PURPOSE AND SCOPE

This Directive sets forth the rules to be observed in and/or by Kılıç HOLDİNG A.Ş. and Group Companies (the “Company”) during the processing of personal data and performance of the Personal Data pursuant to the applicable regulations including specifically the Personal Data Protection Law no. 6698.

This Directive shall apply to all employees, visitors and customers of KILIÇ HOLDİNG A.Ş. and/or Group Companies.

RESPONSIBILITY

The directive on protection and processing of personal data shall enter into force based on the approval of the Board of Directors. Also, variations to the directive shall also require the approval of the Board of Directors.  

DEFINITIONS

Personnel and/or Employee: the employees working under service contracts at KILIÇ HOLDİNG A.Ş. and/or Group Companies.

Enterprise: all kinds of enterprises owned by KILIÇ HOLDİNG A.Ş. and/or Group Companies.

PDPL: Personal Data Protection Law no. 6988

Explicit Consent: the consent provided with free will on a given subject based on the supply of information.

Personal Data: any information relating to an identified or identifiable natural person. In that respect, the Law does not apply to processing of data related to legal persons.

Special Categories of Personal Data: Biometric and genetic information as well as personal data concerning race, ethnicity, political affiliation, philosophical belief, religion, sect or other beliefs; outer appearance; memberships to associations, foundations or unions; health; sexual orientation; convictions; and data concerning security measures.

Application Form: the application form prepared for the use of data subjects with respect to the applications to be filed to the Data Controller in order to benefit from the rights granted under the Personal Data Protection Law no. 6988.

Processing of Personal Data: any kind of process performed on personal data such as obtaining, saving, storing, retaining, modifying, editing, describing, transferring, receiving, making available, classifying or blocking the use of personal data automatically or otherwise provided that any such non-automatic method forms part of any data recording system.

Pseudonymization: the process of disabling personal data in such a way that it can no longer be associated with an identifiable real person, even when the personal data is matched with other data.

Data Processor: real or legal person authorized to process personal data on behalf of the data controller.

Data inventory: the inventory created by data controllers in order to provide detailed information about personal data processing activities conducted on the basis of business processes in conjunction with the processing purposes, data categories, recipient group and data subject category by duly explaining the maximum duration required for fulfilling the processing purposes, personal data to be transferred abroad and measures taken for data security.

Data Controller: real or legal person determining the purposes and methods of processing personal data and assuming responsibility for setup and management of data storage system.

Data Controller Representative: the employee assigned by the Board of Directors for coordinating the relationship between the Company and Authority.

Data Subject: All of the real persons whose personal data are processed by or on behalf of the Company including employees, job applicants, visitors and customers.

Destruction of Personal Data: Deletion, removal or pseudonymization of personal data.

Periodical Destruction: Recurrent deletion, removal or pseudonymization at periodical intervals as indicated in the personal data retention and destruction policy in the event that the legal conditions for processing personal data are no longer applicable

Masking: crossing out, painting or blurring personal data in order to ensure that they shall no longer be related to an identified or identifiable natural person.

POLICY AND PRINCIPLES

• The personal data shall be processed in line with the principle of proportionality pursuant to the law and rules of integrity.
• The Enterprise shall take all kinds of measures in order to ensure that the personal data remain complete, correct and up-to-date and update the personal data where required by the data subject.
• The Enterprise shall determine the purpose of processing personal data before taking any action in that regard. The data subject shall be duly informed about the processing activities pursuant to the PDPL and shall be asked to provide explicit consent where necessary.
• The Enterprise may process the personal data in line with the principle of proportionality solely in case of exceptional conditions provided in the PDPL and applicable regulations (articles 5.2 and 6.3 of the PDPL) or for the purposes of the explicit consent provided by the data subject (articles 5.1 and 6.2 of the PDPL).
• The Enterprise shall preserve the personal data as long as required for the designated purpose. If the Enterprise intends to preserve the personal data for longer than indicated in the PDPL or required for the purpose of processing the personal data, the Enterprise shall act in compliance with the obligations provided in the PDPL.
• The Personal Data shall be deleted, destroyed or pseudonymized upon the conclusion of the period required for the processing purpose. In that case, the Company shall ensure that the third party recipients shall also delete, destroy or pseudonymize the personal data.
• The Data Controller Representative shall be responsible for conducting the deletion, destruction or pseudonymization processes while the Board of Directors shall be in charge of approving the relevant processes.

