1. Policy, Scope, and Purpose

1.1 Ak Gıda San. ve Tic. A.Ş. (Hereinafter referred to as “Ak Gıda.”)

The Board of Directors and management, in accordance with the Information Security Policy, commit to adhering to the principles and rules established by the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698 (KVKK), and other relevant legislation regarding the protection of personal data. They also commit to protecting the rights and freedoms of individuals whose data are processed by Ak Gıda. For this purpose, the Board of Directors has adopted a written personal data protection policy and system to be implemented and developed.

1.2 Scope

The provisions of the policy encompass all information systems and sub-information, contracts, environmental and physical areas involved in the processing of personal data in Ak Gıda’s fields of activity and work areas, as well as all systems and regulations developed for these. This policy includes all units of Ak Gıda, personnel of firms providing support services, visitors, third parties, interns, and contracted staff.

1.3 Objectives of the Personal Data Protection Policy and System

The purpose of the Personal Data Protection Policy and System is to ensure that Ak Gıda establishes and implements its own standards in managing personal data; to identify and support organizational goals and obligations, and to establish control mechanisms in line with Ak Gıda’s acceptable level of risk. It also aims to fulfill obligations under international agreements, the Constitution, laws, contracts, and professional standards related to the protection of personal data, and to best protect the interests of individuals.

1.4 Ak Gıda will comply with personal data protection legislation and data protection principles.

The data protection principles adopted by Ak Gıda include:

a. Processing personal data only when it is clearly necessary for legitimate corporate purposes;
b. Processing the minimum necessary amount of personal data for these purposes and not processing excessive data;
c. Providing clear information to individuals about how their personal data is used and by whom;
d. Processing only relevant and appropriate personal data;
e. Processing personal data fairly and in accordance with the law;
f. Maintaining an inventory of personal data categories processed by Ak Gıda;
g. Keeping personal data accurate and up to date as needed;
h. Retaining personal data only for as long as necessary in accordance with legal regulations, Ak Gıda’s legal obligations, or legitimate corporate interests;
i. Respecting individuals’ rights regarding their personal data, including the right to access;
j. Keeping all personal data secure;
k. Transferring personal data abroad only when adequate protection is in place;
l. Applying exceptions permitted by legislation;
m. Establishing and implementing a personal data protection system for the implementation of the policy;
n. Identifying internal and external stakeholders involved in the personal data protection system and the extent of their involvement with Ak Gıda’s system;
o. Designating personnel with special authority and responsibilities related to the personal data protection system.


2. Notifications

2.1 Ak Gıda informs the Personal Data Protection Board (“KVK Board”) as the data controller about which personal data categories it processes in this capacity. Ak Gıda identifies all personal data categories processed in its personal data inventory.

2.2 Notification is made in accordance with the procedures and methods determined by the KVK Board, and a copy of the notification is kept by Ak Gıda’s Information Security and Personal Data Protection Board.

2.2 If deemed necessary by the relevant legislation or the KVK Board, notifications are periodically repeated.

2.3 The Information Security and Personal Data Protection Board reviews Ak Gıda’s data processing activities and changes therein annually, to identify potential changes in the notification made to the KVK Board. It informs the KVKK Board if necessary.

All units of Ak Gıda, personnel of firms providing support services, interns, and contracted staff who violate this policy will be subject to Ak Gıda’s disciplinary regulations. In cases where such a violation constitutes a crime or misdemeanor, the situation will be reported to the relevant authorities as soon as possible.

Solution partners of Ak Gıda who have or may have access to personal data and all third parties working with Ak Gıda are invited to read and comply with this policy. No third party can have access to personal data processed by Ak Gıda without a written confidentiality agreement that includes obligations with standards at least as strong as those of Ak Gıda, and which encompasses Ak Gıda’s right to audit in relation to these obligations.


3. Definitions

Explicit Consent: Consent that is informed, related to a specific issue, and given freely.
Anonymization: The process of turning personal data into a state where it cannot be associated with an identifiable natural person, even when matched with other data.
Data Subject: The natural person whose personal data is processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive (Special Category) Personal Data: Data related to racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade-unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Processing of Personal Data: Operations performed on personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
KVKK: Personal Data Protection Law No. 6698.
KVK Board: Personal Data Protection Board.
KVK Institution: Personal Data Protection Authority.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller.
Data Recording System: A system where personal data is processed according to certain criteria.
Data Controller: A natural or legal person who determines the purposes and means of the processing of personal data and is responsible for the establishment and management of the data recording system.

4. Duties and Responsibilities

4.1 Ak Gıda is the data controller in accordance with KVKK.
4.2 All personnel, especially those in upper management, managerial, and audit positions, are responsible for developing and promoting correct practices in the processing of personal data within Ak Gıda, and also for other obligations related to this matter as specified in their individual job descriptions.
4.3 The Information Security and Personal Data Protection Board (BGKVK Board) has been established as the responsible unit for managing the personal data protection system and ensuring and documenting compliance with KVKK and other relevant legislation. This Board is accountable to the Board of Directors in these matters.

