POLICY ON THE PROTECTION AND PROCCESSING OF PERSONAL DATA

I. THE SCOPE AND THE PURPOSE OF THE POLICY

In order to be in compliance with the Law on Personal Data Protection numbered 6698 (“KVKK”), published on the Official Gazette numbered 29677, dated 07.04.2016 and the related legal regulations, in the context of the obligation to inform to data subjects, the Policy herein has been made available for the applicable procedures and principles adopted by our Company

About your personal data processed at our Company; the practice and basis regarding your personal data processed, the principles of processing of personal data, the purposes and conditions of processing of personal data, transfer of your personal data to domestic/abroad, destruction of your personal data, are explained below.

S 2000 MUTFAK SOĞUTMA SANAYİ TİCARET LTD. ŞTİ. (hereinafter referred to as “S2000”), will treat in accordance with the principle and process stipulated under this Policy, in respect of being compliance with KVKK and other related regulations and processing, destructing, transferring, using personal data or other cases, pursuant to the law and other related regulations.

This policy can be updated from time to time as per the changes applicable to the situations or/and legal regulations. In the case of any updating, the Company will notify it via its website or through other way.

II. DEFINITIONS


Explicit consent:	Freely given, specific and informed consent
Anonymizing :	Rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.
Personal data:	All information relating to an identified or identifiable natural person.
Processing of personal data:	Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means
Data Subject:	The natural person, whose personal data is processed
Special categories of personal data:	Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data. Special categories of personal data, if obtained by others, can leave the data subject open to discrimination or unfair treatment. For this reason, sensitive personal data merit specific protection than other personal data.
Processor :	The natural or legal person who processes personal data on behalf of the data controller upon his authorization
Data Controller:	The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

III. THE PRINCIPLES OF PROCESSING OF PERSONAL DATA

Our Company processes personal data in the context of the principles and bases given below and in accordance with article 4 of KVKK regulating the procedures and principles on processing of personal data.

a. Lawfulness and conformity with rules of bona fides

Our Company processes your personal data in compliance with KVKK and other law and regulations which the Company has to follow due to the Company’s work.

b. Accuracy and being up to date, where necessary

Our Company takes sufficient administrative and technic measures for personal data provided by the data subject not to be changed incorrectly and without data subject’s consent, also takes necessary actions to update personal data upon the request from the data subject on changes on personal data.

c. Being processed for specific, explicit and legitimate purposes

The personal data processed by our Company is processed pursuant to and with the scope of purpose of processing stated to the data subject.

d. Being relevant with, limited to and proportionate to the purposes for which they are processed

Our Company does not process the personal data that exceeds the purpose for which they are processed and are not in the line with the Company’s activity.

e. Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed

Personal data processed pursuant to KVKK and other related laws and regulations is retained for the period of time stipulated by the relevant legislation or the purpose for which they are processed.

IV. THE CONDITIONS FOR PROCESSING OF PERSONAL DATA AND THE EXCEPTIONS

- Personal data is processed with the scope of the Company’s activity;

a) On condition of receiving the data subject’s consent or

b) If it is clearly provided for by the laws,

c) If it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid,

d) If processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract,

e) If It is mandatory for the controller to be able to perform his legal obligations,

f) If the data concerned is made available to the public by the data subject himself,

g) If data processing is mandatory for the establishment, exercise or protection of any right,

h) If it is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

- In respect to personal data of special nature processed with the scope of the Company’s activity;

a) It is not processed without the data subject’s consent,

b) Personal data, excluding those relating to health and sexual life, may be processed without seeking explicit consent of the data subject, in the cases provided for by laws,

c) Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

V. PERSONAL DATA CLASSIFICATION

ID Information	Those written on the Identification card; name, surname, mother’s name, father’s name, birth place, birth date, marital status, religion, blood group, the registered city, county and hometown and others, not limited to these, included on the identification.
Contact Information	In order to contact you, information provided or you are required to provide; the phone number, the home phone number, residence or other address, electronic mail address so on.
Personnel Information	The copy of ID Birth Certificate The document of residence address Medical Report The copy of Diploma Criminal Record Photo The documents related with information of family The document related with military service Labor/service contract The notification of Social Security Institution (SGK) Other documents and information related with your health status
Bank Account Information	Bank account number, IBAN number, other information related with credit card and debit card.
Resume Information	The information written on the resume form or requested by our Company or you provided; education information, school information related with your education and your educational information, The information written on the resume form or requested by our Company or you provided; information related with the date, place and period of your previous work, information of your position and task in your previous work and any information regarding your work experience, The photograph included on your resume form or requested by our Company or you provided, The driving licence included on your resume form or requested by our Company or you provided and information included on your driving licence, References included on your resume form or requested by our Company or you provided and information regarding your reference.
Visitor Information	Name and surname of who visits the Company, the visit time, if available the number plate of car and other information related with the visitor.

VI. PROVIDING PROTECTION OF PERSONAL DATA

As S2000, we fulfil all necessary technic and administrative measures with the scope of the sufficient technologic base, in order to provide protection and to keep personal data in compliance with KVKK and the related laws, processed by our Company; in this direction, we carry out necessary inspections by taking measures against data breach, unauthorised access, data loss, changing data without consent and similar threats.

In this context, we detect available risks and threats, carry out awareness trainings by educating our employees, determine policies and procedures on personal data protection, ensure to minimize personal data, make non-disclosure agreements with the processors; use the firewall and anti-virus applications, configure available hardware and software, carry out the updating and detection of software; provide electronically and physical protection, take necessary measures to prevent breach of data protection by unauthorised person with key management, access log, user access management, technical surveillance countermeasures and encryption algorithm.

VII. THE PURPOSE OF PROCESSING OF PERSONAL DATA

Your personal data is processed with the purposes of fulfilment of the Company’s activity and of obligation imposed by the laws, as limited with these.

In this sense,

a. In respect to the practice of security camera at the workplace

- Under the Law on Occupational Health and Safety numbered 6331, Labor Law numbered 4857 and the provisions of secondary legislation, on the purpose of protecting safety of life and property of employees and of maintaining security of the workplace also in order to carry out disciplinary and legal processes for this purposes, monitoring is made at the various area in the workplace by security camera. The written warnings to inform about security camera are available at the place where security camera is located.

- The security cameras have been located to maintain the security of the workplace with the scope of employer’s legitimate interest, considering the limit of proportionality.

b. In respect to the personal data of costumer, potential customers and business and solutions partners

The personal data like ID information, contact information, financial information and similar information, provided to us or we requested, is processed;

- to provide more effective service to our supplier and business partners; to operate legal and financial process.

- to maintain security of the workplace, commercial and economic safety.

- in the context of convenience-ethic inspection, to get the convenience of work activity detected by the natural or legal person for criteria of ethic and of social convenience.

- to improve service by which our Company provide and to maintain the satisfaction of products.

c. In respect to the personal data of visitors

- In order to maintain safety of life and property and lay out of the Company, the personal data of visitors regarding ID information, like name-surname, entry-exit time, employee’s name for who visitor comes and the purpose of visitor to come, is processed.

d. In respect to the personal data of job candidates

Personal data of job candidates such as ID information, contact information, resume information and similar information is processed;

- to evaluate the convenience of job candidates to the work and to progress the interview process sending the application form and resumes to the related department.

- to evaluate and to determine whether you as a job candidate provide required and sufficient qualifications at the time of the application of job and of any process made during the application of job.

- to contact with your reference and to have information about you from your reference.

- to hire you at the end of the job application process in the case of positive completion of your job application.

e. In respect to the personal data of employees

Personal data of employees such as ID information, personnel information, resume information, bank account information, contact information and similar information is processed;

- to maintain lay out, tranquillity and safety of the workplace,

- to fulfil obligations of the Laws as creating and retaining personnel file and to share personal data herein to the auditor public institutions and organisations and authorised auditor natural and legal person,

- to record all transactions, through log, made by the employees in the fileserver system

- to include images regarding our Company’s organisations and similar activities, in the social media,

- to use the methods determining the employees’ entry/exit time and other similar monitoring methods in order to maintain safety of employees and the workplace, to protect their safety of life and property,

