SÜTİŞ PERSONAL DATA PROTECTION AND PROCESSING POLICY
Table of Contents
- Definitions
- General Information on the Personal Data Law and Introduction
- About the Policy Text
- Your Personal Data Collected
- Purposes of Processing Personal Data
- Transferring Personal Data
- Your Personal Data Obtained Before the GDPR Entered into Force
- Storage and Protection of Personal Data
- Principles Regarding Data Privacy
- Rights of Personal Data Subject and Exercise of Rights Pursuant to GDPR Nr. 6698
- Questions and Comments
Definitions
- “Explicit consent”: Refers to the declaration of consent on a specific subject, based on information and declared by the data subjects with free will.
- “Anonymisation”: Means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
- “Person Concerned”: Refers to the natural person whose personal data is processed.
- “Personal data”: Refers to any information relating to an identified or identifiable natural person.
- “Special Personal data”: Refers to data that are subject to a stricter protection regime under the Law, which may cause the Data Subject to be victimised or discriminated against in cases such as disclosure or loss.
- “Processing of personal data”: Refers to all kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.
- “Data recording system”: Refers to the recording system in which personal data are structured and processed according to certain criteria.
- “Data controller”: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- “Board”: Refers to the Personal Data Protection Board.
- “Authority”: Refers to the Personal Data Protection Authority.
- General Information on the Personal Data Law and Introduction
Law No. 6698 on the Protection of Personal Data (hereinafter referred to as GDPR) was adopted on 24 March 2016 and published in the Official Gazette No. 29677 dated 7 April 2016. Some parts of the GDPR entered into force on the date of publication and some parts entered into force on 7 October 2016.
Sütiş Restoran İşletmeleri Turizm Sanayi ve Ticaret Anonim Şirketi (hereinafter referred to as “Sütiş” or “the Company”) attaches great importance to the lawful processing of the personal data of its customers, business partners, employee candidates and other natural persons, excluding employees, who receive products and services.
For this reason, among many other efforts, our Company aims to ensure compliance with the legislation in force regarding personal data, especially the Law No. 6698 on the Protection of Personal Data (“Law”), by preparing this Personal Data Protection and Processing Policy (“Policy”).
Sütiş makes the utmost effort to take the necessary administrative and technical measures to protect the personal data of everyone it comes into contact with while conducting its commercial activities. In this respect, our Company aims to ensure for everyone whose personal data is processed that:
- personal data are processed in accordance with the law, the relevant persons are informed accordingly, the explicit consent of the relevant person is obtained before processing his/her personal data in cases not covered by the exception, and the unlawful recording or sharing of such data is prevented,
- they are transparently informed about which personal data belonging to them are processed,
- they are able to exercise their rights on their personal data within the framework permitted by the Law.
- About the Policy Text
This Policy contains the Company’s statements and explanations regarding the processing, within the scope of the Law, of the personal data of natural persons other than the employees of our Company, especially customers who receive products and services from the Company and employee candidates.
Our Company reserves the right to make changes in the Policy in order to provide up-to-date information about the practices and legal regulations on the protection of personal data. In case the changes made in the policy are fundamental changes, data subjects will be informed through various channels.
This Policy has been prepared in order to provide information on which personal data Sütiş processes while continuing its commercial activities, for what purpose it processes this data, the method and legal reason for collecting personal data, and to which third parties for which purposes this data may be transferred. In addition, disclosure statements, explicit consents, commitments, forms and other documents containing information and consent to be prepared separately for the persons concerned, have been prepared in accordance with this policy.
Personal data are collected by our Company through the following channels, by automatic means or by non-automatic methods provided that they are part of the data recording system:
- Within the scope of your job applications to our company,
- During your visits to the premises of our company,
- Within the scope of the processing of personal data belonging to the parties of the contract, provided that it is directly related to the signing of the contract between our company and you and the establishment of a business relationship or the performance of the contract in question.
