Our measures against Covid-19 Details - Healthy Tourism Certificate Click
×
BEST PRICE
GUARANTEE
+90 384 219 30 01
Checkin
--
Checkout
--
Adult
Child
#

Privacy Policy

This policy, prepared within the scope of the protection of personal data, has been prepared for use throughout our company, which is named below.

Our company;

NBA Consulting Type. Foreign Trade and Comm. Inc.

Protection of personal data is among the most important priorities of our company. The most important pillar of this issue is managed by this Policy; The protection and processing of personal data of our customers, guests, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties. The activities carried out by our Company regarding the protection of the personal data of our employees are managed under the Company Employees Personal Data Protection and Processing Policy, which was written in parallel with the principles in this Policy.

According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a constitutional right, the Company is governed by this Policy; pays due attention to the protection of the personal data of its customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions with which it cooperates, and third parties, and makes this a company policy.

In this context, necessary administrative and technical measures are taken by the shareholders of the Company within the borders of the Republic of Turkey for the protection of personal data processed in accordance with the relevant legislation.

In this Policy, detailed explanations will be made regarding the basic principles adopted by our company in the processing of personal data and listed below:

  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, limited and measured,
  • Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed.

don't,

  • Enlightening and informing personal data owners,
  • Establishing the necessary system for personal data owners to exercise their rights,
  • To take the necessary measures in the protection of personal data,
  • To act in accordance with the relevant legislation and KVK Board regulations in the transfer of personal data to third parties in line with the requirements of the processing purpose,
  • Showing the necessary sensitivity to the processing and protection of sensitive personal data.

1.2. PURPOSE OF THE POLICY

The main purpose of this Policy is to make explanations about the personal data processing activity carried out by our company in accordance with the law and the systems adopted for the protection of personal data, in this context.

To ensure transparency by informing the people whose personal data are processed by our company, especially our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.

1.3 KAPSAM

This Policy; all personal data of our customers, potential customers, employees, candidate employees, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties that are processed automatically or non-automatically provided that they are part of any data recording system. is related.

2

The scope of application of this Policy regarding the personal data owners groups in the above-mentioned categories may be the whole of the Policy (for example, our active customers who are also visitors); may also have only some provisions (eg, our visitors only).

1.4 IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force on the processing and protection of personal data will primarily be applied to our company structure. In case of inconsistency between the current legislation and the Policy, our Company accepts that the current legislation and law will be valid.

The policy is formed by embodying and arranging the rules set forth by the relevant legislation within the scope of our Company's practices. Our company carries out the necessary systems and preparations to act in accordance with the effective periods stipulated in the KVK Law.

1.5 ENFORCEMENT OF THE POLICY

This Policy, issued by our company, was created on 4.6.2018 and was revised on 11.06.2019 within the framework of our changing business processes and compliance with 6698 laws and entered into force as version 1.1. In case of renewal of all or certain articles of the Policy, the effective date of the Policy will be updated.

The policy is published on our company's website and in all affiliated businesses and facilities and is made available to the relevant persons upon the request of personal data owners.

  • MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, our company has taken the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data. It has security audits and cyber security audits done with domestic audit purchases.

2.1. ENSURING THE SECURITY OF PERSONAL DATA

2.1.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data Our company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law.

  • Technical Measures Taken to Ensure the Legal Processing of Personal Data The main technical measures taken by our company to ensure the legal processing of personal data are listed below:
    • Personal data processing activities carried out within our company are audited.
    • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
    • In technical matters, the servers containing personal data within our company are in a single lotion, and necessary security measures have been taken on the computers and data entry computers of all our employees. This makes the data easier to manage and secure.
  • Administrative Measures Taken to Ensure Legal Processing of Personal Data The main administrative measures taken by our company to ensure the legal processing of personal data are listed below:
    • Employees are informed and trained about the law of protection of personal data and the processing of personal data in accordance with the law.
    • All activities carried out by our company are analyzed in detail specific to all business units, and as a result of this analysis, personal data processing activities specific to the commercial activities carried out by the relevant business units are revealed.

3

  • Personal data processing activities carried out by our company's business units; The requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions required by the Law No. 6698 and GDPR compliance are determined by each business unit and the detailed activity it carries out.
  • In order to meet the legal compliance requirements determined on the basis of our business units, awareness is created specific to the relevant business units and the rules of practice are determined; Necessary administrative measures are implemented through internal policies and trainings to ensure the control of these issues and the continuity of implementation.
  • Contracts and documents governing the legal relationship between our Company and employees, except for the Company's instructions and the exceptions made by law, include records that impose the obligation not to process, disclose or use personal data, and raise awareness of employees on this issue and carry out audits.

2.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the imprudent or unauthorized disclosure, access, transfer or any other unlawful access to personal data.

  • Technical Measures Taken to Prevent Unlawful Access to Personal Data The main technical measures taken by our company to prevent unlawful access to personal data are given below.
    • Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
    • The technical measures taken are periodically reported to the relevant person in accordance with the internal control mechanism, the issues posing a risk are re-evaluated and the necessary technological solution is produced.
    • Software and hardware including virus protection systems and firewalls are installed.
    • All data management is centralized.
    • Employees are trained on technical measures to be taken to prevent unlawful access to personal data.
    • Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.

are listed as:

  • Technical measures are taken in line with the developments in technology, the measures taken are updated and renewed periodically.
    • Administrative Measures Taken to Prevent Unlawful Access to Personal Data The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:
  • Employees are informed that the personal data they have learned cannot be disclosed to others in violation of the provisions of the KVK Law and GDPR, and that they cannot use it for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
    • Technical Measures Taken for Storing Personal Data in Secure Environments The main technical measures taken by our company to store personal data in secure environments are listed below:
  • 4

    • Administrative Measures Taken for the Storage of Personal Data in Secure Environments The main administrative measures taken by our company to store personal data in secure environments are listed below:

    2.1.4. Inspection of Measures Taken for the Protection of Personal Data Our company carries out or has had it done, in accordance with Article 12 of the KVK Law. The results of these audits are reported to the relevant department within the scope of the internal operation of the Company and necessary activities are carried out to improve the measures taken.

    2.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data Our company operates the system that ensures that the personal data processed in accordance with Article 12 of the KVK Law is obtained by others illegally, and that this situation is notified to the relevant personal data owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method.

