MALTEPE DEMİR SANAYİ TİCARET LTD. ŞTİ.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

 

  1. INTRODUCTION
  2. PURPOSE AND SCOPE
  3. DEFINITIONS
  4. ENFORCEMENT OF THE POLICY AND RESPONSIBILITIES
  5. PRINCIPLES ON PERSONAL DATA PROCESSING

5.1. General Principles on Processing Personal Data

5.1.1. Compliance with law and good faith

5.1.2. Integrity and up-to-dateness

5.1.3. Processing the personal data for certain, explicit and legitimate purposes

5.1.4. Processing the personal data for the intended purpose and in a limited and restrained manner

5.1.5. Processing the personal data for a limited period that is set forth under the applicable legislations or that is needed to attain the intended purpose

  6. CONDITIONS FOR PROCESSING THE PERSONAL DATA

6.2. Processing the Personal Data Due to Legal Requirements

6.3. Necessity to Process the Personal Data of Those Who Are Not Able to Express Their Consent or Whose Consent Is Not Valid As Per the Applicable Law in Order to Protect the Life or Bodily Integrity of the Said Person or Other Persons

6.4. Necessity to Process the Personal Data of the Contractual Parties on the Condition that it is Directly Related to Conclusion and Performance of an Agreement

6.5. Necessity for the Data Controller to Fulfill Its Respective Legal Obligations

6.6. Processing the Personal Data Anonymized by the Related Person

6.7. Processing the Personal Data Necessary to Establish, Exercise or Protect a Right

6.8. Processing the Personal Data for the Legitimate Interests of the Data Controller

  7. CONDITIONS FOR SPECIAL PERSONAL DATA

7.1. Processing the Special Personal Data In Case of Presence of the Related Person’s Explicit Consent

7.2. Processing the Special Personal Data Although There is No Explicit Consent of the Related Person Based on the Applicable Legislations

7.3. Processing the Special Personal Data Concerning Health and Sexual Life for the Purpose of Preventive Medicine, Medical Diagnosis, Performance of Treatment and Care Services, Planning and Management of Health Services and Financing on the Condition that It Will Be Under the Obligation of Secrecy

7.4. Measures To Be Taken for the Processing of the Special Personal Data

  8. TRANSFER OF THE PERSONAL DATA

8.1. Transfer of the Personal Data Locally

8.1.1. Presence of the explicit consent of the related person for the transfer of the personal data

8.1.2. Transfer of the personal data even if there is no explicit consent of the related person provided that the conditions for processing the personal data have been fulfilled

8.1.3. Transfer of the special personal data even if there is no explicit consent of the related person provided that the respective conditions have been fulfilled and it is required by the applicable legislations

8.2. Transfer of the Personal Data Internationally

8.2.1. Presence of the explicit consent of the related person for the transfer of their personal data internationally

8.2.2. Transfer of the personal data even if there is no explicit consent of the related person provided that the conditions for processing the personal data have been fulfilled

  9. DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA
  10. OBLIGATIONS OF THE COMPANY IN THE CAPACITY OF DATA CONTROLLER

10.1. Obligation to Inform

10.2. Obligation to Ensure the Security of the Personal Data

10.2.1. Obligation to prevent the personal data from being illegally processed

10.2.1.1. Technical measures to be taken to ensure that the personal data is legally processed

10.2.1.2. Administrative measures to be taken to ensure that the personal data is legally processed

10.2.2. Obligation to prevent the personal data from being illegally accessed

10.2.2.1. Technical measures to be taken to ensure that the personal data is legally accessed and the personal data is maintained accordingly

10.2.2.2. Administrative measures to be taken to ensure that the personal data is legally accessed and the personal data is maintained accordingly

10.2.3. Inspection on the measures taken for the protection of the personal data

  11. RIGHTS OF THE RELATED PARTY
  12. ENTERING INTO FORCE AND UPDATES

 

 

  1. INTRODUCTION

The Personal Data Protection Law (the “PDPL”), a product of long years of efforts in line with the compliance with the criteria of the European Union, was published in the Official Journal of 07.04.2016 and entered into force accordingly.

