Personal Data Protection Policy

I. INTRODUCTION


1.1. Purpose of the Policy



Pursuant to Article 20 of the Constitution titled "Privacy of Private Life" and the Law No. 6698 on the Protection of Personal Data (“ Law ”) and the provisions of the regulations and communiqués in force, Gül Turizm ve Seyahat A.Ş. The processing of personal data obtained by the (“ Company ”), the privacy of data owners ( interns, employees and employee candidates, customers, potential customers, suppliers, shareholders/partners, company officials, visitors, business partners and other third parties ) The purpose of this Policy is to determine the principles regarding the protection of fundamental rights and freedoms, including the processing of personal data by the data controller in accordance with the law, the protection, storage and, if necessary, destruction of the personal data obtained.


1.2. Scope of the Policy



Obtaining, recording, storing, preserving, changing, rearranging all kinds of information regarding an identified or identifiable natural person as personal data by the Company as a data controller fully or partially automatically or non-automatically provided that it is a part of any data recording system. Since all kinds of transactions such as disclosure, transfer, takeover, making available, classification or prevention of use are considered as data processing activities, establishing the procedures and principles of the data processing activity carried out by the Company determines the scope of this Policy.



1.3. Implementation of the Policy and Related Legislation



This Policy has been prepared in accordance with the relevant legislation in force and the rules shown in the regulations, communiqués, decisions and guides published by the Board, in particular the Law No. 6698. If there is a change in the Law or other relevant legislation after the publication date of the Policy and the Policy becomes inconsistent with the said amendment, the amended provisions and rules will apply. All communiqués, decisions and guidelines published by the Board are followed by our Company, and the rules stipulated by the Policy are kept up to date.



1.4. Enforcement of the Policy



The policy has been published on the Company's website at www.gulturizm.com.tr and entered into force on the date of its publication.



II. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA


2.1. Ensuring the Security of Personal Data

According to Article 12 of the Law No. 6698, the data controller;

● To prevent the unlawful processing of personal data,

● To prevent unlawful access to personal data,

● To ensure the protection of personal data

It is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security for the purpose.

For the reasons explained, the Company implements security measures to prevent unlawful processing of personal data, transfer and disclosure to third parties, unauthorized access and security deficiencies arising through other means. Explanations on the administrative and technical measures taken VI. It is included in the ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA .


2.2. Protection of Private Personal Data


The data that is sensitive due to its nature and may cause victimization or discrimination of the data owner if it is in the hands of third parties is accepted as special quality personal data within the scope of the Law. Sensitive personal data includes data related to the person's race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data. and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject.

All necessary measures are taken by the Company to protect sensitive personal data, and it is essential that such data are not obtained and processed as much as possible.


III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA


3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation


The principles to be applied in the processing of your personal data in accordance with Article 4 of the Law are as follows:

● Compliance with the law and the rule of honesty,

● Being accurate and up-to-date when necessary,

● Processing for specific, explicit and legitimate purposes,

● Being connected, limited and restrained for the purpose for which they are processed,

● To be kept for as long as required by the relevant legislation or for the purpose for which they are processed.


3.2. Personal Data Processing Conditions


Personal data obtained by the company cannot be processed without the explicit consent of the person concerned, with the exception of the exceptions stipulated in the Law. Your personal data may be processed without express consent in the following cases:

● It is clearly stipulated in the laws,

● It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity,

● It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

● It is mandatory for the data controller to fulfill its legal obligation,

● The person concerned has been made public by himself,

● Data processing is mandatory for the establishment, exercise or protection of a right,

● It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.


3.3. Exceptions to Obligation to Obtain Explicit Consent

a)  expressly stipulated in the law

One of the data processing conditions is that it is expressly stipulated in the law. The provisions in the laws regarding the processing of personal data may create a data processing condition. In such a case, the explicit consent of the person concerned is not sought.

b)    actual impossibility

The personal data of the person concerned can be processed without explicit consent in cases where it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.

c)    Being directly related to the establishment or performance of the contract

In the event that data processing is deemed necessary during the conclusion of a contract to which the data owner is a party or during the performance of the contract, the processing of personal data may come to the fore without obtaining explicit consent.

