Privacy Policy

KVKK - Personal Data Processing and Protection Policy

KVKK - Personal Data Processing and Protection Policy

PERSONAL DATA PROCESSING AND PROTECTION POLICY

§ 1.INTRODUCTION

1.1. Introduction

As Gamze Arslan (“Company”), we attach utmost importance to the legal processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”) and we act with this care in all our planning and activities. With this awareness, we present this Personal Data Processing and Protection Policy (“Policy”) for your information in order to fulfill the obligation to inform within the scope of Article 10 of the Law and to inform you of all administrative and technical measures we have taken within the scope of the processing and protection of personal data.

1.2. Purpose of the Policy

The main purpose of this Policy is to provide explanations on the systems for processing and protecting personal data in accordance with the law and the purpose of the Law, and to inform the persons whose personal data is processed by our Company, especially Company Shareholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection activities of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation regarding personal data.

1.3. Scope of the Policy and Personal Data Owners

This Policy has been prepared for the persons whose personal data is processed by our Company, primarily Company Shareholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties, through automatic or non-automatic means provided that they are part of any data recording system, and will be applied within the scope of these specified persons. This Policy will not be applied to legal entities or legal entity data in any way.

Our Company informs the Personal Data Owners in question about the Law by publishing this Policy on its website. The Personal Data Processing Policy for Employees will be applied to our Company employees. This Policy will not be applied if the data is not included in the scope of “Personal Data” within the scope specified below or if the Personal Data processing activity carried out by our Company is not carried out through the methods specified above.

In this context, personal data owners within the scope of this Policy are as follows:

Company Stakeholder

The Company's Shareholders are real persons.

Company Natural Person Business Partner

They are real persons with whom the Company has any kind of business relationship.

Stakeholders, Authorities and Employees of Company Business Partners

All natural persons, including employees, shareholders and officials of natural and legal persons (such as business partners and suppliers) with whom the Company has any kind of business relationship.

Company Official

They are the members of the Company's board of directors and other authorized real persons.

Employee Candidate

They are real persons who have applied for a job with the Company through any means or have made their CV and related information available for review by the Company.

Company Customer

They are real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Group Company Customer

They are real persons who use or have used the products and services offered by the Company Group Companies, regardless of whether the Company has any contractual relationship with the Group Companies.

Potential Customer

They are real persons who have requested or shown interest in using the Company's products and services or who have been assessed in accordance with commercial practices and rules of integrity as likely to have such interest.

Visitor

All real persons who enter the physical premises of the Company for various purposes or visit the websites for any purpose.

Third Party

Other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.

1.4.Definitions

The concepts used in this Policy have the following meanings:

Company/ Our Company

It is GAMZE ARSLAN.

Personal Data/Data

Any information relating to an identified or identifiable natural person.

Special Personal Data/Data

Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Processing of Personal Data

It is any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system.

Personal Data Owner/Relevant Person

Refers to individuals whose personal data is processed by the company.

Group Company

It refers to the company/companies affiliated with the group to which the Company is affiliated.

Data Recording System

It refers to the registration request in which personal data is structured and processed according to certain criteria.

Data Controller

It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.

Explicit Consent

It is consent regarding a specific subject, based on information and expressed with free will.

Anonymization

It is the process of making data that was previously associated with a person incapable of being associated with an identified or identifiable natural person, even by matching it with other data.

Law

Refers to the Personal Data Protection Law No. 6698.

Personal Data Protection Board

It is the Personal Data Protection Board.


§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles in the Processing of Personal Data

The Company processes Personal Data in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:

  • Personal Data is processed in accordance with the relevant legal rules and the requirements of the principle of good faith.

  • Personal Data is ensured to be accurate and up-to-date. In this context, issues such as the sources from which the data is obtained being identified, its accuracy being confirmed, and whether it needs to be updated being assessed are carefully taken into consideration.

  • Personal Data is processed for specific, clear and legitimate purposes. The legitimate purpose means that the Personal Data processed by the Company is related to and necessary for the business it performs or the service it offers.

  • Personal Data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of Personal Data that is not related to the purpose or is not needed is avoided. The processed data is limited to only what is necessary to achieve the purpose. In this context, the Personal Data processed is related to the purpose for which it is processed, limited and proportionate.

  • If there is a period of time stipulated for the storage of data in the relevant legislation, it complies with this period; otherwise, Personal Data will be stored only for the period necessary for the purpose for which it is processed. If there is no longer a valid reason for the further storage of Personal Data, the data in question will be deleted, destroyed or anonymized.

