Information on the Protection of Personal Data:
As EKMAŞ, we attach great importance to processing and storing your personal data in compliance with the Personal Data Protection Law No. 6698 (“Law”). We would like to inform our customers about the purposes and methods of collecting, processing, and transferring personal data, as well as your rights arising from the Law.
1. Methods of Collecting Personal Data
Our Company collects personal data by recording the information you provide in our systems during purchases made through the Site, membership processes, or purchases made without membership, as well as by recording the data generated from the use of your fixed/mobile internet and communication devices and/or mobile applications in various environments. This includes all kinds of membership, shopping, collection, delivery and related transactions carried out on the Site, filling out surveys, registration and behavioral actions recorded in our systems, and records related to return processes through the documentation maintained. These data are obtained directly from the information provided by the customer and from data learned through payment instruments.
Your personal data is processed based on legal grounds such as the necessity of data processing for the establishment and performance of a contract, being explicitly stipulated in laws, fulfillment of legal obligations, the legitimate interest of the data controller, and explicit consent for cookie records.
As EKMAŞ, in our capacity as data controller, within the framework of our legal obligations arising from legislation, we collect your personal data verbally, in writing or electronically through the website, social media platforms, mobile applications and similar means, for purposes such as enabling you to benefit from our services, informing you about our campaigns upon your consent, recording your suggestions and complaints, providing better service standards, and determining and implementing EKMAŞ’s commercial and business strategies.
Data Categories and Types That May Be Processed at Different Stages
Identity: Name – Surname, Turkish ID Number, Date of Birth (*), Gender (*)
Contact: Phone number, Address, Postal Code, Address Title, Email address, Country (*)
Customer Transaction: Shopping history information, Purchased product/service information, Order information, Membership ID – Password information, Delivery address, Your site usage information, Cookie records
Financial: Bank/credit card information, Billing address and other invoice information, Bank account information
Professional Experience: Occupation Information (*), Education Level (*)
*These personal data are processed only if you voluntarily fill in the relevant fields under “My Account Settings – Membership Information” after becoming a member, and within the scope of your explicit consent.
2. Processing of Personal Data and Purposes
EKMAŞ processes your personal data for the purposes specified in the table above, based on the legal grounds stated in Article 5 of KVKK. Your personal data collected through cookies are processed as follows:
Based on the legal ground that processing of personal data is necessary for the establishment or performance of a contract; in order to perform essential functions through strictly necessary cookies and to ensure that you benefit from the services provided by the Platform,
Based on the legal ground that data processing is necessary for the establishment, exercise or protection of a right; personal data processed through all types of cookies used on the Platform may be processed for the purpose of conducting legal affairs and litigation processes in case of a legal dispute or requests from public authorities,
Based on the legal ground that data processing is necessary for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms; for the purpose of carrying out activities to improve and enhance the performance and functionality of the Platform and to ensure ease of use,
Based on your explicit consent; your personal data is processed for purposes such as improving your shopping experience through Performance Cookies, Targeting Cookies and Functional Cookies, providing our services, making personalized promotions, offering promotions and marketing offers, improving the content of the website or mobile application according to you and/or determining your preferences, increasing your satisfaction, and transferring personal data domestically and abroad.
EKMAŞ may process your personal data, in any case in compliance with the Personal Data Protection Law No. 6698 and relevant legislation, for purposes such as enabling customers to benefit from our services, informing you about our campaigns upon your consent, recording your suggestions and complaints, providing better service standards, and determining and implementing commercial and business strategies.
3. What is the Legal Basis for Processing Your Personal Data?
EKMAŞ processes your personal data for the purposes stated above, based on the legal grounds set out in Articles 5, 6 and 8 of KVKK as follows:
The necessity of processing personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of the contract,
Your personal data has been made public by you in accordance with the law in the internet environment,
The necessity of data processing for the establishment, exercise or protection of a right,
Based on your explicit consent; storing your personal data in our CV pool and informing you about other suitable positions corresponding to your application within EKMAŞ,
If you apply for positions opened specifically for disabled personnel; your health data is processed based on your explicit consent, which you may withdraw at any time by applying to our Company through the methods specified in the “Contact for Your Rights and Requests” section of the Disclosure Text.
