Forgot Password
or
Not registered? Sign Up!

I. INTRODUCTION

Law on Protection of Personal Data numbered 6698 ("Law") entered into force on April 7, 2016. The Law provides a definition of personal data and contains the principles of protection of personal data and the conditions which will be complied by the parties who have the responsibility in processing of this data, in their capacity as data processor. According to the Law, personal data is any kind of information related to "identified or identifiable" real person. The processing of personal data means " any process performed on personal data through automated or non-automated ways provided that the latter is being a part of any data recording system, including acquisition, recording, storage, changing, sharing with third parties, and transferring abroad of data."

In order to ensure compliance with the Law, Yemek Sepeti Elektronik İletişim Tanıtım Pazarlama Gıda Sanayi ve Ticaret Anonim Şirketi (“Yemek Sepeti”) takes necessary administrative and technical measures by adopting the principles of protection and processing of personal data set forth in the relevant legislation.
For the Protection and Processing of Personal Data Policy ("Policy"), see VI. DATA OWNER AND PERSONAL DATA CATEGORIZATION.
The statutory regulations in force regarding the processing and protection of personal data will have priority in application. In the event of any discrepancy between the applicable legislation and the Policy, Yemek Sepeti agrees that the applicable legislation will apply.
The Policy entered into force on 26/07/2017. The date of entry into force of the Policy will be updated if all or certain terms of the Policy are updated.
The Policy is published at the website of Yemek Sepeti (www.yemeksepeti.com) and is accessible by data subject. Changes and updates may be made to the Policy to ensure compliance with changing circumstances and legislation and will be made available to personal data owners through the website.

II PROCESSING OF PERSONAL DATA

II.I. PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Personal data is protected through Article 20/III of the Constitution which sets forth that personal data can only be processed in cases set forth in laws or upon express consent of the individual. In line with this right granted to the personal data owners, Yemek Sepeti processes personal data as set out below and in accordance with the principles set forth in the relevant legislation or in cases where the individual has given express consent:

  • Compliance with Law and Rules of Good Faith
  • Ensuring Personal Data is accurate up-to-date whenever necessary
  • Processing for Specific, Clear and Legitimate Objectives
  • Being Related, Limited and Restrained to the Objective of Processing
  • Retention for the Period Specified in the Legislation or for the Period Necessary to Achieve the Objective of Processing.

 

II.II.  CONDITIONS AND OBJECTIVES OF PROCESSING PERSONAL DATA

Personal data, in principle, can only be processed in cases where express consent of the personal data owner is present. The Law sets forth the processing of personal data in Article 5 and processing of specific categories of personal data in Article 6. The Law has identified the certain categories of personal data as  "sensitive personal data" which carry the risk of causing the victimization or discrimination of the individuals, when processed in contravention of the Law, . Article 6 of the Law specifies sensitive personal data through an exhaustive list, which are relating  to race, ethnicity, political opinion, philosophical belief, religion, sect or other faiths, costume and clothing, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. We do not process sensitive personal data of our customers/users etc. as specified within the scope of the Policy above.
The express consent of the data subject must be informed, freely given in relation to a specific topic.
In the event of one or more of the following conditions, personal data may be processed without the explicit consent of the owner. In any case, Yemek Sepeti will process personal data in accordance with the general principles set forth in Article 4 of the Law and in accordance with the following objectives and conditions.

Regarding general qualitative personal data;

  • The Law clearly prescribes the processing of your personal data by Yemek Sepeti
  • The personal data processing activity by Yemek Sepeti is necessary for the protection of the personal data owner or any other person's life or physical integrity, where the personal data owner is physically or legally incapable of giving consent;
  • The processing of your personal data by Yemek Sepeti is directly related to and required for the execution or performance of a contract
  • The processing of your personal data is compulsory for Yemek Sepeti to fulfill its legal obligations
  • Limited processing by Yemek Sepeti of your personal data which has been revealed to the public by you
  • The processing of your personal data by Yemek Sepeti is a necessity for the establishment, use or protection of the rights of Yemek Sepeti or you or the third parties
  • It is mandatory for the legitimate interests of Yemek Sepeti to carry out the processing activities, provided that your fundamental rights and freedoms are not affected.


