Personal Data Protection Policy

GÜNDOĞDU GIDA SÜT ÜRÜNLERİ SANAYİ VE DIŞ TİCARET A.Ş.

PERSONAL DATA PROTECTION POLICY

01/06/2020

INTRODUCTION

The protection of personal data is a matter of importance for Gündoğdu Gıda Süt Ürünleri Sanayi Ve Dış Ticaret A.Ş. (hereinafter referred to as “Gündoğdu Gıda” or the “Company”). Since its establishment, Gündoğdu Gıda has kept confidential the personal data it has obtained from natural persons within the scope of its activities and has taken all kinds of technical and administrative measures to protect personal data and ensure data security. Gündoğdu Gıda adopted and applied the confidentiality of personal data as a working principle even before 7 April 2016, the date on which the Turkish Personal Data Protection Law No. 6698 (KVKK) entered into force.

In order to conduct all of its activities in compliance with both the Constitution of the Republic of Turkey and the KVKK and the secondary legislation on the subject, the Company adopts all of the principles stipulated by the KVKK and fulfils its obligations regarding the processing, deletion, destruction, anonymization and transfer of personal data, informing the Data Subject, and ensuring data security. This Personal Data Protection Policy, prepared within this scope, is made available to the natural persons whose personal data are processed.

1.1. DEFINITIONS

“Explicit Consent”	Consent relating to a specific subject, based on being informed and expressed with free will
“Employee”	A natural person who has an employee-employer or similar relationship with Gündoğdu Gıda under an employment contract or a service contract
“KVKK”	Turkish Personal Data Protection Law No. 6698 (KVKK)
“Personal Data”	Any information relating to an identified or identifiable natural person
“Anonymization of Personal Data”	The process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data
“Processing of Personal Data”	Any operation performed on data, such as the collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, takeover, making available, classification or prevention of use of personal data through fully or partially automated means or non-automated means provided that they form part of a data recording system
“Deletion of Personal Data”	The process of rendering personal data inaccessible and non-reusable in any way for the relevant users
“Destruction of Personal Data”	The process of rendering personal data inaccessible, irretrievable and non-reusable by anyone in any way
“Board”	Personal Data Protection Board
“Authority”	Personal Data Protection Authority
“Special Categories of Personal Data”	Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
“Personal Data Protection Policy”	Gündoğdu Gıda Personal Data Protection Policy
“Gündoğdu Gıda” or “Company”	Gündoğdu Gıda Süt Ürünleri Ve Dış Ticaret A.Ş.
Data Processor	The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system

1.2. PURPOSE AND SCOPE OF THE PERSONAL DATA PROTECTION POLICY

This Personal Data Protection Policy explains the matters relating to the collection, use, transfer, destruction and other forms of processing of personal data by Gündoğdu Gıda, as well as the technical and administrative measures taken by the Company for the protection of personal data and the rights of Data Subjects. This Personal Data Protection Policy applies to the personal data of;

Employees,
Job applicants,
Company shareholders,
Company officers,
Visitors,
Employees of institutions with which the Company cooperates,
Those who access any application and service offered by the Company, and
Third parties

processed within the scope of the KVKK. Personal data obtained from Data Subjects with their explicit consent or under the other lawful grounds listed in the KVKK are processed for the fulfilment of Gündoğdu Gıda's legal obligations, the due provision of its services, the improvement of the quality of the services provided and the enhancement of the quality policy, and for the other purposes specified in this Personal Data Protection Policy.

PROCESSING OF PERSONAL DATA

2.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

When carrying out personal data processing activities, Gündoğdu Gıda complies with the principles listed in Article 4 of the KVKK.

Compliance with the law and the rules of good faith:

Gündoğdu Gıda inquires into the source of the personal data it obtains from the Data Subject or from third parties and attaches importance to their being obtained and processed in compliance with the law and within the framework of the rules of good faith. Within this framework, the Company makes the necessary warnings and notifications to the third parties to which it transfers personal data for the purpose of protecting personal data.

Being accurate and, where necessary, up to date:

Gündoğdu Gıda attaches importance to ensuring that all data held within its legal entity constitute accurate information, do not contain incorrect information and, finally, that they are updated where changes to personal data are communicated to it. The Company exercises the reasonable care and attention incumbent upon it regarding the accuracy and currency of the personal data declared by its customers or by third parties who contact it.

Being processed for specific, explicit and legitimate purposes:

Gündoğdu Gıda sets out its legitimate and lawful data processing purposes in a specific and explicit manner before commencing the personal data processing activity. Personal data are not processed for purposes other than those so determined.