The PDPL mainly consists of regulations in line with the European Union’s Directive no. 95/46/EC and, upon the PDPL entering into force, the protection of the personal data of individuals has been brought under a holistic legal regulation.

Since the data of legal entities are already protected under the respective laws and regulations, under the pertinent provisions of the PDPL, the concept of personal data has been arranged in a way that provides protection of only the personal data in line with the respective directives of the European Union.

Under the pertinent provisions of the PDPL, a regulation has been enacted entitling individuals to protect the personal data and exercise the rights as listed under the article 11 of the PDPL and, it also regulates the aspects thereof such as the definition and classification of personal data by content, the processing of personal data, the information obligation, explicit consents and exceptions, the identification of obligations of real persons and legal entities processing the personal data, the establishment of the Personal Data Protection Board, and the methods for the submission of complaints and sanctions.

Under our commitments for principles concerning the superior service quality, respect to the rights of individuals, transparency and integrity within the organization of MALTEPE DEMİR SANAYİ TİCARET LTD. ŞTİ. (hereinafter referred to as the “Company”), it is the priority of our Company that the internal operations of our Company are to be arranged in line with the new regulations under the PDPL, and as per the pertinent provisions of the PDPL, the secondary regulations thereof, the decisions and regulations of the Personal Data Protection Board, finalized court orders and other respective legislations.

Therefore, this Policy has been issued and brought into effect so that the data subjects are able to exercise the rights under the PDPL and, the compliance with the PDPL is strictly attained accordingly.

  2. PURPOSE AND SCOPE

2.1. This Policy is intended to ensure that such regulations that are to be brought into effect in line with the above-mentioned basic principles for the compliance with the PDPL are effectively applied by the employees and business partners of our Company within the organization of the Company.

2.2. In line with the basic regulations as set forth under this Policy, such administrative and technical measures are to be taken within the business course of the Company as per the applicable legislations in respect of processing and protecting the personal data; necessary internal procedures are to be formed; all the training activities required to enhance the level of awareness in this respect are to be conducted and, appropriate and efficient inspection mechanisms as well as technological infrastructure, administrative and legal systems are to be established by means of taking all necessary measures under the PDPL for the compliance of the employees and business partners with the respective processes of the PDPL.

2.3. This Policy regulates the basic principles to be observed during the performance of all these processes and, the aspects thereof for which our Company is responsible so that the internal business courses are directed in line with the regulations enacted under the scope of the PDPL. Our Company will make efforts for the compliance in respect of the personal data protection through such internal procedures to be performed pursuant to the PDPL and other respective legislations. During the performance of their tasks, all the employees of our Company are obliged to act in accordance with the regulations brought into force by this Policy and as per the pertinent provisions of the PDPL and other respective legislations.

2.4. In case of the failure to comply with this Policy and the respective legislations, in addition to the penal and legal responsibilities as set forth under the said legislations, such sanctions up to the termination of the employment for a justified reason will be enforced within the organization of the Company based on the severity thereof and in line with the applicable legislations regulating the business life.

  3. DEFINITIONS

3.1. Explicit consent: This term means a consent declared with free will based on the information about a certain subject.

Since the burden of proof that the related person has been informed accordingly is on the data controller, the explicit consent of the related person and the information records concerning thereto are to be stored and protected in line with the internal procedures of the Company.

3.2. Anonymization: This term means the personal data has become anonymized so that it is not possible to match it with an identified or identifiable real person even by means of matching with other data.

It is possible to anonymize the personal data for various purposes and through different methods that would not breach the pertinent provisions of the PDPL and the scope of the Explicit Consent of the related person. Necessary measures will be taken within the organization of the Company to ensure that it is not possible to use the anonymized personal data to identify the related person by means of various methods.

3.3. Related person: This term means the real person, whose personal data is processed.

In line with the pertinent provisions of the PDPL and of this Policy, our Company will process and protect the personal data and the special personal data of the real person or legal entity customers as well as the legal entity business partners, shareholders, executives or employees of our Company and, the Company’s consultants, advisers, solution partners, guests and employees.