    2.2. FOLLOWING THE RIGHTS OF THE DATA SUBJECT

    Creating channels to convey these rights to our company and evaluating the requests of data owners;

    Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVK Law in order to evaluate the rights of the personal data owners and to provide the necessary information to the personal data owners.

    If personal data owners submit their requests regarding their rights listed below in writing to our Company, our Company concludes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the KVK Board will be charged by our Company. Personal data owners;

    • Learning whether personal data is processed or not,
    • If personal data has been processed, requesting information about it,
    • Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
    • Knowing the third parties to whom personal data is transferred at home or abroad,
    • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
    • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
    • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
    • In case of loss due to unlawful processing of personal data, it has the right to request compensation for the damage. More detailed information on the rights of data subjects is given in Section 10 of this Policy.

    5

    2.3. PROTECTION OF PRIVATE PERSONAL DATA

    With the KVK Law, special importance is attached to certain personal data due to the risk of causing victimization or discrimination in case of unlawful processing.

    These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

    Our company acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and necessary audits are provided within our company.

    Detailed information on the processing of special categories of personal data is given in Section 3 of this Policy.

    2.4. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

    Our company provides necessary trainings to business units in order to prevent illegal processing of personal data, illegal access to data, and to raise awareness about data protection.

    Necessary systems are established in our company and all other branches to raise awareness of the current employees of the business units and the new employees of the business unit about the protection of personal data, and if necessary, professional people are worked with.

    2.5. RAISING AWARENESS AND SUPERVISION OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

    Our company provides trainings and seminars for business partners in order to prevent the illegal processing of personal data, to prevent illegal access to data and to raise awareness about data protection.

    Necessary systems are established to raise the awareness of our company's current employees and employees who have just joined the business unit on the protection of personal data, and if necessary, professional people are worked with.

    6

    All activities carried out to raise awareness of our company's business partners on the protection and processing of personal data are reported to our Company's management and shareholders. In this direction, our company applies Supplier confidentiality agreements to all its business partners and ensures its sensitivity in the Protection of Personal Data with its business partners in accordance with the relevant contractual articles.

    Our company, in accordance with Article 4 of the KVK Law, regarding the processing of personal data; in accordance with the law and the rules of honesty; accurate and up-to-date where necessary; for specific, clear and legitimate purposes; engages in personal data processing activities in a connected, limited and measured manner for this purpose. Our company preserves personal data for as long as required by law or for the purpose of processing personal data.

    Our company processes personal data in accordance with Article 5 of the KVK Law, based on one or more of the conditions in Article 5 of the KVK Law regarding the processing of personal data.

    Our company informs the personal data owners in accordance with Article 10 of the KVK Law and provides the necessary information in case personal data owners request information.

    Our company acts in accordance with the regulations stipulated for the processing of personal data of special nature in accordance with Article 6 of the KVK Law.

    Our company acts in accordance with the regulations stipulated in the law and set forth by the KVK Board on the transfer of personal data in accordance with the 8th and 9th articles of the KVK Law.

    • MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

    3.1. PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES OFFERED IN THE LEGISLATION

    3.1.1. Processing in Compliance with Law and Integrity

    Our company; acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data, and does not use personal data other than as required for the purpose.

    3.1.2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

    Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests. It takes the necessary measures in this direction. For example, by our Company; A system has been established for personal data owners to correct their personal data and confirm its accuracy. Detailed information on this subject is given in Chapter 10 of this Policy.

    3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

    Our company clearly and precisely determines the purpose of processing personal data, which is legitimate and lawful. Our company processes personal data as much as is necessary for and in connection with the service it provides. The purpose for which personal data will be processed by our company is set out before the personal data processing activity begins.

    7

    3.1.4. Being Related to the Purpose for which they are Processed, Limited and Measured

    Our company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or that is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.

    3.1.5. Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation

    Our company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons for its processing disappear. Personal data is not stored by our Company in case of future use. Detailed information on this subject is given in Chapter 9 of this Policy.

    3.2. PROCESSING PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS STATED IN ARTICLE 5 OF THE KVK LAW AND LIMITED TO THESE TERMS

    Protection of personal data is a constitutional right. Fundamental rights and freedoms can only be limited by law, without prejudice to their essence, depending on the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Our company in this direction and in accordance with the Constitution; processes personal data only in cases stipulated by law or with the explicit consent of the person. Detailed information on this subject is given in Chapter 7 of this Policy.

    3.3. INFORMING AND INFORMING THE PERSONAL DATA OWNER

    Our company informs the personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, it clarifies the identity of our company and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. Detailed information on this subject is given in Chapter 10 of this Policy.

    Article 20 of the Constitution states that everyone has the right to be informed about their personal data. Accordingly, in Article 11 of the KVK Law, "requesting information" is also listed among the rights of the personal data owner. In this context, our company provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law. Detailed information on this subject is given in Chapter 10 of this Policy.

    3.4. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

    Our company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as "special quality" by the KVK Law.

    In Article 6 of the KVK Law, certain personal data that carry the risk of causing victimization or discrimination when processed unlawfully are defined as "special quality". These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

    By our Company in accordance with the KVK Law; Special categories of personal data are processed in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

    • If the personal data owner has express consent, or
    • If the personal data owner does not have express consent;

    8

    – Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,

    – Special categories of personal data regarding the health and sexual life of the personal data owner are only processed by persons or authorized institutions and organizations that are under the obligation of keeping secrets for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services.

    - The highest level of precautions have been taken within the company for the processing and recording of sensitive data, and the data is destroyed as soon as the process is completed, regardless of the destruction period.

    3.5. TRANSFERRING PERSONAL DATA

    • Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, business partners, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the KVK Law. Detailed information on this subject is given in Chapter 6 of this Policy.

    3.5.1. Transfer of Personal Data

    In line with the legitimate and lawful personal data processing purposes, our company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below, and on a limited basis:

    • If the personal data owner has express consent;
    • If there is a clear regulation in the law regarding the transfer of personal data,
    • If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;
    • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
    • If personal data transfer is necessary for our company to fulfill its legal obligation,
    • If the personal data has been made public by the personal data owner,
    • If personal data transfer is necessary for the establishment, exercise or protection of a right,
    • If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

    3.5.2. Transfer of Private Personal Data

    Our company, by showing the necessary care, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In accordance with the legitimate and lawful personal data processing purposes, the personal data owner may transfer the sensitive data of the personal data owner to third parties in the following cases.

