CONTACT | TFI

TFI TAB GIDA YATIRIMLARI A.Ş.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

SECTION 1 - INTRODUCTION

1.1 INTRODUCTION

Protection of personal data is among the top priorities of TFI TAB Gıda Yatırımları A.Ş. (the “Company”). The principles adopted in the conduct of personal data processing activities carried out by our Company and the fundamental principles adopted in terms of compliance of our Company’s data processing activities with the provisions of the Personal Data Protection Law No. 6698 (the “Law”) are explained in this Policy of TFI TAB Gıda Yatırımları A.Ş. on Protection and Processing of Personal Data (the “Policy”), and in this manner, our Company fulfils the necessary transparency requirements by informing data subjects. Being aware of our responsibility within this scope, your personal data are processed and protected within the scope of this Policy.

On the other hand, the activities conducted by our Company in connection with protection of personal data of our employees are managed according to the Policy on Protection and Processing of Personal Data of TFI TAB Gıda Yatırımları A.Ş Employees, which has been issued in parallel to the principles set out in this Policy.

1.2 SCOPE

This Policy relates to all personal data of persons other than employees of our company which are processed automatically, or as part of any data recording system, through non-automatic means. Detailed information regarding such data subjects is available in Annex 2 attached to this policy (“Annex 2 - Data Subjects”).

1.3 IMPLEMENTATION OF THE POLICY AND APPLICABLE LEGISLATION

The relevant legal regulations related to processing and protection of personal data that are currently in force shall be primarily applied. Our Company agrees that, in case of any conflict between the effective legislation and the Policy, the effective legislation shall prevail. The policy regulates the rules laid down in the applicable legislation by concretising them within the scope of Company practices.

1.4 ENFORCEMENT OF THE POLICY

This Policy was issued by our Company in August 2019 and updated in November 2019 and December 2021. In case the whole or certain articles of the policy are renewed, both the Policy and its date shall be updated. If deemed necessary by our company, the policy will be published on our company's website at www.tabfoods.com. The Policy is a dynamic and living document, and the aim in publishing the Policy on our Company’s website is to reveal our Company’s approach and to give information regarding protection of personal data, and no third parties may claim any rights in reliance on this Policy.

SECTION 2 - ISSUES RELATED TO PROTECTION OF PERSONAL DATA

2.1 ENSURING SECURITY OF PERSONAL DATA

Our Company takes the necessary measures depending on the nature of personal data in order to prevent unlawful processing, access, transfer of personal data or any security vulnerabilities that may occur in other ways, and to ensure protection of personal data, in accordance with Article 12 of the Law. Within this context, our Company takes the required technical and administrative measures for ensuring the appropriate security level in accordance with the guidelines published by the Personal Data Protection Board (the “Board”), and performs or causes performance of the inspections on the subject.

2.2 PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Sensitive personal data are given special importance under the Law due to the risk of causing victimization or discrimination when such personal data are illegally processed.

Pursuant to Article 6 of the Law, “special category” personal data refers to any data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing style, membership in associations, foundations or labour unions, criminal convictions and security measures as well as biometric and genetic data (“Special Categories of Personal Data Other Than Health and Sexual Life”, and data relating to health and sexual life (“Special Categories of Personal Data Relating to Health and Sexual Life”).

The technical and administrative measures for protection of personal data are taken by our Company within the scope of adequate measures as set forth in the Board’s Decision dated 31 January 2018 and numbered 2018/10 with regard to special categories of personal data, and the necessary work conducted within this framework are followed up and inspected via inspections within the organisation of our company.

Detailed information regarding processing of special categories of personal data is provided in section 3.3 of this Policy.

2.3 RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON PROTECTION AND PROCESSING OF PERSONAL DATA

Our Company provides necessary trainings for business units in order to raise awareness regarding prevention of unlawful processing of, unlawful access to, and protection of personal data. The trainings and awareness work organised by our Company are formed on the basis of “Personal Data Security Guide” published by the Authority in its official website.