In this context, the personal data is processed by Yemek Sepeti for the following purposes:

  • Planning, supervision and carrying out of information security processes
  • Establishment and management of information technology infrastructure
  • Planning and carrying out the employees’ authority to access the user data
  • Follow-up of finance and/or accounting of the company
  • Follow-up of legal affairs
  • Planning and/or carrying out of activities of realizing efficiency/productivity and/or appropriateness analysis of business activities
  • Planning and conducting business activities
  • Planning and implementation of the restaurants and business partners and/or suppliers authority to access the data
  • Managing relationships with restaurants and business partners and/or suppliers
  • Planning and/or performance of activities to ensure business continuity
  • Planning and interpreting corporate communication activities
  • Planning and carrying out logistics activities
  • Planning and implementation of customer/user relationship management processes
  • Planning and/or performing customer/user satisfaction activities
  • Following up customer/user requests and/or complaints
  • Performing activities for determining financial risks of customers/users
  • Planning and/or conducting of after-sales support activities
  • Planning and conducting audit activities
  • Planning and conducting of operational activities necessary for the company's activities to be carried out in compliance with company procedures and/or the related legislation
  • Ensuring the safety of the company’s operations
  • Planning and conducting of related processes for obtaining the highest benefit from products or services offered by the company
  • Follow-up of contractual procedures and/or legal claims
  • Conducting of strategic planning activities
  • Planning and conducting of production and/or operation processes
  • Planning and conducting of market research activities for sales and marketing of products and services
  • Planning and conducting of marketing processes of the products and / or services
  • Planning and conducting of selling processes of products and/or services
  • Ensuring that data is accurate and up-to-date
  • Providing information to authorized entities originating from the legislation

 

III TRANSFER OF PERSONAL DATA

III. I. GENERAL PRINCIPLES ON TRANSFER OF PERSONAL DATA

Articles 8 and 9 of the Law provide for the transfer of personal data domestically and abroad. Yemek Sepeti can transfer the personal data/sensitive personal data of the data owners that it obtained in accordance with the law to third parties by taking necessary security measures in accordance with the data processing objectives. In this context, Yemek Sepeti will be able to transfer personal data to third parties under conditions of processing specified under Section II and in the presence of one of the following conditions:

  • If the owner of the personal data has given an express consent,
  • If the legislation clearly regulates the transfer of personal data,
  • If personal data is necessary for the protection of the owner's or another person's life or physical integrity, where the personal data owner is physically or legally incapable of giving express consent or the consent is not considered valid,
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the consummation or performance of a contract,
  • If personal data transfer is required to fulfill any legal obligation of Yemek Sepeti,
  • If personal data is revealed to the public by the personal data owner,
  • If personal data transfer is mandatory for the establishment, use or protection of a right,
  • Personal data transfer is necessary for the legitimate interests of Yemek Sepeti, provided that it does not affect the fundamental rights and freedoms of the personal data owner.

 III.II. TRANSFER OF PERSONAL DATA ABROAD

Yemek Sepeti will be able to transfer the personal data abroad for the purpose of legitimate and rightful objectives of personal data processing as follows:

  • If the data owner has given explicit consent or
  • If the data owner has not given express consent, but one or more of the conditions specified above are present;
  • adequate protection exists in the country to which the data are transferred to, and
  • In the event that there is insufficient protection in the country to which the data is transferred, Yemek Sepeti and the relevant foreign data processor undertake in writing to provide adequate protection and the permission of the PDP Board is obtained.

