Declaration On Protection Of Personal Data

Migros Ticaret A.Ş. (“Migros”) Privacy and Data Security Policy (“Privacy and Security Policy”) aims to help you understand why and how we collect data, what data we collect, what we do with this data and how we ensure its security. This information is important. Therefore, we recommend that you take the time to read our Privacy and Security Policy carefully. Also, if you are a member of a Migros web site, application or Money Club Card, we remind you that you can find the controls necessary to manage your information and protect your privacy in the Membership Procedures section of your relevant membership, which you access with your password. You can use the Membership Procedures section of the service channel through which you shared this information, this link, or our following service to correct/update your personal data:

Our Customer Services Centre: 0850 200 40 00

Migros Management considers the application of Migros Information Security Policy as one of the vital processes of the company.

It is important to us that you know clearly how we use your information, how we ensure your security and how you can protect your privacy while you are using our services.

Our Privacy and Security Policy explains the following:
• What information we collect and how we use it?
• How our customers access and update their information?
• How we protect the collected information?

You can let us know your questions, concerns or complaints regarding Our Privacy and Security Policy through our 0850 200 40 00 call centre. Please contact us for all your requests and questions in this respect.

What information we collect and how do we collect it?

As Migros, we collect your personal information from you with the intention of offering better services to you, our customers. Personal information we collect enables us to notify you about the latest products, shopping deal opportunities, personal deal offerings and future activities of Migros. Moreover, the data we collected from you also enable us to receive feedback from you in the most accurate way about our services and departments by maintaining information exchange with you, the customers.

If you want to take a look at our Migros web sites, e-trade sites of Migros, Money Club card privileges and/or our applications, we do not request any personal information from you; however, if you want to participate in any features and services offered by our websites, applications and/or services, we may ask you to provide various personal or demographic information. Any information defining you personally and/or being used for communication is defined as personal information in our Privacy and Security Policy. These may include, for example, your name, postal address, e-mail address, telephone number, date of birth, age, sex or fields of interest and preferences associated with your personal data.

Your personal data is only collected with your consent (for example, if you provide it deliberately by using online forms found on our websites and/or applications or during Money Club card application) and the information collection process generally takes place as follows:

• When you enrol in/become a member of websites or applications
• When you take part in message boards and other online activities
• When you send an announcement or notice to your friend
• When you participate in questionnaires/votes
• When you send feedback through "Contact Us" form
• When you enter information with respect to business (for example, curriculum vitae delivery, media requests, etc.)
• When you have request of any kind requiring personal data input
• When you are recorded by the in-store camera recording system

The type and amount of information collected with respect to the abovementioned characteristics will vary depending on the activity. The data we collect during Migros service and website memberships (apart from credit card information) are stored by us. This information may contain the following (but is not limited to these):

• Name, surname
• Postal address
• E-mail address
• Telephone number
• Shopping information

You may be asked to create a user name and/or password for some activities or memberships. Moreover, you may be obliged to provide additional demographic information. This information may include the following:

• Your age or date of birth
• Your gender
• Your frequency of use
• Other information about you


Mobile applications prepared within Migros may collect some information from the users automatically. This information includes;

• Brand-model of your mobile phone,
• Internet Protocol address (IP) of your mobile phone,
• Operating system of your mobile phone,
• Location information (within the framework of the permission you have given on your phone for use of location information).

You can stop this information flow at any time by removing the application from your phone. (You can adjust the data collected through your phone from the application settings and permissions section on your phone.)

The Social Media program of Migros covers platforms such as Facebook, Twitter and Instagram, etc. Social media content and the features being used are subject to the relevant platform's own privacy policy. Please read the privacy policies of the aforementioned companies (Facebook, Twitter, Instagram, etc.) in order to obtain information about the social media privacy policy.

Cookies and Other Technologies

We may use cookies while collecting the data to be processed in line with the purposes explained in our Privacy and Security Policy. Cookies are small text files stored on your computer or mobile device when you visit an internet site, and they keep various information concerning your visit.

Nowadays, many internet browsers have cookie blocking mode while visiting internet sites. If you activated cookie blocking mode on your web browser, you may not benefit from some features we developed for you on our web site.

As in the case of many websites, some information such as Internet Protocol (IP) addresses, browser type and license, internet service provider (ISP), referring and exit pages, operating system, date/time stamp and clickstream data are collected and saved automatically.

Another technology we use on our website is the “web beacon”. Web beacons (pixel tags) collect information such as the number of times our web site is displayed.

Migros web sites may also use other technologies such as online services, interactive applications, e-mail messages and ads, cookies and web beacons. Information collected by cookies and other technologies is considered as non-personal information and is used only to improve the service we offer to you. Your visit to our web sites means you give your consent to use of cookies and web beacons within the scope of this policy.

Link clicking URLs connecting to the content on the Migros web site are used in some of our e-mail messages. When customers click on one of these URLs, they pass through a separate web server before reaching target page on our web site. These link clicking data are monitored with the intention of determining interest in certain subjects and measuring the effectiveness of our customer communication. If you do not want to be monitored in this manner, you must not click on the text or graphic link incoming in e-mail messages.

In-store Camera Recording System

Camera recording system is used in our stores for the safety of our customers and operational purposes (for example, state of in-store traffic, etc.). Relevant recordings may be shared with the official authorities under circumstances requiring legal procedures.

How Do We Use the Collected Information?

The information being collected from you is used in line with the purpose you provided us your information, during collection of information or in line with the purposes explained in our Privacy and Security Policy. Option may be offered to use of your information for a different activity or service other than the activity or service you requested while enrolling to our websites and/or applications, providing information or updating your information.

Also, we may use your personal and/or demographic information for our analysis works. In this way, we can continually improve, personalize, customize the products and services we offer you and meet your requirements in a better way. These include merging, updating or expanding in different ways sometimes the data we obtained from external sources and/or third parties and your personal data collected through our websites and/or applications. We do not sell, rent and/or exchange your personal data.

We use and store your personal data in compliance with the statutes at large with the intention of:

• Making our website and application easier to use,
• Promoting our products and services,
• Sending your online and mobile orders to your address,
• Acquainting ourselves with our members and improving our communication,
• Offering general and special campaigns/advantages,
• Running marketing activities and advertising campaigns,
• Making our departments and services customer specific and personalized,
• Performing data analysis, research, surveys and other customer satisfaction applications/notifications

We need your information in order to exceed customer expectations, to ensure their satisfaction expected from us by reaching out to them and to remain closer to the people we serve. Your personal data is not used aside from the purposes indicated above.

Migros Customer Communication Program (“Program”) is customer oriented marketing program offering general and special campaign, promotion, discount, introduction, opportunity to benefit from clubs-specific advantages and similar benefits that may also be performed together with the Program partners included in;

• Money Club Program Partners
• Migros E-Trade Sites Program Partners


and updated list, to the program members in all places of business including those in the electronic environments operated by Migros.

By becoming a member of our service and departments, our customers warrant commercial electronic message to be sent to them through all kinds of electronic media by Migros and Program partners, within the framework of the applications that may be carried into effect directly or indirectly by the Program, with respect to general and special campaigns, advantages, product, service introductions, advertising, market research surveys and other customer satisfaction applications, notices.

Members give permission for their personal data such as shopping information, name, surname, mobile phone numbers, date of birth, home city, sex, etc., location information that can be accessed due to electronic programs and non-personal information to be collected in order to be used with the intention of good and service promotion, image building, product, service and communication improvement, getting acquainted with its members, auditing, data analysis, research, understanding trends, and also to be used in marketing and advertising services, being stored in data recording systems, being shared with the execution partners such as Program partners, GSM Operators / Social Networking Sites / Cargo companies, etc. for the abovementioned purposes. Unless member indicates otherwise, he/she acknowledges his/her current data to be stored, shared, processed, in line with similar purposes listed within the scope of this article, also after the expiry of his/her membership.

Migros may share cumulative (batch) customer statistics with third parties such as its business partners (including its investors), press, etc. in a manner not to contain the personal data in the individual detail.

The Principles We Observe When Processing Your Data

When we are processing your data, we observe:

• Data to have specific scope,
• Procedures to be performed for legal purposes,
• Procedures being in compliance with law and good faith,
• Data being related, limited and restrained to the purposes for which it is being collected or processed,
• Processing being performed with up-to-date data,
• Data being stored throughout the necessary period for the purpose of processing.

