Sectec

Personal Data Processing, Storage and Destruction Policy

Personal Data Processing, Storage and Destruction Policy

SECTEC KVKK PERSONAL DATA SECURITY MANAGEMENT SYSTEM

PERSONAL DATA

PROCESSING, STORAGE AND DISPOSAL POLICY

Document Number: PL-02

Publication Date: 20.06.2020

Revision No / Date: 00/-

Number of Pages: 1

REVISION TABLE

REVISION NO

JUSTIFICATION FOR REVISION

HISTORY

Entrance

In accordance with Law No. 6698, the safe protection, processing, transfer, deletion and destruction of personal data in both physical and digital environments is carried out by SECTEC GÜVENLİK OTOMASYON SİSTEMLERİ SAN. TRADE. It is an issue that is given great importance by A.Ş. and the necessary administrative and technical measures are taken accordingly in all our processes. All activities of our company regarding the protection of personal data are carried out in accordance with this Personal Data Storage, Processing, Transfer and Destruction Policy (“Policy”).

Our company will analyze the personal data processing activities carried out by taking this Policy as a guide and will take all kinds of technical and administrative measures to comply with the Policy. After the determined actions and measures are implemented, compliance with this policy will be ensured by operating internal audit mechanisms.

Purpose of Policy

The main purpose of this Policy is to ensure that the identified or identifiable individuals whose personal data we process; It is to inform our Company on issues such as personal data processing, storage, protection and deletion activities, measures taken in this context, rights of data owners and methods of exercising these rights.

Scope of Policy

The scope of this Policy; All processed personal data of identified or identifiable persons whose data we process. The articles specified in the policy also include all kinds of information and documents that can be associated with an identified or identifiable natural person, and the measures taken and regulations made regarding them.

Enforcement of Policy

This Policy issued by our Company entered into force on 20.06.2020. If the entire Policy or certain articles are revised, the revision date of the Policy will be stated.

In case of incompatibility between the legislation in force and the Policy, the provisions of the legislation will be applied first. If there is another policy or regulation on the same subject for more specific purposes apart from this basic Policy, the articles containing special provisions shall be applied first. Provisions of other policies and documents that conflict with this Policy and relevant legislation do not apply.

Definitions : DEFINITION

EXPLANATION

Explicit Consent

Consent regarding a specific subject, based on information and expressed with free will. Anonymization

Matching personal data with other data so that it cannot be associated with an identified or identifiable natural person. Employees Employees of our company and its affiliated companies

Employee Candidate

Candidate interviewed for recruitment purposes

Related person

Real person whose personal data is processed

Related User

Persons who process personal data within the Data Controller organization or in line with the authority and instructions received from the Data Controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

Deletion, destruction or anonymization of personal data

Law

Personal Data Protection Law No. 6698

recording media

Any environment where personal data is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system

Personal Data

Any information regarding an identified or identifiable natural person

Personal Data Processing Inventory Form

Personal data processing activities carried out by data controllers depending on their business processes; It is a document that they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject group, and details the maximum period required for the purposes for which personal data is processed, personal data envisaged to be transferred to foreign countries, and measures taken regarding data security.

Anonymization of Personal Data

Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.

Destruction of Personal Data

The process of deleting, anonymizing or destroying personal data

Deletion of Personal Data

The process of making personal data inaccessible and unusable for the relevant users in any way

Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone.

KVKK

Personal Data Protection Law published in the Official Gazette No. 29677 dated 7 April 2016

KVKK Board

Personal Data Protection Board

Special Personal Data

People’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and biometric and genetic data

periodic destruction

In the event that all of the conditions for processing personal data in the KVKK are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy will be carried out ex officio at recurring intervals.

Data Recording System

Registration system where Personal Data is structured and processed according to certain criteria

VERBIS (Data Registry Information System)

Information system created and managed by the Presidency, accessible over the internet, that data controllers will use in applying to the Registry and other relevant transactions related to the Registry.

Data Processor

Natural or legal person who processes personal data on behalf of the Data Controller based on the authority given by him/her

Data Controller Representative

Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system

Rules Concerning the Processing of Personal Data

6.1 Processing of Personal Data in Accordance with the Principles Provided in the Legislation

Our company processes personal data in accordance with the provisions and rules set forth in the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation. Personal data processing principles are determined in the Law. Our company acts in accordance with these principles in every data processing activity.

