Personal Data Protection and Processing Policy

Personal Data Protection and Processing Information Form

ATAKEY PATATES GIDA SANAYİ VE TİCARET ANONİM ŞİRKETİPERSONAL DATA PROTECTION AND PROCESSING INFORMATION FORM

As Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi, we show maximum sensitivity to the security of personal data. In this context, we would like to bring the following explanations to the attention of our customers, including those who benefit from our products and services as the Company, and third parties who use our website and / or mobile applications, in order to fulfil our disclosure obligation arising from Article 10 of the KVKK in accordance with the Personal Data Protection Law No. 6698 (‘KVKK’).

a) Data Controller and Representative

As the Company, in the capacity of Data Controller, your personal information will be recorded, stored, updated, disclosed/transferred to third parties where permitted by the legislation, classified and processed in the ways listed in the KVKK within the framework described below.

b) Collection and Processing of Personal Data

Although your personal data may vary depending on the services provided and provided by our Company and the commercial activities of our Company, it may be collected verbally, in writing or electronically by automatic or non-automatic methods, our Company units and offices, group companies, branches, social media channels, mobile applications and similar means. As long as you benefit from the products and services offered by our Company, your personal data may be processed by creating and updating. In addition, your personal data may be processed when you use our call centres or our website to use our services and when you participate in our Company's organisations.

Your personal data collected will be processed within the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK for the purposes of ensuring the legal and commercial security of the Company and persons in business relations with the Company; ensuring the execution of the Company's human resources policies; determining and implementing commercial and business strategies.

In addition, it will be processed, collected, used, stored, disclosed, transferred and kept safe in accordance with the KVKK and other legislation for the purposes of informing the Company about sales, discounts, campaigns, promotions and marketing.

Our Company and our service providers may use your personal information for marketing and system support, software development purposes such as informing you about sales, discounts, campaigns, promotions and activities in line with the purposes set out in this Clarification Text.

c) To whom and for what purpose the processed personal data can be transferred

Your collected personal data may be transferred to our business partners, suppliers, shareholders, legally authorised public institutions and private persons for the purposes of ensuring the legal and commercial security of the Company and the persons who have a business relationship with the Company; ensuring the execution of the Company's human resources policies; determining and implementing commercial and business strategies, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK.

d) Method and Legal Grounds for Collecting Personal Data

Your personal data is collected by the Company in all kinds of verbal, written and electronic media by the Company through different channels and based on different legal reasons; within the scope of providing the products and services offered by the Company within the legal framework determined in order to carry out or carry out our activities, in accordance with the contractual and legal responsibilities of our Company. Your personal data collected for this legal reason may also be processed and transferred for the purposes specified in Articles (b) and (c) of this Clarification Text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK.

e) Rights of the Personal Data Owner listed in Article 11 of the KVKK

As personal data owners, if you submit your requests regarding your rights to the Company by the methods set out below in this Clarification Text, the Company will finalise the request as soon as possible and within thirty days at the latest, depending on the nature of the request. In order to fulfil your requests, the expenses to be incurred by our Company and in case a fee tariff is stipulated by the Personal Data Protection Board, the fee in the tariff determined will be charged by the Company. In this context, personal data owners;

• To learn whether personal data is being processed,

• Request information if personal data has been processed,

• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

• To know the third parties to whom personal data are transferred domestically or abroad,

• To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

• Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

• To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,

• In the event that personal data is damaged due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

Pursuant to Article 13 of the LPPD, you are required to submit your request to exercise your above-mentioned rights to the Company ‘in writing’ or by other methods determined by the Personal Data Protection Board. Since the Personal Data Protection Board has not determined any method at this stage, you must submit your application to the Company in writing in accordance with the mandatory provision of the KVKK. In this context, the channels and procedures you will submit your application in writing to the Company within the scope of Article 11 of the KVKK are explained below.

