and Exit Records at the Workplace:

The company provides internet access to visitors upon request during their stay within the workplace to ensure security and for other purposes stated in this Policy. In this case, log records related to internet access are kept in compliance with the provisions of Law No. 5651 and the relevant legislation. These records are processed only if requested by authorized public institutions and organizations or during internal audits of the company to fulfill the legal obligations.

10. Conditions for Deleting, Destroying, and Anonymizing Personal Data:

According to Article 138 of the Turkish Penal Code, Article 7 of the KVK Law, and the "Regulation on the Deletion, Destruction, and Anonymization of Personal Data," personal data that have been processed in compliance with the law but whose processing purposes have ceased are deleted, destroyed, or anonymized by FURİSAN upon its decision or upon the request of the data subject. FURİSAN has established a policy on this matter and performs deletion, destruction, or anonymization processes based on the nature of the data in accordance with this policy. FURİSAN has determined periodic destruction dates according to the Regulation, and a schedule has been established to perform periodic destruction at various intervals starting from the commencement of the obligation.

10.1. Obligation to Delete, Destroy, or Anonymize Personal Data:

According to Articles 5 and 6 of the KVKK, if all conditions for processing personal data no longer exist, personal data must be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject. In deleting, destroying, or anonymizing personal data, the general principles specified in Article 4 of the Law, the technical and administrative measures required by Article 12, relevant legal provisions, the decisions of the Board, and the personal data retention and destruction policy must be followed. The data controller is obliged to explain the methods applied for the deletion, destruction, or anonymization of personal data in its policies and procedures. In accordance with Article 7 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, FURİSAN has also created a Furisan Retention and Destruction Policy.

10.2. Techniques for Deleting, Destroying, and Anonymizing Personal Data:

10.2.1. Techniques for Deleting and Destroying Personal Data:

  • Physical Destruction
  • Secure Deletion Software
  • Secure Deletion by a Specialist

10.2.2. Techniques for Anonymizing Personal Data:

  • Masking
  • Aggregation
  • Data Derivation
  • Data Shuffling

11. Rights of the Data Subject; Exercise and Evaluation of These Rights:

11.1. Rights of the Data Subject and Exercise of These Rights:

Rights of the Data Subject:

Under the obligation to inform, FURİSAN informs the data subject and establishes systems and infrastructure for this purpose. The data subject is provided with necessary technical and administrative arrangements to exercise their rights over their personal data.

The data subject has the following rights over their personal data:

  • Learning whether personal data are processed,
  • Requesting information if personal data are processed,
  • Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom personal data are transferred in the country or abroad,
  • Requesting the correction of incomplete or inaccurate personal data,
  • Requesting the deletion or destruction of personal data in case the reasons requiring their processing disappear,
  • Requesting notification of the actions taken under subparagraphs (d) and (e) to third parties to whom personal data are transferred,
  • Objecting to a result that is detrimental to the data subject arising from the analysis of processed data exclusively by automated systems,
  • Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.

Procedure for Submitting a Request by the Data Subject:

The data subject can submit their requests regarding the above-mentioned rights to FURİSAN in accordance with the procedure specified in the "Communiqué on the Procedures and Principles of Application to the Data Controller."

Requests within the scope of the rights specified in Article 11 of the Personal Data Protection Law No. 6698 can be made by filling out the form available in the "KVKK" section at https://furisan.com/ and using one of the following methods:

Requests submitted to the company will be answered within 30 days from the date of receipt by the company, as stipulated in Article 13/2 of KVKK. Responses to the application will be delivered to the applicant in written or electronic form in accordance with Article 13 of KVKK.

APPLICATION METHOD

ADDRESS FOR APPLICATION

INFORMATION TO BE PROVIDED FOR APPLICATION

Personal Application (Applicant's visit with a document proving their identity)

Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA

Envelope must be labeled "Request for Information under the Personal Data Protection Law."

Notification via Notary

Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA

Envelope must be labeled "Request for Information under the Personal Data Protection Law."

Using a secure electronic signature

furisan@hs01.kep.tr

Email subject line must state "Request for Information under the Personal Data Protection Law."

Right of the Data Subject to Lodge a Complaint with the Personal Data Protection Board:

In case of rejection of the application, finding the response insufficient, or failure to respond within the specified time, the data subject has the right to lodge a complaint with the KVK Board within 30 days from the date of learning the response and within 60 days from the date of application.

11.2. Cases Where the Data Subject Cannot Exercise Their Rights:

Under Article 28/2 of KVKK, the data subjects cannot exercise their rights specified in Article 11 of the Law, except for the right to claim compensation, in the following cases:

  • Processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data is necessary for the protection of the life or physical integrity of the data subject or another person who is unable to give consent due to actual impossibility or whose consent is not legally valid.

12. Actions to Be Taken in Case of Violation:

If a violation occurs despite all technical and administrative measures taken by FURİSAN, the situation will be reported to the KVK Authority through the contact person as soon as possible and no later than 72 hours after learning of the violation. The same sensitivity will be shown to the data subjects who may be affected by the violation. The notification will be made to the data subject in a clear and plain language. This notification will include:

  • The date of the occurrence of the violation,
  • The categories of personal data affected by the violation (personal data / special category personal data distinction),
  • The possible consequences of the personal data breach,
  • Measures taken or suggested to mitigate the negative effects of the data breach,
  • Names and contact details of contact persons from whom data subjects can get information about the data breach.

13. FURİSAN Personal Data Protection and Processing Policy Management Structure:

A KVK Committee has been established by the decision of the Board of Directors to manage this policy and other related policies within FURİSAN.

