Zühre Ana PERSONAL DATA PROTECTION POLICY


• If there is explicit consent of the data subject,


• If there is a clear provision in the laws regarding the transfer of personal data,


• If it is necessary for the protection of life or physical integrity of the data subject or another person, and the data subject is unable to disclose consent due to physical impossibility or if their consent is not legally valid;


• If it is necessary for the establishment or performance of a contract directly related to the parties of the contract;


• If personal data transfer is mandatory for our company to fulfill its legal obligations.


• If personal data has been made public by the data subject,

Financial Information: Information, documents, and records showing all kinds of financial results created according to the type of legal relationship established between our company and the data subject, and personal data such as bank account number, IBAN number.

Visual/Audio Information: Photograph and camera records (excluding records covered by Physical Space Security Information), audio recordings, and personal data contained in documents that have the nature of a copy.

DESCRIPTION OF PERSONAL DATA CATEGORIZATION 


Personal Information: Any kind of personal data processed to establish the personal rights of individuals who are in a working relationship with our company and to enable the evaluation of job candidates at our company 

Professional Information: Diploma information, courses attended, in-service training information, certificates, transcript information, etc. 

Legal Transaction Information: Data processed within the scope of our company's legal receivables and rights determination, follow-up and execution of debts, and legal obligations. 

Criminal Conviction and Security Measures: Information regarding criminal convictions, information regarding security measures, etc.

Race, Ethnic Origin Information: Data related to the person's race, ethnic origin.

Membership Information: Association membership information, foundation membership information, union membership information, etc. 

Health Information: Height, weight, surgical history, active treatment information, disability status information, blood type information, personal health information, device and prosthesis information used, laboratory outputs/analysis information, patient diagnosis and treatment information, etc. 

Request/Complaint Management Information: Personal data related to the receipt and evaluation of any kind of request or complaint directed to our company. 

Marketing Information: Surveys, cookie records, information obtained from social media platforms (such as Facebook, Instagram, Twitter, WhatsApp), etc. 

Explicit Consent: Explicit consent of the relevant person will always be required. 

Public Health: Protection of public health, preventive medicine, execution of medical diagnosis, treatment and care services, planning and management of health services 

3.2. Processing Purposes of Personal Data 

Our company processes personal data limited to the purposes and conditions specified within the scope of Article 5(2) and Article 6(3) of the Personal Data Protection Law. 

These purposes and conditions are as follows; 

• Our company's engagement in relevant activities explicitly stipulated in the laws 

• The processing of your personal data by our company being directly related and necessary for the establishment or performance of a contract 

• The necessity of processing your personal data by our company to fulfill its legal obligations 

• Your personal data being publicly disclosed, provided that it is processed by our company only within the limits of the purpose of disclosure

• The necessity of processing your personal data by our company for the establishment, exercise, or protection of our company's or your rights or the rights of third parties 

• The necessity of processing personal data by our company for the protection of the life or physical integrity of the data subject or another person and where the data subject is unable to disclose his/her consent due to actual impossibility or legal invalidity 

• The existence of special categories of personal data other than health and sexual life of the data subject as envisaged by the laws 

In this context, our company processes your personal data limited to the purposes specified below within the scope of the personal data processing conditions stipulated in Articles 5 and 6 of the Law;

• Planning and execution of corporate sustainability activities 

• Event management 

• Management of relations with business partners 

• Execution of our company's personnel procurement processes

• Execution/tracking of our company's financial reporting and risk management operations 

• Execution/tracking of our company's legal affairs 

• Planning and execution of corporate communication activities 

• Execution of corporate governance activities 

• Determination, planning, and implementation of our company's commercial policies 

• Ensuring the legal and commercial security of natural or legal persons in relation to our company and those in business relationship with our company 

• Ensuring the physical security and control of all office workplace facilities and similar locations owned by our company 

• Evaluating our company's customers, Product vs. complaint management processes, 

• Planning and implementation of human resources policies in the best way possible, 

• Request and complaint management 

• Planning and execution of audit activities to ensure that our company's activities are carried out in accordance with procedures and relevant legislation 

• Conducting activities to protect the reputation of our company 

• Providing information to authorized institutions due to legal requirements 

• Creating and tracking visitor records 

If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVK Law, our company will obtain your explicit consent for the relevant processing activity.

