TURKISH TEA COMPANY PERSONAL DATA PROCESSING AND PROTECTION POLICY
(2025/01)
INTRODUCTION
1. Our Company, TURKISH TEA COMPANY ÇAY SANAYİ VE TİCARET ANONİM ŞİRKETİ (hereinafter referred to as the “Company” or “Turkish Tea Company”), is a legal entity located at Merkez Mah. Çuha Sok. No:4 (NEF 10) Interior Door No. 3, Kağıthane, Istanbul.
2. As the Company, we carry out data processing activities through www.turkishteacompany.com.tr, the Company’s mobile websites, and its stores, by automatic or non-automatic means. Through this text published on our website, we would like to inform our customers, users, visitors, business partners, and members about the Company’s Personal Data Processing and Protection Policy.
3. The Company makes utmost efforts to act in compliance with all applicable legislation in force regarding the processing and protection of personal data.
4. This Personal Data Processing and Protection Policy has been prepared by the Company, in its capacity as the data controller, within the scope of Article 10 of the Law No. 6698 on the Protection of Personal Data (“Law”) and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform.
5. Turkish Tea Company places great importance on the security of personal data. For this reason, this Personal Data Processing and Protection Policy (“Policy”) has been prepared in compliance with Law No. 6698 on the Protection of Personal Data (KVK Law), the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 and entered into force, the Regulation on the Data Controllers Registry which entered into force on 1 January 2018, and other relevant regulations.
PURPOSE AND SCOPE OF THE POLICY
1. The Policy is published on the Company’s official website in a manner accessible to personal data subjects. In line with innovations and amendments to be made in the legislation, any future changes to the Policy will be published on the relevant platforms in a way that personal data subjects can easily access.
2. In the event of any inconsistency between this Policy and the legislation regarding the protection and processing of personal data, the Company acknowledges that the provisions of the legislation in force shall prevail.
3. This Policy has been prepared to ensure compliance within Turkish Tea Company (the “Company”) with Law No. 6698 on the Protection of Personal Data and the relevant secondary legislation. Through this Policy, it is aimed to ensure that our Company acts in accordance with the fundamental principles regarding the processing and protection of personal data and that these principles are integrated into the Company’s activities.
4. Within the scope of the Policy, it is aimed that all necessary administrative and technical measures for the protection of personal data are taken by Turkish Tea Company, internal procedures are established, trainings are planned and implemented to raise awareness among employees and stakeholders, and an effective audit and supervision mechanism is established to ensure the compliance of all parties with the KVKK processes.
5. With this Policy, the fundamental directives that the Company must adopt in personal data processing activities are also set forth, and it is prioritized that the Company acts in compliance with legal regulations within the framework of the relevant legislation in its internal operations.
6. All employees of the Company are obliged to comply with this Policy as well as with all relevant legal legislation shaping this Policy while performing all duties delegated to them.
7. In cases where this Policy and the relevant legislative provisions are not complied with, in addition to the criminal and legal liabilities provided for by the legislation, sanctions that may lead to the termination of the contract by Turkish Tea Company for just cause may be applied, depending on the nature of the incident.
2. DEFINITIONS
2.1 The definitions set forth in this Policy bear the following meanings in accordance with the KVK Law and the relevant legislation:
- Personal Data: Any information relating to an identified or identifiable natural person,
- Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing the use of personal data, whether fully or partially by automatic means or by non-automatic means provided that it forms part of a data recording system,
- Deletion of Personal Data: The process of rendering personal data in no way accessible and reusable for the relevant users,
- Destruction of Personal Data: The process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any manner,
- Authority: The Personal Data Protection Authority,
- Board: The Personal Data Protection Board,
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller,
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
- Data Recording System: The recording system in which personal data are processed by being structured according to specific criteria,
- Data Subject: The natural person whose personal data are processed,
- Regulation: The Regulation on the Data Controllers Registry,
- Explicit Consent: Consent that is given freely, based on information, and related to a specific matter,
- Anonymization: The process of rendering personal data in such a way that they cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data,
- Special Categories of Personal Data: Personal data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
3. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
3.1 The Company acknowledges that it will process personal data falling within the scope of this Policy in accordance with the following principles, pursuant to Article 4 of the KVK Law:
- Compliance with lawfulness and fairness: The Company, in its capacity as data controller and as a prudent merchant, acknowledges that it will conduct personal data processing activities in accordance with the Constitution, the KVK Law, and all applicable legislation currently in force or to be enacted.
- Accuracy and Currency: Turkish Tea Company places importance and priority on ensuring the accuracy and currency of personal data processing. Accordingly, it takes all necessary administrative and technical measures within the scope of its technical capabilities to keep the data accurate and up-to-date. Within the framework of requests submitted by the relevant persons to the Company as the data controller and situations deemed necessary by the Company, erroneous or outdated data are corrected. Control and supervision mechanisms established for this purpose are operated regularly.
- Processing for Specific, Explicit, and Legitimate Purposes: Personal data processed by Turkish Tea Company is handled lawfully and limited to the services provided or to be provided in accordance with the requirements of the relevant legislation, and the purpose of processing personal data is clearly and definitively determined before the data processing begins.
- Processing Data in Connection with Their Purpose, Limited and Proportionate: Personal data processed by the Company is handled in connection with and limited to the purposes of processing and only to the extent necessary for achieving these purposes. In this context, it is a fundamental principle to avoid processing personal data that are unrelated to or unnecessary for the intended purpose.
- Processing Limited to the Duration Prescribed by Legislation or Required by the Purpose of Processing: Taking into account industry practices regarding the retention of personal data, unless a longer retention period is legally specified, the Company deletes, destroys, or anonymizes processed personal data once the purpose of processing has been fulfilled or the period prescribed by the legislation has expired.
4. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA
4.1 Personal data processed by the Company are processed based on the existence of at least one of the personal data processing conditions set forth in Article 5 of the Law. Explanations regarding these conditions are provided below:
4.1.1. Existence of the Data Subject’s Explicit Consent: Personal data processing activities by the Company are conducted when the data subject freely gives consent regarding the processing of their personal data, having sufficient information about the matter, with clear and unambiguous approval, and limited solely to that specific processing.
4.1.2. Personal Data Processing Activity Explicitly Prescribed by Law: In cases where there is a clear provision in the laws regarding the personal data processing activity, the Company may carry out personal data processing activities limited to the relevant legal regulation.
4.1.3. Inability to Obtain the Data Subject’s Explicit Consent Due to Practical Impossibility and the Necessity of Personal Data Processing: In cases where the data subject cannot express consent or where such consent is not deemed valid, and if processing personal data is necessary to protect the life or physical integrity of individuals, the Company conducts data processing activities within this scope.