    • If the personal data owner has express consent, or
    • If the personal data owner does not have express consent;

    – Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, criminal conviction and security measures data and biometric and genetic data), in cases stipulated by law,

    - Special quality personal data related to the health and sexual life of the personal data owner is only valid for public health.

    by persons or authorized institutions and organizations that are under the obligation of secrecy for the purpose of protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

    3.6. TRANSFERRING PERSONAL DATA ABROAD

    9

    Our company does not transfer personal data abroad for the purposes of processing personal data in accordance with the law, except for the special cases specified in Articles 3.6.1 and 3.6.2. Accordingly, our company acts in accordance with the regulations stipulated in Article 9 of the KVK Law. Detailed information on this subject is given in Chapter 6 of this Policy.

    3.6.1. Transfer of Personal Data Abroad

    In line with the legitimate and lawful personal data processing purposes, our company can transfer the personal data to Foreign Countries with Sufficient Protection or Where the Data Controller Undertakes Sufficient Protection, if there is explicit consent of the personal data owner or if there is no explicit consent of the personal data owner, in the presence of one of the following conditions:

    • If there is a clear regulation in the law regarding the transfer of personal data,
    • If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;
    • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
    • If personal data transfer is necessary for our company to fulfill its legal obligation,
    • If the personal data has been made public by the personal data owner,
    • If personal data transfer is necessary for the establishment, exercise or protection of a right,
    • If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

    3.6.2. Transfer of Private Personal Data Abroad

    Our company does not transfer data of special nature to abroad, except in the following cases.

    While not transferring data of special nature to individuals, by showing the necessary care when necessary, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board;

    In line with the legitimate and lawful personal data processing purposes, the personal data owner may transfer the sensitive data of the personal data owner to the Foreign Countries where the Data Controller has Sufficient Protection or Undertakes Sufficient Protection in the following cases.

    • If the personal data owner has express consent, or
    • If the personal data owner does not have express consent;

    – Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, criminal conviction and security measures data and biometric and genetic data), in cases stipulated by law,

    -Special quality personal data regarding the health and sexual life of the personal data owner can only be

    within the scope of processing by persons or authorized institutions and organizations under the obligation of secrecy, for the purpose of protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

    4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSE OF PROCESSING AND STORAGE PERIOD

    Our company notifies the personal data owner of which personal data owner groups process their personal data, the purposes of processing the personal data of the personal data owner and the storage periods within the scope of the disclosure obligation in accordance with Article 10 of the KVK Law.

    10

    4.1. CATEGORIZATION OF PERSONAL DATA

    Before our company, by informing the relevant persons pursuant to Article 10 of the KVK Law, in line with the legitimate and lawful personal data processing purposes of our Company, based on and limited to one or more of the personal data processing conditions specified in the 5th article of the KVK Law, primarily the personal data in the KVK Law. Personal data in the following categories are processed within the scope of this Policy, by complying with the general principles specified in the KVK Law, including the principles specified in Article 4 regarding the processing of data, and all obligations set forth in the KVK Law. It is also stated in Section 5 of this Policy that the personal data processed in these categories are related to which data Owners regulated within the scope of this Policy.

    PERSONAL DATA

    PERSONAL DATA CATEGORY EXPLANATION

    Clearly belonging to an identified or identifiable natural person;

    partially or fully automatically or as part of a data recording system

    processed non-automatically; Driver's License, Identity Card, Residence,

    Credentials

    All documents such as Passport, Attorney's ID, Marriage Certificate

    informations.

    Clearly belonging to an identified or identifiable natural person;

    partially or fully automatically or as part of a data recording system

    Communication information

    processed non-automatically; such as phone number, address, e-mail

    informations.

    Clearly belonging to an identified or identifiable natural person;

    partially or fully automatically or as part of a data recording system

    processed non-automatically; personal data of the owner's product and

    during the use of our services or in cooperation with our employees.

    Location Data

    While using the tools of our company, the employees of the institutions we are

    information identifying the location of its location.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed in a non-automatic manner; our commercial activities and this

    customeror

    Guest

    As a result of the operations carried out by our business units, the contact person

    information

    information obtained and produced about

    Clearly belonging to an identified or identifiable natural person

    and in the data recording system; about the products and services we offer

    or personal data in order to protect the legal interests of the Company and the data subject.

    FamilyIndividualsand

    Near

    information about family members and relatives of the data subject.

    information

    Clearly belonging to an identified or identifiable natural person

    and in the data recording system; use of our products and services

    necessary for the customer's use of products and services.

    Customer Transaction Information

    information such as instructions and requests.

    Clearly belonging to an identified or identifiable natural person

    and in the data recording system; physical space entry

    11

    Physical Space Security

    personal records and documents taken during the stay in the venue.

    information

    data.

    Clearly belonging to an identified or identifiable natural person

    and in the data recording system; while conducting our business activities

    Transaction Security Information

    personal data processed to ensure our technical, administrative, legal and commercial security.

    your data

    Clearly belonging to an identified or identifiable natural person

    and in the data recording system;

    commercial,

    our technical and administrative risks

    generally accepted legal, commercial practices and practices in these fields so that we can manage

    Risk Management Information

    that can be processed through the methods used in accordance with the honesty rule.

    personal data.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; with the personal data owner of our company

    all kinds of financial results created according to the type of legal relationship it has established.

    Financial Information

    Personal data processed regarding information, documents and records showing

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; with our employees or our Company

    to the formation of personal rights of real persons who are in a working relationship

    Personal Information

    Any personal data processed for obtaining essential information.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; with our employees or our company

    Every work-related action performed by real persons in a working relationship

    Employee Process Information and

    Personal data processed for any kind of transaction.

    Employee Candidate Information

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically;

    To become an employee of our company

    applied or in accordance with trade and honesty rules

    As an employee candidate in line with the human resources needs of our company

    with individuals who have been evaluated or who have a working relationship with our Company

    relevant processed personal data.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; with our employees or our Company

    by measuring the performance of real persons in a working relationship

    Employee Performance and

    careerdevelopments within the scope of our company's human resources policy

    Career Development Information

    Personal data processed for the purpose of planning and execution.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed in a non-automatic manner; to Employees or to our Company

    that we offer to other natural persons in a working relationship, and

    of the fringe benefits and benefits we will offer

    planning, these

    12

    Benefits and Benefits

    Determination of objective criteria related to earnings and follow-up of progress towards them

    information

    your personal data processed by the job.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; our legal claims and rights

    determination, follow-up and fulfillment of our debts and our legal obligations and

    Legal Process and Compliance

    Your personal data processed within the scope of compliance with our company's policies.

    information

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; Legal obligations of our company

    Audit and Inspection Information

    and your personal data processed within the scope of compliance with company policies.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    Special Qualified Personal Data

    processed as non-automatically; 6th of Law No. 6698

    data specified in the article.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    processed non-automatically; personal data of our products and services

    in line with the owner's habits, tastes and needs

    Personal data processed for the purpose of privatization and marketing, and

    Marketing Information

    reports and evaluations created as a result of these processing results.