In order to exercise your rights mentioned above, you can send your request, together with the necessary information identifying your identity and your explanations regarding the right you want to exercise, to Dikilitaş Mahallesi Emirhan Caddesi No:109 Beşiktaş/İstanbul by registered letter with return receipt requested or to Dikilitaş Mahallesi Emirhan Caddesi No:109 Beşiktaş/İstanbul with confirmation of receipt, stating which of your rights specified in Article 11 of the KVKK is related to the exercise of your right.

Personal Data Protection and Processing Policy

INFORMATION FORM

Document Name:

Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi Personal Data Protection and Processing Policy

Target Audience:

All real persons other than the employees of Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi whose personal data are processed by Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi

Prepared by:

Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi Personal Data Protection Committee

Version

v.01

Approved by:

Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi Personal Data Protection Committee

Effective Date:

November, 2019

In case of any discrepancy between the Turkish language version of the Policy and any translation, the Turkish text should be taken into consideration.

©Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi, 2019

This document may not be reproduced or distributed without the written permission of Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi.

CONTENTS

PART 1 - INTRODUCTION 3

1.1. INTRODUCTION 3

1.2. SCOPE 3

1.3. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION 3

1.4. ENFORCEMENT OF THE POLICY 3

SECTION 2 - ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA 3

2.1. ENSURING THE SECURITY OF PERSONAL DATA 3

2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA 4

2.3. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA 4

SECTION 3 - ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA 4

3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION 4

3.2. CONDITIONS FOR PROCESSING PERSONAL DATA 5

3.3. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE 6

3.4. DISCLOSURE OF PERSONAL DATA SUBJECT 6

3.5. TRANSFER OF PERSONAL DATA 6

SECTION 4 - CATEGORISATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING 8

SECTION 5 - STORAGE AND DESTRUCTION OF PERSONAL DATA 8

SECTION 6- RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS 8

6.1. RIGHTS OF THE PERSONAL DATA OWNER 8

6.2. EXERCISING THE RIGHTS OF THE PERSONAL DATA OWNER 9

6.3. OUR COMPANY'S RESPONSE TO APPLICATIONS 9

Annex 1 - Purposes of Processing Personal Data 10

Annex 2 - Personal Data Subjects 12

Annex 3 - Categories of Personal Data 13

ANNEX 4 - Third Parties to whom Personal Data are Transferred by our Company and Purposes of Transfer 15

1. SECTION 1 – INTRODUCTION
1.1 INTRODUCTION

Protection of personal data is among the most important priorities of Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi (‘Company’). Within the framework of this Atakey Patates Gıda Sanayi Ve Ticaret Anonim Şirketi, Personal Data Protection and Processing Policy (‘Policy’), the principles adopted in the execution of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations contained in the Personal Data Protection Law No. 6698 (‘Law’) are explained and thus, our Company provides the necessary transparency by informing the personal data owners. With full awareness of our responsibility within this scope, your personal data are processed and protected within the scope of this Policy.

The activities carried out by our Company regarding the protection of personal data of our employees are managed under the Atakey Patates Gıda Sanayi Ve Ticaret Anonim Şirketi Employees Personal Data Protection and Processing Policy, which has been written in parallel with the principles in this Policy.

1.2 SCOPE

This Policy is related to all personal data of persons other than the employees of our Company, which are processed automatically or non-automatically provided that they are part of any data recording system. Detailed information regarding the personal data owners in question can be found in Annex 2 (‘Annex 2- Personal Data Owners’) of this Policy.

1.3 IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data will be applied first. In case of incompatibility between the legislation in force and the Policy, our Company accepts that the legislation in force will be applied. The Policy regulates the rules set forth by the relevant legislation by concretising them within the scope of Company practices.

1.4 ENFORCEMENT OF THE POLICY

This Policy issued by our Company is dated November, 2019. In the event that all or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on our Company's website http://www.atakey.com.tr/ and made available to the relevant persons upon the request of the personal data owners.

SECTION 2 - ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

2.1 ENSURING THE SECURITY OF PERSONAL DATA

In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways. In this context, our Company takes administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board (‘Board’), conducts audits or has them conducted.

2.2 PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Sensitive personal data are given special importance under the Law due to the risk of causing victimisation or discrimination when processed unlawfully. These ‘sensitive’ personal data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within our Company.