Being relevant, limited and proportionate to the purposes for which they are processed:

Gündoğdu Gıda carries out its personal data processing activities solely limited to the purpose of processing. Personal data that are not relevant to the determined purpose are not processed by Gündoğdu Gıda.

Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed:

Gündoğdu Gıda retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, when the period stipulated by the legislation expires or when all of the purposes of processing cease to exist, it deletes, destroys or anonymizes the personal data.

The aforementioned principles apply regardless of whether the Company has processed the personal data on the basis of explicit consent or in accordance with the other data processing conditions. At this point, Gündoğdu Gıda processes personal data in accordance with the data processing conditions and the general principles, and also fulfils its obligation to inform.

2.2. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

Gündoğdu Gıda processes personal data with explicit consent or, in accordance with the other data processing conditions, in the following enumerated cases:

Where it is expressly provided for by laws.
Where it is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person.
Where the processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the conclusion or performance of the contract.
Where it is necessary for the Data Controller to be able to fulfil its legal obligation.
Where the data have been made public by the Data Subject themselves.
Where data processing is necessary for the establishment, exercise or protection of a right.
Where data processing is necessary for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

According to the KVKK, data relating to persons' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, constitute special categories of personal data.

In the processing of special categories of personal data, Gündoğdu Gıda takes the additional measures stipulated by the KVKK and the Personal Data Protection Board.

In the processing of special categories of personal data, the data processing conditions listed in Article 6 of the KVKK and the additional measures announced by the Personal Data Protection Board are observed. Within this scope, special categories of personal data are processed in the following cases:

Where the explicit consent of the Data Subject exists
Where the processing of special categories of personal data other than those relating to health and sexual life is provided for by laws.
Where data relating to health and sexual life are processed by persons under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, the conduct of treatment and care services, and the planning and management of health services and their financing.

The procedures and principles regarding the processing, destruction and protection of special categories of personal data are regulated by the Gündoğdu Gıda Policy on the Protection and Processing of Special Categories of Personal Data.

2.3. PURPOSES OF PROCESSING PERSONAL DATA

Gündoğdu Gıda processes personal data for the purposes enumerated below within the framework of the legal grounds set out in Articles 5 and 6 of the KVKK:

Within the scope of the planning and execution of human resources activities; the personal data of job applicants are processed for the purposes of assessing suitability for the job and conducting personnel recruitment processes, while the personal data of employees are processed for purposes such as the performance of the employment contract, the establishment of fringe benefits, the conduct of promotion/bonus/raise processes, the fulfilment of obligations arising from the legislation to which the Company is subject, primarily the Labour Law, the execution of social insurance processes, the evaluation of employee performance, and similar purposes.

In addition, within the scope of its ordinary company activities and the services it provides to its customers, the Company processes personal data for purposes such as: the planning and execution of corporate sustainability activities, event management, the management of relationships with business partners or suppliers, the execution/monitoring of financial reporting and risk management operations, the execution/monitoring of legal affairs, the planning and execution of corporate communication activities, the execution of corporate governance activities, the performance of corporate and partnership law transactions, request and complaint management, the management of investor relations, ensuring the security of Gündoğdu Gıda buildings and facilities, the determination and implementation of the Company's commercial and business strategies, the resolution of Data Subjects' problems and complaints, ensuring their satisfaction and providing an effective service, responding to information requests from administrative and judicial authorities, ensuring compliance with legal processes and legislation, ensuring information and transaction security and preventing malicious use, and similar purposes.

Where a processing activity carried out for the aforementioned purposes does not satisfy any of the other data processing conditions stipulated under the KVKK, explicit consent is obtained by Gündoğdu Gıda from the Data Subject in relation to the relevant data processing process.

2.4. METHOD OF COLLECTING PERSONAL DATA

Gündoğdu Gıda collects personal data audibly, electronically or in writing, in physical and electronic environments, through contracts, digital media, notifications from administrative and judicial authorities, e-mail and other communication channels, in accordance with the personal data processing conditions specified in the KVKK and in line with the legal grounds specified in this Personal Data Protection Policy. The personal data in question are processed fundamentally within the scope of this Personal Data Protection Policy for the purposes of concluding the contract and providing better service to the Data Subjects.

Within this scope, personal data may be obtained when the services offered by the Company are used, when a legal relationship is established with the Company (purchase, intermediation, employment, etc.), or when contact is made with the Company in relation to the services through channels such as (post, e-mail, etc.).