    Clearly belonging to an identified or identifiable natural person,

    partially or fully automatically or as part of a data recording system

    Request/Complaint Management

    processed non-automatically; Anything directed at our company

    information

    personal information regarding the receipt and evaluation of any request or complaint.

    data

    13

    4.2. PURPOSE OF PROCESSING PERSONAL DATA

    According to the categorization prepared by our company, the upper purposes for the processing of Personal Data are shared below:

    • To carry out the necessary work by our relevant business units for the realization of the commercial activities carried out by our company and to carry out the related business processes,
    • Planning and execution of our company's commercial and/or business strategies,
    • Carrying out the necessary work by our business units and executing the relevant processes in order to benefit the relevant people from the products and services offered by our company,
    • Planning and execution of our company's human resources policies and processes,
    • Ensuring the legal, technical and commercial job security of the persons who have a business relationship with our company.
    • Compliance and legal requirements
      • Analysis and planning of processes in public and private tenders
        • In tenders, exploration and market research within the scope of project evaluation
      • Planning and Execution of Corporate Communication Activities
      • Planning and Execution of Information Security Processes
      • Establishment and Management of Information Technologies Infrastructure
      • Planning and Execution of Business Partners and/or Suppliers' Access Authorizations to Information and Facilities
      • Planning and Execution of Benefits and Benefits to Supplier and/or Business Partner Employees
      • Follow-up of Finance and/or Accounting Affairs
      • Management of Relationships with Business Partners and/or Suppliers
      • Planning and Execution of Sales Processes of Products and/or Services
      • Carrying out Activities for the Determination of the Financial Risks of the Customers
      • Follow-up of Contract Processes and/or Legal Requests
      • Follow-up of Customer Requests and/or Complaints
      • Planning of Human Resources Processes
      • Execution of Personnel Supply Processes
      • Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services
      • Legal Payroll Process
      • Planning and Execution of Marketing Processes of Products and/or Services
      • Follow-up of Legal Affairs
      • Planning and Execution of Operational Activities Necessary for Ensuring the Conduct of Company Activities in Compliance with Company Procedures and/or Relevant Legislation
      • Collection of Entry and Exit Records of Business Partner/Supplier Employees
      • Creating and Tracking Visitor Records
      • Planning and Execution of Company Audit Activities
      • Planning and/or Execution of Occupational Health and/or Safety Processes
      • Management and/or Supervision of Relationships with Affiliates
      • Ensuring the Security of Company Assets and/or Resources
      • Planning and/or Execution of Company Financial Risk Processes

    The data processing purposes within the scope of the above listed above are as follows:

    14

    In order to process personal data within the scope of personal data processing purposes other than the situations mentioned above, our Company seeks the express consent of personal data owners; The following personal data processing activities by the relevant business units are carried out with the express consent of the personal data owners. In this context; In the absence of the above-mentioned conditions, personal data processing purposes for which the express consent of personal data owners is sought;

    • Planning and Execution of Business Partners and/or Suppliers' Access Authorizations to Information and Facilities
    • Management of Relationships with Business Partners and/or Suppliers
    • Planning and Execution of Sales Processes of Products and/or Services
    • Planning and Execution of Customer Relationship Management Processes
    • Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services
    • Planning and/or Execution of the Processes of Establishing and/or Increasing Loyalty to the Products and/or Services Offered by the Company
    • Planning and Execution of Marketing Processes of Products and/or Services
    • Planning and Execution of Operational Activities Necessary for Ensuring the Conduct of Company Activities in Compliance with Company Procedures and/or Relevant Legislation
    • Collection of Entry and Exit Records of Business Partner/Supplier Employees
    • Planning and Execution of Company Audit Activities
    • It can be listed as Ensuring the Security of Company Campuses and/or Facilities.

    4.3. PERSONAL DATA STORAGE PERIOD

    Our company keeps personal data for the period specified in these legislations, if it is stipulated in the relevant laws and regulations.

    If the legislation regarding how long personal data should be stored is not regulated for a period of time, personal data is processed for a period of time that requires it to be processed in accordance with our Company's practices and commercial life practices, depending on the services our company provides while processing that data, and then it is deleted, destroyed or anonymized. Detailed information on this subject is given in Chapter 9 of this Policy.

    The purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and the company have come to an end; Personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. Despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the terms herein, retention periods are determined based on the examples in the previous requests made to our Company on the same issues. In this case, the stored personal data is not accessed for any other purpose, and only when necessary to use it in the relevant legal dispute, access to the relevant personal data is provided. Here, too, personal data is deleted after the aforementioned period expires,

    • CATEGORIZATION OF THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY

    Although the personal data of the following categories of personal data subjects are processed by our company, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.

    15

    Protection and processing of personal data of our employees will be evaluated under the Personal Data Protection and Processing Policy of our company employees.

    Although the categories of persons whose personal data are processed by our company are within the scope specified above, persons outside of these categories may also direct their requests to our Company within the scope of the KVK Law; requests of these persons will also be evaluated within the scope of this Policy.

    The concepts of customer, potential customer, visitor, employee candidate, shareholder and board member, natural persons in the institutions we cooperate with, and third parties related to these persons, which are within the scope of this Policy, are explained below.

    Personal data Category

    Explanation

    Does not have any contractual relationship with our company

    Customer

    using the products and services offered by our Company, regardless of

    or legal entities that have used

    Requested or interested in using our products and services, or

    Potential Customer

    in accordance with the rules of commercial practice and honesty that may have this interest.

    legal entities considered as

    Those who entered the physical campuses owned by our company for various purposes,

    Visitor

    or natural persons or legal entities visiting our websites

    Commercial transaction between our company and the abovementioned parties

    to ensure their safety or to protect the rights of said persons, and

    Third Party

    third party real person who is related to these persons in order to obtain benefits

    persons (e.g. Guarantor, Companion, Family Members and relatives) or this policy and

    Our Company's Employees Personal Data Protection and Processing Policy

    other natural persons not included in the scope

    Have applied for a job in our company by any means or have a CV

    Employee Candidate

    and natural persons who have opened their relevant information to our company's inspection.