The duties of this Committee related to the protection of personal data are listed below:

  • Preparing, developing, implementing, publishing, and updating the fundamental policies related to the protection and processing of personal data and submitting them to the Board of Directors for approval,
  • Deciding how to implement and supervise the policies related to the protection and processing of personal data and submitting these matters to the Board of Directors for approval and ensuring coordination within the company,
  • Identifying the necessary actions for compliance with the KVK Law and related legislation and submitting them to the Board of Directors for approval, overseeing and coordinating their implementation,
  • Increasing awareness within the company and among institutions collaborating with the company regarding the protection and processing of personal data,
  • Identifying the risks that may arise in FURİSAN's personal data processing activities and ensuring that necessary measures are taken, and submitting improvement suggestions to the Board of Directors for approval,
  • Ensuring that training is organized to inform the relevant persons about their rights and personal data processing activities,
  • Deciding on the applications of data subjects,
  • Following developments and regulations related to personal data protection and taking necessary measures within the company accordingly,
  • Managing relations with the KVK Board and Authority,
  • Executing other duties assigned by the Board of Directors related to the protection of personal data.

Furisan Gıda San. ve Tic. Ltd. Şti.

Personal Data Owner's Application Form to the Data Controller

GENERAL EXPLANATIONS:

Pursuant to the Personal Data Protection Law No. 6698 (“Law”), certain rights have been granted to personal data owners (“Data Subjects” hereinafter) regarding the processing of their personal data as specified in Article 11 of the Law. According to the first paragraph of Article 13 of the Law, applications regarding these rights must be submitted to our company, which is the data controller, in writing or by other methods determined by the Personal Data Protection Board (“Board”).

Within this framework, written applications to our company can be delivered by:

  1. The Data Subject applying in person
  2. Through a notary
  3. By signing with a “secure electronic signature” defined in the Electronic Signature Law No. 5070 and sending it to the company's registered electronic mail address

The information on how to deliver written applications is provided below:

APPLICATION METHOD ADDRESS TO APPLY INFORMATION TO BE SPECIFIED IN THE APPLICATION
In-Person Application (The applicant must apply in person with an identity document) Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA The envelope should be marked “Information Request under the Personal Data Protection Law”.
Notification via Notary Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA The notification envelope should be marked “Information Request under the Personal Data Protection Law”.
Using Secure Electronic Signature furisan@hs01.kep.tr The subject of the email should be “Information Request under the Personal Data Protection Law”.

Additionally, once other methods determined by the Board are announced, our company will inform how applications will be received via those methods. Applications delivered to us will be responded to within thirty (30) days from the date of receipt by the method described above, depending on the nature of the request, pursuant to Article 13/2 of the KVKK. Our responses will be sent in writing or electronically in accordance with Article 13 of the KVK Law.

Information to identify the applicant and to establish communication about their application:

NAME:
SURNAME:
T.R. ID NUMBER:
PHONE NUMBER:
EMAIL (Providing this will allow us to respond more quickly):
ADDRESS:

Please indicate your relationship with our company (Customer, Business Partner, Employee Candidate, Former Employee, Third Party Company Employee, Shareholder, etc.):

  • Customer
  • Visitor
  • Business Partner
  • Employee
  • Former employee
    Years of employment: _______________
  • Job application / CV sharing
    Date: _______________
  • Third-party company employee
    Please specify the company you work for and your position: _______________
  • Other: _______________

Please specify your request under the KVKK in detail:





Please select the method by which you wish to be notified of our response to your application:

  • I want it sent to my address.
  • I want it sent to my email address. (Selecting the email method will allow us to respond more quickly)
  • I want to collect it in person. (If collecting in person by proxy, a notarized power of attorney or authorization document is required.)

This application form has been prepared to determine your relationship with our company, to fully identify your personal data processed by our company if any, and to respond to your relevant application correctly and within the legal time frame. Our company reserves the right to request additional documents and information (such as a copy of your ID or driver’s license) to verify your identity and authority, to eliminate the legal risks that may arise from unlawful and unjust data sharing, and to ensure the security of your personal data. In case the information regarding your requests submitted within this form is not correct or up-to-date, or if an unauthorized application is made, our company does not accept liability for such incorrect information or unauthorized applications.

Applicant (Personal Data Owner)

Name Surname:
Application Date:
Signature:

 

SPECIAL CATEGORY PERSONAL DATA PROCESSING AND PROTECTION POLICY

TABLE OF CONTENTS

  1. Introduction
  2. Purpose of the Policy
  3. Scope of the Policy
  4. Definitions
  5. Protection of Special Category Personal Data
  6. Processing of Special Category Personal Data
  7. Purposes of Processing Special Category Personal Data
  8. Transfer of Special Category Personal Data
  9. Conditions for Transferring Special Category Personal Data 9.a. Conditions for Domestic Transfer of Special Category Personal Data 9.b. Conditions for International Transfer of Special Category Personal Data
  10. Retention and Disposal Periods for Special Category Personal Data 10.a. Retention Period for Special Category Personal Data 10.b. Disposal Period for Special Category Personal Data
  11. Periodic Disposal
  12. Security of Special Category Personal Data 12.a. Measures for Employees Involved in Processing Special Category Personal Data 12.b. Measures for Electronic Environments Where Special Category Personal Data is Processed, Stored, and/or Accessed 12.c. Measures for Physical Environments Where Special Category Personal Data is Processed, Stored, and/or Accessed 12.d. Measures for Transferring Special Category Personal Data
  13. Publication and Storage of the Policy
  14. Update Period of the Policy

Chapter One

Introduction, Purpose, Scope, and Definitions

1. Introduction:

Furisan Gıda San. ve Tic. Ltd. Şti. (“FURİSAN/Company”), acting as the data controller, attaches great importance to the lawful protection and processing of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”) and takes utmost care in all planning and activities. The Company meticulously takes all necessary administrative and technical measures to protect personal data. Special category personal data, given its nature and sensitivity, requires additional administrative and technical measures for its processing and protection beyond those applied to general personal data.

