NİL UNLU MAMULLERİ GIDA PASTACILIK SANAYİ VE TİCARET ANONİM ŞİRKETİ
PERSONAL DATA PROCESSING, PROTECTION, AND PRIVACY POLICY

SECTION ONE
INTRODUCTION

1.1 Introduction
As NİL UNLU MAMULLERİ GIDA PASTACILIK SANAYİ VE TİCARET ANONİM ŞİRKETİ ("Company"), we attach utmost importance to the lawful processing and protection of all personal data of real persons that we come into contact with during our commercial activities, in accordance with the Law on the Protection of Personal Data No. 6698 ("KVKK" or "Law"). We approach all our planning and activities with this awareness. With this in mind, we present this Personal Data Processing, Protection, and Privacy Policy ("Policy") to inform you, both to fulfill the obligation of disclosure under Article 10 of the Law, and to share the administrative and technical measures we take regarding the processing and protection of personal data.

1.2 Purpose of the Policy
The primary aim of this Policy is to provide explanations regarding systems for the processing and protection of personal data in accordance with the law and the purpose of the Law, and to inform the stakeholders of the Company, including the Company's officials, business partners, suppliers, consultants, employees, job candidates, visitors, customers, potential customers, third parties, official institutions, banks, independent auditing organizations, and others whose personal data is processed by our Company. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection activities carried out by our Company and to protect all the rights of the data subjects concerning their personal data.

1.3 Scope of the Policy and Data Subjects
This Policy is prepared for individuals whose personal data is processed by our Company, either automatically or through non-automatic methods as part of a data recording system, including internal and external stakeholders of the Company, Company officials, business partners, suppliers, consultants, employees, job candidates, visitors, customers, potential customers, third parties, official institutions, banks, and independent auditing organizations, and it will apply to those persons mentioned. Our Company informs the data subjects about the Law by publishing this Policy on its website. If the data does not fall under the definition of "Personal Data" as specified below, or if the personal data processing activity is not carried out by our Company in the above-mentioned ways, this Policy will not be applicable.

1.4 Definitions
The concepts used in this Policy have the following meanings:

  • Company/Our Company: Refers to NİL UNLU MAMULLERİ GIDA PASTACILIK SANAYİ VE TİCARET ANONİM ŞİRKETİ.

  • Personal Data/Data: Refers to any information relating to an identified or identifiable natural person.

  • Special Categories of Personal Data/Data: Includes data related to race, ethnicity, political opinion, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

  • Processing of Personal Data: Refers to any operation performed on personal data, including obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, receiving, making available, classifying, or restricting the use of personal data, either wholly or partly by automated means or through non-automated methods as part of a data recording system.

  • Record Media: Refers to any environment where personal data processed wholly or partly automatically or non-automatically as part of a data recording system is stored.

  • Data Subject: Refers to the individuals whose personal data is processed by the Company, including internal and external stakeholders, company officials, business partners, suppliers, consultants, employees, job candidates, visitors, customers, potential customers, third parties, official institutions, banks, and independent auditing organizations.

  • Data Recording System: Refers to the system where personal data is processed according to certain criteria.

  • Data Controller: Refers to the legal entity responsible for determining the purposes and means of processing personal data, as well as establishing and managing the data recording system.

  • Data Processor: Refers to the real and legal persons who process personal data on behalf of the data controller based on the authority granted.

  • Authorized User: Refers to those responsible for the technical storage, protection, and backup of the data or other individuals who process personal data within the data controller's organization or based on instructions received from the data controller.

  • Explicit Consent: Refers to consent that is based on information and given freely for a specific issue.

  • Destruction: Refers to the deletion, destruction, or anonymization of personal data.

  • Anonymization: Refers to the process by which personal data, previously associated with a person, is made irretrievable and unidentifiable even if combined with other data.

  • Deletion of Personal Data: Refers to making personal data inaccessible and unusable by authorized users.

