1. Legal Basis:
    This Policy is based on Article 20 of the Constitution, which states that everyone has the right to demand the protection of their personal data, including the right to be informed about, access, and request correction or deletion of their data, and to know whether it is used in accordance with its purpose. Article 20 also establishes that personal data may only be processed in cases provided for by law or with the explicit consent of the individual. In line with this legal foundation and in compliance with the Personal Data Protection Law No. 6698, we prioritize the lawful protection and processing of personal data in all our planning and activities. As a company, we take all administrative and technical measures necessary for the protection and processing of personal data, which is fundamental to privacy, and we inform and warn our personnel about the legal sanctions regulated in Article 135 and the following articles of the Turkish Penal Code No. 5237.
  2. Purpose:
    The Personal Data Protection Law No. 6698 regulates the processing of personal data to protect individuals’ fundamental rights and freedoms, especially privacy, and establishes the obligations and procedures that natural and legal persons processing personal data must follow. In line with these regulations, the purpose of our policy is to ensure compliance with obligations regarding personal data protection, to evaluate risks related to the processing, transfer, and confidentiality of information obtained within the scope of our company’s activities, and to determine strategies, internal controls, operational rules, and responsibilities accordingly. It also aims to raise awareness among company employees on these matters. Additionally, we seek to ensure transparency by informing individuals whose personal data is processed by our company, including our customers, potential customers, employees, job applicants, company shareholders, company executives, visitors, employees, shareholders and executives of organizations we cooperate with, and third parties.
  3. Scope:
    This policy applies to all personal data processed by automatic or non-automatic means, provided that it is part of a data recording system, belonging to our customers, potential customers, employees, job applicants, company shareholders, company executives, visitors, employees, shareholders, and executives of organizations we cooperate with, and third parties.
  4. Definitions
    1. Explicit Consent: Consent given freely, informed, and specific to a particular matter.
    2. Anonymization: The process of rendering personal data unidentifiable and irreversible so that it cannot be associated with an identified or identifiable individual (e.g., masking, aggregation, data corruption, etc.).
    3. Employee: Individuals working at the company under an employment contract.
    4. Job Applicant: Individuals who have applied for a job or made their resumes and relevant information available for the company’s review.
    5. Employees, Shareholders, and Executives of Business Partners: Real persons working at organizations in business relations with the company, including business partners, suppliers, and others.
    6. Processing of Personal Data: Any operation performed on personal data, including collection, recording, storage, alteration, disclosure, transfer, retrieval, classification, or blocking of its use.
    7. Personal Data Subject: The individual whose personal data is processed (e.g., customers, employees).
    8. Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, ID number, email, address, date of birth, credit card number).
    9. Customer: Individuals using or who have used the company’s products and services, regardless of whether they have a contractual relationship.
    10. Sensitive Personal Data: Data relating to race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, association, foundation or union membership, health, sexual life, criminal convictions, security measures, and biometric and genetic data.
    11. Potential Customer: Individuals who have expressed interest in or are deemed to have an interest in our products and services.
    12. Company Shareholder: Individuals who own shares in the company.
    13. Company Executive: Board members and other authorized persons in the company.
    14. Third Party: Individuals associated with the company’s stakeholders to ensure commercial transaction security or to protect the rights and interests of such persons (e.g., family members and close relatives).
    15. Data Processor: A person or entity processing personal data on behalf of the data controller based on their authority (e.g., companies storing company data).
    16. Data Controller: The person who determines the purposes and means of processing personal data, manages the data recording system, and provides necessary information to and directs data subjects upon request.
    17. Visitor: Individuals entering the company’s physical premises for various purposes or visiting our websites.
  5. Abbreviations
    1. KVKK: Personal Data Protection Law No. 6698, published in the Official Gazette No. 29677 on April 7, 2016.
    2. Constitution: Constitution of the Republic of Turkey, published in the Official Gazette No. 17863 on November 9, 1982.