Processing of Personal Data

The Company may process the personal data solely in line with the following principles and rules.

• Explicit Consent
  • Personal data shall be processed based on the Explicit Consent to be provided by data subjects following the disclosure to be made for fulfilling the Disclosure Obligation towards data subjects.
  • For the purposes of the disclosure obligation, Data Subjects shall be informed of their rights in relation to the personal data before asking them to provide Explicit Consent for the processing to be conducted.
  • Data Subjects shall provide Explicit Consent through the “Statement of Explicit Consent under Personal Data Protection Law”. Explicit Consent shall be preserved throughout the period designated for PDP so that the availability thereof might be duly proven.
  • The Personal Data Representative and other relevant individuals shall be responsible for fulfilling the disclosure obligation for all Personal Data Processing activities and receiving and retaining explicit consent where necessary.
  • All employees responsible for processing Personal Data shall be required to comply with the instructions of the Personal Data Representative, provisions of this Directive and all of the rules related to the PDP.
• Processing Personal Data in the absence of Explicit Consent
  • The Company may process Personal Data without receiving explicit consent from the data subject to the extent that the PDP regulations stipulate for processing Personal Data without receiving Explicit Consent (e.g. articles 5.2 and 6.3 of the PDPL).
    • The Company may process Personal Data without receiving explicit consent from data subjects who are unable to express their consent due to any physical incapacity or who are not legally entitled to express consent and/or for the purpose of protecting the life and physical integrity of any other person.
    • The Company may process Personal Data without receiving explicit consent from data subjects to the extent that it is necessary to process the Personal Data of parties to an agreement provided that such processing should be directly related to creation, performance and conclusion of an agreement.
    • The Company may process Personal Data without receiving explicit consent from data subjects where the Company is required to process the Personal Data for fulfilling its legal obligations.
    • The Personal Data made available to the public by the Data Subject may be processed without receiving explicit consent.
    • The Company may process Personal Data without receiving explicit consent from data subjects where such processing is required for creating, using or retaining any specific right.
    • The Company may process Personal Data without receiving explicit consent from data subjects where such processing is required for legitimate interests of the enterprise so long as it does not impair the fundamental rights and freedoms of data subjects.

Processing CCTV Footage

The Company records CCTV footage of its visitors, employees and other relevant individuals in line with the fundamental principles of the PDPL and this Directive in order to promote the commercial and overall security of the facilities and enterprises and keeps the CCTV footage safely in physical or electronic media throughout the period specified for the processing purposes. The Company shall comply with all kinds of legal requirements, including specifically PDPL, with respect to protection of personal data. CCTV system is not available in locations requiring high level of privacy.

Announcement of the Availability of CCTV System

The Company shall keep the data subjects informed of the availability of CCTV system pursuant to article 10 of the PDPL with a view to refraining from impairing the fundamental rights and freedoms of data subjects by informing data subjects in line with the principle of transparency. Accordingly, a notice shall be published on the corporate website regarding this Directive in addition to a bulletin available in the areas where monitoring activities are conducted.

Monitoring Entrances-Exits of Buildings and Offices

The Company shall process personal data regarding the entrance and exit of visitors at the gates of the buildings and offices in order to promote security as well as performing the purposes provided herein.

Processing of Special Categories of Personal Data

• Special Categories of Personal Data may be processed solely in case of availability of Explicit Consent of Data Subjects or where it is legally required to process Special Categories of Personal Data other than those related to sexual life and personal health.
• The Personal data relating to health and sexual life may be processed without Explicit Consent only to the extent required for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
• The Company shall adopt the measures required by the Authority for processing Special Categories of Personal Data.

Deletion, Destruction or Pseudonymization of Personal Data

• Personal data shall be deleted, destroyed or pseudonymized upon the fulfilment of the legitimate purpose of processing personal data. The Data Controller Representative shall determine the conditions requiring any deletion, destruction or pseudonymization process.
• The Data Controller Representative shall be responsible for the deletion, destruction or pseudonymization processes. In that respect, the Data Controller Representative shall set the necessary procedure for this purpose.
• The Company shall not retain Personal Data in order to prevent any future use.