  • Destruction of Personal Data: Refers to the irreversible process of making personal data inaccessible and irretrievable by anyone.

  • Periodic Destruction: Refers to the deletion, destruction, or anonymization of personal data, performed periodically when the conditions for processing personal data no longer apply, in accordance with the data retention and destruction policy.

  • Law/KVKK: Refers to the Law No. 6698 on the Protection of Personal Data.

  • Regulation: Refers to the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

  • KVKK Board: Refers to the Personal Data Protection Board.

    1.5. Effective Date of the Policy

    This Policy, which was organized by the Company and came into force on April 3, 2018, is published on the Company's website (www.nevalefirin.com) and is made available to the relevant persons upon their request.

    SECTION TWO

    PROCESSING AND TRANSFER OF PERSONAL DATA

    2.1. General Principles for the Processing of Personal Data

    The Company processes Personal Data in accordance with the provisions set forth in the Law on the Protection of Personal Data No. 6698 (“KVKK” or “Law”) and other relevant laws, as well as this Policy. In this regard, the Company acts in accordance with the following principles while processing Personal Data:

    • Personal Data is processed in accordance with the relevant legal rules and the principle of honesty. Under this principle, the Company's data processing activities are carried out within the limits required by all relevant legislation, including the Constitution and the KVKK, as well as the rules of honesty.
    • The Company ensures that Personal Data is accurate and up to date, provided that the data subject is informed. To this end, the sources from which data is obtained, the verification of its accuracy, and the assessment of whether it needs to be updated are carefully considered.
    • Personal Data is processed for specific, explicit, and legitimate purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is related to its business or services and is necessary for those purposes.
    • The Company processes Personal Data only for the clearly identified legitimate purposes and does not engage in data processing activities outside of these purposes. In this context, the Company processes Personal Data only when necessary in connection with the business relationship established with the relevant persons.
    • Personal Data is processed only to the extent necessary to achieve the specific purpose, and the processing of Personal Data unrelated or unnecessary for that purpose is avoided. The processed data is limited and proportional to the purpose for which it is processed.
    • If there is a legally prescribed retention period for Personal Data in relevant legislation, the Company complies with these periods; otherwise, the Company retains Personal Data only for as long as necessary for the purpose for which it was processed. If there is no valid reason to retain the data further, it will be deleted, destroyed, or anonymized.

    2.2. Conditions for Processing Personal Data

    Except for the exceptions stated in the Law, the Company does not process Personal Data without the explicit consent of the relevant person. However, if any of the following conditions exist, Personal Data may be processed even without the explicit consent of the relevant person:

    • The Company may process the Personal Data of the Relevant Person without their explicit consent in cases where it is explicitly prescribed by the laws. For example, according to Article 230 of the Tax Procedure Law, the explicit consent of the relevant person will not be sought for placing their name on an invoice.
    • Personal Data may be processed without explicit consent if the person is in a situation where they cannot provide consent due to physical impossibility, or their consent is not legally valid, and processing is necessary for the protection of life or bodily integrity of themselves or another person. For instance, if a person is unconscious or mentally ill, their Personal Data may be processed for medical intervention. In this context, data such as blood type, past illnesses, surgeries, and medication used may be processed through the relevant healthcare system.
    • The Company may process Personal Data if it is directly related to the establishment or performance of a contract. For example, in accordance with a contract, the creditor’s bank account number may be collected for payment.
    • The Company may process Personal Data if it is necessary for fulfilling legal obligations as a data controller.
    • The Company may process Personal Data if the data subject has made it public, meaning the data has been disclosed to the public.
    • The Company may process Personal Data without the explicit consent of the relevant person if it is necessary for the establishment, exercise, or protection of a legal right.
    • The Company may process Personal Data without the explicit consent of the relevant person if it is necessary for legitimate interests, provided that such processing does not harm the fundamental rights and freedoms of the data subject. The Company ensures that the fundamental principles regarding the protection of Personal Data are adhered to and takes into account the balance of interests of the relevant persons.

