PERSONAL DATA PROTECTION POLICY

1. Legal Basis : We give utmost importance to the protection and processing of Personal Data in accordance with the Law No. 6698 on the Protection of Personal Data, taking as a basic legal basis that everyone has the right to request the protection of personal data related to him/her, that this right includes the right to be informed about personal data related to him/her, to access this data, to request correction or deletion of these data and to learn whether they are used for their purposes, that personal data can only be processed in cases stipulated by law or with the explicit consent of the person, and we act with this care in all our planning and activities. As a company, we take all administrative and technical measures for the protection and processing of Personal Data, which is the basis of the privacy of private life, and we inform and warn our personnel about the legal sanctions regulated in Article 135 of the Turkish Criminal Code No. 5237 (TCK) and its continuation.
2.Purpose: The Law No. 6698 on the Protection of Personal Data in force regulates the protection of fundamental rights and freedoms of individuals, especially the right to privacy, and the obligations of real and legal persons who process personal data, as well as the procedures and principles to be followed in the processing of personal data. The purpose of our policy prepared by taking into account the said regulation is to ensure compliance with the obligations regarding the protection of personal data, to evaluate the issues related to the processing, transfer and protection of confidentiality of the information obtained within the scope of the activities carried out by our Company with a risk-based approach, to determine the strategies, internal controls and measures, operating rules and responsibilities and to raise awareness of the employees of the organization on these issues. At the same time; It is aimed to ensure transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions / organizations we cooperate with and third parties.

3.Scope: This policy is related to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.
4. Definitions
4.1. Explicit Consent Consent based on being informed about a specific issue and expressed freely.
4.2. Anonymization It is the modification of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be reversed. Example: Making personal data impossible to be associated with a natural person through techniques such as masking, aggregation, data corruption, etc.
4.3. Employee Persons working in the Company in accordance with the employment contract made between the Company and the employee
4.4. Employee Candidate Real persons who have applied for a job to the Company by any means or who have opened their CV and related information to the Company's review
4.5. Employees, Shareholders and Authorities of the Institutions We Cooperate with Real persons, including, but not limited to, employees, shareholders and authorities of the institutions with which the Company has any kind of business relationship (such as business partners, suppliers, etc.)
4.6. Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
4.7. Personal Data Owner The natural person whose personal data is processed. For example, customers and employees.
4.8. Personal Data Any information relating to an identified or identifiable natural person. Processing of information on legal persons is not covered by the law. For example; name-surname, TC, e-mail, address, date of birth, credit card number, etc.
4.9. Customer Natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company
4.10. Sensitive Personal Data : Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive data.
4.11. Potential Customer Natural persons who have made a request or interest in using our products and services or who have been evaluated in accordance with the rules of commercial custom and honesty that they may have this interest
4.12. Company Shareholder: Real persons who are shareholders of the company
4.13. Company Official Members of the Company's board of directors and other authorized real persons
4.14. Third Party Third party natural persons who are related to the aforementioned parties in order to ensure the security of the commercial transactions between the Company and the aforementioned parties or to protect the rights of the aforementioned parties and to provide benefits (e.g. Family members and relatives)
4.15. Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, the company or companies holding the Company's data, etc.
4.16. Data Controller The data controller is the person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (data recording system), provides the necessary information to the data subject regarding his/her personal information as a result of the request/application of the data subject and makes the necessary directions.
4.17. Visitors Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites
5. Abbreviations
5.1 KVKK : Law No. 6698 Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.
5.2. Constitution: constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, published in the Official Gazette dated November 9, 1982 and numbered 17863.
5.3. KVK Board Personal Data Protection Board
5.4. KVK Authority Personal Data Protection Authority
5.5.Policy Company Personal Data Protection and Processing Policy
5.6. TBK Turkish Code of Obligations dated January 11, 2011 and numbered 6098; published in the Official Gazette dated February 4 , 2011 and numbered 27836.
