Sushico Berlin GmbH ("SushiCo" or "Data Controller"), as the data controller, adopts the principles stipulated by the relevant legislation in order to comply with the Personal Data Protection Law No. 6698 ("KVKK") and the European Union General Data Protection Regulation No. 2016/679 ("GDPR"), and fulfils its obligations regarding the processing, deletion, destruction, anonymisation, transfer of personal data, informing the data subject and ensuring data security. In this context, this Privacy Principles and Clarification Text on the Protection of Personal Data has been prepared and it is aimed to inform the real persons whose personal data are processed ("Data Subject") by making them accessible.
PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
1.1. Processing in accordance with the Law, Good Faith and Transparency
In the processing of personal data, we act in accordance with the principles introduced by legal regulations, the rule of trust and honesty and the principle of transparency.
1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Periodic checks and updates are carried out in order to ensure that the processed personal data of groups of persons are accurate and up-to-date, and necessary reasonable measures are taken in this direction. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within SushiCo. The member can make changes and updates from the “Account Information” page after logging in on the SushiCo website.
1.3. Processing for Specific, Explicit and Legitimate Purposes
Personal data are processed based on clear, specific and legitimate data processing purposes. The purpose for which the data will be processed is explained in detail in this text.
1.4. Being relevant, limited and proportionate to the purpose for which they are processed
Personal data are processed in a measured, purpose-related and limited manner in order to achieve the foreseen purpose(s), and the processing of personal data that is not related to the realisation of the purpose or is not needed is avoided.
1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
SushiCo retains personal data only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, firstly, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, this period is complied with, and if a period of time is not determined, personal data is stored for the period required for the purpose for which they are processed. In the event that the period expires or the reasons requiring processing disappear, personal data are deleted, destroyed or anonymised in accordance with SushiCo's Personal Data Retention and Destruction Policy, unless there is a legal reason that allows them to be processed for a longer period of time.
1.6. Processing in accordance with the Integrity and Confidentiality of Data
Personal data are processed in a manner that ensures the security of personal data through the use of appropriate technical and administrative measures, including protection against unauthorised or unlawful processing or accidental loss, destruction or damage.
2- ENLIGHTENING AND INFORMING THE GROUP OF PERSONS
During the acquisition of personal data at SushiCo, the relevant groups of persons are informed and clarification is carried out. In addition, information is provided on the SushiCo website and mobile application, in the common areas within the company, in the restaurant areas, through information texts and square codes. Within the scope of the disclosure, SushiCo's identity as the data controller, the types of personal data processed, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the groups of persons are notified.
Interested Persons can always request information via SushiCo- info@sushicodeutschland.com e-mail address. Necessary information will be provided as soon as possible upon request.
3- CATEGORISATION OF PERSONAL DATA
SushiCo processes personal data of groups of persons in the categories specified and exemplified below. Other processed personal data and information about the relevant persons are included in SushiCo's internal policies and regulations and the relevant persons are informed in this context.
Identity
Name, surname, date of birth, gender
|
Customer-Member Customer
Supplier Authorised
Supplier Employee
Employee Candidate
|
Contact
Mobile phone, e-mail address, address, postcode, landline telephone
|
Customer-Member Customer
Supplier Authorised
Supplier Employee
Employee Candidate
|
|
Location
|
Customer - Member Customer
Supplier Employee
|
|
Legal Action
|
Customer - Member Customer
|
Legal Action
Contract, legal information
|
Supplier Authorised
Supplier Employee
Employee Candidate
|
Customer Transaction
Order records, customer service records
|
Customer - Member Customer
|
Process Security
Password, Passphrase, IP information
|
Customer - Member Customer
Online Visitor
Supplier Authorised
Supplier Employee
Online Visitor
|
Finance
Receipt and invoice information, bank account information, financial information
|
Customer - Member Customer
Supplier Authorised
Supplier Employee
|
|
Professional Experience
|
Supplier Employee
Employee Candidate
|
|
Marketing
|
Customer - Member Customer
Online Visitor
|
4- PURPOSES OF PROCESSING PERSONAL DATA
Personal data are processed limited to the following conditions.
The relevant activity regarding the processing of your personal data is clearly stipulated in the laws,
The processing of your personal data by SushiCo is directly related to and necessary for the conclusion or performance of a contract,
Processing of personal data is mandatory for SushiCo to fulfil its legal obligations,
Provided that the personal data has been publicised by the group of persons; processing by SushiCo limited to the purpose of publicisation,
The processing of personal data by SushiCo is necessary for the establishment, exercise or protection of the rights of SushiCo or groups of persons or third parties,
It is mandatory to carry out personal data processing activities for the legitimate interests of SushiCo, provided that it does not harm the fundamental rights and freedoms of groups of persons,
The processing of personal data by SushiCo is necessary for the protection of the life or physical integrity of the data subject or another person, and in this case, the data subject is unable to disclose his/her consent due to actual impossibility or legal invalidity, or personal data is necessary for the protection of the vital interests of the data subject or another person.
