PERSONAL DATA PROTECTION AND PROCESSING POLICY

Contents

Contents

1.PURPOSE AND SCOPE

2. AIM

3. DEFINITIONS AND ABBREVIATIONS

4. RESPONSIBILITIES
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

5.1-GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

5.1.1. Engaging in Personal Data Processing Activities in Compliance with Law and Honesty

5.1.2. Ensuring Personal Data is Accurate and Up to Date When Necessary

5.1.3. Processing for Specific, Clear and Legitimate Purposes

5.1.4. Being Related to the Purpose for Processing, Limited and Proportionate

5.1.5. Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

5.2. Conditions for Processing Personal Data

5.3-Processing of Special Personal Data

5.4-TRANSFER OF PERSONAL DATA

5.4.1-TRANSFER OF PERSONAL DATA TO PERSONS DOMESTIC

5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD

5.5-COMPANY’S OBLIGATION TO DISCLOSE

5.6-RIGHTS OF THE RELATED PERSON

5.7-PRECAUTIONS TAKEN FOR DATA SECURITY

5.7.1. Administrative Measures

5.7.2. Technical Measures

6- IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

7- ENFORCEMENT AND UPDATE OF THE POLICY

1.PURPOSE AND SCOPE

Prof. Dr. Celal Çandırlı Personal Data Processing and Protection Policy sets out the principles to be adopted by the Company and taken into account in practice regarding the protection and processing of personal data. 

The Policy aims to determine the framework and ensure coordination of the compliance activities to be carried out specifically for the relevant Company in order to comply with the Personal Data Protection (“KVK”) Law No. 6698 regarding the protection and processing of personal data as a Company. In this context, the aim is to continue to carry out its activities in accordance with the principles of legality, honesty and transparency adopted by the Company since its establishment.

GOAL 2

The Company’s KVK Policy aims to establish the necessary systems and ensure compliance with the legislation in line with the aim of raising awareness about the legal processing and protection of personal data within the Company. 

In this context, the Company’s KVK Policy aims to provide guidance in terms of the implementation of the regulations set forth by the KVK Law and relevant legislation. 

3. DEFINITIONS AND ABBREVIATIONS

Important definitions used in the Company KVK Policy are listed below:

4. RESPONSIBILITIES

All our employees, stakeholders, guests, visitors and relevant third parties throughout the Company are obliged to cooperate in the operation, activities, processes and implementation of the Company KVK Policy throughout the Company, and in preventing legal risks and imminent danger. All organs and departments of the Company are responsible for ensuring compliance with the Company KVK Policy.

5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

5.1-GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

One of the most important issues for the company is to comply with the general principles stipulated in the legislation in the processing of personal data. In this context, the Company must act in accordance with the principles listed below in the processing of personal data in accordance with the Constitution and the Personal Data Protection Law. 

5.1.1. Engaging in Personal Data Processing Activities in Compliance with Law and Honesty

The Company, in accordance with Article 4 of the KVK Law, regarding the processing of personal data; In accordance with the law and the rules of honesty; accurate and up to date when necessary; Pursuing specific, clear and legitimate purposes; Personal data processing must be carried out in a limited and measured manner in connection with the purpose. 

In this context, the Company takes into account the proportionality requirements in the processing of personal data and should not use personal data other than the purposes required. 

5.1.2. Ensuring Personal Data is Accurate and Up to Date When Necessary

The Company must ensure that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of the Relevant Person and its own legitimate interests; In this regard, it should take the necessary measures and establish systems to ensure these. 

5.1.3. Processing for Specific, Clear and Legitimate Purposes

The company must process personal data for legitimate and legal reasons and in connection with the activities it carries out and to the extent necessary. The purpose for which personal data will be processed by the company must be determined before the personal data processing activity begins. 

5.1.4. Being Related to the Purpose for Processing, Limited and Proportionate

The company processes personal data in a way that is suitable for achieving the specified purposes and should avoid processing personal data that is not relevant or needed to achieve the purpose. 

For example, personal data processing should not be carried out to meet needs that may arise later.

5.1.5. Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

The Company complies with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law; It must retain the personal data it processes only for the period stipulated in the relevant legislation and laws or as required by the purpose of processing personal data. 

In this context, the Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the Relevant Person’s application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

Details are stated in the Personal Data Storage and Destruction Policy.

5.2. Conditions for Processing Personal Data

The processing conditions of personal data are regulated by KVKK, and personal data is processed by the Company according to the conditions stated below.