3.4. Personal data: This term means any type of information about a real person that is identified or identifiable.

All information that makes the related person identifiable is defined as personal data, including but not limited to Turkish ID number, name & surname, e-mail address, phone number, address, date of birth and bank account number. This data has been classified within the organization of our Company and a Personal Data Processing Inventory has been established to define in what way, by whom, for what purposes and for how long the different personal data under the separate categories is to be processed.

3.5. Personal Data Processing: This term means any type of processing carried out on the data such as collection, storage, maintenance, modification, rearrangement, disclosure, transfer, taking over, acquirement, classification or prevention of use of the personal data by means of fully or partly automatic processes or automatic processes as a part of any data recording system.

3.6. Special Personal Data: This term means data concerning race, ethnical origin, political opinion, faith, philosophical thought, religion, sect or other beliefs, appearance, membership of an association, foundation or union, health, sexual life, conviction and security measures, as well as biometrical and genetic data.

3.7. Data processor: This term means a real person or legal entity that processes the personal data on behalf of the data controller based on the authority granted by the data controller.

Certain internal procedures have been issued in each department for the purpose of identifying the personnel with the authority to access and process the personal data in line with the pertinent provisions of the PDPL, to what extent, for what purposes and for how long they are allowed to access the same, and the transactions that they are able to perform on this data.

3.8. Data controller: This term means a real person or legal entity responsible for identifying the purposes and methods of processing the personal data, establishing and managing a data recording system accordingly.

  4. ENFORCEMENT OF THE POLICY AND RESPONSIBILITIES

4.1. In the capacity of Data Controller, the Company is responsible for the regulation and enforcement of all the internal aspects and processes of this Policy.

4.2. A governance model will be established and put into practice by the Company so that such regulations, procedures, guidance, standards and training activities to be prepared in line with this Policy are enforced within the organization of the Company.

4.3. All the employees, business partners and guests within the organization of the Company as well as all the related third parties are obliged to act in cooperation with the Company to prevent possible legal consequences, risks and dangers in accordance with this Policy and as per the respective legislations.

4.4. All the personnel in all the departments and units of the Company are responsible for acting in compliance with this Policy and ensuring that the provisions of this Policy are complied with.

4.5. This Policy will be announced within the organization of the Company and also uploaded to the common information processing systems to make it available at any time. This Policy is also published on the website of the Company. Any change to this Policy will be added to the information processing system and website to keep it updated and, in this manner, it will be ensured that the data subjects are able to access and are informed of the principles as set forth under this Policy.

4.6. In case of any conflict between this Policy and the pertinent provisions of the applicable legislations, then the Company, in the capacity of Data Controller, agrees that the latter shall apply accordingly.

  5. PRINCIPLES ON PERSONAL DATA PROCESSING

5.1. General Principles on Processing Personal Data

The Company agrees that it will process the personal data that falls into the scope of this Policy as per the article 4 of the PDPL in line with the principles described below.

5.1.1. Compliance with law and good faith

In the capacity of Data Controller, the Company agrees that it will engage in the personal data processing operations in line with the Constitution and the PDPL and as per all the legislations already in force or to be in force in the future and, pursuant to the good faith principles as set forth under the article 2 of the Turkish Civil Code.

5.1.2. Integrity and up-to-dateness

The Company takes all the necessary measures under the scope of the PDPL to ensure that the personal data is accurate and kept updated within the bounds of the technical possibilities during the performance of the personal data processing activities. Certain administrative and technical mechanisms are to be established by the Company in the capacity of Data Controller to correct inaccurate or outdated personal data and, inspect the accuracy thereof in line with the requests submitted by the related persons and, according to such situations deemed necessary by the Company.

5.1.3. Processing the personal data for certain, explicit and legitimate purposes

The Company processes the personal data legally in line with the pertinent legislation provisions and limited to such services offered or to be offered, and the purposes of processing the personal data are identified in a clear and definite manner before processing them.

5.1.4. Processing the personal data for the intended purpose and in a limited and restrained manner

The Company processes the personal data for the intended purpose in a limited manner, and to the extent it is necessary to attain this purpose. It is a principle that the Company abstains from processing such personal data that is not in connection with the intended purpose thereof and that is not needed.