    2.3. Conditions for Processing Special Categories of Personal Data

    The Company does not process Special Categories of Personal Data without the explicit consent of the relevant person. However, Personal Data excluding health and sexual life may be processed without explicit consent in cases prescribed by law. Health and sexual life-related Personal Data may only be processed by the Company without explicit consent in situations related to the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning, and management of health services and financing, provided that the Company is under the obligation of confidentiality. The Company ensures that the necessary measures determined by the Personal Data Protection Board are taken while processing Special Categories of Personal Data.

    2.4. Conditions for the Transfer of Personal Data

    The Company may transfer Personal Data and Special Categories of Personal Data to third parties in accordance with the provisions of the Law, ensuring necessary confidentiality and security measures. The Company ensures that the transfer of Personal Data complies with the regulations set out in the Law. In this context, the Company may transfer Personal Data to third parties based on one or more of the Personal Data processing conditions stated in Article 5 of the Law:

    • If the Relevant Person’s explicit consent is obtained;
    • If there is an explicit regulation in the laws regarding the transfer of Personal Data;
    • If it is necessary for the protection of the life or bodily integrity of the Relevant Person or another person;
    • If the Relevant Person is unable to provide consent due to physical impossibility or their consent is legally invalid;
    • If it is necessary to transfer Personal Data directly related to the establishment or performance of a contract;
    • If it is necessary for the Company to fulfill its legal obligations;
    • If the Relevant Person has made the Personal Data public;
    • If the transfer of Personal Data is necessary for the establishment, exercise, or protection of a right;
    • If it is necessary for the legitimate interests of the Company, provided that the relevant person’s fundamental rights and freedoms are not violated.

    2.4.1. Conditions for the Transfer of Personal Data Abroad

    The Company may transfer Personal Data and Special Categories of Personal Data to third parties abroad, taking necessary security measures. The Company may transfer Personal Data to foreign countries that have been declared by the Personal Data Protection Board as providing adequate protection or to foreign countries where the data controllers in both Turkey and the relevant foreign country have committed in writing to provide adequate protection, and with the permission of the Personal Data Protection Board.

    2.5. Conditions for Transferring Special Categories of Personal Data

    The Company, taking necessary precautions and security measures and ensuring that the appropriate measures foreseen by the Personal Data Protection Board (KVK Board) are in place, may transfer the Relevant Person's Special Categories of Personal Data to third parties under the following circumstances, in accordance with legitimate and lawful purposes for processing Personal Data:

    • If the Relevant Person gives explicit consent, or
    • In the presence of the following conditions, without the need for the Relevant Person's explicit consent:

    The Relevant Person's Special Categories of Personal Data, excluding health and sexual life (which include race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data), may be transferred in situations foreseen by law.

    The Relevant Person's health and sexual life-related Special Categories of Personal Data may only be transferred to persons or authorized institutions and organizations that are under an obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as planning and managing healthcare services and their financing.

    2.5.1. Transfer of Special Categories of Personal Data Abroad

    The Company, taking necessary precautions and security measures and ensuring that sufficient safeguards are in place as prescribed by the Personal Data Protection Board (KVK Board), may transfer the Relevant Person's Special Categories of Personal Data to foreign countries where there is a data controller who provides adequate protection or commits to providing adequate protection, in accordance with legitimate and lawful purposes for processing Personal Data, under the following conditions:

    • If the Relevant Person gives explicit consent, or
    • In the presence of the following conditions, without the need for the Relevant Person's explicit consent:

    The Relevant Person's Special Categories of Personal Data, excluding health and sexual life (which include race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data), may be transferred in situations foreseen by law.

    The Relevant Person's health and sexual life-related Special Categories of Personal Data may only be transferred to persons or authorized institutions and organizations that are under an obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as planning and managing healthcare services and their financing.