Transfer and Processing of Personal Data by Third Persons

The Company may transfer the Personal Data to domestic and/or foreign third persons, whether real or legal, in line with PDP regulations by taking the necessary measures for the processing purposes. In case of any such transfer, the Company shall ensure that the aforementioned third persons shall act in line with the requirements of this Directive. In that regard, the Company shall introduce necessary protective provisions to the agreements to be executed with the relevant third persons. The Legal Department and Data Controller Representative shall prepare the provision to be incorporated into the agreements to be executed with third persons to whom any such transfer is to be made. Each employee shall be obliged to perform the processes provided herein in case of any Personal Data transfer. If any variation is required to be made to the article submitted by the Data Controller Representative, the Legal Department and Data Controller Representative shall be informed accordingly.

            Personal Data Transfer to Domestic Third Persons  

• The Company may transfer the Personal Data to third persons in Turkey without receiving Explicit Consent under the exceptional conditions provided in articles 5.2 and 6.3 of the PDPL or otherwise by receiving Explicit Consent from the Data Subject (e.g. articles 5.1 and 6.2 of the PDPL).
• The employees of the Company and Data Controller Representative shall be severally responsible for ensuring compliance of transfer activities with the PDP regulations.

Personal Data Transfer to Foreign Third Persons

• The Company may transfer the Personal Data to third persons abroad without receiving Explicit Consent under the exceptional conditions provided in articles 5.2 and 6.3 of the PDPL or otherwise by receiving Explicit Consent from the Data Subject (e.g. articles 5.1 and 6.2 of the PDPL).
• In the event that the Personal Data are transferred without Explicit Consent in line with the PDP regulations, the foreign country of transfer should conform to one of the prerequisites provided below:
  • Being qualified as a country with sufficient protection by the Board.  
  • If the foreign country is not qualified as a country with sufficient protection, presentation of a written covenant issued by the Company and Data Processors in the relevant country to undertake sufficient protection in order to receive permission from the Board.
• The employees of the Company and Data Controller Representative shall be severally responsible for ensuring compliance of transfer activities with the PDP regulations.

Disclosure Obligation of the Company

The Company shall duly inform the Data Subjects prior to the processing of Personal Data in line with article 10 of the PDPL. In that respect, the Company shall fulfil the Disclosure Obligation while obtaining the Personal Data. The Disclosure to be made to the Data Subjects shall contain the following information:

• Identity of the Data Controller and its representative, if any,
• Purpose of processing,
• Recipients of processed Personal Data and purpose of transfer,
• Legal grounds and methods for collecting Personal Data,
• Data Subject rights provided in article 11 of the PDPL.

The Company shall present information to the Data Subject in line with article 20 of the Turkish Constitution and article 11 of the PDPL in case of any such request.

The Company shall inform the Data Subject of the Personal Data which are processed where such information is requested by the Data Subject pursuant to the provisions of PDP Regulations.

The designated employees and Data Controller Representative shall be severally responsible for ensuring performance of the Disclosure Obligation prior to the processing of Personal Data. In that regard, the Data Controller Representative and senior management shall prepare a PDP Procedure so as to ensure that each processing activity is duly reported to the Data Controller Representative.

If the Data Processor is a third person other than the Company, the Data Processor shall be required to execute a written contract in order to undertake to comply with the abovementioned obligations before commencing the processing activities. If any third person is to transfer Personal Data to the Company, the Data Controller Representative shall specify the article to be incorporated into the agreement to be executed by the relevant parties. Each employee shall be obliged to observe the principles provided herein in case of any Personal Data transfer to the Company by a third person. If the transferor third person requests any variation to the article presented by the Data Controller, the Data Controller Representative shall be promptly informed of such request.

