Personal Data Protection Policy

Home Page
Personal Data Protection Policy

1. Introduction

The protection of personal data is of great sensitivity for and among the priority areas of our company. Managed under this policy, the most important pillar of this concept is the protection of the personal data of our employee candidates, company shareholders, company officials, and visitors, as well as employees, shareholders, and officials of the institutions we cooperate with, and third parties. The activities carried out to protect the personal data of our employees are carried out in parallel with the principles herein.

As per the Constitution of the Republic of Türkiye, everyone has the right to request the protection of personal data concerning him/her. With regard to the protection of personal data, which is a constitutional right and managed under this policy, our company pays due attention to the protection of personal data of employee candidates, company shareholders, company officials, customers, and visitors as well as employees, shareholders, and officials of the institutions we cooperate with, and third parties and considers this issue a company policy.

In this context, necessary administrative and technical measures are taken by our company for the protection of personal data processed as per the applicable legislation.

In this policy, detailed explanations will be made regarding the basic principles adopted by our company in the processing of personal data, which are listed below:

  • Processing personal data in line with the law and good faith,
  • Keeping personal data accurate and up to date when necessary,
  • Processing personal data for specific, explicit, and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, in a limited and suitable manner,
  • Storing personal data for the period stipulated in the applicable legislation or required for the purpose for which they are processed,
  • Informing and enlightening personal data owners,
  • Establishing the necessary system for personal data owners to exercise their rights,
  • Taking necessary measures for the protection of personal data,
  • Acting in line with the applicable legislation and the regulations of the PDP (KVK - Kişisel Veri Koruma) Board in transferring personal data to third parties in line with the requirements of the purpose of processing,
  • Showing the necessary sensitivity to the processing and protection of sensitive personal data.

1.1. Purpose of Policy

The main purpose of this policy is to make explanations about the personal data processing activities carried out by our company as per the law and the systems adopted for the protection of personal data and to ensure transparency by informing the persons whose personal data are processed by our company, especially our employee candidates, company shareholders, company officials, and visitors as well as employees, shareholders, and officials of the institutions we cooperate with, and third parties.

1.2. Scope

This policy is related to all personal data of our employee candidates, company shareholders, company officials, and visitors as well as employees, shareholders, and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

The scope of application of this policy regarding the groups of personal data owners in the above-mentioned categories may be the entire policy (for example, our employee candidates who are also our visitors) or only some of its provisions (for example, only our visitors).

1.3. Implementation of the Policy and Applicable Legislation

The applicable legal regulations in force with regard to the processing and protection of personal data will take precedence. In case of incompatibility between the legislation in force and the policy, our company accepts that the legislation in force will be applicable.

The policy is formed by concretizing and organizing the rules set forth by the applicable legislation within the scope of our company's practices. Our company maintains the necessary system and preparations with the purpose of acting in line with the effective periods stipulated in the PDP law.

1.4. Enforceability of Policy

Issued by our company and entered into force on September 10th, 2020, our policy is published on our website and made available to the relevant persons upon the request of personal data owners.

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

  • Technical and Administrative Measures Taken for Lawful Processing of Personal Data

With the purpose of ensuring that personal data is processed in line with the law, technical and administrative measures are taken depending on technological possibilities and implementation costs. The main measures taken are listed below:

Technical Measures Taken to Ensure Lawful Processing of Personal Data:

  • Personal data processing activities carried out within our company are audited within the framework of internationally recognized standards through the technical systems established.
  • The technical measures taken are periodically reported to the relevant person as required by the internal supervision mechanism.
  • Personnel knowledgeable in technical issues are employed.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data:

  • Employees are informed and trained on the law on the protection of personal data and the processing of personal data in line with the law.
  • All activities carried out by our company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are set forth for the commercial activities carried out by the relevant business units.
  • The personal data processing activities carried out by the business units of our company and the requirements to be fulfilled in order to ensure that these activities comply with the personal data processing standards required by the PDP Law are determined specifically for each business unit and the detailed activity it carries out.
  • With the purpose of ensuring the legal compliance requirements determined on a business unit basis, awareness is raised and implementation rules are determined for the relevant business units, and the necessary administrative measures are implemented through internal policies and training to ensure the supervision of these issues and the continuity of the implementation.
  • In the contracts and documents governing the legal relationship between our company and the employees, records that impose the obligation not to process, disclose and use personal data, except for the instructions of our company and the exceptions imposed by law, are included and the awareness of the employees is raised and audits are carried out.
  • Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

Technical and administrative measures are taken according to the nature of the data to be protected, technological possibilities, and the cost of implementation in order to prevent accidental or unauthorized disclosure, access, transfer, or any other unlawful access to personal data. The main measures taken are listed below:

Technical Measures Taken to Prevent Unlawful Access to Personal Data:

  • Technical measures are taken in line with the developments in technology, and the measures taken are periodically updated and renewed.
  • Access and authorization-based technical solutions are put into use in line with the legal compliance requirements determined on a business unit basis.
  • Access authorizations are limited and authorizations are regularly reviewed.
  • The technical measures taken are periodically reported to the relevant person as required by the internal supervision mechanism, and the issues that pose a risk are re-evaluated and necessary technological solutions are produced.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Personnel knowledgeable in technical issues are employed.
  • Security scans are regularly performed to identify security vulnerabilities in applications where personal data is collected. It is ensured that the gaps found are closed.