3.3. Storage Periods of Personal Data

Our company stores personal data for the periods specified in the relevant laws and regulations, if any. If no period is specified in the legislation regarding how long personal data should be kept, Personal Data is processed for the period requiring our company's practices and commercial life at the time of processing of


Our company processes the personal data of the categories of data subjects listed below, and the scope of this Policy is limited to Partners, Customers, Visitors, Third Parties, Employees, Employee Candidates, Company Officials, Employees and Officials of the Institutions with which we collaborate, in accordance with the provisions of the Turkish Personal Data Protection Law.

While the categories of individuals whose personal data are processed by our company are within the scope mentioned above, individuals outside these categories may also address their requests to our Company within the scope of the Law on the Protection of Personal Data; these requests will also be evaluated within the scope of this Policy. Personal data categories and the types of personal data processed within these categories are defined in Article 3.1.

5. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND PURPOSES OF TRANSFER


Our company informs the data subjects about the groups of persons to whom personal data is transferred in accordance with Article 10 of the Personal Data Protection Law.

In accordance with Articles 8 and 9 of the Personal Data Protection Law, our company may transfer the personal data of data subjects managed by the Policy to the following categories of persons:

• Our authorized managers and employees

• Legally authorized public institutions and organizations

• Legally authorized private law persons

The scope of the aforementioned persons to whom the transfer is made and the purposes of data transfer are specified below.

6. PERSONAL DATA PROCESSING ACTIVITIES WITHIN BUILDINGS, FACILITIES, AND WEBSITE VISITORS


Our company may carry out personal data processing activities for security purposes, monitoring through security cameras within our company office, and monitoring visitor entries and exits for our company buildings and facilities.

6.1. Camera Monitoring Activities Conducted within our Company Office

This section will provide explanations regarding our company's camera monitoring system and inform about how the privacy of personal data and fundamental rights of individuals are protected. Our company aims to protect its own and others' security interests through security camera monitoring activities.

6.2. Monitoring of Visitor Entries and Exits in our Company Buildings and Facilities

Our company may carry out personal data processing activities such as monitoring visitor entries and exits within our company buildings and facilities for security purposes and for the purposes stated in this Policy.

6.3. Restriction of Internet Access Provided to Visitors in our Office

For security purposes and as stated in this Policy, our company's Wi-Fi internet connection within our office premises is restricted from external access and not shared with visitors. This prevents external interference with the computer connected to the internet network and ensures data security in accordance with Law No. 6698. If the Wi-Fi connection within our office premises is opened to visitors in the future, log records of internet access will be kept in accordance with the Law No. 5651 on the Regulation of Internet Broadcasts and Crimes Committed through These Broadcasts, and related regulations, and these records will be processed only to fulfill our legal obligations when requested by authorized public institutions and organizations or during internal audit processes of our company. Feasibility and cybersecurity studies have been conducted regarding internet access for visitors within our office premises, and implementation will be carried out upon decision by our company officials.

6.4. Website Visitors

On our company's websites and applications, cookies, pixels, gifs, and other technologies (collectively referred to as 'cookies') are used to enhance your experience. Cookies are small text files that are transferred to your hard drive by a web server and then stored on your computer. Some cookies help us better understand customer/user behavior, provide information about the use of and visits to our website, and help us improve our site. Cookies are also used to remember customers'/users' personal information while they use the website or application, making the website and applications easier to use.

Some information is automatically collected and stored in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data. 

If you wish to disable cookies, you can do so through your web browser and mobile device settings. In line with the above information, cookies will be used as required by the technological infrastructure prepared by our company and as prescribed by the infrastructure in use. We may discontinue using the cookies used on the web pages prepared by our company, change their types or functions, or add new cookies. Therefore, we reserve the right to change the Cookie Disclosure Text and the provisions of this protocol at any time.

The cookies we use on our website perform basic functions necessary for the operation of the site, analyze the site, improve the performance of the site, and are active to increase ease of use. Our company does not use specially developed / operated information gathering technologies and cookies that collect data.

