
EBEBEK MAĞAZACILIK ANONİM ŞİRKETİ PROTECTION AND PROCESSING OF PERSONAL DATA POLICY 2019

INTRODUCTION

The protection of personal data is of high sensitivity for Ebebek Mağazacılık Anonim Şirketi ("Ebebek" or the "Company") and is among the priorities of our company. As a company, we not only consider the protection and processing of personal data, which is the basis of the right of privacy, in line with the legislation, but also reveal our view of people and human values on the basis of our approach. With this awareness, as a company, we take all administrative and technical measures for the protection and processing of personal data completely within the scope of the Law on the Protection of Personal Data Numbered 6698 (the "PPD Law"). This Protection and Processing of Personal Data Policy (the "Policy") has been prepared to explain the systems adopted for the personal data processing and protection activities that Ebebek conducts legitimately and in line with its purpose; to provide detailed explanations regarding which data are considered personal data, which personal data are retained by Ebebek, the administrative and technical measures taken for the protection of personal data, and the processing, storage, transmission to third parties and protection of personal data; to clarify and inform personal data holders; to inform our personnel working within this scope, our company shareholders, our company officials, our visitors, the personnel, officials and shareholders of the institutions we cooperate with, our customers, our potential customers, our members, visitors of our web site and mobile application and other third persons; and to ensure transparency and auditability.

1. EXPLANATION IN GENERAL

1.1 Scope and Purpose of the Policy

This Policy relates to personal data of all real persons of our customers, company shareholders, company officials, our visitors, personnel, shareholders and officials of the institutions we cooperate with, our customers, our potential customers, our members, visitors of our web site and mobile applications and other third parties, processed through automated ways or through non-automated ways, provided that these are part of any data recording system.

The following entities that process and retain personal data within the structure of Ebebek and all phases related to these entities are covered by this Policy:

• All printed or written documents, papers, files containing personal data
• All applications containing personal data
• All databases containing personal data

Within this context, it relates to personal data collected by the consent of our customers, company shareholders, company officials, our visitors, personnel, shareholders and officials of the institutions we cooperate with, our customers, our potential customers, our members, visitors of our web site and mobile applications and other third parties, processed through fully or partially automated ways or through non-automated ways, provided that these are part of any data recording system. Anonymized and unidentified data, such as data that does not contain personal data obtained for statistical evaluations or studies, and data on legal entities are not considered as personal data and are not subject to this Policy. This Policy also applies to real person customers of Ebebek and its affiliates which are under control of Ebebek and to other real persons who do not have a specific framework agreement with Ebebek and its affiliates which are under control of Ebebek. The term "Ebebek" as referred to in this Policy shall also include the entity and its affiliates which are under its control.

The scope of application of this Policy regarding groups of personal data owners stated in the categories mentioned above may be the entire Policy as well as only a number of its provisions.

While this Policy is intended for the real persons whose personal data is processed by Ebebek through automated ways or through non-automated ways, provided that these are part of any data recording system, the issues related to the protection of the personal data of Ebebek personnel are regulated separately under the "Protection and Processing of Personal Data Policy of Personnel of Ebebek Mağazacılık Anonim Şirketi".

1.2 Implementation of the Policy and Related Legislation

The relevant legal regulations, in particular the PPD Law, which are in force with regard to the processing and protection of personal data, shall be applied initially. In case of any inconsistency between the legislation in force and the Policy, Ebebek agrees to apply the legislation in force.

As Ebebek, we take the necessary administrative and technical measures to protect the personal data processed in accordance with the PPD Law.

In the processing of personal data, we adopt the principles of (i) processing personal data in accordance with the law and the principles of honesty, (ii) keeping personal data accurate and up-to-date when necessary, (iii) processing personal data for specific, explicit and legitimate purposes, (iv) processing personal data in a manner relevant to, restricted to and proportionate to the purposes for which they are processed, (v) retaining personal data for the required period stipulated by the relevant legislation or for the purpose for which they are processed, (vi) clarifying and informing the personal data owners, (vii) establishing the necessary technical and administrative infrastructure for personal data owners to exercise their rights, (viii) taking necessary technical and administrative measures in the storage of personal data, (ix) acting in accordance with the relevant legislation and regulations of the Personal Data Protection Board in transferring personal data to third parties pursuant to the requirements of the purpose of processing personal data, (x) displaying the necessary sensitivity to the processing and protection of private personal data. In this context, this Policy consists of the regulation of the rules laid down by the relevant legislation, by embodying the same, within the scope of Ebebek practices.

1.3 Entry into Force of the Policy

The Policy is published by Ebebek on its website and submitted to the public. Ebebek reserves the right to amend the Policy in line with the legal regulations. The current version of this Policy can be accessed on the Ebebek official website (www.ebebek.com).

2. PROCESSING OF PERSONAL DATA

Ebebek takes technical and administrative measures according to technological opportunities and implementation costs in order to ensure the processing of personal data in accordance with the law. Personnel are informed that they shall not disclose the personal data that they have acquired, or use the same for any purpose other than its processing purpose, in contradiction to the provisions of the PPD Law, and that this obligation shall also continue after their resignation from their duties; the necessary undertakings are obtained from them accordingly. Ebebek's personal data processing activities include, without any restriction, any action realized regarding the data by using automated, semi-automatic or non-automated ways. Ebebek has the right to process the data of a data owner during the period of the use of its services and also following the termination of the relation, by complying with the following principles. Ebebek may process personal data of the data owner or of third parties specified by the data owner, for various purposes, including, but not limited to, the following:

• Ebebek increases the awareness of data processing institutions such as business partners and suppliers to whom it transfers personal data in order to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure the storage of data in accordance with law.
• Obligations that Ebebek has to comply with while processing personal data as the data controller and the obligation to comply with legal, administrative and technical measures developed by itself in this regard are imposed on the data processing institutions which the entity has relations with in various titles such as suppliers, business partners, in line with the nature of the data processing activities.
• Ebebek takes the necessary technical and administrative measures according to technological opportunities and implementation costs in order to retain personal data in safe environments and to prevent it from being destroyed, lost or changed for illegal purposes.
• In accordance with Article 12 of the PPD Law, Ebebek makes the necessary audits within its structure or has the same made. Such audit results are reported and necessary activities are conducted to improve the measures taken.
• Ebebek, in the event that personal data processed in accordance with Article 12 of the PPD Law are obtained by others by illegal ways, operates a system that allows this situation to be notified to the concerned personal data owner and the PPD Board, as soon as possible.

The personal data processing activities conducted by Ebebek include, without any restriction, any kind of action realized regarding the data by using automated, semi-automatic or non-automated ways. In other words, the personal data processing activity means: for transfer, dissemination or other means of presentation, binning or combining, blocking, deleting or destruction purposes, acquisition, collection, recording, photographing, sound recording, video recording, organization, storing, modifying, re-arranging, retrieving or disclosing data from the data owner or third parties, obtaining, recording, storing, retaining, changing, rearranging, disclosing, transmitting, transferring abroad, taking over, making data available, classifying or preventing the use of data through fully or partially automated ways or through non-automated ways, provided that these are part of any data recording system.

3. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PROCESSING PURPOSES AND RETENTION PERIODS OF THE SAME

3.1 Categorization of Personal Data

Before Ebebek, personal data in the categorization given below is processed by informing the persons concerned as per Article 10 of the PPD Law, in line with the purposes of legitimate and lawful processing of personal data by Ebebek, on the basis and within the limits of one or more conditions of processing personal data stated under Article 5 of the PPD Law, by complying with the general principles indicated under the PPD Law, in particular with the principles stated under Article 4 regarding the processing of personal data, and all obligations set forth in the PPD Law, and limited to the subjects within the scope of this Policy (our candidate personnel, company shareholders, company officials, our visitors, personnel, shareholders and officials of the institutions we cooperate with, our customers, our potential customers, our members, our visitors to our web site and mobile application and other third parties):

i. Personal Data Owners


| Personal Data Owner Category | Explanation |
| --- | --- |
| Candidate Personnel | Real persons who have applied for a job to Ebebek in any way or have opened their resumes and relevant information for review of our company. |
| Company Shareholders | Real persons who are shareholders of Ebebek. |
| Company Officers | Ebebek board members and other authorized real persons. |
| Visitors | All real persons who have entered for various purposes to or visited for any purpose the physical premises owned by Ebebek. |
| Personnel, Shareholders and Officers of the Institutions that We Cooperate with | Real persons, including personnel of the institutions that Ebebek has any kind of business relation with (such as, but not limited to, business partners, suppliers), shareholders and officials of such institutions. |
| Customers | Real persons who purchase the products and services offered by our company from our stores regardless of whether they have any contractual relationship with Ebebek. |
| Potential Customers | Real persons who have requested or are interested in the use of our products and services or have been evaluated as they may have such interest in accordance with the rules of commercial custom and principles of honesty. |
| Members | A real person who becomes a member by registering upon filling in the member application form through the Stores or Ebebek Web Site or Mobile Application. |
| Web Site and Mobile Application Visitors | Real persons who visit Ebebek Web Site and/or Mobile Application. |
| Third Parties | Other real persons who are not covered by this Policy and the Protection and Processing of Personal Data Policy of Personnel of Ebebek (for instance: experts, doctors, trainers, models, leaser landlords, sureties, companions, family members and relatives of personnel, former personnel). |

ii. Personal Data Categorization and Data Owners Concerned


| PERSONAL DATA CATEGORIZATION | EXPLANATION ON PERSONAL DATA CATEGORIZATION | PERSONAL DATA OWNER CATEGORIZATION |
| --- | --- | --- |
| Identity Information | Documents such as driving license, identity card and passport which includes information on name-surname, T.C. identity number, nationality information, mother's-father's name, baby's name, baby's birth date, place of birth, date of birth, gender, information such as tax number, SSI number, signature information, vehicle license plate, etc. | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Our Members and Other Third Parties |
| Contact Information | Information such as telephone number, address, e-mail address, fax number, IP address | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Our Members and Other Third Parties |
| Customer and Member Information | Name-Surname, T.R. Identity Number, Nationality Information, Date of Birth, Gender, Child Information, Child's Date of Birth, Credit Card and/or Bank Debit Card Information, Passport Number, Phone Number, E-Mail Address, Notification Address | Our Customers, Our Members |
| Customer and Member Transaction Information | The information obtained within the scope of the records regarding the purchase of our products and services and the instructions required for the purchase of our customers and members within the data recording system and the personal data processed with regard to the use and to do marketing by customizing the purchasing habits pursuant to the tastes and needs of personal data owner who purchase and/or use our products and services and reports and evaluations generated as a result of this transaction | Our Customers, Our Members |
| Location Data | Information which determines the location of the real person whose identity is specific or is identifiable; that is processed partially or completely through automatic or non-automatic ways provided as part of the data recording system; within the framework of the operations carried out by the business units of the personal data holder, of the employees of the institutions with which we cooperate while using Ebebek vehicles; such as GPS location, travel data etc., delivery information for customers, delivery return information given by the cargo company | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |
| Information on Family Members and Relatives | Information on family members (such as: spouse, mother, father, child), relatives and other persons that can be reached in case of emergency of the real person whose identity is specific or is identifiable; that is processed partially or completely through automatic or non-automatic ways as part of the data recording system; within the framework of the operations carried out by Ebebek business units, for the purpose of protecting legal and other interests of Ebebek and personal data owner | Candidate Personnel and Other Third Parties |
| Financial Information | Personal data regarding the information, documents and records reflecting all kinds of financial information that are created according to the type of legal relation established by Ebebek with the personal data owner, and the data such as bank account number, IBAN number, credit card information, financial profile, assets data, income information. | Company Shareholders, Company Officials, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Members and Other Third Parties |
| Visual/Audio Information | All kinds of photographic and camera recordings (except records included in the Physical Space Security Information), audio recordings, and data contained in documents in the nature of copies of documents containing personal data | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Our Members and Other Third Parties |
| Personal Information | All kinds of personal data (CV, etc.) processed in order to obtain information that will be the basis for the formation of personal rights | Our Candidate Personnel, Company Shareholders, Company Officials, Personnel, Shareholders and Officials of Institutions that We Cooperate with, and Other Third Parties |
| Personal Data of Special Nature | All kinds of health data such as prescription information, doctor's report, analysis and radiology results, health report, blood type, genetic data, etc., and religion, membership association data, etc. | Our Candidate Personnel, Company Shareholders, Company Officials, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers and Other Third Parties |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of all kinds of request or complaints directed to Ebebek | Candidate Personnel, Our Customers, Our Potential Customers, Our Members and Other Third Parties |
| Process Security Information | Personal data processed in order to ensure the technical, administrative, legal and commercial security of both the data owner and Ebebek while Ebebek conducts its commercial activities | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |
| Physical Space Security Information | Personal data relating to records and documents taken during the entry into the physical premise belonging to Ebebek or the physical premise where Ebebek is a lessee (the Head Office and Stores of Ebebek, etc.), during the stay in such physical premise; camera records, fingerprint records, and other records and data obtained from the security point | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Our Members and Other Third Parties |
| Information Regarding Legal Transaction | The determination of the legal receivables and rights of Ebebek, following up and performing its debts, and data processed within the scope of its legal obligations, and data likely to be requested from Ebebek with regard to the protection of the rights and interests of customers, and data informed by judicial authorities, arbitral tribunals, etc. and its legal obligations | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |
| Risk Management Information | The personal data processed via methods used in accordance with the generally accepted principles of legal, commercial practice and honesty in these fields, in order to manage commercial, technical and administrative risks | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |
| Audit and Inspection Information | Personal data processed within the scope of Ebebek's legal obligations and compliance with Ebebek policies | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |
| Marketing Knowledge | Data that can be used in marketing activities | Customers, Potential Customers, Visitors of Web Site and Mobile Applications, Members and Other Third Parties |
| Reputation Management Information | Personal data associated with the person and collected to protect Ebebek's business reputation | Our Candidate Personnel, Company Shareholders, Company Officials, Our Visitors, Personnel, Shareholders and Officials of Institutions that We Cooperate with, Our Customers, Our Potential Customers, Visitors of Web Site and Mobile Application, Our Members and Other Third Parties |

3.2 Principles of Processing of Personal Data

Pursuant to Article 5 of the PPD Law, personal data can only be processed in accordance with the procedures and principles stipulated in the PPD Law and other relevant legislation. As Ebebek, personal data are processed in accordance with the procedures and principles specified in the PPD Law and other relevant legislation; within the scope of the PPD Law, it is explicitly stated that the following principles shall be complied with in the processing of personal data.

i. Processing of Personal Data in Accordance with Law and Principles of Honesty

Ebebek conducts the activity of personal data processing by complying with legal regulations, in particular with the Constitutional Law of the Republic of Turkey and the PPD Law and other legislation, and with the principles of honesty where the trust relation is the basis.

ii. Ensuring the Accuracy and Up-to-Dateness of the Processed Personal Data

Ebebek, while processing personal data, has established systems and procedures to ensure the accuracy and up-to-dateness of the personal data that it processes. In this context, Ebebek takes the necessary measures to ensure that personal data owners can correct their personal data and verify the same.

iii. Processing of Personal Data for Specific, Clear and Legitimate Purposes

Within the scope of the obligation to clarify stated in Article 10 of the PPD Law, Ebebek sets out the purpose of personal data processing explicitly and precisely before commencing the activity of processing personal data, and operates within explicit and lawful purposes.

iv. Processing of Personal Data being Relevant with, Restricted to and Proportionate to the Purposes

Ebebek processes personal data in connection with the purpose of performing the service that it determines and provides before commencing the processing activity and to the extent necessary. Ebebek does not carry out personal data processing activities that are not related to the realization of the purpose or on the assumption that it is needed in the future. The processing of personal data is restricted to Ebebek's activities and legal obligations.

v. Retention of Personal Data for the Required Period Stipulated by the Relevant Legislation or for the Purpose for which They are Processed

Ebebek retains personal data for the required period stipulated by the PPD Law and the relevant legislation or for the purpose for which they are processed. Accordingly, Ebebek retains personal data for a restricted period of time if it is stipulated in the related legislation and, if it is not stipulated, for the period required for the purpose for which it is processed. Ebebek does not retain personal data with the possibility of future use. Ebebek deletes, destroys or anonymizes personal data if the period of time expires or the reasons for processing disappear.