Your personal data can also be collected and processed:
- Through the use of software and applications made available through a computer or a number of smart devices (“Application”);
- Within the scope of printed forms, contracts, documents transmitted by you, except for Digital Media (hereinafter referred to as “Physical Media”),
- In verbal, written or electronic media through our channels such as our sales and marketing department employees, branches, suppliers, other sales channels, paper forms, business cards, digital marketing and call centre;
- In a physical or virtual environment, face-to-face or distant, verbal or written or electronic media, received from persons who share their personal data for purposes such as establishing a commercial relationship with our company, making offers, providing business cards and other means;
- Indirectly through different channels, including digital and physical environments, from (micro) websites used for websites, blogs, competitions, surveys, games, campaigns and similar purposes and through social media, e-bulletin reading or clicking movements, data provided by public databases, profiles open to sharing from social media platforms.
The issues regarding the processing of personal data of our customers whose personal data are processed by our Company are also regulated within the scope of Sütiş Website/Customer Disclosure Statement and the issues regarding the processing of personal data of employees whose personal data are processed are regulated within the scope of Sütiş Employee Disclosure Statement.
- Your Personal Data Collected
Your personal data collected by our Company may vary depending on the nature of the legal relationship you have established with our Company (customer, visitor or job applicant, etc.). Accordingly, your personal data collected by our Company through all channels, including Digital Media, are categorically as follows:
- Identity Information (Name-surname, T.R. Identification Number/Tax Identification Number, gender, place of birth, date of birth, age, occupation, place of registration, etc.)
- Contact Information (E-mail address, telephone number, mobile phone number, address, etc.)
- Transaction Security Data (IP address monitoring records, etc.)
- Legal Procedure and Compliance Information (information requests received from judicial and administrative authorities or data included in decisions, etc.)
- Audit and Inspection Information (Information on all kinds of records and transactions related to legal proceedings associated with the Relevant Person and asserting our rights, etc.)
- Marketing Data (reports and evaluations showing the habits and tastes of the person associated with the Data Subject and to be used for marketing purposes, targeting information, cookie records, information derived in line with data enrichment activities, information and evaluations obtained as a result of surveys, satisfaction surveys, campaigns and direct marketing activities, electronic commercial messages, gift voucher information, communication preferences, order history, etc.)
- Request/Complaint Management Information (information and records collected regarding the requests and complaints made to our Company regarding our products and services associated with the person, and information regarding the reports or correspondence where the results of these are evaluated by the relevant business units, etc.)
- Financial Data (Debit/Credit Card Number, expiry date, CVV information)
- Purposes of Processing Personal Data
Your personal data obtained may be processed by our Company within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law and for the purposes listed below:
- Fulfilment of Obligations Arising from Legislation,
- Planning and Execution of Operational Activities Necessary for Ensuring the Execution of Company Activities in Compliance with the Relevant Legislation,
- Fulfilling the requirements of the services we offer to you, our customers, in accordance with the requirements of the contract and technology and to improve the products and services offered;
- Ensuring that the data is accurate and up-to-date
- Providing Legislative Information to Authorised Institutions
- Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services
- Planning and Execution of Sales Processes of Services,
- Planning and Execution of Customer Relationship Management Processes,
- Planning and Execution of Company Audit Activities
- Planning and Execution of Operation Processes
- Ensuring the Security of Company Operations
- Planning and Execution of Business Continuity Ensuring Activities
- Planning and Execution of Activities for Performing Efficiency / Effectiveness Analyses of Business Activities,
- Planning and Execution of the Activities for Performing Appropriateness Analyses of Business Activities,
- Execution of Strategic Planning Activities,
- Planning and Execution of Marketing Processes of Services
- Follow-up of Accounting and Finance Affairs
- Follow-up of Legal Requests and Related Person Applications,
- Follow-up of Legal Affairs,
- Planning and/or Execution of the Company’s Financial Risk Processes,
- Planning and/or Execution of Operational Risk Processes of the Company
- Planning and/or Execution of Customer Satisfaction Activities
- Recruitment / Employment
- Execution of Personnel Recruitment Processes
- Transferring Personal Data
The personal data you share:
Your personal data may be shared with our suppliers and business partners from whom we receive support in the establishment, execution and termination of your relationship with our Company, including the parties that provide products or services to our Company or on behalf of our Company and the parties we cooperate with to make you benefit from products and services.
