KVKK

… A.Ş. AND THE GROUP OF COMPANIES AND ITS AFFILIATES

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Protection of personal data is among the top priorities of … Anonim Şirketi (“Company”) and its group of companies and affiliates. The most important part of this issue is the protection and processing of personal data of our employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties governed by this Policy. 

According to the Turkish Constitution, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a right guaranteed by the Constitution, the company is governed by this Policy; pays due attention to the protection of the personal data of employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions with which it cooperates, and third parties, and makes this a company policy.

In this context, necessary administrative and technical measures are taken by the company for the protection of personal data processed within the framework of legal legislation.

The basic principles adopted by the company in the processing of personal data in this Policy are as follows;

  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, limited and measured,
  • Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed,
  • Enlightening and informing personal data owners,
  • Establishing the necessary system for personal data owners to exercise their rights,
  • Taking the necessary measures in the protection of personal data,
  • To act in accordance with the relevant legislation and KVK Board regulations in the transfer of personal data to third parties in line with the requirements of the processing purpose,
  • To show the necessary sensitivity to the processing and protection of sensitive personal data.

ARTICLE 1: PURPOSE OF THE POLICY

The main purpose of the policy is the personal data processing activity carried out by the company in accordance with the law, and in this context, personal data, especially our customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties. To provide transparency and trust by informing the people whose data is processed by our company.

ARTICLE 2: CONTENT AND DEFINITIONS

This Policy; It concerns all personal data of our employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system.

The scope of application of this Policy regarding the groups of personal data owners in the above-mentioned categories may be the whole of the Policy; it can only be a part of it.

The definitions of the concepts in this policy text are as follows:

Recipient group : The natural or legal person category to which personal data is transferred by the data controller.

Explicit consent : Consent on a specific subject, based on information and expressed with free will

Anonymization : Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Employee : Company personnel

Electronic media : Environments where personal data can be created, read, changed and written with electronic devices.

Non-electronic media : All written, printed, visual, etc., other than electronic media. other environments

Service provider : Real or legal person who provides services within the framework of a certain contract with the Institution.

Contact Person : Natural person whose personal data is processed

Relevant user : Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction : Deletion, destruction or anonymization of personal data

Law : Law on Protection of Personal Data No. 6698

Recording medium : Any medium in which personal data is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

Personal data : Any information relating to an identified or identifiable natural person.

Personal data processing inventory : Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Processing of personal data : Obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. all kinds of operations performed on the data, such as preventing its use or use.

Board : Personal Data Protection Board

Personal data of special nature : Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data

Periodic destruction : In the event that all of the personal data processing conditions in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at repetitive intervals

Policy : Personal Data Retention and Disposal Policy

Company : ………………………………… (Workplace/responsible title will be written)

Data processor : Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data registration system : The registration system in which personal data is processed and structured according to certain criteria.

Data controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data controllers registry information system : An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions.

VERBIS : Data Controllers Registry Information System

Regulation : Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION

Relevant legal regulations in force on the processing and protection of personal data will find application first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will find an area of ​​application.

The policy is formed by concretizing and arranging the rules set forth by the relevant legislation within the scope of Company practices. 

ARTICLE 4: ENFORCEMENT OF THE POLICY

This Policy, issued by our company, enters into force on the day it is published on our website. If there is any innovation or change in the policy, the effective date will be updated.

The policy is published on the website of our Company and made available to the relevant persons upon the request of the personal data owners.

ARTICLE: 5 ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVKK, our company takes all necessary administrative, technical and legal measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure appropriate security in order to ensure the preservation of the data. provides.

ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA

6.1 Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data

Our company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law.

      1. Technical Measures Taken to Ensure Legal Processing of Personal Data

The main technical measures taken by our company to ensure the legal processing of personal data are listed below:

  1. Personal data processing activities carried out within our company are audited by established technical systems.
  2. The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism.
  3. Personnel knowledgeable in technical matters are employed.
      1. Administrative Measures Taken to Ensure Legal Processing of Personal Data

The main administrative measures taken by our company to ensure the legal processing of personal data are listed below:

  1. Employees are informed and trained on the law of protection of personal data and the processing of personal data in accordance with the law.
  2. All activities carried out by our company are analyzed in detail specific to all business units, and as a result of this analysis, personal data processing activities are revealed in the commercial activities carried out by the relevant business units.
  3. Personal data processing activities carried out by our company's business units; The requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions sought by the Law No. 6698 are determined by each business unit and the detail activity it carries out.
  4. In order to meet the legal compliance requirements determined by our business units, awareness is created specific to the relevant business units and implementation rules are determined; Necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of implementation.
  5. Contracts and documents governing the legal relationship between our Company and employees, except for the Company's instructions and the exceptions brought by the law, include records that impose the obligation not to process, disclose or use personal data, raise awareness of employees and carry out audits.