3.3 Conditions of Processing Personal Data

Ebebek processes personal data with your express consent, restricted to the purposes and terms within the personal data processing conditions set out in paragraph 2 of article 5, and in paragraph 3 of article 6 of the PPD Law. Your personal data may be processed without your explicit consent under the following conditions.

• In the event that the processing of your personal data is explicitly stipulated in the Laws for Ebebek's relevant activities,
• In the event that the processing of your personal data by Ebebek is directly related to and required for the establishment or execution of an agreement,
• In the event that the processing of your personal data is mandatory for Ebebek to be able to perform its legal obligations,
• Provided that your personal data is made public by you; the data concerned is processed by Ebebek within the limits of your publicizing purpose,
• In the event that the processing of your personal data by Ebebek is compulsory for the establishment, use or protection of the rights of Ebebek or your rights or the rights of third parties,
• In the event that the personal data processing activity is compulsory for the legitimate interests of Ebebek, without violating your fundamental rights and freedoms,
• In the event that personal data processing activity by Ebebek is compulsory for the protection of life or the physical integrity of the personal data owner or someone else, and in such case the personal data owner fails to disclose her/his consent due to factual and legal invalidity,
• In the event that it is set forth by laws in terms of sensitive personal data other than the health and sexual life of the personal data owner.
• In terms of sensitive personal data regarding the health and sexual life of the personal data owner, these are processed by persons or authorized public institutions and organizations that have a confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

3.4 Purposes of Processing Personal Data

Ebebek processes your personal data for the following purposes:
1) Conducting the required activities in order to carry out the internal operations of the Company, business activities and to ensure the security of the Company's operations, to realize efficiency, effectiveness and appropriateness analyses of the business activities,
2) Management and Execution of Strategic Planning Activities and Relations with Business Partners or Suppliers,
3) Execution of production and/or operation processes,
4) Planning and execution of logistics activities,
5) Ensuring business continuity and planning and executing corporate governance and sustainability activities,
6) Planning and executing corporate communication activities,
7) Event Management,
8) Conducting personnel recruitment (hiring) processes of Ebebek,
9) Executing and following financial reporting and risk management transactions of Ebebek,
10) Planning, evaluating and following purchasing activities,
11) Executing and following legal affairs of Ebebek,
12) Making Ebebek Website and Mobile Application easier to use,
13) Carrying out activities that have legal, technical and administrative results and providing information to the competent authorities due to the legislation provisions, carrying out activities related to legal requests and execution of legal affairs,
14) Keeping the data accurate and up-to-date,
15) Collecting, evaluating and fulfilling the data owner's complaints, questions, requests and suggestions,
16) Planning and execution of customer relationship management processes,
17) Planning and/or execution of customer satisfaction activities,
18) Fulfilling the requirements of the agreements established with customers and members,
19) Planning and execution of sale processes of products and/or services,
20) Following contractual processes and/or legal requests,
21) Getting to know our members and improving our communication,
22) Conducting traffic measurement, statistical and analytical analyses, profiling/segmentation studies for sales and marketing activities,
23) Providing opportunities regarding products and services special for you through targeting and re-targeting,
24) Providing a better and more reliable service to the customer, developing more appropriate services and products, and maintaining them continuously,
25) Presenting products and services offered by Ebebek by customizing these according to customers' tastes, usage habits and needs,
26) Compliance with legislation,
27) Request and complaint management,
28) Establishment of possible claims of rights and receivables of the persons concerned,
29) Providing information to the competent authorities due to the legislation,
30) Generating and tracking visitors' records,
31) Ensuring the security of company premises, storage and/or facilities,
32) Conducting activities related to information security processes and information technology infrastructure,
33) Planning and execution of emergency management processes, conducting occupational health and/or safety processes,
34) Carrying out activities related to Group companies, ensuring that employees have access to information,
35) Preparation and submission of various reports, researches and/or presentations,
36) Managing social media accounts and Website and Mobile Application,
37) Performing Parental Loyalty Center services,
38) Ensuring the fulfilment of obligations under the Consumer Protection Law, the Law on the Regulation of Retail Trade and other legal regulations by Our Company and the branch offices in the name of our Company, our call centers, by our affiliated companies or through our web sites and our social media pages, and/or including but not limited to these, all kinds of channels,
39) Conducting marketing and sales activities, conducting the processes of establishing and/or increasing loyalty to the products and/or services offered by the Company, conducting market research activities for sales and marketing of products and services,
40) To serve you better, to provide various advantages and to provide information about sales, marketing, information, promotions, to provide information on campaigns and their conditions, to conduct surveys, customer satisfaction research, to ensure and accelerate your purchase transactions, to take your orders and to deliver these.

3.5 Collection Method of Your Personal Data

Personal data of persons whose personal data is processed under this Policy are collected within the scope of the objectives determined in advance and described in this Policy, by all kinds of channels including but not limited to our Company/ our branch offices/ our website/ our mobile applications/ our call center/ our partner or supplier companies, contracted organizations, market research companies, companies and software for measuring traffic or customer satisfaction, through methods of written form or electronic form of e-mail, short message (sms), Web Site and Mobile Application and other mobile applications, online or physical application form, offers, contact form, etc., forms, call center, operator and answering machine services, complaint management systems, social media channels, voice recording, video and camera recording.

1. Data You Have Provided Directly To Us: This personal data includes all personal data directly provided to Ebebek by all of our candidate personnel, company shareholders, company officials, visitors, personnel, shareholders and officials of the institutions that we cooperate with, our customers, our potential customers, our members, our Website and Mobile Application visitors and all third parties. For instance, name-surname, contact information, identity information, responses given to surveys, demographic data and content information fall into this type of data.
2. Data That We Acquire When You Use Our Website and Mobile Application: It covers personal data regarding the usage habits of our members, our Website and Mobile Application visitors and other third parties, acquired through certain software or technological devices. For instance, location data and favorites as well as fields of interest and usage data fall into this type of data. You can control this type of data by changing the settings on your mobile device.
3. For the purposes of online behavioral advertising and marketing, Ebebek is entitled to associate users’ behavior on the website, even if they are not members, via a cookie located in the browser and configure re-marketing listings based on metrics such as number of pages viewed, duration of visit and target completion numbers. Furthermore, users may be displayed target-specific advertising content based on their fields of interest on the website or other sites in the Visual Advertisement Network.
4. When Google AFS advertisements are forwarded to Ebebek, Google may install cookies on the browsers of users or review the available cookies located on these or use web beacons with the intent of collecting information.

If the processing carried out for the mentioned purposes does not fulfil any of the conditions stipulated in the PPD Law, your express consent to the relevant processing is obtained by Ebebek in accordance with the procedure and the law. In the event that any of the above conditions exists, your data may be processed in accordance with other principles without your express consent.