2. Purpose of the Policy:

The purpose of the “Special Category Personal Data Processing and Protection Policy” (“Policy”) is to ensure that FURİSAN, which aims to conduct all its activities in compliance with the law, takes necessary technical and administrative measures for the processing, protection, and security of special category personal data in accordance with the Constitution, the Personal Data Protection Law No. 6698, relevant legislation, and decisions of the Personal Data Protection Board, and to inform relevant persons by fulfilling its obligations regarding the special category personal data it holds as a data controller.

3. Scope of the Policy:

This Policy covers all real persons whose special category personal data is processed by FURİSAN, including company partners, shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, company customers' officials and employees, potential product or service buyers, supplier employees, supplier officials, visitors, consultants, and third parties, and the activities related to the processing, protection, and security of their special category personal data.

The Policy is applied to all recording environments where special category personal data is processed by FURİSAN, whether fully or partially automated or manually as part of any data recording system.

4. Definitions:

  • Explicit Consent: The consent given by the relevant person, based on being informed and freely given, for the processing of their personal data for a specific purpose.
  • Law: Personal Data Protection Law No. 6698.
  • Recording Medium: Any environment where personal data that is processed by fully or partially automated or non-automated means, as part of any data recording system, is kept.
  • Personal Data: Any information relating to an identified or identifiable real person.
  • Personal Data Owner/Relevant Person: The real person whose personal data is processed.
  • Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, taking over, making available, classification, or preventing the use of such data by fully or partially automated means or non-automated means provided that they are part of any data recording system.
  • Personal Data Processing Inventory: The inventory created by data controllers, explaining the personal data processing activities they carry out depending on their business processes, the purposes of processing personal data, the data category, the transferred recipient group, and the data subject group, and detailing the maximum retention period required for the purposes for which the personal data are processed, the personal data to be transferred to foreign countries, and the measures taken regarding data security.
  • Board: The Personal Data Protection Board.
  • Special Category Personal Data: Data related to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • Policy: This Policy.
  • Registry: The Data Controllers Registry kept by the Personal Data Protection Authority.
  • Company: Furisan Gıda San. ve Tic. Ltd. Şti.
  • Data Controller: The real or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.
  • VERBIS: Data Controllers Registry Information System.

The definitions not provided in the Policy should be interpreted as defined in the Law and relevant legislation.


Chapter Two

Protection, Processing, and Purposes of Processing Special Category Personal Data

5. Protection of Special Category Personal Data:

Special category personal data includes information about individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Because this data can cause discrimination or victimization if learned, FURİSAN takes additional administrative and technical measures to protect such data, beyond those applied to general personal data, and conducts necessary audits. Furthermore, activities are carried out in accordance with sufficient measures determined by the Board for the processing of special category personal data.

6. Processing of Special Category Personal Data:

The processing of special category personal data, as listed in the Law, is conducted in accordance with the general principles stated in the “Furisan Personal Data Processing and Protection Policy” and relevant legislation.

Within this scope, the processing of special category personal data without the explicit consent of the data subject is prohibited by law. However, special category personal data, excluding health and sexual life data, can be processed without explicit consent if specified by laws. Health and sexual life data can only be processed without explicit consent by persons under confidentiality obligation or authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing.

Furisan Gıda San. ve Tic. Ltd. Şti. ensures the security of special category personal data by taking necessary administrative and technical measures specified by the legislation and the Board, while conducting processing, protection, and security activities related to special category personal data.

7. Purposes of Processing Special Category Personal Data:

Special category personal data is processed in compliance with the principles specified in Article 4 of the Law and the procedures and principles stated in relevant legislation, in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Law. The special category personal data collected by FURİSAN through lawful methods is processed within the scope of business relations, products, services, or commercial activities or other relationships with relevant persons, for the purposes specified below and stored accordingly.

Purposes of processing special category personal data include:

  • Conducting Emergency Management Processes
  • Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
  • Conducting Employee Benefits and Rights Processes
  • Conducting Business Activities for Employees
  • Evaluating Employee Application Processes
  • Ensuring Compliance with Legislation
  • Planning Human Resources Activities
  • Conducting Occupational Health and Safety Activities
  • Providing Information to Authorized Persons, Institutions, and Organizations

Chapter Three

Transfer of Special Category Personal Data and Conditions

8. Transfer of Special Category Personal Data:

FURİSAN takes necessary measures with due care during the transfer processes of legally processed special category personal data, given that such data can cause discrimination or victimization of the relevant person if learned by others. In this context, FURİSAN can transfer special category personal data to third parties for processing purposes, by taking necessary administrative and technical measures in accordance with the legislation.

9. Conditions for Transferring Special Category Personal Data:

9.a. Conditions for Domestic Transfer of Special Category Personal Data:

FURİSAN can transfer special category personal data to third parties within the country for processing purposes, provided that the explicit consent of the relevant person is obtained and necessary administrative and technical measures are taken in accordance with the legislation. As a rule, special category personal data cannot be transferred to third parties within the country without the explicit consent of the data subject.

