Personal Data Protection Policy

1. Legal Basis

regulated in Article 20 of the Constitution; this right, that everyone has the right to demand the protection of their personal data; In accordance with the Law No. 6698 on the Protection of Personal Data, on the basis of the basic legal basis that the personal data can be processed only in cases stipulated by the law or with the explicit consent of the person. We attach utmost importance to the protection and processing of Personal Data in accordance with the law and we act with this care in all our planning and activities. As a company, we are committed to protecting and processing Personal Data, which is the basis of privacy.
We take administrative and technical measures and inform and warn our personnel about the legal sanctions regulated in Article 135 of the Turkish Penal Code (TCK) numbered 5237 and the following.

2. Purpose

With the Law No. 6698 on the Protection of Personal Data in force, the protection of fundamental rights and freedoms of individuals, in particular the privacy of private life, and the obligations of natural and legal persons who process personal data, as well as the procedures and principles to be followed, are regulated in the processing of personal data. The aim of our policy, which was prepared by taking into account the regulation in question; Ensuring compliance with the obligations on the protection of personal data, processing, transferring and protecting the confidentiality of the information provided within the scope of the activities carried out by our Company, by evaluating with a risk-based approach, determining the strategies, internal controls and measures, operating rules and responsibilities, and raising awareness of the employees of the institution on these issues. At the same time; It is aimed to ensure transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions/organizations we cooperate with, and third parties.

3. Scope

This policy; It relates to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system. .

4. Definitions

4.1. Explicit Consent : Consent that is based on being informed about a particular subject and that is expressed with free will.
4.2. Anonymization: It is the change of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be undone. Example: Masking,
aggregation, data corruption etc. making personal data incapable of being associated with a natural person, by means of techniques.
4.3. Employee: Persons working in the Company pursuant to the employment contract concluded with the Company
4.4. Employee Candidate: Natural persons who have either applied for a job by the Company or have opened their CV and related information to the Company's inspection
4.5. Employees, Shareholders and Officials of the Institutions We Collaborate with: Natural persons, including the shareholders and officials of these institutions, working in the institutions (such as but not limited to business partners, suppliers) with which the company has all kinds of business relations
4.6. Processing of Personal Data: Obtaining, recording,
storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.
4.7. Personal Data Owner: The natural person whose personal data is processed. E.g; Customers and employees.
4.8. Personal Data: Any information relating to an identified or identifiable natural person. Processing of information regarding legal persons is not within the scope of the law. E.g; name-surname, TR, e-mail, address, date of birth, credit card number etc.
4.9. Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company
4.10. Special Quality Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and
security measures, and biometric and genetic data are special data.
4.11. Potential Customer: Real persons who have requested or interested in using our products and services, or who have been evaluated in accordance with commercial practices and honesty rules that they may have
4.12. Company Shareholder: Natural persons who are shareholders of the company
4.13. Company Official : Member of the company's board of directors and other authorized natural persons
4.14. Third Party: Third party real persons (eg Family Members and relatives) who are related to these persons in order to ensure the security of commercial transactions between the Company and the above-mentioned parties or to protect the rights of the aforementioned persons and to obtain benefits
4.15. Data Processor: It is the natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, the firm or companies that hold the Company's data, etc.
4.16. Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (data recording system), provides the necessary information to the data owner about his personal information as a result of the request / application of the data owner, and makes the referrals.
4.17. Visitor: Real persons who have entered the physical premises of the company for various purposes or visited our websites.