Accessing and Updating Information

You can make sure that your contact information, preferences and other personal data are correct, complete and up-to-date by accessing your account through our websites and/or applications. Password, user name, credit card information or other personal data are never requested from you through e-mail. This method aimed at stealing and using your personal data in bad faith is called “Phishing”. When you receive a message appearing to be sent by us, but requesting your personal data, you must not reply to such message.

We aim to enable you to access your personal data whenever you use our services. If this information is incomplete or inaccurate, we run the process necessary for you to update or delete this data (if it is not required to be retained for a justified ground concerning the company or legal purposes). We may ask you to verify your identity first to fulfil your request when you update your personal data.

You can use the membership section with a password on the website of our service channel that you share this information or this link or our following services to query your information saved in our database or to correct/update your personal data:

Our Customer Services Centre: 0850 200 40 00

Your Rights Concerning Your Data Being Collected

You have certain rights concerning the data we collected within the framework of this policy. You can;

• Find out whether the data was processed or not,
• If processed, obtain information concerning this,
• Find out the purpose of processing and whether used in compliance with the purpose or not,
• If any, find out the third parties it is being shared with domestically and abroad and the data being shared,
• Ask for it to be corrected in the case of it being inaccurate or incomplete,
• In the case of the reasons necessitating its processing being removed or data losing its actuality, ask for your data to be deleted or destroyed,
• If you have requests concerning its deletion or correction, ask for your request to be notified to the third parties to which the data has been transferred.

You can contact us through our 0850 200 40 00 call centre or this link for your relevant requests.

Our Data Security Criteria

Migros takes all the necessary technical and organizational precautions in order to ensure privacy and security of sensitive personal data and your personal data collected over our websites and/or other applications. These precautions feature various subjects also including the following:

• Storage of your personal data in a secure, non-public working environment that can be accessed only by Migros employees (within the scope of nondisclosure agreement made with our employees), our intermediaries and contractors
• Authentication of identity of our users, of whom we store personal data, through website or application before accessing this information


Migros takes the relevant precautions including administrative, technical and physical precautions for the protection of your personal data against loss, theft and misappropriation, and also against unauthorized access, sharing, amendment and destruction. Migros uses Secure Sockets Layer (SSL) protocol encryption in online services such as E-Trade sites and on all websites where personal data is collected. You must use an SSL-supporting browser such as Safari, Firefox, Chrome or Internet Explorer to purchase products from these services. By this means, you can protect the privacy of your personal data transmitted over the internet.

Migros Privacy and Security Policy and practices applied to ensure privacy are explained to the customer/individual upon the request of the customer/individual. Migros abides by the PCI DSS (Payment Card Industry Data Security Standard) regulations established with the intention of ensuring data security in card payment systems and ensures secure data transmission and operation in card payment systems. Your credit card number is transmitted to your bank after being encrypted by our online credit card application and never shared with third parties. Your credit card information is not stored/retained by Migros.

Migros, at its sole discretion, may require 3D payment option for the customers to complete their orders.

Validity of Privacy and Security Policy

Our Privacy and Security Policy is valid for all services offered by Migros (including advertising and research services, etc.).

Leaving Information and Announcement List

If you do not want to take part in our announcement and information list, you can leave at any time by updating your preferences. The authority to access and control the commercial-electronic messages sent from Migros for notification and communication purposes is in your hands. If you do not want us to contact you while your membership to our service and departments continues, you can use your “CANCEL” right in digital media, and carry out your cancellation procedure by sending a free SMS to 7447 or contacting our call centre. You will not be contacted until you send an approval invalidating this. If you do not want to benefit from our services any longer and choose to drop out of the membership, you can call our customer services line or apply to the information departments found in our stores.

Privacy Questions and Reminders

This policy is subject to change due to continuous changes in internet technologies and internet-based business models not having a constant structure. All kinds of changes within the scope of our Privacy and Security Policy will be announced to our visitors over our websites and/or applications. We recommend that you visit our website periodically to follow the changes to be made to our Privacy and Security Policy.

Please contact us, if you have any questions or concerns about Migros Privacy and Security Policy or data processing.

Spam e-mails

Spamming is sending e-mail with the intention of advertising, marketing or promotion against your will and without your consent.

As Migros, we do not send spam e-mail. Sending advertising intended e-mail without the consent of the other party is illegal. We do not use your personal data (also including your e-mail address) directly for marketing or advertising purposes without your consent. At the same time, we do not share your personal data with any third party, who may use it for spam e-mails.

Our websites, services and applications offer you the opportunity to receive marketing information through e-mail. Each e-mail sent to you by Migros offers you the opportunity to stop receiving marketing e-mails at any date.

If you believe for any reason that you are receiving spam e-mail from a Migros company, please contact us immediately.

Causes of Action and Miscellaneous

Migros may be obliged to disclose your personal data due to law, judicial process, actions and/or demand incoming from the public authorities within or outside the country. When it is deemed necessary or appropriate to share your data for national security, enforcement of law or other issues of importance for the public, your data may be disclosed to the relevant official authorities.

Migros Ticaret A.Ş. last amendment date: 29.06.2018

We, Migros Ticaret A.Ş, would like to inform you on “Personal Data Protection”, since the protection of the fundamental rights and freedoms and the rights of privacy of our customers and employees, and the provision and protection of information security, are among our company’s highest priority principles.

In accordance with the Law on Personal Data Protection published in the Official Gazette dated 07.04.2016 and numbered 29677 (hereinafter referred to as “Law”); your personal data (name, surname, phone number, birthdate, address, sexuality, shopping information and etc.) and data with special quality (information on association, foundation or union membership, criminal conviction, security measures, sexual life, health and biometric data), shared with our Company whether through the business relationship, the Customer Communication and Satisfaction Program and/or Money Club Program or within the scope of the virtual market membership, will be stored, protected, recorded, updated, transferred to 3rd parties, categorized and processed by our Company in full compliance with the Law.

Processing of Personal Data

In accordance with the Law, processing of Personal Data means; any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;

Method of Collecting the Personal Data

Your personal data will be stored through various methods subject to the written, electronic or oral way such as sale stores, self-checkout machines, call center, corporate websites, mobile site, mobile application or via email, SMS and other ways, or during job applications, in the course of signing the employment agreements and/or within the work time, or through various channels, such as technical communication files called “cookies” (small files placed on your hard drive) by which our computers automatically identify you when you visit our website.

Purpose of Processing of the Personal Data:

Your Personal Data provided to our company is being processed by our company as the data controller in order to introduce our goods and services to our customers, recognize our customers, develop products, services and communications with our customers, apply customer satisfaction exercises and make declarations as well, audit, research and analyze the data, understand the trends, form the marketing and advertising services, fulfill our responsibilities to our employees, determine the working conditions, support the recruitment research, control the working hours, record the wage and information on wage, make the legal declarations to Social Security Institution and other institutions, apply the principles of occupational health and safety, fulfill obligations arising from laws.

Transfer of the Personal Data:

Your Personal Data will be used internally by Migros Ticaret A.Ş. and also will be shared at domestic and abroad with third party organizations and institutions such as our business partners, group companies, sub-suppliers within the framework of the above mentioned reasons and the regulations set forth in the Law.

The Rights of the Personal Data Owner:

We would like to inform you, that, by applying to Migros Ticaret A.Ş. as the data controller regarding processing of your personal data, you have the rights to:

a. Get information on whether your personal data is processed or not,
b. Request information regarding your personal data processing,
c. Get information on the purpose of processing of your personal data and on whether it is being used in compliance with the purpose or not,
d. Learn the third parties to whom your personal data is transmitted domestically or abroad,
e. Request correction of the personal data in case it is incomplete or incorrectly processed,
f. Request deletion or destruction of your personal data within the framework of the conditions set forth in Article 7 of the Law,
g. Request to inform third parties, to whom your personal data is transmitted, on the transaction made pursuant to foregoing (d) and (e) subparagraphs,
h. Object to the appearance of a result against you which is arising from the analysis of processed data through exclusively automated systems, and
i. Request indemnification of all losses in the event that you suffered a loss due to processing of your personal data in violation of the Law.


Your requests and complaints on processing your personal data can be reported to the Migros Customer Services via 0850 200 40 00.

MİGROS TİCARET A.Ş.