5.1.5. Processing the personal data for a limited period that is set forth under the applicable legislations or that is needed to attain the intended purpose

Personal data is kept in line with the periods as set forth under the applicable legislations or for a period required to attain the intended purpose thereof. At the end of the period as set forth under the applicable legislations or at the end of the period required to attain the intended purpose, the Company deletes, destroys or anonymizes the personal data. All types of administrative and technical measures are to be taken in order to prevent the personal data from being maintained for a period exceeding the said limits.

  6. CONDITIONS FOR PROCESSING THE PERSONAL DATA

The conditions for processing the personal data are regulated under the article 5 of the PDPL. The Company carries out the personal data processing processes in accordance with the following conditions as set forth under the PDPL.

6.1. Presence of the Related Person’s Explicit Consent

The main rule concerning the personal data processing is that there must be an explicit consent of the related person for processing the personal data if no other data processing condition is available. In line with the explicit consent of the related person given in a clear way that is beyond any question as provided by the PDPL and upon the information on the intended purpose thereof, the Company will carry out the data processing operations for such procedures under the scope of the said consent.

6.2. Processing the Personal Data Due to Legal Requirements

Pursuant to the pertinent provisions of the PDPL, the personal data processing operations will be deemed legal where the personal data must be processed as per the applicable legislations even if there is no explicit consent of the related person, on the condition that the other necessary criteria have been fulfilled accordingly.

6.3. Necessity to Process the Personal Data of Those Who Are Not Able to Express Their Consent or Whose Consent Is Not Valid As Per the Applicable Law in Order to Protect the Life or Bodily Integrity of the Said Person or Other Persons

Pursuant to the pertinent provisions of the PDPL, where it is not possible for the related party to express their consent or their consent is not deemed legally valid, then the personal data of this person may be processed if it is necessary to protect the life and bodily integrity of the said person or other persons. In line with this regulation, the Company will process such personal data accordingly.

6.4. Necessity to Process the Personal Data of the Contractual Parties on the Condition that it is Directly Related to Conclusion and Performance of an Agreement

The Company may process the personal data of the contractual parties on the condition that it is directly related to conclusion and performance of an agreement.

6.5. Necessity for the Data Controller to Fulfill Its Respective Legal Obligations

In order for the Company as Data Controller pursuant to the PDPL to fulfill its obligations under the applicable legislations, the Company will process the personal data acting within the limitations of the said obligations accordingly.

6.6. Processing the Personal Data Anonymized by the Related Person

In case the related person has anonymized their personal data, then the Company will process the said personal data in proportion to the purposes of this anonymization.

6.7. Processing the Personal Data Necessary to Establish, Exercise or Protect a Right

The Company will process the personal data to the extent it is necessary to establish, exercise or protect a right.

6.8. Processing the Personal Data for the Legitimate Interests of the Data Controller

The Company, acting in the capacity of Data Controller, may process the personal data in line with its legitimate interests on the condition that it will not harm the fundamental rights and freedoms of the related person. However, the legitimate interests of the Company may not be in contradiction to the principles as set forth under the PDPL and the purpose of processing the personal data and, it may not be intended to intervene in the basic rights guaranteed under the Constitution.

  7. CONDITIONS FOR SPECIAL PERSONAL DATA

The conditions for processing the special personal data are regulated under the article 6 of the PDPL. As per the said article, such data concerning race, ethnical origin, political opinion, faith, philosophical thought, religion, sect or other beliefs, appearance, membership of an association, foundation or union, health, sexual life, conviction and security measures as well as biometrical and genetic data are considered special personal data. All the business processes within the organization of the Company have been analyzed, the data under this status have been identified and added to the personal data inventory by means of being classified. The Company carries out the special personal data processing processes in accordance with the following conditions as set forth under the PDPL.

7.1. Processing the Special Personal Data In Case of Presence of the Related Person’s Explicit Consent

As a general rule under the PDPL, it is prohibited to process the special personal data without the explicit consent of the related person. Accordingly, as a primary principle, the Company will first attempt to obtain the explicit consent of the related person in order to process the special personal data. The data processing operations will be carried out in line with the scope of the related person’s consent with respect to processing the special personal data. The pertinent provisions as set forth under the PDPL with respect to processing the special personal data without an explicit consent are reserved. The Company will check to see if the conditions for processing the special personal data have been fulfilled and, then carry out the respective personal data processing activities.