In the absence of the above-mentioned conditions, SushiCo applies for the explicit consent of the personal data owners in order to carry out personal data processing activities.
SushiCo processes personal data in its related processes for the purposes stated below:
Member Customer Personal Data;
Realisation of membership transactions.
Benefiting from the products and services offered by SushiCo, improving services, developing new services and providing information.
Performance of the Membership Agreement and Distance Sales Contract.
In case of explicit consent, promotion, providing opportunities and benefits, realisation of marketing activities.
Member Resolving customer problems and complaints.
Improving both desktop, tablet and mobile platform and mobile application experiences.
Follow-up of accounting and purchasing transactions.
Legal processes and compliance with legislation.
Responding to information requests from administrative and judicial authorities.
Ensuring information and process security and preventing malicious use.
Making the necessary arrangements to ensure that the processed data is accurate and up-to-date.
Establishment and implementation of processes for ensuring the security of information and internal process improvements.
Customer Personal Data;
Benefiting from the products and services offered by SushiCo, improving services, developing new services and providing information.
In case of explicit consent, promotion, providing opportunities and benefits, realisation of marketing activities.
Follow-up of accounting and purchasing transactions.
Legal processes and compliance with legislation.
Responding to information requests from administrative and judicial authorities.
Ensuring information and process security and preventing malicious use.
Making the necessary arrangements to ensure that the processed data is accurate and up-to-date.
Establishment and implementation of processes for ensuring the security of information and internal process improvements.
For Supplier Group (Supplier, Supplier Officer, Supplier Employee):
Managing the business process with suppliers.
Fulfilment of legal processes and legal requirements such as contracts for the required service.
Establishment of contracts with selected suppliers and execution of necessary transactions.
Realisation of purchasing, production, supply and similar transactions.
Execution of post-purchased product/service services and return/cancellation/recovery requirements and processes.
In accordance with the Occupational Health Act and the contract.
Control of the premium payments due to the employee and the state in accordance with the SSI legislation.
Checking whether the employees have qualification certificates (certificate, authorisation certificate, etc. depending on the work performed)
Ensuring the economic use of company resources and customer-oriented improvement of company operations.
Follow-up of accounting and purchasing transactions, control and approval of payments.
Legal processes and compliance with legislation, fulfilment of legal obligations.
Responding to information requests from administrative and judicial authorities.
Ensuring information and process security and preventing malicious use.
Making the necessary arrangements to ensure that the processed data is up-to-date and accurate.
Planning the control and audits of the fulfilment of commitments.
For the Candidate Employee Group:
Ensuring the finalisation and execution of human resources policies and processes.
Planning the application selection and evaluation processes of employee candidates.
Performing the activities required to be carried out within the framework of occupational health and safety.
Communication activities required for employee candidate placement.
Planning of candidate recruitment, placement and operation processes.
For Online Visitor:
Log records of system movements of online visitors and users.
Legal processes and compliance with legislation.
Responding to information requests from administrative and judicial authorities.
Ensuring information and process security and preventing malicious use.
Fulfilment of legal obligations.
5- TRANSFER OF PERSONAL DATA
Personal data and special categories of personal data may be transferred to third parties (third party companies, third real persons) by taking necessary security measures in line with the purposes of processing, if the conditions stipulated in Article 8 and Article 9 of the KVKK are fulfilled.
Personal data may be transferred outside the Republic of Turkey due to the software and server infrastructure used/services received.
The Personal Data Protection Authority has not yet announced the list of safe countries, and in this context, in accordance with Article 9 of the KVKK, personal data can be transferred abroad with the explicit consent of the data subjects.
METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
Your personal data transmitted to SushiCo electronically or physically are processed for the purposes set out in this regulation in accordance with Article 5 of the KVKK and the relevant articles of the GDPR; within the framework of the following legal reasons according to the groups of persons, by fully or partially automated or non-automated means, provided that they are part of any data recording system.
For Customer Contact Group;
Protection of the rights and interests of the Customer.
Providing rights and benefits to Customers for the purpose of establishing a business relationship.
Maintaining and developing internal activities.
Fulfilment of obligations arising from legislation.
