CLARIFICATION TEXT OF THE INTERNET PLATFORM
1. DATA CONTROLLER
Ervin Gıda ve Meşrubat (“Company”) is a data controller within the scope of the Personal Data Protection Law No. 6698 (“Law”). It carries out its personal data processing activities in accordance with the Law and other applicable legislation.
2. COLLECTION, PROCESSING AND PROCESSING PURPOSE OF PERSONAL DATA
Your personal data listed below are collected electronically and are processed for the following purposes:
- Your identity and contact information that you will provide in your application to us by using the "e-mail list" and/or "contact" form on our website,
- Your digital and cookie data will also be processed if you visit our website or browse these sites.
Your personal data is processed to provide our Company's services, perform after-sales services, increase customer satisfaction, evaluate and respond to complaints and suggestions, make statistical analyses, fulfill legal and regulatory requirements, provide necessary information in line with the requests and inspections of official authorities, and ensure data security.
On the other hand, if you give explicit consent, your identity and contact data will also be processed for promotional, e-mail newsletter sending, and marketing purposes.
3. TRANSFER OF YOUR PERSONAL DATA TO THIRD PERSONS
Within the scope of the Law and other legislation, and for the purposes described in article 2 of this Clarification Text, your personal data can be transferred, depending on and limited to the reason that requires the transfer, to supervisory and regulatory public institutions and organizations (BTK, TÜİK, courts, banks, etc.), auditors, companies that provide software and hardware support services, and legally authorized private persons such as lawyers.
On the other hand, since our website servers are located abroad, the personal data you share with us through our website will be transferred abroad based on your explicit consent.
4. PROTECTION OF YOUR RIGHTS REGARDING YOUR PERSONAL DATA
The rights of natural persons whose personal data are processed are listed in Article 11 of the Law. As a personal data owner, you must make your requests regarding your rights listed in the relevant article of the Law following the application procedures stipulated in the Notification on Application Procedures and Principles to the Data Controller. You must confirm your identity at our Company's official address and submit your application in an authorized manner, either in person or through a cancellarius (notary). Depending on the subject, your request will be finalized as soon as possible and within thirty (30) days at the latest, free of charge. However, if the procedure requires an additional cost, the fee at the tariff determined by the Personal Data Protection Board will be requested.
EXPLICIT CONSENT TEXT FOR THE PROCESSING OF PERSONAL DATA
As informed in the Clarification Text, I consent to the processing of the personal data I have shared with your company for promotional, e-mail newsletter sending, and marketing purposes.
Commercial Electronic Message Approval
In addition, following Law No. 6563 on the Regulation of Electronic Commerce, through the channels I have marked below, I consent to you contacting me for commercial communication, newsletter sending, advertising, and promotional purposes regarding products and services.
SMS
Call
PERSONAL DATA PROTECTION AND PROCESS POLICY
Version: 1
Update Date: 01.09.2022
1. PURPOSE
Ervin Gıda ve Meşrubat (“Company”) and company employees undertake to abide by the principles and rules stipulated by the Constitution of the Republic of Turkey, Personal Data Protection Act (KVKK) no: 6698, and other legislations and to protect the rights and freedoms of the individuals whose data has been processed by the Company. To that end, the Company has adopted a written Personal Data Protection And Process Policy (“Policy”) to be applied and developed.
The purpose of the Policy is to establish rules for the internal management of personal data, define goals and obligations, establish control mechanisms in line with a reasonable risk level, fulfill legal obligations in the field of personal data protection, and ensure the best possible protection of individuals' interests.
2. SCOPE
The provisions of this Policy apply to all employees of The Company who provide support services to all units of The Company, including The Company's board of directors, subordinates, and interns. Any actions that violate Law No. 6698 on the Protection of Personal Data or this Policy will be evaluated within the scope of relevant legislation, and sanctions will be applied accordingly.
Furthermore, The Company invites all business partners, suppliers, and third parties with access to or the possibility of accessing personal data held by The Company to read and comply with this Policy.