    Company Shareholder

    Our company's shareholders are natural persons and Legal Persons

    Company official

    Member of our company's board of directors and other authorized real persons

    In Collaboration

    In institutions with which our company has all kinds of business relations (business partner,

    Institutions We Are

    such as, but not limited to, suppliers)

    Employees, Shareholders

    natural persons, including shareholders and officials

    and Officials

    The following table details the above-mentioned categories of personal data owners and the types of personal data that are processed by the persons in these categories.

    PERSONAL DATA

    DATA OWNER WITH RELATED PERSONAL DATA

    CATEGORIZATION

    CATEGORY

    Credentials

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    Communication information

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    Location Data

    Customer,

    Worker,

    Institutions We Collaborate With

    Employees

    Customer information

    Customer

    Family Members and Close

    Customer,

    Visitor,

    Employee Candidate,Third Person,Collaborative

    information

    Employees, Shareholders and Officials of the Institutions We Are

    Customer Transaction Information

    Customer

    16

    Physical Space Security

    Visitors, Company Officials, Institutions We Collaborate With

    information

    Employees, Shareholders and Officials

    Transaction Security Information

    Customer, Visitor, Third Party, Company Officials, Collaborating

    Employees, Shareholders and Officials of the Institutions We Are

    Risk Management Information

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    Financial Information

    Customer,Employee,Shareholder,Company Officer,Company

    Shareholders, Employees of the Institutions We Collaborate with,

    Shareholders and Officials

    Personal Information

    Employees, Shareholders of the Institutions We Collaborate with and

    Officials

    Employee Candidate Information

    Employee Candidate, Employees of the Institutions We Collaborate With

    Employee Process Information

    Employees of Institutions We Collaborate With

    Employee Performance and

    Employees of Institutions We Collaborate With

    Career Development Information

    Benefits and Benefits

    Employees of Institutions We Collaborate With

    information

    Legal Action and Compliance

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    information

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    Audit and Inspection Information

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    Special Qualified Personal Data

    Customer, Employee Candidate, Company Shareholder, Company Official, Collaboration

    Employees, Shareholders and Officials of the Institutions We Are In

    Marketing Information

    Customer, Potential Customer

    Request/Complaint Management

    Customer, Potential Customer, Employee Candidate, Company Shareholder, Company

    information

    Officials, Visitors, Employees of the Institutions We Collaborate with,

    Shareholders and Officials, Third Party

    • THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY OUR COMPANY

    AND INTENDED TRANSFER

    Our company notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the KVK Law.

    In accordance with Articles 8 and 9 of the KVK Law (See Section 3/Title 3.5), our company may transfer the personal data of customers to the following categories of persons:

    • To our business partners,
    • Our company's suppliers,
    • To the affiliates of our company,
    • To Our Company's Shareholders,
    • Legally Authorized public institutions and organizations,
    • Legally authorized private legal persons.

    The scope of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below.

    17

    Data transfer

    Definition

    Data Transfer Purpose

    To-do contacts

    Our company's commercial activities

    Attributing only legal requirement

    our company's products and

    business partnership within the scope of transactions

    sales, promotion and

    fulfillment of its founding objectives.

    marketing, after-sales support,

    limited to providing

    joint customer loyalty programs

    limited as legal requirement, for example

    Business partner

    business partnership for purposes such as conducting

    to the relevant banks for collection transactions

    identifies its parties.

    nervously,

    Our company's commercial activities

    Our company is outsourced from the supplier

    while executing our Company's orders and

    provided by our Company as a commercial

    contract in accordance with the instructions

    necessary to carry out its activities

    supplier

    service to our company

    the provision of services to our Company

    identifies the offering parties.

    in order to provide limited

    Our participation

    with the company of which our company is a shareholder

    The participation of our company's affiliates

    business activities that require

    limited to ensuring

    aspect

    Our Shareholders

    According to the provisions of the relevant legislation

    According to the provisions of the relevant legislation

    Regarding our company's commercial activities

    Regarding our company's commercial activities

    strategies and control

    strategy design and control

    designing activities

    limited to the purposes

    authorized to

    our shareholders

    Legally Authorized

    According to the provisions of the relevant legislation

    Relevant public institutions and organizations

    Public Institution and

    To obtain information and documents from our company

    requested within its legal authority.

    Organizations

    authorized public institutions and organizations

    limited to the purpose

    Legally Authorized Private

    According to the provisions of the relevant legislation

    Legal authority of the relevant private legal persons

    Legal Persons

    To obtain information and documents from our company

    limited to the purpose requested within

    authorized private law persons

    aspect

    In the transfers made by our company, we act in accordance with the issues regulated in the 2nd and 3rd Sections of the Policy.

    • PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS LAW

    Our company informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVK Law.

    7.1. PROCESSING PERSONAL DATA AND SPECIAL QUALITY PERSONAL DATA

    7.1.1. Processing of Personal Data

    The express consent of the personal data owner is only one of the legal bases that makes it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity can be only one of the conditions stated below, or more than one of these conditions can be the basis of the same personal data processing activity. In case the processed data is special quality personal data; 7.1.2 under this section below. The conditions in the title apply.

    Although the legal grounds for the processing of personal data by our company differ, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the Law No. 6698 (See Section 3.1.).

    18

    A - Explicit Consent of the Personal Data Owner

    One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will.

    Personal data processing activities (secondary processing) other than the purpose of processing (primary processing) for the reasons for obtaining personal data are listed in (ii), (iii), (iv) (v), (vi) and (vii) of this title. at least one of the conditions is sought; If one of these conditions is not met, these personal data processing activities are carried out by our Company based on the express consent of the personal data owner for these processing activities.

    For the processing of personal data subject to the express consent of the personal data owner, explicit consent is obtained from the supplier, potential customers, customers and visitors, using the relevant methods. .

    B - Explicitly Provided in Laws

    The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.

    C - Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility

    The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.

    Example: Giving the blood group information of the unconscious visitor to the doctors by his friends.

    D - Direct Concern with the Establishment or Performance of the Contract

    Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.

    Example: Collection of employee information in order to fulfill the legal obligation as per the Labor Law

    E - Fulfilling the Legal Obligation of the Company

    Personal data of the data subject may be processed if the processing is necessary for our company to fulfill its legal obligations as a data controller.