Detailed information on the processing of special categories of personal data is provided in section 3.3 of this Policy.

2.3 RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our Company ensures that the necessary trainings are organised for the business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.

Our Company establishes the necessary systems to ensure that existing employees and new employees are aware of the protection of personal data, and works with consultants if necessary. In this direction, our Company evaluates the participation in the relevant trainings, seminars and information sessions and organises new trainings in parallel with the updating of the relevant legislation.

SECTION 3 - ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

3.1 PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION,

Processing in accordance with the Law and Good Faith

Personal data are processed in accordance with the general rule of trust and honesty so as not to harm the fundamental rights and freedoms of individuals. Within this framework, personal data are processed to the extent required by and limited to the business activities of our Company.

Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our Company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time.

Processing for Specific, Explicit and Legitimate Purposes

Our company clearly sets out the purposes of processing personal data and processes them within the scope of purposes related to these activities in line with business activities.

Being Relevant, Limited and Proportionate to the Purpose of Processing

Our company collects personal data only to the extent and quality required by business activities and processes them limited to the specified purposes.

Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

Our Company retains personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legislation. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or in accordance with the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymisation).

3.2 PROCESSING CONDITIONS OF PERSONAL DATA

Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal data of special nature, the conditions set out in section 3.3 of this Policy (‘Processing of Personal Data of Special Nature’) shall apply.

Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and free will.

In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.

Explicitly Stipulated by Laws

If the personal data of the data subject is explicitly stipulated in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data, the existence of this data processing condition may be mentioned.

Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognised as valid, in order to protect his/her or another person's life or physical integrity.

Direct Relevance to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if it is necessary to process personal data.

Fulfilment of the Company's Legal Obligation

Personal data of the data subject may be processed if processing is mandatory for our company to fulfil its legal obligations.

Publicisation of Personal Data by the Personal Data Owner

In case the data owner has made his/her personal data public, the relevant personal data may be processed limited to the purpose of publicisation.

Data Processing is Mandatory for the Establishment or Protection of a Right

Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

Data Processing is Mandatory for the Legitimate Interest of our Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company.

3.3 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Sensitive personal data are processed by our Company in accordance with the principles set out in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

Sensitive personal data other than health and sexual life may be processed without seeking the explicit consent of the data owner if it is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject shall be obtained.

Sensitive personal data relating to health and sexual life may be processed by persons or authorised institutions and organisations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking explicit consent. Otherwise, the explicit consent of the data subject shall be obtained.

3.4 CLARIFICATION OF THE PERSONAL DATA OWNER

In accordance with Article 10 of the Law and secondary legislation, our Company informs personal data owners about the purposes for which their personal data is processed by who is the data controller, for what purposes, with whom it is shared for what purposes, by which methods it is collected and the legal reason and the rights of data owners within the scope of processing their personal data.

3.5 TRANSFER OF PERSONAL DATA

Our Company may transfer personal data and special categories of personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. In this respect, our Company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in Annex 4 of this Policy (‘Annex 4- Third Parties to whom Personal Data is Transferred by our Company and the Purposes of Transfer’).

Transfer of Personal Data

Even without the explicit consent of the personal data owner, if one or more of the following conditions exist, personal data may be transferred to third parties by our Company by taking due care and taking all necessary security measures, including the methods stipulated by the Board.

• The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,

• The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,

• The transfer of personal data is mandatory for our Company to fulfil its legal obligations,

• Transfer of personal data by our Company limited to the purpose of publicisation, provided that the personal data has been made public by the data subject,

• The transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data subject or third parties,

• It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,

• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection (‘Foreign Country with Adequate Protection’) in the presence of any of the above conditions. In the absence of adequate protection, in accordance with the data transfer conditions stipulated in the legislation, the data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Board has authorisation (‘Foreign Country Where the Data Controller Undertakes Adequate Protection’).

Transfer of Special Categories of Personal Data

Sensitive personal data may be transferred by our Company in accordance with the principles set out in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

Sensitive personal data other than health and sexual life may be processed without the explicit consent of the data owner if it is expressly stipulated in the laws, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject shall be obtained.

