Personal Data Protection and Processing Policy

PERSONAL DATA PROTECTION AND PROCESSING POLICY
 
1. PURPOSE AND SCOPE
2. TARGET
3. DEFINITIONS AND ABBREVIATIONS
4. RESPONSIBILITIES
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
5.1-GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA
5.1.1.Performing Personal Data Processing Activities in Accordance with Law and the Rule of Integrity
5.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
5.1.3. Processing for Specific, Clear and Legitimate Purposes
5.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
5.1.5. Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
5.2 Conditions for Processing Personal Data
5.3-Processing of Special Personal Data
5.4-TRANSFER OF PERSONAL DATA
5.4.1-TRANSFER OF PERSONAL DATA TO PERSONS DOMESTIC
5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD
5.5-COMPANY'S OBLIGATION TO DISCLOSE
5.6-RIGHTS OF THE RELEVANT PERSON
5.7-MEASURES TAKEN FOR DATA SECURITY
5.7.1. Administrative Measures
5.7.2. Technical Measures
6- IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION
7- ENFORCEMENT AND UPDATING OF THE POLICY

1. PURPOSE AND SCOPE

KASABA DÜKKAN EMİR CAN DÜNDAR Personal Data Processing and Protection Policy sets out the principles to be adopted by the Company and taken into consideration in practice regarding the protection and processing of personal data.

The Policy aims to define the framework and coordinate the compliance activities to be carried out by the Company specifically to ensure compliance with Law No. 6698 on the Protection of Personal Data ("PDP") regarding the protection and processing of personal data. In this context, the Company's aim is to continue to conduct its activities in accordance with the principles of lawfulness, integrity, and transparency, which have been adopted since its inception.

2. TARGET

The Company's Personal Data Protection Policy aims to create the necessary systems and establish the necessary order to ensure compliance with the legislation, in line with the aim of raising awareness about the legal processing and protection of personal data within the Company.

In this context, the Company's Personal Data Protection Policy aims to provide guidance regarding the implementation of the regulations set forth in the Personal Data Protection Law and relevant legislation.

3. DEFINITIONS AND ABBREVIATIONS

The important definitions used in the Company's Personal Data Protection Policy are listed below:

EXPLICIT CONSENT: Consent related to a specific subject, based on information and expressed with free will.

ANONYMOUSATION: This refers to the irreversible alteration of personal data, such that it no longer qualifies as personal data. For example, rendering personal data incapable of being associated with a natural person through techniques such as masking, aggregation, data corruption, etc.

CONCERNED PERSON: The natural person whose personal data is processed. E.g.: Customers, employees

PERSONAL DATA: Any information relating to an identified and identifiable natural person. Therefore, the processing of information relating to legal entities is not within the scope of the Law. For example: name-surname, TR ID No., e-mail, address, date of birth, credit card number, bank account number, etc.

SPECIAL NATURE PERSONAL DATA: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special nature data.

PROCESSING OF PERSONAL DATA: Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

DATA CONTROLLER: Refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system).

DATA OWNER APPLICATION FORM: The application form that the Data Subject will use when applying for their rights in accordance with Article 11 of the Personal Data Protection Law.

CONSTITUTION: The Constitution of the Republic of Türkiye, numbered 2709, dated 7 November 1982, published in the Official Gazette, numbered 17863, dated 9 November 1982.

KVK LAW: Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.

POLICY: Company Personal Data Protection and Processing Policy

NOTIFICATION ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO DISCLOSE:

Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, which was published in the Official Gazette dated 10 March 2018 and numbered 30356 and entered into force.

4. RESPONSIBILITIES

All our employees, stakeholders, guests, visitors, and relevant third parties are obligated to cooperate throughout the Company to ensure the operation, activities, processes, and implementation of the Company's Personal Data Protection Policy, and to prevent legal risks and imminent danger. All Company bodies and departments are responsible for ensuring compliance with the Company's Personal Data Protection Policy.

5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

5.1-GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA

One of the primary concerns for the Company is to comply with the general principles stipulated in the legislation when processing personal data. In this context, the Company must comply with the principles listed below when processing personal data in accordance with the Constitution and the Personal Data Protection Law.

5.1.1.Performing Personal Data Processing Activities in Accordance with Law and the Rule of Integrity

In accordance with Article 4 of the Personal Data Protection Law, the Company must process personal data in accordance with the law and the rules of honesty; accurately and, if necessary, up-to-date; for specific, clear and legitimate purposes; and in a purpose-related, limited and proportionate manner.
In this context, the Company takes into account the requirements of proportionality in the processing of personal data and should not use personal data other than as required for the purpose.

5.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

The Company must ensure that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the Data Subject and its own legitimate interests; and must take the necessary measures and establish systems to ensure this.

5.1.3. Processing for Specific, Clear and Legitimate Purposes

The Company must process personal data for legitimate and lawful reasons, in connection with its activities, and to the extent necessary. The purposes for which personal data will be processed must be determined by the Company before any personal data processing activity begins.