Personal Data Protection and Processing Policy

1. PURPOSE

As a part of its legal and social responsibility, Migros Ticaret A.Ş. (hereinafter referred to as “Migros” or “Company”) is obliged to act in accordance with the current legislation on the protection of personal data, particularly the Constitution of the Republic of Turkey (“Constitution”), International Conventions and the Law on the Protection of Personal Data No. 6698 (“the PDPL”), by making compliance with the relevant legislation a life cycle. Migros carries out the necessary studies on the protection of personal data in order to protect the privacy of the person and ensure data security. As part of these efforts, Migros has prepared a Compliance Policy (Policy) with the Law on the Protection of Personal Data.

As a part of its legal and social responsibility, with this Policy Migros aims to inform its customers, potential customers, employees, employee candidates, suppliers, tenants, lessors, Company shareholders, Institution officials, visitors, service providers, 3rd parties with whom it works, employees of private and public legal entities and its shareholders about the compliance of the processes related to the protection and processing of personal data of the authorities and third parties with the legislation and these processes.

Migros processes personal data in the following cases: where the personal data of the parties to a contract must be processed, provided that this is directly related to the establishment or performance of the contract; where processing is expressly stipulated in the law; where it is necessary for Migros to fulfill its legal obligation as a data controller; where it is compulsory for the establishment, exercise or protection of a right; and where data processing is mandatory for legitimate interests, provided that it does not harm the fundamental rights and freedoms of the person concerned. In cases where explicit consent is sought, it operates with explicit consent.

Migros processes personal data for the following purposes;

  • To promote the goods and services offered by our company, to get to know the members and/or customers, to increase communication, to increase the image, to develop and improve its products, services and communication, to register members in clubs established by Migros (for example, Migros Family Club), preparing and sending general or member-specific personalized promotions/campaigns/advantages and announcements, providing a better shopping experience to customers, performing customer surveys, customer satisfaction applications and information, auditing, data analysis (studies such as clustering, credit scoring within the framework of collaborations, modeling, statistical calculations), research, understanding trends, marketing and advertising services
  • Ensuring participation in campaigns with automatic participation, benefiting from these campaigns and informing if there are any gains as a result of the campaign, communicating about the gain and announcing this achievement in various channels,
  • In order for you to use the advantages of the Money program with your memberships in our company's www.migros.com.tr, www.macrocenter.com.tr, Migros Virtual Market mobile application, Macroonline mobile application and Money Pay, one of our program partners, within the scope of the above-mentioned Customer Communication and Satisfaction Programs to be matched.
  • Providing personalized shopping service
  • To provide general and personalized campaign information through commercial communication channels, to carry out commercial communication activities if you agree to be made, to inform about new features and changes in websites and mobile applications.
  • Creating general or personalized advertisements, segmentation and marketing analysis studies, advertisements and marketing/communication activities (mobile application and internet) of Migros, suppliers and other 3rd parties in mobile applications, websites, social media or other 3rd party environments (notifications on the websites, pop-up display, personalized offers, customizing user screens, advertising, etc.),
  • If location sharing is turned on on your mobile device, creating and delivering the closest and most suitable offers to you.
  • To ensure that the necessary work is carried out by our relevant business units in order to carry out the commercial activities carried out by the Company and that the related business processes are carried out,
  • To plan and execute the commercial and/or business strategies of the Company,
  • To ensure the legal, technical and commercial safety of the Company and the persons who have a business relationship with the Company.
  • To record and confirm the identity, address, contact and other necessary information of the shopper via the website/mobile applications, and to issue all records and documents that will form the basis of the transaction in electronic (internet/mobile etc.) or paper media,
  • To carry out the consultancy service procurement process of our customers and suppliers,
  • To fulfill the obligations undertaken in accordance with the contracts we have concluded in accordance with the provisions of the relevant legislation, to fulfill our legal obligations and to use our rights arising from the current legislation,
  • To provide information to public officials on matters related to public safety upon request and in accordance with the legislation,
  • To use as evidence in disputes that may arise
  • Planning of company recruitment and employee processes
  • Planning and execution of market research activities for sales and marketing of products and services,
  • Planning and execution of corporate communication activities,
  • Planning and execution of logistics activities,
  • Creation and follow-up of visitor records,
  • Ensuring transaction and information security, preventing transactions that may include fraudulent or illegal activities,
  • Providing customers with a better shopping experience,
  • Providing personalized shopping services (customer surveys, customer satisfaction applications and notifications, auditing, data analysis, research, statistical studies, understanding trends, using in marketing and advertising services),
  • The proper performance of Migros' services;
  • Fulfillment of obligations within the scope of legal legislation,
  • To make our website and applications easier to use,
  • Information storage, reporting, informing and providing information to audit companies, the relevant attorney or proxy, as stipulated by the regulatory and supervisory authorities.
  • Planning, auditing and execution of information security processes,
  • Preparation and submission of various reports, studies and/or presentations;
  • Collecting, evaluating and responding to the complaints, questions, requests and suggestions of the person concerned;
  • Planning and execution of customer relationship management processes
  • Planning and execution of sales and marketing processes of products and/or services
  • Fulfilling the requirements of the contracts concluded with the customer,
  • Follow-up and execution of legal affairs
  • Follow-up of contract processes and/or legal requests,
  • Getting to know our members and improving our communication,
  • To provide better and reliable service to our customers, to develop more suitable services and products and to maintain them uninterruptedly.
  • Customizing and recommending the products and services offered by Migros according to customers' tastes, usage habits and needs,
  • Visiting the Company or its website, attending trainings, seminars or organizations organized by the Company, when call centers or website are used to use Migros services.
  • Management of relations with business partners and/or suppliers,
  • Ensuring the security of its facilities such as the Company Headquarters, branch offices, warehouses, stores and Miget, etc.,
  • Planning and execution of emergency management processes,
  • Planning and execution of personnel processes for subcontractor employees,
  • Follow-up of finance and/or accounting works,
  • Planning and monitoring of building and/or construction works,
  • Execution of management activities,
  • Providing information to authorized persons, institutions and organizations,
  • Execution of talent / career development activities,
  • Execution of investment processes,
  • Ensuring the security of data controller operations,
  • Execution of the wage policy,
  • Execution of supply chain management processes,
  • Ensuring the security of movable property and resources,
  • Follow-up of requests / complaints,
  • Execution of strategic planning activities,
  • Execution of sponsorship activities
  • Conducting Social Responsibility and Civil Society Activities
  • Execution of Storage and Archive Activities
  • Execution of Performance Evaluation Processes
  • Organization and Event Management
  • Execution of Activities for Customer Satisfaction
  • Execution of Customer Relationship Management Processes
  • Execution of Goods / Services Production and Operation Processes
  • Execution of Goods / Services Sales Processes
  • Execution of Goods / Services After-Sales Support Services
  • Execution of Goods / Services Procurement Processes
  • Execution of Business Continuity Ensuring Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Processes
  • Execution of Occupational Health / Safety Activities
  • Execution / Supervision of Business Activities
  • Planning of Human Resources Processes
  • Execution of Communication Activities
  • Carrying out Internal Audit / Investigation / Intelligence Activities
  • Execution of Assignment Processes
  • Ensuring Physical Space Security
  • Execution of Company / Product / Services Loyalty Processes
  • Execution of Finance and Accounting Affairs
  • Execution of Access Authorizations
  • Execution of Training Activities
  • Execution of Audit / Ethical Activities
  • Execution of Benefits Processes for Employees
  • Fulfilling Employment Contract and Legislative Obligations for Employees
  • Execution of Employee Satisfaction and Loyalty Processes
  • Execution of Application Processes of Employee Candidates
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes
  • Execution of Information Security Processes
  • Execution of Collective Bargaining Agreement activities concluded with the union

In this Policy, Migros provides detailed explanations regarding which data is personal data, which personal data is stored, the administrative and technical measures taken for the protection of personal data, the processing and preservation of personal data, enlightening and informing the relevant persons, the transfer of personal data to third parties, and its protection.

2. SCOPE

This Policy applies to all personal data of customers, potential customers, employees, employee candidates, suppliers, tenants, lessors, service providers, 3rd parties and 3rd party employees, shareholders and partners, visitors, the employees, shareholders and officials of the private law and public law legal entities/institutions that cooperate with Migros, and third parties, that are processed automatically or non-automatically, provided that it is a part of any data recording system.

The following entities that process and store personal data within Migros, and all processes related to these entities, are within the scope of this Policy:

  • All printed or written documents and files containing personal data,
  • All applications containing personal data
  • All databases containing personal data
  • All systems containing personal data,
  • All devices containing personal data,
  • All audio recordings containing personal data,
  • All logs containing personal data (audit traces),
  • All image records containing personal data,

Anonymized and unidentifiable data such as data obtained for statistical evaluations or studies that do not contain personal data, data relating to legal entities and data that are not considered personal data pursuant to Law No. 6698 are not subject to this Policy.

