POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA
COMMITMENT TO DATA PRIVACY
This Policy on Processing and Protection of Personal Data (“Policy”) sets forth the principles to be followed by Özsu Fish Farming Inc. (“Özsu Fish”), as the data controller within the scope of Law No. 6698 on the Protection of Personal Data (“Law”), in processing and protecting personal data within Özsu Fish and/or by Özsu Fish, in accordance with the relevant legislation. Özsu Fish is aware of its responsibilities regarding compliance with the Law through its activities carried out in accordance with the principles of legality, honesty, and transparency in the processing of personal data.
Özsu Fish acts in accordance with this Policy and the principles stated in the Policy regarding the personal data it holds within its organization.
Your personal data is processed and protected in accordance with the following matters within the scope of this Policy.
PURPOSE OF THE POLICY
The main purpose of this policy is to determine the methods and processes related to the processing and protection of personal data carried out by Özsu Fish in a lawful manner and to ensure transparency by informing the individuals whose personal data is processed by Özsu Fish.
SCOPE OF THE POLICY
This Policy is prepared for individuals whose personal data is processed within Özsu Fish through non-automatic ways or as part of any data recording system.
This Policy does not apply to data that does not have the nature of personal data.
The scope of application of this policy to individuals whose personal data is processed may be the entire policy or only in terms of certain provisions.
This Policy may be modified in writing if required by the regulations for the protection of personal data, including the Law.
DEFINITIONS
“Explicit Consent”: It refers to the consent given based on information on a specific subject, with free will. “Recipient Group”: It refers to the category of natural or legal persons to whom personal data is transferred by the data controller. “Anonymization”: It refers to making personal data unrelated or unidentifiable with any real person by matching it with other data. “Electronic Environment”: It refers to the environments where personal data can be created, read, modified, and written by electronic devices. “Non-Electronic Environment”: It refers to all written, printed, visual, etc., other environments outside electronic environments. “Secure Electronic Signature”: It refers to the electronic signature created with a secure electronic signature creation tool that is exclusively owned by the signatory, enables the identification of the signatory based on a qualified electronic certificate, and ensures the detection of whether any changes have been made to the signed electronic data. “Service Provider”: It refers to the natural or legal person providing services to the Company within the framework of a specific contract. “Data Subject”: It refers to the real person whose personal data is processed. “Destruction”: It refers to the deletion, destruction, or anonymization of personal data. “Record Medium”: It refers to any medium where personal data processed either completely or partially automatically or, as part of any data recording system. “Registered Electronic Mail (KEP) Address”: It refers to the qualified form of electronic mail that provides legal evidence regarding the use of electronic mail, including the sending and delivery of electronic messages. “Personal Data”: It refers to any information about a real person that identifies or is identifiable. “Personal Data Processing Inventory”: It refers to the inventory created by data controllers regarding the personal data processing activities they carry out in connection with their business processes; explaining the personal data processing purposes and legal reasons, associating personal data with data categories, recipient groups to whom the data is transferred, and the group of data subjects, and detailing the inventory required for the purposes of processing personal data and the measures taken for data security, by disclosing the maximum retention period necessary for foreign transfers of personal data and data security. “Processing of Personal Data”: It refers to any operation performed on personal data, whether fully or partially automatic or, as part of any data recording system. “Personal Data Protection Committee”: The committee consisting of Gökay Gürsel, Selin Sertbaş, Rana Ceren Selimgil. “Board”: It refers to the Personal Data Protection Board. “Institution”: It refers to the Personal Data Protection Authority. “Special Qualified Personal Data”: It refers to data related to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress and clothing, membership in associations, foundations, or unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data. “Periodic Destruction”: It refers to the deletion, destruction, or anonymization process to be carried out periodically, repeatedly, if all processing conditions specified in the Law are eliminated. “Data Processor”: It refers to the natural or legal person processing personal data on behalf of the data controller based on the authorization given by the data controller.
DATA PROCESSING PRINCIPLES
Özsu Fish, acting in accordance with the Law, processes personal data in compliance with the principles set out in the Law, and ensures that these principles are followed by its employees, service providers, and other third parties authorized to process personal data on behalf of Özsu Fish. These principles are as follows:
- a) Legality and Good Faith: Personal data is processed in accordance with the law and good faith.
- b) Accuracy and Timeliness: Necessary measures are taken to ensure that personal data is accurate and, if necessary, up to date.
- c) Processing for Specific, Clear, and Legitimate Purposes: Personal data is processed for specific, clear, and legitimate purposes.
- d) Relevance, Limited, and Non-Excessive Processing: Personal data is processed in connection with the purposes for which it is processed, and processing is limited to the purposes for which personal data is processed.