Administrative Measures Taken to Prevent Unlawful Access to Personal Data:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  • Personal data access and authorization processes are designed and implemented within the company in accordance with the legal compliance requirements for processing personal data on a business unit basis.
  • Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the PDP Law and cannot use it for purposes other than processing and that this obligation will continue after they leave their duties, and necessary commitments are obtained from them in this direction.
  • In the contracts concluded with the persons to whom personal data are transferred by our company in line with the law, provisions are added that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
  • Storage of Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures according to technological possibilities and implementation costs in order to store personal data in secure environments and to prevent the destruction, loss, or alteration of personal data for unlawful purposes.

The main measures taken are listed below:

Technical Measures Taken for Storage of Personal Data in Secure Environments:

  • Systems up-to-date in terms of technological developments are used for the purpose of storing personal data in secure environments.
  • Personnel specialized in technical issues are employed.
  • Technical security systems are installed for storage areas, the technical measures taken are periodically reported to the relevant person as required by the internal supervision mechanism, the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
  • Backup programs are used in line with the law to ensure that personal data is stored in a secure manner.
  • Access to data storage areas containing personal data is logged and inappropriate access or access attempts are instantly communicated to the relevant persons.

Administrative Measures Taken for Storage of Personal Data in Secure Environments:

  • Employees are trained in terms of ensuring that personal data are stored in a secure manner.
  • In case of outsourcing by our company for the storage of personal data due to technical requirements, the provisions to ensure that the persons to whom the personal data will be transferred will take the necessary security measures and the people under the relevant organization will be made to comply with such measures are added to the contracts established with the relevant companies for the lawful transfer of the personal data.
  • Supervision of the Measures Taken for the Protection of Personal Data

As per Article 12 of the PDP Law, our company internally performs or outsources the necessary audits. The results of such audits are reported to the relevant department designated for internal functioning under our company and the activities required for the improvement of the measures taken are carried out.

  • Measures to be Taken In the Case of Unauthorized Disclosure of the Personal Data

In the event of acquisition of the personal data processed in line with Article 12 of the PDP Law by third parties through unlawful means, our company maintains a system which ensures that such an issue is notified to the personal data owner and the PDP Board as soon as possible. In case required by the PDP Board, such an issue may be announced on the website of the PDP Board or by other means.

2.2. Overseeing the Rights of Data Owners (Establishment of Channels for Conveying Requests and Evaluation of Such Requests)

Our company maintains the necessary channels, internal mechanisms, and administrative and technical regulations as per Article 13 of the PDP Law with the purpose of evaluating the rights of the personal data owners and the performance of the necessary notification to the personal data owner.

In the event that the personal data owners notify their requests regarding their rights given below to our company, the authorized people of our company finalize such requests in thirty days at the latest depending on the nature of the request free of charge, however, in case of a definition of a fee by the PDP Board, our company will charge the fee determined by the PDP Board to the data owner. 

The rights of the personal data owners are as follows:

  • Finding out whether their personal data are processed or not,
  • If their personal data are processed, demanding information in this regard,
  • Finding out the purpose of the processing of their personal data and whether they are used in line with such purpose,
  • Finding out the third parties inland or abroad to whom personal data are transferred,
  • Requesting correction of personal data in case of incomplete or incorrect processing and demanding notification of the processes performed within this scope to third parties to whom personal data is transferred,
  • Even though it has been processed as per the provisions of the PDP Law and other applicable laws, requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and demanding notification of the processes performed within this scope to third parties to whom personal data is transferred,
  • Objecting to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • In case of damage due to unlawful processing of personal data, demanding compensation for the damage.

Further information on the rights of data owners is provided in Chapter 10 hereof.

2.3. Protection of Sensitive Personal Data

The PDP Law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Our company acts in a sensitive manner towards the protection of sensitive personal data, which is determined as "sensitive" by the PDP Law and processed in line with the law. In this context, the technical and administrative measures taken by our company for the protection of personal data are carefully implemented in terms of sensitive personal data, and necessary audits are provided within our company.

Detailed information on the processing of sensitive personal data is provided in Chapter 3 hereof.

2.4. Awareness Raising and Supervision of Business Units on Protection and Processing of Personal Data

Our company ensures that necessary training is organized for business units with the purpose of raising awareness to prevent unlawful processing of personal data, unlawful access to data and ensuring the protection of data.

Necessary systems are established to ensure that the current employees of the business units of our company and the employees who have recently joined the business unit are aware of the protection of personal data, and if necessary, people specialized in the subject are hired.

The results of the training conducted to raise the awareness of our company's business units on the protection and processing of personal data are reported to our company's Human Resources unit. In this regard, senior management evaluates the participation in relevant training, seminars, and information sessions and conducts the necessary audits. Our company updates and renews the training it offers in parallel with the updating of the applicable legislation.

2.5. Awareness Raising and Supervision of Business Partners and Suppliers on Protection and Processing of Personal Data

Our company ensures that training and seminars are organized for its business partners and suppliers in order to raise awareness on preventing unlawful processing of personal data, preventing unlawful access to data and ensuring the protection of data.

The training conducted for our company's business partners and suppliers are repeated periodically, the necessary systems are established to ensure that the current employees of the business partners and suppliers and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional people are hired.

The results of the training conducted to increase the awareness of our company's business partners and suppliers on the protection and processing of personal data are reported to our company's Human Resources unit. In this regard, senior management evaluates the participation in relevant training, seminars, and information sessions and conducts the necessary audits. Our company updates and renews the training it offers in parallel with the updating of the applicable legislation.