    3. KVK Board: Personal Data Protection Board.
    4. KVK Authority: Personal Data Protection Authority.
    5. Policy: Company’s Personal Data Protection and Processing Policy.
    6. TBK: Turkish Code of Obligations No. 6098, published in the Official Gazette No. 27836 on February 4, 2011.
    7. TCK: Turkish Penal Code No. 5237, published in the Official Gazette No. 25611 on October 12, 2004.
    8. TTK: Turkish Commercial Code No. 6102, published in the Official Gazette No. 27846 on February 14, 2011.
  6. Data Categories: The Company may collect, process, or transfer data in the following categories:
    1. Identity Data: Name, surname, parents’ names, date and place of birth, marital status, ID number, etc.
    2. Contact Data: Address, email, phone number, registered electronic mail (KEP) address, etc.
    3. Location Data: Geographic location information.
    4. Personnel Data: Payroll, disciplinary records, employment records, performance evaluations, etc.
    5. Legal Data: Information in legal correspondence and case files.
    6. Customer Transaction Data: Invoices, promissory notes, orders, requests, etc.
    7. Physical Security Data: Entry-exit records, CCTV footage.
    8. Transaction Security Data: IP addresses, website login details, passwords.
    9. Risk Management Data: Information for managing commercial, technical, and administrative risks.
    10. Financial Data: Balance sheet details, asset information.
    11. Professional Experience Data: Diplomas, certifications, training records.
    12. Marketing Data: Information obtained through marketing campaigns.
    13. Visual and Audio Data: Photographs, video recordings.
    14. Health Data: Disability status, blood type, medical conditions, use of medical devices.
    15. Criminal Conviction & Security Measures Data: Criminal records and security-related data.
  7. Purposes of Processing Personal Data: The Company may record, process, or transfer personal data for the following purposes:
    1. Execution of Emergency Management Processes
    2. Execution of Information Security Processes
    3. Execution of Employee Candidate / Intern / Student Selection and Placement Processes
    4. Execution of Employee Candidates’ Application Processes
    5. Execution of Employee Satisfaction and Loyalty Processes
    6. Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees
    7. Execution of Benefits and Rights Processes for Employees
    8. Execution of Audit / Ethical Activities
    9. Execution of Training Activities
    10. Execution of Access Authorization Processes
    11. Execution of Activities in Compliance with Legislation
    12. Execution of Finance and Accounting Processes
    13. Execution of Loyalty Processes Related to Company / Products / Services
    14. Ensuring Physical Space Security
    15. Execution of Assignment Processes
    16. Monitoring and Execution of Legal Affairs
    17. Execution of Internal Audit / Investigation / Intelligence Activities
    18. Execution of Communication Activities
    19. Planning of Human Resources Processes
    20. Execution / Supervision of Business Activities
    21. Execution of Occupational Health and Safety Activities
    22. Collection and Evaluation of Suggestions for Improvement of Business Processes
    23. Execution of Business Continuity Activities
    24. Execution of Logistics Activities
    25. Execution of Goods / Services Procurement Processes
    26. Execution of Post-Sales Support Services for Goods / Services
    27. Execution of Sales Processes for Goods / Services
    28. Execution of Production and Operation Processes for Goods / Services
    29. Execution of Customer Relationship Management Processes
    30. Execution of Activities for Customer Satisfaction
    31. Execution of Organization and Event Management
    32. Execution of Marketing Analysis Activities
    33. Execution of Performance Evaluation Processes
    34. Execution of Advertisement / Campaign / Promotion Processes
    35. Execution of Risk Management Processes
    36. Execution of Storage and Archiving Activities
    37. Execution of Social Responsibility and Civil Society Activities
    38. Execution of Contract Processes
    39. Execution of Sponsorship Activities
    40. Execution of Strategic Planning Activities
    41. Tracking Requests / Complaints
    42. Ensuring the Security of Movable Property and Resources
    43. Execution of Supply Chain Management Processes
    44. Execution of Wage Policy
    45. Execution of Marketing Processes for Products / Services
    46. Ensuring the Security of Data Controller Operations
    47. Processing Work and Residence Permits for Foreign Employees
    48. Execution of Investment Processes
    49. Execution of Talent / Career Development Activities
    50. Providing Information to Authorized Persons, Institutions, and Organizations
    51. Execution of Management Activities
    52. Creation and Monitoring of Visitor Records
  8. Personal Data Transfer Recipient Groups: The Company may transfer personal data to the following recipient groups:
    1. Shareholders
    2. Suppliers
    3. Group Companies
    4. Authorized Public Institutions and Organizations
  9. Categories of Individuals Subject to Personal Data Processing: The Company may record, process, or transfer personal data of the following categories of individuals:
    1. Employee Candidate
    2. Employee
    3. Potential Product and Service Buyer
    4. Intern
    5. Supplier Employee
    6. Supplier Representative
    7. Product or Service Recipient
    8. Visitor
  10. Personal Data Retention Periods: Personal data retention periods are detailed in the Personal Data Retention and Destruction Policy.
  11. Deletion, Destruction, or Anonymization of Personal Data
    1. Even if personal data has been lawfully processed, if the reasons requiring processing are no longer applicable, the data shall be deleted, destroyed, or anonymized by the data controller either ex officio or upon the request of the data subject.
    2. The data controller shall delete, destroy, or anonymize personal data during the first periodic destruction process following the date on which the obligation to do so arises.
    3. The procedures related to this are explained in detail in the Personal Data Retention and Destruction Policy.
  12. Transfer of Personal Data: Personal data obtained for processing in compliance with the general principles stated in the law may be transferred to third parties with the explicit consent of the data subject.
    1. Domestic Transfer: The details regarding the domestic transfer of personal data and sensitive personal data are regulated in the Personal Data Transfer Procedure.