    Example: Submission of information requested by court order to the court.

    F- Making Personal Data Public by the Personal Data Owner

    If the data owner has made his personal data public by himself, the relevant personal data may be processed.

    Example: This data of a person who states that he wants to buy a car with certain features on a website and writes his phone number can now be processed without his explicit consent, limited to this scope. In this context, people who want to sell the car with the relevant feature will be able to reach the relevant person without the need for any consent.

    G - Mandatory Data Processing for the Establishment or Protection of a Right

    19

    If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

    Example: Storing the evidential data (sales contract, invoice) and using it when necessary.

    H - Obligatory Data Processing for the Legitimate Interest of Our Company

    Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

    Example: Processing of personal data by Accounting for the purpose of making internal calculations.

    7.1.2. Processing of Private Personal Data

    By our company; If the personal data owner does not have the express consent of the personal data owner, sensitive personal data is processed in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

    • Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,
    • Persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, the planning and management of health services and their financing. by.
    • WEBSITE VISITORS BY BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING ACTIVITIES IN THE BUILDING FACILITY

    Personal data processing activities carried out by our company at the entrance of the building and within the facility are carried out in accordance with the Constitution, the KVK Law and other relevant legislation.

    In order to ensure security, our company carries out personal data processing activities for monitoring the entrance and exit of guests with security cameras in our company's buildings and facilities.

    Personal data processing is carried out by our Company by using security cameras and recording guest entries and exits.

    In this context, our company acts in accordance with the KVK Law and other relevant legislation.

    is doing.

    8.1. MONITORING ACTIVITY WITH CAMERA IN AND AT BUILDING AND FACILITY ENTRANCES

    In this section, explanations will be made about the camera monitoring system of our Company and information will be given on how personal data, privacy and fundamental rights of individuals are protected.

    Our company, within the scope of monitoring with security cameras; It aims to increase the quality of the service provided, to ensure its reliability, to ensure the safety of the company, visitors, employees and other persons, and to protect their legitimate interests.

    20

    8.1.1. Legal Basis for Surveillance Activity

    The camera monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and the relevant legislation.

    8.1.2. Carrying out Surveillance Activities with Security Cameras According to KVK Law

    Our company acts in accordance with the regulations in the KVK Law in the execution of camera surveillance for security purposes.

    Our company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes stipulated in the laws and in accordance with the personal data processing conditions listed in the KVK Law.

    8.1.3. Announcement of Monitoring Activity with Camera

    10 of the KVKK Law by our company.

    in accordance with the article,

    personal data owner

    It is illuminated.

    In addition to the clarification on general issues (See Section 3/Title 3.3), our company notifies with multiple methods regarding the camera monitoring activity in accordance with the regulations in the EU and within the scope of GDPR.

    Thus, it is aimed to prevent harming the fundamental rights and freedoms of the personal data owner, to ensure transparency and to enlighten the personal data owner.

    For the camera monitoring activity by our company; This Policy is published on the website of our company (online policy regulation) and a notification letter stating that monitoring will be carried out is posted at the entrances of the areas where monitoring is performed (on-site lighting).

    8.1.4. Purpose and Purpose of Surveillance with Cameras

    Our company processes personal data in a limited and measured manner in connection with the purpose for which they are processed, in accordance with Article 4 of the KVK Law.

    The purpose of maintaining the video camera monitoring activity by our company is limited to the purposes listed in this Policy. In this direction, the monitoring areas, the number of security cameras and when they will be monitored are implemented as sufficient to achieve the security purpose and in a limited manner for this purpose. Areas that may result in interference with the privacy of the person exceeding the security objectives (for example, toilets) are not subject to monitoring.

    8.1.5. Ensuring the Security of Obtained Data

    In accordance with Article 12 of the KVK Law, our company takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring. (See Chapter 2/Title 2.1)

    8.1.6. Retention Period of Personal Data Obtained by Camera Monitoring Activity

    For detailed information on the retention period of personal data obtained by our company through camera monitoring, please see section 4.3 of this Policy, titled Personal Data Retention Periods. included in the article.

    21

    8.1.7. Who Has Access to the Information Obtained as a Result of Monitoring and To Whom This Information is Transferred

    Only a limited number of company employees have access to the records recorded and preserved in the digital environment, with the approval of the management. Live camera images, on the other hand, can be watched by security missions. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.

    8.2. FOLLOW-UP OF GUEST ENTRANCES AND EXITS EXECUTED AT AND IN THE BUILDING AND FACILITY ENTRANCES

    These personal data owners are enlightened in this context through texts posted by the company or made available to visitors in other ways. It is processed for the purpose of tracking visitor entry-exit and providing security only, and the relevant personal data is recorded in the data recording system in the physical environment.

    8.3. STORAGE OF RECORDS REGARDING THE INTERNET ACCESS PROVIDED TO OUR VISITORS AND GUESTS IN THE BUILDINGS AND FACILITIES

    To ensure security by our company and for the purposes specified in this Policy; Internet access can be provided by our Company to our Visitors who request it during their stay in our Building. In this case, the log records of your internet access are recorded in accordance with the Law No. 5651 and the provisions of the legislation arranged according to this Law; These records are only processed when requested by authorized public institutions and organizations or to fulfill our legal obligations in the audit processes to be carried out within the Company.

    Only a limited number of employees of our company and the IT unit in our center have access to the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations, and share them with legally authorized persons. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.

    8.4. WEBSITE VISITORS

    On our company website; to ensure that the visitors of this site perform their visits on the site in accordance with the purposes of their visit; Although it can show them customized content and engage in online advertising activities, it does not record their internet activity by technical means.

    • SECTION 9 – CONDITIONS FOR DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

    Although our company has been processed in accordance with the provisions of the relevant law as regulated in article 138 of the Turkish Penal Code and article 7 of the KVK Law, in the event that the reasons requiring processing are eliminated, personal data is deleted upon our company's own decision or upon the request of the personal data owner. is made anonymous.

    9.1. OBLIGATION TO DELETE, DESTROY AND ANONYMIZE PERSONAL DATA

    Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, in the event that the reasons requiring processing are eliminated, at our Company's own decision or upon the request of the personal data owner.

    22

    personal data is deleted, destroyed or anonymized. In this context, our Company fulfills its obligations with the methods described in this section.