Rights of Data Subjects

Pursuant to the applicable PDP Regulations, the Data Subjects shall be entitled to:

• learn whether or not your personal data have been processed by the Enterprise,
• request information about the processing, if any,
• request information about the processing purpose and whether or not the use of the Personal Data is fit for the purpose,
• receive information about the recipient domestic or foreign third parties,
• ask for correction in case of incomplete / incorrect processing of the Personal Data by the Enterprise,
• ask for deletion or destruction of Personal Data in the event that the causes for processing are no longer applicable in terms of the purpose, duration and legitimacy,
• ask for notification of correction, deletion or destruction processes, if applicable, to third persons to whom the personal data are transferred,
• object to any unfavourable result for the data subject arising from analysis of processed data with automated systems exclusively,
• demand indemnification against losses, if any, incurred as a result of processing activities in violation of the law.

Data Subjects who intend to exercise the rights provided above and/or consider that the requirements of this Policy are not observed with respect to the processing activities may submit their requests to the Data Controller by sending an e-mail with secure electronic signature to the e-mail address, which may be changed from time to time, or deliver a petition with original signature to the mailing address, which may be changed from time to time, along with the information and documentation proving their identity either in person or via notary.

Data Controller: Kılıç Deniz Ürünleri Üretimi İhracat İthalat ve Tic.A.Ş.

E-mail:[email protected]

Mailing Address: Kemikler Köyü Mevkii Milas Bodrum Karayolu 18.km Milas/MUĞLA 48200 TURKEY

After the Data Subjects inform the Company of their requests in writing, the Company shall respond to all such requests within maximum thirty days free of charge according to the particulars of the request. Nevertheless, the Company shall charge the fee provided in the applicable tariff to the applicants if the Personal Data Protection Board provides for any fee for the relevant request. The Data Controller shall either accept the request or reject it by explaining the reasons for such rejection and duly inform the relevant persons in writing or electronic media. In the event that the request is accepted, the Data Controller shall fulfil the requirements of the application. If the application is related to any fault committed by the Data Controller, the relevant fee shall be reimbursed to the applicant.

Data Management and Security

1. The Company shall assign a Data Controller Representative who shall be responsible for fulfilling the obligations arising from the PDP Regulation, ensuring and supervising the performance of the necessary PDP procedures and making suggestions about those procedures.
2. All employees involved in the process shall be severally responsible for protecting personal data in line with this Directive and PDP Procedures.
3. The Company shall monitor the Personal Data Processing activities with the use of suitable technological means and technical systems with due regard for the relevant costs.
4.  
5. The employees of the Company shall be provided with information and training about the protection of Personal Data under the applicable law.
6. The Company shall adopt a PDP Procedure regarding the access of relevant employees to the Personal Data. The Data Controller Representative and management shall be severally responsible for preparing and implementing the procedure.
7. The employees of the Company may have access to the Personal Data solely in line with the authority granted to them under the applicable PDP Regulation. Any access and process conducted without adequate authorization shall be regarded to be in breach of the law which may result in termination of the employment contract with cause.
8.  
9. If the Company doubts or determines any security flaw with respect to the Personal Data, the Data Controller Representative shall be promptly informed of the situation.
10. The Data Controller Representative shall create a detailed PDP Procedure regarding Personal Data security, which shall be duly submitted to the Board of Directors for approval.
11.  
12. Employees who are provided with any corporate equipment shall be responsible for safekeeping the relevant equipment.
13. Employees shall be responsible for safekeeping the physical files remaining under their custody.
14. If any additional security measures are required or introduced under the PDP Regulations, all employees shall be obliged to comply with those additional security measures and ensuring sustainable performance in that regard.
15. The Company shall install virus protection systems and software and hardware with firewalls in line with the technological developments so as to ensure safekeeping of the Personal Data.
16.  
17. The Company shall use back-up programs and adopt sufficient level of security measures in order to prevent loss of or damage to the Personal Data.
18. The documentation containing Personal Data shall be protected through encrypted systems. In that respect, the Personal Data should not be kept in common areas and desktop without encryption. The personal data held in the office IT equipment shall not be transferred to other equipment or taken outside the Company without receiving prior written consent from the Data Controller Representative.
19. The Board of Directors and Data Controller Representative shall be obliged to take all kinds of technical and administrative measures required for protecting Personal Data, monitoring administrative activities on a continual basis, prepare and announce the necessary PDP Procedures and supervise compliance with the relevant procedures. In that respect, the Data Controller Representative shall organize training sessions for increasing awareness of employees about the matter.
20.  
21. Where a corporate department processes Special Categories of Personal Data, this department shall be briefed about the significance, security and privacy of the Personal Data by the Data Controller Representative so that the relevant department shall act in compliance with the provisions of the PDP Law. The power to have access to the Special Categories of Personal Data shall be granted to a limited number of employees who shall be listed and monitored by the Data Controller Representative.
22. All kinds of Personal Data subject to processing activities in the Company shall be regarded to constitute “Confidential Information”.
23. The employees of the Company have been duly informed of the fact that the obligations related to the security and privacy of Personal Data shall survive the termination of employment according to which they have presented a covenant to undertake that they shall observe the applicable rules.