4.1.4. Personal Data Processing Activity Being Directly Related to the Establishment or Performance of a Contract: In cases directly related to the establishment or performance of a contract, if the processing of personal data belonging to the parties of the contract is necessary, the Company conducts data processing activities accordingly.
4.1.5. Necessity of Personal Data Processing for the Company to Fulfill Its Legal Obligation: Turkish Tea Company, which has adopted as a Company policy the necessary sensitivity regarding lawfulness, conducts personal data processing activities when required to fulfill its legal obligations.
4.1.6. Public Disclosure of the Data Subject’s Personal Data: Personal data publicly disclosed (in any way made public) by the relevant individual are processed by Turkish Tea Company in accordance with the purpose of such public disclosure.
4.1.7. Necessity of Data Processing for the Establishment, Exercise, or Protection of a Right: When the processing of personal data is necessary for the establishment, exercise, or protection of a right, the Company carries out personal data processing activities in parallel with this necessity.
4.1.8. Personal Data Processing Activity Being Necessary for the Legitimate Interests of the Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Subject: If personal data processing is necessary for the legitimate interests of Turkish Tea Company and does not harm the fundamental rights and freedoms of the data subject, data processing activities may be carried out.
4.1.9. Processing of Non-Personal Information Is Not Subject to Restrictions: Non-personal information refers to data that cannot personally identify the member. For example, usage times, the location where the Site is accessed, pages viewed, test or survey results, and similar information. Our Company has the right to use this information for any purpose and may collect, share, transfer, and disclose it to third parties without obtaining consent.
4.2. The Company places special importance on the processing of special categories of personal data that carry the risk of discrimination if processed unlawfully. Within this scope, Turkish Tea Company first carefully determines whether the conditions for processing sensitive data are met, and only after ensuring compliance with the law does it proceed with data processing activities. Special categories of personal data may be processed by the Company under the following circumstances, provided that sufficient measures determined by the KVKK Board are taken:
4.2.1. Processing of Personal Health Data: Turkish Tea Company shows special sensitivity in processing special categories of personal data believed to be critically important to protect from various aspects for data subjects. Within this scope, provided that the necessary measures determined by the Board are taken, such data are not processed without the explicit consent of the data subjects. However, special categories of personal data other than health and sexual life data may be processed without the explicit consent of the data subject in cases prescribed by law. Nonetheless, health and sexual life data may be processed without explicit consent, provided that sufficient measures are taken and under the following circumstances:
- Protection of public health,
- Preventive medicine,
- The provision of medical diagnosis, treatment, and care services,
- The planning and management of health services and their financing.
5. METHODS OF OBTAINING AND PROCESSING PERSONAL DATA
5.1. Within this scope, your personal data may be collected in written or electronic form by the Company or by natural or legal persons processing data on behalf of the Company, by the following methods, without being limited to those listed below:
- Notifications made during campaigns through communication channels such as email and phone, and social media accounts,
- Employment contracts and internship platforms,
- Institutions with which our Company has professional relationships, including signature circulars,
- Powers of attorney and contracts,
- Various contracts you have signed with our Company, as well as all kinds of emails, requests, work orders, faxes, and letters you have sent to our Company,
- Third-party companies processing data on behalf of our Company or supporting us at any stage of the membership program process,
- Our employees and customer service channels, including digital marketing and call centers,
- Social media channels.
The legal grounds for data processing are as follows:
- In cases explicitly prescribed by law, under Articles 5/2(a) and 6/3 of the KVKK,
- Pursuant to Article 5/2(c), if applicable, for the establishment, performance, or termination of a contract with the data subject or the institution they are affiliated with,
- Pursuant to Article 5/2(ç), for the Company to fulfill its legal obligations,
- Pursuant to Article 5/2(d), if the data has been publicly disclosed by you,
- Pursuant to Article 5/2(f), provided that it does not harm the fundamental rights and freedoms of the relevant persons, when necessary for the legitimate interests of the data controller, such as institutional promotion.
5.2. PERSONAL DATA SUBJECT GROUPS AND THEIR DESCRIPTIONS
| COMPANY OFFICIALS | Members of the Company’s board of directors and other authorized natural persons. |
| EMPLOYEES AND INTERNS | Natural persons who are employed or undertaking internships within Turkish Tea Company. |
| JOB APPLICANTS | Natural persons who have applied for a job by any means or submitted their resume and relevant information for the Company's review, but who are not employed or interning within the Company. |
| GOODS AND SERVICES SUPPLIERS | Natural persons, including shareholders, employees, and officials of institutions with which the Company has a business relationship (whether under a contractual relationship or not) for the purpose of providing operational services, developing investments, and conducting commercial activities; this includes business partners, goods and service suppliers, but is not limited to these. |
| PRODUCERS | Natural persons involved in Turkish Tea Company’s tea production and supply chain who supply raw materials or by-products, cultivate, provide, or contribute to the processing of products, as well as their employees and representatives. |
5.3. PERSONAL DATA CATEGORIES
| PERSONAL DATA CATEGORIES | DESCRIPTION |
| IDENTIFICATION INFORMATION | These are personal data containing information about a person's identity; including name and surname, Turkish ID number, nationality, mother's and father's name, place of birth, date of birth, gender, and documents such as driver's license, ID card, and passport. It also includes information like tax number, social security number (SGK), signature details, vehicle plate number, and similar data. |
| CONTACT INFORMATION | Information that clearly belongs to an identified or identifiable natural person; processed partially or entirely automatically, or non-automatically as part of a data recording system; such as phone number, address, email address, fax number, and similar details. |
| PHYSICAL LOCATION SECURITY INFORMATION | Personal data related to records and documents collected upon entry to a physical location and during the stay inside the physical premises; such as camera recordings, fingerprint records, and records taken at security checkpoints, etc. |
| PROCESS SECURITY INFORMATION | Personal data processed to ensure the technical, administrative, legal, and commercial security of both the data subject and the Company while conducting the Company's commercial activities. |
| RISK MANAGEMENT INFORMATION | Personal data processed through methods commonly accepted in legal, commercial practices, and principles of good faith to manage commercial, technical, and administrative risks. |
| FINANCIAL INFORMATION | Personal data processed related to all types of information, documents, and records showing financial outcomes created within the legal relationship between the Company and the data subject, including bank account number, IBAN number, credit card information, financial profile, asset data, income information, and similar personal data. |