In addition, the personal data collected by Ebebek in the recruitment process of Candidate Personnel, which is the category of data owner from which Ebebek collects the most personal data, and special personal data collected according to the nature of the business, are processed within the scope of the following purposes:

• To evaluate the suitability of the Candidate Personnel's qualifications, experience and interest for the vacant position,
• To conduct research on the Candidate Personnel by contacting third parties,
• To communicate with the Candidate Personnel about the application and recruitment process,
• To communicate with the Candidate Personnel if a position is vacated afterwards,
• To fulfil the requirements of the relevant legislation and/or the requests of authorized institutions and organizations.

Within this scope, the Candidate Personnel's personal data are collected within the scope of a predetermined purpose (i) through the written application form or the digital application form published electronically, (ii) through resumes sent to Ebebek via e-mail, cargo, reference etc., (iii) through recruitment and/or consulting companies, online recruitment platforms and the Ebebek career site (e-bebek.com/kurumsal/kariyer/), (iv) during face-to-face interviews, (v) through recruitment tests which determine talent and personality traits and whose results are examined by experienced experts, (vi) in the recruitment process, (vii) after recruitment.

Candidate Personnel may, if they wish, submit their requests regarding their rights arising from being Data Owners and arising from the Law by the application method described in this Policy.

3.6 Retention Periods for Personal Data

Ebebek processes Personal Data in accordance with the relevant legislation and the requirements of the principles of honesty and uses the same within these restrictions. In this context, Ebebek takes into consideration the proportionality requirements in processing of personal data, and does not use personal data other than for its intended purpose.

Our Company ensures that the Personal Data, which it processes by taking into account the fundamental rights and legitimate interests of the Personal Data Owners, are accurate and up to date. In this context, it considers issues such as whether the sources from which data are obtained are specific, verifying their accuracy, and evaluating whether these are required to be updated.

Ebebek explicitly and precisely determines the purpose of data processing and ensures that this purpose is legitimate. The legitimacy of the purpose means that the Personal Data processed by Ebebek is relevant to and required by the work it has conducted or the service it provides. The purpose of processing personal data is set forth by Ebebek before the commencement of the activity of the personal data processing.

Ebebek ensures that the Personal Data processed is appropriate to the achievement of the specified purposes and avoids the processing of Personal Data that is not relevant to achieve the purpose and not required. In order to process data to fulfil the potential requirements that may arise later on, it fulfils the processing conditions of the Personal Data set out in the Law, as if it commences to process it for the first time. Additionally, it restricts the processed data to only what is necessary to achieve the purpose. For instance, the activity of processing personal data to fulfil the potential requirements that may arise later on is not conducted.

If there is a period regarding the retention of data foreseen in the relevant legislation, Ebebek complies with these periods; otherwise, it will retain Personal Data only for the period required for the purpose for which it was processed. This period is determined by Ebebek. If there is no valid reason for further retaining of Personal Data by our Company, such data is deleted, destroyed or made anonymous.

Certain personal data is given special attention by the PPD Law, due to the risk of causing unjust treatment or discrimination to persons when the same are processed unlawfully. As stated in the definition section, information regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, memberships to associations and foundations, health, sexual life, criminal convictions and security measures and the biometric and genetic data of persons are Personal Data of Special Nature. We would like to restate that access to our company's mobile application is available with a fingerprint and the data regarding this fingerprint is not stored by us. Other data of special nature can be processed with your explicit consent like your other data.

Our Company takes into consideration that the Sensitive Personal Data are data of a nature that may cause the person to be unjustly treated or discriminated against if they are acquired by others, therefore all necessary measures are taken with the utmost care to protect such type of personal data processed in accordance with the law.

If the purpose of processing the personal data expires, and the retention periods determined by the relevant legislation and Ebebek also come to an end, the personal data can only be retained for the purposes of constituting evidence in potential legal disputes, asserting the related right associated with the personal data, or preparing a statement of defense. While determining the retention periods stated herein, the statute of limitations with regard to asserting the mentioned right and the sample claims previously directed to Ebebek on the same matters even though the statute of limitations had expired are taken into account. In such a case, the retained personal data are not accessible for any other purpose, and are accessible only where their use is required in the relevant legal dispute. Once the mentioned period has also expired, personal data is deleted, destroyed or made anonymous.

4. TRANSFER OF PERSONAL DATA AND PERSONAL DATA OF SPECIAL NATURE

4.1 Transfer of Personal Data

Ebebek is able to transfer the personal data and the sensitive personal data of the data owner to third parties by taking the necessary security measures in accordance with the purposes of processing the personal data which is obtained and processed pursuant to the law. In this respect, Ebebek acts in accordance with the provisions of Article 8 of the PPD Law.

Ebebek may transfer personal data to third parties, in line with its purposes of legitimate and lawful processing of personal data and in some circumstances in order to increase data protection, based on and within the limits of one or more of the conditions of processing personal data set forth under Article 5 of the PPD Law which are stated below:

• In case the personal data owner expresses her/his explicit consent,
• In case there is an explicit regulation regarding the transfer of personal data by laws,
• In case it is mandatory for the protection of life or physical integrity of the personal data owner or of any other person or in case personal data owner is incapable of giving her/his consent due to the factual impossibility or whose consent is not deemed legally valid,
• In case the processing of personal data belonging to the parties of an agreement is necessary, provided that it shall be directly related to the conclusion or fulfilment of such agreement,
• In case the personal data transfer is mandatory for Ebebek to fulfil its legal obligation, in case the personal data is made available to the public by the personal data owner,
• In case the personal data transfer is mandatory for the establishment, exercise or protection of any right,
• In case the personal data transfer is mandatory for the legitimate interests of Ebebek, provided that it shall not violate the fundamental rights and freedoms of the personal data owner.

Furthermore, apart from the statutory obligations, Ebebek may transfer the personal data to third parties in the following circumstances by obtaining the express consent of the personal data owner:

• Performance of Membership Agreement and Services,
• Development of user experience (including improvement and customization),
• Ensuring the safety of users, detecting fraud,
• Development of services,
• Execution of operational evaluation research,
• Conducting traffic measurement, statistical and analytical analyzes, profiling/segmentation studies for sales and marketing activities,
• Providing opportunities regarding products and services special for you through targeting and re-targeting,
• Elimination of errors,
• Authentication of user identities,
• Carrying out the necessary activities by the business units in order to get benefit from the products and services offered by Ebebek, presenting products and services offered by Ebebek by customizing these according to customers' tastes, usage habits and needs,
• Ensuring the legal and commercial security of persons in business relations with Ebebek (Administrative operations for communication carried out by Ebebek, ensuring physical safety and audit of Ebebek's locations, evaluation processes of representatives or employees with business partner/customer/supplier, reputation research processes, legal compliance process, audit, financial affairs, etc.),
• Determination and implementation of Ebebek's commercial and business strategies and determination of the execution of the human resources policies of the organization,
• In order to achieve any of the purposes of this Privacy Policy: (i) ministries, judicial authorities and similar competent public institutions and organizations, (ii) outsourcing service providers, (iii) cargo companies, (iv) law offices, (v) research companies, (vi) call centers, (vii) software companies with regard to the complaints management and ensuring security, (viii) agencies, (ix) consulting companies, (x) companies in the printing sector, and (xi) social media channels (Facebook, Instagram, Twitter, etc.),
• the User's Name and Contact Information, to the payment institutions for the purpose of the verification of the identity pursuant to the framework agreement on the payment institution to be approved during the payment phase and the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism which was published in the Official Gazette dated 9th of January 2008 and numbered 26751.

4.2 Transfer of Sensitive Personal Data

Ebebek may transfer sensitive personal data of the personal data owner to third parties in the following circumstances, in line with its purposes of legitimate and lawful processing personal data; by paying required attention, taking required security measures and adequate measures published by the PPD Board.