 III.III. THIRD PARTIES TO WHICH PERSONAL DATA ARE TRANSFERRED TO

In accordance with the conditions set out above and in accordance with Articles 8 and 9 of the Law, Yemek Sepeti may transfer personal data of the data owners subject to this Policy to the following parties:

  • Anonymously to business partners to ensure the fulfillment of the purpose of establishing the partnership (explicit consent is obtained if further data transfer is required).
  • To restaurants in restricted manner for ensuring achievement of the objections of contract
  • Limited transfer to suppliers to ensure that Yemek Sepeti is supplied by the supplier the outsourced services which are required for Yemek Sepeti to perform its commercial activities,
  • To affiliates limited to perform the business activities of Yemek Sepeti which require participation of such affiliates,
  • To shareholders for designing strategies related to the commercial activities of Yemek Sepeti, providing necessary information in accordance with the procedures of the Company and to enable the conduct of audits in accordance with the relevant legislation,
  • To Delivery Hero GmbH and Luxembourg Investment Company 43 S.A.R.L., for the conduct of commercial and operational activities that require the participation of Delivery Hero GmbH and Luxembourg Investment Company 43 S.A.R.L.,
  • To public authorities and entities and private law persons limited to the purpose for which they have requested personal data in accordance with their legal powers.

IV. PROTECTION OF PERSONAL DATA

Yemek Sepeti takes necessary measures and other administrative and technical measures contemplated by the legislation and also those notified by PDP Board for ensuring the security and protection of the personal data processed by Yemek Sepeti in compliance with the legislation. In this context, Yemek Sepeti takes reasonable technical and administrative measures including technological opportunities and application costs to protect personal data in accordance with the law, to store them in a secure environment, to prevent unauthorized access risks and other unlawful access, to prevent accidental loss of data, to prevent deliberate damage and deletion of data. Namely;

  • Monitoring the personal data processing activities of Yemek Sepeti with the established technical systems,
  • Periodic reports on adopted technical measures,
  • Informing and training employees who process personal data in Yemek Sepeti on the legislation for protection of personal data and personal data processing in accordance with such legislation,
  • Establishing internal policies and providing training to ensure awareness and implementation of rules for specific business units and ensuring the supervision and sustainability of these rules in order to ensure legal compliance requirements on a business unit basis,
  • Incorporation of provisions in the agreements governing the legal relationship between Yemek Sepeti and its employees that oblige the employees not to process, disclose and use personal data, except for the instructions of Yemek Sepeti and exceptions imposed by law, and increasing employee awareness,
  • Access and authorization in accordance with the legal compliance requirements determined on a business unit basis, and the restriction of access rights accordingly,
  • Installation and operation of software and hardware including virus protection systems and firewalls,
  • Incorporation of provisions into the agreements entered into with third parties to whom personal data is transferred in accordance with the law, including those from who Yemek Sepeti receives external services for storing personal data, that third parties whom the personal data is transferred will take necessary security measures in order to protect the personal data and to ensure that these measures are complied with,
  • Establishment of technical security systems for storage areas using backup schemes compliant with law,

 

Yemek Sepeti is implementing a system which i enable Yemek Sepeti to notify the PDP Board and the data owner as soon as possible, whenever the data processed in compliant with Article 12 of the Law is obtained by parties by unlawful means. If deemed necessary by the PDP Board, such event can be announced on the website of the PDP Board or by any other method.

 

V. INFORMING OF THE PERSONAL DATA OWNER, RIGHTS AND PROVIDING INFORMATION

V.I. INFORMING OF THE PERSONAL DATA OWNER

Article 10 of the Law sets forth that personal data owners must be informed while obtaining their personal data. In this respect, while obtaining personal data, Yemek Sepeti will inform personal data owners in accordance with the general principles of other personal data processing activities specified in the relevant legislation, on the followings;

  • the identity of the representative, if any,
  • the purpose for which the personal data will be processed,
  • for whom and for what purpose may the data be transferred,
  • the method and legal basis of collecting personal data,
  • the rights of the personal data owner.