5. Abbreviations

5.1. KVKK: Law No. 6698, Law No. 6698 on the Protection of Personal Data, dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677.
5.2. Constitution: Published in the Official Gazette dated 9 November 1982 and numbered 17863; The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709.
5.3. KVK Board: Personal Data Protection Board
5.4. KVK Authority: Personal Data Protection Authority
5.5. Policy: Company's Personal Data Protection and Processing Policy
5.6. TBK: Published in the Official Gazette dated February 4, 2011 and numbered 27836; Turkish Code of Obligations dated 11 January 2011 and numbered 6098.
5.7. TCK: Published in the Official Gazette dated 12 October 2004 and numbered 25611; Turkish Penal Code dated 26 September 2004 and numbered 5237.
5.8. TCC: Turkish Commercial Code No. 6102, dated January 13, 2011, published in the Official Gazette dated February 14, 2011 and numbered 27846

6. Data Categories

The company may save, process or transfer data for the following categories of data.
6.1. Identity- (such as name, surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR identity number) 6.2. Contact- (such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number)

6.3. Location- (location information of the location)

6.4. Personnel- (such as payroll information, disciplinary investigation, entry-exit document records, property declaration information, CV information, performance evaluation reports)

6.5. Legal Action- (such as information in correspondence with judicial authorities, information in the case file)

6.6. Customer Transaction- (call center records, invoice, promissory note, check information, information in box office receipts, order information, request information)

6.7. Physical Space Security- (such as entry and exit registration information of employees and visitors, camera recordings)

6.8. Transaction Security- (such as IP address information, website login and exit information, password and password information)

6.9. Risk Management - (such as information processed for the management of commercial, technical, administrative risks)

6.10. Finance- (such as balance sheet information, financial performance information, credit and risk information, asset information)

6.11. Professional Experience- (such as diploma information, courses attended, in-service training information, certificates, transcript information)

6.12. Marketing- (shopping history information, survey, cookie records, information obtained through campaign work)

6.13. Audio-Visual Records- (such as audio-visual recordings)

6.14. Race and Ethnicity- (such as race and ethnicity information)

6.15. Political Opinion Information - (information indicating political opinion, political party membership information)

6.16. Philosophical Belief, Religion, Sect and Other Beliefs- (information on religious affiliation, information on philosophical belief, information on sectarian affiliation, information on other beliefs, etc.)

6.17. Dress and Dress- (information on costume and clothing)

6.18. Association Membership - (such as association membership information)

6.19. Foundation Membership- (such as foundation membership information)

6.20. Union Membership - (such as union membership information)

6.21. Health Information- (such as disability information, blood group information, personal health information, device used and prosthesis information)

6.22. Sexual Life- (such as information on sexual life)

6.23. Criminal Conviction and Security Measures- (such as information on criminal convictions, information on security measures)

6.24. Biometric Data - (palm information, fingerprint information, retina scan information, facial recognition information, etc.)