However, special category personal data excluding health and sexual life data can be transferred without explicit consent if specified by laws. Health and sexual life data can be transferred without explicit consent if one of the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing is present.

9.b. Conditions for International Transfer of Special Category Personal Data:

FURİSAN can transfer special category personal data abroad by taking necessary administrative and technical measures specified by the legislation and the Board, and ensuring sufficient protection, for legitimate and lawful data processing purposes. As a rule, special category personal data cannot be transferred abroad without explicit consent.

However, special category personal data excluding health and sexual life data can be transferred without explicit consent if specified by laws, and if the country receiving the data provides sufficient protection determined by the Board. If sufficient protection is not provided, personal data can be transferred abroad only if data controllers in Turkey and the foreign country guarantee sufficient protection in writing and the Board grants permission.

Health and sexual life data can be transferred without explicit consent if one of the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing is present, and if the country receiving the data provides sufficient protection determined by the Board. If sufficient protection is not provided, data can be transferred abroad only if data controllers guarantee sufficient protection in writing and the Board grants permission.


Chapter Four

Retention and Disposal Periods, Periodic Disposal of Special Category Personal Data

10. Retention and Disposal Periods for Special Category Personal Data:

10.a. Retention Period for Special Category Personal Data:

FURİSAN retains special category personal data for the duration specified by relevant legislation or as required for the purposes of processing. Initially, the retention period specified by relevant legislation is determined, and if a period is specified, special category personal data is retained for that duration. If no period is specified, special category personal data is retained for the necessary duration required for processing purposes. Once the determined retention periods expire, the method of disposal is determined, and special category personal data is deleted, destroyed, or anonymized.

Special Category Personal Data Retention Periods:

Data Subject Group Special Category Personal Data Retention Period
Employee Information on Disability Status Retained for 15 years from the termination of the employment contract (Regulation on Occupational Health and Safety Services, Article 7)
Employee Blood Group Information Retained for 10 years from the termination of the employment contract
Employee Personal Health Information (Health records, health reports, birth leave documents, etc.) Retained for 10 years from the termination of the employment contract
Employee Information on Used Devices and Prostheses Retained for 10 years from the termination of the employment contract
Employee Information on Criminal Convictions (Criminal record) Retained for 10 years from the termination of the employment contract

10.b. Disposal Period for Special Category Personal Data:

If no legal circumstances prevent the statute of limitations from being suspended or interrupted, FURİSAN deletes, destroys, or anonymizes special category personal data at the first periodic disposal process following the date when the obligation to delete, destroy, or anonymize arises, as specified in the Personal Data Processing Inventory and mentioned above.

If the data subject requests the anonymization, deletion, or destruction of their special category personal data pursuant to Article 13 of the Law, and if all conditions for processing special category personal data no longer exist, FURİSAN deletes, destroys, or anonymizes the special category personal data within 30 days from the date of receiving the request and informs the data subject accordingly. If all conditions for processing special category personal data no longer exist and the personal data has been transferred to third parties, this situation is communicated to the third party, and necessary actions are taken. If all conditions for processing special category personal data do not cease to exist, this request may be rejected by FURİSAN by explaining the reason in accordance with Article 13/3 of the Law, and the rejection is communicated to the data subject in writing or electronically within 30 days at the latest.

11. Periodic Disposal:

If all conditions for processing special category personal data cease to exist, FURİSAN deletes, destroys, or anonymizes the special category personal data through a periodic disposal process at six-month intervals, as specified in this Policy. Accordingly, Furisan Gıda San. ve Tic. Ltd. Şti. conducts periodic disposal processes every June and December.


Chapter Five

Security of Special Category Personal Data

12. Security of Special Category Personal Data:

FURİSAN takes necessary administrative and technical measures to securely store special category personal data, to prevent unlawful processing and access, and to ensure the lawful disposal of personal data in accordance with the obligations specified in Article 12 of the Law and the sufficient measures determined and announced by the Board for special category personal data under Article 6/4 of the Law. In this context, the technical and administrative measures taken by the Company are specified in the “Personal Data Processing and Protection Policy” and the “Personal Data Retention and Disposal Policy.” In addition to the measures stated in these policies, FURİSAN also takes the following measures in the processing, security, and protection of special category personal data.

12.a. Measures for Employees Involved in Processing Special Category Personal Data:

  • Training is provided to employees on the processing, security, protection, and storage of special category personal data and other data security issues.
  • Confidentiality agreements are signed with employees, and disciplinary procedures are applied.
  • The scope and duration of the authority of employees who have access to special category personal data are defined.
  • Periodic audits are conducted on authorities.
  • The authority of employees who change roles or leave the job is immediately revoked, and the assigned inventory, if any, is retrieved.

12.b. Measures for Electronic Environments Where Special Category Personal Data is Processed, Stored, and/or Accessed:

  • Security updates for the environments where data is stored are continuously monitored.
  • If the data is accessed via software, user authorizations for this software are managed, security tests are regularly performed or commissioned, and the test results are recorded.

12.c. Measures for Physical Environments Where Special Category Personal Data is Processed, Stored, and/or Accessed:

  • Physical environments (cabinets, archives, etc.) where special category personal data is stored are locked.
  • Adequate security measures are taken based on the nature of the environment (protection against electrical leakage, fire, flood, theft, etc.).
  • The physical security of these environments is ensured to prevent unauthorized access.

