Global Policy

Global Data Privacy Policy  



Arҫelik and its affiliates and subsidiaries (together “Company”, “we”, “us”) is committed to protecting the privacy of everyone we do business with, including our customers, suppliers, employees and contractors. In recognition thereof, Company has adopted this Data Privacy Policy (the “Policy”).


Applicable Data Protection Laws - all relevant privacy, data protection or related laws and regulations in Turkey (Law on the Protection of Personal Data) in the European Economic Area (EEA), in the UK and in Switzerland that apply to the Processing of Personal Data, including but not limited to the EU General Data Protection Regulation 2016/679.

Personal Data - any data relating to an identified or directly or indirectly identifiable natural person (“Data Subject”); identification can occur by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to an Individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Personnel - employees, officers, contingent workers, employed on a full or part-time basis, or retained as third-party consultants, and temporary staff acting on behalf of any Arҫelik subject to this Policy.

Process or Processing - any operation or set of operations performed upon Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, international transfer, alignment or combination, blocking, erasure or destruction.

Processor - any entity who Processes Personal Data on behalf of any Arҫelik subject to this Policy.

Security Breach - a breach of security leading to the accidental or unlawful destruction, loss, alternation, unauthorized disclosure of, or access to, Personal Data.

Security Measures - measures, including legal, organizational and technical measures aimed at ensuring the ongoing integrity, availability, and confidentiality of Personal Data and at preventing, mitigating or remedying Security Breaches.

Sensitive Personal Data - any Personal Data relating to an Individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic characteristics, biometrics, health, sex life, sexual orientation, or criminal convictions.


a. Personnel is responsible for complying with this Policy when they Process Personal Data in connection with their normal work activities.

b. Senior management within Company is responsible for enforcing compliance with this Policy, including the maintenance of  an  appropriate  governance  structure  and the allocation of resources necessary to ensure compliance and enforcement.

c. Personnel shall promptly notify the Global Data Protection Officer if they suspect orareaware that thisPolicy conflicts withany local legalor regulatory obligation or that a particular Company practice violates this Policy.

d. Company may implement additional policies, procedures or practices as may be necessary to ensure compliance with this Policy or meet local Applicable Data Protection Laws. Arҫelik shall not adopt or implement such policies, procedures or practices without prior consultation and approval from the Global Data Protection Officer


a. Company strives to Process Personal Data in a manner consistent with this Policy and with Applicable Data Protection Laws. Where Applicable Data Protection Laws impose a higher level  of  protection  than  this  Policy,  Company must comply with  such laws or regulations.

b. Basic Principles

I. Lawfulness and Purpose Limitation

Company shall only Process Personal Data lawfully, fairly and for specified, explicit and legitimate business purposes and  with  an  appropriate  justification  (legal  basis) under Applicable Data Protection Laws.  This  justification  can  be  consent  of  the Data Subjects, the performance of an agreement or  taking  steps  prior  to  entering  into an agreement, a legal obligation, or a legitimate interest of Company that is not outweighed by the interests or fundamental rights and freedoms of the Data Subjects. Where Company is required by applicable law or by internal policies to request and obtain the consent of the Data Subjects prior to the Processing of certain Personal  Data  then  Company  shall  seek  such  consent  and  honor  it.  Company  shall  keep a record of consents that it obtains and put in place  effective means for Data Subjects to withdraw their consent.

II. Data Minimization

Company shall limit its Processing of Personal Data to the minimum amount of information necessary to pursue the established purpose or purposes.  Where  possible, Company shall rely on information that does not identify Data Subjects.

Company shall minimize the extent of its Processing, access to and retention of Personal Data to what is necessary for the established purpose or purposes. Access shall be limited to a need-to-know basis. Save exceptions, Personal Data shall not be made accessible to an indefinite number of individuals.

III. Maintaining Integrity and Quality

Company shall at all times maintain the integrity of the Personal Data IT Processes   and take reasonable steps to keep Personal  Data  accurate,  complete,  up-to-date  and reliable for its intended use.

