Personal Data Protection and Processing Policy

1. INTRODUCTION

For AGRİTRADE TARIM ÜRÜNLERİ TİCARET LOJİSTİK VE DEPOCULUK LİMİTED ŞİRKETİ (referred to as “Agritrade” or “Company”) as the data controller, the protection of personal data belonging to its customers, employees and other natural persons with whom it is in contact is of great importance. Targeted by this Policy and other written policies for the processing and protection of personal data; It is the legal processing and protection of personal data of our product or service buyers, employees, employee candidates, visitors, employees of the institutions we cooperate with, employees of the group of companies we are involved in, and third parties who have relations with Agritrade.

In this context, administrative and technical measures required by Agritrade for the processing and protection of personal data are being taken in accordance with Law No. 6698 and the relevant legislation.

In this Policy, the following basic principles adopted by Agritrade for the processing of personal data will be explained:

  • Processing of personal data within the scope of consent,
  • Processing of personal data in accordance with the law and good faith,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Limited and restrained processing of personal data in connection with the purpose for which they were processed,
  • Storing personal data for as long as required by the relevant legislation or for the purpose for which they were processed,
  • Clarifying and informing the persons whose personal data are processed,
  • Creating the necessary infrastructure for the relevant persons whose personal data is processed to exercise their rights,
  • Taking the necessary measures for the protection of personal data,
  • To act in accordance with the relevant legislation and regulations of the PPD Board in determining and implementing the purposes of processing personal data, transferring it to third parties,
  • Special regulation of the processing and protection of personal data of a special nature.

2. THE PURPOSE OF THE POLICY

The main purpose of this Policy is to explain the personal data processing activities carried out by Agritrade in accordance with the law and the systems adopted to protect personal data, in this context, to provide transparency towards the people with whom our company is associated.

3. SCOPE OF THE POLICY

This Policy; relates to all personal data of our customers, employees, employee candidates, visitors, employees of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system.

4. MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

Agritrade, in accordance with Article 12 of the Law on Protection of Personal Data, takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, illegal access to the data and to ensure the preservation of the data, taking the necessary technical and administrative measures to ensure the appropriate level of security, in this context, it performs the necessary inspections or have them done.

4.1. Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

Agritrade takes technical and administrative measures to ensure the lawful processing of personal data and to prevent illegal access, according to technological facilities and application cost.

4.1.1. Technical Measures

The following are the main technical measures taken by Agritrade to ensure the lawful processing of personal data and to prevent unlawful access:

  • Network security and application security are provided.
  • A closed system network is used for personal data transfers over the network.
  • Key management is being implemented.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • An authorization matrix has been created for employees.
  • Access logs are kept regularly.
  • The powers of employees who have changed their duties or left their jobs in this field are being removed.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • The necessary security measures are taken regarding the entry and exit of physical environments containing personal data.
  • Personal data is backed up and the security of the backed up personal data is also ensured.
  • The user account management and authorization control system are being implemented and their monitoring is also being carried out.
  • Log records are kept in such a way that there is no user intervention.
  • If personal data of a special nature is to be sent by e-mail, it is necessarily sent in encrypted form and using a REM or corporate mail account.
  • Secure encryption/cryptographic keys are used for private personal data and are managed by different units.
  • Intrusion detection and prevention systems are used.
  • Infiltration testing is carried out.
  • Cybersecurity measures have been taken and their implementation is constantly monitored.
  • Encryption is performed.
  • Data loss prevention software is used.

 4.1.2. Administrative Measures

The administrative measures taken by Agritrade to ensure the lawful processing of personal data and to prevent unlawful access:

  • Disciplinary regulations containing data security provisions are available for employees.
  • Training and awareness activities are carried out periodically on data security for employees.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
  • Confidentiality commitments are made.
  • The signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a confidentiality-rated document format.
  • Personal data security policies and procedures have been established.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is provided.
  • The security of the environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Periodic/random inspections are carried out in-house.
  • The existing risks and threats have been identified.
  • Protocols and procedures for the security of personal data of a special nature have been established and are being implemented.
  • Data processing service providers are regularly audited on data security.
  • Awareness of data processing service providers about data security is provided.