    SECTION THREE

    PURPOSES OF PROCESSING AND TRANSFERRING PERSONAL DATA, PERSONS TO WHOM DATA MAY BE TRANSFERRED

    3.1. Purposes of Processing and Transferring Personal Data

    Personal Data is processed in compliance with the law and the purpose of the Law for the following purposes:

    • Ensuring the general and commercial security of the Company and its businesses
    • Managing recruitment processes and ensuring security measures
    • Properly planning and implementing human resources policies
    • Planning, executing, and managing commercial partnerships and strategies
    • Ensuring the legal, commercial, and physical security of the Company and its partners
    • Ensuring the corporate operations, management, and communication activities
    • Ensuring the Relevant Person benefits from the Company's products and services in the best way, tailored to their needs and requests
    • Creating databases for customers, commercial partners, suppliers, employees, and job candidates
    • Communicating with persons who submit requests and complaints, and managing request and complaint handling
    • Managing relations with business partners or suppliers
    • Carrying out recruitment processes
    • Executing/following up on financial reporting and risk management
    • Managing legal affairs of the Company
    • Protecting the Company's reputation
    • Managing investor relations
    • Providing information to authorized institutions based on legal obligations
    • Conducting security-related activities, such as video recording processes, identity and permission procedures at facility entrances, conducting OSH training, maintaining workplace accident records, managing visitor procedures, coordinating emergency operations, and implementing health processes
    • Managing visitor registrations and tracking them, and other activities in compliance with the relevant data processing conditions under Articles 5 and 6 of the Law

    Personal Data will be processed in accordance with the conditions stipulated in the Law. If the processing activity does not meet the requirements outlined by the Law, explicit consent from the Relevant Person will be obtained.

    3.2. Persons to Whom Personal Data May Be Transferred

    Personal Data may be shared with business and solution partners, banks, technical, logistical, and other third parties who perform tasks on behalf of the Company, in order to ensure the full and flawless provision of the services. These third parties are those who need access to the relevant information in order to fully and flawlessly provide the services.

    Apart from these, Personal Data may also be shared with other third parties when it is necessary for the Company to fulfill its legal obligations, or when explicitly foreseen in laws, or in the case of a judicial or administrative order.

    Some Personal Data may be shared with advertisers for the purpose of customizing advertisements for target audiences, but only in aggregated or anonymized forms that cannot identify the individual.

    If anonymized data is shared, it will not be linked to any identifiable individual, and the confidentiality of the Relevant Person is guaranteed.


    SECTION FOUR

    METHOD OF COLLECTING PERSONAL DATA, LEGAL BASIS, DELETION, DESTRUCTION, ANONYMIZATION, AND STORAGE PERIOD

    4.1. Method of Collecting Personal Data and Legal Basis

    In order to ensure compliance with the purposes outlined in Article 1 and the scope defined in Article 2 of the Law, Personal Data is collected through various methods such as verbal, written, phone, fax, email, other electronic means, technical methods, and from various sources including the Company’s website, mobile applications, etc. Personal Data is collected based on legal obligations, contracts, requests, and consent for the purposes outlined in this Policy, ensuring that the responsibilities of the Company are fulfilled accurately and completely.

    4.2. Deletion, Destruction, or Anonymization of Personal Data

    Unless otherwise provided by other laws, the Company, in accordance with the Law and other applicable laws, will delete, destroy, or anonymize Personal Data when the reasons for processing no longer exist. This will be done either by the Company or upon the request of the Relevant Person. The deletion of Personal Data means making it completely inaccessible and unusable. The destruction of Personal Data means the irreversible destruction of materials such as documents, files, CDs, diskettes, or hard disks containing personal data. Anonymization refers to making the data irreversibly unidentifiable to any individual, even if combined with other data.