IV. Retaining and Deleting Personal Data

Company  shall  not  retain  Personal  Data  for  longer  than  necessary.  Personal  Data shall be destroyed or anonymized in compliance with  applicable Company  policies and record retention schedules, including the Company Records Retention Policy. These Company policies and record retention schedules take into account Company’s business needs, its legal obligations, and scientific, statistical or historical research considerations.

c. Transparency

I. Company shall provide clear information to Data Subjects about, at a minimum:

  •  the identity and the contact details of Company acting as the controller.of the Personal Data and of its Global Data Protection Officer, if such exists, or of its Data Protection Officers at local level;
  • thecategoriesofPersonalDatarelatingtoDataSubjectsthatCompanyProcesses;
  • the purposes for which the Personal Data is Processed, and the justifications for such Processing;
  • disclosures of the Personal Data to third-party recipients;
  • the rights of Data Subjects in respect of  their  the  Personal  Data, their right to lodge a complaint with a supervisoryauthority;
  • transfers of Personal Data outside Turkey, the EEA, the UK and Switzerland and the legal safeguards applying to such transferred Personal Data;
  •  the retention period or the criterion used to determine the retention period of the Personal Data;
  • whether the provision of the Personal Data is mandatory and the possible consequences if the Individual fails to provide the Personal Data; and
  •  the existence of automated decision-making which produces legal or similar effects and information about the logic involved, where relevant.

II. Data Subjects shall be provided with any additional information required by local Applicable Data Protection Laws.

III. Save limited exceptions, the information set out above shall be provided to the Data Subjects at the time their Personal Data is obtained.

IV. All communications to Data Subjects about the Processing of their Personal Data shall be approved by the local Data Protection Officer and, where necessary, by the Global Data Protection Officer based on Company’s templates.

V. Applicable Data Protection Laws may provide for derogations to the transparency requirement in exceptional cases, for example, where providing such information imposes a disproportionate burden. Such derogations shall not be relied upon without prior consultation of the Global Data Protection Officer.

d. Rights of Data Subjects

I. Company shall consider any request from Data Subjects in relation to their rights of access, rectification, restriction, data portability, erasure, or opposition or any clear indication that the Data Subjects want to withdraw their consent. Such requests shall be free of charge.

II. Company shall respond to such requests within one month and make all efforts to meet the request within this timeframe in accordance with the Company Data Subject Rights Policy.

III. Company is not obliged to meet a request when it cannot lawfully relate Personal Data to the Individual making the request or when a request is manifestly unfounded or excessive because of its repetitive nature.

e. Maintaining Appropriate Security and Reporting Security Breaches

I. Company shall implement Security Measures to protect Personal Data, in particular in case of transmissions of Personal Data over a network or the storage of Personal Data on portable devices or media. These Security Measures shall take into account the risks represented by the Processing, the nature of the Personal Data concerned, the state of the art and cost of the implementation of the Security Measures.

II. The Security Measures shall be set out in written security policies and procedures.

III. Personnel shall promptly report a Security Breach to the Global Data Protection Officer and Information Security and Telecommunications Departments of Arҫelik and keep a record of the Security Breaches in accordance with the Company Data Breach Policy.

f. Disclosure of Personal Data

I. Company shall only disclose Personal Data to third parties, such as law enforcement authorities or courts, business partners, suppliers or customers where specifically authorized to do so by applicable laws in Turkey, the EEA, the UK or Switzerland or otherwise in accordance with Applicable Data Protection Laws.

II. When relying on Processors, Company shall select Processors carefully and subject them to contractual controls in order to protect the confidentiality and security of the Personal Data concerned and meet the requirements of Applicable Data Protection Laws.

g. International Transfers of Personal Data

I. Company shall only transfer Personal Data to a country outside Turkey, the EEA, the UK and Switzerland in accordance with the requirements set out in Applicable Data Protection Laws.

II. Save limited exceptions under Applicable Data Protection Laws, Company shall put in place appropriate safeguards, such as transfer agreements to overcome restrictions on international transfers of Personal Data under Applicable Data Protection Laws.

III. Company may only rely on exceptions under Applicable Data Protection Laws to restrictions on international transfers following review and approval by the Global Data Protection Officer.

h. Training

Employees Processing Personal Data as part of their role or function shall be regularly trained on compliance with this Policy. Training should be adapted to the role or function of the Personnel concerned.

i. Monitoring and Records

I. The Global Data Protection Officer and the local Data Protection Officers shall conduct periodic reviews and audits to ensure compliance with this Policy.

II. Company shall maintain a record of Processing operations. The record must be made available to supervisory authorities upon request.

j. Compliance and Waivers

I. Requirements imposed by this Policy may be waived only on a case-by-case basis in exceptional circumstances and subject to conditions, following approval from the Global Data Protection Officer.

II. Any member of Personnel not compliant with this Policy may be subject to disciplinary measures, including termination of employment.


Company shall circulate this Policy to the Personnel and may translate the Policy into local languages for information purposes. In case of discrepancies between local language and the English version, the English version of the Policy shall prevail.
Questions or concerns regarding this Policy or privacy matters more generally must be directed to the Global Data Protection Officers Office (contactable via phone on +90 212 314 34 34 or e-mail at