6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the imprudent or unauthorized disclosure, access, transfer or any other unlawful access to personal data.

      1. Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by our company to prevent unlawful access to personal data are listed below:

  1. Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and renewed.
  2. Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
  3. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, the issues that pose a risk are reevaluated and the necessary technological solution is produced.
  4. Software and hardware including virus protection systems and firewalls are installed.
  5. Personnel knowledgeable in technical matters are employed.

      1. Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:

  1. Employees are trained on technical measures to prevent unlawful access to personal data.
  2. Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
  3. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVK Law and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
  4. Contracts concluded by our company with the persons to whom personal data are transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.

6.3 Storing Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

      1. Technical Measures Taken for Storing Personal Data in Secure Environments

The main technical measures taken by our company to store personal data in secure environments are listed below:

  1. Systems suitable for technological developments are used to store personal data in secure environments.
  2. Technical personnel are employed.
  3. Technical security systems are established for the storage areas, the technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the necessary technological solutions are produced by re-evaluating the risky issues.
  4. In order to ensure the safe storage of personal data, backup programs are used in accordance with the law.
      1. Administrative Measures to Keep Personal Data in Secure Environments

The main administrative measures taken by our company to store personal data in secure environments are listed below:

  1. Employees are trained to ensure that personal data is stored securely.
  2. In the event that an external service is received by our company due to technical requirements regarding the storage of personal data, the contracts concluded with the relevant companies to which the personal data is transferred in accordance with the law; Provisions are included that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with in their own organizations.

6.4 Supervision of Measures Taken for the Protection of Personal Data

Our company carries out the necessary inspections within its own body in accordance with the 12th article of the KVKK or has it done. The results of these audits are reported to the relevant unit within the scope of the internal operation of the company and necessary activities are carried out to improve the measures taken.

6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

Our company will ensure that the personal data processed in accordance with Article 12 of the KVKK is obtained by others illegally, and this situation is reported to the relevant personal data owner and the KVK Board as soon as possible.

If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method.

ARTICLE: 7 FOLLOWING THE RIGHTS OF THE DATA OWNER; CREATING CHANNELS TO TRANSFER THESE RIGHTS TO OUR COMPANY AND EVALUATION OF DATA OWNERS' REQUESTS

Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVKK in order to evaluate the rights of the personal data owners and to provide the necessary information to the personal data owners.

If personal data owners submit their requests regarding their rights listed below in writing to our Company, our Company concludes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the KVK Board will be charged by our Company. Personal data owners;

  1. Learning whether personal data is processed or not,
  2. If personal data has been processed, requesting information about it,
  3. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
  4. Knowing the third parties to whom personal data is transferred at home or abroad,
  5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  6. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
  7. Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  8. It has the right to demand the compensation of the damage in case of loss due to the unlawful processing of personal data.

More detailed information on the rights of data owners is included in this Policy.

ARTICLE: 8 PROTECTION OF SPECIAL QUALITY PERSONAL DATA

With the KVK Law, special importance is attached to certain personal data due to the risk of causing victimization or discrimination in case of unlawful processing.

These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our company acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data, and necessary audits are provided within the company.

Detailed information on the processing of special categories of personal data is included in this Policy.

ARTICLE: 9 RAISING AWARENESS AND AUDIT OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company provides the necessary trainings to business units in order to prevent the unlawful processing of personal data, to prevent illegal access to the data, and to increase the awareness of data protection.

Necessary systems are established to raise awareness of the current employees of the company's business units and the newly recruited employees about the protection of personal data, and professional people are worked with in case of need.

ARTICLE 10: RAISING AWARENESS AND SUPERVISION OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company organizes trainings and seminars for business partners in order to prevent the illegal processing of personal data, to prevent illegal access to data, and to raise awareness about data protection.

Trainings for the company's business partners are periodically repeated, necessary systems are established to raise awareness of current employees of business partners and newly recruited employees about the protection of personal data.

The results of the training conducted to raise awareness of the company's business partners on the protection and processing of personal data are reported to the holding. Accordingly, our company evaluates the participation in the relevant trainings, seminars and information sessions and carries out the necessary audits or has them done. Our company updates and renews its trainings in parallel with the updating of the relevant legislation.