4.2. Supervision of Measures Taken to Protect Personal Data

Agritrade carries out the necessary audits personally in order to ensure the implementation of the provisions of the Law in its own institution or organization and conducts them with the support of competent organizations if necessary. According to the results of this audit, the violations, negativities and nonconformities detected are reported to the information security officer in the committee and he/she takes the necessary measures in accordance with these issues. In case of outsourcing by Agritrade due to technical requirements regarding the storage of personal data, additional contracts are made containing provisions that the relevant companies to which the personal data is transferred in accordance with the law and the persons to whom the personal data is transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with in their own establishments. In addition, Agritrade makes agreements with its personnel to comply with personal data protection measures in recruitment processes and in-house disciplinary policies.

5. RIGHTS AND DEMANDS OF THE PERSONAL DATA OWNER

Agritrade, as the data controller in accordance with the 13th article of the PDP Law, has established the Personal Data Application and Response Procedure and the written template for the applications that do not meet the application conditions specified in the law. In accordance with these procedures, technical preparations have been made in order to perform the necessary operations.

Requests for the rights listed below of the persons whose personal data are processed; By personal application with presentation of identity, in writing or by using registered electronic mail (REM) address, secure electronic signature, mobile signature or e-mail address previously notified to Agritrade by the relevant person and registered in Agritrade’s system, or in case they forward their identities to Agritrade in a confirmable way through a software or application developed for the purpose of application, the Company will respond to the request free of charge within thirty days at the latest, depending on the nature of the request. A detailed explanation in this regard is given below in article 19 of this policy.

The persons whose personal data are processed will be able to claim all the rights in the relevant article of the law, including all processing procedures, purposes and transfer information of their personal data, with their application in accordance with this procedure.

6. PROTECTION OF SENSITIVE PERSONAL DATA

With the Law on Personal Data Protection, special importance is attached to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Agritrade acts sensitively in the protection of sensitive personal data, which is determined as “sensitive” by the Law on Personal Data Protection and processed in accordance with the law. In this context, the technical and administrative measures taken by Agritrade for the protection of personal data are meticulously implemented in terms of sensitive personal data, and necessary audits are provided within Agritrade.

7. TRAINING OF AGRİTRADE EMPLOYEES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Agritrade provides its employees with the necessary trainings in order to prevent the illegal processing of personal data, to prevent illegal access to data, and to raise awareness about data protection.

8. MATTERS RELATED TO PROCESSING OF PERSONAL DATA

Agritrade, in accordance with Article 20 of the Constitution and Article 4 of the Law on Personal Data Protection, regarding the processing of personal data; carries out personal data processing activities in a limited and measured manner in accordance with the law and good faith, accurately and, when necessary, for up-to-date, specific, clear and legitimate purposes. Agritrade retains personal data for as long as required by law or for the purpose of processing personal data. Agritrade processes personal information of its customers, employees, visitors, supplier company employees and third parties; It processes personal data in the form of identity information, contact information, occupational data, visual and audio data, education data, family members data, health information, military service information, transaction security information, and while processing these data, the personal data of the persons whose data are processed are registered in Agritrade within the framework of performance of contracts, fulfillment of work, establishment of a right and financial/legal/commercial obligations, in addition to being able to benefit from its services effectively, to develop product and service diversity, and to be informed about innovations as a result of these services.

Agritrade informs the persons whose personal data are processed in accordance with Article 10 of the Law on Personal Data Protection and requests the consent of the relevant persons in cases where consent is required, and processes this personal data based on the criteria specified below.