12.d. Measures for Transferring Special Category Personal Data:

  • If special category personal data needs to be transferred via email, these data are sent in an encrypted format using corporate email addresses or a Registered Electronic Mail (KEP) account.
  • If special category personal data needs to be transferred in paper format, necessary measures are taken against risks such as theft, loss, or viewing by unauthorized persons, and they are sent in a secure format.

Chapter Six

Other Provisions

13. Publication and Storage of the Policy:

The Policy is published in both wet-signed (printed paper) and electronic formats and made available to the public on the “KVKK” section of the https://furisan.com website. A printed copy is also kept in the file of the contact person.

14. Update Period of the Policy:

The Policy is reviewed when necessary, and the required sections are updated. Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are added to Table 2 below. Updates are also published on the https://furisan.com website. The update period is specified in Table 2:

Table 2: Update Period:

Update Date Scope of Changes
............. Preparation and publication of Furisan Gıda San. ve Tic. Ltd. Şti. Special Category Personal Data Processing and Protection Policy

The Policy is published indefinitely on the https://furisan.com website and can be directly provided to the relevant person upon request via text or access link sharing. If it is decided to repeal the Policy, the wet-signed old copies of this Policy will be signed and canceled by the relevant department and stored for 5 years.

PERSONAL DATA RETENTION AND DISPOSAL POLICY

Approval of Publication

Board of Directors Decision dated …………..

Policy Version

Version No: ………..

1. Introduction:

1.1. Purpose of the Policy:

This “Personal Data Retention and Disposal Policy” is prepared by Furisan Gıda Sanayi ve Ticaret Limited Şirketi (referred to as “FURİSAN/Company”) as the data controller, to determine the procedures and principles to be applied by FURİSAN for the retention, deletion, destruction, or anonymization of personal data held in accordance with the Personal Data Protection Law No. 6698 and other relevant legislation.

In this context, the personal data of employees, employee candidates, customers, visitors, and all real persons whose personal data is held by FURİSAN for any reason are managed in compliance with the “Furisan Personal Data Protection and Processing Policy” and this “Personal Data Retention and Disposal Policy.”

1.2. Scope of the Policy:

This policy covers all real persons whose personal data is processed by FURİSAN, including company shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, company customers' officials and employees, potential product or service buyers, supplier employees, supplier officials, visitors, consultants, and third parties.

FURİSAN publishes this policy in the “KVKK” section of https://furisan.com/ to fulfill its obligation under Article 16 of the Personal Data Protection Law and Article 5 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data and to inform these personal data owners.

This Policy applies to all recording environments where personal data is processed by FURİSAN, whether fully or partially automated or manually as part of any data recording system.

1.3. Definitions

  • Explicit Consent: The consent given by the relevant person, based on being informed and freely given, for the processing of their personal data for a specific purpose.
  • Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
  • Electronic Environment: Environments where personal data can be created, read, modified, and written via electronic devices.
  • Non-Electronic Environment: All written, printed, visual, etc., environments other than electronic environments.
  • Disposal: The deletion, destruction, or anonymization of personal data.
  • Law: The Personal Data Protection Law No. 6698.
  • Recording Medium: Any medium where personal data is processed fully or partially automatically or manually as part of any data recording system.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Personal Data Owner/Relevant Person: The natural person whose personal data is processed.
  • Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing its use.
  • Personal Data Processing Inventory: The inventory created by data controllers by associating their personal data processing activities with the purposes, data category, recipient group, and data subject group, explaining the maximum retention period required for the purposes for which personal data is processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security.
  • Anonymization of Personal Data: The process of making personal data impossible to link with an identified or identifiable natural person, even through matching with other data.
  • Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users.
  • Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable, and unusable by anyone.
  • Board: The Personal Data Protection Board.
  • Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress and clothing, association, foundation, or trade union membership, health, sexual life, criminal convictions, and security measures, and biometric and genetic data.
  • Periodic Disposal: The process of deleting, destroying, or anonymizing personal data to be carried out ex officio at repetitive intervals specified in the personal data retention and disposal policy when all conditions for processing personal data in the law are eliminated.
  • Personal Data Processing and Protection Policy: The policy determining the procedures and principles for managing personal data held by FURİSAN, accessible through the “KVKK” section of https://furisan.com/.
  • Registry: The data controllers registry maintained by the Personal Data Protection Authority.
  • Company: Furisan Gıda Sanayi ve Ticaret Limited Şirketi (referred to as “FURİSAN” or “Company”).
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
  • Data Recording System: The recording system where personal data is processed by structuring according to certain criteria.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  • VERBIS: Data Controllers Registry Information System.
  • Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017. Definitions not included in this Policy are subject to the definitions in the Law and the Regulation.

2. Recording Environments:

Personal data is securely stored by FURİSAN in the environments specified below in compliance with the law.

Table 1: Recording Environments

Electronic Environments Non-Electronic Environments
Network devices Archive
Shared/unshared disk drives used for data storage on the network Paper
Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.) Manual Data Recording Systems (survey forms)
Removable Disks (USB, Memory Card, etc.) Written, printed, visual environments
Personal Computers (Desktop, Laptop) Unit cabinets
Mobile Devices (phone, tablet, etc.)  
Optical Disks (CD, DVD, etc.)  
Servers (Domain, backup, email, database, web, file sharing, etc.)  
Printers, scanners, photocopiers  

3. Explanations on Retention and Disposal:

Personal data of company shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, customer candidates, customer officials and employees, potential product or service buyers, suppliers, supplier employees, supplier officials, visitors, consultants, and third parties, business partners, persons receiving products or services, and all real persons whose personal data is held by FURİSAN for any reason are processed, retained, and disposed of in accordance with the procedures and principles set out in the law, regulations, and relevant legislation.