Sensitive personal data relating to health and sexual life may be processed by persons or authorised institutions and organisations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking explicit consent. Otherwise, explicit consent of the data subject shall be obtained.

In addition to the above, personal data may be transferred to the Foreign Country with Adequate Protection in the presence of any of the above conditions. In the absence of adequate protection, in accordance with the data transfer conditions stipulated in the legislation, the data may be transferred to the Foreign Country where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Data Controller Undertaking Adequate Protection is located.

SECTION 4 - CATEGORISATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

Personal data are processed by our Company by informing the relevant persons in accordance with Article 10 of the Law and secondary legislation, in line with the personal data processing purposes of our Company, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data. Within the framework of the purposes and conditions specified in this Policy, the categories of personal data processed and detailed information about the categories can be found in Annex 3 (‘Annex 3- Personal Data Categories’) of the Policy.

Detailed information on the aforementioned personal data processing purposes is provided in Annex 1 of the Policy (‘Annex 1- Personal Data Processing Purposes’).

SECTION 5 - STORAGE AND DESTRUCTION OF PERSONAL DATA

SECTION 6- RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

6.1. RIGHTS OF THE PERSONAL DATA OWNER

Personal data subjects have the following rights

1. To learn whether personal data is being processed or not,

2. Request information if personal data has been processed,

3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

4. To know the third parties to whom personal data are transferred domestically or abroad,

5. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

6. Although it has been processed in accordance with the provisions of the Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

7. To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,

8. In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

6.2. EXERCISING THE RIGHTS OF THE PERSONAL DATA OWNER

Personal data owners will be able to submit their requests regarding their rights listed in section 6.1. (‘Rights of Personal Data Owner’) to our Company by the methods determined by the Board. In this direction, they can benefit from the ‘Atakey Patates Gıda Sanayi ve Ticaret A.Ş. Data Owner Application Form’ which can be accessed at http://www.atakey.com.tr/.

6.3. OUR COMPANY'S RESPONSE TO APPLICATIONS

Our Company takes the necessary administrative and technical measures to finalise the applications to be made by the personal data owner in accordance with the Law and secondary legislation.

In the event that the personal data owner submits his/her request regarding the rights set out in section 6.1. (‘Rights of the Personal Data Owner’) to our Company in accordance with the procedure, our Company will finalise the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

Annex 1 - Purposes of Processing Personal Data

MAIN OBJECTIVES (PRIMARY)	SUB-OBJECTIVES (SECONDARY)
Planning and execution of our company's human resources policies and processes	Planning of human resources processes
	Execution of personnel recruitment processes
	Planning and execution of intern and student recruitment, placement and operation processes
Carrying out the necessary work by our relevant business units for the realisation of the commercial activities carried out by the Company and carrying out the related business processes	Planning and execution of corporate communication activities
	Event management
	Planning and execution of corporate governance activities
	Planning and execution of business activities
	Follow-up of finance and accounting affairs
	Establishment and management of information technology infrastructure
	Planning and execution of production and operation processes
	Planning and execution of the activities of conducting effectiveness/efficiency and relevance analysis of business activities
	Planning information security processes
Carrying out the necessary work by our business units to ensure that the relevant persons benefit from the products and services offered by the Company and carrying out the relevant business processes	Follow-up of contract processes and legal requests
	Follow-up of customer requests and complaints
Planning and execution of the Company's commercial and business strategies	Execution of strategic planning activities
	Management of relationships with business partners and suppliers
	Planning and execution of reporting activities
Ensuring the legal, technical and commercial-business security of the Company and related persons who are in business relations with the Company	Planning and execution of internal audit and investigation processes
	Follow-up of legal affairs
	Realization of company and partnership law transactions
	Planning and execution of company audit activities
	Ensuring the security of company premises and facilities
	Planning and execution of the Company's financial risk processes
	Planning and execution of the necessary operational activities to ensure that the Company's activities are carried out in accordance with company procedures and relevant legislation
	Ensuring the security of company operations