    9.2. TECHNIQUES FOR DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

    9.2.1. Deletion and Destruction Techniques of Personal Data

    Despite the fact that it has been processed in accordance with the provisions of the relevant law, our company may delete or destroy personal data upon its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. The most commonly used deletion or destruction techniques by our company are listed below:

    • Physical Destruction
    • Secure Deletion Softare
    • Sending to a Specialist for Secure Deletion

    Personal data can also be processed in non-automatic ways, provided that it is part of any data recording system. While such data is being deleted/destroyed, a system of physical destruction of personal data is applied so that it cannot be used later.

    While deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that cannot be recovered again.

    In some cases, our company may hire an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field, in a way that cannot be recovered.

    9.2.2. Techniques to Anonymize Personal Data

    Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated.

    In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law and the explicit consent of the personal data owner will not be sought. Since the personal data processed by anonymization will be outside the scope of the KVK Law, the rights regulated in Section 10 of the Policy will not be valid for this data.

    The most used anonymization techniques by our company are listed below:

    • Masking

    With data masking, it is a method of anonymizing personal data by removing the basic determinant information of personal data from the data set.

    Example: Name, TR Identity Number, etc. that enables the identification of the personal data owner. converting the personal data into a data set where it becomes impossible to identify the owner of the personal data by extracting the information.

    • Aggregation

    23

    With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person.

    Example: Revealing that there are Z number of employees at the age of X without showing the age of the employees one by one.

    • Veri Türetme (Data Derivation)

    With the data derivation method, a more general content than the content of the personal data is created and it is ensured that the personal data cannot be associated with any person.

    Example: Specifying ages instead of birth dates; specifying the area of residence instead of the full address.

    • Veri Karma (Data Shuffling, Permutation)

    With the data mixing method, the values in the personal data set are mixed and the bond between the values and individuals is broken.

    Example: Changing the quality of the sound recordings so that the sounds and the data owner cannot be associated.

    • RIGHTS OF PERSONAL DATA OWNERS; METHODOLOGY FOR THE USE AND ASSESSMENT OF THESE RIGHTS

    Our company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the KVK Law and guides the personal data owner on how to use these rights. It carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with the article.

    10.1 DATA SUBJECT'S RIGHTS AND USE OF THESE RIGHTS

    10.1.1. Rights of Personal Data Owner

    Personal data owners have the following rights:

    • Learning whether personal data is processed or not,
    • If personal data has been processed, requesting information about it,
    • Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
    • Knowing the third parties to whom personal data is transferred at home or abroad,
    • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
    • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

    24

    • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
    • To request the compensation of the damage in case of loss due to unlawful processing of personal data.

    10.1.2. Circumstances in which the Personal Data Owner cannot assert his rights

    Personal data owners cannot claim the rights of personal data owners listed in 10.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law in accordance with Article 28 of the KVK Law:

    • Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
      • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
    • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

    (4) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

    Pursuant to article 28/2 of the KVK Law; In the cases listed below, personal data owners cannot claim their other rights listed in 10.1.1., except for the right to demand the compensation of the damage:

    • Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.

    10.1.3. Exercise of Personal Data Owner's Rights

    Personal data owners, 10.1.1 of this section. They will be able to submit their requests regarding their rights listed under the heading below to our Company free of charge:

    1 - By filling out the petition in which their demands are clearly stated, or by filling out the KVKK Application Form, which can be obtained in our company or on our website, and send the wet signed version with registered return or Notary.

    For OUR COMPANY;

    NBA Consulting Type. Foreign Trade and Comm. Inc.

    Gedik Sok. No: 8 Uchisar NEVSEHIR / TURKEY

    25

    2 - By filling in the KVKK Application Form, which can be obtained from our company, where their demands are clearly stated, or from our official website, and by sending an e-mail to [email protected] of the secure electronic signed form after signing with your "secure electronic signature" within the scope of Electronic Signature Law No. 5070 .

    3 – By filling out the KVKK Application Form to the address where the service is received, by personally applying to the facility where the service is received, with its wet signature.

    It is not possible to make a request by third parties on behalf of personal data owners.

    In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person to apply.

    In the application to be made by the personal data owners to exercise their rights, only the above 2 methods will be used by the Relevant Person (Personal Data Owner) in accordance with the "Law on Protection of Personal Data No. 6698" linked above.

    10.1.4. Personal Data Owner's Right to Complain to the KVK Board

    In cases where the application is rejected in accordance with Article 14 of the KVK Law, the response given is insufficient or the application is not answered in due time; A complaint can be made to the KVK Board within thirty days from the date our company learns of the answer, and in any case within sixty days from the date of application.

    10.2. RESPONDING TO APPLICATIONS WITHIN THE SCOPE OF KVKK AND GDPR

    10.2.1. Our Company's Response Procedure and Time to Applications

    Personal data owner, 10.1.3 of this section. In the event that he/she submits his/her request to our Company in accordance with the procedure in the section titled, our Company will conclude the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.

    However, if the process requires a separate cost, our Company will charge the applicant the fee in the tariff determined by the KVK Board. 10.2.2. Information Our Company May Request from the Applicant Personal Data Owner Our company may request information from the person concerned in order to determine whether the applicant is the owner of personal data.

    Our company may ask questions about the personal data owner's application in order to clarify the issues in the personal data owner's application.

    10.2.3. Our Company's Right to Reject the Application of the Personal Data Owner

    Our company may reject the application of the applicant in the following cases by explaining the reason:

    • Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.

    26

    • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
    • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
    • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
    • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
    • Processing of personal data made public by the personal data owner.
    • Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
    • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
    • The request of the personal data owner is likely to prevent the rights and freedoms of other persons (10) The requests that require disproportionate effort are made.
    • The requested information is publicly available.
    • – THE RELATIONSHIP OF THE COMPANY'S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES

    The basic policies regarding the protection and processing of personal data, which are related to the principles set forth by the company with this Policy, are listed below. By linking these policies with the basic policies of the Company in other areas, harmonization is also ensured between the processes that the Company operates with different policy principles for similar purposes. Some of the policies used within our company are for internal use. It is aimed to reflect the principles of internal policies to the public policies to the extent relevant, to inform the relevant parties in this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Company.

    • COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY GOVERNANCE

    STRUCTURE

    Our company has established a governance structure in order to comply with the regulations of the KVK Law and to ensure the enforcement of the Personal Data Protection and Processing Policy.

    "Personal Data Protection Committee" has been established in accordance with the decision of the Company's senior management to manage this policy and other policies related to and related to this policy (See Section 11) within the company. Duties of this committee are stated below.