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
Provided that it does not harm the fundamental rights and freedoms of the Customer, it is mandatory to process data for the legitimate interests of the data controller, such as entering customer orders into the relevant storage and analysis software in order to ensure business continuity.
Explicit consent of the Customer.
For Supplier/Business Partner Group (Supplier/Business Partner, Supplier/Business Partner Officer, Supplier/Business Partner Employee):
It is necessary for the fulfilment of the legal obligation of the data controller.
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
Provided that it does not harm the fundamental rights and freedoms of the Supplier/Business Partner, it is mandatory to process data for the legitimate interests of the data controller, such as storing the contact information of those concerned in order to ensure business continuity and fast and effective communication.
Explicit consent of the Supplier/Business Partner.
For the Candidate Employee Group:
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
Provided that it does not harm the fundamental rights and freedoms of the Candidate Employee, it is mandatory to process data for the legitimate interests of the data controller, such as storage and evaluations to be made for future personnel needs.
Explicit consent of the prospective employee.
For the Online Visitor Group:
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
Provided that it does not harm the fundamental rights and freedoms of the Online Visitor, data processing is mandatory for the legitimate interests of the data controller, such as analysing which pages are visited more for business development purposes.
Explicit consent of the Online Visitor.
7- STORAGE PERIODS OF PERSONAL DATA
The retention periods and legal bases of personal data processed by SushiCo are given in the table below:
| Identity |
15 years from the Termination of the Legal Relationship |
Law No. 6563 on the Regulation of Electronic Commerce, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, Consumer Protection Law No. 6502, Labour Law No. 4857, Occupational Health and Safety Law No. 6331
|
| Contact |
10 years from the Termination of the Legal Relationship |
Law No. 6563 on the Regulation of Electronic Commerce, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, Consumer Protection Law No. 6502, Labour Law No. 4857, Occupational Health and Safety Law No. 6331
|
| Location |
10 years from the Termination of the Legal Relationship |
Law No. 6563 on the Regulation of Electronic Commerce, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098
|
| Legal Action |
10 years from the finalisation of the judgement |
Code of Civil Procedure No. 6100, Code of Criminal Procedure No. 5271
|
| Customer Transaction |
10 years from the Termination of the Legal Relationship |
Law No. 6563 on the Regulation of Electronic Commerce, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, Consumer Protection Law No. 6502, Law No. 5651 on the Regulation of Publications on the Internet and the Fight Against Crimes Committed Through These Publications
|
| Process Security |
2 years |
Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications
|
| Finance |
10 years from the Termination of the Legal Relationship |
Law No. 6563 on the Regulation of Electronic Commerce, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, Consumer Protection Law No. 6502
|
| Marketing |
During the Legal Relationship |
|
8- SECURITY OF PERSONAL DATA
In order to ensure the security of personal data at SushiCo, reasonable measures are taken to prevent unauthorised access risks, accidental data loss, deliberate deletion of data or damage to data.
All necessary technical and physical measures are taken to prevent access to personal data by anyone other than the persons authorised to access it. In this context, especially the authorisation system is designed in such a way that no one can access more personal data than necessary. While ensuring the security of special categories of personal data such as health data, stricter measures are taken compared to other personal data.
Authorised persons are subjected to the necessary security controls and internal controls. They are also trained on their duties and responsibilities.
Records of access to personal data are kept to the extent permitted by technical means and these records are examined at regular intervals. In case of unauthorised access, investigation and legal proceedings are initiated immediately.
SushiCo takes the following security measures to ensure the security of the processed data:
Network security and application security are provided.
Closed system network is used for personal data transfers through the network.
Key management is applied.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
Disciplinary regulations with data security provisions for employees are in place.
Training and awareness raising activities on data security are carried out at regular intervals for employees.
An authorisation matrix has been created for employees.
Access logs are kept regularly.
Corporate policies on access, information security, use, storage and disposal have been prepared and started to be implemented.
Confidentiality commitments are made.
The authorisation of employees who change their duties or leave their jobs in this area is cancelled.
Up-to-date anti-virus systems are used.
Firewalls are used.
The signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data is minimised as far as possible.
Personal data is backed up and the security of backed up personal data is also ensured.
User account management and authorisation control system are implemented and these are also monitored.
In-house periodic and/or random audits are carried out and carried out.
Existing risks and threats have been identified.
Protocols and procedures for the security of special categories of personal data have been determined and implemented.
Intrusion detection and prevention systems are used.
Penetration test is applied.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is performed.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is ensured.
Data loss prevention software is used.
9- USE OF COOKIES
SushiCo utilises certain technologies such as cookies in order to make the most efficient use of its website and applications and to improve the user experience. The use of these technologies is carried out in accordance with the applicable legislation, especially the KVKK. If the use of cookies is not preferred by the relevant persons, cookies can be deleted or blocked by the following methods.