2.2. Conditions for Processing Personal Data

The Company does not process Personal Data without the explicit consent of the data owner. If one of the following conditions is met, Personal Data may be processed without the explicit consent of the data owner.

  • The Company may process the Personal Data of Personal Data Owners in cases clearly stipulated by law, even without explicit consent. For example; pursuant to Article 230 of the Tax Procedure Law, the explicit consent of the relevant person will not be required for the name of the relevant person to be included on the invoice.

  • Personal Data may be processed without explicit consent for the protection of life or physical integrity of individuals who are unable to give their consent due to a de facto impossibility or whose consent cannot be recognized as valid, or of another person. For example, in a situation where the person is unconscious or mentally ill and their consent is not valid, the Personal Data of the Personal Data Owner may be processed during medical interventions in order to protect life or physical integrity. In this context, data such as blood type, past illnesses and surgeries, and medications used may be processed through the relevant health system.

  • Personal Data of the parties to a contract may be processed by the Company, provided that it is directly related to the establishment or execution of a contract. For example, the account number of the creditor party may be obtained for the payment of money in accordance with a contract.

  • The Company may process Personal Data of Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.

  • The Company may process the Personal Data of the Personal Data Owners, which have been made public by them, in other words, disclosed to the public in any way, as long as the legal interest to protect them has disappeared.

  • The Company may process Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is necessary for the exercise or protection of a legitimate right.

  • The Company may process the Personal Data of Personal Data Owners in cases where processing of Personal Data is mandatory for the provision of its legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of Personal Data Owners.

2.3. Conditions for Processing Special Personal Data

The Company does not process Personal Data of a Special Nature without the explicit consent of the person concerned. However, Personal Data other than health and sexual life may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal Data related to health and sexual life are processed by the Company only for the purposes of protecting public health, conducting preventive medicine, medical diagnosis and treatment and care services, planning and managing health services and their financing, and without the explicit consent of the person concerned under conditions where we are under a confidentiality obligation. The Company carries out the necessary procedures to take adequate measures determined by the Board in the processing of Personal Data of a Special Nature.

2.4. Conditions for Transfer of Personal Data

Our Company may transfer the Personal Data of Personal Data Owners and Special Personal Data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, our Company, in line with the legitimate and lawful Personal Data processing purposes, is based on one or more of the Personal Data processing conditions specified in Article 5 of the Law and limited to

Personal Data to third parties:

  • If the Personal Data owner has express consent;

  • If there is a clear regulation in the laws regarding the transfer of Personal Data, if it is mandatory to protect the life or physical integrity of the Personal Data owner or someone else, and

  • If the Personal Data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid,

  • If it is necessary to transfer Personal Data belonging to the parties to a contract, provided that it is directly related to the establishment or execution of a contract,

  • If the transfer of Personal Data is mandatory for our Company to fulfill its legal obligations,

  • If the Personal Data has been made public by the Personal Data owner,

  • If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,

  • If the transfer of Personal Data is mandatory for the legitimate interests of our Company, it may be transferred, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.

2.4.1. Conditions for Transfer of Personal Data Abroad

Our Company may transfer the Personal Data and Special Personal Data of Personal Data Owners to third parties abroad by taking the necessary security measures in line with the purposes of processing Personal Data. Our Company may transfer Personal Data to foreign countries declared by the Personal Data Protection Board as having sufficient protection or, in the absence of sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have undertaken in writing to provide sufficient protection and where the Personal Data Protection Board has given its permission.

2.5. Conditions for Transfer of Special Personal Data

The Company may transfer the Personal Data Owner's Special Personal Data to third parties in the following cases, in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking the sufficient measures prescribed by the Personal Data Protection Board.

  • In case of explicit consent of the Personal Data Owner, or

  • In case of the existence of the following conditions, without the explicit consent of the Personal Data Owner;

  • Personal Data of a Special Nature (data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data) other than the health and sexual life of the Personal Data Owner, in cases prescribed by law,

  • Sensitive Personal Data regarding the health and sexual life of the Personal Data Owner may only be disclosed by persons or authorized institutions and organizations that are under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

2.5.1. Transfer of Special Personal Data Abroad

The Company may transfer the Personal Data Owner's Special Personal Data to foreign countries where there is a data controller that has sufficient protection or undertakes sufficient protection in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking the sufficient measures prescribed by the Personal Data Protection Board, in the following cases.