7.2. Processing the Special Personal Data Although There is No Explicit Consent of the Related Person Based on the Applicable Legislations

In case the applicable legislations permit the processing of the special personal data, then the special personal data of the related person except for those concerning their health and sexual life may be processed in line with the pertinent provisions of the article 6/3 of the PDPL. In such case, the data processing operations to be carried out by the Company will be limited to the requirements as set forth under the applicable legislations.

7.3. Processing the Special Personal Data Concerning Health and Sexual Life for the Purpose of Preventive Medicine, Medical Diagnosis, Performance of Treatment and Care Services, Planning and Management of Health Services and Financing on the Condition that It Will Be Under the Obligation of Secrecy

The pertinent provisions of the PDPL provide that the special personal data of individuals concerning their health and sexual life may be processed only if there is an explicit consent of the related person, and in case there is no such an explicit consent, such personal data may be processed only by those who are under the obligation of secrecy and for the purposes of preventive medicine, medical diagnosis, performance of treatment and care services, planning and management of health services and financing. The Company may process the special personal data of individuals concerning their health and sexual life through those who are under the obligation of secrecy in line with the applicable legislations and to the extent permissible by the pertinent provisions of the applicable legislations.

7.4. Measures To Be Taken for the Processing of the Special Personal Data

In order to process the special personal data, it is mandatory to take such measures as identified by the Personal Data Protection Board pursuant to the PDPL. The Company will process the special personal data in line with such measures as defined by the Personal Data Protection Board.

  8. TRANSFER OF THE PERSONAL DATA

The pertinent provisions of the article 8 of the PDPL regulate the transfer of the personal data locally. The processes concerning the transfer of the personal data will be in compliance with the criteria as described below. It is the responsibility of the Company to act in accordance with all the applicable legislations concerning the transfer of the personal data and ensure that the transfer processes are made in compliance with such legislations already in force or entering into force in the future.

8.1. Transfer of the Personal Data Locally

8.1.1. Presence of the explicit consent of the related person for the transfer of the personal data

As per the article 8 of the PDPL, the main rule for the transfer of the personal data to third parties is that there must be the explicit consent of the related person. The personal data of the related person is to be transferred and recorded by the Company in the data inventory by means of carefully identifying which personal data is consented to be transferred to third parties locally and, the groups of persons to whom the related person’s personal data is to be transferred.

8.1.2. Transfer of the personal data even if there is no explicit consent of the related person provided that the conditions for processing the personal data have been fulfilled

In case there is no explicit consent of the related person for the transfer of the personal data locally, it is possible to transfer the personal data to third persons locally under such conditions described in the articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8 of this Policy and regulated as per the subparagraph 2 of the article 5 of the PDPL.

8.1.3. Transfer of the special personal data even if there is no explicit consent of the related person provided that the respective conditions have been fulfilled and it is required by the applicable legislations

It is possible to transfer the special personal data except for those concerning health and sexual life to third parties even if there is no explicit consent of the related party thereto if it is provided under the applicable legislations that such personal data may be processed in a way as described under the applicable legislations. In such case, the Company may transfer the special personal data to third parties by means of ensuring that the conditions as set forth under the article 7 of this Policy have been fulfilled. It is the responsibility of the Company to take all such measures that are necessary to process the special personal data as also applied to the transfer of such personal data.

8.2. Transfer of the Personal Data Internationally

8.2.1. Presence of the explicit consent of the related person for the transfer of their personal data internationally

Pursuant to the article 9 of the PDPL, it is the main rule that the personal data may not be transferred internationally without the explicit consent of the related person. Therefore, it is a principle that the Company will obtain the explicit consent of the related person to transfer their personal data internationally. The Company will transfer the personal data of the related person internationally by means of carefully identifying which personal data is consented to be transferred to third parties internationally and considering the list of secure countries as published by the Personal Data Protection Board.