6.25. Genetic Data- (like genetic data) 

7. Personal Data Processing Purposes

The company may save, process or transfer personal data for the following purposes.
7.1. Execution of Emergency Management Processes
7.2. Execution of Information Security Processes
7.3. Execution of Employee Candidate / Intern / Student Selection and Placement Process
7.4. Execution of Application Processes of Employee Candidates
7.5. Execution of Employee Satisfaction and Loyalty Processes
7.6. Fulfilling Employee Contract and Legislation Obligations
7.7. Execution of Benefits and Benefits Processes for Employees
7.8. Conducting Audit / Ethical Activities
7.9. Conducting Training Activities
7.10. Execution of Access Authorizations
7.11. Execution of Activities in Compliance with the Legislation
7.12 . Execution of Finance and Accounting Affairs
7.13. Execution of Company / Product / Service Loyalty Processes
7.14. Providing Physical Space Security
7.15. Execution of Assignment Processes
7.16. Follow-up and Execution of Legal Affairs
7.17. Carrying out Internal Audit / Investigation / Intelligence Activities
7.18. Execution of Communication Activities
7.19. Planning Human Resources Processes
7.20. Execution / Supervision of Business Activities
7.21. Execution of Occupational Health / Safety Activities
7.22. Receiving and Evaluating Suggestions for the Improvement of Business Processes
7.23. Execution of Business Continuity Activities
7.24. Execution of Logistics Activities
7.25. Execution of Goods / Services Procurement Process
7.26. Execution of Goods / Services After-Sales Support Services
7.27. Execution of Goods / Service Sales Processes
7.28. Execution of Goods / Services Production and Operation Processes
7.29. Execution of Customer Relationship Management Processes
7.30. Execution of Activities for Customer Satisfaction
7.31. Organization and Event Management
7.32. Conducting Marketing Analysis Studies
7.33. Execution of Performance Evaluation Processes
7.34. Execution of Advertising / Campaign / Promotion Processes
7.35. Execution of Risk Management Processes
7.36. Execution of Storage and Archive Activities
7.37. Conducting Social Responsibility and Civil Society Activities
7.38. Execution of Contract Processes
7.39. Execution of Sponsorship Activities
7.40. Execution of Strategic Planning Activities
7.41. Follow-up of Requests / Complaints
7.42. Ensuring the Security of Movable Property and Resources
7.43. Execution of Supply Chain Management Processes
7.44. Execution of Remuneration Policy
7.45. Execution of Marketing Processes of Products / Services
7.46. Ensuring the Security of Data Controller Operations
7.47. Foreign Personnel Work and Residence Permit Procedures
7.48. Execution of Investment Processes
7.49. Execution of Talent / Career Development Activities
7.50. Providing Information to Authorized Persons, Institutions and Organizations
7.51. Execution of Management Activities
7.52. Creating and Tracking Visitor Records

8. Personal Data Transfer Recipient Groups

The Company may transfer personal data to the following Personal Data Transfer Recipient groups;
8.1. Real Persons and Private Law Legal Entities
8.2. Public
8.3. Shareholders
8.4. Business Partner
8.5. Affiliates and Subsidiaries
8.6. Supplier
8.7. Community Company
8.8. Authorized Public Institutions and Organizations

9. Persons Subject to Personal Data

The company may save, process or transfer personal data according to the following types of persons;
9.1. Employee Candidate
9.2. Employee
9.3. Subject
9.4. Person Subject to the News
9.5. Shareholder/Partner
9.6. Potential Product and Service Buyer
9.7. Exam Candidates
9.8. Intern
9.9. Supplier Employee
9.10. Supplier Representative
9.11. Person Receiving Product or Service
9.12. Parent/Guardian/Representative
9.13. Visitor

10. Personal Data Retention Periods

In the event that all the conditions for processing personal data are eliminated, the personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the person concerned.

11. Deletion, Destruction or Anonymization of Personal Data

11.1. Despite the fact that personal data has been processed in accordance with the law, in the event that the reasons for its processing disappear, these data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
11.2. The data controller deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises

12. Transfer of Personal Data

Personal data obtained for processing within the framework of the general principles specified in the law may be transferred to third parties by obtaining the explicit consent of the person concerned.
12.1. Domestic transfer: Details regarding the domestic transfer of personal data and personal data of a special nature are
regulated in the Personal Data Transfer procedure.
12.2. Transfer abroad: Personal data can be transferred to countries where adequate protection exists, provided that the explicit consent of the relevant person exists, in case of the existence of the conditions specified in the Law. Data transfer to countries where there is no adequate protection can be carried out in the presence of the conditions specified in the Law, in addition to the express consent, in addition to the written commitment of adequate protection and the permission of the Board.

13. General (Basic) Principles in the Processing of Personal Data

Personal data will be processed in accordance with the following basic principles as detailed in the personal data processing procedure.
13.1. Compliance with the law and the rules of honesty,
13.2. Being accurate and up-to-date when necessary,
13.3. Processing for specific, explicit and legitimate purposes,
13.4. Being connected, limited and restrained with the purpose for which they are processed,
13.5. To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

14. Explicit Consent

It is the consent of a particular subject, based on information and expressed with free will. Explicit consent must be related to a specific subject, consent must be based on information and must be disclosed with free will.