  • In case of explicit consent of the Personal Data Owner, or

  • Without the explicit consent of the Personal Data Owner, if the following conditions are met;

  • Personal Data of a Special Nature (data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data) other than the health and sexual life of the Personal Data Owner, in cases prescribed by law,

  • Sensitive Personal Data regarding the health and sexual life of the Personal Data Owner may only be disclosed by persons or authorized institutions and organizations that are under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

§ 3. PURPOSES OF PROCESSING AND TRANSFERRING PERSONAL DATA, PERSONS TO WHICH IT WILL BE TRANSFERRED

3.1. Purposes of Processing and Transfer of Personal Data

Personal Data; In accordance with the law and the purpose of the Law, the Company,

  • Planning and implementing human resources policies in the best possible way,

  • Correct planning, execution and management of commercial partnerships and strategies,

  • Ensuring the legal, commercial and physical security of himself and his business partners,

  • Ensuring institutional functioning, planning and execution of management and communication activities,

  • To ensure that Personal Data Owners benefit from our products and services in the best way possible and to recommend them by customizing them according to their demands, needs and requests,

  • Ensuring data security at the highest level,

  • Creation of databases,

  • Improving the services offered on the website and correcting errors on the website,

  • Communicating with Personal Data Owners who submit their requests and complaints and ensuring request and complaint management,

  • Event management,

  • Management of relationships with business partners or suppliers,

  • Carrying out personnel recruitment processes,

  • Supporting Group Companies in their personnel recruitment processes and compliance with relevant legislation,

  • Planning and execution of audit activities to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,

  • Supporting the planning and execution processes of fringe benefits and benefits to be provided to himself and the senior executives of the Group Companies,

  • Providing support to Group Companies in carrying out corporate and partnership law transactions,

  • Execution/monitoring of financial reporting and risk management processes,

  • Execution/follow-up of company legal affairs,

  • Carrying out activities to protect its reputation,

  • Managing investor relations,

  • Providing information to authorized institutions based on legislation,

  • Creation and monitoring of visitor records.

It is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to its purposes. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company regarding the relevant processing process.

3.2. Persons to Whom Personal Data Will Be Transferred

Personal Data may be shared with our business and solution partners, banks and third parties who perform technical, logistical and other similar transactions on our behalf, in order to ensure that the services provided to you are complete and flawless, and only to the extent that it is appropriate for the nature of the service. These third parties are the persons who must have access to the relevant information in order to provide the relevant services completely and flawlessly.

Apart from these, your Personal Data may also be transferred - only to the relevant person or institution - in cases where it is necessary to share data with third parties in order to provide the service fully and flawlessly, where it is mandatory for the Company to fulfill its legal obligations, where it is clearly stipulated in the laws or where there is a judicial/administrative order issued in accordance with the laws.

Some of the Personal Data may be shared with advertisers in an anonymized form, only in aggregate with information about other users, in order to enable advertisements to be tailored to the target audience.

Anonymized data is information that cannot be matched with our visitors/customers and does not contain your personal information or make your identity determinable. Your privacy is secured in anonymized data.

§ 4. COLLECTION METHOD AND LEGAL REASON OF PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION AND STORAGE PERIOD

4.1. Method and Legal Reason for Collecting Personal Data

For the purpose of auditing compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data is collected in all kinds of verbal, written, electronic media; through technical and other methods, stores, sales points, call center, Company website, mobile application, and various means, in order to fulfill the responsibilities arising from the law in a complete and accurate manner within the framework of legal reasons based on legislation, contract, request and demand, and processed by the Company or data processors assigned by the Company in order to achieve the purposes stated in the Policy.

4.2. Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, the Company shall delete, destroy or anonymize Personal Data ex officio or upon the request of the data owner, in the event that the reasons requiring processing are eliminated, despite having processed it in accordance with the provisions of this Law and other laws. By deleting Personal Data, these data are destroyed in a way that they cannot be used again and cannot be retrieved. Accordingly, Personal Data is deleted from the means such as documents, files, CDs, diskettes and hard disks on which they are recorded, in a way that they cannot be recycled. Destruction of Personal Data refers to the destruction of data-storage materials such as documents, files, CDs, diskettes and hard disks where the data is recorded, in a way that the information cannot be retrieved and used again. By anonymizing data, it is meant that Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.

4.3. Storage Period of Personal Data

The Company stores Personal Data for the period specified in the legislation, if required by the legislation. If no period is regulated in the legislation regarding the period for which personal data should be stored, Personal Data is processed for the period required by the Company's practices and commercial practices, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymized.