With the trainings and awareness work conducted, the aim is to ensure that the personal data processing by our Company’s employees in the course of performance of their duties will be in compliance with the Law and the secondary legislation.

Our Company establishes the necessary systems for raising awareness of our Company’s current employees and newly recruited employees on protection of personal data, and works with consultants on the subject if needed. Within this context, our Company evaluates participation in relevant trainings, seminars and informative sessions and organizes new trainings in line with the updates to the applicable legislation.

SECTION 3 - ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

3.1 PROCESSING OF PERSONAL DATA IN COMPLIANCE WITH THE PRINCIPLES IN THE LEGISLATION

3.1.1 Processing Lawfully and Based on the Rule of Honesty

Personal data are processed in a way that does not harm the fundamental rights and freedoms of individuals, in accordance with the rules of trust and honesty. As part of this framework, personal data are processed to the extent required by and in limitation to the business activities of our Company.

3.1.2 Ensuring that Personal Data are Accurate and When Necessary Up-To-Date

Our Company takes the necessary measures to ensure that personal data are accurate and up-to-date for the period in which they are processed, and also establishes the necessary mechanisms for verifying, at certain intervals, that the personal data are accurate and up-to-date.

3.1.3 Processing for Specific, Clear and Legitimate Purposes

Our Company clearly reveals the purposes of processing of personal data and processes such data as part of its business activities and for purposes related to such activities.

3.1.4 Being Related, Limited and Commensurate with the Purpose of Processing

Our Company collects personal data only in relation to and commensurate with business needs, and processes them in limitation with the specified purposes.

3.1.5 Safekeeping the Data for the Period Set Forth in the Legislation or for the Period Required for the Purpose of Processing

Our Company stores the personal data for the time required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. Within this scope, our Company first determines whether a period is stipulated for storage of personal data in the applicable legislation, and if a period is specified, it acts in accordance with such period. If there is no legal period stipulated, personal data are stored for the time required for the purpose for which they were processed. Personal data are destroyed at the end of the designated storage periods at periodical intervals or upon the data subject’s application and through the designated destruction methods (deletion and/or destruction and/or anonymization).

3.2 CONDITIONS OF PROCESSING OF PERSONAL DATA

Apart from the explicit consent of the data subject, the basis of personal data processing activity can either be just one of the conditions listed below, or it is also possible for multiple conditions to form the basis of the same personal data processing activity. If the processed data are special categories of personal data, the conditions under title 3.3 (”Processing of Special Categories of Personal Data”) of this Policy shall be applicable.

(i) Obtaining Explicit Consent of Data Subject

One of the conditions for processing of personal data is the explicit consent of the data subject. The explicit consent of the data subject must be disclosed in connection with a specific subject, with prior information having been given, and at free will.

In case of presence of the personal data processing conditions below, personal data can be processed without the need to obtain explicit consent of the data subject.

(ii) Processing Explicitly Prescribed In the Law

If it is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding processing of personal data, this data processing condition may be deemed to be applicable.

(iii) Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

If the processing of personal data of a person who may not disclose his/her consent due to actual impossibility or whose consent may not be deemed valid is compulsory to protect the life or bodily integrity of that person or another person, the personal data of the data subject may be processed.

(iv) Directly Related to the Institution or Performance of the Agreement

If the processing of personal data is necessary with the condition that it is directly related to the institution or performance of an agreement to which the data subject is party, this condition may be deemed to have been fulfilled.

(v) Fulfilling the Company's Legal Obligation

Personal data of the data subject may be processed if processing is compulsory for our company to fulfil its legal obligations.

(vi) Personal Data of the Data Subject Having Been Made Public By the Data Subject

If the data subject made his/her personal data public, the relevant personal data may be processed on the condition to be limited to the purpose in their being made public.

(vii) When Data Processing is Compulsory for Establishment or Protection of a Right

If data processing is compulsory for establishment, exercise or protection of a right, personal data of a data subject may be processed.