15. Clarification obligation:

During the acquisition of personal data, the relevant persons are informed by the company. As detailed in the Clarification Text, this information
includes at least the following subjects.
15.1. Identity of the data controller and its representative, if any,
15.2. The purpose for which personal data will be processed,
15.3. To whom and for what purpose personal data may be transferred,
15.4. Method and legal reason for collecting personal data,
15.5. Other rights of the person concerned as listed in Article 11 of the Law.

16. Methods of claiming rights of the person concerned

Relevant persons, by applying to the Company; To learn whether the personal data concerning them are processed, to request them if they have been processed, to correct them if the content of the data is incomplete or incorrect, to delete and destroy them if it is unlawful, to notify the third parties to whom the data has been disclosed, and to inform the third parties of the actions to be taken accordingly, and to pay for the damages due to the illegal processing of the data. have the right to demand removal. The person concerned can first use their right of application and complaint by notifying the company of these requests.
16.1. Application: It is obligatory for the persons concerned to apply to the data controller in order to exercise their rights. A complaint cannot be made to the Board before this remedy is exhausted.
16.2. Complaint: In order for the person concerned to apply for a complaint, the application to the Company must be rejected, the response given is insufficient, or the application must not have been answered within 30 days. It is not possible for the persons concerned to directly complain to the Board without applying to the Company.

17. Obligation to Fulfill Board Decisions

If the Board determines the existence of a violation as a result of the investigation to be carried out on matters falling within its scope of duty, upon a complaint or ex officio if it learns about the alleged violation, it decides that the unlawful violations will be eliminated by the Company and notifies the relevant parties of the decision. The company fulfills this decision without delay and within thirty days at the latest from the date of notification.

18. Data Controllers Registry (VERBIS) registration obligation

The Company registers and updates the registration system, where data controllers have to register and declare information about data processing activities, as specified in the Data Controllers Registry (VERBIS) registration procedure.

19. Personal Data Violation

In case the processed personal data is obtained by others through illegal means, the Company notifies the person concerned and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

20. Personal Data Security Measures

The Company takes the following technical and administrative measures in accordance with the structure of the Company in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
20.1. Network security and application security are provided.
20.2. A closed system network is used for personal data transfers via the network.
20.3. Key management is implemented.
20.4. Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
20.5. There are disciplinary regulations that include data security provisions for employees.
20.6. Training and awareness activities are carried out periodically for employees on data security.
20.7. An authorization matrix has been created for employees.
20.8. Access logs are kept regularly.
20.9. Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
20.10. Data masking is applied when necessary.
20.11. Confidentiality commitments are made.
20.12. The authorizations of employees who have a change of job or quit their job in this field are removed.
20.13. Current anti-virus systems are used.
20.14. Firewalls are used.
20.15. The signed contracts contain data security provisions.
20.16. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
20.17. Personal data security policies and procedures have been determined.
20.18. Personal data security issues are reported quickly.
20.19. Personal data security is monitored.
20.20. Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
20.21. Physical environments containing personal data are secured against external risks (fire, flood, etc.).
20.22. The security of environments containing personal data is ensured.
20.23. Personal data is reduced as much as possible.
20.24. Personal data is backed up and the security of the backed up personal data is also ensured.
20.25. User account management and authorization control system are implemented and these are also followed.
20.26. In-house periodic and/or random audits are conducted and made.
20.27. Log records are kept without user intervention.
20.28. Existing risks and threats have been identified.
20.29. Protocols and procedures for special quality personal data security have been determined and implemented.
20.30. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
20.31. Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
20.32. Intrusion detection and prevention systems are used.
20.33. Penetration test is applied.
20.34. Cyber ​​security measures have been taken and their implementation is constantly monitored.
20.35. Encryption is done.
20.36. Data processing service providers are periodically audited on data security.
20.37. Awareness of data processing service providers on data security is ensured.

20.38. Data loss prevention software is used.