8.1. Processing in Accordance with the Law and Good Faith

Agritrade acts in accordance with the principles brought by legal regulations and the general rule of trust and good faith in the processing of personal data. Agritrade acts in accordance with the principles brought by legal regulations and the general rule of trust and good faith in the processing of personal data.

8.2. Ensuring That Personal Data is Accurate and Up-to-Date When Necessary

Keeping personal data accurate and up-to-date is necessary for Agritrade to protect the fundamental rights and freedoms of the person concerned. Agritrade has an active duty of attention to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open in order to keep the information of the relevant persons whose personal data has been processed by Agritrade accurate and up-to-date.

8.3. Processing for Specific, Explicit and Legitimate Purposes

Agritrade clearly and definitively determines the purpose of processing personal data that is legitimate and in accordance with the law. Agritrade processes as much personal data as is necessary in connection with and for the activities it carries out.

8.4. Being Limited and Restrained in Connection with the Purpose for Which They were Processed

Agritrade processes personal data for the purposes related to the subject of its business and necessary for the conduct of its business. For this reason, Agritrade processes personal data in a way that is conducive to the realization of the identified goals and avoids the processing of personal data that is not related to the realization of the goal or is not needed.

8.5. Preservation for As Long As Required by the Relevant Legislation or for the Purpose for which They were Processed

Agritrade retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they were processed. In this context, Agritrade first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period; if a period has not been determined, personal data is stored for the period required for the purpose for which they are processed and for the period specified in the Preservation and Disposal Policy published by Agritrade. Agritrade is based on the retention periods in the personal data inventory, and at the end of the periods specified here, personal data is deleted, destroyed or anonymized according to the nature of the data and the purpose of use, within the framework of the obligations under the Law.

10. DISCLOSURE AND INFORMING OF THE PERSONAL DATA OWNER

Agritrade, in accordance with Article 10 of the KVK Law, enlightens the persons whose personal data are processed during the acquisition of personal data. In this context, Agritrade, on the identity of the data controller, the identity of its representative, if any, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the persons whose personal data are processed for legal reasons; It provides clarification according to the nature of the person concerned and the data processing process. In this context, they can be easily seen within the Company and in the common areas of the personnel. Lighting Information and Clarification Texts have been placed. In addition, clarification texts have been placed so that visitors can easily access and obtain information. In addition, clarification is also provided on our Agritrade website. The obligation to disclose is fulfilled as soon as the personal data is processed.

11. THE TRANSFER OF PERSONAL DATA

Agritrade is able to transfer the personal data and sensitive personal data of the relevant person to third parties by taking necessary security measures for the purposes of personal data processing in accordance with the law. According to Article 9/1 of the Law on Personal Data Protection, upon providing the explicit consent condition, transfers to abroad are carried out by Agritrade. The reasons for the transfer are described below:

  • If there is a clear regulation in the law on the transfer of personal data,
  • If it is necessary to transfer personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If the transfer of personal data is mandatory for Agritrade to fulfill its legal obligation,
  • If the transfer of personal data is mandatory for the establishment, exercise or protection of a right,
  • If the transfer of personal data is mandatory for the legitimate interests of Agritrade, provided that it does not damage the fundamental rights and freedoms of the person concerned.

12. AGRİTRADE PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

In accordance with Agritrade’s legitimate and lawful personal data processing purposes, in accordance with Article 5 and 5 of the Personal Data Protection Law, based on and limited to one or more of the personal data processing conditions specified in Article 4, primarily related to the processing of personal data, the following categories of personal data are processed by informing the relevant persons, in accordance with the general principles set out in the PDP Law and all obligations set out in the PDP Law, including the principles set out in the article, and limited to the relevant persons whose personal data are processed in accordance with this Policy.

Agritrade has established a personal data inventory in accordance with the Data Officers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, source of data, data processing purposes, data processing process, recipient groups to which data is transferred, and retention periods. In this context, the following types of data categories are included in the Agritrade personal data inventory, although they are not limited to these types.