    2. International Transfer: If explicit consent is obtained from the data subject and the conditions specified in the law are met, personal data may be transferred to countries with adequate protection. If the destination country does not have adequate protection, data transfer may only occur if the required legal conditions are met, including a written commitment to provide adequate protection and the approval of the relevant authority. Further details are provided in the Personal Data Transfer Procedure.
  13. General (Fundamental) Principles in Personal Data Processing: Personal data shall be processed in accordance with the fundamental principles detailed in the Personal Data Processing Procedure, as follows:
    1. Lawfulness and fairness
    2. Accuracy and, where necessary, keeping data up to date
    3. Processing for specific, explicit, and legitimate purposes
    4. Processing data in a manner that is relevant, limited, and proportionate to the intended purpose
    5. Retaining data for the duration required by relevant legislation or for the purpose for which it is processed
  14. Explicit Consent: Explicit consent refers to a freely given, informed, and specific declaration of will regarding a particular subject. As detailed in the Explicit Consent Procedure, explicit consent must be:
    1. Related to a specific matter
    2. Based on adequate information
    3. Given freely
  15. Obligation to Inform: When personal data is obtained, the Company is responsible for informing the data subject. As outlined in the Information Procedure, this notification must at least include:
    1. The identity of the data controller and, if applicable, its representative
    2. The purpose of processing personal data
    3. The recipients to whom personal data may be transferred and the purposes of such transfers
    4. The method and legal basis of personal data collection
    5. The rights of the data subject as specified in Article 11 of the law
  16. Methods for Exercising Data Subject Rights

Data subjects may apply to the Company to:

  • Learn whether their personal data is being processed
  • Request access to their processed personal data
  • Request correction if their personal data is incomplete or incorrect
  • Request deletion, destruction, or anonymization of their data if it has been unlawfully processed
  • Request that such actions be communicated to third parties to whom the data has been disclosed
  • Request compensation for damages arising from unlawful data processing

Data subjects may exercise these rights as specified in the Data Subject Rights Procedure.

    1. Application: Data subjects must first apply to the data controller to exercise their rights. Complaints cannot be submitted to the relevant authority without exhausting this option.
    2. Complaint: If an application to the Company is rejected, the response is found unsatisfactory, or no response is provided within 30 days, the data subject may file a complaint with the relevant authority. Direct complaints to the authority without first applying to the Company are not permitted.
  17. Obligation to Comply with Authority Decisions: If the authority determines that a violation has occurred based on a complaint or an ex officio investigation, it may order the Company to remedy the violation. As stated in the Compliance with Authority Decisions Procedure, the Company must implement the decision without delay and no later than 30 days from the date of notification.
  18. Data Controllers Registry (VERBIS) Registration Obligation: The Company is required to register with the Data Controllers Registry (VERBIS), where data controllers declare and update information regarding their data processing activities as detailed in the VERBIS Registration Procedure.
  19. Personal Data Breach Notification: If personal data is obtained unlawfully by unauthorized parties, the Company shall notify the affected individuals and the authority as soon as possible, in accordance with the Personal Data Breach Procedure. The authority may also announce the breach via its website or other appropriate means if necessary.
  20. Personal Data Security Measures: The Company takes the following technical and administrative measures at an appropriate level to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the security of personal data:
    1. Network security and application security are ensured.
    2. A closed network system is used for personal data transfers via the network.
    3. Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
    4. Disciplinary regulations containing data security provisions are in place for employees.
    5. Regular training and awareness programs on data security are conducted for employees.
    6. An authorization matrix has been established for employees.
    7. Corporate policies regarding access, information security, usage, storage, and disposal have been developed and implemented.
    8. Confidentiality agreements are signed.
    9. Authorization rights of employees who change roles or leave the company are revoked.
    10. Up-to-date antivirus systems are used.
    11. Firewalls are utilized.
    12. Signed contracts include data security provisions.
    13. Personal data security policies and procedures have been established.
    14. Monitoring of personal data security is conducted.
    15. Necessary security measures are taken for access to physical environments containing personal data.
    16. Security measures are implemented to protect physical environments containing personal data from external risks (fire, flood, etc.).
    17. Security of environments containing personal data is ensured.
    18. Personal data is minimized as much as possible.
    19. Personal data is backed up, and the security of backed-up data is also ensured.
    20. A user account management and authorization control system is implemented and monitored.
    21. Periodic and/or random internal audits are conducted.
    22. Existing risks and threats have been identified.
    23. Protocols and procedures for the security of sensitive personal data have been established and implemented.
    24. If sensitive personal data is sent via email, it is encrypted and transmitted using a KEP (Registered Electronic Mail) or corporate email account.
    25. Service providers processing data are periodically audited for data security.
    26. Awareness of data security is ensured for service providers processing data.