The explanations regarding retention and disposal are given below.

3.1. Explanations on Retention:

Article 3 of the KVKK defines the concept of processing personal data, and Article 4 states that personal data must be processed in connection with, limited to, and proportionate to the purposes for which they are processed, and must be retained for the period required by the relevant legislation or for the purpose for which they are processed. Articles 5 and 6 enumerate the conditions for processing personal data. Accordingly, personal data is retained by FURİSAN for the period specified in the relevant legislation or for the period required for the purposes for which they are processed.

3.1.1. Legal Reasons for Retention:

Personal data processed within the scope of FURİSAN's activities are retained for the period specified in the relevant legislation. Personal data can be processed based on the following legal reasons specified in Articles 5 and 6 of the KVKK.

  • Explicit consent of the data subject.
  • Clearly provided for by the laws (Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Law on the Protection of Consumers No. 6502, Banking Law No. 5411, Regulation on Employment of Disabled Persons, Ex-Convicts, and Terror Victims, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Regulation on Internet Collective Use Providers, Enforcement and Bankruptcy Law No. 2004, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Regulation on Occupational Health and Safety Services, Labor Law No. 4857, Law on the Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publications No. 5651, Law on the Regulation of Electronic Commerce No. 6563, International Labor Force Law No. 6735, Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions, Regulation on Archive Services, and other regulations in force under these laws).
  • The necessity to protect the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid.
  • The necessity to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
  • The necessity to fulfill a legal obligation of the data controller.
  • The personal data being made public by the data subject.
  • The necessity for the establishment, exercise, or protection of a right.
  • The necessity for processing personal data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.1.2. Purposes Requiring Retention:

FURİSAN retains personal data processed within the scope of its activities for the following purposes.

  • Conducting Emergency Management Processes
  • Conducting Information Security Processes
  • Conducting Employee Candidate / Intern / Student Application Processes
  • Conducting Employee Satisfaction and Loyalty Processes
  • Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
  • Conducting Benefits and Rights Processes for Employees
  • Conducting Audit / Ethical Activities
  • Ensuring Warehouse Management
  • Conducting Training Activities
  • Ensuring Compliance with Legislation
  • Conducting Financial and Accounting Affairs
  • Conducting Loyalty Processes for Company / Product / Services
  • Ensuring Physical Space Security
  • Conducting Assignment Processes
  • Following and Conducting Legal Affairs
  • Fulfilling Legal Obligations
  • Conducting Internal Audit/Investigation/Intelligence Activities
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Processes
  • Conducting and Auditing Business Continuity Activities
  • Conducting Logistics Activities
  • Ensuring Quality Standards
  • Controlling Entry and Exit to the Company Building and Preventing Unauthorized Entries
  • Conducting Goods / Service Procurement Processes
  • Conducting Sales and After-Sales Support Services of Goods / Services
  • Conducting Production and Operation Processes of Goods / Services
  • Conducting Customer Relationship Management Processes
  • Ensuring the Security of Movable Property and Resources
  • Conducting Activities for Customer Satisfaction
  • Increasing Reliability with the Customer
  • Conducting Marketing Analysis Studies
  • Conducting Performance Evaluation Processes
  • Conducting Risk Management Processes
  • Conducting Retention and Archive Activities
  • Conducting Procurement Processes
  • Conducting Strategic Planning Activities
  • Conducting Social Responsibility and Civil Society Activities
  • Conducting Contract Processes
  • Following Up Requests / Complaints
  • Ensuring the Security of Movable Property and Resources
  • Conducting Supply Chain Management Processes
  • Conducting Supplier Relations Management Processes
  • Conducting Wage Policy and Issuing Product Invoices
  • Conducting Marketing Processes of Products / Services
  • Providing Information to Authorized Persons, Institutions, and Organizations
  • Conducting Management Activities
  • Creating and Tracking Visitor Records

3.2. Reasons Requiring Disposal:

Personal data will be deleted, destroyed, or anonymized by FURİSAN upon the request of the data subject or ex officio under the following conditions:

  • Amendment or abolition of the relevant legislation provisions that constitute the basis for processing.
  • Disappearance of the purpose requiring processing or retention.
  • Processing personal data only based on explicit consent, and the data subject withdrawing their explicit consent.
  • Acceptance of the relevant person's request regarding the deletion or destruction of personal data within the framework of the rights stipulated in Article 11 of the KVKK.
  • Disappearance of all conditions for processing personal data specified in Articles 5 and 6 of the Law.
  • If FURİSAN rejects the request of the data subject to delete, destroy, or anonymize personal data, finds the response inadequate, or fails to respond within the period stipulated in the KVKK, and the data subject complains to the Board and this request is deemed appropriate by the Board.
  • Expiry of the maximum period requiring the retention of personal data and the absence of any conditions justifying further retention.

4. Personal Data Disposal Techniques:

Personal data will be disposed of by FURİSAN ex officio or upon the request of the relevant person, again in compliance with the provisions of the relevant legislation, using the techniques specified below, at the end of the retention period stipulated in the relevant legislation or required for the purpose for which they are processed.

Unless otherwise decided by the Board, FURİSAN will select an appropriate method of deleting, destroying, or anonymizing personal data on its own. However, the appropriate method will be chosen by explaining the justification upon the request of the relevant person.

