PERSONAL DATA PROTECTION POLICY
1. Purpose:
In accordance with the Personal Data Protection Law No. 6698, which is currently in force, the processing of personal data is regulated to ensure the protection of the fundamental rights and freedoms of individuals, particularly the right to privacy, and to establish the obligations, procedures, and principles to be followed by natural and legal persons processing personal data. The purpose of our policy, which has been prepared in consideration of this regulation, is to ensure compliance with obligations regarding personal data protection, to evaluate the processing, transfer, and confidentiality of information obtained within the scope of the activities carried out by our organization through a risk-based approach, and to determine strategies, internal controls, operational rules, and responsibilities. Additionally, this policy aims to raise awareness among employees on these matters. Furthermore, this policy is intended to ensure transparency by informing individuals whose personal data is processed by our Organization, including but not limited to our customers, potential customers, employees, job applicants, shareholders, company executives, visitors, employees of institutions and organizations with which we cooperate, their shareholders and executives, and third parties.
2. Scope:
This policy applies to all personal data processed, whether automatically or manually as part of any data recording system, concerning our customers, potential customers, employees, job applicants, company shareholders, company executives, visitors, the employees, shareholders, and executives of business partners, and third parties.
3. Definitions
- Explicit Consent: Consent based on being informed about a specific issue and expressed freely.
- Anonymization: The modification of personal data in such a way that it can no longer be associated with an identified or identifiable person, and this change cannot be reversed. Example: making personal data impossible to associate with a natural person through techniques such as masking, aggregation, data corruption, etc.
- Employee: Persons working in the Company in accordance with the employment contract made between the Company and the employee.
- Employee Candidate: Real persons who have applied for a job to the Company by any means or who have opened their CV and related information to the Company's review.
- Employees, Shareholders and Authorities of the Institutions We Cooperate With: Real persons, including but not limited to employees, shareholders and authorities of the institutions with which the Company has any kind of business relationship (such as business partners, suppliers, etc.).
- Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
- Personal Data Owner: The natural person whose personal data is processed. For example, customers and employees.
- Personal Data: Any information relating to an identified or identifiable natural person. Processing of information on legal persons is not covered by the Law. For example: name and surname, TC identity number, e-mail, address, date of birth, credit card number, etc.
- Customer: Natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
- Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Potential Customer: Natural persons who have made a request for or shown interest in using our products and services, or who, in accordance with the rules of commercial custom and honesty, have been evaluated as possibly having such an interest.
- Company Shareholder: Real persons who are shareholders of the Company.
- Company Official: Members of the Company's board of directors and other authorized real persons.
- Third Party: Natural persons who are related to the aforementioned parties, and whose data is processed in order to ensure the security of the commercial transactions between the Company and the aforementioned parties, to protect the rights of the aforementioned parties, or to provide benefits to them (e.g. family members and relatives).
- Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, the company or companies hosting the Company's data, etc.
- Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (the data recording system), provides the necessary information to the data subject regarding his/her personal data upon the data subject's request/application, and makes the necessary directions.
- Visitors: Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites.
- KVKK: Law on the Protection of Personal Data No. 6698 dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677.
- Constitution: Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, published in the Official Gazette dated November 9, 1982 and numbered 17863.
- KVK Board: Personal Data Protection Board
- KVK Authority: Personal Data Protection Authority
- Policy: Company Personal Data Protection and Processing Policy
- TBK: Turkish Code of Obligations dated January 11, 2011 and numbered 6098, published in the Official Gazette dated February 4, 2011 and numbered 27836.
- TCK: Turkish Penal Code No. 5237 dated September 26, 2004, published in the Official Gazette dated October 12, 2004 and numbered 25611.
- TTK: Turkish Commercial Code dated January 13, 2011 and numbered 6102, published in the Official Gazette dated February 14, 2011 and numbered 27846.
4.1. Data Categories: The Company may record, process or transfer data relating to the following categories of data.
- Identity Information (Full name, mother’s and father’s name, mother’s maiden name, date of birth, place of birth, marital status, national ID card serial number, national identification number, etc.)
- Contact Information (Address number, email address, contact address, registered electronic mail (KEP) address, phone number, etc.)
- Location Data (Location information of the individual)
- Personnel Information (Payroll records, disciplinary investigation records, employment entry-exit records, asset declaration details, CV details, performance evaluation reports, etc.)
- Legal Transactions (Information in correspondence with judicial authorities, case file details, etc.)
- Customer Transactions (Call center records, invoice, promissory note, check details, teller receipts, order details, request details, etc.)
- Physical Space Security (Entry and exit records of employees and visitors, CCTV recordings, etc.)
- Transaction Security (IP address details, website login and logout records, password and credential details, etc.)
- Risk Management (Data processed for managing commercial, technical, and administrative risks, etc.)
- Financial Information (Balance sheet details, financial performance data, credit and risk details, asset information, etc.)
- Professional Experience (Diploma details, attended courses, in-service training details, certifications, transcript information, etc.)