- to record and to transfer the personal data herein to domestic/abroad or third parties in order to make organisations for providing social activities such as fair, seminar, trips, training, conference and services like accommodation and transport, to carry out visa process, to inform employees about updating news of the Company, to contact to himself/herself or relative person and also for advertising, promotion and similar purpose of the Company’s activity and for rewarding (like promotion or gifts so on) made on the purpose of motivating employees,

- to process and to share as well as personal data of special nature to the workplace doctor and medical officers in the context of activity of “ISG”,

- to share the personal data of the employees to transportation companies for shuttle services,

- to keep phone card, credit card or vehicles provided by the Company to the employees under control with the scope of the right of management of the employer,

- to retain corporate e-mail accounts provided by the Company to the employees, correspondences carried out in these e-mail accounts and e-mail files containing these correspondences in the cloud system located abroad.

f. In respect to the personal data of subcontractor

Personal data of employees of subcontractor such as ID information, personnel information, resume information, bank account information, contact information and similar information is processed;

- to process and to share as well as personal data of special nature to the workplace doctor and medical officers in the context of activity of “ISG”,

VIII. THE TRANSFER OF PERSONAL DATA DOMESTIC AND ABROAD

Your personal data can be transferred;

- to the third parties for improving productivity and the policy of employment of our Company, providing sustainability and limited to these goals herein,

- to the banks, the third parties worked with, the expert of ISG, the workplace doctor and medical personnel, on the purpose of the fulfilment of obligations owed by the employer,

- to the Microsoft Office programmes, SAP applications, cloud applications, and back-up systems that all are located abroad, in order to effectively manage and operate the Company’s business and business flow and for the policy to be applied

- to the external service providers with who the Company issued an agreement regarding that the external service providers shall take required technic and administrative measures, in the context of realisation of the Company’s commercial activity and similar activity,

- to the business partners, suppliers and to the third parties and abroad by which the Company gets service in the context of the Company’s activity, in order to provide service and products.

- Upon the request or under the necessary situation, your personal data will be transferred to the courts, law-enforcement office/police office and enforcement offices.

IX. DESTRUCTION OF PERSONAL DATA

The personal data processed with the scope of the Company’s activity, is retained with the scope of the purpose of processing during the period of time that is necessary to provide this purpose and during the time stipulated under the related laws.

The personal data which has lost its function or whose retention period has been expired or upon demand by the data subject to destruct if allowed by the related laws, is destructed in compliance with the methods stipulated by article 7 of KVKK.

Erasure of personal data is the process of rendering personal data inaccessible and non-reusable for the users concerned, by no means.

Destruction is the process of rendering personal data inaccessible, irretrievable or non-reusable by anyone, by no means.

Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.

X. THE RIGHTS OF THE DATA SUBJECTS

With the scope of the rights stipulated under the article 11 of KVKK, the data subject can apply to our Company about the personal data processed in the context of the Company’s activity and

a) to learn whether his personal data is processed or not,

b) to request information if his personal data is processed,

c) to learn the purpose of his data processing and whether this data is used for intended purposes,

d) to know the third parties to whom his personal data is transferred at home or abroad,

e) to request the rectification of the incomplete or inaccurate data, if any,

f) to request the erasure or destruction of his personal data under the conditions laid down in Article 7,

g) to request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred,

h) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject,

i) to request compensation for the damage arising from the unlawful processing of his personal data.

XI. LAST PROVISIONS

In the case of use the rights given above and, if you apply our Company with related the matters given above, your application will be completed free of charge maximum in 30 days depending on the qualification of the application. However, if the application requires extra expenses for the Company, the fee stipulated by the Personal Data Protection Authority may be asked.

You are required to make the application related with the process of your personal data by filling up the application form available on our website and proving personally your ID.

S2000 Commercial Kitchens and Refrigeration Contact Information

Adress:Boğazköy, Bolluca, İstiklal Mah. Erciyes Sokak No.12 Arnavutköy - İstanbul - Turkey

Website address to contact: https://www.s2000.com.tr

E-mail address to contact: info@s2000.com.tr/