| LEGAL TRANSACTION AND COMPLIANCE INFORMATION | Personal data processed within the scope of compliance for the identification, determination, monitoring of the Company's legal receivables and rights, fulfillment of its debts, and legal obligations. |
| AUDIT AND INSPECTION INFORMATION | Personal data processed within the scope of the Company's legal obligations and compliance with Company policies. |
| REPUTATION MANAGEMENT INFORMATION | Personal data collected that is associated with the individual and aimed at protecting the Company's commercial reputation. |
| PERSONNEL AND PROFESSIONAL EXPERIENCE INFORMATION | Personal data that clearly belongs to an identified or identifiable natural person; processed partially or entirely automatically, or non-automatically as part of a data recording system; including information legally required to be included in the personnel files of natural persons working in an employment relationship with Turkish Tea Company, which form the basis for their employment rights. This includes educational status, certificate and diploma information, foreign language skills, training and skills, CV, courses taken, leave and seniority start dates, additional leave days, leave group, exit/return dates, number of days, reasons for leave, address/phone number during leave, position name, department and unit, title, last employment start date, employment start and end dates, insurance entry/retirement, social security number, flexible working hours status, travel status, number of working days, projects worked on, total monthly overtime information, seniority compensation base date, additional seniority compensation days, days spent on strike, employee internet access logs, entry and exit logs, and any personal data processed for obtaining these records, as well as performance information necessary for the employee to progress in their current position (training and skills, information about when training was received, email, signed participation forms, customer meeting quality evaluation forms, monthly performance evaluation and target achievement status, activities). |
| HEALTH INFORMATION | Personal data that clearly belongs to an identified or identifiable natural person; processed partially or entirely automatically, or non-automatically as part of a data recording system; including data specified in Article 6 of the Personal Data Protection Law (KVKK) such as disability status, blood type information, personal health information, information about devices and prosthetics used, and similar data. |
| MARKETING | Personal data that clearly belongs to an identified or identifiable natural person; processed partially or entirely automatically, or non-automatically as part of a data recording system; including personal data obtained through shopping history, surveys, campaigns, contracts, and similar reasons. |
5.4. MAPPING OF DATA SUBJECT GROUPS WITH THEIR RESPECTIVE DATA CATEGORIES
| PERSONAL DATA CATEGORIZATION | CATEGORY OF THE DATA SUBJECT RELATED TO THE PERSONAL DATA CONCERNED |
| IDENTIFICATION INFORMATION | Employee Candidate, Employee, Other – Employee of a Legal Entity with Which a Commercial Relationship Is Established, Other – Natural and Legal Persons with Which a Commercial Relationship Is Established, Other – Person Providing a Reference for Employee Candidates, Other – Deputy General Manager / Coordinator to Be Contacted, Other – Legal Representative, Employer, Other – Belonging to Worker and/or Employer, Other – Belonging to Foreign Worker and/or Employer, Shareholder / Partner, Potential Product or Service Buyer, Supplier Employee, Supplier Authorized Representative, Person Receiving Products or Services, Intern. |
| CONTACT INFORMATION | Employee Candidate, Employee, Other – Employee of a Legal Entity with Which a Commercial Relationship Is Established, Other – Authorized Representative of a Legal Entity with Which a Commercial Relationship Is Established, Other – Natural Person with Which a Commercial Relationship Is Established and Their Employee, Shareholder / Partner, Supplier Employee, Supplier Authorized Representative, Person Receiving Products or Services, Intern, Person Subject to News. |
| LOCATION | Employee Candidate, Employee, Shareholder, Partner, Person Receiving Products or Services. |
| PERSONNEL RECORDS | Employee Candidate, Employee, Other – Employee’s Spouse and Children, Other – Persons for Whom the Employee Is Legally Responsible, Intern. |
| FINANCE | Employee, Other – Bank Employee and Other Employee, Other – Natural Person with Which a Commercial Relationship Is Established, Other – Legal Entity with Which a Commercial Relationship Is Established and Its Authorized Representative, Shareholder / Partner, Person Receiving Products or Services. |
| LEGAL TRANSACTION | Employee, Shareholder / Partner. |
| CUSTOMER TRANSACTION | Potential Product or Service Buyer, Person Receiving Products or Services. |
| PHYSICAL LOCATION SECURITY, VISUAL AND AUDIO RECORDS | Employee, Employee Candidate, Potential Product or Service Buyer, Person Receiving Products or Services, Visitor, Other – Natural Person with Which a Commercial Relationship Is Established. |
| HEALTH INFORMATION | Employee, Intern. |
| PROCESS SECURITY | Potential Product or Service Buyer, Person Receiving Products or Services. |
5.5. MAIN PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA OF DATA SUBJECTS INCLUDED IN PERSONAL DATA SUBJECT GROUPS
Personal data are collected and processed by the Company for the purposes set out below:
- Carrying out employee candidate application processes
- Managing employee hiring and termination processes
- Managing fringe benefits and benefits processes for employees
- Fulfilling obligations arising from employment contracts and legislation for employees
- Conducting audit and ethics activities
- Monitoring and managing legal affairs
- Managing contract processes
- Planning and conducting occupational health and safety activities
- Conducting logistics activities
- Monitoring and handling requests and complaints
- Conducting talent and career development activities
- Providing relevant information to authorized public institutions and organizations
- Ensuring and procuring the security of movable assets and resources
- Creating and monitoring visitor records
- Conducting investigation activities
- Planning human resources processes
- Making plans to ensure business continuity and carrying out the related processes
- Taking and evaluating measures aimed at improving business processes
- Carrying out storage and archiving activities
- Conducting marketing processes
6. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
6.1. Pursuant to Article 7 of the Law, even if personal data have been processed in accordance with the law, where the reasons requiring their processing cease to exist and the legislation does not specify a longer retention period (taking sector practices regarding the storage of personal data into consideration), personal data shall be deleted, destroyed, or anonymized by the Company, either ex officio or upon the request of the data subject, in accordance with the guidelines published by the Personal Data Protection Authority, periodic destruction periods, and data subject applications.
6.2. The personal data processed by the Company are addressed on a categorical basis, and maximum data retention periods have been determined for each personal data category in line with the relevant data processing purpose. Detailed information on how the retention and destruction processes are carried out, including these maximum periods, is set out in the Personal Data Retention and Destruction Policy prepared by the Company.
7. TRANSFER OF PERSONAL DATA
7.1. Turkish Tea Company undertakes to continuously comply with the conditions set forth in Articles 8 and 9 of the Personal Data Protection Law No. 6698 (KVKK) and the principles determined by the Personal Data Protection Board when transferring personal data to third parties domestically or abroad.
7.1.1. Domestic Transfer of Personal Data
Personal data may be transferred by the Company to third parties within the country, provided that at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law exists and that such processing activity is carried out in accordance with the data processing principles.