The User’s Name and Contact Information may be shared with payment institutions in order to perform identity verification in accordance with the payment institution framework agreement that the User will approve at the payment stage and in accordance with the Regulation on Measures to Prevent Laundering of Proceeds of Crime and Financing of Terrorism published in the Official Gazette dated 9 January 2008 and numbered 26751.
Your personal data may also be shared with legally authorised public institutions and private persons within the scope of their authorisation. In these cases where your personal data is shared, our Company takes the necessary measures to ensure that the party with whom the data is shared carries out processing and transfer activities in accordance with the rules contained in this Policy and the provisions of the legislation.
Within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, Personal Data may be processed by our group companies, business partners, suppliers, cargo companies, e-commerce infrastructure service provider IdeaSoft Yazılım San. Tic. A.Ş., legally authorised public institutions and organisations and legally authorised private institutions, and limited to these purposes, it may be transferred abroad within the framework of the procedures specified in Article 9 of the Law and the decisions of the Personal Data Protection Board.
Accordingly:
The Company may transfer personal data abroad by taking due care, taking the administrative and technical measures stipulated by the legislation and adequate measures determined by the Board, in accordance with the legal reasons set out in Article 5 and Article 6 of the Law and the processing purposes specified in the policy. The Company’s personal data may be transferred abroad if one of the following appropriate safeguards is provided, provided that there is a qualification decision on the country, international organisation or sectors within the country to which the transfer will be made as specified in Article 9 of the Law, or provided that the person concerned has the opportunity to exercise his rights and apply for effective legal remedies in the country where the transfer will be made.
The assurances set out in Article 9 of the Law are valid and applicable in cases of:
- Existence of an agreement that is not in the nature of an international contract between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey and the Board’s authorisation of the transfer,
- The existence of binding corporate rules approved by the Board, which contain provisions on the protection of personal data and which companies within the group of undertakings engaged in joint economic activities are obliged to comply with,
- Existence of a standard contract announced by the Board, including data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data,
- Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board.
Permanent transfer of personal data abroad by the Company. Provided that it complies with the principles specified in Article 4 of the Law for non-continuous transfer and provided that it is incidental (not regular and systematic), the Company may transfer personal data abroad only in the presence of one of the following cases:
- Explicit consent to the transfer, provided that the person concerned is informed about the possible risks,
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
- The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
- The transfer is necessary for an overriding public interest,
- The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
- The transfer of personal data is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
- Transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
It is ensured that the data transferred abroad fulfil the above-mentioned guarantees in terms of subsequent transfers to be made by the place of transfer. Except for continuous transfer and incidental transfer, personal data may be transferred abroad only with the permission of the Board by obtaining the opinion of the relevant public institution or organisation, without prejudice to the provisions of international agreements, in cases where the interests of Turkiye or the person concerned would be seriously damaged.
- Your Personal Data Obtained Before the GDPR Entered into Force
Your personal data obtained before 7 April 2016, the effective date of the Law, are also processed and stored in accordance with the terms and conditions set out in this document.
Transfer of your personal data abroad:
Your personal data collected by any of the above-mentioned methods to be processed in Turkiye or to be processed and stored outside Turkiye may also be transferred to service intermediaries abroad (to countries accredited by the Personal Data Board and where there is adequate protection for the protection of personal data), provided that they remain within the scope of GDPR and in accordance with the contractual purposes.
- Storage and Protection of Personal Data
Our Company determines the retention periods of personal data by taking into account the legislation in force and the purposes of processing the data subject to the process. In this context, the statute of limitations regarding the legal obligations related to the personal data processing activity is taken into consideration. In the event that the purpose of personal data processing disappears, the data is deleted, destroyed or anonymised unless there is another legal reason or basis that allows the retention of personal data.
If it is learnt that personal data is obtained by others illegally, the situation will be immediately notified to the Personal Data Protection Board in writing and in accordance with the legal regulation.