CATEGORIZATION OF PERSONAL DATACATEGORIZATION OF PERSONAL DATA DESCRIPTION
Contact DataIt is a set of data that can be used to contact a person (Phone, address, e-mail, Ip address).
Identity DataIt is a group of data containing information about the person’s identity (First name, last name, TRIN, mother’s name, father’s name, place of birth, date of birth, gender, wallet serial number, photocopy of identity, tax no, SSI no, nationality data, employee card).
Audio/Visual DataIt is a data group containing visual and auditory data belonging to a person (Photo, audio recording, camera recording, driver’s license photocopy/scan, ID photocopy front side).
Physical Space Security Data It is the data group in which the camera record in which the person’s location is recorded. (Camera recording).
Digital Trail DataIt is a group of data with digital traces formed as a result of the processing of personal information (Log Records , IP address information).
Financial DataIt is a group of data containing a person’s financial information (Bank account number, iban, card information, bank name, financial profile, mail order form, credit rating).
Professional DataIt is a group of data containing information about a person’s profession (information about the institution where they work, the register of the professional chamber).
Education DataIt is a data group containing educational data belonging to a person (Diploma note, diploma photocopy/scan).
Company DataIt is personal company data (Company address).
Signature DataIt is a data group with signature information belonging to a person (Wet signature, e-signature, signature copy/scan).
Military Service Data It is a set of data on the status of a person’s military service or (military service status, temporary status)
Health DataIt is a set of data on a person’s health status. (Health report, medication information, hearing and vision information, consultation report, examination information)
Criminal Conviction DataIt is a set of data on the legal sanctions that a person has received in his past (Criminal Proceedings, Criminal Record, Disciplinary Record).

Agritrade has determined the Agritrade Personal Data Inventory, which it has created based on the data types used within the scope of data processing activities, as shown in the table above, and with the Agritrade Data Retention and Destruction Policy.

13. PURPOSES OF PROCESSING PERSONAL DATA

Agritrade processes personal data limited to the purposes and conditions within the personal data processing conditions specified in the 2nd paragraph of the 5th article of the Law on Personal Data Protection and the 3rd paragraph of the 6th article. These purposes and conditions are as follows:

  • Execution of Emergency Management Processes
  • Execution of Information Security Processes
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes
  • Execution of Application Processes of Employee Candidates
  • Execution of Employee Satisfaction and Loyalty Processes
  • Fulfillment of Obligations Arising from the Employment Contract and Legislation for Employees
  • Execution of the Processes of Fringe Rights and Benefits For Employees
  • Execution of Audit/Ethics Activities
  • Execution of Educational Activities
  • Execution of Access Privileges
  • Receiving And Evaluating Recommendations for Improving Business Processes
  • Execution of Activities to Ensure Business Continuity
  • Execution of Logistics Activities
  • Conducting the Processes of Purchasing Goods / Services
  • Execution of Goods/Services After-Sales Support Services
  • Execution of Goods/Services Sales Processes
  • Execution of Production and Operation Processes of Goods / Services
  • Execution of Customer Relationship Management Processes
  • Conducting Activities Aimed at Customer Satisfaction
  • Organization and Event Management Within the Company
  • Conducting Marketing Analysis Studies
  • Execution of Performance Evaluation Processes
  • Execution of Advertising / Campaign / Promotion Processes
  • Execution of Risk Management Processes
  • Conducting Storage and Archival Activities
  • Conducting Social Responsibility and Civil Society Activities
  • Execution of Contract Processes
  • Execution of Sponsorship Activities
  • Execution of Strategic Planning Activities
  • Follow-up of Requests / Complaints
  • Ensuring an audit of the consistency of their information,
  • In terms of employees; creation of personal data sheet, determination of whether they are qualified to fulfill the requirements of the job continuously, private health insurance, creation of health files, taking occupational safety measures,
  • Fulfillment of legal obligations,
  • Execution of Activities in Accordance with the Legislation
  • Execution of Financial And Accounting Affairs
  • Execution of Loyalty Processes to the Company / Product / Services
  • JUL: Ensuring the Safety of Physical Space
  • Execution of Assignment Processes
  • Monitoring and Execution of Legal Affairs
  • Execution of Internal Audit/ Investigation / Intelligence Activities
  • Execution of Communication Activities
  • Planning of Human Resources Processes
  • Execution / Supervision of Business Activities
  • Execution of Occupational Health and Safety Activities
  • Ensuring the Safety of Movable Property and Resources
  • Execution of Supply Chain Management Processes
  • Execution of the Wages Policy
  • Execution of Marketing Processes of Products / Services
  • Ensuring the Security of Data Controller Operations
  • Foreign Personnel Work And Residence Permit Procedures
  • Execution of Investment Processes
  • Execution of Talent/ Career Development Activities
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Execution of Management Activities
  • Creation and Tracking of Visitor Records
  • Conducting studies to improve the quality of service and providing better services,
  • Invoice arrangement for our services,
  • Identity confirmation,
  • Answering questions and complaints,
  • Taking the necessary technical and administrative measures within the scope of data security,
  • Providing financial reconciliation with related business partners and other third parties regarding the products and services offered,
  • Providing the necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities,
  • Preservation of information about the data that should be stored in accordance with the relevant legislation,
  • Agritrade execution/follow-up of financial reporting and risk management transactions,