- Marketing Information (Shopping history details, survey responses, cookie records, data obtained through marketing campaigns, etc.)
- Visual and Audio Records (Visual and audio recordings, etc.)
- Health Information (Disability status details, blood type, personal health details, information regarding medical devices and prosthetics, etc.)
4.2. Personal Data Processing Purposes:
The Company may record, process or transfer personal data for the following purposes.
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Employee Candidate / Intern / Student Selection and Placement Processes
- Execution of Employee Candidate Application Processes
- Execution of Employee Satisfaction and Loyalty Processes
- Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees
- Execution of Employee Benefits and Fringe Benefits Processes
- Conducting Audit / Ethics Activities
- Conducting Training Activities
- Execution of Access Authorizations
- Execution of Activities in Compliance with the Legislation
- Execution of Finance and Accounting Affairs
- Execution of Company / Product / Service Loyalty Processes
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Monitoring and Execution of Legal Affairs
- Conducting Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning Human Resources Processes
- Execution / Supervision of Business Activities
- Execution of Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for Improvement of Business Processes
- Execution of Business Continuity Ensuring Activities
- Execution of Logistics Activities
- Execution of Goods / Service Procurement Processes
- Execution of Goods / Services After Sales Support Services
- Execution of Goods / Service Sales Processes
- Execution of Goods / Services Production and Operation Processes
- Execution of Customer Relationship Management Processes
- Execution of Activities for Customer Satisfaction
- Organization and Event Management
- Conducting Marketing Analysis Studies
- Execution of Performance Evaluation Processes
- Execution of Advertising / Campaign / Promotion Processes
- Execution of Risk Management Processes
- Execution of Storage and Archive Activities
- Implementation of Social Responsibility and Civil Society Activities
- Execution of Contract Processes
- Execution of Sponsorship Activities
- Execution of Strategic Planning Activities
- Tracking Requests / Complaints
- Ensuring the Security of Movable Property and Resources
- Execution of Supply Chain Management Processes
- Execution of Wage Policy
- Execution of Marketing Processes of Products / Services
- Ensuring the Security of Data Controller Operations
- Foreign Personnel Work and Residence Permit Procedures
- Execution of Investment Processes
- Execution of Talent / Career Development Activities
- Providing Information to Authorized Persons, Institutions and Organizations
- Execution of Management Activities
- Creating and Tracking Visitor Records
4.3. Personal Data Transfer Recipient Groups:
The Company may transfer personal data to the following Personal Data Transfer Recipient groups.
- Natural Persons and Private Law Legal Entities
- Public (Open to All)
- Shareholders
- Business Partners
- Affiliates and Subsidiaries
- Supplier
- Group Company
- Authorized Public Institutions and Organizations
4.4. Personal Data Subjects
The Company may record, process or transfer personal data according to the following types of persons.
- Employee Candidate
- Employee
- Shareholder/Partner
- Potential Product and Service Buyer
- Trainee
- Supplier Employee
- Supplier Officer
- Product or Service Recipient
- Parent/Guardian/Representative
- Visitor
4.5. Personal Data Retention Periods:
Personal data retention periods are set out in detail in the Personal Data Retention and Destruction Policy.
4.6. Erasure, Destruction or Anonymization of Personal Data:
- Although personal data has been processed in accordance with the law, in the event that the reasons requiring its processing disappear, such data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
- The data controller shall erase, destroy or anonymize personal data at the first periodic destruction following the date on which the obligation to erase, destroy or anonymize personal data arises.
- The actions to be taken regarding these issues are explained in detail in the Personal Data Storage and Destruction Policy.
4.7. Transfer of Personal Data:
Personal data obtained in accordance with the general principles set forth in the law may be transferred to third parties in the manner specified by the law.
- Domestic transfer: Personal data and sensitive personal data cannot be transferred to third parties without the explicit consent of the data subject. However, as an exception, personal data may be transferred without the explicit consent of the data subject under the conditions specified in the Law, including:
  - If it is explicitly provided for by law,
  - If it is necessary to protect the life or physical integrity of a person who is unable to express their consent due to actual impossibility or whose consent is not legally valid,
  - If it is necessary for the establishment or performance of a contract, provided that it is directly related to the parties of the contract,
  - If it is necessary for the data controller to fulfill its legal obligations,
  - If the data has been made public by the data subject,
  - If data processing is necessary for the establishment, exercise, or protection of a legal right,
  - If data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
- Transfer abroad: With the amendments made to Law No. 6698, a phased regime has been introduced for the transfer of personal data abroad. In this context, personal data may be transferred abroad if:
  - One of the conditions specified in Articles 5 and 6 of the Law is met, and
  - There is an adequacy decision regarding the country, the sectors within the country, or the international organizations to which the transfer will be made.
  If no adequacy decision is available, personal data may be transferred abroad if:
  - One of the conditions specified in Articles 5 and 6 of the Law is met, and
  - The data subject has the ability to exercise their rights and access effective legal remedies in the recipient country, and
  - One of the appropriate safeguards specified in the Law is provided by the parties.