- e) Retention for the Period Required by the Purpose for Processing: Personal data is kept for the period required by the purpose for which it is processed.
- f) Processing in Accordance with the Law and Integrity: Personal data is processed in accordance with the law and integrity.
- g) Data Owner’s Rights: The rights of the data subject as set out in the Law are respected.
- h) Security of Personal Data: Necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unlawful processing of personal data and to prevent unlawful access to personal data.
- i) Transferring Personal Data Abroad: Personal data is transferred abroad in compliance with the procedures and principles set out in the Law.
DATA PROCESSING PURPOSES
Özsu Fish processes personal data for the following purposes:
- a) Conducting Business Activities: Personal data is processed for the purpose of conducting the business activities carried out by Özsu Fish.
- b) Legal and Commercial Security: Personal data is processed to ensure the legal and commercial security of Özsu Fish.
- c) Ensuring the Security of the Physical Space and Information Technologies of Özsu Fish: Personal data is processed to ensure the security of the physical space and information technologies of Özsu Fish.
- d) Employee Management: Personal data of employees is processed for the purpose of personnel management, conducting business activities, and fulfilling the obligations arising from the employment contract.
- e) Managing Relations with Business Partners and Customers: Personal data is processed in order to manage the relations of Özsu Fish with its business partners and customers.
- f) Compliance with Legal Obligations: Personal data is processed in order to fulfill the legal obligations of Özsu Fish.
- g) Implementation and Improvement of Company Policies: Personal data is processed for the implementation and improvement of company policies.
- h) Conducting Marketing Activities: Personal data is processed for the purpose of conducting marketing activities.
- i) Execution of Financial and Accounting Affairs: Personal data is processed for the execution of financial and accounting affairs.
- PROCESSING OF SPECIAL CATEGORY PERSONAL DATA
Special category personal data, as defined in Article 6 of the Law, consists of certain personal data that, when processed unlawfully, poses a risk of harm or discrimination to individuals, and is subject to specific regulations. Therefore, personal data of this nature is processed in compliance with the principles stated in this policy, along with the methods determined by the Board, and all necessary administrative and technical measures are taken. The processing of special category personal data occurs under the following conditions:
- Non-Health and Non-Sexual Life Special Category Personal Data: Non-health and non-sexual life special category personal data may be processed with the explicit consent of the data subject or without explicit consent in cases clearly stipulated by the law.
- Health and Sexual Life-Related Special Category Personal Data: Health and sexual life-related special category personal data may be processed with the explicit consent of the data subject or without explicit consent for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment, and care services, planning, and managing health services and financing, and by individuals or authorized institutions and organizations bound by confidentiality.
During the processing of special category personal data, all necessary administrative and technical measures determined by the Board are taken. Employees involved in the processing of special category personal data are required to sign confidentiality agreements, and they receive the necessary training. In case of changes in roles or termination of employment of employees who have access to special category personal data, their authorizations in this field are immediately revoked. Special category personal data is securely stored in both physical and digital environments, in accordance with the security measures specified in the regulations, including the Data Security Guide published by the Board.
CATEGORIES OF PERSONAL DATA PROCESSED BY OUR COMPANY
Özsu Fish processes the following categories of personal data:
- Identity: (Name, Surname, Parent Names, Mother’s Maiden Name, Date of Birth, Place of Birth, Marital Status, ID Serial Number, T.C. ID Number, etc.)
- Contact: (Address, Email Address, Contact Address, Registered Email Address (KEP), Phone Number, etc.)
- Location: (Location Information)
- Employee: (Payroll Information, Disciplinary Investigation, Employee Entry-Exit Records, Resume Information, Performance Evaluation Reports, etc.)
- Legal Transaction: (Information in Correspondence with Judicial Authorities, Information in Lawsuit Files, etc.)
- Customer Transaction: (Call Center Records, Invoice, Promissory Note, Check Information, Order Information, Request Information, etc.)
- Physical Space Security: (Entry-Exit Records of Employees and Visitors, Camera Records, etc.)
- Transaction Security: (IP Address Information, Website Entry-Exit Information, Password Information, etc.)
- Financial: (Balance Sheet Information, Financial Performance Information, Credit and Risk Information, etc.)
- Professional Experience: (Diploma Information, Courses Taken, In-Service Training Information, Certificates, Transcript Information, etc.)
- Visual and Auditory Records: (Visual and Auditory Records)
- Health Information: (Blood Type Information, Personal Health Information, Occupational Health Report Data, etc.)
- Criminal Conviction and Security Measures: (Criminal Record Information, etc.)