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

  • Processing of Personal Data in line with the Principles Stipulated in the Legislation
    • Processing in line with the Law and Integrity

Our company acts in line with the principles introduced by legal regulations and the general rule of trust and integrity in the course of processing of personal data. In this context, our company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required by the purpose.

  • Ensuring the Accuracy of Personal Data and Updating When Required

Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. We take necessary measures in this regard. For example, our company has established a system for personal data owners to correct their personal data and confirm its accuracy.

Further information on this issue is provided in Chapter 10 hereof.

  • Processing for Specific, Explicit, and Legitimate Purposes

Our company clearly and precisely determines that the purpose of processing personal data is legitimate and lawful. Our company processes as much as is necessary in connection with and necessary for the commercial activity it carries out. The purpose for which personal data will be processed by our company is determined before the personal data processing activity begins.

  • Relevance with Purpose, Limitation and Proportion

Our company processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.

  • Preservation for the Period Stipulated in the Applicable Legislation or Required for the Purpose for which they are Processed

Our company stores personal data only for the period specified in the applicable legislation or for the period required for the purpose for which they are processed. In this context, our company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if no period is determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed, or anonymized by our company in the event that the period expires or the reasons requiring their processing disappear. Personal data is not stored by our company with the possibility of future use.

Further information on this issue is provided in Chapter 9 hereof.

  • Processing Personal Data Based on and Limited to the Personal Data Processing Conditions Stipulated in Article 5 of the PDP Law

Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons set out in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the individual. In this direction and as per the Constitution, our company processes personal data only in cases stipulated by law or with the explicit consent of the person.

Further information on this issue is provided in Chapter 7 hereof.

  • Processing of Data Processed by Group Companies by Our Company

Our company may also process personal data processed by group companies in order to carry out the activities of group companies in line with the principles, objectives, and strategies of our company and to protect the rights and interests and reputation of group companies. In the event that the personal data sharing between the group companies and our company takes place within the scope of personal data transfer from the data controller to the data controller within the scope of the PDP Law, the relevant group company informs the person that their personal data may be sent to our company at the stage of collecting the personal data of the person concerned.

  • Enlightening and Informing the Personal Data Owner

In line with Article 10 of the PDP Law, our company informs Personal Data Owners during the acquisition of personal data. In this context, our company informs about the identity of the representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.

Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning him or her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the PDP Law. In this context, our company provides the necessary information in case the Personal Data Owner requests information as per Article 20 of the Constitution and Article 11 of the PDP Law.

Further information on these issues is provided in Chapter 10 hereof.

  • Processing of Sensitive Personal Data

Our company strictly complies with the regulations stipulated in the PDP Law in the course of the processing of personal data determined as "sensitive" by the PDP Law. In Article 6 of the PDP Law, certain personal data posing the risk of causing victimization or discrimination when processed unlawfully are determined as "sensitive". These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

As per the PDP Law, sensitive personal data are processed by our company in the following cases, provided that adequate measures to be determined by the PDP Board are taken:

  • If the personal data owner has explicit consent or
  • If the personal data owner does not have explicit consent;
    • Sensitive personal data other than the health and sexual life of the personal data owner;

in cases stipulated by law,

  • Sensitive personal data relating to the health and sexual life of the personal data owner

may only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing.

  • Transfer of Personal Data

Our company may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with lawful personal data processing purposes (See Chapter 2/Title 2.1)

(See Chapter 6). In this respect, our company acts in line with the regulations stipulated in Article 8 of the PDP Law.

Further information on this issue is provided in Chapter 6 hereof.

  • Transfer of Personal Data

In line with legitimate and lawful personal data processing purposes, our company may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDP Law listed below:

  • If there is explicit consent from the personal data owner,
  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid;
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the company to fulfill its legal obligation,
  • If the personal data has been made public by the personal data owner,
  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
  • If personal data transfer is mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
  • Transfer of Sensitive Personal Data

Our company may transfer the sensitive personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes by paying the necessary attention, taking the necessary security measures (See Chapter 2/Title 2.1) and taking adequate measures stipulated by the PDP Board.

  • If the personal data owner has explicit consent or
  • If the personal data owner does not have explicit consent;
    • Sensitive personal data other than the health and sexual life of the personal data owner;

in cases stipulated by law,

  • Sensitive personal data relating to the health and sexual life of the personal data owner

may only be transferred to persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing.

  • Transfer of Personal Data Abroad

Our company may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with lawful personal data processing purposes (See Chapter 2/Title 2.1).

Personal data may be transferred by our company to foreign countries declared to have adequate protection by the PDP Board as "Foreign Country with an Adequate Level of Protection" or, in the absence of an adequate level of protection, to foreign countries where the data controllers in Türkiye and the relevant foreign country undertake an adequate level of protection in writing and where the PDP Board has the permission of the "Foreign Country where the Data Controller Undertakes an Adequate Level of Protection". In this respect, our company acts as per the regulations stipulated in Article 9 of the PDP Law.

Further information on this issue is provided in Chapter 6 hereof.

  • Transfer of Personal Data Abroad

In line with legitimate and lawful personal data processing purposes, our company may transfer personal data to Foreign Countries with an Adequate Level of Protection or to Foreign Countries where the Data Controller Undertakes an Adequate Level of Protection in the presence of one of the following cases if the personal data owner has explicit consent or if the personal data owner does not have explicit consent:

  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid;
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the company to fulfill its legal obligation,
  • If the personal data has been made public by the personal data owner,
  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
  • If personal data transfer is mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
  • Transfer of Sensitive Personal Data Abroad

By taking due care, taking the necessary security measures (See Chapter 2/Title 2.1) and taking adequate measures stipulated by the PDP Board, in line with legitimate and lawful personal data processing purposes, our company may transfer the personal data of the personal data owner to Foreign Countries with an Adequate Level of Protection or to Foreign Countries where the Data Controller Undertakes an Adequate Level of Protection in the following cases:

  • If the personal data owner has explicit consent or
  • If the personal data owner does not have explicit consent;
    • Sensitive personal data other than the health and sexual life of the personal data owner;

in cases stipulated by law,

  • Sensitive personal data relating to the health and sexual life of the personal data owner

may only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing.

