PERSONAL DATA PROTECTION POLICY OF MODERN ÇİKOLATA
- Purpose and Scope:
This policy aims to describe the personal data processing activity and the methods adopted for the protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (KVKK) in all activities carried out by MODERN ÇİKOLATA. The Personal Data Protection and Processing Policy includes the principles applied to the collection, use, sharing, storage and disposal of personal data by MODERN ÇİKOLATA.
This Policy covers all personal data of persons such as customers, suppliers, corporate employees, trainees and employees who have been dismissed from MODERN ÇİKOLATA that are processed in the processes of our institution by non-automated means and are part of any data recording system.
- Authority and Responsibilities:
All employees, solution partners, business partners, external service providers, and other persons who store and process personal data in the institution are responsible for fulfilling the requirements for disposal of data specified in the Law, Regulation and Policy. Each business unit is responsible for preserving and protecting the data generated in its business processes.
It is the responsibility of the data responsible person to take the notice or correspondence with the KVK Board on behalf of the data manager or to register and accept the registration.
Within the institution;
- Data Specialist: MODERN ÇİKOLATA Food Industry. and Tic. Inc.
- Contact Person: Oğuzhan TAYYAR
has been determined.
- Definitions and Abbreviations:
Open Consent; Consent on a specific subject, informed and free.
Related User; The persons who process personal data within the data responsible organization or in accordance with the authority and instructions received from the data officer, except for the person or unit responsible for the technical storage, protection and back-up of the data.
Destruction; Deletion, destruction or anonymization of personal data.
Law; KVKK Law No. 6698 on the Protection of Personal Data.
Recording Environment; Any environment where personal data is processed by fully or partially automated means, or by non-automated means as part of any data recording system.
Personal Data; Any information relating to an identified or identifiable natural person.
Processing of Personal Data; Obtaining, recording, storing, altering, re-arranging, disclosing, transferring, taking over, making available, classification or use of personal data in whole or in part automatically or as part of any data logging system; any transaction performed on data, such as blocking.
Making Anonymous Personal Data; Making personal data such that, even when paired with other data, it cannot be associated with a specific or identifiable real person.
Deleting Personal Data; Making personal data inaccessible and unavailable to Users in any way.
Elimination of Personal Data; The process of making personal data inaccessible, non-retrievable and non-reusable by anyone.
Assembly; Personal Data Protection Board.
Personalized Personal Data; Data of individuals related to race, ethnic origin, political thought, philosophical belief, religious, sect or other beliefs, costume and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Periodic Destruction; The process of deleting, destroying or anonymizing the personal data stored in the Law on the retention and destruction of personal data in the event of an abolition of all personal data.
Data Owner / Contact Person; The person whose personal data is processed.
Data Processing; A natural or legal person handling personal data on his behalf on the basis of the authority conferred by the data officer.
Data Responsible; A natural or legal person who is responsible for setting up and managing the data recording system, determining the means and means of processing the personal data.
- Personal Data Processing and Protection Policy:
This policy of MODERN ÇİKOLATA sets out, in a concrete way, the measures required for the protection and processing of personal data and the process applied. In the event that the relevant laws and regulations are incompatible with this policy, or if the policy is not up to date with the updated legislation, MODERN ÇİKOLATA agrees to comply with the applicable legislation. As laws and regulations change, this policy is updated and revised to ensure that MODERN ÇİKOLATA fulfills the legal requirements.
4.1. Securing Personal Data
MODERN ÇİKOLATA takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.
In accordance with Article 12 (1) of the ICCB, it takes the necessary measures to ensure the following conditions:
- To prevent unlawful processing of personal data,
- To prevent unlawful access to personal data,
- Maintaining personal data.
The measures implemented by MODERN ÇİKOLATA to ensure the security of personal data are detailed in the sub-clauses.