PURPOSES OF PROCESSING PERSONAL DATA
Your personal data is processed by Özsu Fish for the purposes specified below, in accordance with the relevant Law:
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Candidate/Intern/Student Selection and Placement Processes
- Execution of Employee Application Processes
- Execution of Employee Satisfaction and Loyalty Processes
- Fulfillment of Contractual and Legal Obligations for Employees
- Execution of Rights and Benefits Processes for Employees
- Conducting Audits/Ethical Activities
- Execution of Training Activities
- Execution of Access Authorization Processes
- Conducting Activities in Compliance with Regulations
- Execution of Financial and Accounting Affairs
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Follow-up and Execution of Legal Affairs
- Execution of Communication Activities
- Planning Human Resources Processes
- Execution/Control of Business Activities
- Execution of Occupational Health and Safety Activities
- Execution of Business Continuity Activities
- Execution of Logistic Activities
- Execution of Purchase and Sales Processes of Goods/Services
- Execution of After-Sales Support Services for Goods/Services
- Execution of Sales Processes of Goods/Services
- Execution of Production and Operation Processes of Goods/Services
- Execution of Customer Relationship Management Processes
- Execution of Activities for Customer Satisfaction
- Execution of Performance Evaluation Processes
- Execution of Risk Management Processes
- Execution of Storage and Archive Activities
- Execution of Contract Processes
- Ensuring the Security of Data Controller Operations
- Execution of Talent/Career Development Activities
- Providing Information to Authorized Individuals, Institutions, and Organizations
- Execution of Management Activities
TRANSFER OF PERSONAL DATA
Özsu Fish may transfer your personal data, with your explicit consent or in the absence of explicit consent under certain conditions, for the purposes specified above. The transfer may occur under the following conditions:
- If the transfer is explicitly provided for in the laws related to the relevant activity,
- If the transfer is directly related and necessary for the establishment or performance of a contract,
- If the transfer is mandatory for the fulfillment of a legal obligation,
- If the personal data has been made public by the data subject,
- If the transfer is necessary for the establishment, exercise, or protection of a right,
- If the transfer is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
- If the transfer is necessary for the protection of life or physical integrity, and the data subject is unable to express his/her consent due to actual impossibility or legal incapacity.
If personal data is to be transferred abroad, Özsu Fish will ensure the necessary level of protection through written commitments from data controllers in foreign countries and with the permission of the Board.
PERSONAL DATA TRANSFERRED TO INDIVIDUAL GROUPS
Your personal data may be transferred to the following individuals or groups under the conditions specified:
- Individuals or Private Legal Entities
- Shareholders
- Business Partners
- Suppliers
- Authorized Public Institutions and Organizations
STORAGE AND DESTRUCTION OF PERSONAL DATA
Your personal data, as an extension of the principle of being accurate and up to date, when necessary, is primarily stored for the periods stipulated in the laws; otherwise, it is stored for the duration necessary to achieve the purposes stated in this Policy. For personal data for which storage periods have expired or the reasons requiring processing have ceased, and in cases where the relevant individual requests the destruction of their personal data, Özsu Balık destroys personal data in accordance with the relevant legislation within the framework of storage and destruction procedures.
Even if the processing purposes of your personal data cease and the legal storage periods have expired, your personal data may be kept for the purpose of constituting legal evidence or asserting or defending rights related to personal data.
ÖZSU BALIK’S OBLIGATION TO INFORM
In accordance with the obligation stipulated in Article 10 of the Law, Özsu Balık fulfills its obligation to inform by notifying the identity of Özsu Balık, the purposes for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method of collecting personal data, and the legal reason for processing, enlightening the relevant person. In accordance with Article 11 of the Law, Özsu Balık provides the necessary information when the individual requests information, in line with the right of everyone under Article 20 of the Constitution to be informed about personal data related to themselves.
RIGHTS OF THE DATA SUBJECT
The legal rights that the data subject can use regarding personal data are listed below:
- To learn whether personal data is processed,
- To request information if personal data has been processed,
- To learn the purpose of processing personal data and whether they are used in line with that purpose,
- To learn third parties to whom personal data is transferred domestically or abroad,
- To request the correction of personal data if it is incomplete or incorrectly processed and to request notification of this correction to third parties to whom personal data has been transferred,
- To request the deletion or destruction of personal data in case the reasons requiring processing have ceased, despite being processed in accordance with the law, and to request notification of this to third parties to whom personal data has been transferred,
- To object to the occurrence of a result against them by exclusively analyzing processed data through automated systems,
- To request the remedy of damages in case of harm due to the unlawful processing of personal data.