Training

The Company shall offer training to its employees about protection of Personal Data in line with this Directive and enclosed PDP Procedures as well as the PDP Law. The training sessions shall especially focus on definition of Special Categories of Personal Data along with the actions to be taken for protecting the relevant data. If any employee has physical or electronic access to Personal Data, the training shall be organized in the relevant setting (e.g. computer software etc.).

Violations

Each employee shall be responsible for duly informing the Data Controller Representative of any action or negligence which is considered to constitute violation of this Directive and the PDP Law. Thereupon, an action plan shall be created for eliminating the violation pursuant to the provisions of this Directive and the PDP Law.

The Committee shall prepare the notification to be made to the Data Subject and Authority regarding the violation based on the relevant violation reports with due regard for the provisions of the regulations in force in addition to the PDP Law. The Data Controller Representative shall be responsible for coordinating the correspondence and communication with the Authority.

PROTECTION OF PERSONAL DATA  

KILIÇ HOLDİNG A.Ş. AND KILIÇ GROUP COMPANIES

DISCLOSURE STATEMENT ABOUT PROCESSING OF PERSONAL DATA 

We, Kılıç Holding A.Ş. and Kılıç Group Companies (the “Company”), remain aware of our responsibility to process your personal data securely. In that respect, we adopt all kinds of suitable security measures in order to prevent unlawful processing of or access to your personal data and ensure safety of your personal data during the processing and transfer activities under the Personal Data Protection Law no. 6698 (the “PDP Law”). This statement sets forth important information about the processing activities to be conducted in relation to personal data.

Please note that the Company reserves the right to amend this text partially or wholly, in which case this document shall be duly updated.

1.         DATA PROCESSOR:

The Company is a legal entity responsible for determining the motives and methods for processing of your personal data as well as establishing and overseeing the data recording system. The Company shall begin to process your personal data in line with the applicable safety rules upon receiving your explicit consent or delivering a disclosure to you where explicit consent is not required. Please note that we may assign one or more than one data processor for processing your personal data by ensuring the safety of your data as necessary.

2.         LEGAL MOTIVES AND METHODS OF PROCESSING AND THE PERSONAL DATA TO BE PROCESSED:

Pursuant to the applicable regulations, the Company shall use your personal data for performing services and improving the quality of those services, undertaking the activities required by public authorities and/or regarded as exceptional activities as well as complying with the privacy, reporting and disclosure obligations required thereunder. In that respect, the Company may process your personal data which are listed in Annex-1 with a view to taking suitable security measures during your visit to the corporate offices, promoting occupational health and safety along with the security of the business place, conducting the required processes and actions in order to provide services to you and upholding the legitimate interests of the Company.

We may disclose the personal data to be processed for the relevant purposes with our domestic and foreign affiliates, business partners, suppliers, officers, shareholders, group companies and public authorities and private persons who are empowered to have access to the same under the applicable Law.

3.         DISCLOSURE OF PERSONAL DATA:

The Company may collect your personal data in verbal, written or electronic media through the corporate website and other channels by means of our affiliates, business partners and employees in line with the provisions of the applicable regulations.

This disclosure statement constitutes annex to and an inseparable part of all kinds of service requests and agreements executed with the Company.

4.         DESTRUCTION OF PERSONAL DATA:

The Company shall retain the personal data throughout the period specified in the applicable regulations. Nevertheless, where any such period is foreseen in the applicable regulations, the Company may retain your personal data as long as processing is required in relation to our services based on the corporate and commercial practices and for a reasonable period thereafter so as to constitute evidence in case of any potential legal dispute. Upon the conclusion of the designated period, the Company shall delete, destroy or pseudnymize your personal data at the nearest possible date under article 7 of the PDP Law.