5.7.TCK Turkish Penal Code No. 5237 dated September 26, 2004 and published in the Official Gazette dated October 12, 2004 and numbered 25611.
5.8.TTK Turkish Commercial Code dated January 13, 2011 and numbered 6102 published in the Official Gazette dated February 14, 2011 and numbered 27846
6.Data Categories: The Company may record, process or transfer data relating to the following categories of data.
6.1. Identity (name, surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR ID number, etc.)
6.2. Contact (such as address no, e-mail address, contact address, registered electronic mail address (REM), telephone no)
6.3.Location (location information of where it is located)
6.4.Personnel (payroll information, disciplinary investigation, employment records, property declaration information, CV information, performance evaluation reports, etc.)
6.5. Legal Action (such as information in correspondence with judicial authorities, information in the case file)
6.6. Customer Transaction (such as call center records, invoice, promissory note, check information, information in box office receipts, order information, request information)
6.7. Physical Space Security (such as employee and visitor entry and exit records, camera records)
6.8. Transaction Security (such as IP address information, website login and exit information, password and password information)
6.9. Risk Management (such as information processed to manage commercial, technical, administrative risks)
6.10. (such as balance sheet information, financial performance information, credit and risk information, asset information)
6.11.Professional Experience (such as diploma information, courses attended, vocational training information, certificates, transcript information)
6.12.Marketing (shopping history information, surveys, cookie records, information obtained through campaigns)
6.13Audiovisual Recordings (such as audiovisual recordings)
6.14.Race and Ethnicity (such as race and ethnicity information)
6.15. Political Opinion Information (information indicating political opinion, such as political party membership information)
6.16 Philosophical Beliefs, Religion, Sect and Other Beliefs (such as information on religious affiliation, information on philosophical beliefs, information on sectarian affiliation, information on other beliefs)
6.17 Dress and Attire (information on dress and attire)
6.18 Association Membership (such as association membership information)
6.19 Foundation Membership (such as foundation membership information)
6.20 Union Membership (such as union membership information)
6.21 Health Information (such as information on disability status, blood type information, personal health information, device and prosthesis information)
6.22 Sexual Life (such as information on sexual life)
6.23 Criminal Conviction and Security Measures (such as information on criminal conviction, information on security measures)
6.24 Biometric Data (such as palm data, fingerprint data, retinal scan data, facial recognition data)
6.25 Genetic Data (such as genetic data) 7.Personal Data Processing Purposes The Company may record, process or transfer personal data for the following purposes.
7.1. Execution of Emergency Management Processes
7.2. Execution of Information Security Processes
7.3.Execution of Employee Candidate / Intern / Student Selection and Placement Processes
7.4.Execution of Employee Candidate Application Processes
7.5.Execution of Employee Satisfaction and Loyalty Processes
7.6.Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees
7.7.Execution of Employee Benefits and Benefits Processes
7.8.Conducting Audit / Ethics Activities
7.9.Conducting Training Activities
7.10.Execution of Access Authorizations
7.11.Execution of Activities in Compliance with the Legislation
7.12.Execution of Finance and Accounting Affairs
7.13.Execution of Company / Product / Service Loyalty Processes
7.14.Ensuring Physical Space Security
7.15.Execution of Assignment Processes
7.16.Monitoring and Execution of Legal Affairs
7.17.Conducting Internal Audit / Investigation / Intelligence Activities
7.18. Execution of Communication Activities
7.19. Planning Human Resources Processes
7.20. Execution / Supervision of Business Activities
7.21.Execution of Occupational Health / Safety Activities
7.22.Receiving and Evaluating Suggestions for Improvement of Business Processes
7.23.Execution of Business Continuity Ensuring Activities
7.24.Execution of Logistics Activities
7.25.Execution of Goods / Service Procurement Processes
7.26.Execution of Goods / Services After Sales Support Services
7.27.Execution of Goods / Service Sales Processes
