Kişisel Verilerin Korunması Politikası

This Personal Data Processing and Protection Policy (“Policy”), Uludağ Et Lokantası Gökhan Uludağ (“Uludağ Et Lokantası” or “Company”) to explain how we process and protect personal data.

As Uludağ Et Lokantası, our personal data is protected by the Personal Data Protection Law No. 6698 (“KVKK”) and the secondary legislation on the protection of personal data, and the Personal Data Protection Board (“Board”). decisions (collectively referred to as (“KVK Legislation”). We act in accordance with the principles of the KVK Legislation in the processing of personal data and take all necessary technical and administrative measures to ensure the security of personal data.

You can contact us at florya@uludagkebap.com to get information about the processing of your personal data by Uludağ Et Lokantası and to direct your questions. .

This Policy, belongs to Uludağ Et Lokantası's customers, employees, employee candidates, officials/representatives, real person business partners/suppliers, business partners/suppliers' employees, website visitors and workplace visitors. It covers all personal data processed as data controller, including personal data.

As Uludağ Et Lokantası, we act in accordance with the KVK Legislation and the principles and rules contained in this Policy in all personal data processing activities.

As Uludağ Et Lokantası, we aim to comply with applicable laws, rules, regulations and accepted good practices in all personal data processing activities we carry out. For this reason, all employees of Uludağ Et Lokantası and other persons involved in the processing of personal data are obliged to comply with this Policy and the principles and rules determined by this Policy. In this context, we take the necessary measures to ensure that our employees and third parties, who are data processors, who are involved in the processing of personal data about us, act in accordance with this Policy.

We have stated the definitions and their explanations in the policy below:

Recipient Group: Natural or legal person category to which personal data is transferred by Uludağ Et Lokantası

Explicit Consent: Consent on a specific subject, based on information and expressed with free will

Employee: Uludag Meat Restaurant employee

Electronic Recording Media: Recording media where personal data can be created, read, changed and written by electronic devices

Non-Electronic Recording Media: All written, printed, visual, etc. other than electronic media. recording media

Service Provider: Natural or legal persons providing service with Uludağ Et Lokantası under a certain contract

Relevant Person: Natural person whose personal data is processed

Destruction: Deletion, destruction or anonymization of personal data

Recording Medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system

Personal Data: Any information relating to an identified or identifiable natural person

Personal Data Retention and Disposal Policy: Uludağ Et Lokantası's policy is based on the process of determining the maximum period required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization

Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system, All kinds of operations performed on data such as transferring, taking over, making it available, classifying or preventing its use

Authority: Personal Data Protection Authority

Special Quality Personal Data: People's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life , data on criminal convictions and security measures, as well as biometric and genetic data

Data Registration System: The registration system in which personal data is structured and processed according to certain criteria

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by Uludağ Et Lokantası

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system; Uludag Meat Restaurant within the framework of this Policy

For the definitions not included in this Policy, the definitions in the KVK Legislation are valid.

As the data controller, we have explained our legal obligations arising from the KVK Legislation in this section of the Policy.

4.1. Lighting Obligation

As Uludağ Et Lokantası, we fulfill the obligation of disclosure in accordance with the Communiqué on the Procedures and Principles to be Complied with the Fulfillment of the Obligation to Light in the processes we obtain and process personal data, specific to the relevant processes and at the latest when the personal data is obtained. In this context, we take care to inform the relevant persons on the following issues:

• For what purpose the personal data of the persons concerned will be processed

• Company information (trade name, address, communication channels), if any, information regarding the identity of the Company representative(s)

• To whom and for what purpose the processed personal data can be transferred

• Method of obtaining personal data and legal reason

• Rights of the related persons arising from KVKK

4.2. Obligation to Ensure the Security of Personal Data

As Uludağ Et Lokantası, we take all necessary technical and administrative measures in our personal data processing processes, in order to ensure the confidentiality and security of personal data, and to prevent personal data from being accessed or accessed by unauthorized third parties. We have detailed the technical and administrative measures we have taken regarding these obligations in section 10 of this Policy. We act in accordance with the KVK Legislation regarding the deletion, destruction or anonymization of personal data. We have included our processes regarding the destruction of personal data in the 9th section of the Policy.

4.3. Obligation to Respond to Related Person Applications

As Uludağ Et Lokantası, we carry out our processes to resolve all requests and applications of the related persons as soon as possible and to respond to the relevant person within the framework of Uludağ Et Lokantası Contact Person Application Management Procedure. If the persons concerned apply with one of the methods described in Article 11 of this Policy, we finalize the requests of the persons concerned free of charge within thirty (30) days at the latest, by explaining the reasons for acceptance and rejection of the application, together with the reasons, in accordance with the relevant article of the KVKK.

