Personal Data may only be processed by the Company within the scope of the following principles and procedures.
6.1 Explicit Consent
6.1.1 Personal Data is processed by the Company only if the Data Subjects give their Explicit Consent after being informed within the framework of fulfilling the Disclosure Obligation and provided that the Data Subjects give their Explicit Consent.
6.1.2 Before obtaining Explicit Consent, the rights of Data Subjects are notified within the framework of the Disclosure Obligation.
6.1.3 Explicit Consent of the Data Subject is obtained by methods compliant with the Personal Data Protection Legislation. Explicit Consents are kept by the Company for the required period within the scope of the Personal Data Protection Legislation in a way that can be proven.
6.1.4 The Committee is responsible for ensuring the fulfillment of the Disclosure Obligation and, if necessary, obtaining Explicit Consent and maintaining the obtained Explicit Consent for all Personal Data Processing processes. All department employees processing Personal Data, the Contact Person, and the Committee are obliged to comply with the instructions of this Policy and the KVKK Procedures annexed to this Policy.
6.2 Processing of Personal Data without Explicit Consent
In cases where processing of Personal Data without Explicit Consent is envisaged within the scope of the KVKK Regulations (Article 5.2 of the KVKK), the Company may process Personal Data without obtaining the Explicit Consent of the Data Subject. In the event of processing Personal Data in this manner, the Company processes Personal Data within the limits set by the KVKK Regulations. In this context;
6.2.1 Personal Data may be processed by the Company without Explicit Consent if expressly provided for in laws.
6.2.2 If it is mandatory to protect the life or bodily integrity of the Data Subject or someone else due to actual impossibility to disclose consent or lack of legal validity of consent, Personal Data may be processed by the Company without Explicit Consent.
6.2.3 If processing of Personal Data is necessary for the establishment or performance of a contract directly related to the parties to the contract, Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects.
6.2.4 If processing of Data is necessary for the Company to fulfill its legal obligations, Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects.
6.2.5 Personal Data that has been made public by the Data Subject may be processed by the Company without obtaining Explicit Consent.
6.2.6 If processing of Personal Data is necessary for the establishment, exercise, or protection of a right, Personal Data may be processed by the Company without obtaining Explicit Consent.
6.2.7 Personal Data may be processed by the Company without obtaining Explicit Consent if it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
7.1 Special Categories of Personal Data may only be processed if the Data Subject gives Explicit Consent or processing is explicitly required by law, except for personal data regarding sexual life and personal health data.
7.2 Personal data related to health and sexual life may only be processed without obtaining Explicit Consent for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and their financing, by persons who are under the obligation of confidentiality (e.g., Company Physician) or authorized institutions and organizations.
7.3 Precautions determined by the Board are taken when processing Special Categories of Personal Data.
7.4 For the processing of Special Categories of Personal Data, the Company:
7.4.1. The Company will regularly provide training on KVKK Regulations and the security of Special Categories of Personal Data.
7.4.2. Confidentiality agreements will be made.
7.4.3. Access scopes and periods of users with access to Special Categories of Personal Data will be clearly defined.
7.4.4. Periodic authorization checks will be carried out.
7.4.5. In case of job changes or resignations, the authorities of the employees in this field will be immediately revoked, and the inventory allocated to the relevant employee will be immediately recovered.
7.5 In the event of transfer of Special Categories of Personal Data to electronic environments, the Company:
7.5.1. Will continuously monitor security updates of the environments where Special Categories of Personal Data are located.
7.5.2. Will perform user authorizations for software accessing Special Categories of Personal Data.
7.5.3. Will provide a two-step authentication system in case of remote access to Special Categories of Personal Data.
7.6. In case of processing of Special Categories of Personal Data in physical environment, the Company:
7.6.1. Ensures that sufficient security measures (against electrical leakage, fire, water flooding, theft, etc.) are taken according to the nature of the environment where Special Categories of Personal Data are located.
7.6.2. Ensures the physical security of these environments and prevents unauthorized access.
7.6.3. Ensures that Special Categories of Personal Data are kept in locked or sealed cabinets.
7.7. The Company may process Special Categories of Personal Data by making the data anonymous, provided that it does not harm any fundamental rights and freedoms.