• In case personal data owner expresses her/his explicit consent, or
• In case personal data owner does not express her/his explicit consent;
  - In the circumstances foreseen by the laws, the sensitive personal data of the personal data owner other than the ones related to her/his health and sexual life (data related to information regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, memberships to associations and foundations or trade-unions, criminal convictions and security measures and the bio-metric and genetic data),
  - The sensitive personal data of personal data owner relating to health and sexual life are only by any persons or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing

Ebebek may transfer the Personal Data and the Sensitive Personal Data of the Personal Data Owners to third parties abroad by taking necessary security measures, in order to ensure data security in line with its purpose of processing Personal Data and with its other legitimate purposes. Ebebek may transfer Personal Data to foreign countries which the PPD Board has declared to provide sufficient protection or, in case sufficient protection is not provided, to foreign countries for which a written undertaking with regard to sufficient protection is given by the controllers in Turkey and in the relevant foreign country and for which an authorization has been granted by the PPD Board. In this respect, Ebebek acts in accordance with the provisions set forth under Article 9 of the PPD Law. Ebebek may transfer personal data, in line with its purposes of legitimate and lawful processing of personal data, to the Foreign Countries in which Sufficient Protection is Provided or the Controller Undertakes Sufficient Protection, upon the explicit consent given by the personal data owner or, where the explicit consent of the personal data owner is not given, upon the existence of one of the following circumstances:



| PERSONS THAT CAN MAKE DATA TRANSFER | DEFINITION | PURPOSE OF TRANSFER |
| --- | --- | --- |
| Business Partner | It defines the parties with which Ebebek establishes business partnerships for the purpose of conducting various projects individually or jointly with the Group Companies and receiving services in carrying out its commercial activities. | Restricted with the purpose of ensuring the fulfilment of the objectives of establishing the partnership (for instance: cargo companies, agencies, companies providing services on server support and cloud computing, companies providing services on IT support, companies providing services on traffic / customer satisfaction measurement, companies providing services on profiling and segmentation support, companies provides services on sms in the field of sales and marketing, companies providing support on the required subjects of processing personal data in particular mailing and archiving, solution partners and companies providing services in the fields of infrastructure providers, logistics services, call center and consultant, etc.) |
| Supplier | It defines parties providing services to Ebebek on a contract basis in accordance with Ebebek's orders and instructions while carrying out Ebebek's commercial activities. | Restricted with the purpose of ensuring services, which are outsourced by Ebebek from the supplier and required to perform the commercial activities of Ebebek, are provided to Ebebek. |
| Shareholders | Members of the board of directors and other authorized real persons of Ebebek | Restricted with the purposes of conducted activities of Ebebek within the scope of corporate law, event management and corporate communication processes, pursuant to the provisions of the relevant legislation |
| Company Officers | Competent public institutions and organizations authorized to receive information and documents from Ebebek according to the relevant legislation | Restricted with the purposes of ensuring the development of strategies for the commercial activities of Ebebek, management and audit of the same in the highest level, pursuant to the provisions of the relevant legislation |
| Legally Authorized Public Institutions and Organizations | Private law persons authorized to receive information and documents from Ebebek according to the relevant legislation | Restricted with the purpose required within the legal authority of the related public institutions and organizations |
| Legally Authorized Private Law Persons | Private law persons authorized to receive information and documents from Ebebek according to the relevant legislation | Restricted with the purpose required within the legal authority of the relevant private law persons (for instance: Law offices, audit firms, payment institutions for the purpose of the verification of identity pursuant to the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism) |
  
  

6. RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA

6.1 Obligation to Clarify Personal Data Owners by Ebebek

Ebebek clarifies personal data owners during the obtaining of personal data in accordance with Article 10 of the PPD Law. Within this context, Ebebek clarifies information on the identity of its representative, if any, for what purpose personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason of collection of personal data and legal rights of the personal data owner. Article 20 of the Constitution sets forth that everyone has the right to be informed about personal data concerning her/him. Accordingly, Article 11 of the PPD Law mentions the right to "request information" as one of the rights of the personal data owners. In this context, Ebebek provides the necessary information in the event that the Personal Data Owner requests information in accordance with Article 20 of the Constitution and Article 11 of the PPD Law.

6.2 Rights of Personal Data Owner and Application Method

Ebebek manages required channels, internal working procedures, administrative and technical regulations in accordance with Article 13 of the PPD Law to evaluate the rights of personal data owners and to provide them with necessary information. In case the personal data owners submit their requests in writing to Ebebek with regard to their rights listed below, their requests are finalized, depending on the nature of the request, within thirty days at the latest and free of charge. However, in case the PPD Board requests a fee, Ebebek shall charge the fee stated in the tariff to be determined by the PPD Board. Information on such mentioned fee shall also be provided to those concerned, urgently. Personal data owners have the rights to;

• Learn as to whether her/his personal data has been processed,
• Request information if her/his personal data has been processed,
• Learn the purpose of processing her/his personal data and as to whether these are used for intended purposes,
• Request information on third persons to whom her/his personal data are transferred at home or abroad,
• Request correction of the personal data processed incompletely or inaccurately and request the provision of the information on the transaction performed under this scope to the third parties to whom the personal data are transferred,
• Where the reasons for processing personal data have disappeared, although these were processed in accordance with the provisions of PPD Law and other related laws, request the deletion or destruction of her/his personal data and request the provision of the information on the transaction performed under this context to third parties to whom such personal data are transferred,
• Object to consequences to her/his detriment, arising from the analysis of the processed data exclusively via automatic systems,
• Where the data owner has suffered damage due to the unlawful processing of her/his personal data, request compensation for her/his damage.

Personal Data Owners may submit their requests regarding their rights listed in Article 11 of the PPD Law to Ebebek, free of charge, by filling in and signing the Application Form together with the information and documents that will verify their identities and by the methods stated below or by other methods determined by the Protection of Personal Data Board:

1) Once the application form given under the address of https://www.e-bebek.com/en/kurumsal/kisisel-veri-basvuru-formu/ is filled in, a copy of the originally signed version of the same shall be submitted to the address located at İçerenköy Mahallesi Değirmen Yolu Caddesi No:37 D:6 PK: 34752 Ataşehir / Istanbul in person or via notary,
2) Once the application form given under the address of https://www.e-bebek.com/en/kurumsal/kisisel-veri-basvuru-formu/ is filled in, it shall be signed via your "secure electronic signature" within the scope of the Electronic Signature Law Numbered 5070, and the form signed with secure electronic signature shall be sent to the address of ebebek@hs03.kep.tr via registered electronic email.

In order for third parties to request an application in the name of personal data owners, a special power of attorney, issued by a notary public in the name of the person applying for the data owner and granted by the same, must be submitted.

6.3 Exceptions to the Rights of the Personal Data Owner

Pursuant to Article 28 of the PPD Law; since the following circumstances are kept outside the scope of the PPD Law, the personal data owners are not entitled to request their rights, stated under Article 6.2 of this Policy, with regard to these matters. The circumstances are as follows,

• Processing the personal data for the purposes of research, planning and statistics by making the same anonymous with official statistics,
• Processing the personal data for the purposes of artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or these are processed so as not to constitute a crime,
• Processing the personal data within the scope of preventive, protective and intelligence activities executed by public institutions and organizations authorized and assigned by law to ensure national defense, national security, public security, public order or economic security,
• Processing of the personal data by judicial or execution authorities in relation to investigation, prosecution, adjudication or execution procedures.

Personal data owners, pursuant to Article 28/2 of the PPD Law, are not entitled to claim their other rights listed under Article 6.2. of this Policy, except the right to request the compensation of their damages, in the following circumstances:

• Processing personal data being required for the prevention of committing a crime or for the criminal investigation,
• Processing of personal data which is made available to public by the personal data owner her/himself,
• Processing personal data being required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorized, in accordance with the power granted to these by the law,
• Processing personal data being required for the protection of the economic and financial interests of the State in relation to budget, taxes and financial matters.