3. DEFINITIONS
Explicit consent | means freely given, specific and informed consent |
Anonymization | means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data |
Contact person | means the natural person notified by the Data Controller during registration to the Registry for the communication to be established with the Authority regarding the obligations of the data controller, |
Law | means Personal Data Protection Law (Law Number: 6698) |
Personal data | means any information relating to an identified or identifiable natural person |
Personal data inventory | Personal data processing activities of data controllers associated with the personal data processing purposes and legal reasons, data category, transferred recipient and data owner. It is detailed by explaining the maximum retention period of personal data, transfer to foreign countries, personal data and measures taken regarding data security. |
Processing of personal data | means any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof, |
Institution | means the Personal Data Protection Institution |
Board | means the Personal Data Protection Board, |
The Committee of KVK | means structure consisting of a natural person or persons appointed by the data controller who carries out the administrative monitoring and coordination of the processes established within the scope of the Law, |
KVK recognizance | means the document determining the legal obligations of third parties with whom data is shared, |
Register | The register of data controllers kept by the Institution, |
Data processor | means the natural or legal person who processes personal data on behalf of the data controller upon its authorization, |
Data controller | means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. |
4. RESPONSIBILITIES
The Company is the data controller, as per KVKK. All employees are responsible for developing and promoting proper practices regarding personal data processing at The Company and other liabilities.
All employees of The Company processing data must abide by the Personal Data Protection legislation.
The Company must arrange all communication and training required for all employees to know their responsibilities and become well aware of personal data protection.
The Company staff is liable to ensure that all the personal data provided to The Company or the personal data of the employees is correct and up to date.
4.1. The Committee of KVK
The members of the Committee of KVK with expertise and experience in personal data protection legislation and practices are assigned by the Board of Directors, and they directly report to the Board of Directors. The KVK Committee was established as responsible for managing the personal data protection system and documenting compliance with the Law and other relevant legislation. The KVK Committee is liable to the Board of Directors on these matters.
4.2. Duties and Responsibilities of the Committee of KVK
- The Committee should be informed regarding Personal Data Protection legislation and developments.
- The Committee is responsible for ensuring that the policies and procedures of the Company are up to date, that the data processing audits take place according to the schedule, and for compliance with the relevant legislation and education.
- Regarding data protection, the Committee functions in harmony with the relevant staff.
- It is responsible for ensuring that The Committee of KVK neither collects nor processes any personal data that is not explicitly needed for processing.
- The Committee of KVK periodically investigates whether the data processed via the personal data inventory is appropriate and relevant.
- The Committee of KVK investigates annually whether all of its data processing methods are appropriate and relevant through internal and/or external audits.
- Concerning personal data that The Committee of KVK does not find appropriate or relevant or finds excessive regarding the processing purpose, it is responsible for ceasing the data processing activities and for secure destruction of the processed data as per storage and destruction procedure.
- By evaluating the type of processed data, storage period, and the amount by utilizing the data inventory, the Committee of KVK must instruct the relevant unit to review whether the specific data is correct or current.
5. IMPLEMENTATION FUNDAMENTALS
5.1. PROCESSING PRINCIPLES
The Company will abide by personal data protection legislation and data protection principles. Data protection principles adopted by The Company are provided below:
- To process personal data only on the condition that it is explicitly required considering legitimate corporate purposes,
- To process only the minimum amount of personal data required in line with said purposes,
- To provide individuals with explicit information regarding who uses these data and how it is used,
- To process only relevant and appropriate personal data,
- To process personal data legally and equitably,
- To maintain an inventory of personal data categories processed by The Company,
- To ensure that the personal data is correct and, if needed, updated,
- To store the personal data only for a period required by legal regulations, legal responsibilities of The Company, or legitimate corporate benefits,
- To store personal information in a way that prevents access to the identity of Data Owners for any time longer than is reasonably required for the purposes for which personal data are processed,
- Ensuring data privacy is a top priority in the initial phase of any project or activity and subsequently throughout its service life (Principle of Ensuring Privacy from the Start),
- To respect the rights of the individuals regarding their personal data, including the right to access,
- To transfer personal data abroad only with explicit consent or on the condition that enough protection is available,
- To apply the exceptions permitted by the legislation,
- To establish and implement the personal protection system for performing the policy,
- To determine the internal and external stakeholders of The Company who are a party to the personal data protection system and to which extent they are involved in the personal protection system of The Company,
- To determine the employee(s) who have/has extraordinary powers and responsibilities regarding the personal data protection system.