ARTICLE 11: ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

Our company, in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, regarding the processing of personal data; in accordance with the law and the rules of honesty; accurate and up-to-date where necessary; for specific, clear and legitimate purposes; engages in personal data processing activities in a connected, limited and measured manner for this purpose. Our company retains personal data for as long as required by law or for the purpose of processing personal data.

Our company processes personal data in accordance with Article 20 of the Constitution and Article 5 of the KVK Law, based on one or more of the conditions in Article 5 of the KVK Law regarding the processing of personal data.

Our company informs the personal data owners in accordance with the 20th article of the Constitution and the 10th article of the KVK Law and provides the necessary information in case the personal data owners request information.

Our company acts in accordance with the regulations stipulated for the processing of personal data of special nature in accordance with Article 6 of the KVK Law.

Our company acts in accordance with the regulations stipulated in the law and set forth by the KVK Board regarding the transfer of personal data in accordance with Articles 8 and 9 of the KVK Law.

ARTICLE 12: PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED IN THE LEGISLATION

12.1 Lawful and Integrity Processing

Our company; acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data other than as required for the purpose.

12.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests. It takes the necessary measures in this direction. 

12.3 Processing for Specific, Explicit and Legitimate Purposes

Our company clearly and precisely determines the purpose of processing personal data, which is legitimate and lawful. Our company processes personal data as much as is necessary for and in connection with the service it provides. 

12.4 Relevance, Limitation, and Responsibility for the Purpose for which they are Processed

Our company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or that is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.

12.5 Retention for as Long as Required for the Purpose for which they are Processed or Provided in the Relevant Legislation

Our company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons requiring its processing are eliminated. Personal data is not stored by our Company for the possibility of future use. Detailed information on this subject is included in this Policy.

ARTICLE 13: PROCESSING PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS STATED IN ARTICLE 5 OF KVKK AND LIMITED TO THESE TERMS

Protection of personal data is a constitutional right. Fundamental rights and freedoms can only be limited by law, without prejudice to their essence, depending on the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Our company in this direction and in accordance with the Constitution; processes personal data only in cases stipulated by law or with the explicit consent of the person. Detailed information on this subject is included in this Policy.

ARTICLE 14: DISCLOSURE AND INFORMATION OF THE PERSONAL DATA OWNER

Our company informs the personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, it clarifies the identity of the Holding and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. Detailed information on this subject is included in this Policy.

Article 20 of the Constitution states that everyone has the right to be informed about the personal data concerning them. Accordingly, in Article 11 of the KVK Law, “requesting information” is also listed among the rights of the personal data owner. In this context, our company provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law. Detailed information on this subject is included in this Policy.

ARTICLE 15: PROCESSING OF SPECIAL QUALITY PERSONAL DATA

Our company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as "special quality" by the KVK Law.

In Article 6 of the KVK Law, a set of personal data that carries the risk of causing victimization or discrimination when processed unlawfully is determined as "special quality". These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

By our Company in accordance with the KVK Law; Special categories of personal data are processed in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

  1. If the personal data owner has express consent, or
  2. If the personal data owner does not have express consent;
  1. Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,
  2. Persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. processed by.

ARTICLE 16: TRANSFER OF PERSONAL DATA

Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, business partners, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the KVK Law. Detailed information on this subject is included in this Policy.

16.1 Transfer of Personal Data

In line with the legitimate and lawful personal data processing purposes, our company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below and in a limited manner:

  1. If the personal data owner has express consent;
  2. If there is a clear regulation in the law regarding the transfer of personal data,
  3. If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;
  4. If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  5. If personal data transfer is mandatory for our company to fulfill its legal obligation,
  6. If the personal data has been made public by the personal data owner,
  7. If personal data transfer is necessary for the establishment, exercise or protection of a right,
  8. If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

16.2 Transfer of Sensitive Personal Data

Our company, by showing the necessary care, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In accordance with the legitimate and lawful personal data processing purposes, the personal data owner may transfer the sensitive data of the personal data owner to third parties in the following cases.

  1. If the personal data owner has express consent, or
  2. If the personal data owner does not have express consent;

  1. Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership to associations, foundations or unions, criminal convictions and security measures) and biometric and genetic data), in cases stipulated by law,

  1. Persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. by.

ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD

Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the legal personal data processing purposes. Personal data by our company; To foreign countries declared to have sufficient protection by the KVK Board (“Foreign Country with Sufficient Protection”) or to foreign countries where the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and where the permission of the KVK Board is available in case of insufficient protection. (“Foreign Country of Data Controller Undertaking Adequate Protection”) is transferred. Accordingly, our company acts in accordance with the regulations stipulated in Article 9 of the KVK Law. Detailed information on this subject is included in this Policy.