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY

  • Categorization of Personal Data

Within our company, in line with the legitimate and lawful personal data processing purposes of the company, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDP Law, personal data in the following categories, limited to the subjects within the scope of this policy (Group Companies Customer, Visitor, Third Party, Employee Candidate, Company Shareholder, and Company Official as well as Employees, Shareholders, and Officials of the Institutions we cooperate with) and in compliance with the general principles specified in the PDP Law and all obligations regulated in the PDP Law, especially the principles specified in Article 4 regarding the processing of personal data, are processed by informing the relevant persons in line with Article 10 of the PDP Law. It is also stated in Chapter 5 hereof which data owners the personal data processed in these categories are related to within the scope of this policy.

PERSONAL DATA CATEGORIZATION

INFORMATION ON PERSONAL DATA CATEGORIZATION

Identity Information

Information clearly belonging to an identified or identifiable natural person,

processed partially or fully automatically or non-automatically as part of the data recording system, containing information about the identity of the person. Documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate, etc.

Contact Information

Information such as telephone number, address, e-mail address, fax number, and IP address, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.

Location Data

Information clearly belonging to an identified or identifiable natural person,

processed partially or completely automatically or non-automatically as part of the data recording system, information that determines the location of the personal data owner within the framework of the operations carried out by our company's business units, during the use of the products and services of the group companies or the use of the vehicles of our company by the employees of the institutions we cooperate with, GPS location, travel data, etc.

Family Members and Relatives

Information about the personal data owner's family members (e.g. spouse, mother, father, child), relatives and other persons who can be contacted in case of emergency within the framework of the operations carried out by our company's business units, related to the products and services offered by the group companies, or in order to protect the legal and other interests of our company and the personal data owner, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system

Physical Space Security Information

Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point, etc.

Financial Information

Information clearly belonging to an identified or identifiable natural person,

Personal data processed partially or completely automatically or non-automatically as part of the data recording system, personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the company with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information

Visual/Auditory Information

Photographs and camera recordings (except for recordings within the scope of physical space security information), voice recordings and data contained in documents that are copies of documents containing personal data, which clearly belong to an identified or identifiable natural person

Personnel Information

All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed to obtain information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with our company

Sensitive Personal Data

Data clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, data specified in Article 6 of the PDP Law (for example, health data including blood type, biometric data, religion and membership association information)

Request/Complaint Management Information

Information clearly belonging to an identified or identifiable natural person,

personal data processed partially or completely automatically or non-automatically as part of the data recording system, personal data regarding the receipt and evaluation of any request or complaint addressed to our company
  • Purposes of Processing Personal Data

Our company processes personal data limited to the purposes and conditions under the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the PDP Law. These purposes and conditions are as follows: 

  • Clear stipulation in the laws that our company is engaged in the relevant activity regarding the processing of the relevant personal data,
  • Processing of personal data by our company which is directly related and necessary for the establishment or performance of a contract,
  • Processing of personal data which is mandatory for our company to fulfil its legal obligation,
  • Provided that the personal data has been made public by you, processing by our company in a limited manner for the purpose of your publicization,
  • Processing of the personal data by our company which is mandatory for the establishment, use, or protection of the rights of our company or you or third parties,
  • Provided that it does not harm your fundamental rights and freedoms, the necessity of carrying out personal data processing activities for the legitimate interests of the company,
  • Processing of personal data by our company which is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his/her consent due to actual or legal invalidity,
  • Stipulation in the laws in terms of sensitive personal data other than the health and sexual life of the personal data owner,
  • In terms of sensitive personal data related to the health and sexual life of the personal data owner, it is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In this context, our company processes your personal data for the following purposes:

  • Planning and execution of corporate sustainability activities,
  • Event management,
  • Management of relationships with business partners or suppliers,
  • Execution of our company's personnel recruitment processes,
  • Supporting the personnel recruitment processes of group companies,
  • Execution/follow-up of financial reporting and risk management transactions of our company,
  • Execution/follow-up of our company's legal affairs,
  • Planning and execution of corporate communication activities,
  • Execution of corporate governance activities,
  • Realization of company and partnership law transactions,
  • Request and complaint management,
  • Ensuring the security of community values,
  • Supporting group companies in terms of compliance with the relevant legislation,
  • Supporting the planning and execution processes of the fringe benefits and benefits to be provided to senior executives of our company and group companies,
  • Planning and execution of audit activities to ensure that the activities of group companies are carried out in accordance with their own procedures and relevant legislation,
  • Supporting group companies in the realization of corporate and partnership law transactions,
  • Carrying out activities to protect the reputation of the group of companies,
  • Managing investor relations,
  • Providing information to authorized institutions due to legislation,
  • Creation and follow-up of visitor records.

In case the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the PDP Law, your explicit consent is obtained by the company regarding the relevant processing process.

  • Storage Periods of Personal Data

In case it is stipulated in the relevant laws and regulations, our company stores personal data for the period specified in these regulations.