Gündoğdu Gıda adopts the principle of acting in compliance with the law when obtaining personal data from both its business partners and its solution partners. Data are collected from business partners and solution partners subject to a data confidentiality undertaking and only to the extent required by the service, and at this point measures are taken to ensure data security.

Gündoğdu Gıda processes the personal data of its employees, without obtaining consent, to the extent necessary for the employment relationship and in other cases permitted by the relevant legislation, and ensures the confidentiality and protection of the personal data belonging to its employees.

TRANSFER OF PERSONAL DATA

The Company transfers personal data to third parties solely in line with the purposes specified in this Personal Data Protection Policy and in accordance with Articles 8 and 9 of the KVKK. Within this scope, the Company may transfer the personal data it has collected to the persons and institutions specified below for specific purposes:

To the Company's business partners, limited to the purpose of ensuring the fulfilment of the purposes for which the business partnership was established,
To the Company's suppliers, limited to the purpose of ensuring that the services which the Company procures externally from the supplier and which are necessary for the performance of the Company's commercial activities are provided to the Company,
To the Company's customers,
To authorized public institutions and organizations upon request,
To the Company's solution partners,

The purpose of the Company's sharing of personal data is to provide access to services, to fulfil its legal obligations, to ensure the implementation of the contract it has concluded with the Data Subject, to carry out purchase and sale transactions, or to prevent and detect fraudulent or illegal activities relating to the services, and to conduct its other commercial activities in compliance with the law.

Gündoğdu Gıda adopts the principle of acting in compliance with the law in its data sharing activities. Data are shared with the third parties to whom personal data are transferred only to the extent required by the service. The utmost care is taken to ensure that these parties take the measures relating to data security.

The personal data subject to the domestic and international transfers specified above are protected not only by technical measures ensuring data security but also legally by means of data transfer agreements.

The Company may share the personal data it processes with the public institutions and organizations legally authorized to request such information, for the purpose of performing its obligations under the laws (in cases where the Company has a legal or administrative obligation to notify or provide information, including but not limited to the fight against crime, threats to state and public security and the like).

RETENTION AND DESTRUCTION OF PERSONAL DATA

In accordance with the KVKK, personal data are kept accurate and up to date and are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. This period is determined separately for each category of personal data, and after the expiry of this period, the relevant personal data are deleted, destroyed or anonymized at the end of the periodic destruction periods determined in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Deletion of personal data refers to the process of rendering personal data inaccessible and non-reusable in any way for the relevant users; destruction of personal data refers to the process of rendering personal data inaccessible, irretrievable and non-reusable by anyone in any way; anonymization of personal data refers to rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.

Within this scope, Gündoğdu Gıda has determined the necessary periodic destruction periods and has established a Personal Data Retention and Destruction Policy. The Company records all operations carried out in relation to the deletion, destruction and anonymization of personal data and retains such records for at least three years, without prejudice to other legal obligations.

When Data Subjects apply to the Company and request the deletion or destruction of their personal data, Gündoğdu Gıda;

- If all of the conditions for processing personal data have ceased to exist, deletes, destroys or anonymizes the personal data subject to the request. It concludes the Data Subject's request within thirty days at the latest and informs the Data Subject.
- If all of the conditions for processing personal data have ceased to exist and the personal data subject to the request have been transferred to third parties, it notifies the third party of this situation and ensures that the necessary operations are carried out by the third party.
- If not all of the conditions for processing personal data have ceased to exist, it may reject this request by explaining its reasons in accordance with the third paragraph of Article 13 of the KVKK and notifies the Data Subject of the rejection in writing or electronically within thirty days at the latest.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA

In order to ensure the lawful processing of personal data, Gündoğdu Gıda takes technical and administrative measures in accordance with technological possibilities and the cost of implementation. The technical and administrative measures taken for the protection of personal data are applied with particular care and with additional measures with respect to special categories of personal data, and the necessary audits within the Company are ensured periodically at the highest level.

Gündoğdu Gıda has taken all appropriate security measures to ensure that personal data are processed only within the scope of the purposes specified in this Personal Data Protection Policy and to reduce risks such as malicious use, unauthorized access to, sharing, destruction or alteration of personal data. These security measures also include other precautions taken in matters such as the transfer of personal data to countries that may not provide an adequate level of data protection.

Personal data are confidential and Gündoğdu Gıda observes this confidentiality. Personal data can only be accessed by persons authorized within the Company. Within this framework, it is ensured that software complies with standards, that third parties are selected with care, and that the data protection policy is also observed within the Company.