6.1.1 Processing in accordance with the Law and the Rules of Honesty

Our company acts in accordance with legal regulations and the rule of honesty in the processing of personal data. In this context, our Company processes personal data in accordance with the protection legislation and the rules introduced by the relevant legislation, does not process personal data for purposes other than those announced to the data owners, and processes only the necessary personal data at a level that is compatible with the data processing purposes by applying the principles of proportionality and necessity in the processing of personal data. .

6.1.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary

Our company takes the necessary precautions during data processing processes to ensure that the data processed is accurate and up-to-date. In this context, it provides the personal data owner with the opportunity to apply to our Company to update or correct their data.

6.1.3 Processing for Specific, Clear and Legitimate Purposes

Our company processes personal data only for legitimate purposes. Before starting data processing, our company determines the purposes of processing personal data, except for the exceptions stipulated in the KVKK, and clearly announces these purposes to the data owners during the collection of their personal data.

6.1.4 Being Relevant, Limited and Proportionate to the Purpose for which Personal Data is Processed

Personal data is processed in a limited and measured manner in relation to a clearly and precisely determined purpose, and we avoid the processing of unnecessary personal data.

6.2 Conditions for Processing Personal Data

Personal data is processed by our company based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, if the relevant person has explicit consent or is within the scope of the exceptions specified in the KVKK. Our company processes personal data in accordance with the regulations introduced in the Law. Data processing activities that do not fall within this scope are stopped.

6.2.1 Exceptional Situations Where Explicit Consent is Not Required in the Processing of Personal Data

If there is a clear regulation in the law regarding the processing of personal data

If the personal data owner is unable to express his/her consent due to actual impossibility or if it is necessary to protect the life or physical integrity of the person whose consent is given legal validity or someone else.

If it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

If personal data processing is necessary for our company to fulfill its legal obligations

If personal data has been made public by the personal data owner

If personal data processing is mandatory for the establishment, exercise or protection of a right

If it is necessary to process personal data for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

6.2.2 Exceptional Situations Where Explicit Consent is Not Required in the Processing of Special Personal Data

In the following exceptional cases arising from the law, special personal data are processed without explicit consent:

Special personal data other than the health and sexual life of the special personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures). relevant data and biometric and genetic data) in cases stipulated by law

Special personal data regarding the health and sexual life of the personal data owner can only be used by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. by

Provided that adequate precautions are taken

6.3 Transfer of Personal Data

6.3.1 Domestic Transfer of Personal Data

Our company may transfer the personal data it processes for personal data processing purposes to third parties by obtaining the explicit consent of the relevant person, except for the above-mentioned exceptions. If necessary, our company transfers personal data in line with the decisions and regulations stipulated in the KVKK and taken by the KVK Board.

6.3.2 International Transfer of Personal Data

In principle, personal data is not transferred abroad by our company without the explicit consent of the data owner. If one of the above-mentioned exceptions is met, the person may transfer the data to foreign countries where there is adequate protection or where there is a Data Controller Representative who undertakes adequate protection, regardless of whether the data owner has explicit consent.

6.3.3 Institutions/Organizations to which Personal Data is Transferred

Institutions and organizations to which personal data may be transferred, including but not limited to those mentioned above.

6.4 Informing the Personal Data Owner

In compliance with the disclosure obligation in the Law, our company informs personal data owners about how their personal data will be processed during the collection of personal data. In this context, our Company informs data owners on at least the following issues.

Identity of the Data Controller and his representative, if any,

For what purpose personal data will be processed,

To whom and for what purpose personal data can be transferred,

Method and legal reasons for collecting personal data,

Rights of the personal data owner in accordance with Article 11 of KVKK.

Storage of Personal Data

7.1 Storing personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Our company stores the personal data it processes in accordance with the principles set out in the Law for the period stipulated in the legislation. After the relevant regulations are put into effect by the KVK Board, a contact person will be appointed within the scope of personal data processing activities and registration to VERBIS will be carried out.

If the legislation does not stipulate a specific period for storing the relevant personal data types, personal data are retained until the purpose for which they are processed ends.