If the purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and the Company have also expired; personal data may only be stored for the purpose of providing evidence in possible legal disputes or for the purpose of asserting the relevant right related to personal data or establishing a defense. In establishing the periods herein, the storage periods are determined based on the limitation periods for asserting the said right and the examples of previous requests made to the Company on the same issues despite the expiration of the limitation periods. In this case, the stored personal data is not accessed for any other purpose and access is provided to the relevant personal data only when it is necessary to be used in the relevant legal dispute. Here again, after the mentioned period has expired, the personal data is deleted, destroyed or anonymized.

Detailed regulations regarding the Company's techniques for storing, deleting, destroying and anonymizing Personal Data are included in the Company's Personal Data Storage and Destruction Policy.

§ 5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to prevent the unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to ensure the appropriate level of security, and to conduct or have conducted the necessary audits within this scope.

5.1. Ensuring the Security of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The Company takes technical and administrative measures in accordance with technological possibilities and implementation costs to ensure that Personal Data is processed in accordance with the law.

  • Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • Personal Data processing activities carried out within the Company are supervised by established technical systems.

  • The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.

  • Personnel knowledgeable in technical matters are employed.

  • Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • Employees are informed and trained about Personal Data protection law and the lawful processing of Personal Data.

  • All activities carried out by the Company are analyzed in detail across all business units, and as a result of this analysis, Personal Data processing activities are revealed in terms of the activities carried out by the relevant business units.

  • Personal Data processing activities carried out by the Company's business units; the requirements to be fulfilled to ensure that these activities comply with the Personal Data processing conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.

  • In order to ensure legal compliance requirements determined on a business unit basis, awareness is created and application rules are determined for the relevant business units; necessary administrative measures are implemented through in-company policies and training to ensure the control of these issues and the continuity of the application.

  • The contracts and documents governing the legal relationship between the Company and its employees include records that impose obligations not to process, disclose or use Personal Data, except for the Company's instructions and exceptions provided by law, and employees are made aware of this issue and audits are conducted to fulfill obligations arising from the Law.

5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company takes technical and administrative measures in accordance with the nature of the data to be protected, technological possibilities and implementation costs to prevent reckless or unauthorized disclosure, access, transfer or any other unlawful access of Personal Data.

  • Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

  • Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.

  • Access rights are limited and reviewed regularly.

  • The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

  • Software and hardware including virus protection systems and firewalls are installed.

  • Personnel knowledgeable in technical matters are employed.

  • Applications in which Personal Data is collected are subject to regular security scans to identify security vulnerabilities. Any vulnerabilities found are closed.

  • Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained on technical measures to prevent unlawful access to Personal Data.

  • Access to and authorization processes for Personal Data are designed and implemented within the Company in accordance with legal compliance requirements for processing Personal Data on a business unit basis.

  • Employees are informed that they cannot disclose the Personal Data they have learned to anyone else in violation of the provisions of the Law and cannot use it for purposes other than processing, and that this obligation will continue after they leave office, and the necessary commitments are obtained from them in this regard.

  • Provisions are added to the contracts concluded by the Company with the persons to whom Personal Data is lawfully transferred, stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.3. Storing Personal Data in Secure Environments

The Company takes the necessary technical and administrative measures, in accordance with technological possibilities and implementation costs, to store Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

  • Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by the Company to store Personal Data in secure environments are listed below:

  • Systems compatible with technological developments are used to store Personal Data in secure environments.

  • Personnel specialized in technical matters are employed.

  • Technical security systems are established for storage areas, security tests and research are conducted to identify security vulnerabilities on information systems, and existing or potential risk issues identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.

  • Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.

  • Access to the environments where Personal Data is kept is restricted, allowing only authorized persons to access this data limited to the purpose for which the personal data is stored, and access to the data storage areas where Personal Data is located is logged, and any inappropriate access or access attempts are instantly communicated to the relevant parties.

  • Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:

  • Employees are trained to ensure that Personal Data is stored securely.

  • Legal and technical consultancy services are received to follow the developments in the fields of information security, confidentiality of private life and protection of personal data and to take the necessary actions.

  • In the event that the Company receives an external service due to technical requirements regarding the storage of Personal Data, the contracts concluded with the relevant companies to which Personal Data is lawfully transferred shall include provisions stating that the persons to whom Personal Data is transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.4. Audit of Measures Taken for the Protection of Personal Data

The Company conducts or has conducted the necessary audits within its own organization in accordance with Article 12 of the Law. The results of these audits are reported to the relevant department within the scope of the Company's internal operations and the necessary activities are carried out to improve the measures taken.

5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

The Company operates a system that ensures that if Personal Data processed in accordance with Article 12 of the Law is obtained by others through illegal means, this situation is reported to the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the PDP Board's website or by another method.

5.2. Observance of the Legal Rights of Personal Data Owners

The Company observes all legal rights of Personal Data Owners through the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information on the rights of Personal Data Owners is provided in the sixth section of this Policy.