17.1 Transfer of Personal Data Abroad

In line with the legitimate and lawful personal data processing purposes, if the personal data owner has the explicit consent or there is no explicit consent of the personal data owner, the personal data can be transferred to the Foreign Countries with Sufficient Protection or the Data Controller Undertaking Sufficient Protection, in the presence of one of the following conditions:

If there is a clear regulation in the law regarding the transfer of personal data,

  1. If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;

  1. If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

  1. If personal data transfer is mandatory for our company to fulfill its legal obligation,
  2. If the personal data has been made public by the personal data owner,

  1. If personal data transfer is necessary for the establishment, exercise or protection of a right,

  1. If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

17.2 Transfer of Sensitive Personal Data Abroad

Our company, by showing the necessary care, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In line with the legitimate and lawful personal data processing purposes, it can transfer the sensitive data of the personal data owner to the Foreign Countries where the Data Controller has Sufficient Protection or Undertakes Sufficient Protection in the following cases.

  1. If the personal data owner has express consent, or
  2. If the personal data owner does not have express consent;

  1. Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership to associations, foundations or unions, criminal convictions and security measures) and biometric and genetic data), in cases stipulated by law,

  1. Persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. covered by the processing.

ARTICLE 18: CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSE OF PROCESSING AND STORAGE PERIOD

Our company notifies the personal data owner of which personal data owner groups are processing their personal data, the purposes of processing the personal data of the personal data owner and the storage periods within the scope of the disclosure obligation in accordance with Article 10 of the KVK Law.

ARTICLE 19: CATEGORIZATION OF PERSONAL DATA

Before our company, by informing the relevant persons in accordance with Article 10 of the KVK Law, in line with the legitimate and lawful personal data processing purposes of our Company, based on and limited to one or more of the personal data processing conditions specified in the 5th article of the KVK Law. Personal data in the following categories are processed, limited to the subjects within the scope of this Policy, by complying with the general principles specified in the KVK Law, including the principles specified in Article 4 regarding the processing of personal data, and all obligations set forth in the KVK Law. It is also stated in this Policy that the personal data processed in these categories are related to which data owners are regulated within the scope of this Policy.

IDENTITY INFORMATION; Processed partially or completely automatically or non-automatically as a part of the data recording system, which clearly belongs to an identified or identifiable natural person; All information contained in documents such as Driver's License, Identity Card, Residence, Passport, Attorney's ID, Marriage Certificate.

COMMUNICATION INFORMATION; Processed partially or completely automatically or non-automatically as a part of the data recording system, which clearly belongs to an identified or identifiable natural person; information such as phone number, address and e-mail.

CUSTOMER INFORMATION; Processed partially or completely automatically or non-automatically as a part of the data recording system, which clearly belongs to an identified or identifiable natural person; Information obtained and produced about the person concerned as a result of our commercial activities and the operations carried out by our business units in this context.

PHYSICAL SPACE SAFETY KNOWLEDGE; Personal data regarding the records and documents taken during the stay in the physical space at the entrance to the physical space, which are clearly belonging to an identified or identifiable natural person and are included in the data recording system.

PROCESS SECURITY INFORMATION; Clearly belonging to an identified or identifiable natural person and included in the data recording system; Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities.

RISK MANAGEMENT INFORMATION; Clearly belonging to an identified or identifiable natural person and included in our data risk recording system; Data that can be used and processed in accordance with the generally accepted legal, commercial practice and good faith in these areas so that we can manage commercial, technical and administrative matters.

FINANCIAL INFORMATION; It is clear that it belongs to an identified or identifiable natural person, partially or completely automatically processed or non-automatically as a part of the data recording system; Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner.

PERSONAL INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; All kinds of personal data processed for the purpose of obtaining the information that will form the basis for the personal rights of our employees or real persons who have a working relationship with our Company.

EMPLOYEE CANDIDATE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Personal data processed regarding individuals who have applied to be an employee of our company or who have been evaluated as an employee candidate in line with the human resources needs of our company in accordance with commercial practices and honesty rules, or who have a working relationship with our Company.

EMPLOYEE PROCESS INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Personal data processed for all kinds of work-related transactions carried out by our employees or real persons who have a working relationship with our company.

WORK PERFORMANCE AND CAREER DEVELOPMENT KNOWLEDGE; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Data processed for the purpose of measuring the performance of our employees or real persons who have a working relationship with our Company, and for the planning and execution of their career development within the scope of our company's human resources policy.

