As Magnolia Gıda Tic. A.Ş. (“Magnolia Bakery”), we show great sensitivity regarding your personal data. As Magnolia Bakery, we place importance on ensuring that all personal data belonging to individuals associated with Magnolia Bakery—including those who benefit from our products and services—are processed and stored in accordance with the Personal Data Protection Law No. 6698 (“KVKK”). Therefore, to protect your fundamental rights and freedoms, we would like to inform you within the scope of KVKK with this document.

1.⁠ ⁠Why Was KVKK Enacted?

Both public institutions and private organizations have long processed personal data in connection with fulfilling certain duties or providing services. This may arise from legal regulations, from the consent of individuals, from contractual relationships, or from the nature of the transaction. It should be noted that the protection of individuals’ fundamental rights and freedoms during the data processing activities is one of the primary concerns.

KVKK entered into force in order to regulate the processing of personal data, protect fundamental rights and freedoms, safeguard the right to privacy and information security, and determine the obligations, procedures, and principles applicable to natural and legal persons who process personal data.

2.⁠ ⁠What Is Personal Data?

Personal data refers to any information relating to an identified or identifiable natural person. Not only information such as name and surname that clearly identifies a person, but also information relating to physical, economic, social, and other characteristics of the individual constitutes personal data. The identifiability of a person refers to the possibility of associating existing data with a real person in any way that enables their identification. This covers all situations whereby a person can be identified on the basis of physical, economic, cultural, social, or psychological identity, or by linking information such as identity, tax, or insurance numbers.

3.⁠ ⁠What Is Sensitive Personal Data?

Sensitive personal data consists of individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. These categories are explicitly and narrowly defined in KVKK, and it is not possible to consider personal data outside these categories as sensitive personal data under the legislation.

4.⁠ ⁠What Is Personal Data Processing?

The obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data—whether fully or partially automated, or non-automated but part of a data filing system—are all considered personal data processing activities. All actions performed from the collection of personal data up until its deletion, destruction, or anonymization constitute personal data processing under the Law.

5.⁠ ⁠Who Is the Data Subject?

The data subject refers to the natural person whose personal data is processed. KVKK protects only the rights and freedoms of natural persons; it does not apply to legal entities.

6.⁠ ⁠Who Is the Data Controller?

A data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system. Legal entities are themselves considered data controllers with respect to their data processing activities, and the legal responsibility arises directly within the legal entity. There is no distinction between public and private legal entities in this regard.

Under the Law, the data controller is the party who determines the purpose (“why”) and the method (“how”) of the processing activity.

7.⁠ ⁠What Is Explicit Consent and When Is It Required?

Explicit consent is the freely given and informed approval of the data subject regarding the processing of their personal data, provided in connection with a specific processing activity. Explicit consent must contain a clear, affirmative declaration of intent. Unless required by other legislation, explicit consent does not need to be obtained in writing.

For example, under KVKK, health data belonging to real persons may only be processed by individuals who are not under a confidentiality obligation if explicit consent has been obtained (except in cases related to protection of public health, preventive medicine, medical diagnosis, treatment, or care services).

PERSONAL DATA PROTECTION CUSTOMER INFORMATION NOTICE

1.⁠ ⁠Purpose of the Information Notice and Our Company’s Status as Data Controller

Our company, Magnolia Gıda Tic. A.Ş. (“Magnolia Bakery”), is the “data controller” within the scope of the Personal Data Protection Law No. 6698 (“Law”) regarding personal data belonging to customers. With this Information Notice, we aim to inform customers about the personal data processing activities carried out by Magnolia Bakery under the Law.

2.⁠ ⁠Purpose of Processing Customer Personal Data

Your personal data obtained during our e-commerce activities may be processed by our company for the following purposes:

Execution of goods/services sales processes

Conducting marketing analysis activities

Conducting advertising / campaign / promotion processes

Receiving and evaluating feedback to improve business processes

Carrying out marketing processes through all commercial communication channels

Ensuring business continuity

Carrying out post-sales support services

Managing customer relationship processes

Conducting customer satisfaction activities

Conducting communication activities

3.⁠ ⁠Personal Data to Be Processed and Processing Purposes

In order to carry out our e-commerce operations, the following personal data will be obtained from you:

Identity Information: Name and surname

Contact Information: Phone number, email address, address

Customer Transaction Information: Transaction details, IP address

Other: Any information shared by the customer in the note field

4.⁠ ⁠Transfer of Customer Personal Data

Your personal data may be shared—within the purposes listed above and in line with the personal data processing conditions and purposes referred to in Articles 8 and 9 of the Law—with:

Our group companies residing in Turkey

Our affiliates

Our business partners

Our suppliers

Our shareholders

Public institutions and private organizations legally authorized to receive personal data

5.⁠ ⁠Method and Legal Basis for Collecting Personal Data

Personal data is collected electronically from customers. The personal data collected on the legal grounds mentioned above may be processed and transferred for the purposes outlined in this Information Notice and, when applicable, in the Consent Notice under Articles 5 and 6 of the Law.

6.⁠ ⁠Rights of Customers as Data Subjects

Under Article 11 of the Law, data subjects have the right to:

Learn whether their personal data is processed

Request information regarding the processing

Learn the purpose of processing and whether the data is used appropriately

Learn the third parties to whom personal data is transferred domestically or abroad

Request correction of incomplete or incorrect personal data and request notification of such correction to third parties

Request deletion or destruction of personal data when the reasons requiring processing no longer exist, and request notification of such deletion to third parties

Object to results arising from automated processing that may be unfavorable to the person

Request compensation in case of damage caused due to unlawful processing of personal data

Requests regarding these rights may be submitted by data subjects through the methods specified on the KVKK Application Form page of our website. Magnolia Bakery will assess and finalize the request within 30 days.