3. ENFORCEMENT AND UPDATES

Policies and procedures will be published by Migros on the Corporate website and made available to all employees and the public. In case of conflict between the legislation in force, especially Law No. 6698, and the regulations included in this Policy and procedures, the provisions of the legislation shall apply. The Company reserves the right to make changes in this Policy and procedures in line with the legal regulations. In case of a change in this Policy or in the matters in the Policy and procedures, or in case of new processes coming to the agenda, the Policy will be updated immediately and the updated version will be published on the Corporate website.

4. DEFINITIONS

  • Explicit Consent: Consent on a particular subject, based on information and expressed with free will.
  • Personal Data: Any information relating to an identified or identifiable natural person. For example: name-surname, T.C. Identification Number, e-mail address, phone information, address, date of birth, credit card number, etc.
  • Special Qualified Personal Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
  • Related person: Natural person whose personal data is processed
  • Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data.
  • Worker: Migros employees
  • Employee Candidate: Natural persons who have applied for a job at Migros by any means or have made their CV and related information available for Migros' review.
  • Constitution: Constitution of the Republic of Turkey
  • the PDPL: Law No. 6698 on the Protection of Personal Data
  • the PDP Board: Personal Data Protection Board
  • the PDP Institution: Personal Data Protection Authority
  • Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking it, in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system.
  • Customer: Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, the cloud computing company that keeps the data of our Company, the interviewers who have the customers sign the forms, the call center that makes calls within the framework of the instructions, etc.
  • Data Recording System: The registration system in which personal data is processed and structured according to certain criteria
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and establishes and manages the place where the data is kept systematically (data recording system). The data controller is Migros, our company.
  • Data Controllers Registry: The Data Controllers Registry, which is open to the public and kept by the Presidency of the PDP Institution under the supervision of the PDP Board
  • Visitor: Real persons who have entered the physical campuses owned by the institution for various purposes or visited the websites
  • Employees, Shareholders and Officials of the Institutions We Cooperate With: Real persons who are employees, shareholders and officials of institutions (including but not limited to performance assistant, business partner, supplier, program partner, etc.) that have a business relationship with Migros
  • Suppliers: Third parties from which Migros purchases products and/or services on a contract basis
  • Potential Customer: Real persons who have requested to purchase and/or use our products and services, or who have been evaluated in accordance with commercial practices and honesty rules
  • Policies and Procedures: Policies and procedures prepared by Migros to comply with the Personal Data Protection Law
  • Company: Migros Ticaret A.Ş.
  • Company Shareholders: Migros shareholder real persons
  • Company official: Migros board member and other authorized natural persons
  • Migros Personal Data Application Form: The application form that data owners will use when making their applications regarding their rights in Article 11 of the PDPL
  • Third Party: Third real persons who are in relationship with these parties in order to ensure the security of commercial transactions between the parties described above and Migros or to protect the rights of the said parties and to obtain benefits.

In order to be kept in the data recording system, camera records, fingerprint records, retina scanning, records taken at the security point, records taken at the entrance to the physical space, records taken during the stay in the physical space, etc. personal data to ensure our security in every aspect while carrying out our commercial activities.

5. CATEGORIZATION OF PERSONAL DATA

Within the scope of data processing activities carried out by Migros, the categories and explanations of personal data, which are processed partially or completely automatically or non-automatically as part of the data recording system, to which the real person belongs and/or can be determined, are as follows:

PERSONAL DATA CATEGORY: EXPLANATION

  • Credentials: All information in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate, T.C. identification number, nationality information, mother's name, father's name, place and date of birth, gender, SSI number, signature information, vehicle license plate, etc.
  • Communication information: Information such as phone number, address, e-mail and fax number that clearly belongs to a real person
  • Special Qualified Information: Racial, ethnic origin, political thought, philosophical belief, religion, sect or other belief, costume and dress, association, foundation or union membership information, data on health and sexual life, criminal convictions and security measures, and biometric and genetic data.
  • Location Information: Location data obtained through the applications used by customers, obtained during the use of company vehicles, and digital cards given to visitors, employees and employee candidates
  • Physical Space Security Information: Personal data such as camera records, fingerprint records, retina scanning, records taken at the security point, and records taken at the entrance to the physical space and during the stay in the physical space, processed to be kept in the data recording system in order to ensure our security in every aspect while carrying out our commercial activities.
  • Customer information: Information obtained and produced from real person customers as a result of our commercial activities and the operations of the relevant units within the scope of these activities.
  • Customer Transaction Information: The information obtained within the scope of the records for the purchase of our products and services and the instructions required for the purchase of our customer in the data recording system, and the personalization of the usage and purchasing habits in line with the taste and needs of the personal data subject who purchases and/or uses our products and services. Personal data processed for
  • Request/Complaint Management Information: Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to Migros communication channels by real persons, whether they are Migros customers or not.
  • Reputation and Incident Management Information: In order to protect the commercial reputation of Migros and to ensure that the public is informed correctly, social media etc. related to events that have the potential to affect Migros employees and shareholders. Personal data collected from media, evaluations (posts about Migros, etc.)
  • Financial Information: IBAN number, credit card information, financial profile, income information etc. personal data processed within the scope of the records showing all kinds of financial results within the framework of the legal relationship established by Migros with the personal data subject.
  • Marketing Information: Personal data processed for tailoring and marketing our products and services in line with the usage habits, tastes and needs of the person concerned, and reports and evaluations created as a result of these processing results
  • Risk Management Information: In order to manage our commercial, technical and administrative risks, personal data processed through the methods used in accordance with the generally accepted legal, commercial practice and good faith in these areas
  • Transaction Security Information: Your personal data processed in order to ensure our technical, administrative, legal and commercial security during the execution of our activities (for example, log records, IP information, identity verification information)
  • Audio/Visual Information: Photographs and camera recordings (excluding recordings included in the Physical Space Security Information) and sound recordings
  • Audit and Inspection Information: Personal data processed for the execution of our company's operational, financial, fraud and compliance audit activities

6. PROCESSING OF PERSONAL DATA

Migros takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the PDPL and cannot use it for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.

Migros' personal data processing activity includes any action taken towards data using automatic, semi-automatic or non-automatic means, without any restrictions.

Migros has the right to process the information of a data subject during the use of its services and after the termination of the relationship, by complying with the principles set out below.

Migros protects the personal data of the person concerned, or of the third parties specified by the person concerned, through the following measures/actions it has taken:

  • Migros raises awareness among data processing institutions, such as business partners and suppliers, to which personal data has been transferred, on the prevention of unlawful processing of personal data, the prevention of illegal access to data, and the provision of legal protection of data.
  • The obligations that Migros has to comply with when processing personal data as a data controller, and the obligation to comply with the legal, administrative and technical measures it has developed in this regard, are consistent with the nature of the data processing activities performed by the 3rd parties with whom Migros has relations under various titles, such as suppliers and business partners, and it is checked whether these obligations are fulfilled.
  • Migros takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes. In addition to the PDPL technical measures, Migros also takes the necessary security measures regarding current threats in order to protect the data in question in the field of cyber security.
  • Migros carries out the necessary inspections within its own body, or has them carried out, in accordance with Article 12 of the PDPL. The results of these audits are reported and necessary activities are carried out to improve the measures taken.
  • In accordance with Article 12 of the PDPL, Migros operates the system that ensures that, if processed personal data is obtained by others illegally, this situation is reported to the relevant person and the PDP Board as soon as possible.

6.1. Scope of Processing of Personal Data

The scope of the processing of personal data is as in the 2nd and 6th headings. Migros shall have the right to process the information of the person concerned during the period of using Migros services and after the termination of the relationship, in accordance with the principles set forth in this Policy.

Personal data processing by Migros includes any action taken towards data using automatic, semi-automatic or non-automatic means, without any restrictions. In other words, personal data processing means receiving, collecting, recording, photographing, sound recording, video recording, organizing, storing, modifying, transferring, disseminating or presenting, grouping or combining, blocking, deleting or destroying data from related persons or third parties, as well as its reinstatement, retrieval or disclosure; and obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, transferring abroad, acquiring, making available, classifying or preventing the use of data by fully or partially automatic or non-automatic means, provided that it is a part of any recording system.