D)    Fulfilling the company's legal obligations

Personal data can be processed without obtaining explicit consent in order to fulfill the legal obligations that our Company, as the data controller, must fulfill.

to)    Being made public by the person concerned

Personal data made public by the data subject, in other words, personal data disclosed to the public in any way, can be processed without obtaining explicit consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.

f)     Obligatory for the establishment, use and protection of a right

In cases where it is necessary for the establishment, exercise or protection of a right, it is possible to process the personal data of the person concerned without his explicit consent.

g)    Obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

If the processing of personal data is obligatory for the data controller and the data processing will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.

The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. Benefit of the data controller; It must relate to a legitimate, sufficiently effective, specific and already existing interest to compete with the fundamental rights and freedoms of the person concerned. It should be a process that is related to the current activities of the data controller and will benefit him in the near future.


3.4. Processing of Private Personal Data


The processing of sensitive personal data is subject to Article 6 of the Law and it is prohibited to be processed without the explicit consent of the person concerned.

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. is personal data. The data included in this scope is limited and cannot be expanded through interpretation.

Due to its nature, special quality personal data is data that, if learned, may cause discrimination and victimization of the person concerned. Therefore, they need to be protected much more strictly than other personal data.

a)    Special categories of personal data other than health and sexual life

Special categories of personal data other than personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.

b)    Special categories of personal data regarding health and sexual life

Special categories of personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.


3.5. Clarifying and Informing the Personal Data Owner


During the acquisition of personal data, data owners are informed in the capacity of data controller or by persons authorized by our Company. Procedures and principles regarding the notification made About the Protection of Personal Data published by the Company It is stated in the Clarification Text and the information includes the following elements in summary:

● Identity of the data controller and its representative, if any,

● For what purpose personal data will be processed,

● To whom and for what purpose personal data can be transferred,

● Method and legal reason for collecting personal data,

● Rights of the person concerned as indicated in Article 11 of the Law.

 

a)    Identity of data controller and representative

Pursuant to Article 10 of the Law, personal data obtained from data owners ( customers, employee candidates, business partners, suppliers, shareholders, company officials, visitors and other third parties ) are handled by the Company, Gül Turizm ve Seyahat A.Ş. It is processed by the relevant department, and the communication of the relevant unit can be obtained from the e-mail address of [email protected] or www.gulturizm.com.tr.

b)    Purposes of processing personal data

The processing of personal data is carried out for specific, clear and legitimate purposes and is based on informing the data owners. The purposes for which your obtained data are processed are listed in the V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSE OF PROCESSING of the Policy.

c)     Persons to whom personal data are transferred and the purposes for which they are transferred

Within the framework of the data controller's obligation to inform the data owner, the persons to whom personal data are transferred and the purposes for which they are transferred should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. Recipient groups to whom personal data are transferred by our company and the purposes for which they are transferred IV. It is shown in the section TRANSFERRING PERSONAL DATA .

D)    Method and legal reason for personal data collection

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which basis the personal data processing conditions are based. Data collection method and mediation are determined by the data controller. The processing conditions of personal data, that is, the conditions of compliance with the law, are listed in a limited number in the Law (art. 5-6) and these conditions cannot be extended.

The Data Controller Company evaluates whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than express consent, and if this purpose does not meet at least one of the conditions other than the express consent specified in the Law, in this case, the explicit consent of the person is sought for the continuation of the data processing activity.


IV. TRANSFERRING PERSONAL DATA


4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the person concerned. However:

● In the second paragraph of Article 5,

● Provided that adequate measures are taken, in the third paragraph of Article 6

If one of the conditions specified is present, it can be transferred without seeking the explicit consent of the person concerned.

Accordingly, provided that it is clearly stipulated in the law (1), is compulsory for the protection of the life or bodily integrity of the person or another person whose consent is not legally valid or who is unable to express his consent due to actual impossibility (2), and is directly related to the establishment or performance of a contract. It is necessary to process the personal data of the parties (3), it is necessary for the data controller to fulfill its legal obligation (4), the data subject has been made public by himself (5), the data processing is mandatory for the establishment, exercise or protection of a right (6), Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data of the data subject may be transferred to third parties without their explicit consent, if data processing is necessary for the legitimate interests of the data controller.

At the same time, personal data other than health and sexual life, which are among the sensitive personal data belonging to the persons concerned, in cases stipulated by the laws; Personal data related to health and sexual life can only be provided with the express consent of the person concerned, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, care services, planning and management of health services and financing, by persons under the obligation of confidentiality or by authorized institutions and organizations. It can be transferred to 3rd parties without calling.

