Personal Data Protection, Processing, and Privacy Policy
Personal Data Protection, Processing, and Privacy Policy
I. INTRODUCTION
The Law on the Protection of Personal Data No. 6698 (“Law”) came into effect on April 7, 2016. The Law defines personal data and sets out principles for their protection as well as the conditions that must be followed by those acting as data controllers when processing these data. According to the Law, personal data refers to any information relating to an identified or identifiable natural person. The processing of personal data refers to any operation performed on personal data, including its collection, recording, storage, alteration, sharing with third parties, and transfer abroad, whether automated or not. Restaon® takes the necessary administrative and technical measures to ensure compliance with the Law by adopting the principles regarding the protection and processing of personal data laid down in the relevant legislation. For the scope of this Personal Data Protection and Processing Policy (“Policy”), see VI. DATA OWNER AND PERSONAL DATA CATEGORIZATION. The currently applicable legal regulations regarding the processing and protection of personal data will take precedence. In the event of any inconsistency between the applicable legislation and the Policy, Restaon® acknowledges that the provisions of the applicable legislation will prevail. This Policy has been in effect since 26/07/2017. If the entire Policy or specific provisions are updated, the effective date of the Policy will be updated accordingly. The Policy is published on Restaon®'s website (www.restaon.com) and is accessible to personal data owners. Changes and updates may be made to the Policy to comply with changing conditions and regulations, and these will be presented to personal data owners through the relevant website.
II. PROCESSING OF PERSONAL DATA
II.I. PRINCIPLES OF PROCESSING PERSONAL DATA
Article 20/III of the Constitution guarantees that personal data can only be processed in the cases provided for by law or with the explicit consent of the person. In line with these rights granted to personal data owners, Restaon® processes personal data in accordance with the principles specified in the relevant legislation or in cases where explicit consent of the person exists, as follows:
- Processing in Compliance with the Law and the Principle of Integrity
- Ensuring the Accuracy and Timeliness of Personal Data
- Processing for Specific, Clear, and Legitimate Purposes
- Being Relevant, Limited, and Proportionate to the Purposes of Processing
- Retaining for the Period Required by Relevant Legislation or for the Purpose of Processing
II.II. CONDITIONS AND PURPOSES OF PROCESSING PERSONAL DATA
Personal data can generally only be processed with the explicit consent of the data owner. Article 5 of the Law provides the conditions for the processing of personal data, and Article 6 provides the conditions for the processing of sensitive personal data. The Law defines personal data that, when processed unlawfully, carries the risk of causing individuals to suffer harm or discrimination as “sensitive personal data.” Article 6 of the Law lists sensitive personal data in a limited manner, including a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. We process sensitive personal data of customers/users as mentioned in the Policy above. The explicit consent of the data owner must be given regarding a specific matter, based on being informed and freely. In the presence of one or more of the conditions mentioned below, personal data may be processed without obtaining the explicit consent of the owner. Restaon® processes personal data in any case in accordance with the general principles specified in Article 4 of the Law, in accordance with the purposes and conditions outlined below.
III. TRANSFER OF PERSONAL DATA
III.I. GENERAL PRINCIPLES FOR THE TRANSFER OF PERSONAL DATA
Articles 8 and 9 of the Law contain provisions regarding the transfer of personal data both domestically and internationally. Restaon® may transfer personal data/sensitive personal data of the data owner to third parties by taking necessary security measures in accordance with the purposes of data processing, which it has obtained lawfully. Accordingly, Restaon® may transfer personal data under the conditions specified in Section II and if one of the following conditions is met:
- If the data owner has given explicit consent,
- If there is a clear provision in the laws regarding the transfer of personal data,
- If it is necessary to protect the life or physical integrity of the data owner or another person, and if the data owner is unable to express consent due to actual impossibility, or if their consent is not given legal validity;
- If it is necessary to transfer personal data related to the parties of a contract that is directly related to the establishment or performance of that contract;
- If the transfer of personal data is necessary for Restaon® to fulfill its legal obligations;
- If personal data has been disclosed by the data owner;
- If the transfer of personal data is necessary for the establishment, exercise, or protection of a right;
- If the transfer of personal data is necessary for Restaon®’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data owner.
III.II. TRANSFER OF PERSONAL DATA ABROAD
Restaon® may transfer personal data of the data owner abroad in the following cases, in line with legitimate and lawful purposes of processing personal data:
- If the data owner has given explicit consent, or
- If the data owner has not given explicit consent but one or more of the conditions mentioned above are met; (i) If there is adequate protection in the country to which the data is transferred, and (ii) If there is no adequate protection in the country to which the data is transferred, Restaon® shall ensure adequate protection in writing with the data controller in the relevant foreign country, and obtain the approval of the KVK Board (Data Protection Authority).
III.III. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED
Restaon® may transfer the personal data of the data owners governed by the Policy to the following parties in accordance with the conditions stated above and in compliance with Articles 8 and 9 of the Law:
- Anonymous to partners to ensure the fulfillment of the objectives of the partnership,
- Limited to restaurants for fulfilling the contractual purposes,
- Limited to suppliers for providing the necessary services to Restaon® to carry out its commercial activities,
- Limited to subsidiaries for conducting commercial activities that require the participation of Restaon®'s subsidiaries,
- To shareholders for designing strategies regarding Restaon®'s commercial activities in compliance with relevant legislation,
- With the Delivery Hero Group, to which we belong, to ensure the conduct of commercial and operational activities requiring the involvement of the Delivery Hero Group,
- To relevant public institutions and private legal entities requesting data under their legal authority.
IV. PROTECTION OF PERSONAL DATA
Restaon® takes the necessary administrative and technical measures in accordance with the relevant legislation to ensure the security and lawful processing of personal data. This includes the lawful processing of personal data, their storage in secure environments, the prevention of unauthorized access risks, and any other unlawful access, the prevention of accidental data loss, and the prevention of intentional damage or deletion of the data.
V. INFORMATION, RIGHTS, AND NOTIFICATION OF PERSONAL DATA OWNERS
V.I. INFORMATION OF PERSONAL DATA OWNERS
The law states that personal data owners must be informed when their data is collected. In line with this, Restaon® informs personal data owners in accordance with the general principles of personal data processing laid down in the relevant legislation.
V.II. RIGHTS OF PERSONAL DATA OWNERS
Article 11 of the law lists the rights that personal data owners have. Accordingly, the data owner has the right to:
- Learn whether their personal data are being processed,
- Request information regarding their processed personal data,
- Learn the purpose of processing their personal data and whether they are used accordingly,
- Know the third parties to whom their personal data have been transferred, both domestically and abroad,
- Request the correction of their personal data if they have been processed incompletely or inaccurately,
- Request the deletion or destruction of their personal data if the reasons for processing have ceased to exist, even if they were processed lawfully,
- Object to the emergence of a result against them by means of the exclusively automated analysis of processed data,
- Request compensation for the damages incurred due to unlawful processing of their personal data.
VI. CATEGORIZATION OF OWNERS AND PERSONAL DATA
VI.I. CATEGORIZATION OF OWNERS
Restaon® has categorized the owners of personal data processed within its organization as follows.
VI.II. CATEGORIZATION OF PERSONAL DATA
Under this Policy, the personal data processed by Restaon® have been categorized. The personal data of owners listed in the categories above are associated with the following categories of personal data.