ANNEX 2 - Personal Data Subjects

CATEGORIES OF PERSONAL DATA SUBJECTS	EXPLANATION
Customer	Natural or legal persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company
Visitor	Natural persons who have entered the physical premises owned by our Company for various purposes or who visit our websites
Third Person	Third party natural persons (e.g. guarantors, family members and relatives) who are related to these persons in order to ensure the security of our company's commercial transactions with the aforementioned parties or to protect the rights of the aforementioned persons and to obtain benefits, or other natural persons who are not covered by this Policy and Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi Employees Personal Data Protection and Processing Policy
Employee Candidate	Natural persons who have applied for a job to our company by any means or who have opened their CV and related information to our company's review
Company Shareholder	Real persons who are shareholders of our Company
Company Official	Members of the Board of Directors and other authorized real persons
Employees, Shareholders and Authorities of the Institutions We Cooperate with	Natural persons, including, but not limited to, shareholders and officials of these institutions, working in institutions with which our Company has all kinds of business relations (such as business partners, dealers, authorized services, suppliers)

Annex 3 - Categories of Personal Data

PERSONAL DATA CATEGORIES	EXPLANATION
Identity Information	Data containing information about the identity of the person: documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality, parents' name, place of birth, date of birth, gender, and information such as tax number, SSI number, vehicle license plate, etc.
Contact Information	Telephone number, address, e-mail, fax number
Customer Information	Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework
Family Members and Relatives	Information about the family members and relatives of the personal data subject within the framework of our Company's operations and the products and services we offer or in order to protect the legal and other interests of the Company and the data subject
Customer Transaction Information	Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; such as records for the use of our products and services and the instructions and requests of the customer required for the use of products and services
Physical Space Security Information	Personal data relating to the records and documents taken at the entrance to the physical space, during the stay in the physical space, which clearly belong to an identified or identifiable natural person and are included in the data recording system; camera records, fingerprint records and records taken at the security point, etc.
Transaction Security Information	Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities (e.g. log records)
Risk Management Knowledge	Personal data processed by means of methods used in accordance with generally accepted legal, commercial customs and good faith in these areas in order for us to manage our commercial, technical and administrative risks
Financial Information	Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information
Employee Candidate Information	Personal data processed regarding individuals who have applied to become an employee of our company or who have been evaluated as employee candidates in line with the human resources needs of our company in accordance with the commercial custom and honesty rules or who are in a working relationship with our Company
Sensitive Personal Data	Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Request/Complaint Management Information	Personal data regarding the receipt and evaluation of any request or complaint addressed to our Company
Audiovisual Data	Data in the form of photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and copies of documents containing personal data, which clearly belong to an identified or identifiable natural person
Audit and Inspection Knowledge	It means personal data processed during internal or external audit activities within the scope of our company's legal obligations and compliance with company policies.
Legal Action and Compliance	Personal data processed within the scope of determination and follow-up of our legal receivables and rights and performance of our debts and compliance with our legal obligations and our Company's policies

ANNEX 4 - Third Parties to whom Personal Data is Transferred by our Company and Purposes of Transfer

In accordance with Articles 8 and 9 of the Law, our Company may transfer the personal data of customers to the categories of persons listed below:

Business Partners

Suppliers

Legally Authorized Private Law Persons

Legally Authorized Public Institutions and Organizations

Group Companies

Company Board Members

The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are stated below.