BENEFITS AND BENEFITS INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Your personal data processed for the planning of fringe benefits and benefits that we offer and will offer to employees or other real persons who have a working relationship with our Company, to determine the objective criteria for entitlement to these, and to follow up the progress payments to these.

LEGAL PROCESS AND COMPLIANCE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Your personal data processed within the scope of determination, follow-up and performance of our legal receivables and rights, and compliance with our legal obligations and our company's policies.

AUDIT AND INSPECTION INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Your personal data processed within the scope of our company's legal obligations and compliance with company policies.

PRIVATE PERSONAL DATA; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Data specified in article 6 of Law No. 6698.

REQUEST/ COMPLAINT MANAGEMENT INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system; Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to our company.

ARTICLE 20: PURPOSE OF PROCESSING PERSONAL DATA

According to the categorization prepared by our company, the upper purposes for the processing of Personal Data are shared below:

  1. To carry out the necessary work by our relevant business units for the realization of the commercial activities carried out by our company and to carry out the related business processes,
  2. Planning and execution of our company's commercial and/or business strategies,
  3. Carrying out the necessary work by our business units and executing the relevant processes in order to benefit the relevant people from the products and services offered by our company,
  4. Planning and execution of our company's human resources policies and processes,
  5. Ensuring the legal, technical and commercial job security of the persons who have a business relationship with our company.

The data processing purposes within the scope of the above listed above are as follows:

  1. Event Management
  2. Planning and Execution of Research and Development Activities
  3. Planning and Execution of Business Activities
  4. Planning and Execution of Corporate Communication Activities
  5. Planning and Execution of Information Security Processes
  6. Establishment and Management of Information Technologies Infrastructure
  7. Planning and Execution of Business Partners and/or Suppliers' Access Authorizations to Information and Facilities
  8. Planning and Execution of Benefits and Benefits to Supplier and/or Business Partner Employees
  9. Follow-up of Finance and/or Accounting Affairs
  10. Planning and Execution of Logistics Activities
  11. Management of Relationships with Business Partners and/or Suppliers
  12. Carrying out Activities for the Determination of the Financial Risks of the Customers
  13. Planning and Execution of Customer Relationship Management Processes
  14. Follow-up of Contract Processes and/or Legal Requests
  15. Follow-up of Customer Requests and/or Complaints
  16. Planning of Human Resources Processes
  17. Execution of Personnel Supply Processes
  18. Follow-up of Legal Affairs
  19. Planning and Execution of Operational Activities Necessary for Ensuring the Conduct of Company Activities in Compliance with Company Procedures and/or Related Legislation
  20. Collection of Entry and Exit Records of Business Partner/Supplier Employees
  21. Creating and Tracking Visitor Records
  22. Planning and Execution of Company Audit Activities
  23. Planning and/or Execution of Occupational Health and/or Safety Processes
  24. Ensuring Data is Accurate and Up-to-Date
  25. Management and/or Supervision of Relationships with Affiliates
  26. Ensuring the Security of Company Campuses and/or Facilities
  27. Ensuring the Security of Company Assets and/or Resources
  28. Planning and/or Execution of Company Financial Risk Processes

In order to process personal data within the scope of personal data processing purposes other than the situations mentioned above, our Company seeks the express consent of personal data owners; The following personal data processing activities by the relevant business units are carried out with the express consent of the personal data owners. In this context; In the absence of the above-mentioned conditions, personal data processing purposes for which the express consent of personal data owners is sought;

  1. Planning and Execution of Business Partners and/or Suppliers' Access Authorizations to Information and Facilities
  2. Planning and Execution of Logistics Activities
  3. Management of Relationships with Business Partners and/or Suppliers
  4. Follow-up of Contract Processes and/or Legal Requests
  5. Planning of Human Resources Processes
  6. Execution of Personnel Supply Processes
  7. Planning and/or Execution of Customer Satisfaction Activities
  8. Planning and Execution of Operational Activities Necessary for Ensuring the Conduct of Company Activities in Compliance with Company Procedures and/or Related Legislation
  9. Collection of Entry and Exit Records of Business Partner/Supplier Employees
  10. Planning and Execution of Company Audit Activities
  11. Planning and/or Execution of Occupational Health and/or Safety Processes
  12. It can be listed as Ensuring the Security of Company Campuses and/or Facilities.

ARTICLE 21: PERSONAL DATA STORAGE PERIOD

Our company keeps personal data for the period specified in these legislations, if it is foreseen in the relevant laws and regulations.