7.28.Execution of Goods / Services Production and Operation Processes
7.29.Execution of Customer Relationship Management Processes
7.30.Execution of Activities for Customer Satisfaction
7.31.Organization and Event Management
7.32.Conducting Marketing Analysis Studies
7.33.Execution of Performance Evaluation Processes
7.34.Execution of Advertising / Campaign / Promotion Processes
7.35.Execution of Risk Management Processes
7.36.Execution of Storage and Archive Activities
7.37.Implementation of Social Responsibility and Civil Society Activities
7.38.Execution of Contract Processes
7.39.Execution of Sponsorship Activities
7.40.Execution of Strategic Planning Activities
7.41.Tracking Requests / Complaints
7.42.Ensuring the Security of Movable Property and Resources
7.43.Execution of Supply Chain Management Processes
7.44.Execution of Wage Policy
7.45.Execution of Marketing Processes of Products / Services
7.46.Ensuring the Security of Data Controller Operations
7.47.Foreign Personnel Work and Residence Permit Procedures
7.48.Execution of Investment Processes
7.49.Execution of Talent / Career Development Activities
7.50.Providing Information to Authorized Persons, Institutions and Organizations
7.51.Execution of Management Activities
7.52.Creating and Tracking Visitor Records
8.Personal Data Transfer Recipient Groups The Company may transfer personal data to the following Personal Data Transfer Recipient groups.
8.1.Natural Persons and Private Law Legal Entities
8.2.Open to All
8.3.Shareholders
8.4.Business Partner
8.5.Subsidiaries and Subsidiaries
8.6.Supplier
8.7.Group Company
8.8.Authorized Public Institutions and Organizations
9.Personal Data Subjects - The Company may record, process or transfer personal data according to the following types of persons.
9.1. Employee Candidate
9.2. Employee
9.3. Subject
9.4. Person Subject to News
9.5.Shareholder/Partner
9.6. Potential Product and Service Buyer
9.7. Examination Candidates
9.8. Trainee
9.9. Supplier Employee
9.10. Supplier Officer
9.11.Product or Service Recipient
9.12. Parent/Guardian/Representative
9.13. Visitor
10.Personal Data Retention Periods : Personal data retention periods are set out in detail in the Personal data Retention and Destruction policy.
11. Erasure, Destruction or Anonymization of Personal Data :
11.1 Although personal data has been processed in accordance with the law, in the event that the reasons requiring its processing disappear, such data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
11.2 The data controller shall erase, destroy or anonymize personal data at the first periodic destruction following the date on which the obligation to erase, destroy or anonymize personal data arises.
11.3 The actions to be taken regarding these issues are explained in detail in the Personal Data Storage and Destruction Policy.
12. Transfer of Personal Data Personal data obtained for processing within the framework of the general principles specified in the Law may be transferred to third parties with the explicit consent of the person concerned.
12.1 Domestic transfer: Details regarding the domestic transfer of personal data and sensitive personal data are regulated in the Procedure for Transfer of Personal Data.
12.2 Transfer abroad: Personal data may be transferred to countries with adequate protection in the presence of the conditions specified in the Law, provided that the data subject has explicit consent. Data transfer to countries where there is no adequate protection can be realized in the presence of the conditions specified in the Law, in addition to the existence of explicit consent, the written commitment of adequate protection and the permission of the Board. Details on the subject are regulated in the Procedure on Transfer of Personal Data.
13. General (Basic) Principles in the Processing of Personal Data: Personal data will be processed in accordance with the following basic principles as detailed in the Personal data processing procedure.
13.1 Compliance with the law and good faith,
13.2 Being accurate and up to date when necessary,
13.3 Processing for specific, explicit and legitimate purposes,
13.4 Being relevant, limited and proportionate to the purpose for which they are processed,
13.5 Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
14.Explicit Consent : It is consent on a specific issue, based on information and expressed with free will. As stated in detail in the procedure for obtaining explicit consent, explicit consent must be related to a specific subject, the consent must be based on information and must be disclosed with free will.