4. What Are Your Rights Regarding the Protection of Your Personal Data?
By applying to our Company through the methods specified in the “Contact for Your Rights and Requests” section of this Disclosure Text, you have the right to:
Learn whether your personal data is processed,
Request information if your personal data has been processed,
Learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
Know the third parties to whom your personal data is transferred domestically or abroad,
Request correction of your personal data if it is incomplete or incorrectly processed,
Request deletion or destruction of your personal data within the framework of the conditions stipulated in KVKK,
Request notification of the transactions carried out pursuant to your rights of correction, deletion and destruction to third parties to whom personal data has been transferred,
Object to the occurrence of a result against you by analyzing your processed personal data exclusively through automated systems,
Request compensation for the damage in case you suffer damage due to unlawful processing of your personal data.
5. Transfer of Personal Data
EKMAŞ takes utmost care to process your personal data collected through cookies in compliance with the provisions of KVKK regarding the transfer of personal data, in line with the principles of “need to know” and “need to use”, by observing the principle of data minimization and by taking necessary technical and administrative security measures.
The cookies used on www.ekmas.com.tr website may activate advertising technologies in order to present advertisements that may be of interest to you when you visit search engines, the website, mobile applications and/or websites where the site advertises. Advertising technology uses information about your previous visits to the website/mobile application and to the websites/mobile applications where the site advertises in order to provide you with personalized advertisements. While presenting these advertisements, a unique third-party cookie may be placed on your browser so that the website can recognize you. Personal data obtained through such third-party cookies may be shared with the relevant social media platforms if you log in to Ekmaş through these platforms.
Ekmaş also uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses cookies to analyze how users use the website, mobile application and/or mobile site and provides statistical information/reports.
EKMAŞ may share your personal data only; based on your explicit consent or in compliance with the security and confidentiality principles specified in the Law and provided that adequate measures are taken, domestically and abroad where necessary, for the purposes of carrying out company activities, maintaining business relations between data owners and our customers and/or conducting negotiations for this purpose, offering services, opportunities and facilities and increasing service quality; with our group companies, business partners, customers, suppliers, audit companies, authorized public institutions or organizations that are legally entitled to request such data, and other relevant authorities without being limited to these.
How Does EKMAŞ Protect Your Personal Data?
Personal data shared with Ekmaş is under the supervision and control of Ekmaş. As the data controller, Ekmaş has undertaken the responsibility to establish the necessary organization and to take and adapt technical measures in order to protect the confidentiality and integrity of the information in accordance with the applicable legislation. Being aware of this obligation;
Penetration tests are carried out periodically in accordance with international and national technical standards regarding data confidentiality.
Your personal data transmitted to Ekmaş through the website, mobile site and mobile application are protected using SSL (Secure Sockets Layer) technology.
Risk analyses regarding personal data processing activities are carried out regularly and actions are taken to reduce risks.
Access and authorization controls are implemented to prevent unauthorized access to personal data.
Within this scope, we inform you that our data processing policies are always kept up to date.
Data Retention, Anonymization and Disposal Policy
1. Purpose
The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripheral units used in obtaining, processing and storing information are securely disposed of when necessary and in compliance with the Personal Data Protection Law No. 6698.
2. Scope
This procedure covers all personal and commercial data records and business processes.
3. Definitions
Law: Refers to the Law No. 6698 on the Protection of Personal Data.
Personal Data: Refers to any information relating to an identified or identifiable natural person. A person being identifiable means that the person can be identified by associating existing data with a real person in any way.
Redaction: Refers to processes such as crossing out, painting, or blurring personal data so that it cannot be associated with an identified or identifiable natural person.
Recording Environment: Refers to any environment where personal data is processed, whether fully or partially automatically or as part of a data recording system.
Personal Data Retention and Disposal Policy: Refers to the policy on which data controllers base the determination of maximum retention periods and the processes of deletion, destruction, and anonymization of personal data.
Masking: Refers to processes such as deleting, crossing out, painting or starring certain parts of personal data so that it cannot be associated with an identified or identifiable person.
Special Categories of Personal Data: Refers to data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Disposal: Refers to the deletion, destruction or anonymization of personal data at recurring intervals specified in the retention and disposal policy when all conditions for processing personal data set out in the Law are eliminated.
4. References
Personal Data Protection Law No. 6698 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2018 and numbered 30224.
5. Application
5.1. Disposal of Assets
In cases where the purpose for processing personal data no longer exists, explicit consent has been withdrawn, or all processing conditions set forth in Articles 5 and 6 of the Law are eliminated and none of the exceptions apply, personal data whose processing conditions have ceased shall be deleted, destroyed or anonymized by the relevant business unit in accordance with Articles 7, 8, 9 or 10 of the Regulation, taking into account business needs and by explaining the justification of the method applied. However, if there is a finalized court decision, the disposal method determined by the court must be applied.