    4.3. Retention Period of Personal Data

    The Company retains Personal Data for the duration specified in the relevant legislation. If no specific retention period is provided in the legislation, the Company will store the data for as long as necessary for the activities being performed or as required by the Company’s practices and commercial customs. After this period, the data will be deleted, destroyed, or anonymized.

    If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and the Company have expired, personal data may be stored only for the purpose of constituting evidence in possible legal disputes, asserting the relevant right related to the personal data, or establishing a defense. The retention periods here are determined based on the statute of limitations for asserting the aforementioned right and on the examples in requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it is required for use in the relevant legal dispute. After the aforementioned period expires, the personal data is deleted, destroyed, or anonymized. Detailed provisions on the Company's techniques for the storage, deletion, destruction, and anonymization of Personal Data are included in the Company's Personal Data Retention and Destruction Policy.

    SECTION FIVE

    5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

    In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of Personal Data, to prevent unlawful access to data and to ensure the preservation of data, and conducts or has the necessary audits carried out within this scope.

    5.1. Ensuring the Security of Personal Data

    5.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

    The Company takes technical and administrative measures to ensure that Personal Data is processed in accordance with the law, according to technological possibilities and implementation cost.

    Technical Measures Taken to Ensure the Lawful Processing of Personal Data

    The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

    • The authorization system ensures that unauthorized individuals or institutions are prevented from accessing personal data.
    • The personal data processing activities carried out within the company are monitored through established technical systems.
    • The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
    • The company works with personnel or organizations that are knowledgeable in technical matters.

    Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

    The main administrative measures taken by the company to ensure the lawful processing of Personal Data are listed below:

    • Employees are informed and trained on the protection of personal data law and the lawful processing of personal data.
    • The company conducts and ensures the necessary audits to enforce the provisions of the Law within its institution or organization.
    • All activities carried out by the company are analyzed in detail by each department, and as a result of this analysis, personal data processing activities conducted by the relevant department are identified.
    • The personal data processing activities carried out by the company’s departments are determined in relation to the requirements to ensure compliance with the personal data processing conditions set forth by the Law, and the specific requirements for each department’s activities are established.
    • To ensure compliance with the legal requirements for each department, awareness is raised within the relevant departments, and implementation rules are set. Administrative measures for monitoring these aspects and ensuring continuous implementation are carried out through internal company policies and training.
    • The company employs knowledgeable and experienced personnel regarding the processing of personal data and provides necessary training on the Law on the Protection of Personal Data (KVK).
    • Contracts and documents that govern the legal relationship between the company and its employees include obligations not to process, disclose, or use personal data, except as instructed by the company or as stipulated by legal exceptions. Awareness is raised among employees on this matter, and audits are conducted to ensure compliance with the obligations under the Law.
    • In the event that personal data is obtained through unlawful means by others, the company will report the situation to the relevant parties and the Board as soon as possible.
    • Regarding the sharing of personal data, the company ensures data security by signing framework agreements with those to whom personal data is shared or by adding provisions to existing contracts.

5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The Company takes technical and administrative measures based on the nature of the data to be protected, technological capabilities, and implementation costs to prevent the unlawful disclosure, access, transfer, or any other form of unauthorized access to Personal Data.

Technical Measures to Prevent Unlawful Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures in line with developments in technology are adopted, and these measures are periodically updated and renewed.
  • Access and authorization technical solutions are implemented according to the legal compliance requirements determined for each business unit.
  • Access rights are restricted, and authorizations are regularly reviewed.
  • The technical measures taken are periodically reported to the relevant parties through internal audit mechanisms, and any risks are reassessed to produce necessary technological solutions.
  • Software and hardware, including virus protection systems and firewalls, are installed.
  • Personnel with expertise in technical matters are employed.
  • Regular security scans are performed on the applications collecting Personal Data to identify vulnerabilities. Any discovered vulnerabilities are addressed.
  • Internal controls are performed within the established systems.
  • Risk analysis, data classification, risk assessment, and business impact analysis processes are conducted within the systems established.
  • Technical infrastructure is provided to prevent and/or monitor the leakage of Personal Data outside the organization.
  • Access to Personal Data by staff in information technology departments is strictly controlled.