V. II. RIGHTS OF PERSONAL DATA OWNERS

In Article 11 of the Law, the rights of the personal data owner are listed. The data owner will be entitled to:

  • learn whether their personal data is being processed,
  • demand information if their personal data has been processed,
  • learn the purpose of processing personal data and whether they are used appropriately for the intended purpose,
  • learn the third parties to whom the personal data is transferred in the country or abroad,
  • demand correction of the personal data, if it is incomplete or incorrectly processed and request third parties to whom the data were transferred be notified of the correction process carried out in this context,
  • although the personal data was processed in accordance with the Law and with relevant provisions of other laws, demand deletion or destruction of personal data in case of cessation of the reasons that requires the processing and request third parties to whom the data were transferred be notified of this process carried out in this context;
  • object to the occurrence of an adverse consequence for the data owner due to analysis the processed data exclusively through automated systems,
  • to claim damages in the event of any loss suffered due to the processing of personal data in contravention of the law.

However, the above-mentioned rights cannot be claimed pursuant to Article 28 of the Law if:

  • the processing of personal data for official statistics and after anonymizing the data and using it for purposes such as research, planning and statistics.
  • processing of personal data for art, history, literature or scientific purposes or within the bounds of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, secrecy of private lives or personal rights or does not constitute a crime.
  • the processing of personal data is necessary within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to perform do so for national defense, national security, public safety, public order or economic security.
  • processing of personal data by judicial authorities or execution officers are necessary for investigation, prosecution, trial or execution of proceedings.

According to Article 28/2 of the Law; personal data owners will not be entitled to claim their rights specified above, except for the right to claim damages:

  • Personal data processing is required to prevent crime or to investigate a crime.
  • Processing personal data that is revealed public by the personal data owner him/herself.
  • Personal data processing is necessary for the disciplinary investigation or prosecution for performing supervision and organization duties by public authorities and the public institutions and public organizations as well as professional entities which are classified as public institutions based on the authority granted by law.
  • Personal data processing is required to protect the economic and financial interests of the state in relation to budget, tax and financial matters.

V.III. PROVIDING INFORMATION TO PERSONAL DATA OWNERS

Personal data holders’ requests of information about their personal data in accordance with Article 20 of the Constitution and the “information request” right they have which is mentioned above, are met by Yemek Sepeti in compliance with the Law.


Yemek Sepeti implements necessary channels, internal operations, administrative and technical regulations in accordance with Article 13 of the Law in order to provide the required information to personal data owners. Accordingly, personal data owners can make requests to regarding their rights free of charge and such requests are responded positively or negatively by Yemek Sepeti according to the nature of the claim within 30 days. However, if the transaction also requires cost expenditure, Yemek Sepeti will be able to charge the fee at the rate determined by the PDP Board.


The personal data holders are required to submit their requests regarding the abovementioned rights via "Yemek Sepeti Elektronik İletişim Tanıtım Pazarlama Gida Sanayi ve Ticaret A.Ş. Application Form" which is provided in Annex-1.


The applications to be made by personal data owners will be made in one of the following methods, together with the documentation for determining the identity of the personal data owner:

  • Fill in the form and submit the copy bearing the wet signature via notary or registered letter with the registered letter to the following address: Esentepe Mah. Büyükdere Cad. No:175/1/1 Şişli/İST.
  • Send the form signed with a secure electronic signature issued within the scope of Electronic Signature Law No. 5070 by e-mail to the following registered address: yemeksepeti@hs02.kep.tr.
  • Send the request to info@yemeksepeti.com (In order to be able to determine whether the applicant is the actual personal data owner from the media which the application was made, the person will be contacted by telephone in order to determine the true identity of the applicant and whether the applicant has actually made the application. In this context, the applicant's final order information will be confirmed and the application will be admitted for evaluation if the data owner and the requesting person match.)
  • Through any method prescribed by the Personal Data Protection Board.

 

In order for third parties to be able to request an application on behalf of personal data owners, the data owner must have issued a special power of attorney through a notary in the name of the applying third party.


Yemek Sepeti may request information from the applying person in order to determine if the applicant is the personal data owner, and may also ask questions about the application for clarification of the application.