5.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed

The Company processes personal data in a manner suitable for achieving the specified purposes and must avoid processing personal data that is not relevant or needed to achieve the purpose.
For example, personal data processing should not be carried out to meet needs that may arise later.
5.1.5. Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed

In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Personal Data Protection Law, the Company must retain the personal data it processes only for the period stipulated in the relevant legislation and laws or required by the purpose of processing personal data.

In this context, the Company first determines whether relevant legislation specifies a retention period for personal data, and if so, it complies with this period. If no legal period exists, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the designated retention periods, personal data is destroyed in accordance with periodic destruction periods or the Data Subject's request, and by the specified destruction methods (deletion and/or destruction and/or anonymization).
Details are set out in the Personal Data Retention and Destruction Policy.

5.2 Conditions for Processing Personal Data

The conditions for processing personal data are regulated by the KVKK, and personal data is processed by the Company in accordance with the conditions stated below.

One of the conditions for processing personal data is the explicit consent of the Relevant Person. Except for the exceptions listed in the law, the Company processes personal data only with the explicit consent of the Relevant Person. The Relevant Person's explicit consent must be specific, informed, and expressed freely. In the event of the circumstances listed in the law, personal data may be processed even without the Relevant Person's explicit consent.

If the personal data processing conditions listed below are met, personal data may be processed without the explicit consent of the Data Subject.

I. Explicitly Provided in Laws

If the personal data of the relevant person is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition can be said to exist.

ii. Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility

If the processing of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his consent due to actual impossibility or whose consent cannot be validated, the personal data of the Relevant Person may be processed.

iii. Direct Interest in the Establishment or Execution of the Contract

This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the Data Subject is a party.

IV. Fulfillment of Legal Obligations by the Data Controller

If processing is necessary for the Company to fulfill its legal obligations, the Personal Data of the Relevant Person may be processed.

V. Publicization of Personal Data by the Personal Data Subject

If the Data Subject has made his/her personal data public, the relevant personal data may be processed limitedly for the purpose of publicity.

VI. Data Processing is Necessary for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the Relevant Person may be processed.

VII. Data Processing is Necessary for the Legitimate Interest of the Data Controller

Personal data of the Data Subject may be processed if data processing is mandatory for the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

5.3-Processing of Special Personal Data

The Company demonstrates particular care in the processing of sensitive personal data, the protection of which is believed to be of greater importance to the Data Subject in various respects. In this context, such data is not processed without the Data Subject's explicit consent, provided that adequate safeguards, as determined by the Board, are taken. However, sensitive personal data, excluding data related to health and sexual life, may be processed without the Data Subject's explicit consent in cases stipulated by law. However, data related to health and sexual life may be processed without explicit consent, provided adequate safeguards are taken and in the presence of the following reasons.

.Protection of public health,
.Preventive medicine,
Medical Diagnosis,
.Execution of treatment and care services,
Planning and management of health services and their financing.

5.4-TRANSFER OF PERSONAL DATA

Our Company may transfer the Personal Data Subject's personal data and special personal data to third parties (public and private authorities, third parties) by taking the necessary security measures in accordance with the lawful personal data processing purposes. In this regard, the Company complies with the regulations stipulated in Article 8 of the Law. If there are groups of individuals with whom personal data is/may be shared, the relevant person is informed with a disclosure text.

5.4.1-TRANSFER OF PERSONAL DATA TO PERSONS DOMESTIC

The Company diligently complies with the requirements of the Personal Data Protection Law (KVKK) regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, the Company does not transfer personal data to third parties without the explicit consent of the relevant person. However, if one of the following conditions stipulated by the KVKK exists, the Company may transfer personal data without the explicit consent of the relevant person:
• It is clearly foreseen in the laws,
• It is necessary for the protection of the life or physical integrity of a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, or of someone else,
• It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or execution of a contract,
• It is mandatory for the data controller to fulfill its legal obligations,
• It has been made public by the Relevant Person himself,
• Data processing is necessary for the establishment, exercise or protection of a right,
• Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

Provided that adequate measures are taken, it is stipulated in the law for special personal data other than health and sexual life, and for special personal data related to health and sexual life,

• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Carrying out treatment and care services,
• Your personal data may be transferred without explicit consent for purposes such as planning and managing healthcare services and their financing.

In the transfer of special personal data, the conditions specified in the processing conditions of this data are complied with.

5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD

Regarding the transfer of personal data abroad, the explicit consent of the Relevant Person is required in accordance with Article 9 of the Personal Data Protection Law. However, if conditions exist that permit the processing of personal data, including sensitive personal data, without the Relevant Person's explicit consent, the Company may transfer personal data abroad without the Relevant Person's explicit consent, provided that the foreign country to which the personal data will be transferred provides adequate protection. If the country to which the transfer will be made has not been designated by the Board as a country with adequate protection,

The company and the data controller/data processor in the relevant country will undertake in writing to provide adequate protection.