6.5. Website Data Log 

You can access our company's website without being a member. As with many websites, your web browser is set to automatically transmit some technical data to our web server, and some information is saved in data log records without your consent (for example, entry date, entry time, IP address, addresses of pages viewed within the site, etc.).

When you access the website, this technical data is necessary for delivering the requested content to you correctly over the internet, and collecting it is an unavoidable technical aspect of website use. In addition to this data, our company also identifies the IP addresses and data log records of users and uses them to detect system-related problems and quickly resolve such problems. IP addresses can be used to generally identify users and collect comprehensive demographic information.

6.6. E-Mail Newsletters within the Scope of Website Memberships 

During membership application or during your membership, you can choose and/or reject marketing activities. You can update your preference at any time. If you wish to unsubscribe from our daily e-mail distribution list, you can unsubscribe from the link "Please click here to unsubscribe from our e-bulletin list" at the bottom of the e-mails we send. In case the cancellation link does not work due to technical problems, you can call our Customer Service by phone or send an email to unsubscribe from these bulletins. 

7. CONDITIONS FOR DELETING, DESTROYING, AND ANONYMIZING PERSONAL DATA 


In accordance with Article 138 of the Turkish Penal Code and Article 7 of the PDPL, although processed in accordance with the relevant legal provisions, personal data is deleted, destroyed, or anonymized by our Company's decision or upon the request of the data subject if the reasons requiring its processing are no longer valid. Personal data is processed according to the data retention and destruction policy. 

8. MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA 


In accordance with Article 12 of the PDPL, our Company takes necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the preservation of data security, and conducts necessary audits within this scope. 

Our institution has extended its data / information protection processes operated under quality and information security management systems established for the protection and storage of corporate information to include personal data. 

8.1. Ensuring the Security of Personal Data 

8.1.1. Technical and administrative measures taken to ensure the lawful processing of personal data

Institutional responsibilities for data processing have been determined and defined within the relevant job descriptions. Data processing environments and processing conditions have been made appropriate according to data processing responsibilities.

8.1.2. Technical and administrative measures taken to prevent unlawful access to personal data

Access authorizations of users responsible for data processing in the institution have been arranged according to relevant applications. Users who are not responsible for data processing do not have permissions in relevant applications. In this context, passwords used by those responsible for data processing are regularly changed.

Administrative and technical measures include the following. Our company is obliged to take all technical and administrative measures to prevent unauthorized access to personal data; even if third parties have illegally accessed personal data, it takes all technical and administrative measures in accordance with relevant legislation and decisions of the Board to prevent any damage to individuals. Technical measures are taken in line with technological developments, and the measures taken are periodically updated and renewed.

• Access and authorization technical solutions are being implemented.

• The technical measures taken are periodically audited by our company.

• Virus protection software and hardware systems have been installed.

• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

• Corporate policies have been prepared and implemented regarding information security, storage, and disposal.

• Awareness training on data security has been provided to personnel.

8.1.3. Secure Storage of Personal Data

Personal data at the institution is stored in physical and electronic environments depending on its characteristics. Access to physical environments is controlled. Cabinets containing personal data are kept locked. Data in electronic environments is processed based on access rights. Computers processing personal data are protected with advanced passwords consisting of 12-character combinations of lowercase/uppercase letters and numbers, which are periodically changed. Unauthorized access to data is restricted through an authorization matrix system.

8.1.4. Audit of Measures Taken for the Protection of Personal Data

The data recording systems used within our company for the technical measures taken are periodically monitored to ensure compliance with the Personal Data Protection Law and relevant legislation.

8.1.5. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data

Our company, as the data controller, is obliged to inform the individuals whose personal data has been unlawfully disclosed and the Personal Data Protection Board.

In case of intentional disclosure of personal data with clear/objective evidence, the "Personnel Discipline Regulation" will be immediately enforced, and legal and administrative processes will be promptly initiated.

8.2. Safeguarding Data Subject Rights and Evaluation of Data Subjects' Requests

Our company executes necessary channels, internal procedures, and administrative and technical regulations in accordance with Article 18 of the Personal Data Protection Law for evaluating data subjects' rights and providing required information. Detailed information is provided in Section 10 of this Policy.