(viii) When Data Processing is Compulsory for our Company’s Legitimate Interests

With the condition not to harm the fundamental rights and freedoms of the data subject, the personal data of the data subject may be processed when it is compulsory for the legitimate interests of our Company.

3.3 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data are processed by our Company in compliance with the principles set out in this Policy and after taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in case of presence of the following conditions:

Special categories of personal data other than health and sexual life can be processed without the explicit consent of the data subject if it is clearly stipulated in the laws, in the other words, if there is an explicit provision related to the processing of personal data in the applicable law. Otherwise, the explicit consent of the data subject shall be obtained.
Special categories of personal data related to health and sexual life may be processed by persons and authorised entities and institutions that are subject to non-disclosure obligation, without seeking explicit consent, for the purpose of protection of public health, performance of preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and its financing,. Otherwise, explicit consent of the data subject shall be obtained.

3.4 GIVING INFORMATION TO THE PERSONAL DATA SUBJECT

Pursuant to Article 10 of the Law and secondary legislation, our Company, in its capacity as the data controller for the personal data of the data subjects, informs the data subjects regarding by whom and for what purpose their personal data are processed, for what purposes and with whom they are shared, via which methods they are collected, the legal reasons for collection of data, and the rights of the data subjects within the scope of processing of their personal data.

3.5 TRANSFER OF PERSONAL DATA

Our Company may transfer the personal data of the data subject and also the special categories of personal data to third parties (third party companies, group companies, third real persons) by taking the necessary security measures within the scope of legitimate personal data processing purposes. For this purpose, our company acts in accordance with the regulations stipulated in article 8 of the Law. Detailed information on this subject can be found in Annex 4 of this Policy (“ANNEX 4- Third Persons to Whom Personal Data are Transferred by Our Company and Purposes of Transfer”).

3.5.1 Transfer of Personal Data

Even if there is no explicit consent of the data subject, our Company may transfer the personal data to third parties by taking the necessary security precautions, including the methods envisaged by the Board, and by showing the necessary care, subject to the presence of one or more of the data processing conditions listed below (“Data Processing Conditions”).

the activities related to the transfer of personal data are clearly stipulated in the laws,
transfer of personal data by the Company is directly related with and necessary for establishment or performance of an agreement,
transfer of personal data is compulsory in order for our Company to fulfil its legal obligations,
on the condition that the data were made public by the data subject, the personal data are transferred by our Company in limited to the purpose for which the data were made public,
transfer of personal data by the Company is compulsory for establishment, exercise or protection of the rights of the Company or the data subject or third parties,
transfer of personal data is compulsory for the legitimate interests of the Company, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.

3.5.2 Transfer of Personal Data to Third parties Residing Abroad

Overseas transfer of personal data by our Company will be performed in line with the following conditions depending on whether the country to which the data will be transferred is a secure country or not based on the designation to be made by the Board.

If the country to which the data will be transferred is not among the secure countries having adequate protection as announced by the Board, personal data may be transferred to third parties located abroad in case of presence of at least one of the Data Processing Conditions and in compliance with the fundamental principles set out in Article 4 of the Law:

provided that explicit consent has been obtained from the data subject,
if the Company and the data recipient in the relevant country undertake in writing adequate protection, and if an approval is obtained from the Board regarding the relevant transfer

If the country to which transfer will be made is one of the secure countries having adequate protection as announced by the Board, the personal data may be transferred in case of presence of any of the Data Processing Conditions.

3.5.3 Transfer of Special Categories of Personal Data

Special categories of personal data may be transferred by our Company in accordance with the principles set out in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and subject to the following conditions:

Special categories of personal data other than health and sexual life can be processed without the explicit consent of the data subject if it is clearly stipulated in the laws, in other words, if there is an explicit provision related to the processing of personal data in the applicable law. Otherwise, the explicit consent of the data subject shall be obtained.
Special categories of personal data related to health and sexual life may be processed by persons and authorised entities and institutions that are subject to non-disclosure obligation, without seeking explicit consent, for the purposes of protection of public health, performance of preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and its financing. Otherwise, the explicit consent of the data subject shall be obtained.