4.4. Obligation to Fulfill the Decisions of the Personal Data Protection Board

As Uludağ Et Lokantası, we show maximum sensitivity to comply with the Board decisions, which are an important and integral part of the KVK Legislation. We use all the means to implement all the technical and administrative measures foreseen by the Board for the protection of personal data by closely following all the decisions of the Board, especially the policy decisions that are binding for all data controllers published on the website of the Institution.

5.1. Personal Data Processing Process

We process the personal data of the relevant persons that we collect within the framework of our operations based on the legal reasons explained in the continuation of this Policy. We have included examples of our personal data processing processes in the tables below.

Table-1: Sample Processes for Processing Customer Personal Data

Table-2: Sample Processes for Processing Employee Personal Data

5.2. Personal Data Processing Principles

As Uludağ Et Lokantası, we comply with the following data processing principles when processing the personal data we obtain as the data controller:

• Compliance with the law and the rules of honesty: All data processing activities are carried out transparently in accordance with the legislation and good faith principles.

• Being accurate and up-to-date when necessary: The channels to ensure that personal data are correct and up-to-date are always kept open, and effective application methods are offered to the relevant persons for the correction of inaccuracies and deficiencies in the processed personal data.

• Processing for specific, clear and legitimate purposes: The purposes for which personal data will be processed are determined in accordance with the legislation and the ordinary course of life, and these purposes are presented to the relevant persons in a transparent and understandable manner.

• Being connected, limited and measured for the purposes of processing: Personal data that is not relevant or needed for the purpose of processing personal data is not processed, and personal data processing activities are not carried out to meet possible needs. If the need to use the obtained data for other purposes arises, a new data processing process comes to the fore; the said process is carried out within the scope of the processing conditions stipulated in the KVKK as if the data processing is started for the first time.

• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: If there is a period stipulated in the legislation for the storage of personal data, this period shall be complied with; If such a period is not foreseen in the legislation, personal data is stored only for the period required for processing purposes.

5.3. Processing of Personal Data

As Uludağ Et Lokantası, we process the personal data we obtain as the data controller if there is one of the legal compliance reasons specified in the 2nd paragraph of Article 5 of the KVKK, and in the absence of these reasons, the express consent of the relevant persons in accordance with the 1st paragraph of the 5th Article of the KVKK. we apply. The legal compliance reasons we rely on when processing personal data are explained below:

• The processing of personal data is clearly stipulated in the law

• Processing of personal data in order to protect the life and physical integrity of the person or another person who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid

• The processing of personal data is necessary for the establishment or performance of a contract between Uludağ Et Lokantası and related persons

• Processing of personal data in order to fulfill our legal obligations

• Personal data made public by the person concerned

• Processing of personal data for the establishment, exercise or protection of a right

• The processing of personal data is necessary for our legitimate interests

While determining whether a data processing activity is necessary for the legitimate interests of Uludağ Et Lokantası, it makes an evaluation based on the criteria specified in the Board's Decision No. 2019/78 dated 25.03.2019; While making this assessment, we perform a balance test by comparing the fundamental rights and freedoms of the person concerned with the legitimate interest that will arise.

In cases where at least one of the reasons for compliance with the law explained above is not available for the processing of personal data, we act in accordance with the express consent of the person concerned for the processing of personal data.

Explicit consent is defined as "consent related to a certain subject, based on information and expressed with free will" in the KVKK. As Uludağ Et Lokantası, we consider the following three factors when asking for the explicit consent of the persons concerned:

• Relevance to a specific subject: The explicit consent of the relevant persons is asked for specific data processing activities/activities and the consent texts are made understandable.

• Being informative: Consent texts and clarification texts are presented together/on the same channel, it is ensured that the data subject understands the results of the data processing activity. In this context, firstly, the relevant persons are informed, and then they are asked whether they have express consent.

• Being disclosed with free will: When asking for the explicit consent of the persons concerned, misleading statements that will injure their will are avoided; Alternatives/right of refusal are given to the persons concerned who do not want to give express consent.

5.4. Processing of Private Personal Data

As Uludağ Et Lokantası, personal data of special nature The Board dated 31.01.2018 and 2018/10, by taking the administrative and technical measures stipulated in the KVK Legislation. In Uludağ Et Lokantası's Processing of Special Quality Personal Data Policy, which we have prepared in this direction, we have included rules and principles in the processing of special quality personal data, and we act in accordance with them.