7.1.2. Transfer of Personal Data Abroad
1. Transfer to Countries with Adequate Protection:
If the country to which the transfer will be made is one of the countries declared by the Personal Data Protection Board to have adequate protection, personal data may be transferred by Turkish Tea Company to third parties abroad, provided that at least one of the processing conditions stipulated in Articles 5 and 6 of the Law exists and that the data processing activity is carried out in accordance with the fundamental principles.
2. Transfer to Countries Without Adequate Protection:
If the country to which the transfer will be made is not among the countries with adequate protection, personal data may be transferred to third parties abroad provided that the general principles set out in Article 4 of the Law are complied with, at least one of the data processing conditions specified in Articles 5 and 6 of the Law exists, and at least one of the additional conditions listed below is fulfilled:
• The explicit consent of the data subject has been obtained.
or
• The data controller/data processor located in the foreign country to which the data will be transferred undertakes in writing, together with Turkish Tea Company, to provide adequate protection, and approval has been obtained from the Personal Data Protection Board regarding this undertaking.
3. Parties to Whom Personal Data May Be Transferred
Subject to the fulfillment of the conditions specified above, Turkish Tea Company may transfer personal data to third parties within the groups listed below:
| RECIPIENT GROUP | PURPOSE OF TRANSFER |
| SUPPLIER | Personal data limited to what is necessary to enable the provision of services obtained through outsourcing from suppliers in order for the Company to carry out its commercial activities. |
| LEGALLY AUTHORIZED PUBLIC INSTITUTION | Personal data limited to the purpose of fulfilling information requests made by the relevant public institutions and organizations. |
| LEGALLY AUTHORIZED LEGAL ENTITY | Personal data shared in a limited manner and solely for the purpose requested, within the scope of the legal authority of the relevant private law entities. |
| BANKS | Personal data limited to what is necessary to ensure the fulfillment of the purposes for establishing the business partnership. |
| MANUFACTURERS | Personal data limited to what is necessary, for the purposes of ensuring product quality, fulfilling contractual obligations, and meeting legal requirements, in order to procure raw materials or intermediate products in cooperation with suppliers in Turkish Tea Company’s production and supply processes. |
| DISTRIBUTORS | Personal data limited to what is necessary for the purposes of carrying out product sales and marketing activities, managing logistics processes, and ensuring distribution and delivery. |
8. DATA CONTROLLER’S OBLIGATION TO INFORM
8.1. Within the scope of Article 10 of the Personal Data Protection Law (KVKK), data subjects must be informed before the personal data are obtained or, at the latest, at the time they are obtained. Within the framework of this obligation to inform, the information that must be provided to data subjects is as follows:
- The identity of the data controller and, if any, its representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data may be transferred,
- The method and legal basis of collecting personal data,
- Other rights listed in Article 11 of the Personal Data Protection Law (KVKK).
In this context, the Company informs the data subject of their rights in accordance with Article 10 of the Personal Data Protection Law (KVKK) and provides guidance on how these rights may be exercised. In order to evaluate the rights of data subjects and provide the necessary information to them, the Company maintains the required channels, internal procedures, and administrative and technical arrangements in compliance with Article 13 of the KVKK.
8.2. In order to fulfill its obligation to inform, the Company has prepared disclosure statements to be presented to data subjects based on processes and the individuals whose data are processed, within the scope of the aforementioned provisions of the Personal Data Protection Law (KVKK). Following the provision of these disclosure statements to data subjects, explicit consent declarations have also been prepared for data processing activities and data categories that require obtaining the explicit consent of the data subject for Turkish Tea Company to carry out its commercial activities. In the explicit consent declarations prepared for data subjects, in line with European Union regulations underpinning the KVKK, data subjects are given the right to choose whether their personal data may be processed by the Company, and they are informed about the possible consequences if explicit consent cannot be obtained.
9. OTHER OBLIGATIONS OF THE DATA CONTROLLER
As the data controller, Turkish Tea Company undertakes to diligently fulfill all obligations imposed on it under the Personal Data Protection Law No. 6698 ("KVKK"). Within this scope, the Company's main responsibilities are explained below:
9.1. Obligation to Inform
Turkish Tea Company is obligated to inform the relevant individuals before starting personal data processing activities or, at the latest, at the time of data collection. Accordingly, through the disclosure texts prepared pursuant to Article 10 of the Law, data subjects are informed about:
- The identity of the data controller,
- The purposes for which the data will be processed,
- To whom and for what purposes the data may be transferred,
- The method and legal basis of data collection,
- The rights set forth in Article 11 of the KVKK.
Clear and understandable information is provided regarding these matters.
9.2. Obligations Regarding Data Security
Turkish Tea Company takes the necessary administrative and technical measures to ensure that personal data:
- Are prevented from being processed unlawfully,
- Are protected against unlawful access,
- Are securely preserved.
Our Company has established a data recording system to carry out data processing activities securely, has clearly defined the purposes and methods of data processing, and regularly audits the effectiveness of this system.
9.3. Audit Obligation
Turkish Tea Company conducts regular audit processes to ensure that personal data are processed in compliance with the KVKK and relevant legislation. When deemed necessary, these audit activities may be carried out internally or by obtaining services from independent audit organizations.
9.4. Confidentiality Obligation
Our Company undertakes not to share personal data accessed within the scope of duties with third parties or use it for purposes other than processing, except with the explicit consent of the relevant person or in cases required by law. This confidentiality obligation is not limited to the term of employment for employees, service providers, consultants, and data processors involved in personal data processing but continues even after the relevant person’s separation.
9.5. Obligation to Report Data Breaches
If Turkish Tea Company determines that personal data it processes has been unlawfully accessed by third parties, it is obligated to notify:
- The Personal Data Protection Board, as soon as possible and no later than 72 hours,
- Likewise, the relevant data subject.
The management of data breaches is conducted in accordance with internal procedures and incident response plans.
9.6. Response to Applications and Implementation of Board Decisions
Pursuant to Article 13 of the KVKK, data subjects may apply to Turkish Tea Company to exercise their rights related to their personal data. These applications shall be responded to and concluded within a maximum of 30 days:
- Free of charge,
- In writing or by methods determined by the Board.
If the application entails a cost, Turkish Tea Company reserves the right to charge fees as specified in the tariff determined by the Personal Data Protection Board. Additionally, decisions made by the Personal Data Protection Board are promptly and fully implemented by the Company.
10. RIGHTS OF THE PERSONAL DATA SUBJECT
10.1. Pursuant to Article 11 of the Law, personal data subjects may apply to Turkish Tea Company to exercise the following rights:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing their personal data and whether it is being used in accordance with that purpose,
- To learn the third parties to whom their personal data is transferred domestically or abroad,
- To request the correction of incomplete or inaccurate personal data,
- To request the deletion or destruction of personal data when the reasons for processing, as per the Law and secondary legislation, no longer exist, and to request that the transactions performed in this context be notified to third parties to whom the personal data has been transferred,
- To request compensation for damages in case of loss due to unlawful processing of personal data.