In the event that a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal Data is processed for the period required to be processed in line with the practices of the company and the customs of its commercial life, depending on the activity carried out by our company while processing that data, and then deleted, destroyed, or anonymized.

Further information on this issue is provided in Chapter 9 hereof.

In the event that the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and our company have come to an end, personal data can only be stored with the purpose of constituting evidence in possible legal disputes or asserting the relevant right related to personal data or establishing a defense. In the establishment of the periods herein, storage periods are determined based on the statute of limitations for the assertion of the right in question and the examples of the requests previously addressed to our company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Also here, personal data are deleted, destroyed, or anonymized following the expiration of the aforementioned period.

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY OUR COMPANY

Even though the personal data of the categories of personal data owners listed below are processed by our company, the scope of application of this policy is limited to group company customers, visitors, third parties, employees, employee candidates, company shareholders, and company officials as well as employees, shareholders, and officials of the institutions we cooperate with.

Although the categories of persons whose personal data are processed by our company are within the scope of the above-mentioned scope, persons outside of these categories may also direct their requests to our company within the scope of the PDP Law and the requests of these persons will also be evaluated within the scope of this policy.

Below, the concepts of group company customer, visitor, third party, employee, employee candidate, and company shareholder, as well as company official, employees, shareholders, and officials of the institutions we cooperate with, are clarified within the scope of this policy.

PERSONAL DATA OWNER CATEGORY

DESCRIPTION

Group Companies Customer

Natural persons whose personal data are obtained through the business relations of group companies within the scope of the operations carried out by our company's business units, regardless of whether they have any contractual relationship with our company

Visitor

Natural persons who have entered the physical premises owned by our

company for various purposes or who visit our websites

Third Party

Other natural persons (e.g. guarantors, companions, family members and relatives, former employees) who are not covered by this policy and the policy on the protection and processing of personal data of employees of the company

Employee Candidate

Natural persons who have applied for a job at our company by any means or who have allowed access of their CV and related information to our company's review

Company Shareholder

Natural persons who are shareholders of the company

Company Official

Members of the company's board of directors and other authorized natural persons

Employees, Shareholders, and Officials of the Institutions We Cooperate with

Natural persons working in organizations with which our company has any kind of business relationship (such as but not limited to business partners, suppliers), including shareholders and officials of these organizations

The table below details the categories of personal data owners mentioned above and the types of personal data processed belonging to the persons within these categories.

PERSONAL DATA OWNER CATEGORIZATION

CATEGORY OF DATA OWNER TO WHICH THE RELEVANT PERSONAL DATA RELATES

Identity Information

Group Company Customer, Employee Candidate, Company Shareholder, Company Official, and Visitor as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Contact Information

Group Company Customer, Employee Candidate, Company Shareholder, Company Official, and Visitor as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Location Data

Employees of the Institutions we cooperate with, Company Officials

Family Members and Relatives

Group Companies Customers, Visitors, Employee Candidates, and Third Parties as well as Employees, Shareholders, and Officials of Institutions We Cooperate With

Physical Space Security Information

Visitors, Employee Candidates, Company Shareholders, and Company Officials as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Financial Information

Group Company Customer, Employee Candidate, Company Shareholder, Company Official, and Shareholder as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Visual/Auditory Information

Group Company Customer, Employee Candidate, Company Shareholder, Company Official, and Visitor as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Personnel Information

Employees, Shareholders, and Officials of the Institutions We Cooperate With, Employee Candidate, and Third Parties

Sensitive Personal Data

Group Company Customer, Employee Candidate, Company Shareholder, and Company Official as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

Request/Complaint Management Information

Group Company Customer, Employee Candidate, Company Shareholder, Company Official, and Visitor as well as Employees, Shareholders, and Officials of the Institutions We Cooperate With, and Third Parties

6. THIRD PARTIES TO WHOM PERSONAL DATA PROCESSED BY OUR COMPANY ARE TRANSFERRED AND THE PURPOSES OF TRANSFER

As per Articles 8 and 9 of the PDP Law (See Chapter 3/Title 3.5), our company may transfer the personal data of the data owners governed by the Policy to the categories of persons listed below:

  • To our company's business partners,
  • To our company's suppliers,
  • To group companies,
  • To our company's shareholders,
  • To our company's corporate officers,
  • To legally authorized public institutions and organizations,
  • To legally authorized private law persons.

The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are stated below.

PERSONS TO WHOM DATA CAN BE TRANSFERRED

DESCRIPTION

DATA TRANSFER PURPOSE

Business Partner

It defines the parties with whom our company has established business partnerships for purposes such as 

carrying out various projects and receiving services, either personally or together with group companies, while carrying out its commercial activities.

Limited to ensure the fulfillment of the purposes for which the business partnership was established.

Supplier

It is defined as the parties that provide services to our company on a contractual basis in accordance with the orders and instructions of our company during the execution of our company's commercial activities.

Limited to the purpose of providing our company with the services outsourced by our company from the supplier and necessary to fulfill our company's commercial activities.

Group Companies

Group companies

Limited to ensuring the execution of commercial activities that require the participation of Group companies

Shareholders

Natural persons who are shareholders of our company

Limited to the purposes of the activities we carry out within the scope of corporate law, event management, and corporate communication processes in accordance with the provisions of the relevant legislation.

Corporate Officers

Members of the Board of Directors and other authorized natural persons

As per the provisions

of the relevant legislation, limited to the purposes of designing the strategies regarding the commercial activities of our company, ensuring its management at the highest level and supervision.