14. PERIODS OF STORAGE OF PERSONAL DATA

Agritrade stores personal data for the period specified in the relevant laws and regulations, if provided for in these regulations.

If a period of time is not regulated in the legislation regarding how long the personal data should be kept, the personal data is kept for a period of time that requires it to be kept in accordance with the practices of Agritrade and the practices of the industry, depending on the activity carried out by Agritrade while processing that data and later deleted, destroyed or anonymized in accordance with the Personal Data Retention and Destruction Policy established by Agritrade.

If the purpose of processing personal data has expired and the retention periods set by the relevant legislation and Agritrade have also expired, personal data can only be stored to provide evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. The retention periods are determined based on the examples in the previous requests made to Agritrade on the same issues despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the periods here. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it should be used in the relevant legal dispute. Personal data is deleted, destroyed or anonymized after the expiration of the period mentioned here.

15. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY AGRİTRADE AND THE PURPOSES OF THE TRANSFER

Agritrade, in accordance with Article 10 of the Law on Personal Data Protection, notifies groups of persons whose personal data is transferred to the person whose personal data is processed.

Agritrade, in accordance with Articles 8 and 9 of the Law on Personal Data Protection, may transfer the personal data of the persons whose personal data are processed under this Policy to the following stakeholder categories:

  • Agritrade business partners
  • Banks and insurance companies
  • Travel agencies
  • Hotels
  • Educational companies
  • Agritrade suppliers
  • Agritrade company officials
  • Legally authorized public institutions and organizations

The transfer scope and data transfer purposes are stated below:

Persons Who Can Transfer DataDefinitionPurpose of Data Transfer
· Business partnersDefines the parties with whom Agritrade establishes business partnerships for the purposes of carrying out various projects, receiving services, while carrying out commercial activities.It is transferred on a limited basis in order to ensure the fulfillment of the founding purposes of the business partnership.
SupplierAgritrade defines the parties that provide services to Agritrade on a contractual basis in accordance with Agritrade’s orders and instructions while carrying out its commercial activities.It is transferred on a limited basis in order to provide Agritrade with the services that Agritrade outsources from the supplier and which are necessary to carry out the commercial activities of Agritrade.
Authorized Public Institutions and OrganizationsAccording to the provisions of the legislation, defines the public institutions and organizations authorized to receive information and documents from Agritrade.It is transferred for a limited purpose in cases where public institutions and organizations request it and offer a legal basis.