SECTION 4 - CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING

Our Company processes personal data in compliance with the general principles set forth in the law, and in particular, the principles set out in Article 4 of the law on processing of personal data, based on at least one of the Data Processing Conditions, in a limited manner, in line with the personal data processing purposes that arise within the framework of performance of our Company’s business activities.

Detailed information regarding such personal data processing purposes are given in ANNEX 1 (“ANNEX 1 – Personal Data Processing Purposes”).

Categories of personal data that are processed by our Company within the framework of performance of business activities and detailed information regarding the categories are available in Annex 3 (”ANNEX 3- Personal Data Categories”) attached to the Policy.

SECTION 5 - STORAGE AND DISPOSAL OF PERSONAL DATA

Our Company keeps personal data for the time required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. Within this scope, our Company first determines whether a period is stipulated for the storage of personal data in the applicable legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data are stored for the time required for the purpose for which they were processed.

Personal data that are processed by our Company are evaluated in terms of categories, and a maximum data storage period has been designated for each personal data category in line with the relevant data processing activity. Such time periods are described in the chart given in our Company’s Policy on Personal Data Storage and Destruction. Personal data are destroyed at the end of the designated maximum storage periods at periodical intervals or upon the data subject’s application through the designated destruction methods (deletion and / or destruction and / or anonymization).

SECTION 6- RIGHTS OF DATA SUBJECTS AND EXERCISE OF SUCH RIGHTS

6.1. DATA SUBJECT’S RIGHTS

Data subjects have the following rights:

To learn whether or not their personal data have been processed,
To ask for information if their personal data have been processed,
To learn the purpose of processing of their personal data and if such personal data have been used in accordance with the intended purpose,
, to know the third parties to whom his personal data are transferred in country or abroad,
To ask for rectification or correction if their personal data have been processed inaccurately or deficiently and to request that such rectification or correction be notified to the third persons to whom personal data have been transferred,
In cases where the reasons that required processing of personal data are no longer applicable even though the personal data were processed in accordance with the provisions of the Law and other applicable laws, to ask for deletion or destruction of the personal data and ask that such deletion or destruction be notified to the third persons to whom personal data have been transferred,
To object to a result to his/her disadvantage causes by the analysis of personal data exclusively by means of automated systems, to claim compensation for the damage arising from the unlawful processing of his/her personal data.

6.2. DATA SUBJECT’S EXERCISE OF HIS/HER RIGHTS

Data subjects may send their requests related to their rights set out in Section 6.1 (”Data Subject’s Rights”) to our Company through the methods determined by the Board. Accordingly, they shall be able to benefit from the “TFI TAB Gıda Yatırımları A.Ş. Data Subject Application Form”, which is available at www.tabfoods.com

6.3. OUR COMPANY'S RESPONSE TO APPLICATIONS

Our Company takes the necessary administrative and technical measures for finalizing the applications to be filed by data subjects in compliance with the Law and the secondary legislation.

If the data subject duly submits his/her demand in relation to the rights referred to in Section 6.1 (”Data Subject’s Rights”) to our Company, our Company will finalise the demand free of charge as soon as possible and no later than 30 (thirty) days, depending on the nature of the demand. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