6.4 Principles and Procedures for Responding to Data Owner's Applications

An application can only be made to Ebebek where Ebebek is deemed to be the controller under the PPD Law. This is the circumstance where collecting directly personal data from the person concerned by Ebebek is considered to be the data transfer from the controller to the controller within the scope of the PPD Law.

6.4.1 Procedure and Duration of Ebebek Responding to Applications

When the personal data owner conveys her/his request to Ebebek by complying with the procedure stated under Article 6.2. of this Policy, Ebebek shall finalize the related request free of charge within thirty days at the latest according to the nature of the request. However, in case the PPD Board requests a fee, Ebebek shall charge the applicant the fee stated in the tariff to be determined by the PPD Board.

6.4.2 Information that Ebebek May Request from the Applicant Personal Data Owner

Ebebek may request information from the concerned person to determine as to whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, Ebebek may pose questions to the personal data owner with regard to her/his application.

6.4.3 Ebebek's Right to Refuse the Application of the Personal Data Owner

Ebebek may refuse the application of the applicant, in the circumstances stated under Article 28 of the PPD Law and in the following circumstances, by explaining the justification:

• In case the application of the personal data owner is likely to prevent other people's rights and freedoms.
• In case requests require disproportionate effort.
• In case the requested information is made available to public.

6.4.4 Personal Data Owner's Right to File a Complaint with the PPD Board

In case the application is refused, the response is found unsatisfactory or the response is not given in due time, the personal data owner, pursuant to Article 14 of the PPD Law, may file a complaint with the PPD Board within thirty days from the date s/he learns about the response of Ebebek and, in any case, within sixty days from the application date.

7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR SECURE RETENTION OF PERSONAL DATA, PREVENTING ILLEGAL PROCESSING OF PERSONAL DATA AND PREVENTING UNLAWFUL ACCESSING TO PERSONAL DATA

Ebebek takes technical and administrative measures in full in accordance with Article 12 of the PPD Law in order to process the data in accordance with the law, to retain the data processed and to protect the data against unlawful access.

7.1 Privacy in the Processing of Personal Data

Personal data processed by Ebebek in accordance with the law is subject to data security. Ebebek takes all necessary technical and organizational measures to ensure the confidentiality and security of your personal data collected through our Web Site and Mobile Application and personal data of special nature.
Accessing, processing or using this data for private or commercial purposes, sharing this data with unauthorized persons, or otherwise making it accessible by any personnel of Ebebek are forbidden. Ebebek's personnel can access personal data only in accordance with and within the scope of the type and scope of their tasks. For this purpose, roles and responsibilities are detailed and separated. Processing of this data by any personnel not authorized under Ebebek's legitimate duties is deemed to be an unauthorized transaction.
Managers shall inform their personnel of the obligation to protect data confidentiality during the initial phase of the employment relationship. This obligation shall also continue after the end of employment.

7.2 Security in the Processing of Personal Data

Personal data is protected by Ebebek against unauthorized access, unlawful processing or disclosure and accidental loss, alteration or destruction of data. Your personal data is retained in a secure working environment that is not publicly accessible and can only be accessed by authorized Ebebek personnel, agents and contractors.

7.3 Technical Measures Taken by Ebebek on the Privacy and Security of Personal Data

The technical measures taken within the scope of personal data processing activities carried out within Ebebek structure are as follows:
• High-level technical systems are used and these systems are periodically audited.
• The technical measures taken are periodically reported to the person concerned as a result of the internal audit mechanism and the necessary technological solutions are produced by re-evaluating the issues which entail risk.
• Training is given to related persons/departments on technical issues.
• Software and hardware including virus protection systems and firewalls are used. (For instance: Secure Sockets Layer (SSL) encryption is used in all web pages that collect personal data by online services such as Web Site and Mobile Application. In order to use these services, an SSL-supported browser such as Safari, Firefox, Chrome or Internet Explorer is required. In this way, the privacy of your personal data transmitted over the internet can be protected.)
• It complies with the PCI DSS (Payment Card Industry Data Security Standard) regulations established to ensure data security in card payment systems and ensures data transmission and operation in card payment systems securely. The credit card number is encrypted by Ebebek's online credit card application and transmitted to the bank and is never shared with third parties. Credit card information is not retained by Ebebek.
• In order to ensure the safe retention of personal data, backup programs are used in a lawful manner.
• Systems responsive to technological developments are being used in order to retain personal data in a secure environment.
• The relevant unit is continuously informed on technical issues.
• Technical security systems are established for storage areas, the technical measures taken are periodically reported to those concerned pursuant to the internal audit mechanism, and the required technological solutions are produced by re-evaluating the issues which entail risk.
• Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.
• Technical measures are taken in accordance with the developments in technology, software is used and the measures are periodically updated and renewed within the scope of both natural and legal requirements.
• Technical solutions of access and authorization are put into operation in accordance with the legal compliance requirements determined on the basis of business units.
• Access authorizations are limited and the authorizations are reviewed regularly.
• In order to determine the security vulnerabilities in applications where personal data is collected, these are regularly screened. The determined security vulnerabilities are ensured to be closed.

7.4 Administrative Measures Taken by Ebebek on the Privacy and Security of Personal Data

The administrative measures taken within the scope of personal data processing activities carried out within Ebebek structure are as follows:

• Personnel are informed and trained on the protection of personal data law and the processing of personal data in accordance with the law, the technical measures to be taken to ensure the safe retention of personal data and to prevent unlawful access. In this way, it is also aimed to ensure that knowledge of these obligations is kept up to date.
• All activities carried out by Ebebek are analyzed in detail in all business units, and as a result of this analysis, personal data processing activities are revealed in the commercial activities realized by the related business units.
• All personal data processing activities carried out by the business units of Ebebek; the requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions required by the PPD Law are determined in each business unit and in the detail activity that it carries out.
• In order to ensure the legal compliance requirements determined on the basis of business units, awareness is created and implementation rules are determined for the relevant business units; necessary administrative measures to ensure the audit of these issues and to ensure the continuity of implementation are accomplished through internal policies and training.
• In the agreements and documents governing the legal relationship between Ebebek and its personnel, rules are laid down that impose the obligation in order not to process, disclose and use personal data, except for Ebebek's instructions and exceptions brought by law, and awareness of personnel is created and audits are carried out.
• Within the scope of commercial activities, commitments for the protection of personal data are taken regarding 3rd persons.
• In agreements which are concluded with persons to whom personal data are legally transferred by Ebebek and with third persons from whom technical services are obtained regarding the retention of personal data; provisions are laid down requiring them to take the required measures in order to prevent the unlawful processing of personal data, to prevent unlawful access to data, and to ensure the protection of data in accordance with law, and to ensure compliance with these measures in their own institutions.
• Access and authorization stages of personal data for processing of personal data on the basis of business units are designed and implemented in accordance with legal compliance requirements, internally.
• Personnel are informed that they shall not disclose the personal data that they have acquired or use the same for any purpose other than its processing purpose, in contradiction to the provisions of the PPD Law, and that this obligation shall also continue after their resignations from their duties, and the necessary undertakings are taken from them accordingly.
• In agreements which are concluded with persons to whom personal data are legally transferred by Ebebek; provisions are laid down requiring the persons to whom the personal data are transferred to take the required measures in order to protect the personal data, and to ensure compliance with these measures in their own institutions.
• In accordance with Article 12 of the PPD Law, Ebebek makes the necessary audits within its structure or has the same made. The results of these audits are reported to the related department concerned with the subject within the internal operation of Ebebek, and necessary activities are carried out to improve the measures taken.
• Ebebek provides the necessary training to its business units, its business partners and suppliers in order to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data and to protect data. In this respect, Ebebek evaluates the attendance to related training, seminars and information sessions and conducts the necessary audits or has the same made. Ebebek updates and renews its training in line with the current relevant legislation.
• The provisions of the legal legislation are complied with also with regard to the data obtained within the scope of the potential contractual relationship, and the persons concerned are fully informed about their rights.