All data processing activities must be conducted in compliance with the data protection principles provided herein below. The policy and procedures of The Company aspire to ensure compliance with these principles:
- To comply with legal rules and good faith.
- To be correct and, when required, up to date.
- To be processed for specified, explicit, and legitimate purposes.
- To be relevant to the purpose of processing, to be limited and in moderation.
- To be kept for the period required by the applicable legislation or the purpose of processing.
In line with this, The Company publishes clarification texts/privacy notices on its personal data processing activities on data collection channels. The KVK Committee's opinion is considered when deciding in which sections the notifications, which contain clear and understandable information about who The Company processes data for and for what reasons, will be included and announced. These notices cover the items listed below:
- The identity of The Company as data controller and contact details thereof,
- Types of personal data processed,
- Purposes of personal data processing,
- Methods of collecting personal data,
- On what legal reason the personal data is processed,
- Rights of the data owner,
- Third parties that data may be shared with.
The personal data inventory determines the justifications/purposes of data processing. The personal data may not be used for other than the specified purpose without any further legal justification or the data owner’s explicit consent. In case the conditions that require the personal data to be used for other than the purpose specified in the personal data inventory occur, the Committee of KVK is notified by the relevant employee/unit. The Committee of KVK investigates the appropriateness of the new purpose and, if required, ensures that the data owner is informed about the new data processing for the new purpose.
Personal data must be processed appropriately, relevantly, and to a limited extent for the purposes for which they are processed, and must be accurate and current. Data stored for a long time should be checked for accuracy and currency. The Company is responsible for training all employees on the accurate and current collection and storage of data.
The KVK Committee should be informed about all data collection channels.
It is the responsibility of the relevant employee to ensure that the information collected about employees is accurate and up to date.
Employees/customers/institutions and other relevant persons must inform the Company to update the processed personal data.
Personal data should be processed so that the data subject can only be identified if necessary for processing.
Secure data deletion techniques chosen by the Board are used for personal data in situations where it is stored for an extended period or when data security is compromised because of requirements such as backups, to protect the rights and freedoms of individuals.
When personal data needs to be processed for longer than the specified periods following the procedure defining the storage and destruction process, written approval of the KVK Committee is obtained.
All Company units that process Personal Data are responsible for complying with both the principles set out above and the measures in applicable data protection laws and must be able to prove that they abide.
5.2. RISK ASSESSMENT
The Company identifies the risks associated with the processing of personal data types. If a particular type of data processing activity is likely to pose a high risk to personal rights and freedoms in line with its structure, context, and purposes, the Company must manage potential risks by performing an impact analysis before the data processing activity. A single assessment may be based on multiple data processing activities that involve similar risks.
If, as a result of the impact analysis, it is understood that the Company is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the KVK Committee is required on this issue. The KVK Committee may request the Board's perspective on the subject if necessary.
5.3. RECEIVING EXPLICIT CONSENT
The Company accepts as explicit consent the consent of the data owner regarding certain data processing activities and, where required by the Law, informed and free will, expressed by written/verbal declaration or explicit action. Explicit consent is obtained in writing or in a systematically verifiable manner. Explicit consent may always be withdrawn by the data owner.
If the data processing activity based on explicit consent will be continuous or repeated, the explicit consent obtained is checked. The up-to-dateness and accuracy of these express consents is the responsibility of the relevant unit. Explicit consent forms or other appropriate proof tools regarding data processing activity based on explicit consent are kept by the relevant department.
5.4. DATA SECURITY
All employees are responsible for keeping the personal data processed by The Company and under their responsibility secure. Employees are obliged to ensure that data is not disclosed to third parties unless they sign a confidentiality agreement.
Personal data must be accessible solely to those who are required to access such data.
Incidents that threaten the security of personal data are reported to the Board and the relevant person as soon as possible after they are definitively determined by the KVK Committee and, in any case, within 72 hours at the latest after the incident becomes known.
5.5. DATA SHARING
Personal data may only be shared with third parties legally and equitably. In line with this, for sharing personal data, one of the conditions listed below must be met:
- Receiving the explicit consent of the data owner,
- Stipulating explicitly by law,
- It is required to protect the life or bodily integrity of the person who cannot declare his consent due to actual impossibility or whose consent is not legally valid or of someone else.
- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of an agreement to which the Company is or will be a party,
- It is mandatory for the Company to fulfill its legal obligations,
- It has been made public by the person concerned,
- Data processing is mandatory for the establishment, exercise, or protection of the Company's rights,
- It is compulsory to process data for the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Personal data can only be transferred abroad if the above conditions are met and there is sufficient protection in the destination country, or if the data owner has given explicit consent for such transfer.
The list of countries that the Board has determined to have sufficient protection is considered when transferring personal data abroad.
Regarding the transfer of personal data abroad, the KVK Committee obtains the necessary permissions and notifications from the Board in accordance with the Law and relevant legislation.
All procedures related to sharing personal data must be documented in writing, along with their justifications. The KVK Committee periodically audits these records.
In the absence of a legal basis or legal obligation, in the case of a regular data-sharing relationship, a KVK recognizance is made with the relevant party, defining the conditions for data sharing.
5.6. RECORDS MANAGEMENT
Personal data cannot be retained for longer than necessary for processing. Records containing personal data and their retention periods are defined following the Personal Data Recording, Retention, and Destruction Procedure.
Personal data that has expired or needs to be destroyed upon a justified request from the data owner is anonymized, deleted, or destroyed following the procedure that defines the storage and destruction process.
5.7. PROTECTION OF RIGHTS OF THE DATA OWNER
Data owners have the following rights regarding data processing activities and records at the Company:
- Ascertaining whether any personal data is processed or not,
- Requesting information related to the processing of personal data, if processed,
- Ascertaining the purpose of the processing of personal data, and whether or not the use of Personal Data is in compliance with this purpose,
- Identifying third parties to whom the personal data is transferred within the country and abroad,
- Requesting rectification if personal data is processed in an unsatisfactory or incorrect manner,
- Demanding personal data for which there is no legal justification or foundation to be processed as per this policy and KVKK to be deleted or destroyed,
- Demanding the notification of adjustment, deletion to third parties to whom the personal data had been transferred,
- Objection to the result of the analysis (exclusively by means of automatic systems) of the processed personal data, and which is to the detriment of the person,
- Claiming compensation for damages that he/she suffered due to the illegal processing of the personal data.
Procedure for Data Owner Requests
Data subjects can submit their requests related to the rights mentioned above to The Company in accordance with the application procedures stipulated in the Notification on Application Procedures and Principles to the Data Controller for Data Subject Applications.
In this case, the Company will promptly and, at the latest, within 30 (thirty) days, free of charge, conclude the request, depending on its nature. However, if the process requires an additional cost, the Company may request the fee specified in the tariff determined by the Board. The processes related to the receipt, transmission, and conclusion of requests are carried out in accordance with the Data Subject Application Receipt, Evaluation, and Response Procedure.
In notifications and on the website, data subjects' access rights and contact information are provided to enable them to direct their requests.
All employees of The Company, regardless of their job description, are responsible for guiding data subjects on the correct application method for data subject access requests. The KVK Committee should inform The Company employees on handling requests from data subjects.
In this context, demands can be made:
• By personal application of the Data Owner, or
• Through a cancellarius (notary), at this address: Karayolları Mah. 564 St. No:4 Gaziosmanpaşa / Istanbul
6. EFFECTIVE DATE AND UPDATES
This Policy entered into force on 01.09.2022 and will be reviewed by the KVK Committee every year at the beginning of the year and updated, if necessary, in line with the Law, relevant secondary regulations, Board Decisions, and The Company processes.
PROCEDURE FOR RECEIVING, EVALUATING, AND RESPONDING TO DATA OWNER APPLICATIONS
Version: 1
Update Date: 01.09.2022
The Procedure for Receiving, Evaluating and Responding to Data Subject Applications (“Procedure”) has been prepared to determine the procedures and principles regarding the receipt, evaluation and response of applications made to Ervin Gıda ve Meşrubat (“Company”) to obtain information.
The Company handles the receipt and evaluation of, and response to, applications made by data owners regarding personal data in accordance with this Procedure.