16. PROCESSING OF PERSONAL DATA

16.1. Processing of Personal Data

The explicit consent of the relevant person whose personal data is being processed is only one of the legal bases that make it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in case of the existence of one of the conditions specified in the law. The basis of the personal data processing activity may be only one of the following conditions, as well as more than one of these conditions may be the basis of the same personal data processing activity.

Terms of ProcessingScopeExample
ProvisionTax Legislation, Labor Legislation, Trade Legislation, etc.Keeping personal information belonging to the employee in accordance with the legislation.
Execution of the ContractEmployment Contract, Sales Contract, Service Contract, Commitments, etc.Conclusion of a sales contract on Agritrade’s products.
Legal Responsibility of the Data ControllerCompliance with Financial and Administrative Audits, Social Security Legislation, Sector-Oriented Regulations.Sharing information in audits specific to areas such as the Social Security Institution.
PublicityThe relevant person submits his/her information to the public.The person’s declaration of their contact information in order to be reached in case of emergency.
Establishment, Protection, Use of the RightMandatory data for use in filing a lawsuit and filing a claim/complaint, etc.Storage of the necessary information about an employee who left the job for the duration of the case statute of limitations.
Legitimate InterestsThe data may be processed if it is mandatory for the legitimate interest of the data controller, provided that the basic rights of the person concerned are not harmed.Data processing for the purpose of applying rewards and bonuses that increase employee loyalty.

17. PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED IN AGRİTRADE, COMPANY BUILDING ENTRANCES AND IN THE BUILDING

In order to ensure security, Agritrade carries out security camera monitoring activities in Agritrade buildings and facilities and personal data processing activities aimed at tracking guest entrances and exits.

Personal data processing activities are carried out by Agritrade by using security cameras and recording guest entrances and exits.

Agritrade, within the scope of surveillance with security cameras, aims to protect the interests of the company and other persons in order to ensure their safety. This monitoring activity is carried out in accordance with the Law on Personal Data Protection and Private Security Services and the relevant legislation. In this context, the information that the camera is being monitored is announced to all employees and visitors and the persons are informed. Notification messages are hung at the entrances of the monitored areas. In accordance with Article 12 of the Law on Personal Data Protection Agritrade takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.

17.1. Tracking of Guest Entrances and Exits Carried Out in the Agritrade Building, at the Entrances and Inside the Facility

For the purpose of ensuring security and other purposes specified in this Policy, Agritrade conducts personal data processing activities aimed at tracking the entry and exit of guests in Agritrade buildings and facilities. While obtaining the identity data of the people who come to Agritrade buildings as guests, or through texts posted in Agritrade or made available to the guests in other ways, the relevant persons are informed in this context. The data obtained for the purpose of guest entry-exit tracking is processed only for this purpose and the personal data of the relevant person is recorded in the data recording system in a physical environment.

17.2. Storing Log Records Related to Access to Software Provided to Personnel at Agritrade Facilities

For the purpose of ensuring security and other purposes specified in this Policy by Agritrade, internet access can be provided to visitors who request it during their stay in buildings and facilities. In this case, log records of internet access are kept in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law, and these records are processed only if requested by authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out in Agritrade.

18. TERMS OF DESTRUCTION (DELETION, DESTRUCTION AND ANONYMIZATION) OF PERSONAL DATA

In the event that the reasons requiring processing disappear, although it has been processed in accordance with the provisions of the relevant law, in accordance with Article 138 of the Turkish Penal Code, Article 7 of the Law on Personal Data Protection and the “Regulation on the Deletion, Destruction and Anonymization of Personal Data” issued by the Board, personal data is deleted, destroyed or anonymized upon Turkey’s own decision or upon the request of the personal data subject. Agritrade has established a policy on this issue in accordance with the provisions of the regulation and is destroying data according to the nature of this policy.