Within the scope of the technical and administrative measures it takes to ensure data security, Gündoğdu Gıda;

Organizes regular training and awareness activities for its employees on the protection of personal data.
Establishes policies based on the Company's personal data processing inventory and designs the processes necessary for the implementation of the policies.
Identifies the Company's risks under personal data protection law and diligently carries out work aimed at eliminating those risks. Within this scope, it creates active information and explicit consent channels.
Carries out periodic internal audits within the Company to fulfil obligations relating to personal data protection law.
Continuously procures legal consultancy services regarding compliance with updated legislation.
Establishes a separate policy for the protection of special categories of personal data and implements the additional measures determined by the Board.
Implements the necessary measures such as data sharing agreements in the management of relationships with data processors.

Establishes a secure technical infrastructure to ensure the security of the databases in which personal data are to be stored.
Determines the procedures for reporting the technical measures taken and the audit processes.
Security-related precautions are renewed and improved periodically.
Network security and application security are ensured.
Closed-system networks are used for transfers of personal data via networks.
Key management is implemented.
Security measures within the scope of the procurement, development and maintenance of information technology systems are taken.
The security of personal data stored in the cloud is ensured.
Access logs are kept regularly.
Corporate policies on access, information security, use, retention and destruction have been prepared and put into practice.
Data masking measures are applied where necessary.
The authorizations of employees who change roles or leave employment are revoked in this area.
Firewalls are used.
Personal data security issues are reported quickly.
Personal data security is monitored.
The security of environments containing personal data is ensured.
Personal data are backed up and the security of the backed-up personal data is also ensured.
User account management and an authorization control system are implemented and monitored.
Log records are kept in a manner that prevents user intervention.
Intrusion detection and prevention systems are used.
Cyber security measures have been taken and their implementation is continuously monitored.
Encryption is applied.
Penetration testing is carried out.
Data loss prevention software is used.

In the event that, despite Gündoğdu Gıda having taken the necessary information security measures, personal data are damaged or fall into the hands of unauthorized third parties as a result of attacks on the platforms operated by Gündoğdu Gıda or on the Company's system, Gündoğdu Gıda acts immediately to remedy the breach in question and minimizes the damage to the person concerned. Gündoğdu Gıda immediately notifies the relevant Data Subjects and the Board of this situation and takes the necessary measures.

RIGHTS OF DATA SUBJECTS OVER THEIR PERSONAL DATA

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning themselves. In this context, the rights of the Data Subject over their personal data are listed in Article 11 of the KVKK as follows:

To learn whether their personal data are being processed,
To request information in this regard if their personal data have been processed,
To learn the purpose of the processing of their personal data and whether they are used in accordance with their purpose,
To know the third parties to whom their personal data are transferred, whether domestically or abroad,
To request the rectification of their personal data if they have been processed incompletely or incorrectly,
To request the deletion or destruction of their personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
To request that such deletion, destruction or rectification operations be notified to the third parties to whom the personal data have been transferred,
To object to the occurrence of a result to the detriment of the data subject through the analysis of the processed data exclusively by automated systems,
To claim compensation for damages in the event of suffering damage due to the unlawful processing of their personal data in violation of the KVKK.

Where Data Subjects submit their requests regarding the rights listed above in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controllerto the Company, Gündoğdu Gıda will conclude such request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on its nature. However, if the operation requires an additional cost, Gündoğdu Gıda may charge the fee in the tariff determined by the Board.

The Data Subject may submit their requests within the scope of the rights specified above in writing or by using a registered electronic mail (KEP) address, a secure electronic signature, a mobile signature, or the e-mail address previously notified to the Company by the Data Subject and registered in Gündoğdu Gıda's system. The application must include;

Name, surname and, if the application is in writing, signature,
For citizens of the Republic of Turkey, the Turkish ID number; for foreigners, their nationality, passport number or identity number if available,
The residential or business address to be used for notification purposes,
If available, the e-mail address, telephone and fax number to be used for notification purposes,
The subject of the request

and the information and documents relating to the subject must be attached to the application. Applications will only be taken into consideration if they are in Turkish. In order for third parties to submit an application request on behalf of Data Subjects, there must be a special power of attorney issued through a notary by the Data Subject in the name of the person who will make the application.

AMENDMENTS TO THE PERSONAL DATA PROTECTION POLICY

Gündoğdu Gıda may amend this Personal Data Protection Policy at any time. Such amendments take effect on the day the amended new Personal Data Protection Policy is published. The necessary notifications will be made to the Data Subjects so that they are aware of the amendments to this Personal Data Protection Policy.