Requests to be submitted within this scope must be clear and understandable, including identity and address information, and delivered in writing with a wet signature by hand, by mail, or through a notary to the following address:
Merkez Mah. Çuha Sok. No:4 (NEF 10) D.3, Kağıthane, Istanbul.
10.2. In accordance with Article 14 of the KVKK, personal data subjects may file a complaint with the Personal Data Protection Board within thirty days from the date they learn of the Company’s response, and in any case within sixty days from the date of application, in cases where the application is rejected, the response is deemed insufficient, or no response is provided within the legal timeframe.
11. COMPANY'S RESPONSE TO APPLICATIONS
11.1. If the personal data subject submits their request to the Company in accordance with the procedure set forth in this policy, the Company shall conclude the relevant request free of charge within a maximum of thirty days, depending on the content of the request. However, if a fee is prescribed by the Personal Data Protection Board (KVK Board), the Company shall collect the fee determined by the Board from the applicant.
11.2. The Company may request information from the applicant to verify whether the person is indeed the personal data subject. Additionally, the Company may direct questions to the personal data subject to clarify the details related to their application.
11.3. The Company reserves the right to reject the applicant's request in the following cases, providing the reasons for the rejection:
- Processing of personal data for research, planning, and statistical purposes by anonymizing the data through official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, and does not constitute a crime.
- Processing of personal data by judicial authorities or enforcement bodies in relation to investigation, prosecution, trial, or execution procedures.
- The processing of personal data being necessary for the prevention of a crime or the investigation of a crime.
- The processing of personal data that has been made public by the data subject themselves.
- The processing of personal data being necessary for the performance of auditing or regulatory duties, or for disciplinary investigation or prosecution, by authorized and competent public institutions and organizations, or professional organizations with the status of a public institution, based on the authority granted by law.
- The possibility that the data subject's request may infringe upon the rights and freedoms of others.
- The requested information being publicly available.
- Requests involving disproportionate effort.
12. REVISION AND TERMINATION
In the event that this Policy is revised or terminated, the revised version or the new policy example will be announced in the relevant places.
13. EXECUTION
The execution of this Policy is the responsibility of the data controller and the company’s board of directors, who are obliged to fulfill the data controller’s obligations. All department managers established to be responsible for monitoring and coordinating all work and processes within the scope of the KVKK Law and Data Protection Board regulations are accountable.
KVKK INFORMATIVE TEXT REGARDING THE PROCESSING OF PERSONAL DATA
1. INTRODUCTION
Turkish Tea Company Çay Sanayi Ve Ticaret Anonim Şirketi ("the Company" or "Turkish Tea Company") demonstrates utmost sensitivity regarding the protection of personal data and takes all necessary measures to safeguard the rights of personal data owners, which are protected under the Constitution of the Republic of Turkey and the Law No. 6698 on the Protection of Personal Data ("KVKK"). This Policy has been prepared to set forth the principles and rules to be applied by the Company regarding compliance with the regulations on the processing and protection of personal data as stipulated in the KVKK. This Policy may be periodically updated when necessary to ensure compliance with the KVKK and secondary legislation. Updates will be published on the Company’s official website at www.turkishteacompany.com.tr.
2. PURPOSES OF PROCESSING AND TRANSFER OF PERSONAL DATA
2.1. Personal data are processed lawfully and in line with the purpose of the Law, within the scope of the personal data processing conditions set out in Articles 5 and 6 of the Personal Data Protection Law, and limited to the following purposes: the proper planning, execution, and management of Turkish Tea Company's human resources policies, commercial partnerships, management and communication activities, and strategies; enabling data subjects to benefit from products and services in the best possible way; offering personalized recommendations according to requests, needs, and expectations; ensuring data security at the highest level; improving the services offered on the website and eliminating possible errors; contacting data subjects who submit requests and complaints and ensuring complaint management; managing events; providing authorized institutions and organizations with information required by legislation; and creating and tracking visitor records.
2.2. Personal data may also be shared, recorded, and transferred to electronic systems with the company’s partners, business associates, successors, and/or third parties/organizations they designate within the framework of the personal data transfer conditions set forth in Articles 8 and 9 of the Law.
2.3. If the processing activity conducted for the aforementioned purposes does not meet any of the conditions foreseen under the Law, your explicit consent will be obtained separately by Turkish Tea Company regarding the relevant processing procedure.
2.4. Detailed information about which personal data are collected, stored, and transferred by our Company can be found in the Turkish Tea Company KVKK Policy. The policy is accessible on our Company’s official website at www.turkishteacompany.com.tr under the title KVKK and Privacy Policy.
3. METHODS OF COLLECTING YOUR PERSONAL DATA AND OUR LEGAL GROUNDS
3.1. We collect your personal data through automatic methods, including but not limited to the following: from dealers using a shared customer management and cash register system, stores, business partners, or suppliers; information you verbally provide to sales consultants in stores recorded into our systems via security cameras and devices located in the stores; information provided during your purchases made through websites/mobile applications selling products of the Store/Site or the Company, or when you register as a member on the Site, recorded into our systems; all types of purchases, collections, deliveries, transactions, survey completions, registrations, behavioral actions and activities on the Store/Site recorded into our systems; your requests and complaints conveyed to us during mutual communication via our Communication Channels or Stores being recorded. Additionally, we collect your data through non-automatic methods, such as receiving information/documents related to you from official institutions, organizations, and judicial/administrative authorities, and recording documents related to your return/review processes.
3.2. We collect and process your personal data based on the following legal grounds:
- Regarding the establishment of site membership and the fulfillment of our obligations under the membership agreement, as well as sales and after-sales support processes, “the necessity of processing personal data belonging to the parties of the contract directly related to the establishment or performance of a contract.”
- Regarding personal data processing and commercial communication activities within the scope of marketing, segmentation, and analysis studies related to site membership, your “explicit consent.”
- Regarding the detection and prevention of suspicious transactions related to site membership and site usage, ensuring transaction security, operational processes (strategic planning, analysis, and business development activities), and customer relationship processes, “the necessity of processing personal data for the legitimate interests of the data controller.”
- Regarding the recording processes through security cameras in stores, “the necessity of processing personal data for the legitimate interests of the data controller,” “the necessity of processing and transferring data for the establishment, exercise, or protection of rights,” and “the fulfillment of legal obligations.”
- Regarding our obligations arising from legislation, “the fulfillment of legal obligations” and “explicit provisions in the laws.”
- Regarding legal disputes, investigations, and other judicial/official processes, “the necessity of processing and transferring data for the establishment, exercise, or protection of rights.”