6.3. Processing of Personal Data in Compliance with the Principles Established in the Legislation

Pursuant to Article 5 of the PDPL, personal data can only be processed in accordance with the procedures and principles stipulated in the PDPL and other relevant legislation. Migros processes personal data in accordance with the procedures and principles set forth in the PDPL and other relevant legislation. The PDPL clearly regulates that the following principles must be complied with in the processing of personal data.

  • Processing of Personal Data in Compliance with the Law and the Rules of Integrity

Migros carries out the processing of personal data in accordance with the Constitution of the Republic of Turkey, the PDPL and other relevant legal regulations, within the principle of honesty and based on the relationship of trust.

  • Ensuring the Accuracy and Up-to-Dateness of Processed Personal Data

While executing personal data processing activities, Migros has established systems and processes to ensure the accuracy and up-to-dateness of the personal data it processes. In this context, Migros takes the necessary measures to correct the personal data of the persons concerned and confirm their accuracy.

  • Processing of Personal Data for Specific, Explicit and Legitimate Purposes

Migros, within the scope of the disclosure obligation in Article 10 of the PDPL, clearly and precisely determines the purpose of processing personal data before starting the processing of personal data, and processes it for clear and lawful purposes (for detailed information on the disclosure obligation, see Policy section 9.1).

  • Purpose-Related, Limited and Moderate Processing of Personal Data

Migros processes personal data to the extent necessary and in connection with the purpose of realizing the service it has determined and provided before starting the processing activity. Migros does not process personal data that is not related to the realization of the purpose, or on the assumption that it will be needed in the future. The processing of personal data is limited to Migros' activities and legal obligations.

  • Retention of Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing

Migros retains personal data for the limited period of time stipulated in the PDPL and the relevant legislation or required for the purpose for which they are processed. In this respect, Migros stores personal data for the period stipulated in the relevant legislation, if one is stipulated, and otherwise for the period required for the purpose for which it is processed. Migros does not store personal data for future use.

Migros deletes, destroys or anonymizes personal data in the event that the period expires or the reasons for its processing disappear.

6.4. Terms of Processing Personal Data

In accordance with the regulation in Article 5 of the PDPL, Migros processes personal data only in cases stipulated in the law or, in cases where explicit consent is required, with the explicit consent of the data subject. However, in paragraph 2 of Article 5 of the PDPL, the legislator has allowed the processing of personal data even in the absence of explicit consent. Accordingly, personal data may also be processed by Migros in the presence of one and/or several of the other conditions specified in the following clauses: "Explicitly Prescribed by Law" and "Mandatory Data Processing for the Legitimate Interest of Migros, Provided Not to Harm the Fundamental Rights and Freedoms of the Data Subject". Although the existence of only one of the conditions stated below is sufficient for personal data processing, more than one of the aforementioned conditions may also be the basis for the same personal data processing activity.

In case the processed data is special quality personal data, the conditions to be applied are specified in section 7.1 of the Policy.

  • Explicitly Prescribed by Law

The personal data of the data owner may be processed by Migros without the explicit consent of the data owner, in accordance with the law, if it is expressly stipulated in the law. For example; Personal data is processed while keeping the workplace registry file of the employees within the framework of the Labor Law and relevant legislation.

  • Being Obligatory for the Protection of the Life or Bodily Integrity of the Person, or of Another Person, Who Is Incapable of Expressing His Consent Due to Actual Impossibility or Whose Consent Is Not Legally Recognized

The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.

In cases where the personal data owner cannot express his consent or his consent cannot be validated, the personal data of the data owner may be processed if it is necessary to process the personal data of the person himself or another person in order to protect his life or physical integrity. For example, the family of our customer, who had an accident in the sales store operated by Migros, was given to the store officials by his family.

  • It is Necessary to Process the Personal Data of the Parties to the Contract, Provided that it is Directly Related to the Establishment or Performance of a Contract

Provided that it is directly related to the conclusion or performance of a contract, personal data may be processed by Migros if it is necessary to process the personal data of the parties to the contract. For example, informing the name, surname, address and telephone information of the customer shopping on the e-commerce site of Migros to the employees of the company carrying the products for the delivery of the products ordered.

  • The Personal Data Owner Has Made His Personal Data Public by Himself

If the data owner has personally made his personal data public (in any way or form, such as social media), the relevant personal data may be processed without seeking explicit consent.

  • Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed. For example, keeping the sales contract with evidence and using it when necessary.

  • Obligatory Data Processing for the Legitimate Interest of Migros, Provided Not to Harm the Fundamental Rights and Freedoms of the Related Person

Although the protection of personal data is a constitutional right, provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of Migros. For example, personal data processing activities in the calculations to be made by the financial affairs department.

  • Existence of the Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the personal data owner, in the absence of the exceptions specified in Article 5 of the Law. The personal data owner must declare that he has been sufficiently informed about a particular subject and, based on this information, he has consented to the processing of his personal data with his free will and without hesitation.

7. PROCESSING OF SENSITIVE PERSONAL DATA

7.1. Conditions of Processing of Sensitive Personal Data

Personal data determined as "sensitive" within the scope of the PDPL due to the risk of causing victimization or discrimination of individuals when processed unlawfully, are also specified in this Policy due to this sensitivity.

The processing of sensitive personal data defined in paragraph 1 of Article 6 of the PDPL is prohibited without the explicit consent of the data owner, as stated in the second paragraph of Article 6 of the PDPL. Paragraph 3 of Article 6 of the PDPL regulates the exceptions to this rule.

Sensitive personal data are processed in accordance with the above-mentioned law, provided that adequate measures to be determined by the PDP Board are taken by Migros.

7.2. Protection of Sensitive Personal Data

Under the Personal Data Protection Law, some personal data are also stated in this Policy due to the risk of causing victimization or discrimination when processed unlawfully. The processing of sensitive personal data is clearly stated in article 7.1 of the Policy.

For employees involved in the processing of special categories of personal data: regular trainings are provided on the law and related regulations as well as on the security of special quality personal data; confidentiality agreements are made; the users who have access to data, and the scope and duration of their authorization, are clearly defined; authorization checks are carried out periodically; and employees who change jobs or quit their job are given regular training, their authorizations in the field are immediately revoked and, in this context, necessary measures are taken to return the inventory allocated to the employee by Migros as the data controller.

Where the environments in which sensitive personal data are processed, stored and/or accessed are electronic media, necessary measures are taken to:

  • keep data using cryptographic methods,
  • keep cryptographic keys secure and in different environments,
  • securely log all access to data and the transaction records of all movements on the data,
  • constantly monitor security updates for the environments in which the data is located,
  • regularly perform, or have performed, the necessary security tests and record the test results,
  • close the security gaps found in the test results as soon as possible,
  • authorize the user for the software if the data is accessed through a software,
  • provide at least a two-stage authentication system if remote access to the data is required.

Where the environments in which sensitive personal data are processed, stored and/or accessed are physical environments, necessary measures are taken to ensure that adequate security measures are in place (against situations such as electricity leakage, fire, flood, theft, etc.) according to the nature of the environment in which special quality personal data is located, to prevent unauthorized entries and exits by ensuring the physical security of these environments, and to record the access of authorized persons.

8. TRANSFER OF PERSONAL DATA

In accordance with the purposes of Migros to serve the data owner properly, transfer/sharing of data related to the data owner and/or third parties indicated by the data owner may be required within the scope of data processing.

Personal data may be transferred, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9, to business partners, suppliers, Authority officials, shareholders, affiliates, subsidiaries, legally authorized public institutions and private individuals, the MİGROS Family (Migros' Management Shareholders and Migros' affiliates, subsidiaries, businesses), service providers and/or subcontractors and GSM Operators in the country and abroad and, due to information technologies, cloud service providers and social networking sites (due to the relevant servers being abroad), for the purposes of: having the business units carry out the necessary work to benefit from the products and services offered by Migros; customizing the products and services offered according to the tastes, usage habits and needs of the customers; ensuring the legal and commercial security of those who have a business relationship with Migros (administrative operations for the communication carried out by Migros, ensuring the physical security and supervision of Migros' locations, business partner/customer/supplier (authorized or employee) evaluation processes, reputation research processes, legal compliance process, audit, financial affairs, etc.); determining and implementing the strategies for Migros' commercial and business operations; and ensuring the execution of human resources policies.

Migros may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons, public institutions within the scope of relevant laws) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. In this regard, Migros acts in accordance with the regulations stipulated in Article 8 of the PDPL.

Migros applies the exceptions for the transfer process specified in this Policy article, as specified in the 2nd paragraph of Article 8 of the PDPL.