5.5. Use of Cookies and Cookies

Uludag Et Lokantası website (www.uludagpaket.com) we process a number of personal data by using various cookies in order to increase the experience of the persons visiting the website and to ensure that the website works in the best possible way. By using cookies, we aim to provide the best experience to our website visitors and customers. Regarding the personal data we process through the said cookies, we enable the relevant persons to manage their preferences regarding cookies by making the necessary clarifications at the time of first login to the Uludağ Et Lokantası website. Detailed information about cookies and personal data we process through cookies Our Cookie Policy.

We use various identification technologies in the Uludağ Et Lokantası mobile application to increase the customer experience and to ensure that the application works in the best way possible. You can find detailed information on the use of identification technologies in the Privacy Policy text in the "About the Application" section of the "Settings" page of the "Profile" tab of the Uludağ Et Lokantası application.

5.6. Notifications Sent from Uludağ Et Lokantası Application

As Uludağ Et Lokantası, we can send instant notifications to our customers who give their explicit consent, and communicate via phone and e-mail, in accordance with the purpose and legal reasons explained in the Customer Personal Data Clarification Text. Our customers can manage their communication preferences for instant notifications sent by Uludağ Et Lokantası from the "Notification Settings" page in the "Settings" page of the Uludağ Et Lokantası mobile application, in the "Profile" tab.

5.7. Updating Personal Data

Within the scope of our obligation to keep the personal data arising from the KVK Legislation complete, accurate and up-to-date, we provide mechanisms that will allow the relevant persons to change and correct their personal data. For example, our customers always have the opportunity to update their personal data other than their e-mail address, through the Uludağ Et Lokantası application and the "Profile" tab on the Uludağ Et Lokantası website.

As Uludağ Et Lokantası, we work with infrastructure and information service providers in Turkey and abroad in order to provide the services we provide. In this context, the personal data of the persons concerned can be collected in the country and abroad, in line with the express consent of the persons concerned, in the presence of any of the reasons for compliance with the law set forth in Article 8 of the KVKK, titled the transfer of personal data, and Article 9, titled the transfer of personal data abroad.

As Uludağ Et Lokantası, we keep the personal data we process for as long as required by the purpose of processing personal data and within the scope of Uludağ Et Lokantası's Personal Data Retention and Disposal Policy, without prejudice to the storage periods stipulated in the legislation.

In this direction, within the scope of processes that require personal data processing, it determines a storage period for the data processed by the unit performing the activity; In the event that personal data is processed for more than one purpose, we destroy (delete, destroy or keep anonymized) the data if all the purposes of processing the personal data disappear or there is no legal obstacle to the deletion of the data upon the request of the person concerned. We act in accordance with the KVK Legislation in terms of deletion, destruction or anonymization.

We destroy personal data at the request of the data subject or ex officio, provided that the period stipulated in the relevant legislation or required for the purpose for which it was processed has expired. We carry out such destruction (deletion, destruction and anonymization) operations within the scope of Uludağ Et Lokantası's Personal Data Retention and Disposal Policy, without prejudice to the provisions of the relevant legislation.

Selects the appropriate method of deleting, destroying or anonymizing personal data, unless otherwise specified by the Board; If the person concerned has a request for the destruction of his personal data, after determining the appropriate method for the destruction of personal data, we explain this situation to the person concerned with the justification.

As Uludağ Et Lokantası, we take the necessary technical and administrative measures to ensure the protection of personal data. For example, we use intrusion detection and prevention software to detect and prevent possible cyber attacks, determine and limit the access authorizations of our employees to personal data, and use data loss prevention software. In this section, we have detailed the measures we have taken to ensure the confidentiality and security of personal data.

9.1. Administrative Measures

The administrative measures taken by Uludağ Et Lokantası for the protection of personal data are given below:

• Institutional policies on access, information security, use, storage and destruction regarding the processing and protection of personal data have been prepared and implemented.

• Personal data security policies and procedures have been determined.

• Existing risks and threats regarding personal data have been determined.

• Employees who have a change of job or quit their job are entitled to access personal data.

• Signed contracts contain data security provisions.

• There are disciplinary regulations regarding data security for employees.

• Personal data processing inventory has been prepared.

• It is ensured that employees receive training on data security-related issues such as not unlawful disclosure and sharing of personal data, and awareness activities are carried out for employees.

• Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.

• Necessary security measures are taken regarding entry and exit to non-electronic media containing personal data.

• The security of non-electronic media containing personal data against external risks (fire, flood, etc.) is ensured.