8.2.2. Transfer of the personal data even if there is no explicit consent of the related person provided that the conditions for processing the personal data have been fulfilled

In case there is no explicit consent of the related person for the transfer of the personal data internationally, it is possible to transfer the personal data to third persons internationally under such conditions described in the articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8 of this Policy and regulated as per the subparagraph 2 of the article 5 of the PDPL provided that the Company will act considering the list of secure countries as published by the Personal Data Protection Board or in line with such other methods announced by the said board.

As per the article 9 of the PDPL, for the transfer of the personal data internationally, there must be a sufficient level of protection in the country to which the personal data is to be transferred. The list of secure countries announced by the Personal Data Protection Board will be closely monitored by the Company and included into the respective internal processes. In case it has become necessary to transfer the personal data internationally before the list of secure countries is published by the Personal Data Protection Board, then the Company will transfer the personal data internationally on the condition that the Company acting in the capacity of Data Controller and, the third party located in the country to which the personal data is to be transferred warrant a sufficient level of protection and permitted by the Personal Data Protection Board accordingly.

In case there is no sufficient level of protection in the country to which the personal data is to be transferred after the list of secure countries is published by the Personal Data Protection Board, then the Company will transfer the personal data internationally on the condition that the Company acting in the capacity of Data Controller and, the third party located in the country to which the personal data is to be transferred warrant a sufficient level of protection and permitted by the Personal Data Protection Board accordingly.

  9. DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA

Even if the personal data has been processed pursuant to the PDPL and other respective legislations as well as this Policy, the personal data must be deleted, destroyed or anonymized by the Company when the reasons for processing the personal data are no longer valid or upon the request of the related person. The Company will establish an administrative and technical structure sufficient to allow it to comply with all the applicable legislations already in force or entering into force in the future concerning the deletion, destruction and anonymization of the personal data.

  10. OBLIGATIONS OF THE COMPANY IN THE CAPACITY OF DATA CONTROLLER

10.1. Obligation to Inform

The Company is required to inform the personal data subject of the following matters when the personal data is being obtained, in line with the article 10 of the PDPL:

  a. Identification of the data controller and the representative thereof, if any,
  b. Purpose of processing the personal data,
  c. To whom and for what purposes the personal data may be transferred,
  ç. Method of and legal reasons for processing the personal data,
  d. Rights granted to the personal data subject

The respective business processes and data collection channels have been reviewed, the findings thereof have been classified and transferred to the inventory, necessary arrangements have been carried out so that the data subjects are able to exercise the right to make an application concerning their personal data and, communication channels have been established so that the Company is able to fulfill its respective obligation in accordance with the applicable laws and regulations.

10.2. Obligation to Ensure the Security of the Personal Data

10.2.1. Obligation to prevent the personal data from being illegally processed

In addition to the obligation to ensure that the personal data is processed pursuant to the PDPL and other applicable legislations and, as per such principles and conditions as set forth under this Policy, the Company is obliged to take all technical and administrative measures in line with the applicable regulations in order to prevent that the personal data from being processed in contradiction to the said obligations.

Accordingly, the Company has established such systems intended to prevent the personal data from being illegally processed, identified such personnel required to observe and inspect these systems and, form the respective procedures. The Company will follow such updates due to technical reasons and legal reasons and, update the system in accordance therewith.

10.2.1.1. Technical measures to be taken to ensure that the personal data is legally processed

A “Personal Data Processing Inventory” has been issued by means of analyzing the personal data processing operations carried out by the departments of the Company. An administrative structure and, the infrastructure of the necessary equipment and software are being formed in order to monitor and audit all the processes from the collection to the deletion of the personal data.