 

If the application is rejected, the answer is found to be inadequate or the application is not replied to within the specified time, pursuant to Article 14 of the Personal Data Protection Act, the Applicant may apply to PDP Board within thirty days of receiving Yemek Sepeti’s response and in any case within sixty days of application.

 

VI. DATA OWNER AND PERSONAL DATA CATEGORIZATION

VI. I. DATA OWNER CATEGORIZATION

Yemek Sepeti has categorized the owners of the personal data it processes as set out below. Data owner categorization created under this Policy is associated with the following personal data owners. Data owners outside this scope will also be able to direct their requests to Yemek Sepeti in accordance with the Policy.

Personal Data Owner Category
Customer/User: Regardless of any contractual relationship with Yemek Sepeti, the persons who currently uses or have used the products and services offered by our company.
Potential Customer: Real persons who have used or are interested in using our products and services or who have been assessed in accordance with commercial practices and honesty rules to have such interest.
Shareholder, Officer, Employee of Corporate Customer: Regardless of any contractual relationship with Yemek Sepeti, employees, shareholders and officer of a legal entity who currently uses or has used the products and services offered by Yemek Sepeti.
Third Party: Individuals who are not covered by this Policy.
Restaurant: Companies that delivers orders to customers under a contractual relationship with Yemek Sepeti.
Business Partner’s Shareholder, Officer, Employee: Real person employees who work in entities that are in any business relationship with Yemek Sepeti, as well as shareholders and officers of those entities.
Supplier's Shareholder, Officer, Employee: Real person employees who work in entities that are in business relationship with Yemek Sepeti and provide products or services, as well as shareholders and officers of those entities.
Prospective Business Partner: Individuals or employees, shareholders or officers of the entities that Yemek Sepeti intends to establish a business relationship with.
Visitor: Individuals who have entered the physical premises of Yemek Sepeti for any purpose or who have visited our websites.

 VI.II. PERSONAL DATA CATEGORIZATION

In this Policy, the personal data processed by Yemek Sepeti is categorized. The personal data of the personal data owners included in the data owner categories mentioned above are associated with the following personal data categories.

Personal Data Categorization
Identity Information: Data regarding identity of an individual, evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; containing information on the identity of the individual.
Contact Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; such as telephone number, address, e-mail address, fax number, IP address.
Location Data: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; information detecting the location of the employees of entities which Yemek Sepeti is in cooperation within the frame of operations carried out by business units of Yemek Sepeti.

Customer Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual and included in the data recording system; containing information such as records related the use of our products and services and the instructions and requests necessary for the customer for using the products and services.
Customer Transaction Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual and included in the data recording system; containing information such as records related the use of our products and services and the instructions and requests necessary for the customer for using the products and services.
Information on Family Members and Relatives: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; containing information on family members and relatives of the personal data owner and persons to be accessed to in the event of an emergency involving the owner, to protect legal and other benefits of Yemek Sepeti and the personal data owner, within the frame of operations carried out by business units of Yemek Sepeti.
Physical Site Security Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; personal data related to records of entrance into and staying in a physical site.
Transaction Security Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual and included in the data recording system, containing personal information such as IP address, system login information credentials, login credentials accessed by suppliers when providing support services, user transactions in the purse system (such as password resetting, password creation), etc. in order to secure our technical, administrative, legal and commercial security while conducting our business activities.
Incident Management Information: Information and assessments related to events that are associated with the personal data owner and are likely to affect the our company – its employees – its shareholders (e.g., information gathered about a person who is tried as a defendant in a criminal case by searching the details of the scope of the criminal investigation, in order to inform the public about the business activities of our company with that person for preventing our company’s image from being adversely affected.)
Financial Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; containing information, documents and records showing any kind of financial result created according to the type of legal relationship that Yemek Sepeti has established with the personal data owner such as bank account number, IBAN number, credit card information, financial profile, etc.
Audiovisual Data: Data evidently belonging to an individual with a definite identity or to an identifiable individual, including photographs and camera recordings (except records entered under Physical Space Security Information), voice recordings, and copies of documents containing personal data.
Legal Transaction and Compliance Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, and contained in the data recording system, containing data with respect to determination of our legal receivables and rights, follow up and satisfaction of our debts and our legal obligations, processed within the scope of compliance with the policies of our company.
Audit and Inspection Information: Information on audit and inspection records, reports and reviews made in association with the personal data owner and information and comments on inspections made with that respect and information gathered and comments made in relation thereto.