Legally Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from our company according to the provisions of the relevant legislation

Limited to the purpose requested by the relevant public institutions and organizations within the legal authority.

Legally Authorized Private Law Persons

Private law persons authorized to receive information and documents from our company in accordance with the provisions of the relevant legislation

Limited to the purpose requested by the relevant private law persons within their legal authority

In the transfers made by our company, we act in line with the matters regulated in Chapters 2 and 3 hereof.

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

  • Processing of Personal Data and Sensitive Personal Data
    • Processing of Personal Data

The explicit consent of the personal data owner is just one of the legal grounds that make it possible to process personal data in line with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In the event that the processed data is sensitive personal data, the conditions set out below under title 7.1.2. under this Chapter shall apply.

Although the legal basis for the processing of personal data by our company varies, we act in line with the general principles specified in Article 4 of the PDP Law (See Chapter 3.1.) in all kinds of personal data processing activities.

  1. Explicit Consent of the Personal Data Owner:

One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information, and freely given.

For personal data processing activities other than the purpose of processing (primary processing) for the reasons for obtaining personal data (secondary processing), at least one of the conditions in (ii), (iii), (iv), (v), (vi), (vii) and (viii) of this title is sought. In the event that none of these conditions is present, these personal data processing activities are carried out by our company based on the explicit consent of the personal data owner for these processing activities.

For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.

  1. Explicit Provision in the Laws:

The personal data of the data owner may be processed as per the law in case it is clearly stipulated in the law.

Example: Inclusion of the name of the relevant person on the invoice as per Article 230 of the Tax Procedural Law.

  • Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility:

The personal data of the data owner may be processed in case it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.

Example: The identity of a shareholder who fainted at the General Assembly meeting is given to the doctors by a company employee.

  1. Direct Relevance to the Establishment or Performance of the Contract:

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data in case it is necessary to process personal data belonging to the parties to the contract.

Example: Obtaining the consultant's bank account information in order to make a payment to the consultant for the performance of a consultancy contract concluded with a business partner consultant.

  1. Fulfillment of Our Company's Legal Obligation:

The personal data of the data owner may be processed in case the processing is mandatory for our company to fulfill its legal obligations as a data controller.

Example: Submission of court-ordered information to the court.

  1. Publicization of Personal Data by the Personal Data Owner:

In the event that the data owner has made his/her personal data public by himself/herself, the relevant personal data may be processed.

Example: Publishing the contact details of a prospective employee on websites that allow job applications.

  • Data Processing is Mandatory for the Establishment or Protection of a Right:

The personal data of the personal data owner may be processed in case data processing is mandatory for the establishment, exercise, or protection of a right.

Example: Storing evidential data (e.g. an invoice) and use of it when necessary.

  • Data Processing Being Mandatory for the Legitimate Interest of the Company:

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, personal data may be processed in case it is mandatory to process data for the legitimate interests of the company.

Example: Camera recording for security purposes in buildings and facilities belonging to the company.

  • Processing of Sensitive Personal Data

By our company, sensitive personal data is processed in the following cases, provided that adequate measures to be determined by the PDP Board are taken when the personal data owner does not have explicit consent:

  • Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
  • Sensitive personal data relating to the health and sexual life of the personal data owner can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

8. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT AT FACILITY ENTRANCES AND INSIDE THE BUILDING AND WEBSITE VISITORS

In order to ensure security, our company carries out personal data processing activities for the monitoring of guest entrances and exits through security cameras in our company's buildings and facilities. Personal data processing activity is carried out by our company through the use of security cameras and recording of guest entrances and exits.

  • Camera Surveillance Activities Carried Out at the Entrances and Inside the Buildings and Facilities of Our Company

In this chapter, explanations will be made regarding our company's camera surveillance system and information will be provided on how personal data, confidentiality, and fundamental rights of the person are protected. Within the scope of security camera surveillance activity, our company aims to protect the interests of the company and other persons in ensuring the security of the company and other persons.

  • Legal Basis for Camera Surveillance Activity

Camera surveillance activities carried out by our company are carried out in line with the law on private security services and the relevant legislation.

  • Execution of Monitoring Activities through Security Cameras as per PDP Law

Our company acts in line with the regulations in the PDP Law in executing camera surveillance activities for security purposes. In order to ensure security in its buildings and facilities, our company executes security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in line with the personal data processing conditions listed in the PDP Law.

  • Announcement of Camera Monitoring Activity

The personal data owner is informed by our company as per Article 10 of the PDP Law. Our company provides notification through more than one method with regard to the camera surveillance activity in the disclosure made regarding general issues (See Chapter 3/Headline 3.5). Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensuring transparency and enlightenment of the personal data owner.

For camera surveillance by our company, this policy is published on our website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is executed (on-site disclosure).

  • Purpose of Camera Surveillance and Limitation to Purpose

As per Article 4 of the PDP Law, our company processes personal data in a limited and measured manner in connection with the purpose for which they are processed. The purpose of video camera surveillance by our company is limited to the purposes listed herein. Accordingly, the monitoring areas, the number of surveillance cameras, and the time of monitoring are implemented as sufficient to achieve the security purpose and limited to this purpose. Areas that may result in interference with a person's privacy in excess of security purposes (e.g. toilets) are not subject to monitoring.

  • Ensuring the Security of the Data Obtained

As per Article 12 of the PDP Law, necessary technical and administrative measures are taken by our company to ensure the security of personal data obtained as a result of camera surveillance activities. (See Chapter 2/Title 2.1)

  • Storage Period of Personal Data Obtained by Camera Surveillance Activity

Detailed information about the storage period of personal data obtained by our company through camera surveillance activities is given in Article 4.3 hereof titled Storage Periods of Personal Data.