• The security of environments containing personal data is ensured.

• Confidentiality commitments are made to ensure the confidentiality of personal data.

• Data transfer agreements are signed with data controllers and processors to whom personal data is transferred, and awareness of Data Processors is ensured.

• In the event that personal data is unlawfully obtained by third parties, the procedures to be applied are determined to notify the relevant persons and the Board.

• Policies and procedures for the security of sensitive personal data have been determined and implemented.

• Service providers that process personal data are made aware of data security.

• In-house periodic and/or random audits are conducted and made.

9.2. Technical Measures

The technical measures taken by Uludağ Et Lokantası for the protection of personal data are given below:

• Network security and application security are provided.

• A closed system network is used for personal data transfers via the network.

• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

• The security of personal data stored in the cloud is ensured.

• Authorization matrix has been created for employees.

• Personal data is backed up and the security of the backed up personal data is ensured.

• Personal data security issues are reported quickly.

• Personal data security is monitored.

• User account management and authorization control system is implemented and these are also followed.

• Access logs are kept regularly.

• Log records are kept without user intervention.

• Secure encryption/cryptographic keys are used for sensitive personal data and are managed by different units.

• Encryption method is used.

• Data masking is applied when necessary.

• Penetration test is applied.

• Cyber security measures have been taken and their implementation is constantly monitored.

• Intrusion detection and prevention systems are used.

• Current anti virus systems are used.

• Data loss prevention software is used.

9.3. Responsibilities of Employees

Employees who process data in data processing activities carried out within the scope of Uludağ Et Lokantası's activities are obliged to pay attention to the following matters within the scope of the procedures and principles mentioned in this Policy, in the personal data processing processes in question:

• All employees with access to personal data must act in accordance with the procedures and principles set forth in this Policy and other relevant policies and procedures regarding the protection of personal data.

• Employees must perform data processing activities in accordance with the principles of protection of personal data specified in KVKK.

  • While the employees obtain the personal data of the person concerned;

  • For what purpose personal data will be processed

  • Information on the identity of the data controller and its representative, if any

  • To whom and for what purpose the processed personal data can be transferred

  • Method of obtaining personal data and legal reason

  • Rights of the related persons arising from KVKK

must make sure that the relevant person is informed.

• Employees should ensure that explicit consent is obtained before processing the personal data of the data subject, unless one of the cases where personal data is processed without the need for explicit consent.

• Employees must ensure that all technical and administrative security measures are taken to prevent the unlawful processing of personal data.

• Employees should ensure that data transfer is carried out in accordance with the purpose of transfer and not exceeding the purpose of transfer.

• Employees should ensure that personal data is not accessed by unauthorized persons during data transfer.

• Employees should be involved in data processing activities within the scope of the purposes necessitating data processing and without exceeding their limits.

• If employees become aware of a personal data breach, they should immediately notify authorized persons within the Company.

Article 11 of the KVKK regulates the rights of the persons concerned regarding their personal data. These rights are as follows:

1. Learning whether Uludağ Et Lokantası processes your personal data

2. Requesting information on data processing if Uludağ Et Lokantası processes personal data

3. Learning Uludağ Et Lokantası's personal data processing purposes and whether it uses personal data in accordance with its purpose

4. Learning whether personal data is transferred to third parties; If it is transferred, to learn the third parties to which it is transferred at home or abroad

5. To request correction of personal data if it is incomplete or incorrectly processed and to notify third parties, if any, of the action taken within this scope

6. To request the deletion or destruction of personal data, in case the reasons requiring the processing of personal data processed in accordance with the KVKK and relevant legislation disappear, and to request that the third parties, if any, be notified of the transaction carried out in this context

7. To object to situations where a result against the data subject arises by analyzing the processed personal data exclusively through automated systems

8. Demanding the compensation of the damage in case the person concerned suffers damage due to the illegal processing of personal data

Your requests to exercise your above-mentioned rights:

1. Using your e-mail address registered in our systems, to florya@uludagkebap.com,

2. To gokhan.uludag.1@hs01.kep.tr via your registered e-mail (KEP) address or

3. Adding the documents proving your identity, in writing, to Basınköy Mh. Atatürk Köşkü Caddesi No:2 34153 Bakırköy/İstanbul

please send it.

This Policy is reviewed by Uludağ Et Lokantası as needed and updated when necessary.

Otherwise, if changes are made in the KVK Legislation, the changes in the relevant legislation are immediately applied, even if the Policy has not been updated.

Last Updated: 25/05/2021