Persons to whom data can be transferred	Definition	Data Transfer Purpose
Business Partner	Investors and other parties with whom our Company has established business partnerships for purposes such as the sale, promotion and marketing of our Company's products and services, after-sales support, and the execution of joint customer loyalty programs while conducting its commercial activities	Limited to ensure the fulfillment of the purposes for which the joint venture was established
Consultant / Service Provider / Supplier	Parties providing services to our Company in line with the data processing processing purposes and instructions of our Company within the scope of the execution of our Company's commercial activities	Limited to the purpose of ensuring that our Company provides our Company with the services outsourced by our Company's Consultant/Service Provider/Supplier and necessary to fulfill our Company's commercial activities
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to obtain information and documents from our Company in accordance with the provisions of the relevant legislation, such as; Trade Registry Directorate, SPK, EPDK, Competition Board	Limited to the purpose requested by the relevant public institutions and organizations within the legal authority
Legally Authorized Private Law Persons	It refers to institutions or organizations (e.g. banks, independent auditors) that are established in accordance with certain conditions determined by law in accordance with the provisions of the relevant legislation and continue their activities within the framework determined by law.	Personal data are shared in a limited manner in relation to the subjects that fall within the scope of the activities carried out by the relevant private institutions and organizations.
Group Companies	You can reach the Group Companies from the list on https://www.tabfoods.com/tr/sirketler/qsr-turkiyehttps://www.tabfoods.com/tr/sirketler/qsr-cinhttps://www.tabfoods.com/tr/sirketler/ekosistem-sirketleriadresinde.
Company Board Members	Company Board Members	Limited to the purpose of carrying out the activities of the Board of Directors of the Company

Privacy

TFI ATAKEY PATATES GIDA SANAYİ VE TİCARET A.ŞGROUP COMPANIES PERSONAL DATA PROTECTION AND PROCESSING INFORMATION FORM

As ATAKEY PATATES GIDA SANAYİ VE TİCARET A.Ş., we show maximum sensitivity to the security of personal data

In this context, in order to fulfill our disclosure obligation arising from Article 10 of the KVKK in accordance with the Personal Data Protection Law No. 6698 (“KVKK”), we would like to bring the following explanations to the attention of our customers, including those who benefit from our products and services as the Company, and third parties using our website and / or mobile applications

a) Data Controller and Representative

As the Company, as the Data Controller, your personal information will be recorded, stored, updated, disclosed/transferred to third parties where permitted by the legislation, classified and processed in the ways listed in the KVKK within the framework described below

b) Collection and Processing of Personal Data

Although your personal data may vary depending on the services provided and provided by our Company and the commercial activities of our Company, it may be collected verbally, in writing or electronically by automatic or non-automatic methods, our Company units and offices, group companies, branches, social media channels, mobile applications and similar means.

As long as you benefit from the products and services offered by our Company, your personal data may be processed by creating and updating. In addition, your personal data may be processed when you use our call centers or our website to use our services and when you participate in our Company's organizations.

Your personal data collected will be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK for the purposes of ensuring the legal and commercial security of the Company and persons in business relations with the Company; ensuring the execution of the Company's human resources policies; determining and implementing commercial and business strategies.

In addition, it will be processed, collected, used, stored, disclosed, transferred and kept safe in accordance with KVKK and other legislation for the purposes of informing the Company about sales, discounts, campaigns, promotions and marketing.

Our Company and our Franchise branches, service providers may use your personal information for marketing and system support, software development purposes such as informing about sales, discounts, campaigns, promotions and activities in line with the purposes set out in this Clarification Text.

c) To whom and for what purpose the processed personal data can be transferred

Your collected personal data may be transferred to our business partners, suppliers, shareholders, legally authorized public institutions and private persons for the purposes of ensuring the legal and commercial security of the Company and the persons who have a business relationship with the Company; ensuring the execution of the Company's human resources policies; determining and implementing commercial and business strategies, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK.

d) Method and Legal Grounds for Collecting Personal Data

Your personal data is collected by the Company in all kinds of verbal, written and electronic media by the Company through different channels and based on different legal reasons; within the scope of providing the products and services offered by the Company within the legal framework determined in order to carry out or carry out our activities, in accordance with the contractual and legal responsibilities of our Company.

Your personal data collected for this legal reason may also be processed and transferred for the purposes specified in Articles (b) and (c) of this Clarification Text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK.

e) Rights of the Personal Data Owner listed in Article 11 of the KVKK

As personal data owners, if you submit your requests regarding your rights to the Company by the methods set out below in this Clarification Text, the Company will finalize the request as soon as possible and within thirty days at the latest, depending on the nature of the request. In order to fulfill your requests, the expenses to be incurred by our Company and if a fee tariff is stipulated by the Personal Data Protection Board, the fee in the tariff determined by the Company will be charged.