8.3. Protection of Special Categories of Personal Data

Special attention is given to certain personal data categories due to the risk of causing harm or discrimination to individuals when processed unlawfully under the Personal Data Protection Law. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sex life, criminal record, and security measures-related data, as well as biometric and genetic data.

Our company does not collect special categories of personal data within the scope of its activities and does not retain data within this scope as defined by law.

8.4. Increasing Awareness and Audit of Personal Data Protection and Processing by Company Departments

To verify that processes such as collection, processing, classification, deletion/destruction, revocation of access rights, and anonymization of personal data are effectively implemented, internal audits and external resources will conduct annual audits within the framework of Internal Audit/Quality practices.

Principal administrative measures include at least the following:

• Employees are informed about data protection laws and the lawful processing of personal data.

9. RIGHTS OF DATA SUBJECTS; EXERCISE AND EVALUATION OF THESE RIGHTS


Our company informs the data subjects of their rights in accordance with Article 10 of the Personal Data Protection Law, guides them on how these rights can be exercised, and implements necessary channels, internal processes, administrative, and technical regulations in accordance with Article 13 of the Personal Data Protection Law for the evaluation of the rights of data subjects and providing them with the necessary information.

9.1. Rights of the Data Subject and Exercise Thereof

9.1.1. Rights of the Data Subject

Data subjects have the following rights:

• To know whether personal data is being processed,

• To request information if personal data has been processed,

• To learn the purpose of processing personal data and whether they are used in accordance with the purpose, and to know the third parties to whom personal data have been transferred, domestically or internationally,

• To request correction of incomplete or incorrect personal data and to request notification of this correction to third parties to whom personal data have been transferred,

• To request the deletion or destruction of personal data in accordance with the provisions of the Personal Data Protection Law and other relevant laws, despite being processed in compliance with these laws, if the reasons necessitating their processing cease to exist, and to request notification of this deletion or destruction to third parties to whom personal data have been transferred,

• To object to the occurrence of a result against the person due to the exclusive analysis of processed data by automated systems,

• To request compensation in case of damage due to the unlawful processing of personal data.

9.1.2. Instances Where the Data Subject Cannot Exercise Their Rights

Data subjects cannot exercise the rights listed in 9.1.1. due to the following instances, which are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of the Personal Data Protection Law:

• Processing of personal data for research, planning, and statistical purposes by anonymizing them through official statistics,

• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, without constituting a crime,

• Processing of personal data by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security, within the scope of preventive, protective, and intelligence activities,

• Processing of personal data by judicial authorities or enforcement authorities for investigation, prosecution, trial, or execution proceedings.

In accordance with Article 28/2 of the Personal Data Protection Law, except for the right to request compensation for damage in the instances listed below, data subjects cannot assert the other rights listed in 9.1.1.:

• Processing of personal data necessary for preventing the commission of a crime or for the investigation of crimes,

• Processing of personal data already made public by the data subject,

• Processing of personal data necessary for the conduct of disciplinary inquiries or prosecutions by authorized public institutions and organizations having the status of public institutions in the field of supervision or regulation,

Data subjects may submit their requests regarding their rights listed under section 9.1.1. to our Company with information and documents identifying their identity and through the methods specified below or other methods determined by the Personal Data Protection Board:

The use of rights within the scope of the Law must be made in accordance with the conditions and methods specified in the communiqué published by the Personal Data Protection Authority. The application must be made using the form available in the Application Form tab on the website. 

By completing the application form obtained from the website and providing identity verification documents:

• You can deliver it signed to the address "...".

• You can send the signed form via Notary Channel to the address "...".

• You can submit it electronically signed to the addresses "...".

In order for third parties to apply on behalf of data subjects, a special power of attorney issued by the data subject through a notary must be provided. Applications made without an attached power of attorney will be considered invalid. 

9.1.4. Right of Data Subject to Lodge a Complaint with the DPA

If the application is rejected, the response is found insufficient, or no response is received within the specified period, the data subject may lodge a complaint with the DPA in accordance with Article 14 of the PDP Law within thirty (30) days from the date of learning of our Company's response and in any case within sixty (60) days from the application date.