Administrative Measures to Prevent Unlawful Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained regarding the technical measures to prevent unlawful access to Personal Data.
  • Access and authorization processes for Personal Data processing are designed and implemented within the Company, in accordance with legal compliance requirements for each business unit.
  • Employees are informed that they cannot disclose the Personal Data they learn or use it for purposes other than the intended use, and they are required to provide necessary commitments regarding this obligation, which will continue even after their departure from the Company.
  • Contracts with individuals to whom Personal Data is transferred include clauses requiring them to take necessary security measures to protect the Personal Data and ensure compliance with these measures within their organizations.

5.1.3. Storing Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures, according to technological capabilities and implementation costs, to ensure the safe storage of Personal Data and prevent its unlawful destruction, loss, or alteration.
The measures outlined in Article 12(1) of the KVKK are as follows:

  • Prevent unlawful processing of Personal Data.
  • Prevent unauthorized access to or modification of Personal Data.
  • Ensure the retention of Personal Data.

The measures taken by the Company in this regard are listed below:

Technical Measures for Storing Personal Data in Secure Environments
The main technical measures taken by the Company to store Personal Data in secure environments are as follows:

  • Systems in line with technological developments are used to store Personal Data securely.
  • Personnel with technical expertise are employed.
  • Technical security systems are installed for storage areas, and security tests and investigations are carried out on information systems to identify vulnerabilities. Any identified current or potential risks are addressed.
  • The technical measures taken are periodically reported to the relevant parties through internal audit mechanisms.
  • Backup programs are used to ensure Personal Data is stored in a legally compliant manner.
  • Access to storage areas containing Personal Data is restricted, allowing only authorized personnel to access the data for the purpose of storage. Access logs are maintained for data storage areas, and unauthorized access attempts are immediately reported to the relevant parties.

Administrative Measures for Storing Personal Data in Secure Environments
The main administrative measures taken by the Company to store Personal Data in secure environments are as follows:

  • Employees are trained to ensure Personal Data is stored securely.
  • Legal and technical consultancy support is obtained to follow developments in information security, privacy, and data protection.
  • When outsourcing Personal Data storage due to technical requirements, contracts with relevant firms include clauses to ensure that the firms take necessary security measures to protect the Personal Data and ensure compliance within their organizations.

5.1.4. Auditing Measures Taken for the Protection of Personal Data
In compliance with Article 12 of the Law, the Company conducts necessary audits internally or externally. The results of these audits are reported to the relevant department within the Company's internal structure, and activities are conducted to improve the measures taken.

Section 5.1.5: Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
In compliance with Article 12 of the Law, the Company operates a system to ensure that any unauthorized access to Personal Data is reported to the relevant individual and the Personal Data Protection Authority as soon as possible. If deemed necessary by the Authority, the incident may be publicly announced via the Authority's website or another method.

Section 5.2: Protection of the Legal Rights of the Data Subject
The Company ensures that the legal rights of the Data Subject are protected and that necessary measures are taken to safeguard these rights in accordance with the Law and this Policy. Detailed information regarding the rights of the Data Subject is provided in Section 6 of this Policy.

Section 5.3: Protection of Sensitive Personal Data
The Law assigns special importance to certain Personal Data, as unlawful processing of these data may lead to the risk of harm or discrimination. Such data include information regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, biometric and genetic data. The Company applies utmost sensitivity to the protection of "sensitive personal data" that is processed in accordance with the Law. In this context, the technical and administrative measures taken by the Company to protect Personal Data are also applied with the utmost care for Sensitive Personal Data, and necessary audits are conducted within the Company.