If the legislation regarding how long personal data should be stored is not regulated for a period of time, personal data is processed for a period of time that requires it to be processed in accordance with our Company's practices and commercial life practices, depending on the services our company provides while processing that data, and then it is deleted, destroyed or anonymized. Detailed information on this subject is included in this policy.

The purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and the company have come to an end; Personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. Despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the terms herein, retention periods are determined based on the examples previously submitted to our Company on the same issues. In this case, the stored personal data is not accessed for any other purpose, and only when necessary to use it in the relevant legal dispute, access to the relevant personal data is provided. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

ARTICLE 22: CATEGORIZATION OF OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY

Although the personal data of the following categories of personal data subjects are processed by our company, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.

Protection and processing of personal data of our employees will be evaluated under the Holding Employees Personal Data Protection and Processing Policy.

Although the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside of these categories may also direct their requests to our Company within the scope of the KVK Law; requests of these persons will also be evaluated within the scope of this Policy.

The concepts of customer, potential customer, visitor, employee candidate, shareholder and board member, natural persons in the institutions we cooperate with, and third parties related to these persons, which are included in this Policy, are explained below.

ARTICLE 23: CATEGORIES AND EXPLANATIONS

Visitor; Real persons who have entered the physical campuses owned by our company for various purposes or visited our websites.

Third Parties; Third-party real persons or real persons who are not covered by this policy and company employees' personal data protection and processing policy, in order to ensure the security of commercial transactions between our company and the parties or to protect the rights of the said persons and to obtain benefits.

Employee Candidate; Real persons who have applied for a job to our company by any means or have disclosed their resume-related information to our company.

Company Shareholder; The shareholders of our company are real persons.

Company official; company's board of directors and other authorized natural persons.

Employees institutions, shareholders and officials with whom we cooperate; Natural persons (including, but not limited to, shareholders and officials of these institutions working in institutions with which our company has any business relationship (such as business partners, offices, suppliers).

ARTICLE 24: THE THIRD PARTIES TO THE PERSONAL DATA TO BE TRANSFERRED BY OUR COMPANY AND THE PURPOSE OF THE TRANSFER

Our company notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the KVKK.

In accordance with Articles 8 and 9 of the KVK Law, our company may transfer the personal data of service users to the following categories of persons:

  1. To business partners of the company,
  2. company suppliers,
  3. Company affiliates,
  4. To Company Shareholders,
  5. Legally Authorized public institutions and organizations,
  6. Legally authorized private persons.

The scope and data transfer purposes of the above-mentioned persons to whom the transfer is made are as follows;

  1. Limited to ensure the fulfillment of the purposes of establishment of the business partnership,
  2. Limited to ensure that the services that our company outsources from the supplier and that are necessary to carry out the commercial activities of our company,
  3. Limited to ensuring the execution of commercial activities of our company that require the participation of affiliates,
  4. Designing the strategies and audit activities of our company in accordance with the provisions of the legal legislation and limited to audit purposes,
  5. In the event that legally authorized public institutions and organizations request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal authorities,
  6. In case legally authorized private legal persons request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal powers,

In the transfers made by our company, we act in accordance with the issues regulated in the policy. 

Our company informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVK Law.

Although the legal grounds for the processing of personal data by our company differ, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the Law No. 6698.

For the processing of personal data based on the explicit consent of the personal data owner, explicit consent is obtained from visitors and third parties.

The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.

The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.

It is possible to process personal data if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

Personal data of the data subject may be processed if the processing is necessary for our company to fulfill its legal obligations as a data controller.

If the data owner has made his personal data public by himself, the relevant personal data may be processed.

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company. (for internal calculations etc.)

Personal data processing activities carried out by our company at the entrance of the building and within the facility are carried out in accordance with the Constitution, the KVK Law and other relevant legislation.

In order to ensure security, our company carries out personal data processing activities for monitoring the entrance and exit of guests with security cameras in our company's buildings and facilities.

Personal data processing is carried out by our Company by using security cameras and recording guest entries and exits.

In this context, our Company acts in accordance with the Constitution, the KVK Law and other relevant legislation. Our company, within the scope of monitoring with security cameras; It aims to increase the quality of the service provided, to ensure its reliability, to ensure the safety of the company, employees and other persons, and to protect the interests of third parties regarding the service they receive.  The camera monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and the relevant legislation. Our company acts in accordance with the regulations in the KVK Law in the execution of camera surveillance activities for security purposes.

Our company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes stipulated in the laws and in accordance with the personal data processing conditions listed in the KVK Law.