5.3. Protection of Special Personal Data

The law attaches special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed illegally. These data include data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. The Company shows utmost sensitivity to the protection of special Personal Data determined as “special” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with utmost care in terms of Special Personal Data, and the necessary controls are provided within the Company in this regard.

§ 6. RIGHTS OF THE PERSONAL DATA OWNER, EXERCISE AND EVALUATION OF RIGHTS

6.1. Information to the Personal Data Owner

The Company, in accordance with Article 10 of the Law, provides information to Personal Data Owners during the collection of Personal Data. In this context, if any, the identity of the Company representative, for what purpose the Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method and legal reason for collecting Personal Data, and the rights of the Personal Data Owner are provided.

6.2. Rights of the Personal Data Owner According to the Personal Data Protection Law

The Company informs you of your rights pursuant to Article 10 of the Law; provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical arrangements for all of these. The Company provides the following to persons whose Personal Data is collected pursuant to Article 11 of the Law;

  • Learning whether personal data is being processed,

  • To request information regarding the processing of personal data,

  • To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,

  • To know the third parties to whom Personal Data is transferred, either domestically or abroad,

  • To request correction of personal data if it is processed incompletely or incorrectly,

  • Request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,

  • Request that the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data has been transferred,

  • To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,

  • To request compensation in case of damages due to unlawful processing of Personal Data.

explains that they have rights.

6.3. Cases Where the Personal Data Owner Cannot Claim His Rights

Since the following cases are excluded from the scope of the Law in accordance with Article 28 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2) of this Policy in the following cases:

  • Personal Data is processed by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that it is not disclosed to third parties and that obligations regarding data security are complied with.

  • Processing of Personal Data by making it anonymous with official statistics for purposes such as research, planning and statistics.

  • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.

  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

  • Processing of Personal Data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law; Personal Data Owners cannot assert their rights listed in Article (6.2) of this Policy, except for the right to request compensation for damages, in the cases listed below:

  • Processing of Personal Data is necessary for the prevention of crime or criminal investigation.

  • Processing of personal data made public by the Personal Data Owner.

  • Personal Data processing is necessary for the performance of supervisory or regulatory duties and disciplinary investigations or prosecutions by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.

  • The processing of Personal Data is necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters.

6.4. Personal Data Owner's Exercise of Rights

Personal Data Owners may submit their requests regarding their rights listed in Article (6.2) of this Policy with information and documents that will identify them and through the methods specified below or other methods determined by the Personal Data Protection Board. https://www.lunagupy.com/kvkk-form They can fill out and sign the Application Form, which you can access from the link below, and send it to the Company free of charge:

  • After completing the application form, a signed copy must be delivered personally or through a notary public to Zafer Mah. Turgut Özal Cad. No:69 Buca/İzmir.

  • After completing the application form and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, the secure electronically signed form is sent via e-mail,

  • The applicant must come in person, submit an application with a document proving his/her identity and information and documents regarding the application subject, and submit the application form using the e-mail address previously notified to the Company and registered in the Company's system.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

6.5. The Company's Procedure and Time for Responding to Applications

The Company shall finalize the requests included in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee determined by the Personal Data Protection Board may be charged. The Company may accept the request or reject it by explaining the reason; it shall notify its response in writing or electronically. If the request included in the application is accepted, the Company shall fulfill the requirements of the request.

6.6. Personal Data Owner's Right to Complain to the Personal Data Protection Board

In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the data owner has the right to lodge a complaint with the Personal Data Protection Board within thirty days from the date on which he/she learns of the response and, in any case, within sixty days from the date of application.

§ 7. MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE COMPANY’S PERSONAL DATA PROCESSING AND PROTECTION POLICY

The Personal Data Committee has been established within the Company in accordance with the decision of the Company's senior management to manage this Policy and other policies related to and affiliated with this Policy. The Personal Data Committee is authorized and tasked to perform the necessary procedures for the storage and processing of Personal Data Owners' data in accordance with the law, this Policy and other policies related to and affiliated with this Policy. Detailed regulations regarding the persons assigned to the Personal Data Committee and their duties are included in the Personal Data Storage and Destruction Policy published on the Company's website.

§ 8. UPDATES, ADAPTATIONS AND CHANGES

8.1. Update and Compliance

The Company reserves the right to make changes to this Policy and other policies related to and related to this Policy due to changes in the Law, in accordance with the decisions of the Personal Data Protection Board or in line with the developments in the sector or in the field of informatics. Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are explained at the end of the Policy.