In case there are groups of people with whom personal data is/may be shared, the relevant person is informed with a disclosure text.

5.5-COMPANY'S OBLIGATION TO DISCLOSE

Pursuant to Article 10 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, the Data Subject must be informed before, or at the latest, at the time of collection of personal data. The information to be provided to the Data Subject within the framework of this obligation to inform is as follows:
The identity of the data controller and its representative, if any,
The purpose for which personal data will be processed,
To whom and for what purpose the processed personal data can be transferred,
The method and legal reason for collecting personal data,
Other rights listed in Article 11 of the KVKK.

In order to fulfill its obligation to inform, the Company has prepared information declarations to be presented to the Data Subject within the scope of the above-mentioned Personal Data Protection Law provision, on the basis of the processes and persons whose data are processed.

On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Company does not have an obligation to inform in the situations listed.

• Personal data is processed by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.
• Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

However, pursuant to Article 28(2) of the KVKK, the Company’s obligation to inform will not be applicable in the following cases:

• Personal data processing is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject,
• Personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law,

• Personal data processing is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

5.6-RIGHTS OF THE RELEVANT PERSON

With respect to personal data processed by the Company in accordance with the principles set forth in this Policy, the necessary measures have been taken to ensure that the Data Subject exercises the rights granted to him/her in Article 11 of the Personal Data Protection Law. These rights are as follows:

a) Learning whether personal data is being processed,
b) Request information regarding the processing of personal data,
c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d) To know the third parties to whom personal data is transferred, either domestically or abroad,
e) To request correction of personal data in case it is processed incompletely or incorrectly,
f) Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
g) To request that the transactions carried out in accordance with articles (e) and (f) above be notified to third parties to whom personal data has been transferred,
h) To object to the emergence of a result to the detriment of the person himself/herself, by means of analysis of the processed data exclusively through automated systems,
i) To request compensation in case of damages due to unlawful processing of personal data.
Relevant Persons may exercise their rights listed above by submitting their requests through the Relevant Person application form located at https://shopderin.com/pages/kvkk. Detailed information on completing the form or submitting it to the Company is included in this form. The Company will respond to these requests physically or electronically to the Relevant Persons.
Depending on the nature of the request, the Company will process the request free of charge as soon as possible and within thirty (30) days at the latest. However, if the process requires additional costs, the Company will charge the applicants the fee set by the Board. Additionally, during the processing of the Relevant Person's request, the Company may request additional information or documentation from applicants.

On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Data Subject cannot exercise the above rights listed in Article 11 of the KVKK in the following cases:

• Personal data is processed by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.
• Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

However, within the framework of the second paragraph of Article 28 of the KVKK, the above rights listed in Article 11 of the KVKK, excluding the right to compensation for damages, will not be applicable in the following cases:

• Personal data processing is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject,

• Personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law,
• Personal data processing is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

5.7-MEASURES TAKEN FOR DATA SECURITY

Aware of the importance of ensuring security in all aspects within the Company, the Company must take the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data, and to ensure the preservation of data, in accordance with Article 12 of the Personal Data Protection Law, and must carry out the necessary inspections within this scope.

The company must take the necessary technical and administrative measures, within the technological possibilities, to ensure that personal data is processed in accordance with the law.

5.7.1. Administrative Measures

• The Company conducts and has conducted the necessary audits in its own institution or organization to ensure the implementation of the provisions of the Law.
• In case the processed personal data is obtained by others through illegal means, the Company shall notify the relevant person and the Board of this situation as soon as possible.
• Regarding the sharing of personal data, the Company ensures data security by signing a framework agreement with the persons with whom personal data is shared or by adding provisions to the agreements.
• The Company employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training on the protection of personal data.

5.7.2. Technical Measures

• The Company employs knowledgeable and experienced people to ensure data security and provides its personnel with the necessary training on the protection of personal data.
• Performs necessary internal controls within the scope of established systems.
• Conducts the processes of risk analysis, data classification, IT risk assessment and business impact analysis within the scope of the established systems.
• Ensures the provision of technical infrastructure and the creation of relevant matrices to prevent and/or monitor the leakage of personal data outside the institution.
• It ensures that the access rights of employees to personal data in information technology companies are kept under control.

6- IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION

Relevant applicable legal regulations regarding the processing and protection of personal data will be applied first. In the event of any inconsistency between the applicable legislation and the Policy, the Company acknowledges that applicable legislation will prevail.
The Policy regulates the rules set forth by the relevant legislation by concretizing them within the scope of Company practices.

7. ENFORCEMENT AND UPDATING OF THE POLICY

The Policy will be effective from the date it is published on the Company website. The Policy will be reviewed as needed, and necessary sections will be updated.