19. RIGHTS OF PERSONAL DATA OWNERS; USE OF THESE RIGHTS

Agritrade informs the rights of the person concerned in accordance with Article 10 of the Law on Personal Data Protection and guides the person whose personal data is processed on how to use these rights regulated in Article 11 and Agritrade carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the Law on Personal Data Protection in order for the persons concerned to evaluate their rights and to provide the necessary information to the relevant persons.

19.1. The Rights of the Person Concerned and Exercising These Rights

19.1.1. Rights of relevant persons whose personal data are processed

The relevant persons whose personal data are processed have the following rights:

a. Find out if personal data has been processed,

b. Request information about personal data if it has been processed,

c. To find out the purpose of processing personal data and whether they are used for their intended purpose,

d. Know the third parties to whom personal data is transferred in the country or abroad,

e. To request that personal data be corrected if they have been incompletely or incorrectly processed and to request that the process in this regard be notified to third persons, to whom personal data are transferred,

f. To request that personal data be deleted or disposed of in case the reasons for processing no longer exist even though they have been processed in accordance with provisions of the Law and other relevant laws, and to request that this operation be notified to third persons, to whom personal data are transferred,

g. Objecting to this result in the event that a result arises against the person themselves by analyzing the processed data exclusively through automated systems,

h. Requesting compensation for damages if personal data is damaged due to unlawful processing.

19.1.2. Cases Where the Relevant Person Cannot Assert Their Rights

The relevant persons whose personal data are processed are subject to Article 28 of the Law on Personal Data Protection. since the following cases are excluded from the scope of the Law on Personal Data Protection in accordance with Article 20.1.1 on these issues they cannot assert their rights, which are considered in:

a. Processing of personal data for purposes such as research, planning and statistics by anonymizing it with official statistics,

b. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,

c. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,

d. Processing of personal data by judicial authorities or enforcement bodies in connection with the proceedings of an investigation, prosecution, trial or execution.

In accordance with Article 28/2 of the Law on Personal Data Protection; except for the right to demand compensation for damage by relevant persons whose personal data is processed in the following cases, 20.1.1.they cannot assert their other rights, which are considered in:

a. The processing of personal data that is necessary to prevent the commission of a crime or to investigate a crime,

b. Processing of personal data made public by the relevant person whose personal data is being processed,

c. Personal data processing necessary for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law,

d. The processing of personal data necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial issues.

19.1.3. Exercise of the Rights of the Relevant Person

Persons whose personal data are processed will be able to submit their requests regarding their rights set forth in this Policy to Agritrade free of charge, with the information and documents that will identify them, by filling out and signing the Application Form, using the methods specified below or other methods determined by the Personal Data Protection Board. Comprehensive regulation in this regard has been made in the Agritrade Personal Data Application and Response Procedure. Personal Data Application and Response Procedure can be requested from genel@agrilink.com.tr e-mail address or the relevant procedure can be accessed via the www.agritrade.com.tr website. The application must be submitted to our Company in writing or electronically and by the methods listed below, in accordance with the 1st paragraph of Article 13 of the Law on Personal Data Protection and the relevant provisions of the Communiqué on Application Procedures and Principles to the Data Controller.

In order for the above-mentioned application to be accepted as a valid application, in the application pursuant to the Communiqué on Application Procedures to the Data Controller;

a) Name, surname and signature if the application is written,

b) For citizens of the Republic of Turkey T.R. identification number, nationality for foreigners, passport number or identification number, if any,

c) Address of the place of residence or place of work based on the notification,

d) E-mail address, telephone and fax number based on the notification, if any,

e) Subject of request,

is mandatory to specify above-mentioned information. Otherwise, the application will not be considered a valid application. For applications that will be made without filling out the application form, the issues listed here must be fully transmitted to Agritrade.

In order for third parties to submit an application on behalf of the relevant persons whose personal data has been processed, there must be a special power of attorney issued by the relevant person through a notary public on behalf of the person who will submit the application.