9.2. Response by Our Company to Applications 

Applications related to personal data processing activities must be made to our Company. Your applications must include full name, signature, T.C. identity number, residence or business address, e-mail address, telephone and fax numbers, and the subject matter of the request, as required by the "Communiqué on Principles and Procedures for Application to Data Controller." Applications that do not include these elements will be rejected by our Company. 

9.2.1. Method and Period for Our Company to Respond to Applications 

If the data subject submits their request to our Company in accordance with the procedure set out in section 9.1.3., our Company will finalize the relevant request within thirty (30) days at the latest, depending on the nature of the request. However, if a fee is specified by the DPA, our Company will charge the applicant the fee specified in the tariff determined by the DPA.

9.2.2. Information Our Company May Request from the Data Subject Applying 

Our Company may request information from the person applying to determine whether they are a data subject. Our Company may also ask the data subject questions related to their application to clarify the issues. The information provided and documents submitted in this form may be collected in written, verbal, electronic, or physical form and processed by our Company solely for the purposes of evaluation, response, and conclusion of the application made under Article 13 of the Law. Within the scope of this review, relevant information may be shared with third parties and companies such as law firms, consultancy firms, etc., engaged by our Company for the conclusion of the application. 

9.2.3. Right of Our Company to Reject Data Subject's Application 

Our Company may reject the application of the applicant with reasons provided in the following cases:

• Processing of personal data for research, planning, and statistical purposes by anonymizing them through official statistics.

• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, without constituting a crime.

• Processing of personal data by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security, within the scope of preventive, protective, and intelligence activities.

Personal data subjects can submit their requests regarding their rights listed under Section 9.1.1. with information and documents verifying their identity, using the methods specified below or other methods determined by the Personal Data Protection Board, to our Company through the Application Form:

Requests related to the exercise of rights under the Law must be made in accordance with the conditions and methods specified in the communiqué published by the Personal Data Protection Authority. The application should be made using the form available in the Application Form tab on the website.

By completing the application form obtained from the website and submitting it signed along with identity verifying documents:

• You can deliver it to "...".

• You can send the signed form to "..." via Notary.

• You can submit it electronically signed to "..." or "..." addresses.

In order for third parties to submit an application on behalf of the data subject, a special power of attorney issued by the data subject through a notary must be attached. Applications made without a power of attorney will be deemed invalid.

9.1.4. Right of the Personal Data Subject to Complain to the DPA 

If the application is rejected, the response is found insufficient, or no response is given within the required period, the data subject may, in accordance with Article 14 of the Law on the Protection of Personal Data, file a complaint with the DPA within thirty (30) days from the date of learning the Company's response and within sixty (60) days from the application date at the latest.

9.2. Response by Our Company to Applications 

Applications related to personal data processing activities must be submitted to our Company. Your applications must include full name, signature, T.C. identification number, residential or business address, email address, telephone and fax numbers, and the subject matter of the request, as required by the Communiqué on Principles and Procedures for Application to the Data Controller. Applications that do not include these elements will be rejected by the Company. 

9.2.1. Method and Period of Response by Our Company to Applications 

If the data subject submits their request to our Company in accordance with the procedure specified in Section 9.1.3., our Company will conclude the relevant request within thirty (30) days at the latest, depending on the nature of the request, free of charge. However, if a fee is specified by the DPA, our Company will collect the fee from the applicant at the tariff determined by the DPA.

9.2.2. Information Our Company May Request from the Data Subject Making the Application 

Our Company may request information from the individual making the application to determine whether they are the data subject. To clarify the issues raised in the data subject's application, our Company may direct questions to the data subject regarding their application. The information and documents specified in this form and submitted to us may be collected in written, oral, electronic, or physical form, pursuant to Article 13 of the Law, based on the application made. 

9.2.3. Right of Our Company to Reject the Application of the Data Subject 

Our Company may reject the application of the data subject with reasons explained in the following cases:

• Processing of personal data for research, planning, and statistical purposes by making them anonymous through official statistics.

• Processing of personal data for purposes such as art, history, literature, or scientific research or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime.

• Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities within the scope of ensuring national defense, national security, public security, public order, or economic security.