4.1.1. Technical Measures
Technical measures are taken according to the developments in technology. Infrastructure investments are made suitable for developing technology. Software and hardware, including virus protection systems and firewalls, are installed. Access to software that hosts personal data is restricted by limited authorization. Access controls are performed at certain periods. The transaction log records are kept in the ERP applications provided by the personnel. Versions of the systems that have the necessary safety measures against current and known openings are used. The information obtained as a result of controlling the security of the systems is reported to the related parties. Risk points are determined and necessary technical measures are taken. In order to maintain the security of personal data, awareness is promoted as part of the corporate culture through a continuously functioning technical model. Clearance and penetration tests are performed at certain periods to ensure the security of the corporate network. All equipment in MODERN ÇİKOLATA is protected by antivirus applications. In order to prevent unauthorized access, MODERN ÇİKOLATA provides alarm systems, fingerprint readers, security personnel, camera systems and other protection measures. Critical equipment is protected against possible natural disasters by UPS, fire-fighting and heat / liquid alarm systems. Expired data is destroyed by paper shredders. The ISO 27001 Information Security Management System is applied throughout the institution, which is audited by institutions accredited by Turkey's accreditation institution.
4.1.2. Administrative Measures
MODERN ÇİKOLATA takes the necessary administrative measures to ensure the security of personal data and supervises their implementation. It acts in accordance with the ISO 27001 Information Security Management System standard to ensure the proper protection, processing, deletion, destruction and anonymisation of personal data within the organization. MODERN ÇİKOLATA employs knowledgeable and experienced persons in order to ensure data security and provides necessary training to its personnel. Internal controls are performed for installed systems. The processes of risk analysis, data classification, information security risk assessment and business impact analysis are operated within the scope of the established systems. The authorities and rules of access to personal data are identified for employees in information technology units. Employees are informed that they may not disclose the personal data they have learned to anyone else in contravention of the provisions of the Law, may not use it for anything other than the purpose of processing, and that this obligation continues after the termination of their duty. Necessary commitments are taken from the employees accordingly. When personal data is shared with third parties, a framework agreement is signed with the persons with whom personal data is shared, or the security of the data is ensured with provisions added to the contracts. Depending on the activity of the third party with whom the data is shared, KVKK sanctions are added to the dealer contracts. Third parties with whom personal data is shared accept provisions stating that they will take the necessary security measures to protect personal data and ensure that these measures are complied with in their organizations. In the event that it is determined that the personal data processed has been obtained by others in spite of the measures taken, the data responsible shall inform the related person and the KVK Board through the contact person. How the personal data was obtained by others is investigated.
MODERN ÇİKOLATA implements the necessary administrative measures to eliminate the weakness it has detected, and takes technical measures when needed.
4.1.3. Securing Personal Data in a Secure Environment
MODERN ÇİKOLATA takes necessary technical and administrative measures according to technological opportunities and application cost in order to store the personal data obtained in safe environments. For physical data; archives created by authorized persons have been created. In order to identify critical data within the organization, information classifications have been made. Personnel data is maintained only in suitable environments accessible to authorized personnel. Access to personal data is only available to authorized personnel.
4.1.4. Audits for the Sustainability of Protection of Personal Data
MODERN ÇİKOLATA carries out, or has carried out, the necessary inspections in accordance with Article 12 of the Law. Internal and external audits are conducted to ensure the sustainability of the Information Security Management System. Regular penetration tests are performed for technical openings in the systems. Systems are regularly monitored by computing. Necessary technical and administrative measures are taken on the basis of the findings from monitoring the management systems and from the data produced by the warning systems. In case of unlawful access to or processing of personal data, the Data Officer is informed.
4.1.5. Measures taken in case of unauthorized disclosure of personal data
In accordance with Article 12 of the Law, MODERN ÇİKOLATA informs the related personal data holder and the KVK Board if the personal data processed is disclosed without authorization.
If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by other means.
4.1.6. Measures Applied to Ensure the Protection of Personal Data by Third Parties
In its contracts with third parties, MODERN ÇİKOLATA includes the necessary sanctions for preventing the unlawful processing of personal data, preventing unlawful access to the data and maintaining the data. Confidentiality agreements are signed with third parties before sharing information. Information is provided to third parties to increase awareness.