For more information about cookies, including to see which cookies are set, visit www.aboutcookies.org or www.allaboutcookies.org.
In order to guide you how to delete cookies, you can find the descriptions with the usage details of the browsers in the list below, you can manage your preferences from these pages.
Cookie Settings for Microsoft Edge
Cookie Settings for Firefox
Cookie Settings for Chrome
Cookie Settings for Safari
To opt-out of being tracked by Google Analytics, visit http://tools.google.com/dlpage/gaoptout.
LEGAL RIGHTS OF GROUPS OF PERSONS AND METHODS OF EXERCISING THEM
Rights Regarding Personal Data within the Scope of KVKK
The rights that groups of persons can use regarding their personal data are set out in Article 11 of the KVKK and are as follows:
To learn whether personal data is being processed,
Request information if personal data has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data in case of incomplete or incorrect processing,
To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK and to request that the transactions made in accordance with these provisions be notified to third parties to whom personal data are transferred,
To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
Rights Regarding Personal Data Under GDPR
The rights that groups of persons may exercise in relation to their personal data are set out in Chapter 3 (Articles 12-23) of the GDPR and are listed below:
If your personal data is processed based on your explicit consent, to withdraw such consent;
To request the restriction of the processing of your personal data in the following cases;
If the accuracy of your personal data has been challenged by you, for a period of time during which we can check such accuracy,
If the data processing is unlawful but you would prefer to restrict the use of your data rather than delete it,
If the processing of your personal data is no longer necessary for the purpose of the relevant data processing but is necessary for the establishment, exercise or presentation of your legal claims and demands, upon your request or
During the examination of whether the objection is invalid due to our interests after the right of objection you have exercised pursuant to Article 21 of the GDPR;
To object to the processing of your personal data if your personal data is processed, including profiling applications, on the grounds of public interest or on the basis of the authorisation granted to the data controller by law or on the basis of the legitimate interest of the data controller or a third party;
Access the following information;
Confirmation of the processing of personal data concerning you and, in this case, your respective personal data and the respective purposes and categories of data processing,
The data recipients or categories of data recipients to whom your personal data have been or will be shared, and if possible, the period for which your personal data will be stored, and if this is not possible, the criteria used to determine such period,
The existence of the right to restrict, delete or destroy the processing of personal data, to object to the processing of personal data and to apply to the supervisory authority; and
The information that the personal data is obtained from the data subject or a third party, and
Access to information on the existence of automated decision-making mechanisms we use, including profiling, and the rationale behind them and their potential consequences and significance for you;
If your personal data is processed on the basis of your explicit consent or a contractual provision and the data processing is carried out through automated mechanisms, to have your data transferred to you or, if technically reasonable, to another data controller in an organised, usable and machine-readable format;
You have the right to obtain information about the existence of and the rationale behind the automated decision-making mechanisms we use, including profiling, and their possible consequences and significance for the person concerned.
Principles on the Exercise of Rights Regarding Personal Data
In order to exercise the rights related to personal data, data subjects may apply through the following methods and channels by using the SushiCo Web Page and the KVK Application Form on the link below.
| Application Procedure |
Application Address |
| The electronic message you will send via KEP |
The electronic message you will send via email info@sushicodeutschland.com |
| The message you will send with your e-mail address registered in our system or with secure electronic signature, mobile signature |
info@sushicodeutschland.com |
| Written application to be submitted in person or through a notary public |
Stuttgarter Platz 22, 10627 Charlottenburg, Berlin
|
Applications in accordance with these procedures and the application procedures in the KVKK regulations will be answered within 30 days at the latest. In the event that your application is rejected, you find the answer insufficient or we cannot respond to the application in due time; You can complain to the KVK Board within thirty days from the date you learn our answer and in any case within sixty days from the date of application.
SushiCo's Data Protection Committee monitors and enforces the requirements of the GDPR to ensure that your personal data is always processed in an open, accurate and lawful manner. You can reach our Data Protection Committee from the contact information below:
E-mail: info@sushicodeutschland.com
11- EFFECTIVENESS AND UPDATEABILITY
The current version of this Privacy Policy and Clarification Text entered into force on April 2024. The regulation is updated in order to comply with the legislation in the light of current Board decisions and requirements and is monitored by the SushiCo Data Protection Committee and published on the website.
Sushico Berlin GmbH
Stuttgarter Platz 22, 10627 Charlottenburg, Berlin
Telephone: +491724288445
E-mail: info@sushicodeutschland.com