  • Persons Who Have Access to Information Obtained as a Result of Monitoring and Persons to Whom This Information is Transferred

Only a limited number of company employees have access to live camera footage and digitally recorded and stored records. A limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.

  • Monitoring of Guest Entry and Exit at the Entrances of Our Company's Building, Facility Entrances, and Interior

Personal data processing activities are carried out by our company with the purpose of ensuring security and monitoring guest entrances and exits in our company's buildings and facilities for the purposes specified hereunder. As the names and surnames of the persons who come to the company premises as guests are obtained, or through the texts posted in the company or otherwise made available to the guests, the personal data owners in question are enlightened in this regard. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are physically recorded in the data recording system.

  • Storage of Records Regarding Internet Access Provided to Visitors in Our Company's Buildings and Facilities

In order to ensure security and for the purposes specified herein, our company may provide internet access to our visitors who request it during their time in our buildings and facilities. In this case, log records regarding internet access are recorded as per Law No. 5651 and the mandatory provisions of the legislation regulated in line with this law. These records are processed only if requested by authorized public institutions and organizations or in order to fulfill our legal obligation in the supervision processes to be carried out within the company.

Only a limited number of company employees have access to the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in requests or supervision processes from authorized public institutions and organizations and share them with legally authorized persons. A limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.

  • Website Visitors

On the websites owned by our company, internet movements within the website are recorded by technical means (such as cookies-cookie) in order to ensure that visitors to these sites perform their visits on the sites in accordance with their purpose of visit, to show them customized content, and to engage in online advertising activities.

9. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

  • Our Company's Obligation to Delete, Destroy and Anonymize Personal Data

Although it has been processed in line with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the PDP Law, personal data shall be deleted, destroyed, or anonymized upon the decision of our company or upon the request of the personal data owner if the reasons requiring its processing disappear. In this context, the company fulfills its related obligation through the methods described in this chapter.

  • Methods for Deletion, Destruction, and Anonymization of Personal Data
    • Methods for Deletion and Destruction of Personal Data

Although it has been processed in line with the provisions of the relevant law, the Company may delete or destroy personal data based on its own decision or upon the request of the personal data owner in the event that the reasons requiring its processing disappear. The most commonly used deletion or destruction methods used by our company are listed below:

  • Physical Destruction

Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When such data is deleted/destroyed, the system of physically destroying the personal data in such a way that it cannot be used later is applied.

  • Secure Deletion Software

When deleting/destroying data processed by fully or partially automated means and stored in digital media, methods are used to delete the data from the relevant software so that it cannot be recovered again.

  • Sending to a Specialist for Secure Deletion

In some cases, our company may engage a specialist to erase personal data on its behalf. In this case, the personal data will be securely deleted/destroyed by a specialist in this field in a way that cannot be recovered again.

  • Methods for Anonymizing Personal Data

Anonymization of personal data refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in as per the law disappear.

In line with Article 28 of the PDP Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the PDP Law and the explicit consent of the personal data owner will not be sought. Since personal data processed by anonymization will be outside the scope of the PDP Law, the rights set out in Chapter 10 of the policy will not apply to this data. The anonymization methods most commonly used by our company are listed below.

  • Masking

Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.

Example: The removal of information such as name, Turkish Identity Number, etc., which enables the identification of the personal data owner, and transforming it into a data set in which it becomes impossible to identify the personal data owner.

  • Aggregation

With the data aggregation method, many data are aggregated and personal data cannot be associated with any individual.

Example: Demonstrating that there are Z number of employees aged X without showing the age of the employees individually.

  • Data Derivation

By use of the data derivation method, a more general content is created from the content of the personal data and it is ensured that the personal data cannot be associated with any person.

Example: Specifying ages instead of dates of birth, specifying the region of residence instead of the street address.

  • Data Shuffling, Permutation

With the data shuffling method, the values in the personal data set are mixed and the link between the values and the individuals is broken.

Example: Changing the nature of voice recordings so that the voice cannot be associated with the data owner.

10. RIGHTS OF PERSONAL DATA OWNERS, METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS

  • Rights of the Data Owner and Exercise of These Rights
    • Rights of the Personal Data Owner

Personal data owners have the following rights:

  1. Finding out whether his/her personal data is being processed,
  2. If their personal data are processed, demanding information in this regard,
  3. Finding out the purpose of the processing of their personal data and whether they are used in line with such purpose,
  4. Finding out the third parties inland or abroad to whom personal data are transferred,
  5. Requesting correction of personal data in case of incomplete or incorrect processing and demanding notification of the processes performed within this scope to third parties to whom personal data is transferred,
  6. Even though it has been processed as per the provisions of the PDP Law and other applicable laws, requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and demanding notification of the processes performed within this scope to third parties to whom personal data is transferred,
  7. Objecting to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  8. In case of damage due to unlawful processing of personal data, demanding compensation for the damage.
  • Cases where the Personal Data Owner cannot assert his/her rights

Pursuant to Article 28 of the PDP Law, personal data owners cannot assert the rights of personal data owners listed in 10.1.1. in the relevant matters, since the following cases are excluded from the scope of the PDP Law:

  1. Processing of personal data for purposes such as research, planning, and statistics through anonimization with official statistics,
  2. Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime,
  3. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law in order to ensure national defense, national security, public security, public order, or economic security,
  4. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials, or executions.