Provisions in other laws regarding the transfer of personal data are reserved.

8.1. Domestic Transfer of Personal Data

In accordance with data processing purposes such as enabling Migros to provide better service to the personal data owner, to meet their demands more accurately, to improve their service and communication, to provide customer satisfaction practices and information, and to eliminate technical problems, it may be necessary to transfer/share the data related to the data owner and/or the third parties indicated by the data owner to third parties. In this regard, Migros acts in accordance with the regulations stipulated in Article 8 of the PDPL and the regulations in this Policy within the scope of the said article. The table in article 8.3 of this Policy contains the transfer purposes.

8.1.1. Domestic Transfer of Private Personal Data

Migros can transfer the sensitive data of the personal data owner to third parties by showing the necessary care, taking the necessary security measures and taking the adequate measures prescribed by the PDP Board, in line with its legitimate and lawful purposes, while taking into account the conditions set out in the 7th section of this Policy.

8.2. Transfer of Personal Data Abroad

Migros may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with its lawful purposes. Personal data processed by Migros can be transferred, provided that the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and have the permission of the PDP Board; in accordance with Article 9 of the PDPL, provided that adequate measures are taken with the 2nd paragraph of the 5th article of the PDPL, in case one of the conditions specified in the 3rd paragraph of the 6th article of the PDPL is met, and adequate protection is provided by the PDP Board of the foreign country to which the personal data will be transferred.

8.2.1. Transfer of Private Personal Data Abroad

Migros can transfer the sensitive data of the personal data owner, in line with its legitimate and lawful personal data processing purposes, to the countries that are declared to have sufficient protection or to which adequate protection is committed by the data controller located in a foreign country, taking into account the conditions regulated in the 7th section of this Policy, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the PDP Board.

If sensitive personal data needs to be transferred via e-mail, it will be transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account. If it is transferred via media such as portable memory, CD or DVD, it will be encrypted with cryptographic methods and the cryptographic key will be kept in a different environment. If the transfer is carried out between servers in different physical environments, the data transfer is performed by establishing a VPN between the servers or by using the SFTP method. If the data is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the documents by unauthorized persons, and the document is sent in "confidential documents" format. Necessary precautions and measures are also taken if a transfer is required by a method other than the methods mentioned.

8.3. Third Parties and Purposes of Transfer of Personal Data

In accordance with Articles 8 and 9 of the PDPL, Migros may transfer the personal data of its customers to the following categories of persons:

(i) Business partners,
(ii) Suppliers,
(iii) Affiliates,
(iv) The holding to which it is affiliated,
(v) Other companies belonging to the holding to which it is affiliated,
(vi) Its shareholders,
(vii) Legally authorized public institutions and organizations,
(viii) Legally authorized private legal persons,
(ix) Other third parties in accordance with the data transfer terms,
(x) Lawyers/Law firms/Consultants.

The scope and data transfer purposes of the persons mentioned above are stated below; Migros acts in accordance with the issues regulated in Section 10 of the Policy.

Persons to whom Data Transfer can be made | Definition | Purpose of Data Transfer
Business partner | It defines the parties with which Migros establishes business partnerships for purposes such as sales, promotion and marketing of Migros products and services, after-sales support, and execution of joint customer loyalty programs. | In order to ensure the fulfillment of the purposes of the establishment of the business partnership, the necessary works are carried out by the business units in order to benefit from the products and services offered,
Supplier | It defines the parties that provide services to our Company on a contractual basis in accordance with the orders and instructions of our Company while carrying out the commercial activities of Migros. | In order to ensure that Migros provides the services that are outsourced by Migros from the supplier and necessary to carry out the commercial activities of Migros.
Our Affiliates | Companies of which Migros is a shareholder | Limited to ensuring the execution of commercial activities that require the participation of Migros' subsidiaries.
Affiliated Holding | Fatih Sultan Mehmet Mahallesi, Balkan Caddesi No. 58 Buyaka E Blok Tepeüstü, Umraniye | Limited to use for planning and auditing the strategies of Migros regarding its commercial activities.
Other Companies belonging to the Holding to which it is Affiliated | Anadolu Grup Holding A.Ş., located at 34771 Istanbul, TURKEY. |
Our Shareholders | Other companies of Anadolu Grubu Holding A.Ş. operating in various sectors | Limited to the purposes of designing strategies and auditing of Migros' commercial activities in accordance with the provisions of the relevant legislation.
Legally Authorized Public Institutions and Organizations | Our shareholders, who are authorized to design strategies and audit activities regarding Migros' commercial activities in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Law Persons | Public institutions and organizations authorized to receive information and documents from Migros in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant private legal persons within the scope of their legal authority.
Lawyers/Law firms/Consultants | Private law persons authorized to receive information and documents from Migros in accordance with the provisions of the relevant legislation | For the resolution of disputes that may arise with real person customers / business partners / suppliers, etc.
Other Third Parties in Compliance with Data Transfer Terms | Private law persons that Migros receives support in resolving legal disputes | Private law persons

9. RIGHTS AND OBLIGATIONS REGARDING PERSONAL DATA

9.1. Obligation to Inform Relevant Persons by Migros

Pursuant to Article 10 of the PDPL; Migros is obliged to inform the relevant persons during the acquisition of personal data.

In this context, during the collection of personal data, Migros informs the data owners that the personal data will be processed by it, of the purposes for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of personal data collection and legal reasons, and the rights of the data owner in accordance with Article 11 of the PDPL, and obtains explicit consent if necessary.

9.2. Rights of Relevant Persons

The personal data owner may apply to Migros in accordance with Article 11 of the PDPL and make the following requests:

1. To learn which of their personal data are kept in Migros or not,
2. To learn whether personal data is processed or not,
3. If personal data has been processed, requesting information about it,
4. To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
5. To know the third parties to whom personal data is transferred in the country or abroad,
6. To request correction of personal data if it is incomplete or incorrectly processed,
7. Within the scope of Article 7 of the PDPL, although it has been processed in accordance with the provisions of the PDPL and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing are eliminated, and to request the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
8. To request notification of the transactions made in accordance with subparagraphs (d) and (e) above, to third parties to whom personal data is transferred,
9. To object to the emergence of a negative result due to the analysis of the processed personal data exclusively with automated systems,
10. To request the compensation of the damage in case of damage due to unlawful processing of personal data.

9.3. Circumstances Excluded from the Rights of the Personal Data Owner

It has been regulated that the provisions of the PDPL will not be applied in case of the existence of the conditions specified in the first paragraph of Article 28 of the PDPL. In this context, it is not possible for the persons concerned to assert their rights listed in the PDPL regarding the personal data processed by Migros.

In the cases specified in the 2nd paragraph of Article 28 of the PDPL, the persons concerned cannot claim their other rights listed in the PDPL, except for the right to demand the compensation of the damage.

9.4. Right of Application of Personal Data Owner to Migros

Related persons, in accordance with the 1st paragraph of Article 13 of the PDPL and the "Communiqué on the Procedures and Principles of Application to the Data Controller", can submit their requests regarding the exercise of the rights legally granted to them in writing, using the form available at www.migroskurumsal.com. They must fill in the form and submit it to Migros with a wet signature or a secure electronic signature. Requests with secure electronic signatures are sent to migrosticaretas@hs01.kep.tr, and requests with wet signatures to the address Atatürk Mah. Turgut Özal Bulvarı No: 7 Ataşehir-İSTANBUL. Alternatively, the Migros Personal Data Application Form available at www.migroskurumsal.com can be filled out and sent via e-mail to kisiselverikoruma@migros.com.tr using the e-mail addresses previously notified to Migros and registered in the Migros system.

The application must contain the following:

i) Name, surname and signature if the application is written,
ii) For citizens of the Republic of Turkey, T.R. identification number, nationality for foreigners, passport number or identification number, if any,
iii) Domicile or workplace address for notification,
iv) E-mail address, telephone and fax number, if any, for notification,
v) The subject of the request.

Information and documents related to the subject must be attached to the application.

Third parties cannot make a request on behalf of the Relevant Persons; in order for a third party to make a request, the personal data owner must have issued a special power of attorney authorizing the third party to apply.