    • To prepare the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
    • To decide how to implement and control the policies on the Protection and Processing of Personal Data, and to make internal assignments and ensure coordination within this framework, to submit to the approval of the senior management.
    • To determine the issues that need to be done in order to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and to submit the necessary actions to the approval of the senior management; To monitor and coordinate its implementation.
    • To raise awareness within the Company and the institutions with which the Company cooperates on the Protection and Processing of Personal Data.
    • To determine the risks that may occur in the personal data processing activities of the company and to ensure that the necessary measures are taken; submitting improvement proposals to senior management for approval.
    • To design and implement trainings on the protection of personal data and the implementation of policies.
    • To decide on the applications of personal data owners at the highest level.

    27

    Regarding personal data processing activities and legal rights of personal data owners

    To coordinate the execution of information and training activities to ensure that they are informed.

    • To prepare the changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
    • To follow the developments and regulations on the Protection of Personal Data; on what needs to be done within the Company in accordance with these developments and regulations.
    • Coordinating the relations with the Personal Data Protection Board and Institution.
    • Carrying out other duties to be assigned by the company's senior management regarding the protection of personal data.

    making recommendations to senior management.

    ANNEX-1 DEFINITIONS

    Explicit Consent: Consent about a specific subject, based on information and expressed with free will

    Anonymization: Personal data will lose its quality as personal data and this situation will be restored.

    Ex: Masking, aggregation, data corruption etc.

    making personal data incapable of being associated with a natural person, by means of techniques.

    Employee Candidate: Real persons who have applied for a job in our company by any means or have opened their CV and related information to our company's review.

    Shareholders and Officials: Natural persons, including shareholders and officials of these institutions, working in institutions (including but not limited to business partners, suppliers, etc.) with which our company has any business relationship.

    Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.

    Personal Data Owner: The real person whose personal data is processed.

    E.g; Customers and employees. Personal Data Any information relating to an identified or identifiable natural person. Therefore, the processing of information regarding legal persons is not within the scope of the Law. E.g; name-surname, TCKN, e-mail, address, date of birth, credit card number, etc.

    Visitor: Real and legal persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.

    Special Quality Personal Data: Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special data.

    Potential Customer: Real persons who have requested or interested in using our products and services or who have been evaluated in accordance with commercial practices and honesty rules that they may have.

    Company Shareholder: The shareholders of our company are natural persons

    Company Official: Member of our company's board of directors and other authorized natural persons

    Third Party: Third party real persons (For example, Guarantor, Companion, Family Members and relatives) who are related to these persons in order to ensure the security of commercial transactions between our company and the above-mentioned parties or to protect the rights of the aforementioned persons and to obtain benefits.

    Data Processor: It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by him. For example, the cloud computing company that keeps your company's data

    Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system) is the data controller.

    28

    Visitor: Real persons who have entered the physical campuses owned by our company for various purposes or visited our websites.

    ANNEX-2 DATES THAT ARE IMPORTANT FOR THE IMPLEMENTATION OF THE KVK LAW

    April 7, 2016

    As of April 7, 2016, our Company complies with the following obligations:

    is moving:

    (i)

    General rules and principles regarding the processing of personal data

    (ii)

    Obligations regarding the disclosure of personal data owners

    (iii)

    Obligations to ensure data security

    October 7, 2016

    As of October 7, 2016, the following regulations came into effect.

    and our Company acts in accordance with these regulations:

    - Regarding the transfer of personal data to third parties and abroad

    provisions

    - The owner of the personal data, who is the owner of the personal data,

    Application to our company

    against their rights (learning whether their personal data is being processed, requesting information)

    transferring, learning from transferees, requesting correction) and

    Regulations on making a complaint to the KVK Board.

    Consent legally obtained before 7 April 2016 7

    As of April 7, 2017 , unless a contrary statement is made by the personal data owner as of April 2017, it will be deemed to be in compliance with the KVK Law.

    • As of April 7, 2017, the Regulations on the KVK Law will come into force and our Company will act in accordance with these regulations.

    April 7, 2018 Personal data processed before April 7, 2016 will be harmonized with the KVK Law or deleted or anonymized by our Company until April 7, 2018.

    APPENDIX-3 PROCESSING OF PERSONAL DATA OF EMPLOYEE CANDIDATES AND BUSINESS PARTNERS

    PERSONAL

    YOUR RIGHTS

    DATA

    COLLECTION AND PROCESSING OF PERSONAL DATA

    USING AND

    OWNER

    APPLICATION

    Personal data of employee candidates collected during the recruitment process

    Employee candidates also

    with special categories of personal data collected according to the nature of the business,

    from their ownership

    29

    Worker

    By our company; 4.2 of the policy. With Chapter 7

    with the rights arising

    candidates

    It is processed for the purposes stated and listed below:

    their respective requests,

  • Putting the candidate's qualification, experience and interest into the open position.
  • to our company,this

    assessing suitability,

    10 of the policy.

  • If necessary, the accuracy of the information submitted by the candidate
  • described in the section

    to check or contact third parties and

    by the method

    to research about

    they can transmit.

  • Communicate with the candidate about the application and recruitment process.
  • to pass or, where appropriate, subsequently domestically.

    or with a candidate for any position opened abroad

    To contact,

  • The requirements of the relevant legislation or the authorized institution or
  • meet the demands of the organization,

  • To develop the recruitment principles implemented by our company, and
  • improve The personal data of the employee candidates are as follows:

    It can be collected by methods and means:

  • Digital application published in written or electronic media
  • form; • Candidates send e-mail, cargo, reference and

    CVs submitted by similar methods,

  • Employment or consulting companies;
  • By means of video conferencing, telephone or face-to-face
  • during the interview,

  • To confirm the accuracy of the information conveyed by the candidate
  • with the controls made by our company for the purpose of

    research,

  • Constructed by experts with experience and the results
  • recruitment that detects the talent and personality traits examined

    tests.

    Employee candidates data

    Work

    Our company is responsible for the commercial activities it has established with its business partners.

    from their ownership

    of partners

    within the scope of fulfillment of business partners' employees

    with the rights arising

    Employees

    4.2 of the Policy. in section and 7.

    their respective requests,

    It can operate within the scope of the purposes described in the section.

    to our company,this

    10 of the policy.

    described in the section

    by the method

    they can transmit.

    Click here for the KVKK Application Form.