4.1. Deletion of Personal Data:

Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users. Personal data processed by FURİSAN is deleted from the recording environments specified in Table 2 below.

Table 2: Deletion of Personal Data:

Data Recording Environment Explanations
Personal Data on Servers Personal data on servers, for which the retention period has expired, is deleted by removing access authorization for the relevant users.
Personal Data in Electronic Environments Personal data in electronic environments, for which the retention period has expired, is made inaccessible and unusable for other employees (relevant users) except the database administrator.
Personal Data in Physical Environments Personal data in physical environments, for which the retention period has expired, is made inaccessible and unusable for other employees except the unit manager responsible for the archive. Additionally, a blackening process is applied by drawing, painting, or erasing over it, making it unreadable.
Personal Data on Portable Media Personal data in flash-based storage environments, for which the retention period has expired, is stored securely by being encrypted by the system administrator, with access authorization given only to the system administrator.
Personal Data in Databases The relevant rows containing personal data are deleted with database commands (DELETE, etc.).

4.2. Destruction of Personal Data:

Destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone. Personal data processed by FURİSAN is destroyed from the recording environments specified in Table 3 below.

Table 3: Destruction of Personal Data:

Data Recording Environment Explanations
Personal Data in Physical Environments Physical Destruction: Personal data on paper, for which the retention period has expired, is destroyed irretrievably in shredding machines.
Personal Data in Local Digital Environments Physical Destruction: Optic and magnetic media containing personal data is destroyed physically by melting, burning, or pulverizing. Making data inaccessible by melting, burning, pulverizing, or passing the optical or magnetic media through a metal shredder.
Personal Data in Cloud Environments Secure Deletion from Software: Personal data stored in the cloud environment is deleted with a digital command to make it irrecoverable, and when the cloud service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Thus, the deleted data cannot be retrieved.

4.3. Anonymization of Personal Data:

Anonymization of personal data is the process of making personal data impossible to link with an identified or identifiable natural person, even through matching with other data. Personal data processed by FURİSAN is anonymized from the recording environments specified in Table 4 below.

Table 4: Anonymization of Personal Data:

Data Recording Environment Explanations
Regional Concealment Concealing distinctive information in a data table containing anonymous data collectively within exceptional cases.
Variable Removal Removing one or more direct identifiers that can identify the relevant person from the personal data set. This method can be used to anonymize personal data or to remove information that is not suitable for the data processing purpose.
Generalization Combining personal data belonging to many people and removing distinguishing information to turn it into statistical data.
Masking Data masking involves removing the primary identifying information from the data set to anonymize personal data.

5. Retention and Disposal Period:

FURİSAN considers legal obligations while determining the retention periods for personal data. Beyond legal regulations, the retention period is determined based on the purposes of processing personal data and the legitimate interests of FURİSAN in processing the data. In this context, it is first determined whether a retention period for personal data is stipulated in the relevant legislation, and if a period is specified, personal data is retained for this period. If no period is specified in the relevant legislation, personal data is retained for the period necessary for the purpose for which they are processed. Unless otherwise decided by the Board, FURİSAN will select an appropriate method of deleting, destroying, or anonymizing personal data.

Table 5: Retention Periods:

Data Subject Group Data Category Retention Period
Employee Identity, Contact, Location, Personnel, Legal Transaction, Physical Space Security, Transaction Security, Professional Experience, Visual-Audio Records, Duty and Title Data Retained for 10 (ten) years after the termination of the employment contract.
Employee Health Retained for 15 (fifteen) years after the termination of the employment contract (Occupational Health and Safety Services Regulation, Article 7).
Employee Candidate Identity, Contact, Legal Transaction, Professional Experience, Visual-Audio Records, Duty and Title Data Retained for 6 months from the application date, 10 years after the termination of the employment contract.
Product/Service Buyer Identity, Contact, Transaction Security, Customer Transaction Retained for 10 (ten) years from the delivery of each product/service purchased by the customer, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.
Product/Service Buyer, Supplier, Employee, Intern Physical Space Security Retained for 1 month from the date of recording during normal times, for the statute of limitations in legal cases.
Institutions/Firms in Cooperation with FURİSAN (Suppliers) Identity, Contact Information, Financial Information Retained for 10 years during and after the end of the business/commercial relationship, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

If a longer period is stipulated by the legislation or for statute of limitations, expiration, retention periods, etc., the periods in the legislation are accepted as the maximum retention period.

5.1. Disposal Periods:

FURİSAN will delete, destroy, or anonymize personal data during the first periodic disposal process following the date when the obligation to delete, destroy, or anonymize personal data arises under the KVKK, relevant legislation, “Personal Data Processing and Protection Policy,” and this “Personal Data Retention and Disposal Policy.” If the relevant person requests the deletion or destruction of their personal data under Article 13 of the KVKK:

  • If all conditions for processing personal data have disappeared, FURİSAN will delete, destroy, or anonymize the personal data within 30 (thirty) days from the date of receipt of the request, by explaining the justification. The request will be deemed to have been received by FURİSAN if the relevant person makes the request in accordance with the “Furisan Personal Data Processing and Protection Policy” announced on the official website. In any case, FURİSAN will inform the relevant person about the action taken.
  • If all conditions for processing personal data have not disappeared, this request may be rejected by FURİSAN, with the justification explained, within 30 (thirty) days at the latest, and the rejection response will be notified to the relevant person in writing or electronically.