9.5. Responding to Applications of Relevant Persons by Migros

Pursuant to Article 13 of the PDPL, the requests included in the application submitted by the personal data owner in accordance with the above procedure will be concluded free of charge by Migros as soon as possible and within thirty days at the latest, depending on the nature of the request. Migros may accept the application or reject it by explaining the reason. Migros notifies the reply in writing or electronically (via e-mail) to the contact address provided to it. Migros is also not obliged to respond in cases where the requester does not provide the contact information, verification cannot be made, the Migros Personal Data Application Form is not filled in completely as specified, the information is incomplete, or the application is not made through the channels and in the ways specified in Article 9.4. In cases where the contact address given by the relevant person cannot be reached, the application will be deemed to have been responded to. In case the transaction to be carried out requires a separate cost, Migros may charge the applicant the fee in the tariff determined by the PDP Board. If the application is due to Migros' fault, the fee will be refunded to the person concerned.

Migros may request information from the relevant person in order to determine whether the applicant is the relevant person and to clarify the requests included in the application.

Migros cannot be held responsible if requests that are not delivered in accordance with the procedure specified in section 9.4 of the Policy and/or with a legally valid notification do not reach Migros, or if the response does not reach the applicant.

9.6. Right of Personal Data Owner to Complain to the PDP Board

The personal data owner can make a complaint to the Board as specified in Article 14 of the PDPL. The personal data owner cannot apply to the PDP Board without first using the right of application set out in Article 13 of the PDPL and section 9.4 of this Policy.

10. Technical and Administrative Measures Taken to Safely Keep Personal Data and to Prevent Unlawful Processing and Access

In accordance with Article 12 of the PDPL, Migros takes all kinds of technical and administrative measures to ensure the level of security, and in this context, it carries out the necessary audits or has them carried out within the framework of contracts made with third party companies. Efforts are made to close the non-compliances identified as a result of these audits as soon as possible, based on risk analyses of factors such as cost, effort and the criticality of the non-compliance.

10.1. Confidentiality in the Processing of Personal Data

Personal data processed by Migros in accordance with the law are subject to data security. Migros takes all necessary technical and organizational measures to ensure the confidentiality and security of sensitive personal data and your personal data collected through our websites and/or other applications.

It is prohibited for any Migros employee to access, process or use this data for private or commercial purposes, to share this data with unauthorized persons or to make this data accessible by any other method. Migros employees can access personal data only in accordance with the type and scope of their duties. For this, roles and responsibilities are detailed and separated. Any processing of this data by a Migros employee who is not authorized within the framework of their legitimate duty constitutes an unauthorized transaction.

Managers should inform their employees about the obligation to protect data privacy at the beginning of the employment relationship. This obligation will continue after the termination of employment.

10.2. Security in the Processing of Personal Data

Personal data is protected by Migros against unauthorized access, illegal data processing or disclosure, and accidental loss, alteration or destruction of data. Personal data is stored in secure working environments that are not open to the public and can only be accessed by authorized Migros employees (within the scope of the Confidentiality Agreement with our employees), our agents and contractors.

Before our customers whose personal data are stored can access that personal data (for e-commerce sites and Money program applications), the identity information of the data owner is verified via the website or application. Likewise, identity information is verified through the HR portal used by our employees.

This provision shall apply whether the data is processed electronically or on paper. Until the emergence of new data processing methods, especially new information technology systems, the following technical and administrative measures are defined and implemented to protect personal data. These measures have been designed taking into account the most advanced technology available, the risks of data processing and the need to protect data.

10.3. Technical Measures

Within Migros, personal data processing activities and the storage of personal data in a secure environment are carried out with technical systems, and technical solutions are applied. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

The technical measures taken are periodically reported to the relevant person in accordance with the internal control mechanism, and the necessary technological solutions are produced by re-evaluating the risky issues.

In addition, knowledgeable and experienced personnel in technical matters are employed. When necessary, knowledgeable and experienced employees are also utilized through service procurement from 3rd party companies.

On the other hand, the Personal Data Protection Authority has published the "Personal Data Security Guide (Technical and Administrative Measures)", which lists the main methods regarding the technical measures to be taken by data controllers in order to prevent the illegal processing of personal data and illegal access to personal data and to ensure the protection of personal data. In addition to taking the precautions in this guide, Migros also takes the necessary security measures based on other published standards regarding security and current threats.

10.4. Administrative Measures

Employees are informed and trained about the law on the protection of personal data and the processing of personal data in accordance with the law, and about the fact that personal data cannot be disclosed to others in violation of the legislation and cannot be used for purposes other than processing.

Except for Migros instructions and exceptions made by law, records and commitments are added to the contracts and documents between Migros and its employees, which impose an obligation not to process, disclose or use personal data.

Necessary administrative measures are taken to monitor the compliance of the employees with the obligation not to process, disclose and use personal data and to ensure the continuity of the application.

In case of receiving technical services from third parties regarding the storage of personal data, and for persons to whom personal data is transferred by Migros in accordance with the law, provisions are added regarding the prevention of unlawful processing of personal data, the prevention of illegal access to data, and the provision of necessary measures to ensure that the data is kept in accordance with the law, and stating that these measures will be complied with in their own organizations.

Migros provides trainings and seminars for its business partners to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure data protection.

On the other hand, the Personal Data Protection Authority has published the "Personal Data Security Guide (Technical and Administrative Measures)", which lists the main methods of administrative measures to be taken by data controllers in order to prevent the illegal processing of personal data and illegal access to personal data and to ensure the preservation of personal data.

10.5. Execution of Audit Activities

Migros, in accordance with Article 12 of the PDPL, carries out the necessary audits within its own organization and at its business partners, or has them carried out within the framework of contracts made with third party companies. The results of these audits are reported to the relevant department within the scope of the internal operation of the company and necessary activities are carried out to improve all the measures taken.

10.6. Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In the event that personal data processed in accordance with the PDPL and the relevant legislation are obtained by others illegally, Migros is obliged to act in accordance with the 5th paragraph of Article 12 of the PDPL, and the necessary system has been established in order to ensure that the necessary determination and notification are made. An emergency committee has been assigned and authorized in this regard; this committee will convene urgently as soon as possible after the occurrence of the incident and will carry out the first response and related activities in line with the decision taken at this meeting. The process will be monitored and managed by this committee, the necessary precautions and measures will be taken within 72 hours at the latest, and the PDP Board will be notified.

Following the notification made to the PDP Board, the PDP Board may announce this situation as specified in the 5th paragraph of the 12th Article of the PDPL.

11. RECORDING

11.1. Recording and Monitoring at the Entrances and/or Inside of Stores, Headquarters Buildings, etc.

Personal data processing activities are carried out by monitoring with security cameras in stores, buildings and facilities for the purposes of increasing the quality of the service offered by Migros, ensuring its reliability, ensuring the safety of the company, customers and other persons, and protecting the interests of customers regarding the service they receive. The camera monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and the relevant legislation. Areas that may result in interference with the privacy of the person exceeding the security objectives (for example, toilets) are not subject to monitoring.

In accordance with Article 10 of the PDPL, Migros informs the personal data owner by publishing the Privacy and Data Security Policy on the website and by posting, at the entrances of the areas where the monitoring is performed, a notification letter stating that monitoring will be carried out; the personal data obtained is protected by administrative and technical measures.

11.2. Store, Headquarters Building etc. Guest Entry/Exit Tracking

Migros carries out personal data processing activities by obtaining the identity information of the visitors and entering it into the Visitor Program in order to monitor visitor entries and exits in Migros buildings and facilities for the purposes specified in this Policy and to ensure security.

11.3. Ensuring Institutional Facility Security and Website Visitors

In order to ensure security by the institution, personal data processing activities are carried out in order to monitor the entrance and exit of guests with security cameras in the buildings and facilities of the institution.

Video recordings of the visitors are taken through the camera monitoring system at the building, facility entrances and inside the facility of the Institution. In addition, the identity information of the visitors is obtained, and they are entered into the Visitor Program and stored.

Within the scope of monitoring activity with security cameras, the Institution aims to increase the quality of the service provided, to ensure its reliability, to ensure the safety of the Institution, customers and other persons, and to protect the interests of the customers regarding the service they receive.

In accordance with Article 12 of the PDPL, the Authority takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.

Log records regarding internet access are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated according to this Law; these records are only processed when requested by authorized public institutions and organizations or for the purpose of fulfilling the relevant legal obligation in the audit processes to be carried out within the Agency.

On the websites owned by Migros, internet movements within the site are recorded by technical means (such as cookies) in order to ensure that the visitors of these sites perform their visits in accordance with the purposes of their visit, to show them customized content and to engage in online advertising activities.