One of the conditions for processing personal data is the express consent of the Relevant Person. Except for the exceptions listed in the law, the Company processes personal data only by obtaining the express consent of the Relevant Person. The explicit consent of the Relevant Person must be expressed on a specific subject, based on informed consent and with free will. In case of the existence of the situations listed in the Law, personal data may be processed even without the express consent of the Relevant Person.

In case the following personal data processing conditions are met, personal data may be processed without the need for the Relevant Person’s explicit consent. 

I. Clearly Provided in Laws 

If the personal data of the Relevant Person is clearly foreseen by the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it can be said that this data processing condition exists.

ii. Failure to Obtain Explicit Consent of the Person Relevant Due to Actual Impossibility 

If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect his/her life or physical integrity or that of another person, the personal data of the Relevant Person may be processed.

iii. Directly Related to the Establishment or Performance of the Contract 

This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or execution of a contract to which the Relevant Person is a party. 

IV. Fulfillment of the Legal Obligations of the Data Controller 

If processing is mandatory for the Company to fulfill its legal obligations, the personal data of the Relevant Person may be processed. 

V. Publicization of the Personal Data of the Personal Data Subject 

If the Relevant Person has made his personal data public, the relevant personal data may be processed on a limited basis for the purpose of publicization. 

VI. Data Processing Is Necessary for the Establishment or Protection of a Right 

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the Relevant Person may be processed. 

VII. Data Processing is Necessary for the Legitimate Interest of the Data Controller 

Personal data of the Relevant Person may be processed if it is necessary to process data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Personal Relevant Person. 

5.3-Processing of Special Personal Data

The Company shows special sensitivity in the processing of special personal data, the protection of which is believed to be of more critical importance for the Relevant Person in various aspects. In this context, such data is not processed without the express consent of the Relevant Person, provided that adequate measures are taken as determined by the Board. However, special personal data, other than data related to health and sexual life, may be processed without the express consent of the Relevant Person in cases stipulated by law. However, data regarding health and sexual life can be processed without explicit consent, provided that adequate precautions are taken and in the presence of the reasons listed below.

                  .Protection of public health,

                  .Preventive Medicine ,

                  .Medical Diagnosis,

                  .Execution of treatment and care services,

                  .Planning and management of health services and financing.

5.4-TRANSFER OF PERSONAL DATA

Our company may transfer the Relevant Person’s personal data and sensitive personal data to third parties (public and private authorities, third real parties) by taking the necessary security measures in line with the legal personal data processing purposes. In this regard, the company complies with the regulations stipulated in Article 8 of the Law. 

is moving. In case there are groups of people with whom personal data is/might be shared, the relevant person is informed via a clarification text.

5.4.1-TRANSFER OF PERSONAL DATA TO PERSONS DOMESTIC

The Company carefully complies with the conditions set out in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data is not transferred by the Company to third parties without the express consent of the Relevant Person. However, personal data may be transferred by the Company without the express consent of the Relevant Person if one of the following conditions regulated by KVKK is met:

• It is clearly stipulated in the law, 
• It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity, 
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, 
• It is mandatory for the data controller to fulfill its legal obligation, 
• It has been made public by the Relevant Person himself, 
• Data processing is mandatory for the establishment, exercise or protection of a right, 
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Relevant Person.

Provided that adequate precautions are taken; It is stipulated by law in terms of special categories of personal data other than health and sexual life, and in terms of special categories of personal data related to health and sexual life, 

• Protection of public health, 
• Preventive medicine, 
• medical diagnosis, 
• Carrying out treatment and care services, 
• Your personal data may be transferred without explicit consent for purposes such as planning and management of health services and financing. 

In the transfer of special personal data, the conditions specified in the processing conditions of this data are complied with.

5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD

Regarding the transfer of personal data abroad, the express consent of the Relevant Person is required in accordance with Article 9 of the KVKK. However, if there are conditions that allow the processing of personal data, including special categories of personal data, without the express consent of the Relevant Person, there must be adequate protection in the foreign country to which the personal data will be transferred. 

Personal data may be transferred abroad by the Company without the express consent of the Relevant Person. If the country to be transferred is not determined by the Board among the countries with adequate protection,

The company and the data controller/data processor in the relevant country will undertake adequate protection in writing. 

In case there are groups of people with whom personal data is/might be shared, the relevant person is informed via a clarification text.

5.5-COMPANY’S OBLIGATION TO DISCLOSE

Within the scope of Article 10 of the KVKK and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Notify, the Relevant Person must be informed before personal data is obtained or at the time of obtaining it at the latest. The information that must be conveyed to the Relevant Person within the framework of the said disclosure obligation is as follows:

Identity of the data controller and his representative, if any,

For what purpose personal data will be processed,

To whom and for what purpose the processed personal data can be transferred,

Method and legal reason for collecting personal data,

Other rights listed in Article 11 of KVKK.        