Information on the recipient groups, to which your personal data processed by the Company is transferred, is included in the Annex 4 – Third Parties to which Personal Data are Transferred and the Purposes of Transfer of this Policy.


4.2. International Transfer


Personal data cannot be transferred abroad without the explicit consent of the person concerned. In so far, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law and in the foreign country to which the personal data will be transferred;

● Availability of adequate protection,

● In the absence of adequate protection, data controllers in Turkey and in the relevant foreign country must undertake in writing to provide adequate protection and the Board has permission,

may be transferred abroad without seeking the explicit consent of the person concerned, provided that the


V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSE OF PROCESSING


The purposes for the processing of personal data transmitted to our Company by the data subjects are as follows:

 

Execution of our Company's Management Activities

● Management of relations with business partners and suppliers

● Organization and event management

● Conducting social responsibility and civil society activities

● Execution of strategic planning activities

● Planning and execution of corporate communication activities

● Planning and execution of corporate governance activities

● Planning and execution of company audit activities

● Planning and execution of necessary operational activities to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation.

● Ensuring the security of company operations

● Realization of corporate and partnership law transactions

● Follow-up of finance and accounting works

● Carrying out internal audit, investigation, intelligence activities

● Execution of risk management processes

● Execution of emergency management processes

Continuing Our Company's Commercial Activities

● Execution of finance and accounting works

● Performing efficiency, productivity and appropriateness analyzes of business activities

planning and execution of activities

● Planning and execution of business continuity activities

● Execution of contract processes

● Activities related to sustainability

● Development of company systems

● Planning and execution of sales processes of products and services

● Conducting efficiency analysis

● Execution of investment processes

Performing Customer Relations, Offer and Marketing Activities

● Execution of loyalty processes of company products / services

● Managing customer relations processes

● Carrying out activities for customer satisfaction

● Realization of market research activities

● Execution of marketing and analysis studies

● Follow-up of requests and complaints

● Execution of marketing processes of services

Determination and Management of Our Company's Human Resources Policies

● Execution of candidate/intern/student selection and placement processes

● Execution of the application processes of working candidates

● Execution of employee satisfaction and loyalty processes

● Fulfillment of obligations arising from employment contracts and regulations for employees

● Execution of new rights and benefits processes for employees

● Planning and execution of employees' access to information authorizations

● Monitoring and/or supervision of employees' business activities

● Execution of assignment processes

● Execution of wage policy

● Execution of performance evaluation processes

● Planning and/or execution of in-house training activities

● Planning and execution of in-house orientation activities

● Execution of talent and career development activities

Execution of Legal, Commercial and Physical Security Processes of Our Company

● Execution of information security processes

● Creation and management of information technology infrastructure

● Conducting audit / ethical activities

● Execution of access authorizations

● Execution of activities in accordance with the legislation

● Physical space security provision

● Follow-up and execution of legal affairs

● Execution of storage and archive activities

● Ensuring the security of movable property and resources

● Ensuring the security of data controller operations

● Providing information to authorized persons, institutions and organizations

● Creation and tracking of visitor records

 

Your personal data has been categorized by the Company within the framework of the above-mentioned processing purposes and is processed in accordance with the personal data processing conditions in the Law and relevant legislation. The categorization of the processed personal data is shown in the APPENDIX 3 – Personal Data Categories section of this Policy .


VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA


Administrative and technical measures are taken by the Company to securely store personal data, to prevent unlawful processing and access to personal data.

In order to ensure personal data security, it is determined what all personal data processed by the Company is and the possibility of realization of the risks that may arise regarding the protection of this data; While determining these risks, whether the personal data is sensitive personal data (1), what degree of confidentiality it requires due to its nature (2), and the nature and quantity of the damage that may arise in the case of a security breach (3) are taken into account.

After defining and prioritizing these risks; control and solution alternatives to reduce or eliminate the said risks; cost, applicability and usefulness should be evaluated in line with the principles, necessary technical and administrative measures are planned and put into practice.


6.1.
 Administrative Measures


Even if employees have limited information about attacks that will harm personal data security and cyber security, it is of great importance to ensure personal data security. For this reason, awareness and information activities are carried out in our internal organization as a data controller.