20. THE RELATIONSHIP OF AGRİTRADE’S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES

Agritrade has established the principles set out in this document based on the policies related to other data assets within Agritrade and the internal procedures for the protection and processing of personal data.

ANNEX-1 DEFINITIONS

Explicit Consent : Consent to a particular issue, based on being informed and disclosed of free will.

Anonymization : It is the modification of personal data in such a way that it will lose its personal data nature and in a way that cannot be undone. Ex: Making personal data unable to be associated with a person, by means of techniques such as masking, aggregation, data corruption etc.

Application Form: “Application Form Regarding the Applications to be Made by the Relevant Person (Personal Related Person) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698”, which includes the application to be made by the persons whose personal data are processed to exercise their rights.

Employee Candidate : natural persons who have applied for a job in Agritrade by any means or have shared a resume and related information.

Employees, Shareholders and Officials of Cooperatively Owned Institutions: Individuals and legal entities, including shareholders and officials of these institutions, working in institutions (such as, but not limited to, business partners, suppliers) with which Agritrade has any kind of business relationship.

Business Partner: The parties with whom Agritrade has established business partnerships for the purposes of individually or jointly carrying out various projects, receiving services, while carrying out its commercial activities.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations performed on data such as classification or prevention of use.

Relevant person: The natural person whose personal data is processed. For example; customer, staff…

Personal Data: Any information related to a specific or identifiable natural person. Therefore, the processing of information about legal entities is not covered by the Law. For example; first name, last name, TRIN, e-mail, address, date of birth, credit card number, etc.

Sensitive Personal Data: Race or ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, association or trade union membership, health, sexual life, criminal convictions and security measures, data on genetic and biometric data.

Provider: The parties that provide services to Agritrade on a contractual basis in accordance with Agritrade’s orders and instructions while Agritrade conducts its commercial activities.

Third Party: natural persons whose personal data are processed within the scope of the policy, which are not defined in a different way within the scope of the policy. For example; family members, former employees…

Data Processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, departments working within Agritrade, etc.

Data Controller: The person who determines the purposes and means of processing personal data, manages the location where the data is systematically stored (data registration system). Within the scope of this policy, Agritrade Industrial Automation Solutions A.Ş is the data controller.

Deletion of Data: It refers to the situation that all relevant users within the company are encrypted in such a way that access to personal data is blocked, and only the data protection officer has the password.

Destruction of Data: It refers to the situation when personal data is completely eliminated physically or technologically in a way that cannot be returned again.

Visitor: Real persons who have entered the physical facilities owned by Agritrade for various purposes or visited our websites.

ANNEX-2 DATES THAT ARE IMPORTANT FOR THE IMPLEMENTATION OF THE LAW ON PROTECTION OF PERSONAL DATA

As of April 7, 2016, Agritrade acts in accordance with the following obligations: (i) General rules and principles regarding the processing of personal data, (ii) Obligations regarding the disclosure of the persons whose personal data are processed, (iii) Obligations regarding data security.

As of October 7, 2016, the regulations listed below will enter into force and Agritrade will act in accordance with these regulations: (i) Provisions regarding the transfer of personal data to third parties and abroad, (ii) Regulations regarding the exercise of the right of application by the persons whose personal data are processed, against Agritrade (to learn whether their personal data has been processed, to request information, to learn about the persons to whom it has been transferred, to request correction) and to file a complaint with the PPD Board.

As of 7 April 2017, (i) consents obtained in accordance with the law before 7 April 2016 will be considered in accordance with the Law On Protection Of Personal Data, unless a contrary statement is made by the persons whose personal data are processed. (ii) regulations regarding the Law On Protection Of Personal Data will enter into force.

Personal data processed before 7 April 2016 will be harmonized with the Law On Protection Of Personal Data, deleted or anonymized by Agritrade until 7 April 2018.