In cases where the legislation does not stipulate a specific period for the storage of the relevant personal data types, retention periods are determined specific to each data processing purpose. In this context, retention periods are determined by taking into account our Company’s practices and commercial life practices.

Personal data; Apart from the purpose of processing, it may be stored to serve as evidence in possible legal disputes, to assert a right that can be proven with personal data, to establish a defense and to respond to information requests from authorized public institutions. In establishing the periods here, limitation periods for asserting the mentioned right as well as company practice and general customs on the same issues are taken into consideration.

In cases where our Company has a legitimate interest, personal data may be stored until the end of the general limitation period (ten years) regulated in the Turkish Code of Obligations No. 6098, provided that the purpose of processing and the periods specified in the relevant laws have expired, provided that the fundamental rights and freedoms of the data owners are not harmed. . After the said statute of limitations expires, personal data will be deleted, destroyed or anonymized according to the specified procedure.

7.1.1 Precautions we take regarding the storage of personal data

The KVK Board may make detailed regulations regarding obligations regarding data security. If detailed regulations are introduced, reasonable efforts must be made to comply with the obligations in the regulations and maximum security must be ensured.

Technical Precautions:

In technical matters, authorized personnel or outsourcing is provided and permanent personnel are employed within the company.

All processes related to data processing activities within our company are analyzed on the basis of relevant departments, and in this context, a Personal Data Processing Inventory Form is prepared by each department and stored as a single data inventory.

Databases, software/hardware storage units and similar technical infrastructure where your personal data will be stored are created and used.

Risky situations are re-examined and necessary technological solutions are produced.

Relevant software and systems, including software and hardware including virus protection systems and firewalls, are installed.

Policies and related processes in accordance with all technical requirements of the KVK Law are created and implemented by our Company’s units under the name of “Personal Data Security Management System”.

Administrative Measures:

Awareness activities and training are carried out regarding the legal storage of personal data.

In case of cooperation with third parties for the storage of personal data, contracts made with the companies to which personal data are transferred; We include provisions regarding taking the necessary security measures for the protection and safe keeping of the transferred personal data of the persons to whom personal data is transferred.

We sign confidentiality agreements with the subcontractors from whom we receive services that transfer personal data to us, and we receive confirmation through these agreements that these data are transferred in accordance with the law.

Access to personal data is limited to employees assigned for the purpose of processing. Employees’ access to personal data that they do not use as part of their duties should be limited.

In order for employees to comply with this Policy, the Policy is published on our Company’s internal network and web page, and provisions are included in their employment contracts stating that they will comply with the company procedures and rules.

Provisions regarding taking necessary security measures to protect personal data are added to the contracts concluded with the persons to whom personal data is transferred.

Policies and related processes in accordance with all administrative requirements of the KVK Law are created and implemented by our Company’s units under the name “Personal Data Security Management System”.

Destruction of Personal Data

8.1 Obligation to Destroy Personal Data

When the specified periods expire, our company destroys the relevant personal data by preparing a report and choosing one of the 3 (three) methods listed below. These:

Deletion of personal data

Destruction of personal data

It is the anonymization of personal data.

Details about these three methods are included in the following sections. In addition, personal data is deleted, destroyed or anonymized upon the request of the personal data owner.

Our Company’s “Personal Data Processing Inventory Form” is checked by the Data Controller Representative at periodic intervals of 6 (six) months, and destruction procedures, if any, are carried out as necessary, and records (destroyed documents information) logs are kept for the 3 years stipulated in the Law.

8.2 Conditions for Destruction of Personal Data

If the reasons requiring the processing of personal data specified in Articles 5 and 6 of the KVKK disappear, our Company destroys the personal data ex officio or upon the request of the relevant person (data owner), if the request is found positive as a result of the evaluation. In addition, if all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, our Company will notify the third party of this situation; Necessary actions are requested to be taken before the third party.

8.3 Precautions We Take Regarding the Destruction of Personal Data

Technical Precautions:

For the safe destruction of personal data, technical infrastructures and related control mechanisms and technical measures are established and the appropriate destruction method is determined.

Employees with technical expertise in the destruction of personal data are employed, or external technical support is received in cases where this process takes place.

Data on paper is destroyed by shredding machines. These machines are located in locations that data processors can easily use.

Administrative Measures:

Awareness is created by informing our employees about the obligations regulated in KVKK.