Pursuant to Article 28/2 of the PDP Law, In the cases listed below, personal data owners cannot assert their other rights listed in 10.1.1. except for the right to demand compensation for the damage:

  1. Processing of personal data being necessary for the prevention of crime or criminal investigation,
  2. Processing of personal data made public by the personal data owner himself/herself,
  3. Personal data processing being necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
  4. Processing of personal data being necessary for the protection of the economic and financial interests of the state in relation to budgetary, tax, and fiscal matters.
  • Exercise of the Rights of the Personal Data Owner

Personal Data Owners will be able to submit their requests regarding their rights listed under Title 10.1.1. of this Chapter to our company free of charge by filling out and signing the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board:

  • After filling out the form available at aesgroup.com.tr, a wet signed copy of the form must be submitted in person or through a notary public to "Nosab Şeftali Cd. 118 Sk. No: 4 Nilüfer/Bursa/Türkiye" address,
  • Filling in and signing the form available at aesgroup.com.tr and sending it to kvkk@aesgroup.com.tr.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

  • Personal Data Owner's Right to File a Complaint to the PDP Board

Pursuant to Article 14 of the PDP Law, the personal data owner may file a complaint to the PDP Board within thirty days from the date of finding out the answer of our company and in any case within sixty days from the date of application in case the application is rejected, the answer given is insufficient or the application is not responded in due time.

  • Our Company's Response to Applications

Applications regarding the personal data processing activities of Group Companies must be made to the relevant group company. It is only necessary to apply to our company in cases where our company is deemed to be the data controller within the scope of the PDP Law. This situation may exist in cases where our company collects personal data directly from the data owner or where the data sharing between the relevant group company and our company is considered as data transfer from the data controller to the data controller within the scope of the PDP Law. Apart from these, applications regarding personal data processing activities for which the relevant group company is deemed to be the data controller should be made to the relevant group company, not to our company.

  • Procedure and Duration of Our Company's Response to Applications

In the event that the personal data owner submits his/her request to our company in line with the procedure in the section titled 10.1.3. of this Chapter, our company will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request, however, in case a fee is stipulated by the PDP Board, the fee in the tariff determined by the PDP Board will be charged by our company to the applicant.

  • Information That May Be Requested by Our Company From the Applicant Personal Data Owner

Our company may request information from the relevant person in order to determine whether the applicant is the owner of personal data. With the purpose of clarifying the issues in the application of the personal data owner, our company may ask questions to the personal data owner regarding his/her application.

  • Our Company's Right to Refuse the Personal Data Owner's Application

In the following cases, our company may reject the application of the applicant by explaining its reasoning:

  1. Processing of personal data for purposes such as research, planning, and statistics through anonimization with official statistics,
  2. Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime,
  3. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law in order to ensure national defense, national security, public security, public order, or economic security,
  4. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials, or executions,
  5. Processing of personal data being necessary for the prevention of crime or criminal investigation,
  6. Processing of personal data made public by the personal data owner himself/herself,
  7. Personal data processing being necessary for the execution of supervisory or regulatory duties and

disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,

  1. Processing of personal data being necessary for the protection of the economic and financial interests of the state in relation to budgetary, tax, and fiscal matters.
  2. The request of the personal data owner being likely to impede the rights and freedoms of other persons,
  3. Demands that require disproportionate effort,
  4. The requested information being publicly available.

11. THE RELATIONSHIP OF THE POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES

Our company establishes basic policies for group companies as well as sub-policies for internal use on the protection and processing of personal data related to the principles set forth herein.

The principles of the company's internal policies are reflected in publicly available policies to the extent relevant, and it is aimed to inform those concerned within this framework and to ensure transparency and accountability with regard to the personal data processing activities carried out by the company.

12. PERSONAL DATA PROTECTION AND PROCESSING POLICY GOVERNANCE STRUCTURE

In line with the decision of the senior management of the company, the Supreme Board for the Protection of Personal Data ("Supreme Board") and the Personal Data Protection Committee ("Committee") have been established within our company to manage this policy and other policies related to this policy (See Chater 11).

The duties of this Committee are as follows:

  • To prepare and put into effect the basic policies on the protection and processing of personal data and amendments, if necessary, and to submit them to the Supreme Board for the approval of the senior management,
  • To decide how the implementation and supervision of the policies on the protection and processing of personal data will be carried out and to submit the issues of making internal assignments and ensuring coordination within this framework to the Supreme Board for the approval of the senior management,
  • To determine the matters that need to be executed to ensure compliance with the PDP Law and related legislation, submitting them to the senior management for approval, and submitting them to the Supreme Board to oversee their implementation and ensure their coordination,
  • To raise awareness within the company and among the organizations with which the company cooperates on the protection and processing of personal data,
  • To ensure that necessary measures are taken by identifying the risks that may arise in the personal data processing activities of the company; to submit improvement suggestions to the Supreme Board for the approval of senior management,
  • To forward to the Supreme Board in order to organize training on the protection of personal data and the implementation and dissemination of policies with the purpose of ensuring that personal data owners are informed about personal data processing activities and their legal rights,
  • To forward the applications of personal data owners to the Supreme Board for a decision at the highest level,
  • To follow the developments and regulations on the protection of personal data, to convey to the Supreme Board their suggestions on what needs to be done within the company in line with these developments and regulations,
  • To maintain relations with the PDP Board and Authority under the coordination of the Supreme Board,
  • To perform other duties to be assigned by the company's senior management and the Supreme Board with regard to the protection of personal data.