8.1 Transfer of Personal Data may be possible only in accordance with the procedures and principles specified in the KVKK Regulations.
8.2 The Company may transfer Personal Data both domestically and internationally. The Company takes the following measures for the transfer of Personal Data:
8.2.1. In international transfers, the countries to which Personal Data will be transferred are checked by the Company regarding whether they have adequate protection or not. In cases where adequate protection is not available, Explicit Consent is obtained from Data Subjects, and alternative methods such as contracts with sufficient guarantees or permissions of the Board are sought.
8.2.2. The Company carries out the necessary technical and administrative measures to ensure that Personal Data is processed within the country or abroad in accordance with the provisions of the Personal Data Protection Legislation.
8.3 In the event of any transfer of Personal Data to third parties, the Company ensures that the provisions regarding the transfer of Personal Data within the scope of this Policy and the KVKK Procedures are included in the contracts concluded with these third parties.
9.1 The Data Subject may request information about:
9.1.1 Whether Personal Data is processed or not,
9.1.2 If Personal Data is processed, requesting information about it,
9.1.3 The purpose of processing Personal Data and whether they are used for this purpose,
9.1.4 The third parties to whom Personal Data is transferred domestically or internationally,
9.1.5 Correction of Personal Data in case of incomplete or incorrect processing,
9.1.6 Requesting the deletion or destruction of Personal Data in accordance with the provisions of the Personal Data Protection Legislation,
9.1.7 Requesting notification of the transactions made pursuant to Articles 9.1.5 and 9.1.6 to third parties to whom Personal Data has been transferred,
9.1.8 Objection to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
9.1.9 Requesting the compensation of the damages in case of damage due to the processing of Personal Data unlawfully.
9.2. In case the Data Subject submits his/her requests regarding his/her rights mentioned above to the Company via the methods determined by the Board, the Company fulfills these requests free of charge within the scope of the Personal Data Protection Legislation and within the legal periods.
9.3 The Company may accept the Data Subject's requests within the scope of the Personal Data Protection Legislation and may reject them with a written response with the reasons within the legal periods.
10.1. The Company fulfills the Disclosure Obligation within the scope of the Personal Data Protection Legislation.
10.2. The Company fulfills the Disclosure Obligation by fulfilling the following obligations:
10.2.1. Informing the Data Subject about the identity of the data controller and, if any, the representative,
10.2.2. Informing the Data Subject about the purposes of processing Personal Data,
10.2.3. Informing the Data Subject about the persons to whom and the purposes for which Personal Data may be transferred domestically or internationally,
10.2.4. Informing the Data Subject about the method and legal reason of collecting Personal Data,
10.2.5. Informing the Data Subject about his/her rights mentioned in Article 9, and how to use these rights,
10.2.6. Informing the Data Subject about the obligations of the data controller specified in Article 12,
10.2.7. Informing the Data Subject about other rights not covered in Article 9 that the data subject may benefit from pursuant to the relevant laws,
10.2.8. Informing the Data Subject about the procedure and principles regarding the application to the Company within the scope of Article 13,
10.2.9. Informing the Data Subject about the rules and principles regarding the processing of Personal Data and the changes in the rules,
10.2.10. Informing the Data Subject about the measures taken by the Company regarding the security of Personal Data and the results of the conducted audits,
10.2.11. Informing the Data Subject about the consequences of not providing Personal Data.
11.1. This Policy enters into force upon approval by the Company's Board of Directors.
11.2. The Company's Legal Affairs Directorate is responsible for the implementation and monitoring of this Policy. The Legal Affairs Directorate coordinates with the relevant units and personnel in order to ensure the implementation and monitoring of the Policy.
11.3. The Company's Legal Affairs Directorate reviews this Policy and the KVKK Procedures annexed to this Policy at least once a year and submits them to the Company's Board of Directors for approval.
11.4. The amendments made in this Policy and the KVKK Procedures annexed to this Policy are notified to the relevant persons within the Company by the Company's Legal Affairs Directorate.
11.5. The Company's Legal Affairs Directorate is responsible for answering questions from the Data Subject or other relevant persons regarding this Policy and the KVKK Procedures annexed to this Policy and for providing necessary information.
11.6. This Policy is kept in the Company's archive and is published on the Company's website.
TR