5.2. Periodic Disposal:

If all conditions for processing personal data specified in the law have disappeared, FURİSAN will delete, destroy, or anonymize personal data through a recurring process specified in this “Personal Data Retention and Disposal Policy.” FURİSAN has determined the periodic disposal period as 6 months under Article 11 of the Regulation.

6. Publication and Storage of the Policy:

The policy is published in two different media: wet-signed (printed) and electronic, and is publicly disclosed on the internet site.

7. Update Period of the Policy:

The policy is reviewed and updated as necessary. Changes made to this “Personal Data Retention and Disposal Policy” are immediately included in the text, and explanations regarding the changes are added at the end of the policy. Updates to FURİSAN’s “Personal Data Retention and Disposal Policy” will be published in the “KVKK” section of https://furisan.com/.

8. Enforcement of the Policy:

This policy is published on FURİSAN's website indefinitely and can be directly shared with the personal data owner via text or access link upon request. If it is decided to abolish the policy, the wet-signed old copies of this policy will be signed and kept by the relevant unit for 5 years.

VIDEO RECORDING SYSTEMS DISCLOSURE STATEMENT

This Disclosure Statement has been prepared by “FURİSAN GIDA SAN. VE TİC. LTD. ŞTİ.” (hereinafter referred to as “FURİSAN”) in its capacity as the Data Controller, pursuant to the Personal Data Protection Law No. 6698 (“KVKK/Law”), to inform employees, employee candidates, customers, visitors, and all relevant data subjects regarding the processing of personal data collected through in-house video recording systems under the specified conditions.

1. PURPOSE

We inform you that your personal data obtained through video and audio recordings by security cameras will be recorded, stored, preserved, shared with institutions authorized to request these personal data by law, transferred to domestic or foreign third parties under the conditions stipulated by the Law, and processed in other ways specified in the Law. All our activities related to your personal data are conducted and developed in compliance with the principles outlined in the Law.

METHOD OF COLLECTING YOUR PERSONAL DATA

Video recordings of you are obtained and processed with cameras located in the physical space, depending on the scope of the service relationship. Our company will process your personal data for the purposes specified in this Disclosure Statement. If there is any change in the purpose of processing your personal data, your consent will be obtained separately.

The personal data collected and used by our company includes, but is not limited to, the following:

DATA CATEGORY DESCRIPTION
PHYSICAL SPACE SECURITY DATA Video recordings taken at the entrance and inside the physical space

Video recordings are made through security cameras located inside and outside the workplaces owned by “FURİSAN” to ensure company security, and the recording process is monitored by the information technology unit.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

In compliance with the processing conditions specified in Article 4 of the KVKK, your personal data within the scope of video systems can be processed for the following purposes:

  • Fulfillment of service obligations under the service contract
  • Fulfillment of employer responsibilities, ensuring job security, management, supervision, and execution of work
  • Preparation of all records and documents that will be the basis for processing in electronic (internet/mobile, etc.) or physical environments
  • Providing information to public officials upon request and as required by legislation concerning public safety
  • Fulfillment of legal obligations and use of rights arising from current legislation
  • Fulfillment of legal obligations when requested by the relevant authority within the scope of judicial and administrative investigations
  • Conducting business activities
  • Conducting occupational health and safety activities
  • Conducting assignment processes
  • Providing information to authorized persons, institutions, and organizations
  • Conducting emergency management processes
  • Conducting organization and event management
  • Conducting information security processes
  • Conducting storage and archiving activities
  • Ensuring physical space security

METHOD AND LEGAL BASIS OF COLLECTING YOUR PERSONAL DATA

Your personal data can be obtained through video systems 24/7 during the establishment of a legal relationship. Sections where video systems are located in the workplace have KVKK information visuals, and the link to this disclosure statement is shared within the visual content.

Pursuant to Article 5 of the KVKK, personal data cannot be processed without the explicit consent of the data subject. The Law specifies exceptions where explicit consent is not required.

Your personal data may be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK, and for the purposes specified in this Disclosure Statement and for fulfilling legal obligations, as specified by relevant legislation.

TO WHOM AND FOR WHAT PURPOSES PERSONAL DATA MAY BE TRANSFERRED

Personal data related to video systems may be transferred to legally authorized public institutions under the conditions specified in Articles 8 and 9 of the Law, and to achieve the purposes listed above, by taking adequate and effective precautions specified by the legislation regarding security and confidentiality.

RETENTION PERIOD OF PERSONAL DATA

Your personal data processed for the purposes specified in this Disclosure Statement will be deleted, destroyed, or continued to be used by being anonymized 30 days after the personal data is obtained, following the Personal Data Retention and Disposal Policy.

RIGHTS OF THE RELEVANT PERSON

The relevant person has the right to learn whether their personal data is being processed, request information if their personal data has been processed, learn the purpose of processing their personal data and whether it is used in accordance with its purpose, know the third parties to whom personal data is transferred domestically or abroad, request the correction of incomplete or inaccurate personal data, request the deletion or destruction of personal data if the reasons for processing have disappeared despite being processed in accordance with the KVKK and other relevant laws, request notification of the actions taken in accordance with the relevant provisions of the Law to the third parties to whom the personal data has been transferred, object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems, and request compensation for damages if they suffer harm due to the unlawful processing of personal data.

APPLICATION METHOD AND FORM

The relevant person may submit their applications regarding their rights listed above following the procedures and principles stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller.

For detailed information and the application form, you can visit the “KVKK” section at https://furisan.com/.

“APPLICATION FORM TO BE MADE BY THE DATA SUBJECT TO THE DATA CONTROLLER UNDER THE PERSONAL DATA PROTECTION LAW”