5.         DATA SUBJECT RIGHTS:

Pursuant to article 11 of the PDP Law, you shall be entitled to apply to the Company in order to:

1.         learn whether or not your personal data has been processed and request information about the processing, if any,

2.         request information about the processing purpose and whether or not the use of data is fit for the purpose,

3.         receive information about the recipient domestic or foreign third parties,

4.         ask for correction in case of incomplete / incorrect processing,

5.         request deletion, destruction or pseudonymization of personal data in the event that the

6.         ask for notification of the processes provided in paragraphs (d) and (e) above to third party recipients,

7.         object to any unfavourable result arising from analysis of processed data with automated systems exclusively,

8.         demand indemnification against losses, if any, incurred as a result of processing activities in violation of the law.

In order to exercise the abovementioned rights under the PDP Law, Communiqué on Principles and Procedures for Application to Data Controllers issued on 10.03.2018 and applicable regulations, please deliver the application form available on http://www.kilicdeniz.com.tr/kvkform to:

1.         Kemikler Köyü Mevkii Milas Bodrum Karayolu 18.km Milas Muğla – Turkey in person, via notary or registered letter along with the petition bearing original signature;

2.         [email protected],(employees of Kılıç Deniz Ürünleri Üretimi İhracat, İthalat ve Tic. A.Ş.), [email protected] (employees of Bafa Su Ürünleri Yavru Üretim Merkezi San. Tic. A.Ş.), [email protected] (employees of Gündoğdu Su Ürünleri Üretim ve  Pazarlama San. Ve Tic. A.Ş.) by e-mail  via your registered electronic mail (KEP) address, secure electronic signature or mobile signature or through your e-mail address which is registered within the corporate system or with the use of any special software or application (provided that the application should satisfy the requirements of the applicable regulations).

If a third person is to file a request on behalf of you, please ensure that a duly notarized statutory form of power of attorney is appended to the application.

The Company shall respond to all such requests within maximum thirty days free of charge. If the relevant application requires an additional cost, the Company shall charge the fee provided in the tariff specified by the Personal Data Protection Board (the “Board”). If the Company responds to your application via CD, flash disk or a similar medium, the Company may charge a fee not to exceed the cost of the relevant medium.

The Company may ask you to provide necessary information and documentation in order to ascertain whether or not you qualify as a data subject. In addition, the Company may pose questions about your application in order to clarify the relevant points.

The Company may reject your application by providing an explanation in case of following reasons:

1.         Processing personal data for research, planning and statistical purposes after pseudonymization along with official statistical purposes,

2.         Processing personal data for artistic, historic, literary or scientific purposes or under the principle of freedom of expression provided that such processing does not constitute crime or violate national defence, national security, public security, public order, economic security, right to privacy or personal rights,

3.         Processing personal data conducted by duly authorized public institutions and organizations for preventive, protective and informative activities with a view to promoting national defence, national security, public security, public order or economic security,

4.         Processing personal data conducted by judicial authorities or execution offices for investigations, proceedings, trials or execution processes,

5.         Processing personal data to the extent required for preventing commitment of a crime or investigating into a crime,

6.         Processing personal data which are made available to the public by the data subject,

7.         Processing personal data to the extent required for enabling legally empowered public authorities and organizations and professional chambers qualified as public institutions to perform the supervision or regulation duties and conducting disciplinary investigations or proceedings,

8.         Processing personal data to the extent required for protecting the economic and financial interests of the Government regarding budget, tax and financial matters,

9.         Requests with the potential to impair the rights and freedoms of third persons,

10.      Requests which are considered to require disproportionate efforts,

11.      Requests for any information which is already available to the public.

The Company shall respond to your request in writing or through electronic media. In the event that your request is denied under article 14 of the PDP Law, you are not satisfied with our response or we fail to respond to your request in due time, you shall be entitled to file a complaint to the Board within 30 (thirty) days as from receiving our response or the conclusion of response duration, where we fail to provide a response, and within 60 (sixty) days as from filing an application to the Company in any case.

ANNEX-1: Personal Data Categories