- The data subject having made the information public themselves.
3.3. You may, at any time and without providing any reason, stop the relevant commercial communication by performing the unsubscribe action indicated in the commercial electronic messages we send and/or withdraw your explicit consent regarding site membership, thereby terminating your membership and stopping any personal data processing activities based on explicit consent.
4. PERSONAL DATA RETENTION PERIODS BY THE COMPANY
1. Turkish Tea Company retains personal data for the periods specified in the Personal Data Protection Law ("KVKK") and relevant legislation, if such periods are prescribed in the applicable laws.
2. If no retention period is specified in the relevant legislation regarding personal data storage, Turkish Tea Company retains personal data for the necessary duration considering commercial customs, the nature of the activity subject to processing, and the purposes of data processing; upon expiration of this period, personal data are deleted, destroyed, or anonymized.
3. Detailed information about deletion, destruction, or anonymization can be found in the Turkish Tea Company Data Destruction Policy. Our Destruction Policy is accessible on our Company’s official website.
5. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
5.1. Even if personal data have been processed by the Company in compliance with the KVKK and other relevant laws, when the reasons requiring the processing of personal data cease to exist and retention periods expire, the data shall be deleted, destroyed, or anonymized either ex officio or upon the request of the data subject.
6. RIGHTS OF THE PERSONAL DATA OWNER UNDER THE KVKK LAW
6.1. Pursuant to Article 11 of the Personal Data Protection Law, as the Data Subject, you may apply to the Company:
- To learn whether your personal data have been processed.
- If your personal data have been processed, to request information about this processing.
- To learn the purpose of processing your personal data and whether they are used in accordance with this purpose.
- To know the third parties to whom your personal data have been transferred, domestically or abroad.
- If your personal data have been processed incompletely or inaccurately, to request correction and to ask that this correction be communicated to the third parties to whom your personal data have been transferred.
- Although your personal data have been processed in accordance with the KVKK and other relevant legislation, to request deletion or destruction of your personal data and notification of this request to third parties to whom the personal data have been transferred if the reasons requiring processing no longer exist, taking into account principles such as purpose, duration, and legitimacy.
- To object to the emergence of a result against yourself by solely analyzing the processed data through automatic systems.
- To request compensation for damages if you suffer harm due to unlawful processing of your personal data.
6.2. Within this scope, you can submit your requests regarding the above rights by filling out the Turkish Tea Company Data Subject Application Form in accordance with the specified procedures and principles, and sending it to us through the communication methods indicated in the form. (You can access the application form via our website.) The Company will finalize the request free of charge as soon as possible and no later than 30 (thirty) days, depending on the nature of the request. However, if the Personal Data Protection Board imposes a fee and additional costs arise for the Company to process the requests, the fees specified in the tariff determined by the Board may be charged by the Company. In cases where your personal data is processed based on explicit consent, please note that if you withdraw this consent, you will be removed from the membership program that requires such consent, and you will no longer be able to benefit from the advantages provided through these processes as of the relevant date.
You can always follow changes related to personal data legislation and our practices on the relevant page of our website.
6.3. For any questions, you can reach us via our website or through other contact channels provided on our site.
For your requests;
Data Controller:
TURKISH TEA COMPANY ÇAY SANAYİ VE TİCARET ANONİM ŞİRKETİ
Address: Merkez Mah. Çuha Sok. No. 4 (NEF 10) D. 3, Kâğıthane, İstanbul 34406. Türkiye
E-mail: info@turkishteacompany.com.tr
CONSENT TEXT REGARDING THE PROCESSING OF PERSONAL DATA
Our company, TURKISH TEA COMPANY ÇAY SANAYİ VE TİCARET ANONİM ŞİRKETİ, acts as the "data controller" within the scope of Law No. 6698 on the Protection of Personal Data ("the Law") regarding personal data of customers. Through this Consent Text, it aims to obtain the explicit consent of customers for the personal data processing activities conducted by Turkish Tea Company, as specified below, in accordance with the said Law.
For the situations listed below where the conditions for processing personal data set forth in Articles 5/2 and 6/3 of the KVKK Law cannot be met, it is essential for the Company to obtain the explicit consent of customers to process their personal data. Data processing activities for processes that do not require explicit consent continue within the scope of the Informative Text, and for processes requiring explicit consent, data is processed in accordance with the fundamental principles set forth in the Informative Text.
Within this scope, customers' personal data are processed by Turkish Tea Company for the purposes specified in the Personal Data Processing and Protection Policy and in accordance with the procedures outlined therein.
In this context, personal data may be processed for purposes including, but not limited to: creating campaigns aimed at customers; offering special opportunities that Turkish Tea Company’s business partners provide to the Company’s customers; conducting cross-selling; determining target audiences; monitoring customer behavior to carry out activities that enhance user experience; improving the operation of the Company’s website and mobile application and personalizing them according to customer needs; conducting direct and indirect marketing, personalized marketing, and remarketing activities; executing personalized segmentation, targeting, analysis, and internal company reporting; planning and conducting market research and customer satisfaction activities; customizing and promoting the Company’s products and services according to the preferences, usage habits, and needs of the relevant individuals; and planning and implementing customer relationship management processes. More broadly, these activities encompass the planning and execution of sales and marketing processes for the Company’s products and/or services, and the planning and execution of loyalty-building or enhancing processes related to the Company’s products and/or services. Processing will be carried out based on the consent given by the Customer and data may be shared with the parties specified in the Informative Text for these purposes.
REGARDING THE DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
1. PURPOSE OF THE DESTRUCTION POLICY
This Policy outlines the procedures for the deletion, destruction, or anonymization of personal data processed in accordance with the Personal Data Protection Law, carried out by Turkish Tea Company either ex officio or upon request, when the conditions for processing personal data as regulated in Articles 4, 5, and 6 of the Law cease to exist.
2. DEFINITIONS
- Consent: The consent given freely and explicitly based on being informed regarding a specific matter.
- Anonymization: The process of rendering personal data in such a way that it cannot be associated with an identified or identifiable natural person, even by matching with other data.
- President: The President of the Personal Data Protection Authority.
- Data Subject: The natural person whose personal data is processed.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing of Personal Data: Any operation performed on personal data, wholly or partly by automatic means or otherwise, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use.
- Board: The Personal Data Protection Board.
- Authority: The Personal Data Protection Authority.
- Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
- Data Recording System: The system in which personal data is processed structured according to specific criteria.