With audit mechanisms, it is checked whether the destruction of personal data is carried out on time and whether the relevant records are received. In this context, a personal data protection committee will be formed or a Data Controller Representative will be elected, and this committee or representative will hold a meeting every 6 (six) months and inspect the destruction processes of the relevant departments. This committee / representative within our company will submit the report it creates after each meeting for the information and approval of the Data Controller.

8.4 Deletion and Destruction of Personal Data

Within our company, the deletion and destruction of personal data is carried out in accordance with the principles specified in this Policy, by the methods explained below.

8.4.1 Deletion of Personal Data

The Data Controller Representative appointed within our company is obliged to take all necessary technical and administrative measures to ensure that deleted personal data are inaccessible and unusable for relevant users.

8.4.1.1 Deletion Process of Personal Data

The basic process that the Data Controller Representative must follow in deleting personal data is stated below.

Determining the personal data that will be subject to destruction in the “Personal Data Processing Inventory Form”

Detailing the groups of Relevant Users in the “Personal Data Processing Inventory Form” on a person / role basis

Determining the authorizations and methods of the relevant Users such as access, retrieval and reuse.

Closing and destroying the relevant Users’ access, retrieval and reuse authorizations and methods within the scope of personal data and keeping logs of the data to be destroyed

8.4.1.2 Methods of Deletion of Personal Data

Since personal data within our company can be stored in different recording environments, they must be deleted by methods appropriate to the recording environments. Sample methods used by our company to delete personal data are listed below:

Application Type Cloud Solutions as a Service (such as Google Suite, Google Drive)

Personal data is not kept in the cloud system applications used/planned to be used in our company.

Personal Data on Paper

Personal data in paper form within our company is destroyed by going through a paper shredder. However, in exceptional cases, it can be deleted using the blackout method. This process is carried out by cutting the personal data on the relevant document where possible, and in cases where it is not possible, by making it invisible to the relevant users by using fixed ink in a way that is irreversible and unreadable with technological solutions.

Office Files on the Central Server

If the relevant User has permanent deletion authority on the file containing personal data, he/she can delete the relevant file so that it cannot be accessed again with the delete command in the operating system of the file. If there is no permanent deletion authority, the relevant User’s access rights on the directory where the file is located are removed. While performing these operations, necessary precautions are taken to ensure that the Relevant User is not also a system administrator.

Personal Data Contained in Portable Media

Within our company, personal data in Flash-based storage media is stored encrypted and deleted using software suitable for these environments.

Databases

Personal data stored in our company’s databases are deleted with database commands (DELETE, etc.). While performing this process, it is taken into consideration that the Relevant User is not also the database administrator.

8.4.2 Destruction of Personal Data

Personal data destroyed by our company is rendered inaccessible, irretrievable and unusable by anyone. The Data Controller Representative is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

8.4.3 Personal Data Destruction Methods

In order to destroy personal data, all copies containing the data must be identified and destroyed one by one using one or more of the methods listed below, depending on the type of systems where the data is located.

Our company may contract with an expert to destroy personal data on its behalf, if necessary. In this case, personal data is securely destroyed by an expert in this field so that it cannot be recovered again.

Local Systems

Our company may use one or more of the following methods to destroy personal data on these local systems.

a – De-magnetization

It is the process of passing the magnetic media through a special device and exposing it to a very high magnetic field, thus corrupting the data on it in an unreadable way. Our company can contract with an expert for this process when necessary.

b – Physical destruction

It is the process of physically destroying optical media and magnetic media, such as melting, burning or pulverizing them. Data is rendered inaccessible by processes such as melting optical or magnetic media, burning them, pulverizing them, or passing them through a metal grinder. For solid state disks, if overwriting or demagnetizing is unsuccessful, this media must also be physically destroyed. Our company can contract with an expert for this process when necessary.

c – Overwrite

It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media / USB memory or portable HDD. This process is done using special software. Our company can contract with an expert for this process when necessary.

Environmental Systems

Depending on the type of environment, our company may use one of the following methods to destroy personal data on the environmental systems in question.

a-Network devices (nas etc.)