15 Obligation to inform : During the acquisition of personal data, the relevant persons are informed by the company. As regulated in detail in the Disclosure Procedure, this disclosure includes at least the following topics.
15.1 Identity of the data controller and its representative, if any,
15.2 The purpose for which personal data will be processed,
15.2 To whom and for what purpose personal data may be transferred,
15.2 The method and legal grounds for collecting personal data,
15.2 Other rights of the person concerned listed in Article 11 of the Law.
16. The rights of the person concerned: By applying to the Company, the data subjects have the right to learn whether personal data relating to them are processed, to request them if they have been processed, to request the correction of the content of the data if it is incomplete or incorrect, to request the deletion or destruction of the data if it is unlawful, and to notify the third parties to whom the data are disclosed and to request the compensation of their damages due to the unlawful processing of the data. The data subject may exercise his/her rights of application and complaint, the details of which are set out in the Data Subject's Rights Procedure.
16.1. Application : In order to exercise their rights, data subjects must first apply to the data controller. A complaint cannot be filed with the Board without using this remedy.
16.1. Complaint: In order for the relevant person to file a complaint, the application to the Company must be rejected, the response must be found inadequate or the application must not be responded to within 30 days. It is not possible for the relevant persons to file a complaint directly to the Board without applying to the Company.
17.Obligation to Fulfill Board Decisions : If the Board determines the existence of a violation as a result of the examination to be carried out ex officio upon a complaint or upon learning of the alleged violation, it decides to remedy the breach of law by the Company and notifies the decision to the relevant parties. As stated in detail in the Procedure for Fulfillment of Board Decisions, the Company shall fulfill this decision without delay and within thirty days at the latest from the date of notification.
18.Data Controllers Registry (VERBIS) registration obligation: The Company registers and updates these records as specified in the Data Controllers Registry (VERBIS) registration procedure in the registration system where data controllers are obliged to register and declare information about data processing activities.
19. Personal Data Breach : In the event that the processed personal data is obtained by others illegally, the Company shall notify the relevant person and the Board as soon as possible as specified in the Personal Data Breach Procedure. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.
20.Personal Data Security Measures : The Company takes the following technical and administrative measures at a level appropriate to the Company structure in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
20.1. Network security and application security are ensured.
20.2. Closed system network is used for personal data transfers through the network.
20.3. Key management is in place.
20.4.Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
20.5. There are disciplinary regulations for employees that include data security provisions.
20.6.Training and awareness raising activities on data security are carried out for employees at regular intervals.
20.7. Authorization matrix has been created for employees.
20.8. Access logs are kept regularly.
20.9. Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
20.10. Data masking measures are applied when necessary.
20.11.Confidentiality commitments are made.
20.12.Employees who are reassigned or leave their jobs are no longer authorized in this area.
20.13.Up-to-date anti-virus systems are used.
20.14.Firewalls are used.
20.15.The signed contracts contain data security provisions.
20.16.Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
20.17.Personal data security policies and procedures have been determined.
20.18.Personal data security issues are reported quickly.
20.19.Personal data security is monitored.
20.20.Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
20.21.Physical environments containing personal data are secured against external risks (fire, flood, etc.).
20.22.The security of environments containing personal data is ensured.
20.23.Personal data is minimized as much as possible.
20.24.Personal data is backed up and the security of backed up personal data is also ensured.
20.25.User account management and authorization control system are implemented and monitored.
20.26.Internal periodic and/or random audits are conducted and carried out.
20.27.Log records are kept without user intervention.
20.28.Existing risks and threats have been identified.
20.29.Protocols and procedures for the security of sensitive personal data have been determined and implemented.
20.30.If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
20.31.Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
20.32.Intrusion detection and prevention systems are used.
20.33.Penetration test is applied.
20.34.Cyber security measures have been taken and their implementation is constantly monitored.
20.35.Encryption is performed.
20.36.Data processing service providers are periodically audited on data security.
20.37.Awareness of data processing service providers on data security is ensured.
20.38. Data loss prevention software is used.