- Regulation: The Regulation on the Registry of Data Controllers.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
3. DATA STORAGE ENVIRONMENTS FOR PERSONAL DATA
Electronic Environments:
- Microfilm
- Email Inbox
- Microsoft Office Programs
- Image and Sound Recording Devices
Physical Environments:
- Department Cabinets
- Folders
- Archive
4. REASONS REQUIRING RETENTION AND DESTRUCTION
Personal data are securely stored by Turkish Tea Company for the following purposes:
- To sustain commercial activities,
- To fulfill legal obligations,
- To plan and fulfill employee rights and benefits,
- To manage customer relations.
5. EXPLANATIONS REGARDING THE REASONS FOR RETENTION AND DESTRUCTION
5.1. Turkish Tea Company securely stores the personal data of data subjects in the physical and/or electronic environments mentioned above, within the framework of the KVKK Law and relevant legislation, for the purposes of:
- Properly sustaining commercial activities,
- Fulfilling legal obligations,
- Planning and fulfilling employee rights and benefits,
- Managing customer relationships.
5.2. Reasons Requiring Retention
- Personal data being directly and closely related to the establishment and performance of contracts to which the company is a party or will be a party.
- Retention of personal data for the purpose of establishing, exercising, or protecting a right.
- The necessity of retaining personal data for the legitimate interests of Turkish Tea Company, provided that it does not harm the fundamental rights and freedoms of individuals.
- The obligation of Turkish Tea Company to retain personal data in order to fulfill its legal obligations.
- Retention of relevant personal data due to explicit provisions in the legislation.
- Retention activities requiring explicit consent, provided that data subjects have given their explicit consent in this regard.
5.3. Situations Requiring Deletion, Destruction, or Anonymization
In the following situations, personal data shall be deleted, destroyed, or anonymized by Turkish Tea Company either ex officio or upon request:
- Changes to or repeal of the legislation underpinning the processing/storage of personal data.
- The purpose requiring the processing/storage of personal data ceases to exist.
- All conditions for processing personal data as set forth in Articles 5 and 6 of the Law are no longer met.
- In cases where processing is based solely on explicit consent, the data subject withdraws their consent.
- Acceptance of the data subject’s application under Articles 11/2-(e) and (f) of the Law.
- If the data controller rejects the application, the response is deemed inadequate, or no response is given within the legally prescribed time, and the complaint made to the Board is found justified.
- The maximum retention period for personal data has expired, and there is no justified reason to retain the data for a longer period.
6. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK Law, Turkish Tea Company takes necessary technical and administrative measures to ensure an adequate level of security to prevent the unlawful processing of personal data being processed, to prevent unauthorized access to the data, and to ensure that the data is stored in compliance with the law. Accordingly, our Company conducts or commissions the required audits. All technical and administrative measures taken have been specially arranged by the Company. In the event that personal data is unlawfully accessed by third parties despite all technical and administrative precautions taken, the Company immediately takes urgent measures to rectify the situation in the shortest possible time and reviews its precautions.
1. Technical Measures:
- Considering the conscious or unconscious threats posed by employees within the organization, security controls have been implemented through log reporting on software and hardware devices across all relevant areas to control access to information and prevent unauthorized access.
- Technical measures are taken in line with technological advancements, and these measures are periodically updated and renewed.
- Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined at the business unit level.
- Access rights are restricted and regularly reviewed.
- Technical measures taken are periodically monitored, and issues posing risks are reassessed to develop necessary technological solutions.
- Software and hardware, including antivirus systems and firewalls, are installed, and related audits are maintained.
- Knowledgeable personnel are employed for technical matters, and internal training is conducted.
- Regular security scans are performed on applications collecting personal data to identify security vulnerabilities, and identified gaps are promptly closed.
- Penetration testing services are procured when needed to check system vulnerabilities.
- Personal data destruction is carried out in a way that it cannot be recovered and leaves no audit trail.
2. Administrative Measures:
- Employees are trained on the technical measures to be taken to prevent unlawful access to personal data held by the Company.
- Access and authorization processes for personal data within the Company are designed and implemented in accordance with legal compliance requirements at the business unit level. The sensitivity and importance of the data are also considered when limiting access.
- The Company includes provisions in its agreements with personnel, emphasizing compliance with the obligations under the KVKK Law regarding lawful processing of personal data, non-disclosure, prohibition of unlawful use, and confidentiality obligations that continue even after termination of employment. Non-compliance may lead to disciplinary actions including termination of employment.
- Employees are informed that they cannot disclose personal data to others unlawfully or use it outside the intended purpose, and this obligation continues even after leaving the job. Necessary commitments are obtained from employees accordingly.
- Contracts with third parties to whom personal data is lawfully transferred include provisions requiring those parties to implement necessary security measures to protect personal data and ensure compliance within their organizations.
- In case personal data is unlawfully accessed by others, the Company promptly notifies the relevant data subject and the Personal Data Protection Board.
- The Company employs knowledgeable and experienced personnel regarding personal data processing and provides necessary training on data protection legislation and data security.
- The Company conducts or commissions audits to ensure compliance with the Law within its legal entity, addressing any confidentiality or security vulnerabilities revealed by the audits.
- Turkish Tea Company is responsible under Article 12 of the KVKK Law for ensuring that third parties to whom personal data is transferred process, store, and access the data lawfully according to this Policy and the KVKK Law. Therefore, the Company obtains contractual commitments including audit rights from third parties to ensure these conditions. Additionally, all personnel are specially informed about their responsibilities regarding the transfer of personal data to third parties.
7. MEASURES TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA
Although processed in accordance with the relevant legal provisions, Turkish Tea Company may delete or destroy personal data at its own discretion or upon the request of the data subject if the reasons requiring the processing cease to exist. An effective data tracking process will be managed by Turkish Tea Company to define and monitor the destruction processes of personal data. This process will sequentially involve identifying the data to be deleted, identifying the relevant persons, determining their access methods, and promptly deleting the data thereafter.
Depending on the medium where the data is recorded, the Company may use one or more of the following methods to destroy, delete, or anonymize personal data:
7.1. Methods for Deletion, Destruction, and Anonymization of Personal Data
7.1.1. Deletion of Personal Data
Deletion of personal data is the process of making personal data completely inaccessible and unusable for the relevant users in any way. As a method of deleting personal data, the Company may use one or more of the following methods:
- Personal data in paper form will be processed by blackout methods such as crossing out, painting over, cutting, or erasing.
- Access rights of users to office files in the central archive will be revoked.
- Rows or columns containing personal information in databases will be deleted using the 'Delete' command.
- When necessary, deletion will be carried out securely with the assistance of an expert or experts.
7.1.2. Destruction of Personal Data
Destruction of personal data is the process of rendering personal data inaccessible, unrecoverable, and unusable by anyone in any way.
- Physical Destruction
- Destruction Using a Paper Shredder
- De-magnetization: A method where magnetic media is passed through special devices exposing it to strong magnetic fields, rendering the data on it unreadable and corrupted.