The storage media inside the devices in question are fixed. Products often have a delete command but no destroy feature. It is destroyed by using one or more of the appropriate methods specified in the Local Systems section.

b-Flash based environments

Flash-based hard disks with ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interfaces can be destroyed by using the command if supported, by using the destruction method recommended by the manufacturer if not supported, or by using one or more of the appropriate methods specified in the Local Systems section. is being destroyed.

c-Magnetic Tape

They are media that store data with the help of micro magnet pieces on flexible tape. It must be destroyed by demagnetizing it by exposing it to very strong magnetic environments or by physical destruction methods such as burning or melting. Our company can contract with an expert for this process when necessary.

d-Units such as magnetic disk

They are media that store data with the help of micro magnet pieces on flexible (plate) or fixed media. It must be destroyed by demagnetizing it by exposing it to very strong magnetic environments or by physical destruction methods such as burning or melting. Our company can contract with an expert for this process, if necessary. e-Mobile phones (simcard and fixed memory areas)

There is a delete command in fixed memory areas on portable smartphones, but most do not have a destroy command. It must be destroyed by using one or more of the appropriate methods specified in the Local Systems section.

f-Optical discs

They are data storage media such as CDs and DVDs. It must be destroyed by physical destruction methods such as burning, breaking into small pieces, and melting. Our company can contract with an expert for this process when necessary.

g-Peripheral units such as printers and fingerprint access systems with removable data recording media

It must be verified that all data recording media have been removed and destroyed by using one or more of the appropriate methods specified in the Local Systems section, depending on their characteristics. Our company can contract with an expert for this process when necessary.

h-Peripheral units such as printers with fixed data recording media and fingerprint door access systems

Most of the systems in question have a delete command, but no destroy command. It must be destroyed by using one or more of the appropriate methods specified by the IT responsible / consultant.

Paper etc. Similar Environments

Paper shredding or shredding machines are used to destroy personal data in paper, microfiche and similar media. Personal data transferred from the original paper format to the electronic environment by scanning must be destroyed by using one or more of the appropriate methods specified in the Local Systems section, depending on the electronic environment in which they are located. Our company can contract with an expert for this process when necessary.

Cloud Environment

During the storage and use of personal data in cloud systems, it should be encrypted with cryptographic methods and, where possible, separate encryption keys should be used for personal data, especially for each cloud solution from which service is received. When the cloud computing service relationship ends; All copies of the encryption keys necessary to make personal data usable must be destroyed. In addition to the above environments, the destruction of personal data in devices that malfunction or are sent for maintenance is carried out as follows.

Destroying the personal data contained in the relevant devices by using one or more of the appropriate methods specified in the Local Systems section, before transferring them to third institutions such as manufacturers, dealers and services for maintenance and repair operations,

In cases where destruction is not possible or appropriate, disassembling and storing the data storage medium and sending other defective parts to third institutions such as manufacturers, dealers and service,

Necessary precautions must be taken to prevent personnel coming from outside for purposes such as maintenance and repair from copying personal data and taking them out of the institution.

8.5 Techniques for Anonymizing Personal Data

Our company can anonymise personal data if necessary and when the reasons requiring the processing of personal data processed in accordance with the law no longer exist. Anonymization techniques to be used by our company if needed are listed below.

masking

Data masking is the method of anonymizing personal data by removing the basic identifying information of personal data from the data set.

“ Name, TR Identity Number, etc. that enable the identification of the personal data owner. by removing the information and turning it into a data set in which identification of the personal data owner becomes impossible.”

“If part of the person’s credit card number is marked with an asterisk, there is masking. (09988 **** **** 87806)”

consolidation

With the data aggregation method, many data are aggregated and personal data is made unable to be associated with any individual.

“Revealing that there are Z employees aged X without showing the ages of the employees one by one.”

“Data regarding the number of female employees in the company being Z and 40% of them being university graduates and 60% having master’s degrees have been anonymized.”

Data Derivation

With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any individual.

“In case the person’s direct age is written instead of the Day/Month/Year details of the date of birth, anonymization is made by deriving data.”

Data Hashing

With the data mixing method, the connection between values and individuals is broken by mixing the values in the personal data set.

“Changing the quality of voice recordings so that the voices cannot be associated with the data subject.”

“Data mixing is done when the values showing the ages of people in a class where the age average is wanted to be taken are interchanged with each other.”