Detailed explanations regarding the protection and processing of personal data regarding these activities are included in the texts of the “Migros Website Privacy and Data Security Policy” of the relevant websites.

11.4. Roles and Responsibilities

Although the General Manager is responsible for the implementation of this Policy in the operation, activities and processes of Migros, the relevant Deputy General Directorates and Directors department/unit/person will be the source of advice and guidance in the implementation of the regulations, procedures, guidelines, standards and training activities prepared in accordance with this policy.

All of our employees, stakeholders, guests, visitors and related third parties across Migros are obliged to cooperate with the Personal Data Protection Committee team in order to prevent legal risks and imminent danger, along with compliance with this policy. All organs and departments of Migros are responsible for overseeing compliance with this policy. In case of non-compliance, the Personal Data Protection Committee must be informed.

12. INTER-COMPANY GOVERNANCE WITHIN THE PROTECTION AND PROCESSING OF PERSONAL DATA

The Personal Data Protection Committee ("Committee") has been established within Migros in order to monitor and manage the actions necessary to comply with the Law No. 6698. The main duties of the Committee are as follows:

1. To prepare the basic policies regarding the protection and processing of personal data and, if necessary, to prepare and submit them to the approval of the senior management,
2. To decide how to implement and control the policies regarding the protection and processing of personal data, and to distribute and coordinate the necessary tasks within the company within this framework.
3. To determine the issues that need to be done in order to ensure compliance with the legislation numbered 6698 and to submit the necessary actions to the approval of the senior management; to monitor and coordinate its implementation,
4. To raise awareness within the Company and before the Company's business partners about the protection and processing of personal data,
5. To determine the risks that may arise in Migros' personal data processing activities and to ensure that the necessary measures are taken; submitting improvement suggestions to the top management for approval,
6. To follow the relevant legislation on the protection of personal data, to update the prepared texts and policies,
7. To design trainings on the protection of personal data and the implementation of policies and to carry out the trainings after obtaining the necessary approvals,
8. Establishing a mechanism to quickly meet the applications of Relevant Persons and deciding on them,
9. To coordinate the execution of information and training activities to ensure that related persons are informed about personal data processing activities and their legal rights,
10. To follow the developments and regulations on the protection of personal data; to advise senior management on what needs to be done in accordance with these developments and regulations,
11. Coordinating the relations with the PDP Board and the PDP Institution,
12. Fulfilling other duties assigned by the senior management regarding the protection of personal data.
13. To determine the risks that may arise in the personal data processing activities of the Company and to ensure that the necessary measures are taken; presenting improvement suggestions.

13. REVIEW

This policy is reviewed once a year by the Personal Data Protection Committee and necessary updates are made. After the approval of the senior management, the updated policy enters into use once the relevant persons/parties have been informed.

14. FINAL PROVISIONS

This Policy was prepared and approved by the Personal Data Protection Committee and was last updated on 30.11.2021. In case this policy is translated into a language other than Turkish, the Turkish text should always be taken as the basis where the wording of the two versions differs. This policy cannot be reproduced or distributed without the written permission of Migros Ticaret A.Ş.

MİGROS TİCARET A.Ş. WORKPLACE POLICY ON DOMESTIC VIOLENCE AND ABUSE

CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Migros Ticaret A.Ş. ("Migros") is committed to protect the fundamental rights and freedoms of employees, protect the privacy of their private lives, ensure and protect information security and therefore we would like to inform you about "Protection of Personal Data" within the scope of our Workplace Policy on Domestic Violence and Abuse, which is among our primary principles.

Migros reserves the right to update this "Clarification Text on the Workplace Policy Regarding Domestic Violence and Abuse As to the Processing of Personal Data" at any time within the framework of changes that may be made in the legislation in force.

Processing of Personal Data:
As per the Law, all kinds of processes performed on personal data, in whole or in part, by automatic means or by non-automatic means provided that they are part of any data recording system, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of the data, are considered "processing of personal data".

Within the scope of the Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the "Law") published in the Official Gazette dated 07.04.2016 and numbered 29677, we hereby declare that we will process your personal data you share in accordance with the law and the rules of honesty, by preserving its accuracy and its current state, for specific, explicit and lawful purposes, in connection with the purpose for which it will be processed, in a limited and measured manner, for the period stipulated in the relevant legislation or required for the purpose for which it is processed.

Your Processed Personal Data:
In cases where our employees who are victims of violence want to receive support upon request, they will share:

  • Identification information (name and last name),
  • Contact information (address, e-mail, phone number),
  • Information on legal proceedings (police, prosecutor's office, court minutes, etc.).

Migros will store, record, update, and process the data in accordance with the Law and in the ways listed in the Law in accordance with the format permitted by the legislation.

Method of Personal Data Collection:
As Migros, we collect your personal data through verbal, written, physical or electronic media where you personally submit your personal data to the e-mail address "siddetlemucadele@migros.com.tr" within the scope of this Policy or during your interviews.

Purpose of Processing Personal Data and Legal Reasons:
Your collected personal data may be processed by Migros in accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law:

1. Provided that it is directly related to the drafting or execution of a contract, your personal data collected on the basis of the legal reason that it is necessary to process personal data belonging to the parties to the contract (identification information, legal transaction and contact information) are processed for the following purposes;

  • Providing support to the employee who is a victim of violence in terms of safety, protection, finding a new home, referral for counseling and health services, leave, advance payments, etc,
  • Ensuring survivors of violence to acknowledge the situation and take the necessary steps,
  • Referral to experts for support,
  • Referral to psychological hot lines for psychological counseling and guidance and legal information services,
  • Providing information and raising awareness on domestic violence,

2. Your personal data collected based on the legal reason that data processing is mandatory for the establishment, exercise or protection of a right (identification information, legal action and contact information) is processed for the following purposes;

  • To use as evidence in disputes that may arise,
  • Providing support to victims of violence in terms of leave, advance payments, etc,
  • Ensuring survivors of violence to acknowledge the situation and take the necessary steps,
  • Referral to psychological hot lines for psychological counseling and guidance and legal information services,
  • Providing information on application methods to official institutions and non-governmental organizations in order to ensure the safety of the victim,

3. Provided that it does not harm the fundamental rights and freedoms of the person in question, the personal data collected based on the legal reason that data processing is mandatory for the legitimate interests of the data controller (identity information, legal transaction and contact information) is processed for the following purposes;

  • To ensure the applicability of our Company's Workplace Policy on Domestic Violence and Abuse

Transfer of Personal Data:
In accordance with the basic principles stipulated by the Law and stated in Article 8 of the Law within the scope of the personal data processing conditions and purposes, your personal data may be transferred by Migros to the members of the committee consisting of employees and, if deemed necessary, to the relevant Regional manager and/or store manager and legally authorized public institutions and organizations.

Your Rights under Article 11 of Personal Data Protection Law
In relation to the processing of your personal data, you may apply to Migros Ticaret A.Ş. as the data controller and benefit from the following rights in accordance with Article 11 of the Law No. 6698 on the Protection of Personal Data:

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • To know the third parties to whom your personal data is transferred domestically or abroad,
  • To request correction of your personal data in case of incomplete or incorrect processing,
  • To request the deletion or destruction of your personal data within the framework of the conditions stipulated in the article 7 of the Law,
  • To request notification of the transactions made pursuant to subparagraphs (d) and (e) above to third parties to whom your personal data has been transferred,
  • To object to the occurrence of a result to your detriment by analyzing the processed data exclusively through automated systems, and
  • In case you suffer damage due to the processing of your personal data in violation of the Law, to demand the compensation of the damage.

You can submit your applications regarding the rights listed above by filling them out in accordance with the instructions written on www.migroskurumsal.com. You can deliver a signed copy of the Migros Ticaret Anonim Şirketi Data Owner Application Form in person, with documents proving your identity, to the address "Atatürk Mah. Turgut Özal Bulvarı No:7 Ataşehir, İstanbul"; you can send it via notary or other methods specified in the Law; or you can send the relevant form, signed with a secure electronic signature, to migrosticaretas@hs01.kep.tr. You may also apply by filling out this form and sending an e-mail to kisiselverikoruma@migros.com.tr using your e-mail address previously notified to Migros and registered in the Migros system. We will respond to your application in writing or electronically (via e-mail) to the contact address you have notified, free of charge, as soon as possible and within thirty days at the latest, depending on the nature of your request; however, the Company reserves the right to charge you a fee in accordance with the tariff to be determined by the Personal Data Protection Board in case of additional costs.

MİGROS TİCARET A.Ş.