Providing necessary training on issues such as not revealing and sharing personal data unlawfully, conducting awareness activities for employees and creating an environment where security risks can be determined; It is ensured that everyone working with the data controller, regardless of their position, determines their roles and responsibilities regarding personal data security in their job descriptions and that employees are aware of their roles and responsibilities in this regard.

On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.

In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the change to the employees, and the information about the threats to data security and security is kept up-to-date.

Personal data must be accurate and up-to-date when necessary in accordance with Article 4(b) and (d) of the Law, and must be kept for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities, and are kept for the period required for the purpose for which they are processed. The retention periods of personal data processed by the company are specified in VIII of this Policy. It is shown in the STORAGE AND DISPOSAL OF PERSONAL DATA .

The table below provides a summary of the administrative measures taken to ensure data security:

Administrative Measures

Preparation of Personal Data Processing Inventory

Corporate Policies (Access, Information Security, Use, Storage and Disposal etc.)

Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)

Privacy Commitments

In-house Periodic and/or Random Audits

Risk Analysis

Employment Contract, Disciplinary Regulation (Adding Legal Provisions)

Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)

Education and Awareness Activities (Information Security and Law)

Personal Data Security Policies and Procedures

Rapid Reporting of Personal Data Security Issues

Monitoring Personal Data Security

Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees

Personal Data Is Reduced As Much As Possible

Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage and Disposal

Removal of Authorities in this Area of Employees with a Change in Job or Leaving Work

Include Data Security Provisions on Signed Contracts

Identification of Current Risks and Threats

In-house periodic and/or random inspections are made and made

Identified and Implementation of Protocols and Procedures Regarding Special Quality Personal Data Security

Raising Awareness of Data Processing Service Providers on Data Security

 

6.2. Technical Measures


Firewalls and gateways are used among the measures taken to protect my information technology systems containing personal data against unauthorized access and threats by third parties over the internet. With the firewall used, violations of the information network are stopped, and with the gateway, employees' access to websites or online platforms that pose a threat to personal data security is restricted.

In addition, regular checks are made regarding the proper functioning of the software and hardware and whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted, and within this scope, employees are granted access to the extent necessary for their jobs and duties, and their authorities and responsibilities, and access to the relevant systems is provided by using a user name and password. While creating the aforementioned passwords, numbers or letter sequences associated with personal information that can be easily guessed are avoided as much as possible.

Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used to protect against malicious software.

In order to ensure data security, necessary measures are taken to ensure that documents in paper media containing personal data and servers, backup devices, CD, DVD, USB and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.

The table below provides a summary of the administrative measures taken to ensure data security:

Technical Measures

Authority Matrix

Authority Control

User Account Management

Network Security

Application Security

Encryption

Data Loss Prevention Software

Backup

Firewalls

Current Anti-Virus Systems

Deletion, Destruction, or Anonymization

Key Management

 

VII. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING IN THE BUILDING AND FACILITY


7.1. Camera Monitoring Activity at Building, Facility Entrances and Inside

Within the scope of the Law on Private Security Services, camera monitoring is carried out in order to ensure the security of the Company building, workplaces, outbuildings, parking lot and its surroundings, and to protect the interests of the Company and other persons. The camera monitoring activity is carried out in accordance with the Law and is carried out within the scope of the data processing conditions listed both in the Law and in this Policy.

7.2. Monitoring of Guest Entrance and Exit Carried out at Building, Facility Entrances and Inside

Identity information of the guests visiting our Company is subject to personal data processing in order to control and monitor the entrances and exits to the company buildings and facilities and to ensure security. The personal data processed within the scope of this activity are only limited to the guests' entry and exit, and the relevant personal data is recorded in the data recording system in electronic or physical environment.


VIII. STORAGE AND DISPOSAL OF PERSONAL DATA


8.1. Retention Periods of Personal Data


Your personal data held by our company are kept for as long as the data processing activity is necessary; In the event that the obligation to delete, destroy or anonymize personal data arises, it is deleted, destroyed or anonymized within the first periodic destruction period following the date of occurrence of this obligation.

The period of time for periodic destruction is limited to a maximum of 6 months.

Our company acts in accordance with the general principles set forth in article 4 of the Law and the technical and administrative measures set forth in article 12 in the deletion, destruction or anonymization of your personal data.