Titles, Units and Job Descriptions of Those Involved in Personal Data Storage and Destruction Processes

All processes related to data processing activities within our company are analyzed on the basis of relevant departments, and in this context, a PERSONAL DATA TYPE RECORDING TIME AND LOCATIONS LIST is prepared by each department. The persons who are involved and responsible for the storage and destruction of personal data are the most authorized employees of each relevant department on a departmental basis.

Protection of Personal Data

In accordance with Article 12 of the KVKK, our company takes the necessary technical and administrative measures to ensure the security of personal data and to prevent unlawful access to personal data and unlawful processing of these data.

Our company pays utmost attention to the protection of sensitive personal data. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully implemented in terms of special personal data and the necessary inspections are provided within our Company.

Our company takes utmost care to ensure that if the personal data it processes are obtained by others through illegal means, this situation is reported to the relevant personal data owner and the Board as soon as possible.

10.1 Security of Personal Data

10.1.1 Audit of Measures Taken for the Protection of Personal Data

Our company carries out internal audits in accordance with Article 12 of KVKK. The final report of the audit is reported to the relevant managers, and in case of a problem, necessary regulatory and preventive actions are taken.

10.1.2 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

Our company operates a system that ensures that if personal data processed in accordance with Article 12 of the KVK Law is obtained by others through illegal means, this situation is notified to the relevant personal data owner and the KVK Board as soon as possible.

If deemed necessary by the KVK Board, this situation may be announced on the KVK Board’s website or by another method.

10.2 Protection of Special Personal Data

Special personal data are defined in the definitions section.

Our company acts sensitively in the protection of special personal data, which are determined as special by KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully implemented in terms of special personal data and the necessary inspections are provided within our Company.

Data Owner’s Rights and Rules for the Exercise of These Rights

11.1 Rights of Personal Data Owner

Personal Data Owner has the following rights over his personal data.

Learning whether personal data is processed or not,

Requesting information if personal data has been processed,

Learning the purpose of processing personal data and whether they are used for their intended purpose,

Knowing the third parties to whom personal data is transferred at home or abroad,

Requesting correction of personal data if they are incomplete or incorrectly processed,

Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,

Requesting that the correction, deletion or destruction mentioned above be notified to third parties to whom personal data has been transferred,

Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,

Request compensation for damages in case of damage due to unlawful processing of personal data.

11.2 Personal Data Owner’s Exercise of His Rights

If a separate method is determined by the KVK Board, the Personal Data Owner may send his/her request regarding his/her personal data via this method or in writing with a wet signature to our Company’s address.

In the application that the Personal Data Owner will make to exercise the above-mentioned rights and includes explanations regarding the right he/she requests to use; The requested matter must be clear and understandable, the requested subject must be related to the applicant personally, or if acting on behalf of someone else, he must be specifically authorized in this matter and this authority must be documented, and the application must include identity and address information and documents proving his identity must be attached to the application.

These requests will be made on an individual basis and requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.3 Evaluation of the application

Requests regarding personal data are responded to as soon as possible and within thirty days at the latest, depending on the nature of the request. While the application is being evaluated, additional information and documents may be requested.

11.4 Our right to reject the application

If all the conditions for processing personal data have not been eliminated, this request may be rejected by our Company by explaining the reason and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest.

11.5 Application evaluation procedure

If the request is accepted, the relevant action is taken and notification is made in writing or electronically. If the decision to destroy personal data is taken by our Company as a result of reviewing the accepted applications, the destruction process is carried out by the Data Controller Representative within 30 (thirty) days at the latest or within the period stipulated in the Law, by using the appropriate one of the methods specified in this Policy and the relevant The person is informed. If the request is rejected, the reason is explained and the applicant is notified in writing or electronically.

Information Regarding Our Company’s Data Processing Processes

12.1 Types of Personal Data Processed by the Company

Within our Company, personal data is processed in accordance with the law and the rules of honesty, based on one or more of the personal data processing conditions specified in Article 5 of the Law and limited to one or more of the personal data processing conditions specified in Article 5 of the Law, by informing the relevant persons in accordance with Article 10 of the Law. Storage and destruction periods are specified in the Personal Data Processing Inventory Form.