ANNEX 1 - Purposes of Processing of Personal Data

MAIN OBJECTIVES (PRIMARY)	SUB OBJECTIVES (SECONDARY)
Planning and performance of our company's human resources policies and processes	Planning human resources processes
	Performance of staff procurement processes
	Planning and performance of intern and student supply, placement and operation processes
Carrying out the necessary work by our relevant business units in order to carry out the commercial activities carried out by the company and carrying out the related business processes	Planning and performance of corporate communication activities
	Event management
	Planning and performance of corporate governance activities
	Planning and performance of business activities
	Follow-up of finance and accounting affairs
	Establishing and managing information technology infrastructure
	Planning and performance of production and operation processes
	Planning and performance of activities of efficiency / productivity and appropriateness analysis of business activities
	Planning information security processes
Carrying out the necessary work by our business units in order to benefit the relevant people from the services offered by the company and carrying out the relevant business processes	Follow-up of agreement processes and legal requests
	Planning and performance of the sales processes of the services
Planning and performance of The Company's commercial and business strategies	Performance of strategic planning activities
	Management of relations with business partners and suppliers
	Planning and performance of customer satisfaction activities
	Planning and performance of reporting activities
Ensuring the legal, technical and commercial-business security of the Company and the relevant persons who have a business relationship with the Company	Planning and performance of internal audit of company and investigation processes
	Follow-up of legal affairs
	Realization of company and partnership law transactions
	Planning and performance of company audit activities
	Ensuring the security of company premises and facilities
	Planning and performance of the company's financial risk processes
	Planning and performance of the operational activities required to ensure that the company activities are carried out in accordance with the company procedures and relevant legislation
	Ensuring the security of company operations

ANNEX 2 - Data Subject

DATA SUBJECT CATEGORIES	EXPLANATION
Visitor	Real persons who have entered the physical locations owned by our Company for various purposes or visited our websites.
Third Person	In order to ensure the security of commercial transactions between the above parties or to protect the rights and interests of such persons, third party real persons (e.g. guarantor, family members and relatives) or employees of this Policy and TFI TAB Gıda Yatırımları A.Ş. are other real persons that are not covered by the Personal Data Protection and Processing Policy.
Employee Candidate	Real persons who have applied for a job to our company in any way or who have made available their curriculum vitae and related information for our company's review.
Company Shareholder	Real person shareholders of our company.
Corporate Officer	Our Company’s board of directors’ members and other authorized real persons.
Family Members and Relatives	Family members and relatives of the data subject within the framework of our Company’s operations or for the purpose of protection of legal and other interests of the Company and the data subject
Employees, Shareholders and Partnered Authorities	Real persons working in the institutions with which our company has any kind of business relationships (such as but not limited to business partners, dealers, authorized services, suppliers), including the shareholders and officials of such institutions.

ANNEX 3 – Personal Data Categories

PERSONAL DATA CATEGORIES	DESCRIPTION
Personal Identifying Information	Documents such as driving license, identity card and passport containing information about the personal identity of the person such as the name-surname, Turkish identification number, nationality information, mother-father's name, place of birth, date of birth, gender as well as information such as tax identification number, Social Security Institute registration number, vehicle license plate number, etc.
Contact Details	Telephone number, address, e-mail, fax number.
Family Members and Relatives Information	Information about the family members and relatives of the data subject as part of the operations of our Company and the services we provide or in order to protect the legal and other interests of the Company and the data subject.
Physical Environment Security Information	Personal data that evidently belong to an identified or identifiable natural person and that are included in the data recording system; personal data related to the records and documents received at the time of entry into the physical environment, during the stay in the physical environment; it includes items such as camera recordings, fingerprint records and records taken at the security point.
Transaction Security Information	Personal data (such as log records) that are processed to ensure our technical, administrative, legal and commercial security while conducting our business activities.
Risk Management Information	Personal data that are processed through methods used in accordance with the generally accepted legal, commercial practice and honesty rule in these fields in order for us to manage our commercial, technical and administrative risks.
Financial Information	Personal data that evidently belong to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; relating to the information, documents and records showing all kinds of financial results created according to the type of legal relationship that our Company has established with the data subject, as well as bank account number, IBAN number, credit card information, financial profile, assets data, income data
Employee Candidate Information	Personal data processed about individuals who have applied to become an employee of our Company or who have been evaluated as an employee candidate in accordance with human resources needs of our Company in accordance with the rules of commercial practice and honesty or who are in a working relationship with our Company.
Special categories of personal data	Any data related to race, ethnic origin, political opinions, philosophical ideas, religion, sect or other beliefs, clothing style, membership in associations, foundations or labour unions, health conditions, sexual life, criminal convictions and security measures and biometric data.
Marketing Data	Personal data processed for marketing the services of our Group companies by customising according to the usage habits, taste and needs of the data subject and the reports and evaluations created as a result of such processing.
Audio-visual Data	Audio-visual data that evidently belong to an identified or identifiable real person; photo and camera recordings (excluding the records included within the scope of Physical Environment Security Information), sound recordings and the data contained in documents that are copies of documents containing personal data.
Audit and Inspection Data	Personal data processed during internal or external audit activities within the scope of our Company's legal obligations and compliance with company policies.
Legal Procedure and Compliance	Personal data processed within the scope of our legal obligations related to the determination, follow-up of our legal receivables and rights and the performance of our debts and compliance with the policies of our Company.