4.3.2 Duties and Responsibilities of the Information Security and Personal Data Protection Board The Board must inform the Board of Directors about the Personal Data Protection legislation and developments. The Board is responsible for ensuring that Ak Gıda’s policies and procedures are up-to-date, that data processing audits are conducted according to the planned schedule, and that these are in compliance with relevant legislation. The Board collaborates with all relevant personnel on personal data protection matters. The main duties and responsibilities of the Committee are: The BGKVK Board has the authority to audit all systems related to the collection, processing, and storage of personal data at Ak Gıda. In performing its duties, the Board can request cooperation from all personnel, including access to systems and records. If this cooperation is not provided, the Board will report the situation to the Board of Directors.

4.4 All personnel of Ak Gıda who process personal data are responsible for acting in accordance with the Personal Data Protection legislation.

4.5 The Human Resources unit, Training Instructors, and IT are responsible for ensuring that all personnel are aware of their responsibilities in the field of personal data protection and for conducting the necessary notifications and trainings.

4.6 Ak Gıda personnel are obligated to ensure the accuracy and up-to-dateness of all personal data provided by them or relating to them to Ak Gıda.


5. Data Protection Principles

All personal data processing activities must be conducted in compliance with the following data protection principles. Ak Gıda’s policies and procedures aim to ensure this compliance:

5.1 Personal data are processed lawfully, fairly, and transparently.

In line with this, Ak Gıda includes informative texts/privacy notices in data collection channels and related areas regarding its personal data processing activities. The areas where these notices, which contain clear and understandable information about whose data Ak Gıda processes and for what purposes, will be placed and announced are determined by the BGKVK Board. These notices include the following information:

5.2 Personal data can only be processed for specified, explicit, and legitimate purposes.
5.2.1 The reasons/purposes for processing personal data are identified in the personal data inventory, and personal data cannot be used for purposes other than those specified without a legal basis or the explicit consent of the data subject.
5.2.2 If conditions arise that necessitate the use of personal data for purposes other than those specified in the personal data inventory, this situation is reported to the Contact Person/BGKVK Board by the relevant personnel/unit. The BGKVK Board checks the appropriateness of the new purpose and, if necessary, ensures that the data subject is informed about the new purpose and the new data processing activity.

5.3 Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
5.3.1 The BGKVK Board is responsible for ensuring that personal data not clearly necessary for the processing purpose are not collected or processed.
5.3.2 All data collection forms, both electronic and physical, and data collection mechanisms in information systems are implemented subject to approval by the BGKVK Board.
5.3.3 The BGKVK Board periodically audits, through the personal data inventory, to ensure that the processed data are adequate and relevant.
5.3.4 The BGKVK Board annually audits, through internal or external audits, to ensure that all data processing methods are adequate and relevant.
5.3.5 The BGKVK Board is responsible for stopping the processing activity of personal data that it determines to be inappropriate, irrelevant, or excessive in terms of processing purpose, and for the secure destruction of processed data in accordance with storage and destruction procedures.

5.4 Personal data must be accurate and, where necessary, kept up to date.
5.4.1 The accuracy and currency of data held over a long period must be reviewed.
5.4.2 The managers of the Human Resources, Training Instructors, and IT department are responsible for ensuring that all personnel are trained in the accurate and up-to-date collection and retention of personal data.
5.4.3 The accuracy and currency of data held about personnel are the responsibility of the respective individuals.
5.4.4 Personnel/customers and other relevant individuals should inform Ak Gıda to update processed personal data. Upon such notification, the responsible unit must correct and update the relevant record.
5.4.5 The BGKVK Board may instruct the relevant unit to review the accuracy or currency of certain data based on its evaluation of the type, retention period, and amount of data processed, as per the data inventory.

5.5 Personal data should only be processed if necessary for the purposes of data processing.
5.5.1 In cases where personal data are stored beyond the necessary period due to requirements such as backups, personal data should be encrypted or anonymized/masked to protect the rights and freedoms of individuals in the event of data security vulnerabilities.
5.5.2 The processing of personal data after the periods specified in the Storage_and_Destruction_Policy is subject to the written approval of the BGKVK Board.


6. Rights of Data Subjects

Data subjects have the following rights regarding data processing activities and records at Ak Gıda:
6.1 The right to learn whether their personal data is being processed,
6.2 If their personal data is processed, the right to request information about this,
6.3 The right to know the purposes of processing their personal data and whether it is used in accordance with these purposes,
6.4 The right to know the third parties to whom their personal data is transferred, both domestically and internationally,
6.5 In the event that personal data is incompletely or inaccurately processed, the right to request its correction,
6.6 The right to request the deletion or destruction of their personal data in cases where there is no legal basis or justification for processing under KVKK or this policy,
6.7 The right to request that any corrections or deletions made upon their request be notified to third parties to whom personal data has been transferred,
6.8 The right to object to outcomes that are to their detriment, arising from the analysis of processed data solely through automated systems,
6.9 The right to request compensation for damages in case of harm due to unlawful processing of their personal data.