Marketing Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, and contained in the data recording system, containing personal data processed for the customization and marketing of our products and services in accordance with the usage habits, liking and needs of the personal data owner and the reports and evaluations created in result of processing these results.
Reputation Management Information: Information collected in relation to an individual and collected to protect the commercial reputation of the company (e.g., information from the complaints site (Şikayetvar), information from twitter and Facebook, information shared about upper management and shareholders of the company, and evaluation reports and assessments based on the result of such processing.)

Request/Complaint Management Information: Data evidently belonging to an individual with a definite identity or to an identifiable individual, part or whole of which is processed automatically, or non-automatically as part of the data recording system; collected for any and all requests and complaints made to Yemek Sepeti and their evaluation.

VII.PRINCIPLES ON THE RETENTION PERIOD OF PERSONAL DATA

Personal data is retained by Yemek Sepeti for periods stipulated in the relevant legislation and in accordance with legal obligations.
If a period is not prescribed in the legislation on how long personal data should be stored, the personal data is processed in connection with the activity carried out by Yemek Sepeti at that time for a period of time required to be processed in accordance with the practices of Yemek Sepeti and in accordance with commercial practices, and then deleted, destroyed or anonymized.

If the personal data is requested to be deleted / anonymized by the personal data owner with the purpose of ending the processing or the storage periods specified by the relevant legislation have come to an end, it can only be kept as evidence for possible legal disputes, or for the purpose of establishing a defense or advocating the right to in relation to the personal data. Yemek Sepeti takes into account the time limits stipulated in the relevant legislation when determining the periods of storage of personal data. The personal data stored for this purpose is only accessible by certain persons when it is required to be used in the relevant legal dispute and is not accessed for any other purpose. At the end of this process, personal data is either deleted, destroyed or anonymized.

 

VIII CONDITIONS OF DELETION DESTRUCTION AND ANONYMISATION OF PERSONAL DATA

As per Article 138 of the Turkish Criminal Code and Article 7 of the Law, personal data shall be deleted, destroyed or anonymized upon decision of Yemek Sepeti or upon request of the personal data owner in the event that the basis for which the personal data was processed is eliminated, even if the data was processed in accordance with the relevant legislation.

IX. YEMEKSEPETI MANAGEMENT INFRASTRUCTURE FOR PROCESSING AND STORAGE OF PERSONAL DATA

Within Yemek Sepeti, a Personal Data Protection Committee ("Committee") has been established for managing this Policy, related policies and other outputs, and for ensuring the tracking the continuity of compliance with the Law.


 The duties of this Committee are:

  • Establishing, updating, and enforcing fundamental policies on the protection and processing of personal data.
  • Taking actions needed for the enforcement and supervision of policies on protection and processing of personal data, and coordination by internal assignments.
  • Ensure compliance with laws and related legislation and follow developments related to the protection and processing of personal data and take necessary actions with that respect.
  • To raise awareness in institutions within Yemek Sepeti and in entities which cooperate with Yemek Sepeti on preservation and processing of personal data.
  • To evaluate personal data owners' applications and to provide solutions that are compliant with the law.
  • To identify the risks that may arise in the personal data processing activities of Yemek Sepeti and to take necessary measures.
  • To carry out the relations with PDP Board and its institution.
Online Market Siparişi
7/24 market alışverişini yapabileceğin Banabi'ye buradan geçebilirsin!
Kapat Banabi'ye Git