In order to fulfill its disclosure obligation, the Company has prepared disclosure statements on the basis of the process and persons whose data are processed, to be presented to the Relevant Person within the scope of the above-mentioned KVK provision. 

On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Company has no obligation to inform in the cases listed.

• Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with, 
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics, 
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime, 
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security, 
• Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings. 

However, Article 28(2) of the KVKK. In accordance with the article, the Company’s obligation to inform will not be applicable in the following cases: 

• Processing personal data is necessary for the prevention of crime or criminal investigation, 
• Processing of personal data made public by the Relevant Person himself, 
• Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law, 

• Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters. 

5.6-RIGHTS OF THE RELATED PERSON

Regarding the personal data processed by the Company in accordance with the principles set out in this Policy, necessary precautions have been taken to ensure that the Relevant Person exercises the rights granted in Article 11 of the KVKK. The rights in question are: 

1. a) Learning whether personal data is processed or not, 
2. b) Requesting information if personal data has been processed, 
3. c) Learning the purpose of processing personal data and whether they are used for their intended purpose, 
4. d) Knowing the third parties to whom personal data is transferred domestically or abroad, 
5. e) Requesting correction of personal data if they are incomplete or incorrectly processed, 
6. f) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law, 
7. g) To request that the transactions carried out in accordance with articles (e) and (f) above be notified to third parties to whom personal data has been transferred, 
8. h) Object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems, 
9. i) Request compensation for the damage in case of damage due to illegal processing of personal data. 

Depending on the nature of the request, the Company will finalize the request free of charge as soon as possible and within thirty (30) days at the latest. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be collected by the Company from the relevant parties. In addition, during the process of finalizing the Relevant Person’s requests, the Company may request additional information or documents from the applicants.

On the other hand, within the framework of Article 28 Paragraph 1 of KVKK, the Relevant Person cannot use the above rights listed in Article 11 of KVKK in the following cases:

• Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with, 
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics, 
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime, 
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security, 
• Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings. 

However, within the framework of the second paragraph of Article 28 of the KVKK, the above rights listed in Article 11 of the KVKK, excluding the right to compensation for damage, will not be applicable in the following cases:

• Processing personal data is necessary for the prevention of crime or criminal investigation, 
• Processing of personal data made public by the Relevant Person himself, 

• Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law, 
• Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters. 

5.7-PRECAUTIONS TAKEN FOR DATA SECURITY

Being aware of the importance of ensuring security in every aspect within the company, the Company, in accordance with Article 12 of the KVK Law, aims to ensure the appropriate level of security to prevent the personal data it processes from being processed unlawfully, to prevent the data from being accessed unlawfully, and to ensure the preservation of data. It must take the necessary technical and administrative measures and carry out the necessary inspections in this context.

The company must take the necessary technical and administrative measures, within technological possibilities, to ensure that personal data is processed in accordance with the law.

5.7.1. Administrative Measures

• The company carries out the necessary inspections and has them carried out in its own institution or organization in order to ensure the implementation of the provisions of the Law. 
• If the processed personal data is obtained by others through illegal means, the Company notifies the relevant person and the Board as soon as possible. 
• Regarding the sharing of personal data, the Company signs framework agreements with the persons with whom personal data is shared or ensures data security by adding provisions to the agreements. 
• The company employs personnel who are knowledgeable and experienced about the processing of personal data and provides its personnel with necessary training on the protection of personal data. 

5.7.2. Technical Measures

• The company employs knowledgeable and experienced people to ensure data security and provides its personnel with necessary training on the protection of personal data. 
• It carries out the necessary internal controls within the scope of the established systems. 
• It carries out the processes of risk analysis, data classification, IT risk assessment and business impact analysis within the scope of the established systems. 
• It ensures the provision of technical infrastructure and the creation of relevant matrices to prevent and/or monitor the leakage of personal data outside the institution. 
• It ensures that employees’ access to personal data in information technology companies is kept under control. 

6- IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the legislation in force and the Policy, the Company accepts that the applicable legislation will apply. 

The policy embodies and regulates the rules set forth by the relevant legislation within the scope of Company practices.

7. ENFORCEMENT AND UPDATE OF THE POLICY 

The Policy is deemed to have entered into force upon its publication on the Company’s website. The policy is reviewed as needed and necessary sections are updated.