1. DEFINITIONS
Law | means Personal Data Protection Law (Law Number: 6698) |
Board | means Personal Data Protection Board |
Data owner | means natural person, whose personal data are processed, |
Personal data | means any information relating to an identified or identifiable natural person, within the scope of the law |
2. RECEIPT OF APPLICATION
2.1. Form of Application
Data Subjects will submit their applications to the contact person in writing, as per Article 13 of the Law, to obtain information about their personal data collected by the Company and exercise their rights specified in Article 11 of the Law. Accordingly, applications made by Data Owners can be made in writing as follows:
- In person at our Company's official address, by ensuring the verification of your identity, or
- Through a cancellarius (notary) in an official manner.
2.2. Content of Application
For Data Owner requests to be evaluated, it will first be determined whether the Data Subject is the owner of the personal data processed by The Company. In this regard, in applications to be made to our Company within the scope of the Law, the identity information of the Data Owner must be clearly and accurately stated.
In case of conditional requests, the Data Owner must provide the necessary information on how this condition is fulfilled and submit the documents to prove this claim to The Company.
Applications not made through the methods specified in this Procedure may be evaluated if the Data Owner’s identity has been verified and the information and/or documents requested by the Law for the Application have been provided by the Data Owner. Otherwise, such applications will be rejected due to violation of procedure.
Applications that do not meet the qualifications specified in this article will be evaluated, and contact will be maintained with the Data Owner until the requested information is obtained. However, if the Data Owner does not provide the requested information and/or documents, the Application of the Data Owner will be rejected due to violation of procedure.
3. OTHER CASES
3.1. Application Made by an Attorney or Legal Representative
Applications to the Company within the scope of the Law can also be made by the representative or legal representative of the Data Owner, provided that an official document proving their authorization is presented.
3.2. Application Fee
It is envisaged in the Law that the Data Controller will conclude the request submitted to it free of charge. However, it is also stated that a fee may be charged in accordance with the principles to be determined by the Board if the process requires an additional cost. In this context, if the conclusion of the applications made to the Company requires any additional cost, the Company may request a fee from the Data Owner.
4. APPLICATION EVALUATION PROCESS
If incomplete information and/or documents are identified in applications made by the Data Owner, this will be notified to the Data Owner. If the Data Owner does not provide the requested information and/or documents, the Application of the Data Owner will be rejected due to violation of procedure.
In cases where it is not possible to respond to the Data Subject's Application without sharing personal data belonging to third parties, the following three-step evaluation process will be applied by the Company:
- Whether it is possible to respond to the application without sharing personal data of third parties (e.g., deletion or anonymization of personal data belonging to third parties) will be evaluated.
- Whether the explicit consent of the third party for sharing their personal data can be obtained will be determined.
- If it is not possible to obtain the explicit consent of the third party, whether the personal data of such third party can be shared without obtaining explicit consent will be evaluated.
If it is not possible to conclude the application without sharing the data of the third party, in the first place, explicit consent will be obtained from the Data Owner who is required to share personal data. If the third party does not consent to sharing their data, the information containing the third party's personal data will be removed entirely, and the application will be responded to.
If it is not possible to reach the third party whose data will be shared, the Company will exercise the utmost care and sensitivity in sharing the information containing the third party's personal data. In this way, personal data of third parties may be transferred if it is mandatory.
5. EVALUATION PERIODS FOR APPLICATIONS
The requests of the Data Owner will be evaluated and concluded by the Company as soon as possible and at the latest within thirty (30) days.
Applications made to the Company are forwarded to the relevant department of the Company within a maximum of three (3) days. Investigations to be carried out by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. RESPONSE TO APPLICATIONS
Applications made to the Company by the Data Subject will be responded to by the contact person appointed by the Company, and the responses to the applications will include the following information:
- Applicant (requesting state party)
- Requests
- Information and Documents Provided as a result of the Requests
- Date of Receipt of the Request
- If extra information and documents related to the request are requested, the date of these requests and the date of receiving the relevant responses
- Actions Taken Regarding the Request
- Company's Responses to the Requests
- Response Date
- Authorized Signature
Event records, documents, and results arising from the relevant application will be kept in an electronic directory created for this purpose. The archive will also hold a copy of the written correspondence record.
7. EFFECTIVE DATE AND UPDATES
This Procedure entered into force on 01.09.2022 and will be reviewed by the KVK Committee every year at the beginning of the year and updated, if necessary, in line with the Law, relevant secondary regulations, Board Decisions, and The Company processes.