Personal Data Processing Activities Performed within Our Company’s Facilities and Data Processing Activities Performed on the Website

13.1 Camera Monitoring within Our Company’s Facilities

In order to ensure security by our Company, personal data processing activities are carried out for monitoring guest entries and exits through security cameras in our Company’s buildings and facilities.

Personal data processing is carried out by our Company by using security cameras and recording guest entries and exits. In this context, our Company acts in accordance with the Constitution, KVKK and other relevant legislation.

The monitoring areas of security cameras, their number and when they will be monitored are implemented in a way that is sufficient to achieve the security purpose and is limited to this purpose. Areas that may interfere with a person’s privacy in a way that exceeds security purposes are not monitored. The rules regarding security, preservation and deletion stipulated in the processing of personal data are also applied to camera recordings.

Only authorized units can access camera recordings. Apart from this, camera recordings are shared with third parties in cases such as a customer complaint, an internal disciplinary process, a request for information regarding an ongoing legal dispute, and similar situations.

13.2        Tracking Guest Entrance and Exit at the Entrances and Exits of Our Company’s Buildings and Facilities

By our company; Guest entrances and exits can be monitored in our Company’s buildings and facilities to ensure security and for the purposes specified in this Policy.

While the names and surnames of people who come to our Company’s buildings as guests are obtained, the personal data owners in question are clarified in this context through information boards within the Company, texts made available to guests or in other ways. The data obtained for the purpose of tracking guest entry and exit is processed only for this purpose and the relevant personal data is recorded. Data regarding guest entries and exits are deleted after the retention period expires.

13.3       Website Visitors

On the websites owned by our company; To ensure that people visiting these sites carry out their visits on the sites in accordance with the purposes of their visit; Internet movements within the site are recorded through technical means (e.g. cookies) in order to show them customized content and engage in online advertising activities.

13.4        Keeping Records Regarding Internet Access Provided to Our Visitors in Our Company’s Buildings and Facilities

To ensure security by our company and for the purposes specified in this Policy; Our Company can provide internet access to our Visitors upon request during their stay in our Buildings and Facilities. In this case, log records regarding your internet access are recorded in accordance with Law No. 5651 and the mandatory provisions of the legislation issued in accordance with this Law; These records are processed only upon request by authorized public institutions and organizations or to fulfill our legal obligations during audit processes to be carried out within the Company. Only a limited number of our Company employees have access to the log records obtained in this context. Company employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations and share them with legally authorized persons. A limited number of people who have access to the records declare with a confidentiality agreement that they will protect the confidentiality of the data they access.

ANNEX 1

Personal Data Types

Explanation

Personal Data Category

TR ID number, nationality information, passport number, name-surname, place of birth, date of birth, age, place of registration, copy of certified identity card, tax number, SSI number, gender and similar information.

Information contained in documents such as driver’s license, identity card, residence, passport, attorney’s ID, marriage certificate, which clearly belong to an identified or identifiable natural person and are included in the data recording system.

Identity Information

E-mail address, telephone number, address, IP address and similar information

Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system and is used to communicate with the person.

Communication information

Location data obtained during the use of company vehicles

Data that clearly belongs to an identified or identifiable natural person and is included in the data recording system and serves to determine the location of the data owner.

Location Data

Identity information, contact information, professional, educational information and similar information about the personal data owner’s children, spouses

Information about the family members and relatives of the personal data owner, which clearly belongs to an identified or identifiable natural person and is included in the data recording system, and is processed in order to protect the legal interests of the relevant company and the data owner.

Family Members and Relative Information

Entry and exit logs, visit information, camera recordings and similar information

Personal data regarding records and documents clearly belonging to an identified or identifiable natural person and included in the data recording system, taken upon entering the physical location and during the stay in the physical location.

Physical Location Security Information

Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship that OUR COMPANY has established with the personal data owner, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information.

Personal data within the scope of information, documents and records that clearly belong to an identified or identifiable natural person and are included in the data recording system and show all kinds of financial results created according to the type of legal relationship existing with the personal data owner.

Financial Information

All kinds of information and documents that are required to be included in the personnel file by law; Salary amount, SSI premiums, payrolls and similar information

Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system and is the basis for the formation of employees’ personal rights.

Personal Information

CV, interview notes, personality test results and similar information

To apply for a job in our Company, which is clearly belonging to an identified or identifiable natural person and is included in the data recording system