7.5 Measures to be Taken In the Event of Unlawful Disclosure of Personal Data

Ebebek, in the event that personal data processed in accordance with Article 12 of the Law on PPD are obtained by others by illegal ways, operates a system that allows this situation to be notified to the concerned personal data owner and the PPD Board, as soon as possible. In the event of unlawful disclosure of personal data, Ebebek shall notify the PPD Board within 72 hours at the latest and shall immediately establish actions in line with current developments. If deemed necessary by the PPD Board, this situation may be announced on the website of the PPD Board or by other means.

7.6 Conducting Audit Activities

In accordance with Article 12 of the PPD Law, Ebebek makes the necessary audits within its own and its business partners' structure, or has the same made, within the agreements conducted with 3rd party companies. The results of these audits are reported to the related department concerned with the subject within the internal operation of the company, and necessary activities are carried out to improve all measures taken.

8. DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA

All transactions realized with regard to the deletion, destruction and anonymization of personal data are recorded and such records are retained at least for [*] years, apart from the other legal obligations.

Ebebek destructs your personal data for the following reasons:

• Expiration of the period specified by the laws on the retention of personal data,
• The expiry of the destruction period specified in the Deletion and Destruction Policy by Ebebek,
• Expiration of periodic destruction period determined by Ebebek in the Deletion and Destruction Policy,
• Amendment or abolition of the provisions of the relevant legislation which constitute the basis for processing personal data,
• Since the relevant agreement has not been conducted at all, the agreement is not valid, the automatic termination of the agreement, the termination of the agreement or to withdraw from the agreement,
• Disappearance of the purpose of processing personal data,
• The processing of personal data is against the law or the principles of honesty,
• In case the processing of personal data occurs only with the express consent of the person concerned, the person concerned revokes his consent,
• The acceptance by Ebebek of the application made by the person concerned regarding the processing of personal data within the framework of his rights,
• In case Ebebek rejects the application it received with the request of deletion or destruction of personal data by the person concerned, if the response is found to be unsatisfactory or is not given within the period prescribed by law; filing a complaint with the PPD Board and the request is approved by the Board,
• Although the maximum period for which retaining personal data has elapsed, there is no condition to justify the retaining of the personal data for a longer period of time,
• Disappearance of the conditions under articles 5 and 6 of the PPD Law that require the processing of personal data.

8.1 Personal Data Deletion, Destruction Techniques

Although Ebebek has processed personal data in accordance with the provisions of the relevant law, in case the reasons for the processing disappear, it may delete or destruct the personal data on the basis of its own decision or at the request of the personal data owner. Deletion or destruction of personal data is the process of making personal data inaccessible to and non-reusable by the users concerned, in any manner. Within this scope, Ebebek deletes or destructs personal data by using the following techniques:

• Ebebek takes all necessary technical and administrative measures to ensure that deleted personal data cannot be accessed and reused by the relevant users,
• If the process of the deletion of personal data will result in also inaccessibility of other data in the system and inability to use this data, Ebebek applies the following rules;
- Archiving of personal data by making it unrelated to the person concerned,
- Making the same not accessible to any other institution, organization and/or person,
- Taking all necessary technical and administrative measures to ensure that personal data can only be accessed by authorized persons,
- Deletion of the personal data of the person concerned from the Ebebek systems in case the request for deletion is transmitted directly by real persons.
Deletion of personal data that is part of any data recording system and is processed by non-automated means is performed by;
- Obfuscation of unnecessary personal data,
- Masking of unnecessary personal data in paper form which are transmitted electronically through scanning or without digitization.
The above-mentioned deletion conditions are the most commonly used deletion techniques; the deletion or destruction techniques most commonly used by Ebebek are as follows:

8.1.1 Physical Destruction: Personal data can also be processed in non-automated ways, provided that it is part of any data recording system. When deleting/destructing such data, the system of physical destruction of personal data is applied in a manner that it could not be used subsequently.
8.1.2 Secure Deletion Software: When deleting/destructing data processed in fully or partially automated ways and stored in digital media; the methods for deleting data from the related software in a manner that it cannot be recovered.
8.1.3 Sending to a Specialist for Secure Deletion: In some cases, Ebebek may agree with an expert to delete personal data on its behalf. In this case, the personal data is safely deleted/destructed by the person who is skilled in this field in a manner that it cannot be recovered.

Anonymization of personal data refers to making personal data unlikely to be associated with any identifiable or unidentifiable real person in any way even when the personal data is paired with other data. Ebebek may anonymize personal data when the reasons for processing the personal data processed in accordance with the law have disappeared. In accordance with Article 28 of the PPD Law; anonymized personal data can be processed for research, planning and statistics purposes. Such transactions do not fall under the scope of the PPD Law, and the explicit consent of the personal data owner is not required. Since the personal data processed by making it anonymous shall fall outside the scope of the PPD Law, the rights regulated under Article 6 of the Policy shall not apply to such data. The anonymization techniques most commonly used by Ebebek are listed below.

8.2.1 Masking: This is the method in which key determinant information of personal data is extracted from data set with data masking and personal data is anonymized.
8.2.2 Aggregation: Through data aggregation method, several data is aggregated and personal data is made in a manner that is not associated with any person.
8.2.3 Data Derivation: Through data derivation method, a more general content is generated from the content of personal data and it is ensured that the personal data is not associated with any person.
8.2.4 Data Shuffling, Permutation: With the data shuffling method, the values in the personal data set are mixed and the connection between the values and the persons is broken down.
Through its Web Site and Mobile Application, Ebebek offers its members the opportunity to directly forward their requests for anonymization of their personal data through their membership accounts.

9. RETENTION AND DESTRUCTION PERIODS FOR PERSONAL DATA

In the first transaction of the periodic destruction following the date when the obligation to delete, destruct or anonymize personal data arises, Ebebek deletes, destructs or anonymizes personal data. The period of time to realize the periodic destruction is six months. The retention periods for personal data are determined in accordance with the PPD Law and business processes. The PPD Board may shorten the periods specified in this article in the event that any damages occur which can be difficult or impossible to recover and there is an explicit violation of the law.
If the Personal Data Owner applies to Ebebek, pursuant to Article 13 of the PPD Law, and s/he requests the deletion/destruction of her/his personal data, Ebebek shall:
i. In case all of the conditions for processing personal data have disappeared; delete, destruct or anonymize the personal data subject to the request. Ebebek finalizes the request of the Personal Data Owner real person within thirty days at the latest and informs the data owner real person.
ii. In case all of the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, Ebebek notifies the third party of such circumstance; ensures that the necessary transactions are carried out by the third party.
iii. In case all of the conditions for processing personal data have not disappeared, this request may be refused by Ebebek pursuant to Article 13 of PPD Law by explaining its justification and the rejection response shall be notified to the person concerned in writing or electronically within thirty days at the latest.

9.1 PERIODS OF DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA

Ebebek considers the following periods under its obligation to delete, destruct or anonymize personal data:
• In the first transaction of the periodic destruction following the date on which the obligation arises
• The period of the periodic destruction shall not be longer than 180 days (6 months), in any case.

9.2 Deletion and Destruction Periods of Personal Data upon Request of the Person Concerned

When the person concerned applies to Ebebek and requests the deletion or destruction of her/his personal data;
• In case all of the conditions for processing personal data have disappeared; Ebebek may delete, destruct or anonymize the personal data subject to the request. The requests for the deletion or destruction of the persons concerned shall be concluded by Ebebek within thirty days at the latest.
• In case all of the conditions for processing personal data have not disappeared, this request may be refused by Ebebek by explaining its justification and the rejection response shall be notified to the person concerned in writing or electronically within thirty days at the latest.