7.1.3. Anonymization of Personal Data
Anonymization of personal data refers to rendering personal data in such a way that it cannot be associated with an identified or identifiable natural person, even when combined with other data. Turkish Tea Company may use one or more of the following methods to anonymize personal data:
- Masking: Masking is a method of anonymizing personal data by removing the key identifying information from the data set. For example, converting a data set into one where identification of the personal data subject is impossible by removing information such as name, Turkish ID number, or other identifying details.
- Removing Records: In the removing records method, data entries containing uniqueness are removed from the data set, thereby anonymizing the stored data.
- Regional Obfuscation: In the regional obfuscation method, if a single piece of data creates a rare combination that is identifying, the related data is hidden to achieve anonymization. For example, if only one producer declares 1,200 kg in “İkizdere/Anzer” district; instead of “District: İkizdere/Anzer,” it is replaced with “Province: Rize,” and instead of “Harvest: 1,200 kg,” it is written as “Harvest: 1–1.5 tons.” The certificate number “TR-123” is not shown, and only “Organic: Yes/No” information is left. In accordance with Article 28 of the Personal Data Protection Law (KVK), anonymized personal data can be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the KVK Law and does not require the explicit consent of the personal data owner.
Turkish Tea Company will unilaterally decide on and implement the deletion, destruction, or anonymization of personal data. Additionally, within the scope of Article 13 of the Regulation, if the data subject selects one of the categories of deletion, destruction, or anonymization of their personal data during their application, the Company will have discretion regarding the methods to be used within the selected category.
8. PERSONAL DATA RETENTION AND DESTRUCTION PERIODS
The Company retains personal data for the period necessary for the purpose for which they are processed. If the primary purpose of collecting the personal data or, if applicable, the secondary processing basis specified in this Policy ceases to exist, the personal data may continue to be retained by the Company for the periods stated.
If there is a period prescribed by legislation regarding the retention of the relevant personal data, that period shall be observed. In the absence of a legally prescribed period, personal data shall be retained for the maximum duration permitted under the law and secondary regulations. These periods are determined by evaluating the Company’s data categories and data subject groups; this evaluation ensures compliance with legal obligations and takes into account the statute of limitations period set forth in the Turkish Code of Obligations (10 years).
When the obligation to delete, destroy, or anonymize arises due to the expiration of these periods, Turkish Tea Company shall delete, destroy, or anonymize the personal data in the first periodic destruction process following this date.
8.1. PERIODIC DESTRUCTION PERIODS
The Company’s periodic destruction period is 6 months. Personal data whose retention period has expired shall be destroyed in accordance with the procedures set forth in this Policy within 6-month periods. The data will be deleted in a manner that ensures they cannot be recovered, including from any physical media such as documents, files, CDs, diskettes, hard drives, or similar storage devices.
All operations related to the deletion, destruction, and anonymization of personal data are recorded, and these records are retained for at least three years, except for other legal obligations.
Regarding the monitoring of the periodic destruction process, the Company is obliged to register with the Data Controllers’ Registry before starting to process data and to take all administrative and technical measures throughout the process.
8.2. PERSONNEL
Within the scope of the Personal Data Protection Law (KVK Kanunu), Turkish Tea Company, as the data controller, has provided necessary personnel training on the protection of personal data and has informed employees and responsible parties about the destruction processes.
In this context, the Company shall be responsible for auditing whether the Relevant Users comply with this Policy and the Personal Data Policy prepared within the framework of the Law and the Regulation. Employees are obligated to report to the company management the actions they have carried out in accordance with this Policy within the specified periodic destruction periods.
9. APPLICATION OF THE DATA SUBJECT
Pursuant to Article 13 of the Personal Data Protection Law (KVK Kanunu), the data subject may apply to Turkish Tea Company by submitting an application petition, which is attached to the Personal Data Policy, to request the deletion or destruction of their personal data.
- If all conditions for processing personal data have ceased to exist, the data controller deletes, destroys, or anonymizes the personal data subject to the request. The data controller finalizes the data subject's request within thirty days at the latest and informs the data subject.
- If all conditions for processing personal data have ceased to exist and the personal data subject to the request have been transferred to third parties, the data controller notifies the third parties of this situation and ensures that necessary actions are taken with the third parties within the scope of the Regulation.
- If all conditions for processing personal data have not ceased to exist, this request may be rejected by the data controller with justification, and the rejection response is notified to the data subject in writing or electronically within thirty days at the latest.
Turkish Tea Company may refuse the deletion of personal data belonging to the data controller for the following reasons:
(1) Processing personal data for research, planning, and statistical purposes through official statistics and anonymization.
(2) Processing personal data for artistic, historical, literary, scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic security, privacy, or personality rights are not violated and no crime is committed.
(3) Processing personal data within preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.
(4) Processing personal data by judicial authorities or enforcement agencies regarding investigation, prosecution, trial, or execution procedures.
(5) Processing personal data as necessary for preventing crime or conducting criminal investigations.
(6) Processing personal data that has been made public by the data subject themselves.
(7) Processing personal data based on the authority granted by law for regulatory, supervisory, disciplinary investigation, or prosecution purposes by competent public institutions, organizations, or professional bodies with public institution status.
(8) Processing personal data as necessary for protecting the economic and financial interests of the state concerning budget, tax, and financial matters.
(9) The request of the data subject may impede the rights and freedoms of others.
(10) Requests that require disproportionate effort.
(11) v
10. EXERCISE OF THE DATA SUBJECT'S RIGHTS
Data subjects may submit their requests regarding the rights set forth in this section to Turkish Tea Company free of charge by providing information and documents that verify their identity and by using the methods specified below or other methods determined by the Personal Data Protection Board. They must complete and sign an application form, which is attached to the Personal Data Policy:
a) Sending an email to info@turkishteacompany.com.tr,
b) Submitting the Application Form in person or via a notary to the address Merkez Mah. Çuha Sok. No. 4 (NEF 10) D. 3, Kâğıthane, Istanbul.
Data subjects may authorize third parties to submit applications on their behalf only if the third party holds a special power of attorney prepared through a notary on behalf of the data subject.
10.1. Right of the Personal Data Owner to File a Complaint to the Personal Data Protection Board (KVK Board)
In accordance with Article 14 of the Personal Data Protection Law (KVK Law), if the application is rejected, the response is deemed insufficient, or no response is given within the legal period, the data subject may file a complaint to the KVK Board within thirty days from the date the Company’s response is learned, and in any case, within sixty days from the date of the application.
10.2. Information the Company May Request from the Personal Data Owner Who Makes an Application
The Company may request information from the applicant to verify whether the applicant is the personal data owner. The Company may also direct questions to the personal data owner to clarify matters related to their application.