All information on devices capable of storing data is erased against unauthorized access, and the disk and recording mechanisms are physically destroyed. A Media/Device Disposal Report is prepared and signed by the information systems operator, recording details such as date, device information and reason for disposal.
Methods for Deletion of Data
a. Personal Data in Paper Format: Destroyed using shredders or, where necessary, deleted using the redaction method.
b. Office Files on Central Servers: Deleted using the operating system’s delete command.
c. Data on Portable Media: Deleted using the operating system’s delete command.
d. Databases: Relevant rows containing data are deleted using database commands.
Methods for Destruction of Assets and Data
a. Local Systems: Destroyed using appropriate methods such as degaussing, physical destruction or overwriting.
b. Environmental Systems:
• Network devices (switches, routers, etc.): Destroyed using the appropriate methods specified in item (a).
• Flash-based media: Destroyed using the methods recommended by the manufacturer or the methods specified in item (a).
• Magnetic tapes: Destroyed by degaussing or physical methods such as burning or melting.
• SIM cards and fixed memory cards: Destroyed using appropriate methods specified in item (a).
• Optical discs: Destroyed by physical methods such as burning, shredding or melting.
• Peripheral devices with fixed storage: Destroyed using appropriate methods specified in item (a).
c. Printed Materials: Destroyed using paper shredding machines. Personal data transferred from original paper format to electronic media are destroyed using appropriate methods depending on the medium.
Methods for Anonymization of Personal Data
During anonymization, appropriate methods specified in the guideline published by the Personal Data Protection Authority are used.
As a result of periodic reviews or when it is determined that data processing conditions no longer exist, the relevant unit or data owner decides to delete, destroy or anonymize the personal data in accordance with this policy. In case of uncertainty, the opinion of the relevant business unit is obtained.
In the disposal of data, the retention periods published by the General Directorate of State Archives are taken into account. Data that has completed its retention period and has no legal obstacle to disposal is destroyed.
5.1.1. Disposal of Multi-Stakeholder Data
Where personal data with multiple stakeholders exists in central information systems, the decision regarding disposal is made in accordance with this policy by obtaining the opinion of the Data Controller Representative.
5.1.2. Disposal of Personal Data Upon Request of the Data Subject
If the data subject requests deletion, destruction or anonymization of personal data pursuant to Article 13 of the Law through the “Personal Data Owner Application Form,” the request is finalized within thirty days at the latest. Requests are evaluated only after identity verification. The applicant is informed via the methods specified in the application form.
If legal requirements prevent deletion, this is explained to the data subject. If all processing conditions are eliminated, the relevant personal data is deleted, destroyed or anonymized within three months. If the data has been transferred to third parties, the relevant unit notifies those parties and ensures necessary actions are taken in accordance with the Regulation.
5.2. Periodic Review of Personal Data
All users and units processing or storing personal data review whether processing conditions still exist at least every six months. This review is also carried out upon request of the data subject or notification by a court.
All actions related to deletion, destruction or anonymization are recorded and retained for at least three years, except where other legal obligations apply.
All processes are carried out in compliance with Article 4 (General Principles) and Article 12 (Data Security Obligations) of the Law, relevant legislation, Board decisions and court decisions.
5.3. Storage of Personal Data
Retention periods are specified in the “Personal Data Processing Inventory.”
These retention and disposal periods are taken into account in periodic or request-based disposal processes and may vary upon request of the data subject unless legally required.
Physical security measures are applied for paper documents and storage devices such as CD, DVD and USB, ensuring restricted access and monitoring. Digital data is stored on secure servers with necessary protection measures.
Administrative and technical measures taken to ensure personal data security are detailed in the Personal Data Protection and Processing Policy.
6. Control
Documents are revised when necessary and are reviewed periodically once a year.
Contact for Your Rights and Requests
You may submit your questions regarding your personal data and your rights under Article 11 of KVKK to [email protected] via your registered email address, using a petition or application form prepared in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller.
You may also apply in person, in writing, via notary, or by using a secure electronic signature or mobile signature to our Registered Electronic Mail (KEP) address ([email protected]). Applicants must provide documents verifying their identity.
About the Disclosure Text
EKMAŞ reserves the right to update this Disclosure Text within the framework of changes in the applicable legislation.
Update Date: 04/05/2023
EKMAŞ GIDA MAKİNALARI LTD. ŞTİ.
Address: Yeşilce Mah. Kağıthane Barbaros Cad. Şebnem Sokak No:10/A Seyrantepe, Kağıthane, İstanbul
Phone: 08506500000
Email: [email protected]