In this context, personal data owners;

- Learn whether personal data is being processed,

- Request information if their personal data has been processed,

- To learn the purpose of processing personal data and whether they are used for their intended purpose,

- To know the third parties to whom personal data are transferred domestically or abroad,

- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

- Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

- In the event that personal data is damaged due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

Pursuant to Article 13 of the LPPD, you are required to submit your request to exercise your above-mentioned rights to the Company “in writing” or by other methods determined by the Personal Data Protection Board.

Since the Personal Data Protection Board has not determined any method at this stage, you must submit your application to the Company in writing in accordance with the mandatory provision of the KVKK. In this context, the channels and procedures you will submit your application in writing to the Company within the scope of Article 11 of the KVKK are explained below.

In order to exercise your rights mentioned above, you can send your request, together with the necessary information identifying your identity and your explanations regarding the right you want to exercise, to Dikilitaş Mahallesi Emirhan Caddesi No:109 Beşiktaş / İstanbul by registered letter with return receipt or to Dikilitaş Mahallesi Emirhan Caddesi No:109 Beşiktaş / İstanbul with confirmation of receipt, stating which of your rights specified in Article 11 of the KVKK is related to the exercise of your right.

Data Subject Application Form

Application Method

Pursuant to Article 13 of the Law and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller, you can submit your requests within the scope of your rights listed in Article 11 of the Personal Data Protection Law No. 6698 (“Law”) to our Company with one of the methods described below with this form.

	APPLICATION METHOD	ADDRESS TO APPLY	APPLICATIONINFORMATION TO BE SHOWN
Application in Writing	In-person application with wet signature or through a Notary Public	Dikilitaş Mah. Emirhan Cad. Atakule No: 109 /A K:11 34349Beşiktaş/İstanbul	“Kişisel Verilerin Korunması Kanunu Kapsamında Bilgi Talebi” will be written on the envelope/notification.
Via Registered Electronic Mail (KEP)	By registered electronic mail (KEP) address	atakey@hs02.kep.tr	“Kişisel Verilerin Korunması Kanunu Bilgi Talebi” will be written in the subject section of the e-mail.
Application with the Electronic Mail Address Found in Our System	By using your e-mail address registered in our Company's system	kvkk@atakey.com.tr	“Kişisel Verilerin Korunması Kanunu Bilgi Talebi” will be written in the subject section of the e-mail.
Application with an Electronic Mail Address that is not in our system	By using your e-mail address that is not in our Company's system, including mobile signature/e-signature	kvkk@atakey.com.tr	“Kişisel Verilerin Korunması Kanunu Bilgi Talebi” will be written in the subject section of the e-mail.

Data Subject Application Form

Cookie Clarification Text

As Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi (hereinafter referred to as “Atakey” or “Company”), we utilize certain technologies (“cookies”) such as cookies, pixels, GIFs, etc. in order to improve your experience during your use or visit to our websites (“Site”), applications or all similar online or offline media that we make available to you in the digital environment (all mentioned media will be referred to as “Platform” together).

The use of these technologies is carried out in accordance with the legislation we are subject to, in particular the Law No. 6698 on the Protection of Personal Data (“KVK Law”).

The purpose of this Cookie Clarification Text is to inform you about the processing of personal data obtained due to the processing of personal data through the collection of personal data such as cookies and pixels used during the use of the Platforms. In this text, we would like to explain to you what kind of cookies we use on our site and application for what purposes and how you can control these cookies.

As Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi, we may stop using the cookies we use on our site and application, change their types or functions, or add new cookies to our site and application. Therefore, we reserve the right to change the provisions of this Cookie Clarification Text at any time. Any changes made to the current Cookie Clarification Text will become effective upon publication on the site, application or any public medium. You can find the last update date at the end of the text.

Detailed information about the purposes of processing your personal data by our Company; You can access the Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi Personal Data Protection and Processing Policy at http://www.atakey.com.tr/.