Keeping personal data up-to-date and accurate:
Pursuant to Article 4 of the GDPR, our Company has the obligation to keep your personal data accurate and up-to-date. In this context, in order for our Company to fulfil its obligations arising from the legislation in force, our Customers are required to share accurate and up-to-date data or update them via the website / mobile application.
- Principles Regarding Data Privacy
Our Company acts in accordance with the general principles described below within the scope of all personal data processing activities:
- Acting in accordance with the law and integrity rules: Our Company acts in accordance with the legislation in force and complies with the rules of honesty in all kinds of personal data processing processes.
- Accuracy and timeliness: Our company provides data subjects with the opportunity to update their personal data and takes the necessary measures to ensure that the data is transferred to the database correctly.
- Processing for specific, explicit and legitimate purposes: Our Company limits its personal data processing activities to specific and legitimate purposes and clearly informs the data subjects about the said purposes through clarification texts.
- Being relevant, limited and proportionate to the purpose for which they are processed: Personal data are processed by our Company to the extent necessary for the purpose notified to the data subject at the time they are obtained, in connection with and limited to this purpose.
- To be kept for the period stipulated in the relevant legislation or required for the relevant purpose: If a certain period of time is determined within the scope of the legislation in force, our company retains personal data for this period. If such a period is not specified in the legislation, reasonable retention periods are determined by taking into account the purpose of data use and the procedures of our Company and the data are kept limited to this period. Following the expiry of the aforementioned periods, the data are deleted, destroyed or anonymised in accordance with the procedures of our Company.
- Rights of Personal Data Subject and Exercise of Rights Pursuant to GDPR Nr. 6698
According to Article 11 of the Law, data subjects have the following rights against the data controller:
- To learn whether personal data about him/her is being processed,
- To request information if personal data related to him/her has been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation,
- In case of correction, deletion or destruction of personal data, to request that these transactions be notified to third parties to whom personal data are transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
In order to exercise the aforementioned rights, persons concerned will be able to use the Data Subject Application Form on the https://shop.sutis.com.tr/ website.
Applications can be made by one of the following methods, together with documents that will enable your identity to be determined:
- Filling out the form and sending the wet signed copy of the form in person or through a notary public to “Adnan Kahveci Mah. Sümer Cad. No:3/1 Beylikdüzü / Istanbul”
- Signing the form with a secure electronic signature issued within the scope of the Electronic Signature Law No. 5070 and sending it by e-mail to [email protected],
- Following another method prescribed by the Board.
Our Company responds to data subjects who wish to exercise such rights within the limits stipulated in the Law within a maximum period of thirty days as stipulated in the Law. In order for third parties to apply on your behalf, you must have a special power of attorney issued by a notary public on behalf of the person who will make the application.
Although your applications are processed free of charge as a rule, if a fee tariff is stipulated by the Personal Data Protection Board, a fee may be charged based on this tariff.
Our Company may request information from the Data Subject in order to determine whether the applicant is the data subject or not, and may ask questions to the data subject regarding his/her application in order to clarify the matters specified in the application.
Data Security
In order to ensure the security of your personal data, our company takes reasonable technical and administrative measures to prevent unauthorised access risks, accidental data loss, deliberate deletion or damage to data.
In this context, our Company;
- registers access to personal data,
- ensures data security by using software and hardware including virus protection systems and firewalls,
- monitors personal data processing activities on a business unit basis,
- ensures that the necessary audits are carried out to ensure the implementation of the provisions of the Law, in accordance with Article 12 of the Law,
- ensures compliance of data processing activities with the Law through internal policies and procedures,
- makes authorisations in accordance with the nature of the data accessed within the company,
- subjects access to Sensitive Personal Data to stricter measures,
- carries out additional security checks on persons who have access to Sensitive Personal Data,
- in case of access to personal data from outside the Company for reasons such as outsourcing, receives commitments from the external service provider to ensure compliance with the Law,
- takes the necessary actions to inform all employees, especially those who are authorised to access personal data, about their duties and responsibilities under the Law.
- Questions and Comments
If you wish to communicate your questions and comments to our Company within the scope of this policy, you can contact us by filling out the form at https://shop.sutis.com.tr/pages/iletisim.