10. OUR RESPONSIBLE UNIT FOR THE PROTECTION AND PROCESSING AND DESTRUCTION OF PERSONAL DATA

Ebebek ensures coordination within the company structure, for the purpose of ensuring, maintaining and executing the compliance of the data which it has processed with the PPD Law, the related regulations and other legal regulations, via its "Information Technologies Department and Its Team". This department is responsible for the fulfilment of rights and obligations, the execution and improvement of the established system and its updates.
This Policy is reviewed once a year and its up-to-dateness is ensured within the compliance to legal legislation. Issues stated under the Policy may be amended by Ebebek provided that it complies with the legal requirements.

11. RECORDING MEDIUMS

Ebebek records and stores personal data that it processed, in accordance with the procedures and principles stipulated in the PPD Law and other laws, through fully or partially automated ways or through non-automated ways, provided that these are part of any data recording system.

11.1 Stores, Storage, Registration and Tracking at the Entrance and/or Inside of Ebebek Head Office Building

In order to increase the quality of the service provided by Ebebek, to ensure its reliability, to ensure the safety of Ebebek, its personnel, customers, visitors and other persons and to protect the interests of customers regarding the service they receive, the personal data processing is carried out by monitoring via security cameras at Ebebek Head Office Building, Stores and Storage. The monitoring activities via security cameras by Ebebek are conducted in accordance with the Law on Private Security Services and related legislation. No monitoring is carried out in areas (for instance, toilets) that may result in an interference to individual's privacy by exceeding the security objectives. In accordance with Article 4 of the Law, Ebebek processes personal data being relevant with, restricted to and proportionate to the purposes for which they are processed, and also continues to monitor via video cameras within its scope.
Ebebek also takes the necessary technical and administrative measures to ensure the security of the personal data obtained as a result of the monitoring activity carried out by Ebebek through video recording. Within this scope, a limited number of authorized Ebebek personnel have access to the relevant video recordings.
Within the framework of Article 10 of the Law, the personal data owner is clarified. As part of the obligation to clarify, it publishes this Policy on its website and clarifies by hanging a notification letter on the monitoring of the entrances to the areas where monitoring is carried out. In addition, administrative and technical measures specified in this Policy are taken within the scope of personal data processing activity by monitoring with security camera.

11.2 Tracking of Entry-Exit to Stores, Storage, Ebebek Head Office Building

Furthermore, Ebebek conducts the personal data processing activity with regard to the monitoring of entrances and exits of guests to Ebebek Head Office Building, for the purpose of ensuring security and the purposes specified in this Policy. In other words, the names, surnames and T.R. Identity Numbers of the persons who come to Ebebek Head Office Building as visitors are processed, and the visitors whose personal data are processed are informed by the clarification texts posted on the entrances. The data obtained for tracking entrance and exits of guests are processed for this purpose only, and the personal data are recorded in the data recording system in physical domains.

11.2 Tracking of Entry-Exit to Stores, Storage, Ebebek Head Office Building

Ebebek records the log records regarding the internet accesses in accordance with the provisions of the Law Numbered 5651 and the governing provisions of the legislation regulated pursuant to this Law; these records are processed only in order to respond to the request of the authorized public institutions and organizations or to fulfil the legal obligation in the audit processes to be performed within the Corporate.
Ebebek records, from its Web Site and Mobile Application (the application), the visits of Web Site and Mobile Application visitors, in order for them to realize the purpose of their visit, to display content customized for them and to perform online advertising activities (cookies, etc.), as well as internet transactions within the web site and/or the application, by technical methods. Ebebek discloses these activities that it conducts within its web site and applications, and detailed explanations regarding the protection and processing of personal data, in the texts with the heading "Privacy Policy" on its related web sites and applications.
Ebebek uses various systems to carry out its activities. Personal data can be processed to these systems by Ebebek personnel within the purpose given below and in accordance with the purposes of duty that they carry out and duty descriptions:



The Law on the Protection of Personal Data (the "PDP Law") : The Law on the Protection of Personal Data dated 24th of March 2016, and numbered 6698 which was published in the Official Gazette dated 7th of April 2016 and numbered 29677
Board : Protection of Personal Data Board
Authority : Protection of Personal Data Authority
Company : Ebebek Mağazacılık Anonim Şirketi
Group Companies : All other (affiliates, partners, etc.)
Company Official : Members of the Board of Directors of Ebebek and its other authorized real persons
Company Shareholder : Real person who owns Ebebek's shares or real person representatives of legal entities
Personal Data : All kinds of information relating to an identified or identifiable real person. Therefore, the processing of data relating to legal persons is hereby not within the scope of the Law. For instance; name-surname, TR Identity Number, e-mail, address, date of birth, credit card number, etc.
Personal Data of Special Nature : Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance, membership to associations, foundations or trade-unions, health, sexual life, criminal convictions and security measures, and the bio-metric and genetic data.
Personal Data Owner : Real person whose personal data are processed. For example; candidate personnel
Processing of Personal Data : All kinds of processes performed on data including acquisition, recording, storing, retaining, modifying, re-arranging, disclosing, transmission, taking over, making available, classifying or prevention of use through fully or partially automated ways or through non-automated ways, provided that these are part of any data recording system
Data Processor : Real and legal person who processes personal data in the name of the data controller with the authorization granted by the data controller. For instance, the cloud computing firm that holds Ebebek's data, the call center firm that searches within the framework of scripts, etc.
Data Controller : The person who determines the purpose and means of processing personal data and manages the location where the data is systematically kept (data recording system)
Contact Person : The real person notified to the Registry while registering the System by the data controller in order to make contact to be established with the Authority in relation with the obligations of the legal entities located in Turkey, and the data controller’s representative for the legal entities that are not located in Turkey under the Law and secondary regulations to be issued by basing on this Law
Explicit Consent : Consent about a specific subject based on information and expressed in free will
Delete/Destruction : Process of making personal data inaccessible, recoverable and unusable by anyone, in any manner.
Anonymization : The change of personal data in such a way that it loses the nature of personal data and such status cannot be recovered. For instance, by techniques of masking, aggregation, data destruction, etc., the personal data is made in a manner that it could not be associated with any real person
Destruction : Deletion, destruction or anonymization of personal data
Application Form : "Application Form for Applications to the Data Controller by the Person (Personal Data Owner) Concerned According to the Law on the Protection of Personal Data Numbered 6698", which contains the application to be made by the personal data owners to exercise their rights
Candidate Personnel : Real persons who have applied for a job to Ebebek in any way or have opened their resumes and relevant information for the review of our company.
Personnel, Shareholders and Officers of the Institutions that We Cooperate with : Real persons, including personnel of the institutions that Ebebek have any kind of business relation with (such as, but not limited to, business partners, suppliers), shareholders and officials of such institutions.
Business Partner : The parties with which Ebebek establishes business partnerships for the purpose of conducting various projects individually or jointly with the Group Companies and receiving services in carrying out its commercial activities.
Supplier : Parties providing services to Ebebek on a contract basis in accordance with Ebebek's orders and instructions while carrying out Ebebek's commercial activities.
Customer : A real person who purchases Ebebek products and/or services from Ebebek Stores, its Website or Mobile Application.
Member : A real person who becomes a member by registering upon filling in the member application form through the Stores or Ebebek Web Site or Mobile Application.
Third Person : Real persons whose personal data are processed under the Policy (For instance, potential customers, sureties, companion, family members and relatives, former personnel), and who are not defined differently within the scope of the Policy.
Visitor : Real persons who have entered to the physical premises owned by Ebebek for various purposes.
Ebebek Head Office Building : Ebebek's head office building located in Bostancı, Istanbul.
Stores : Locations owned and where retail sell conducted by Ebebek.
Storage : Locations owned and used as storage area by Ebebek
Web Site and Mobile Application : The web sites having address of www.ebebek.com and www.bebek.com and Ebebek mobile application.
Web Site and Mobile Application Visitors : Real persons who visit Ebebek Web Site and Mobile Application.