Section 6: Rights of the Data Subject, Exercising Rights, and Evaluation
6.1. Information of the Data Subject
In accordance with Article 10 of the Law, the Company informs the Data Subject during the collection of Personal Data. This information includes the identity of the representative of the Company, the purpose for processing the Personal Data, the third parties to whom the data may be transferred, the method and legal basis for data collection, and the rights of the Data Subject.

6.2. Rights of the Data Subject under the KVKK
In accordance with Article 10 of the Law, the Company informs the Data Subject about their rights and provides guidance on how to exercise them. Necessary internal processes, administrative and technical arrangements are made to implement these rights. In accordance with Article 11 of the Law, Data Subjects have the right to:

  • Learn whether their Personal Data is being processed,
  • Request information about the processing of their Personal Data,
  • Learn the purpose of processing and whether the data is being used for its intended purpose,
  • Know the third parties to whom their Personal Data is transferred,
  • Request correction of incorrect or incomplete Personal Data,
  • Request the deletion or destruction of their Personal Data under certain conditions,
  • Request notification of corrections, deletions, or destructions to third parties,
  • Object to any automatic processing of Personal Data that results in an adverse outcome,
  • Request compensation for any damages caused by unlawful processing of their Personal Data.

6.3. Circumstances Where the Data Subject Cannot Exercise Their Rights
According to Article 28 of the Law, the following situations are excluded from the scope of the Law, and Data Subjects cannot exercise the rights listed in Section 6.2 in these cases:

  • Processing of Personal Data by individuals for activities related only to themselves or their family members living in the same household.
  • Processing of Personal Data for the purposes of national defense, national security, public safety, public order, economic security, or to protect privacy rights, provided these do not violate individual rights or constitute a crime.

6.4. Exercising the Data Subject's Rights
In accordance with Article 13 of the KVKK, Data Subjects can submit their requests regarding the rights listed in Section 6.2 of this Policy to the Company in writing or through other methods specified by the Personal Data Protection Authority. Requests can be submitted to the Company using the application form available at www.nevalefirin.com, as detailed below.

6.5. Company's Response to Requests
The Company will respond to requests within 30 days at the latest, free of charge, unless the process incurs additional costs. If accepted, the Company will fulfill the request. If rejected, the Company will provide a written explanation.

6.6. Right of Complaint to the KVK Authority
If the request is rejected or the response is insufficient, or if there is no response within the designated time, the Data Subject has the right to complain to the Personal Data Protection Authority within 30 days from learning of the rejection or within 60 days from the application.

Section 7: Processing of Video Records
The Company takes video recordings of visitors, employees, and other relevant persons for general and commercial security purposes in accordance with the KVKK and this Policy. These recordings are securely stored in physical or electronic environments for the specified duration, in compliance with legal requirements.

Section 8: Organizational Structure for Managing the Personal Data Protection Policy
The Company has appointed a responsible person to manage this Policy and other related policies. The appointed individual ensures that Personal Data is processed and stored in accordance with the Law and this Policy.

Section 9: Miscellaneous
9.1. Update and Compliance
In case of any discrepancy between the KVKK, related regulations, and this Policy, the provisions of the KVKK and relevant laws will apply. The Company reserves the right to update this Policy in accordance with changes in the Law, decisions of the Personal Data Protection Authority, or developments in the industry or technology.

9.2. Enforcement
This Policy was adopted and entered into force on [Date]. All employees and relevant parties must comply with the Policy and ensure its proper implementation.

9.3. Entry into Force
This Policy, prepared by the Company, entered into force on 03.04.2018.

9.4. Distribution
The Policy is published on the Company's website and announced to third parties and the Company's employees.

9.5. Annexes
ANNEX – 1: Personal Data Processing Disclosure Text of Nil Unlu Mamulleri Sanayi ve Ticaret AŞ
ANNEX – 2: Personal Data Protection Law Related Person Application Form of Nil Unlu Mamulleri Sanayi ve Ticaret AŞ