ANNEX 4 - Third Parties to Whom Personal Data are Transferred by Our Company and Purposes of Transfer

In accordance with Articles 8 and 9 of the Law, our Company may transfer personal data of customers to the following categories of persons:

Business Partners
Suppliers
Shareholders
Subsidiaries
Legally Authorised Private Law Persons
Legally Authorised Governmental Entities and Authorities
Group Companies
Company’s Board Members

The details of the persons to whom transfer is made and purposes of data transfer are indicated below.

Persons to whom Data Transfer May be Made	Definition	Purpose of Data Transfer
Business Partner	Investors and other parties with whom our company has partnered for the purpose of selling, promoting and marketing the services of group companies, after-sales support, and conducting common customer engagement programs in course of its commercial activities.	The purpose of data transfer is limited in order to ensure the fulfilment of the purposes of establishing the business partnership.
Consultant / Service Provider / Supplier	The parties that provide services to our Company as part of the data processing purposes and instructions of our Company within the scope of the commercial activities of our company (including the cloud system that is used in association with Microsoft Office program that is the e-mail system used for continuity of commercial activities and Company’s internal management and human resources processes and other programs that are related thereto)	The purpose of data transfer is limited in order to provide our Company with the services provided by the Consultant / Service Provider / Supplier externally, which are necessary for fulfilment of commercial activities of our Company, and since it is obligatory to use the related information technologies license and e-mail system for ensuring the continuity of the company’s commercial activities and internal management and human resources processes.
Shareholders	Parties that are entitled to the shares of our Company	Limited to the purpose of designing the strategies for our Company’s commercial activities in compliance with the provisions of the applicable legislation, and purpose of inspection
Subsidiaries	The companies in which our Company has shareholding and that it controls as indicated in the below lists: https://www.tabfoods.com/tr/sirketler/qsr-turkiye https://www.tabfoods.com/tr/sirketler/qsr-cin https://www.tabfoods.com/tr/sirketler/ekosistem-sirketleri	For the purpose of performance of commercial activities and management of human resources processes that require participation of also our Company’s subsidiaries
Legally Authorised Governmental Entities and Organisations	In accordance with the provisions of the applicable legislation, governmental entities and organisations that are entitled to obtain information and documents from our Company: For example; Capital Markets Board, Energy Market Regulatory Board, Social Security Institution, Ministries, tax departments and execution offices, authorised courts, Trade Registry Directorate, Chamber of Commerce, Competition Board	Limited to the purpose for which they have been requested by the relevant governmental entities and organizations within their legal competence
Legally Authorised Private Law Persons	Institutions or organizations that are established in accordance with specific conditions designated under law pursuant to the provisions of applicable legislation and that operate within the scope designated by law (e.g. banks, independent auditors)	On a limited basis in relation to issues that fall within the scope of activities carried out by the relevant private institutions and organizations.
Group Companies	(You can reach the list of Group Companies via the following addresses: https://www.tabfoods.com/tr/sirketler/qsr-turkiye https://www.tabfoods.com/tr/sirketler/qsr-cin https://www.tabfoods.com/tr/sirketler/ekosistem-sirketleri	For the purpose of conducting human resources processes and commercial activities within the organisation of our Group Companies
Company’s Board of Directors’ Members	Company’s Board of Directors’ Members	To the extent needed for the operations of the Board of Directors <0}

Personal Data Protection and Processing Policy