Method and Legal Grounds for Collecting Personal Data

Your personal data is collected based on a legal reason for the legitimate interest of our Company through cookies in the electronic environment within the scope of your visit to our website or due to your use of our application. Your collected personal data may also be processed for the purposes specified in this Cookie Clarification Text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law.

To whom and for what purpose personal data may be transferred

As Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi, we may share your personal data within the scope of the Cookie Clarification Text with our group companies, affiliates and subsidiaries, legally authorized public institutions and legally authorized private persons, limited to the realization of the above-mentioned purposes and in accordance with the legislation.

Which Cookies are Used for Which Purposes?

As Atakey Patates Gıda Sanayi ve Ticaret Anonim Şirketi, we use cookies for various purposes on our website and application and process your personal data through these cookies. These purposes are mainly the following:

Analyzing the Site and the application and improving the performance of the Site and the application. For example, the integration of different servers on which the Site runs, determining the number of visitors to the Site and making performance settings accordingly, or making it easier for visitors to find what they are looking for.

Cookies Used on Our Site and Application

Below you can find the different types of cookies we use on our site and application. Both first party cookies (placed by the site you visit) and third party cookies (placed by servers other than the site you visit) are used on our site and application.

Performance and Analysis Cookies

Thanks to these cookies, we can improve the services we provide to you by analyzing your use and performance of our Site and application. For example, thanks to these cookies, we can determine which pages our visitors view the most, whether our site is working properly and possible problems.

Cookie	Description
Google Analytics	Tracking of site entries and pages viewed

How Can I Control the Use of Cookies?

The preferences of our visitors and users regarding the use of cookies and similar technologies are essential for us. However, it is necessary to use Cookies that are mandatory for the operation of the Platform. In addition, we would like to remind you that if some cookies are turned off, some functions of the Platform may not work partially or completely.

Information on how you can manage your preferences regarding the cookies used on the Platform is as follows: 

Visitors have the opportunity to customize their preferences regarding cookies by changing the browser settings through which they view the Platform. If the browser being used offers this option, it is possible to change the preferences regarding cookies through the browser settings. Thus, although it may vary depending on the possibilities offered by the browser, data subjects have the opportunity to prevent the use of cookies, to receive a warning before the cookie is used, or to disable or delete only some cookies.

Although the preferences in this regard vary depending on the browser used, it is possible to access the general explanation at https://www.aboutcookies.org/. Preferences regarding cookies may need to be made separately for each device that the visitor accesses the Platform.

Click here to turn off cookies managed by Google Analytics.

Click here to manage the personalized advertising experience provided by Google.

In terms of cookies used by many companies for advertising activities, preferences can be managed through Your Online Choices.

To manage cookies on mobile devices, the settings menu of the mobile device can be used.

You have the opportunity to customize your preferences regarding cookies by changing your browser settings.

Adobe Analytics	http://www.adobe.com/uk/privacy/opt-out.html
AOL	https://help.aol.com/articles/restore-security-settings-and-enable-cookie-settings-on-browser
Google Adwords	https://support.google.com/ads/answer/2662922?hl=en
Google Analytics	https://tools.google.com/dlpage/gaoptout
Google Chrome	http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647
Internet Explorer	https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
MozillaFirefox	http://support.mozilla.com/en-US/kb/Cookies
Opera	http://www.opera.com/browser/tutorials/security/privacy/
Safari:	https://support.apple.com/kb/ph19214?locale=tr_TR

What are Your Rights as a Data Subject?

Data subjects pursuant to Article 11 of the KVK Law,

• to learn whether his/her personal data are processed or not,

• to demand for information as to if his/her personal data have been processed,

• to learn the purpose of the processing of his/her personal data and whether these personal

• data are used in compliance with the purpose,

• to know the third parties to whom his personal data are transferred in country or abroad,

• to request the rectification of the incomplete or inaccurate data, if any,

• to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

• to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

• to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,

• to claim compensation for the damage arising from the unlawful processing of his/her personal data.

You can submit your applications for your rights listed above to our Company by filling out the Data Owner Application Form available at http://www.atakey.com.tr/ or by sending an e-mail to kvkk@atakey.com.tr. Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.

Personal Data Protection and Processing Information Form