4.1.7. Measures for the Protection of Specially Qualified Personal Data
Sufficient measures should be taken for special personal data, either because of their qualifications or because they may lead to victimization or discrimination. In Article 6 of the Law, personal data that are at risk of causing discrimination against persons when they are unlawfully processed are designated as "Special Qualities".
These data; data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data.
MODERN ÇİKOLATA takes the necessary measures to protect the personal data that are designated as "special" by the Law and that are processed in accordance with the law. The technical and administrative measures taken to protect personal data are applied with particular sensitivity to special personal data.
The personalized personal data of MODERN ÇİKOLATA are processed with the condition that adequate measures will be taken by the KVK Board. The clear consent of the data holder is obtained before the special personal data is processed. If the data owner does not have clear consent, it can be processed with the authority given by the law in accordance with the following criteria.
- Personal personal data, other than the health and sexual life of the personal data holder, shall be
- The personal and personal data of the personal data owner and his / her sexual life are only for the purpose of planning and managing the health care financing, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, organizations.
4.1.8. Creating Awareness for the Protection of Personal Data
In order to prevent unlawful access to personal data, to prevent unlawful access to data and to increase awareness of data retention, the business units are informed, trainings are organized and their activities are measured. Other documents related to the Personal Data Protection and Processing Policy have been published on the website of our institution. MODERN ÇİKOLATA employees are informed about this policy.
Policies are revised and announced to employees in case of changes in relevant laws, regulations or regulations.
4.2. Principles for Processing Personal Data:
In Article 4 (2) of the Law, principles have been defined for the processing of personal data. MODERN ÇİKOLATA processes personal data in accordance with the determined principles.
The processing of personal data is carried out in accordance with the following principles;
- To comply with the rules of law and integrity,
- Being accurate and up-to-date,
- Processing for specific, clear and legitimate purposes,
- Connected, limited and measured,
- Not being retained longer than the period stipulated in the relevant legislation or required for the purpose for which they were processed.
4.3. Conditions for Processing Personal Data:
MODERN ÇİKOLATA takes the majority of the data received from the Related Persons due to legal obligations. According to Article 5/2 of the Personal Protection Act, the processing of the data:
- a) Clearly prescribed in law.
- b) It is obligatory for the protection of the life or body integrity of a person who is unable to disclose his consent due to impossibility or whose consent is not legally recognized, or of someone else.
- c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.
- d) The data officer is obliged to fulfill his legal obligation.
- e) It is publicized by the person concerned.
- f) Data processing is mandatory for the establishment, use or protection of a right.
- g) Data is compulsory for the legitimate interests of the data responsible, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Apart from the above mentioned circumstances, MODERN ÇİKOLATA only processes personal data by providing clear consent of the data owners.
4.4. Disposal of Personal Data:
MODERN ÇİKOLATA will dispose of its personal data if it is not compulsory for personal data owners to use it for legal reasons or for the protection of public order. The personal data of the data owners are destroyed according to the decision of the institution when the requirements for the continuation of the service for the citizen, the fulfillment of the legal obligations, and the planning of employee rights and benefits are eliminated. The rules and method for the destruction of personal data are detailed in the “Personal Data Retention and Disposal Policy”.
4.5. Transfer of Personal Data to Domestic Persons:
MODERN ÇİKOLATA is strictly abiding by the provisions of the Law with regard to the sharing of personal data with third parties without prejudice to the provisions of other laws. In this context, personal data is not transferred to third parties without the express consent of the data holder. However, in the presence of one of the following conditions specified in the Law, personal data; it can also be transferred without the explicit consent of the data holder.
These situations are as follows:
- Clearly prescribed by law,
- It is compulsory for the protection of the life or body integrity of a person who is unable to explain his consent due to impossibility or whose consent is not legally recognized, or of someone else,
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
- Compliance with the legal liability of the data responsible,
- It is publicized by the data owner itself,
- Data processing is mandatory for the establishment, use or protection of a right,
- It is compulsory to process data for the legitimate interests of the data responsible, without prejudice to the fundamental rights and freedoms of the data holder.