All transactions regarding the deletion, destruction or anonymization of personal data are recorded by us and are kept for at least 3 years in accordance with legal obligations.

Personal data specialist personnel assigned by the Company regarding the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.


8.2. Obligation to Delete, Destroy and Anonymize Personal Data


which requires processing in accordance with the provisions of the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" published in the Official Gazette dated 28 October 2017 and numbered 30224, prepared by Article 7 of the Law and the Personal Data Protection Board. In case the reasons disappear, it is deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner.

a)    Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users.

All necessary technical and administrative measures are taken to ensure that the deleted personal data cannot be accessed and reused for the relevant users.

b)    Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

c)    Anonymization of personal data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

All kinds of technical and administrative measures are taken by our Company to anonymize your personal data, and they are anonymized by applying methods in accordance with our personal data retention and destruction policy.


8.3. Deletion, Destruction and Anonymization Techniques of Personal Data


The techniques for deleting, destroying or anonymizing the personal data processed by our company are shown below, and which of the techniques to apply may vary depending on the nature of the personal data processed.

For this, first of all, determining the personal data that is the subject of deletion, destruction or anonymization (1), identifying the relevant users for each personal data using the access authorization and control matrix or a similar system (2), accessing the relevant users, It is necessary to determine the authorizations and methods such as retrieval and reuse (3), and to close and eliminate the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data (4).

The way to delete personal data is as follows:

● Deletion command in cloud or application type solutions,

● Blackening, cutting or making invisible data on paper media,

● Deletion of data on removable media using appropriate software.

The way to destroy personal data is as follows:

● Physical destruction of optical media and magnetic media by melting, burning or pulverizing,

● Other destruction on paper or electronic media.


IX. RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS


9.1. Rights of Personal Data Owner

In accordance with the Law No. 6698, in the capacity of data owner:

● Learning whether your personal data is processed,

● If your personal data has been processed, requesting information about it,

● Learning the purpose of processing your personal data and whether they are used in accordance with the purpose,

● Knowing the third parties to whom personal data is transferred at home or abroad,

● Requesting correction of personal data in case of incomplete or incorrect processing,

● Requesting the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7,

● Requesting notification of the third parties to whom personal data has been transferred, regarding the correction, deletion or destruction of data in case of incomplete or incorrect processing,

● Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,

● You have the right to demand the compensation of the damage in case of any damage due to the illegal processing of your personal data.


9.2. Exercise of Personal Data Owner's Rights


Requests regarding the implementation of the Law by the data subject can be sent to
[email protected] .tr or Gül Turizm ve Seyahat A.Ş. address should be forwarded to the Company. In the application requests, the " Data Owner " published by the Company on the website Application Form ” must be used.


9.3. Our Company's Response to Applications


The application is finalized by the Company as soon as possible depending on the nature of the request. This period cannot exceed 30 days. In so far, if the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.


APPENDIX – 1: Definitions

Explicit consent: Consent on a specific subject, based on information and expressed with free will,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Recipient group: The natural or legal person category to which personal data is transferred by the data controller,

Direct identifiers: identifiers that , by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship,

Indirect identifiers : Identifiers that come together with other identifiers, revealing, disclosing and making distinguishable the person they are in a relationship with,

Relevant person: The real person whose personal data is processed,

Relevant user: Real or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,

Destruction: Deletion, destruction or anonymization of personal data,

Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,

Blackening: Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,

Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,

Personal data: Any information relating to an identified or identifiable natural person,

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,

Board : Personal Data Protection Board,

Institution : Personal Data Protection Authority,

Data processor : The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

means.

 

APPENDIX – 2: Personal Data Owners

Data Subject Categories

Explanation

Worker

It refers to the people working within the company.

Employee Candidate

It refers to real persons who apply for a job by sending a CV or other methods to the Company.

Intern

It refers to the people who use the profession that they have been trained in the company practically to increase their knowledge of the profession.

Customer

It refers to the real persons who benefit from the services offered by the Company.

Potential Customer

It refers to real persons who show interest in using the services offered by the Company and have the potential to become customers.

supplier

It refers to natural persons and legal entity employees from whom services are provided.

Shareholders/ Partners

Refers to individuals who own at least one share of the Company.

Company official

Refers to the authorized persons operating on behalf of the company in matters authorized by the company.