Announcement of the monitoring activity by our company is made in accordance with Article 10 of the KVK Law.

Our company, in addition to the lighting it makes on general issues, also makes notifications with more than one method regarding the camera monitoring activity in accordance with the EU regulations. Thus, it is aimed to prevent harming the fundamental rights and freedoms of the personal data owner, and to ensure transparency and enlightenment of the personal data owner.

Our company processes personal data in a limited and measured manner in connection with the purpose for which they are processed, in accordance with Article 4 of the KVK Law.

The purpose of maintaining the video camera monitoring activity by our company is limited to the purposes listed in this Policy. In this direction, the monitoring areas, the number of security cameras and when they will be monitored are sufficient to achieve the security purpose and are implemented in a limited manner for this purpose. Areas (for example, toilets) that may result in interference with the privacy of the person exceeding the security objectives are not subject to monitoring.

In accordance with Article 12 of the KVK Law, our company takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.

Only a limited number of company employees have access to the records recorded and maintained in the digital environment. On the other hand, live camera images can be watched by outsourced security services. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.

By our company; Personal data processing is carried out in order to ensure security and for the purposes specified in this Policy, to monitor guest entries and exits in company buildings and facilities.

While obtaining the names and surnames of the persons who come to the company premises as guests, or through the texts posted by the Company or made available to the guests in other ways, the personal data owners in question are informed in this context. The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose, and the relevant personal data is recorded in the data recording system in the physical environment.

For the camera monitoring activity by our company; This Policy is published on the website of our company ( online policy regulation ) and a notification letter stating that monitoring will be carried out is posted at the entrances of the areas where monitoring is performed ( on-site lighting ).

On the websites owned by our company; to ensure that the visitors of these sites perform their visits on the sites in accordance with the purposes of their visit; Internet movements within the site are recorded by technical means in order to show them customized content.

Detailed explanations on the protection and processing of personal data regarding these activities of our company are included in the texts of the "Holding Website Privacy Policy" of the relevant websites.

Although our company has been processed in accordance with the provisions of the relevant law as regulated in article 138 of the Turkish Penal Code and article 7 of the KVK Law, in the event that the reasons requiring processing disappear, personal data is deleted upon our company's own decision or upon the request of the personal data owner. is made anonymous. Our company fulfills this related legal obligation through legal methods.

ARTICLE 25: TECHNIQUES FOR DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

25.1 Techniques for Deletion and Destruction of Personal Data

Despite the fact that it has been processed in accordance with the provisions of the relevant law, our company may delete or destroy personal data upon its own decision or upon the request of the personal data owner, in the event that the reasons requiring processing are eliminated. The most commonly used deletion or destruction techniques by our company are listed below:

      1. Physically Destroy

Personal data can also be processed in non-automatic ways, provided that it is part of any data recording system. While such data is being deleted/destroyed, a system of physical destruction of personal data is applied so that it cannot be used later.

25.1.2 Securely Delete from Software 

While deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that cannot be recovered again.

      1. Secure Erase by Expert 

In some cases, the company may hire an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field, in a way that cannot be recovered.

25.2 Techniques for Anonymizing Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated.

In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law and the explicit consent of the personal data owner will not be sought. Since the personal data processed by anonymization will be outside the scope of the KVK Law, the rights set out in the Policy will not be valid for these data.

The most commonly used anonymization techniques by our company are as follows;

  1. Masking 

With data masking, it is a method of anonymizing personal data by removing the basic determinant information of personal data from the data set.

  1. Consolidation

With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person.

  1. Data Derivation 

With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person.

  1. Data Hash

With the data mixing method, the values ​​in the personal data set are mixed and the link between the values ​​and the individuals is broken.

Our company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the KVK Law and guides the personal data owner on how to use these rights. It carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with the article.

ARTICLE 26: RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

26.1 Rights of Personal Data Owner

Personal data owners have the following rights:

  1. Learning whether personal data is processed
  2. If personal data has been processed, requesting information about it
  3. Learning the purpose of processing personal data and whether they are used in accordance with the purpose
  4. Knowing the third parties to whom personal data is transferred at home or abroad
  5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred
  6. Requesting the deletion or destruction of personal data in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred
  7. Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems
  8. Requesting the compensation of the damage in case of loss due to unlawful processing of personal data

26.2 Circumstances in which Personal Data Owner Cannot Claim Their Rights

Since the following cases are excluded from the scope of the KVK Law in accordance with Article 28 of the KVK Law, the personal data owners cannot claim the rights listed below in these matters:

  1. Processing of personal data for purposes such as research, planning and statistics by anonymizing with official statistics
  2. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