Data subjects can request access to their personal data and exercise the rights listed above. Such requests are forwarded to the Contact Person/BGKVK Board and responded to within 30 days. The processes of receiving, transmitting, and concluding these requests are carried out according to the request management procedure.

Data subjects can submit their requests by filling out the KVKK Application Form and sending it to the address Ofis Park Maltepe Altayçeşme Mah. Çamlı Sok. No:21 Maltepe, either through a notary or via registered mail with acknowledgment of receipt, ensuring identity verification, or they can send it to the registered email address akgida@hs03.kep.tr.

All personnel of Ak Gıda, regardless of their job description, are obligated to guide data subjects on the correct method of application for data subject access requests. Ak Gıda personnel should be informed and trained on how to handle requests from data subjects.

To facilitate data subjects in making their requests, informative texts/privacy notices and Ak Gıda’s web address will include the contact information of the Contact Person/BGKVK Board.


7. Obtaining Explicit Consent

Ak Gıda considers explicit consent to be the consent expressed through a written/oral statement or a clear affirmative action, based on being informed and freely given, indicating the data subject’s agreement to the processing of their data. For sensitive data, explicit consent must always be obtained in writing. Explicit consent can be withdrawn by the data subject at any time.

Explicit consent can be obtained by having the data subject sign an explicit consent form template or by including elements of this template in a contract or electronic form made with the data subject. For personal data routinely processed concerning employees, prospective employees, and customers, explicit consent is obtained through the relevant contracts or forms.

If data processing activity based on explicit consent is continuous or repetitive, the responsible unit maintains a consolidated list of individuals from whom explicit consent has been obtained. The currency and accuracy of this list are the responsibility of the relevant unit. Forms of explicit consent or other relevant proof for data processing activities based on explicit consent are kept by the relevant unit.


8. Data Security

All personnel are responsible for ensuring the secure storage of personal data processed by Ak Gıda and under their responsibility.

Access to personal data should only be available to those who need it. Accesses are granted in accordance with the Access_Management_Procedure.

The security of personal data is maintained in accordance with Ak Gıda’s KVK Policy and its related documents.

Information security incidents related to personal data are reported to the KVK Board and the relevant individual by the BGKVK Board as soon as possible.


9. Data Sharing

9.1 Personal data can only be shared with third parties in accordance with the law and fairness. For personal data to be shared, one of the following conditions must be met:
• Obtaining the explicit consent of the data subject.
• Being explicitly prescribed in the laws.
• It is necessary to protect the life or bodily integrity of the data subject or someone else, or because the person is unable to express their consent due to physical impossibility or their consent is not legally valid.
• It is necessary for the establishment or performance of a contract to which Ak Gıda is a party or will be a party, provided that it directly concerns the personal data of the parties to the contract.
• It is necessary for Ak Gıda to fulfill its legal obligation.
• It has been made public by the data subject.
• It is necessary for the establishment, exercise, or protection of the rights of Ak Gıda.
• Provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary for the legitimate interests pursued by Ak Gıda.

9.2 Personal data can only be transferred abroad if the above conditions are met, if there is sufficient protection in the target country, and with the explicit consent of the data subject regarding this transfer. When transferring personal data abroad, the list of countries with sufficient protection determined by the KVK Board is taken into account. When it comes to the transfer of personal data abroad, BGKVK Board provides the necessary permissions and notifications to the KVK Board in accordance with the Law on Protection of Personal Data (KVKK) and relevant legislation.
9.3 All transactions related to the sharing of personal data must be recorded in writing, along with their justifications. The BGKVK Board ensures that these records are audited at certain intervals. 8.4 In the absence of a legal basis or legal obligation, if there is a regular data sharing relationship, a KVKK Commitment Letter is prepared with the relevant party, specifying the conditions of data sharing.
The KVKK Commitment Letter includes at a minimum:
• The purpose or purposes of the sharing;
• Potential third-party recipients or recipient types and conditions of access;
• The categories of data to be shared (these should be kept to a minimum necessary for your purposes);
• General principles regarding the processing of data;
• Data security measures;
• The retention period of the shared data;
• Data subject rights, access requests, application and complaint response procedures;
• Review of the termination of the sharing agreement;
• Liability and sanctions for non-compliance with the agreement or individual violations by staff.


10. Kayıtların Yönetimi

Personal data cannot be retained for longer than necessary for the purposes of processing. The classification of records containing personal data and the retention periods for these records are determined in accordance with the Data Retention and Disposal Policy.

Once the retention period for the purposes of processing has expired or upon a valid request from the data subject, personal data is anonymized, deleted, or destroyed in accordance with the Data Retention and Disposal Policy in a manner that the identity of the data subject, a real person, cannot be determined.


11 Politikanın Güncel Tutulması

Document Ownership and Approval

The owner of this document is the BGKVK Board, and they are responsible for regularly reviewing this policy as required.

The current version of this document has been made accessible to all Ak Gıda personnel on a shared platform and published on the company’s website.

This policy was approved by the Board of Directors on 01.08.2021 and published with the signature of the General Manager.