Visitor

It refers to the third persons who visit the workplace and the website.

Work partners

It refers to the real persons and legal entity employees who are engaged in business and transactions in order to carry out service development and all other commercial activities.

 

APPENDIX – 3: Categories of Personal Data

Credentials

 

Identity data of natural persons. Information contained in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate (For example, TCKN, passport no., identity card serial no., name-surname, photo, place of birth, date of birth, age, registered in the population. place, copy of proof of identity card)

 

Communication information

 

Information used by our company to contact him (For example, phone number, e-mail address, residential address)

 

Personal Information

 

Personal data related to personal rights obtained from company suppliers, business partners employees (information included in personal information in accordance with the legislation)

 

Legal Action and

Compatibility Information

 

Data processed for the purpose of fulfillment of obligations arising from the legislation, other legal transactions and follow-up of receivables (For example, data in a court decision or administrative authority decision)

 

Customer information

 

Data obtained from our company's customers (For example, customer number, sector and profession information, etc.)

 

Customer Transaction Information

 

Information on transactions performed by our company's customers (For example, order request, instruction information, etc.)

 

Physical Space

Safety Information

 

Personal data collected during the entrance and exit to the company premises and during the stay in the physical space (For example, visitor information, camera recordings, etc.)

 

Transaction Security Information

 

Personal data processed for the purpose of ensuring information security, administrative, legal and commercial security of our company (For example, matching customer and order information)

 

Information on Financial Assets

 

All kinds of documents and record information showing the financial information of the personal data owner with whom a legal relationship is established with the company (For example, the current account of the data owner, other debit-credit balances and account and card information)

 

Employee Candidate Information

 

Name-surname, date of birth, place of birth, signature, marital status, address, telephone, gsm, important disease information, health status, emergency contact person, emergency telephone number, certificate information, educational status information, foreign language status information, professional experience information, reference information, information contained in the submitted resume, job interview notes data

 

Employee Information

 

Data regarding the qualification documents obtained from our employees (For example, training certificate information, certificate name, institution from which the training certificate was obtained, training place, name of the training / seminar attended, certificate date, faculty / department, name of the institution studied, city of study, end date of education , education level, type of institution studied, department, name of the institution where he works, city where he works, country where he works, field in which the firm operates, field of study in the institution, date of employment in the institution, etc.)

 

 

Employee Process Information

 

Personal data regarding all kinds of transactions kept at the Company due to the activities carried out by our employees (For example, information on company expenditures, international travel information, e-mail correspondence, entry-exit records, meeting attendance information, etc.)

 

Employee Performance

and Career Development

information

 

Personal data processed within the scope of employee performance evaluation and management of career development process (For example, in-service trainings, performance evaluation reports, etc.)

 

Data on Family Status

 

Information on family status of employees and customers

 

Marketing Information

 

be used by our company in marketing activities for individuals and that serve the purpose of marketing the Company's products and services (such as habits of the person collected for marketing purposes, targeting information, cookie records, etc.)

 

Visual and Audio Data

 

Visual and audio recordings associated with the personal data owner (For example, photographs, camera and audio recordings, etc.)

 

Audit and Inspection

information

 

Data processed within the scope of compliance with the obligations arising from the legislation and Company policies (For example, inspection reports, related interview records, etc.)

 

Request/Complaint

Management Information

 

Personal data processed within the scope of the management and evaluation process of any request or complaint directed to our company

 

Special Qualified Personal

Data

 

Data on health, criminal convictions and security measures

 

 

 

 

 

APPENDIX – 4: Third Parties to which Personal Data is Transferred and Purposes of Transfer

Transferred Person/Unit

Scope

Purpose of Transfer

Shareholders

Company shareholders

Limited transfer of personal data for the purpose of fulfilling the information flow between the company and the shareholders.

Work partners

Parties with which business partnerships are established within the scope of commercial activities carried out by the company

Limited transfer of personal data in order to ensure that the activities with business partners are carried out

Authorized public institutions and organizations

Legal relations between the legally authorized public institutions and organizations and the Company

Limited for the purpose of sharing/transferring the information and documents requested by the relevant public institutions and organizations from our Company.

suppliers

Parties from whom services are provided in order to continue the commercial activities of the company

Transfer of personal data limited to the provision of services received from suppliers

Whatsapp Telefon