Provided that adequate measures are taken, special personal data other than health and sexual life can be transferred without explicit consent where provided for in the laws, and personal data relating to health and sexual life can be transferred without explicit consent for purposes such as:
- Protection of public health,
- Preventive medicine,
- Medical diagnosis,
- Carrying out treatment and care services,
- Planning and management of health services and financing.
In the transfer of special personal data, the conditions specified in the processing conditions of these data are complied with.
4.6. Transferring Personal Data to People Abroad:
Among all personal data within MODERN ÇİKOLATA, only the data of the personnel working in the relevant companies is transferred abroad, in order to carry out the logistics operations in the export process.
4.7. Categorization of Personal Data:
Personal data is divided by MODERN ÇİKOLATA into two groups: “Data Subject Person Group” and “Data Type”.
4.7.1. Data Subject Contact Group Categories
Employee / Old Employee Personal Data is the personal data received for the purpose of performing Customer / Supplier Personal Data, R & D, production, sales and support services. Most of these data are personal data that are required by the relevant laws. Clear consent is obtained for non-mandatory personal data.
4.7.2. Data Type Categories
Identity, Communication, Location, Personnel, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Finance, Professional Experience, Marketing, Visual and Audio Records, Race and Ethnicity, Philosophical Belief, Religion, Sect and Other Beliefs, Disguise , Health Information, Sexual Life, Criminal Sentence And Security Measures, Biometric Data
4.7.3. Printed Documents
MODERN ÇİKOLATA collects personal data of its suppliers, customers and employees in a printed document environment in some cases for its services. Such data are processed, stored and destroyed in accordance with the conditions specified in the Law.
4.7.4. Camera record
In order to provide security by MODERN ÇİKOLATA, personal data processing activities are carried out for monitoring the guest entry and exit activities with security cameras in our Institution buildings and facilities.
Within this scope, MODERN ÇİKOLATA acts in accordance with the Constitution, KVK Law and other relevant legislation.
The records of our visitors are taken from the premises of our institution through the camera and the camera monitoring system.
The monitoring activities with our security cameras are intended to improve the quality of the service offered, to ensure the reliability of the institution, and to provide security for staff, customers and other people.
In order to conduct surveillance activities with the camera for security purposes, we comply with the regulations of KVK Law.
Only a limited number of institution employees have access to records stored in digital media. Confidentiality agreements are signed with the personnel who have access authorization.
In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken to ensure the security of the personal data obtained by the monitoring activity.
4.7.5. Personal Data of Visitors
In order to ensure the safety of the visitors to the MODERN ÇİKOLATA, only the first and last name information is received without any personal data from the person concerned.
4.7.6. Biometric Personal Data
Fingerprint data from staff is hosted for access control of critical areas in the organization. Fingerprint data is processed in accordance with the KVK Law, is stored in the device in a closed circuit, and cannot be shared.
4.8. Rights of the Personal Data Holder and Application Methods to Our Institution:
You can reach the full text of the Law at http://www.mevzuat.gov.tr/MevzuatMetin/1.5.6698.pdf.
Article 11 - (1) By applying to the data officer, everyone has the right to:
- Learn whether your personal data has been processed,
- Request information if your personal data has been processed,
- Learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
- Know the third parties to which your personal data is transferred domestically or abroad,
- Request correction of your personal data if it is incomplete or incorrectly processed,
- Request the deletion or destruction of your personal data,
- Request that these transactions be notified to third parties to which your personal data has been transferred if your personal data is corrected, deleted or destroyed,
- Object to the emergence of a result against you through analysis of your processed data exclusively by automated systems,
- Request compensation for the loss if you incur losses due to unlawful processing of your personal data.