CASES WHERE THE DATA SUBJECT CANNOT EXERCISE THEIR RIGHTS
In cases specified in Article 28 of the Law, data subjects will not be able to exercise the rights listed in Article 14.
15.1. Cases covered by Article 28 of the Law are as follows:
- Processing of personal data for research, planning, and statistics purposes by rendering them anonymous through official statistics,
- Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, or economic security, or the privacy of private life or personality rights without constituting a crime,
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and authorized by law to ensure national defense, national security, public safety, public order, or economic security,
- Processing of personal data by judicial authorities or execution authorities regarding investigation, prosecution, trial, or execution processes.
15.2. In accordance with the second paragraph of Article 28 of the Law, in the following cases, except for the right to request the remedy of damages, the data subject cannot exercise the other rights listed in Article 14:
- If personal data processing is necessary for the prevention of crime or for the investigation of crimes,
- Processing of personal data that has been made public by the data subject,
- Processing of personal data by public institutions and organizations authorized and authorized by law for the performance of supervisory or regulatory duties or for the conduct of disciplinary investigations or prosecutions,
- Processing of personal data for the protection of the state’s economic and financial interests concerning budget, tax, and financial matters.
EXERCISING THE RIGHTS OF THE DATA SUBJECT
In accordance with compliance with the Law, you can submit your request to use your specified rights by submitting a signed petition in person, by notary or registered mail, or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the e-mail address previously notified to Özsu Balık and registered in the Özsu Balık system. Please confirm the current application methods from the legislation before applying.
Postal address: Demircili Mah. Demircili Cad. No:42 Urla/İZMİR E-mail address: kvkk@ozsubalik.com.tr KEP address: ozsubalik@hs03.kep.tr
If your requests are submitted in writing, depending on the nature of the request, your requests will be concluded free of charge within thirty days at the latest. In case the transaction requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board will be charged.
RIGHT TO COMPLAIN TO THE BOARD BY THE DATA SUBJECT
In cases where the application is rejected by Özsu Balık, the response is considered insufficient, or no response is provided within the specified period, the data subject can file a complaint with the Board within thirty days from the date of learning the response. According to the Law, the complaint cannot be made to the Board without exhausting the application.
RESPONSIBILITY AND DISTRIBUTION OF DUTIES
In accordance with the Law and relevant legislation, Özsu Balık has appointed a Data Contact Person to ensure internal coordination, preservation, and continuity and to establish communication with the Authority. The contact person is responsible for tracking, notifying, and controlling applications and data breaches related to Özsu Balık.
ENSURING PERSONAL DATA SECURITY
Within the structure of Özsu Balık, all kinds of administrative, technical, and legal measures that can be taken to protect and process personal data under the Law have been taken. In this context, the measures taken by Özsu Balık are as follows.
19.1. Administrative Measures
- Disciplinary regulations containing data security provisions are available for employees.
- Employees receive training and awareness campaigns on data security at regular intervals.
- Corporate policies have been prepared and implemented regarding access, information security, use, storage, and disposal.
- Privacy commitments are made.
- Policies and procedures for personal data security have been determined.
- Contracts signed include data security provisions.
- Extra security measures are taken for personal data transmitted on paper, and relevant documents are sent in the format of documents with confidentiality degrees.
- Protocols and procedures for the security of special categories of personal data have been determined and implemented.
- Special categories of personal data are sent encrypted via email and using a registered electronic mail (KEP) or corporate email account.
- Service providers processing data are made aware of data security.
19.2. Technical Measures
- Network and application security are ensured.
- Closed system network is used for personal data transfers via the network.
- The security of personal data stored in the cloud is ensured.
- Access logs are regularly kept.
- The authorizations of employees who undergo a change of duty or leave the job in this area are revoked.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Necessary security measures are taken for the entry and exit of physical environments containing personal data.
- Personal data is backed up, and the security of the backed-up personal data is ensured.
- Log records are kept in a way that is not subject to user intervention.
- Intrusion detection and prevention systems are used.
BREACHES
In case personal data is obtained by others through unlawful actions within Özsu Balık, this situation will be reported to the relevant person and the Authority as soon as possible. In this context, Özsu Balık will establish the necessary audit mechanisms.
CHANGES TO THE POLICY
This Policy may be amended by a written decision. Changes to the policy are shared with employees via email or made accessible to employees and relevant individuals via the link of the website below.
EFFECTIVENESS
This Policy, organized by Özsu Balık, was approved by the Board of Directors on 15/12/2023. The Policy is published on Özsu Balık’s website (www.ozsubalik.com.tr) and made available to the data subjects.