  1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  2. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings

Pursuant to article 28/2 of the KVK Law; In the cases listed below, personal data owners cannot claim their other rights listed below, except for the right to demand the compensation of the damage:

  1. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  2. Processing of personal data made public by the personal data owner.
  3. Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  4. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

26.3 Exercise of Personal Data Owner's Rights

Personal data owners will be able to submit their requests regarding the above-listed rights of this section to our Company, free of charge, using the following method:

  1. After filling the form on …..com and signing it with wet signature, …. by applying in person to
  2. After filling the form on …..com and signing it with wet signature, …. by courier or mail to your address,
  3. After completing the form at …..com and signing with your “secure electronic signature” within the scope of Electronic Signature Law No. 5070, the form with secure electronic signature will be sent to …@....com with an e-mail.

It is not possible to make a request by third parties on behalf of personal data owners.

In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person to apply.

Personal data owners, in their application to exercise their rights, will fill in the "Application Form Regarding the Applications to be Made by the Relevant Person (Personal Data Owner) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698" linked above. The method of application to be made in this form is also explained in detail.

26.4 Right of Personal Data Owner to Complain to the KVK Board

In cases where the application is rejected, the response given is insufficient, or the application is not answered in due time, in accordance with Article 14 of the Personal Data Owner KVK Law; A complaint may be made to the KVK Board within thirty days from the date our company learns of the answer, and in any case within sixty days from the date of application.

ARTICLE 27: COMPANY'S ANSWER TO APPLICATIONS

27.1 Our Company's Response Procedure and Time to Applications

In case the personal data owner submits his request to our Company in accordance with the procedure in the above section of this section, our Company will conclude the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.

However, if the transaction requires a separate cost, our Company will charge the applicant the fee in the tariff determined by the KVK Board.

27.2 Information Our Company May Request from the Applicant Personal Data Owner

Our company may request information from the person concerned in order to determine whether the applicant is the owner of personal data.

Our company may ask questions about the personal data owner's application in order to clarify the issues in the personal data owner's application.

27.3 Our Company's Right to Refuse the Application of the Personal Data Owner

Our company may reject the application of the applicant in the following cases by explaining the reason:

  1. Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
  2. Personal data can be used to protect national defense, national security, public security, public order,

  1. to be processed for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate economic security, privacy or personal rights, or constitute a crime.
  2. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  3. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
  4. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  5. Processing of personal data made public by the personal data owner.
  6. Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  7. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
  8. The possibility of the personal data owner's request to prevent the rights and freedoms of other persons
  9. Making requests that require disproportionate effort.
  10. The requested information is publicly available.

ARTICLE 28: THE RELATIONSHIP OF THE COMPANY'S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES

The basic policies regarding the protection and processing of personal data, which are related to the principles set forth by the company with this Policy, are indicated. By linking these policies with the basic policies of the Company in other areas, harmonization is also ensured between the processes that the Company operates with different policy principles for similar purposes.

"Personal Data Protection Board" has been established within the body of the Company in accordance with the decision of the Company's senior management in order to manage this policy and other policies related to and related to this policy. The duties of this board are listed below.

  1. To prepare the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
  2. To decide how to implement and control the policies regarding the Protection and Processing of Personal Data, and to make internal assignments and ensure coordination within this framework, to submit to the approval of the senior management.
  3. To determine the issues that need to be done in order to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and to submit the necessary actions to the approval of the senior management; Supervising and coordinating its implementation.
  4. To raise awareness within the Company and the institutions with which the Company cooperates on the Protection and Processing of Personal Data.
  5. To determine the risks that may occur in the personal data processing activities of the company and to ensure that the necessary measures are taken; submitting improvement proposals to senior management for approval.
  6. To design and implement trainings on the protection of personal data and the implementation of policies.
  7. To decide on the applications of personal data owners at the highest level.
  8. Personal data owners; To coordinate the execution of information and training activities to ensure that they are informed about personal data processing activities and their legal rights.

  1. To prepare the changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
  2. To follow the developments and regulations on the Protection of Personal Data; To advise senior management on what needs to be done within the Company in accordance with these developments and regulations.
  3. Coordinating relations with the Personal Data Protection Board and Institution.
  4. To perform other duties assigned by the senior management of the company regarding the protection of personal data.

Some of the stated policies are for internal use. It is aimed to reflect the principles of the internal policies of the company to the policies open to the public to the extent relevant, to inform the relevant parties in this framework and to ensure transparency and accountability about the personal data processing activities carried out by the Company.