Application methods for your personal data are as follows;
|Application Method|Address Of Application|Information to be Submitted for Application Submission|
|---|---|---|
|Application sent by post via PTT to the official address|Organize Sanayi Bölgesi, 6. Caddesi, 70000 Merkez/Karaman|“Information Request under the Law of Protection of Personal Data” will be written on the envelope.|
|Application Notarized by Notary|Organize Sanayi Bölgesi, 6. Caddesi, 70000 Merkez/Karaman|“Information Request under the Law on the Protection of Personal Data” will be written on the notification envelope.|
|Application Signed by a Secure Electronic Signature, via Registered Electronic Mail (KEP)|[email protected]|“Information Request for Personal Data Protection Law” will be written in the subject of the e-mail.|
In addition, after the announcement of other methods determined by the Board, it will be announced by our company how the applications will be received through these methods. Please indicate the method of notification of your response to your application.
Your applications submitted to us will be replied to within thirty days from the date on which your request is received by us, in accordance with the second paragraph of Article 13 of the KVK Law. Our responses will be sent to you in writing or electronically in accordance with the provisions of Article 13 of the Law.
4.9. Personal Data Owners and Categories Stored and Processed in Our Institution:
Personal data of the employees, suppliers, business partners and customers of MODERN ÇİKOLATA are hosted. The categories of personal data received are as follows;
- Candidate Employee Data;
Name Surname, ID Number, Address, Photo, Place of Birth, Date of Birth, Nationality, Telephone Information, Population Registration Information, Mother Name, Father Name, Spouse, Child Information, Gender
- Employee / Old Employee Personal Data:
Name Surname, Identity Number, Identity Number Name, Photograph, Mother’s Name Surname, Maternal Identity Number, Father Name Surname, Father TC Identity Number, First Name Surname, Spouse TR Identity Number, Child Name Surname, Child Identity Number, Birth Location, Date of Birth, Population Registration Location, Volume No, Religious Information, Family Order Number, Bill Number, Blood Group, Obstacle Status, Health Information, Old Surname, Gender, Payroll Information, Employee Staff Payroll Records, Bank Information, Tax Exemption Letter, Address Information, Mail Address, Telephone Information, Forensic Register, Learning Information, AGİ Form, Discipline Records, Military Information, SGK Registration Number
- Customer / Supplier Personal Data:
Name Surname, Institution, Mail Address, Telephone, Address, Signature, TC Identification Number, Tax Number, Bank Account Information, Car Sticker, Training Information, Passport Information.
- Partner Personal Data:
Name Surname, Institution, Mail Address, Telephone, Address, Signature, TC Identification Number, Tax Number, Bank Account Information, Car Sticker, Training Information, Passport Information.
4.10. Disclosure and Information Obligation:
Under Article 10 of the Act, data owners need to be informed prior to the acquisition of personal data or at the latest at the time of acquisition. The information required to be communicated to the data owners within the framework of the said disclosure obligation is as follows:
- the identity of the data responsible and its representative,
- The purpose for which personal data will be processed,
- To whom and for which purpose personal data can be transferred,
- The method and legal reason for collecting personal data,
- Other rights referred to in Article 11 of the Law.
On the other hand, under Article 28 (1) of the Law, there is no disclosure obligation in the following cases:
- The processing of personal data by natural persons within the scope of activities related entirely to themselves or to family members living in the same residence, provided that the data are not given to third parties and the obligations related to data security are complied with,
- Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
- the processing of personal data within the scope of art, history, literature or scientific purposes or freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been given duties and authority by law in order to provide national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities for investigations, prosecutions, proceedings or executions.
MODERN ÇİKOLATA Disclosure Declaration and KVKK Open Consent Document documents were created for the data owners to get their disclosure and clear consent.
4.11. Conditions for Deletion, Destruction and Anonymization of Personal Data:
MODERN ÇİKOLATA deletes, destroys or anonymizes the personal data it has obtained, in accordance with the request of its personal data holders, because of legal obligations and if it is not obligatory to use it for the protection of public order. The rules and method for deleting, destroying and anonymizing personal data are detailed in the “Personal Data Retention and Disposal Policy”.
- Reference Documents
- Law No. 6698 on the Protection of Personal Data,
- Regulation on the Deletion, Destruction or Anonymization of Personal Data.