  If neither an adequacy decision nor appropriate safeguards exist, personal data may only be transferred abroad in the exceptional cases explicitly specified in the Law and on a temporary basis.
4.8. General (Basic) Principles in the Processing of Personal Data:
Personal data will be processed in accordance with the following basic principles, as detailed in the Personal Data Processing Procedure.
- Compliance with the law and good faith,
- Being accurate and up to date when necessary,
- Processing for specific, explicit and legitimate purposes,
- Being relevant, limited and proportionate to the purpose for which they are processed,
- Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
4.9. Explicit Consent
Explicit consent is consent on a specific issue, based on information and expressed with free will. As stated in detail in the Procedure for Obtaining Explicit Consent, explicit consent must relate to a specific subject, must be based on information, and must be expressed with free will.
4.10. Obligation to inform
During the acquisition of personal data, the Company informs the relevant persons. As regulated in detail in the Disclosure Procedure, this disclosure includes at least the following topics.
- Identity of the data controller and its representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose personal data may be transferred,
- The method and legal grounds for collecting personal data,
- Other rights of the person concerned listed in Article 11 of the Law.
4.11. The rights of the person concerned
In accordance with Article 11 of the Law, which regulates the rights of the data subject, the data subject has the right to:
- Learn whether their personal data is being processed,
- Request information if their data is being processed,
- Learn the purpose of processing and whether the data is being used in accordance with its purpose,
- Know the third parties to whom the data is transferred, both domestically and internationally,
- Request the correction of data if it is incomplete or inaccurate,
- Request the deletion or destruction of their data under the conditions stipulated in Article 7 of the Personal Data Protection Law,
- Request notification of the actions taken on their data to the third parties to whom it has been transferred, based on the correction and deletion requests above,
- Object to the result of an exclusively automated decision-making process that produces adverse legal effects,
- Request compensation for the damages caused by unlawful processing of their personal data.
4.12. Methods of Exercising the Data Subject's Rights
Data subjects have the right to contact the Company to: learn whether their personal data is being processed, request it if it is processed, correct any incomplete or incorrect data, delete or destroy data if it is unlawful, and request the notification of any such actions to third parties to whom the data has been disclosed. Additionally, they can request compensation for damages caused by unlawful processing of their personal data. The data subject may exercise their rights using the procedures and complaint methods outlined below.
Application:
To exercise their rights, data subjects must first apply to the data controller. A complaint to the Board cannot be filed without exhausting this process.
Application Procedure:
As specified in the clarification texts, data subjects may submit their requests in writing to the Company's registered address (MERSİS No. 0630003487100013), Esentepe Mah. Harman 1 Sk. Nida Kule Blok No: 7-9 İç Kapı No: 68 Şişli / İstanbul, or via registered electronic mail (KEP) at nebim@hs03.kep.tr, together with identification information in accordance with the "Notification on the Application Procedure and Principles to the Data Controller."
Complaint:
A data subject may file a complaint if their application to the Company is rejected, if the response provided is insufficient, or if no response is given within 30 days. It is not possible for data subjects to go directly to the Board without applying to the Company first.
4.13. Obligation to Fulfill Board Decisions
If the Board determines the existence of a violation as a result of an examination carried out ex officio, upon a complaint, or upon learning of the alleged violation, it decides that the Company must remedy the breach of law and notifies the decision to the relevant parties. As stated in detail in the Procedure for Fulfillment of Board Decisions, the Company shall fulfill this decision without delay and within thirty days at the latest from the date of notification.
4.14. Data Controllers Registry (VERBIS) registration obligation
The Company registers and updates its records in the Data Controllers Registry (VERBIS), the registration system in which data controllers are obliged to register and declare information about their data processing activities, as specified in the VERBIS registration procedure.
4.15. Personal Data Breach
In the event that processed personal data is obtained by others unlawfully, the Company shall notify the relevant persons and the Board as soon as possible, as specified in the Personal Data Breach Procedure. If necessary, the Board may announce the situation on its website or by any other method it deems appropriate.
4.16. Personal Data Security Measures
The Company takes the following technical and administrative measures at a level appropriate to the Company structure in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
- Network security and application security are ensured.
- Closed system network is used for personal data transfers through the network.
- Key management is in place.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness raising activities on data security are carried out for employees at regular intervals.
- Authorization matrix has been created for employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
- Data masking measures are applied when necessary.
- Confidentiality commitments are made.
- Employees who are reassigned or leave their jobs are no longer authorized in this area.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Personal data is backed up and the security of backed up personal data is also ensured.
- User account management and authorization control system are implemented and monitored.
- Internal periodic and/or random audits are conducted.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of sensitive personal data have been determined and implemented.
- If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
- Secure encryption/cryptographic keys are used for sensitive personal data and are managed by different units.
- Intrusion detection and prevention systems are used.
- Penetration test is applied.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is performed.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is ensured.
- Data loss prevention software is used.