10.2.1.2. Administrative measures to be taken to ensure that the personal data is legally processed

  a. In order to inform all the personnel of the processing of the personal data as per the PDPL and the applicable regulations, the Company will issue this Policy and all the documentation that would be necessary subsequently, organize the required training activities, and keep the certificates of attendance thereto in the personal files.
  b. Such records have been added thereto indicating that all types of documents regulating the relationships between the Company and the personnel and those that contain personal data are required to be treated in accordance with the respective obligations as set forth under the PDPL to ensure that the personal data is legally processed, that the personal data must not be disclosed, that the personal data must not be used in contradiction to the applicable regulations, that the confidentiality obligation concerning the personal data will survive the termination of the employment agreement with the Company, and that such sanctions up to the termination of employment must be imposed in case of the failure of the personnel to comply with these obligations.
  c. The Company limits the access to the personal data, under the scope of the personal data inventory to be formed and the power matrices formed, to the intended purpose thereof and to the respective personnel. It is not possible for all the personnel of the Company to access all the personal data processed by the Company acting in the capacity of Data Controller, and the access powers as defined for each department will apply accordingly.
  ç. The personal data processing operations carried out in each department have been identified by means of analyzing all the business operations of the Company. The Company has formed such policies, procedures and other internal arrangements intended to audit whether the business operations of the departments are carried out in accordance with the PDPL and as per the respective obligations set forth under this Policy, and to ensure the continuation of these practices, and all the updates in connection therewith will be notified to the personnel using all the available communication channels. Upon the issuance of the said updates, the new procedures and policies will enter into force; these updates are binding irrespective of whether the personnel have been notified accordingly.

10.2.2. Obligation to prevent the personal data from being illegally accessed

10.2.2.1. Technical measures to be taken to ensure that the personal data is legally accessed and the personal data is maintained accordingly

  a. The Company will take measures as per the technical developments, periodically update and renew such measures to keep up with the advanced technologies, and have the reliability thereof tested by means of penetration tests and other methods. In case the Personal Data Protection Board issues regulations concerning such penetration tests and other security measures or refers to certain technical standards, the Company will make all efforts to comply with these new requirements.
  b. Technical solutions in respect of access and authorization will be put into practice in line with the legal compliance criteria as identified by the Company for each department, and such hardware and software solutions will be applied to ensure that such measures listed in the list of administrative and technical measures published by the Personal Data Protection Board in this respect are complied with.
  c. All the technical measures taken in this manner will be periodically reported to the respective personnel as per the internal inspection mechanisms. Such aspects that pose a risk will be reviewed and necessary technical solutions will be produced accordingly.
  ç. The Company will install the respective security software and systems, including such software and hardware that contain virus protection systems and firewalls, on all the systems that are used during the performance of its business operations and that are entitled to access the personal data.
  d. Such personnel with a sufficient level of knowledge on technical issues in respect of data security will be employed.
  e. Access authorizations must be defined in line with the criteria to be established for each department to ensure legal access to the personal data, the access and authorizations of the respective user accounts concerning the systems accessing the personal data must be restricted, and the number of equipment able to access these systems must be limited.
  f. In order to prevent the systems where the personal data is maintained from being penetrated and to monitor the possible risks, the Company will ensure that necessary software and hardware is installed, have the penetration tests carried out, ensure that the same security measures are taken for the backups intended to avoid any loss of data, and enter into agreements with third parties engaging in the field of disaster recovery as intended to take such security measures as set forth under this Policy, and ensure that such data is stored in compliance with the PDPL.

10.2.2.2. Administrative measures to be taken to ensure that the personal data is legally accessed and the personal data is maintained accordingly

  1. It will be ensured that all the personnel of the Company are trained about the technical measures to be taken to prevent the personal data from being illegally accessed.
  2. The Company limits the access to the personal data in line with the personal data inventory to be formed to the respective personnel in line with the intended purpose thereof. It should not be possible for all the personnel of the Company to access all the personal data processed by the Company acting in the capacity of Data Controller and, the access powers should be regulated considering the intended purpose of processing the personal data.
  3. Such records have been added thereto indicating that all types of documents regulating the relationships between the Company and the personnel are required to be treated in accordance with the respective obligations as set forth under the PDPL to ensure that the personal data is legally processed, that the personal data must not be disclosed, that the personal data must not be used in contradiction to the applicable regulations and, the confidentiality obligation concerning the personal data will survive the termination of the employment agreement with the Company.
  4. The Company will prepare all procedures and documents concerning the authority to access the personal data and ensure that all the respective personnel receive the same.

10.2.3. Inspection on the measures taken for the protection of the personal data

The Company must design such systems intended to carry out or cause to be carried out necessary inspections on the course of the technical and administrative measures to be taken. The results of these inspections should be reported to the respective department under the scope of the internal course of the Company, and operations necessary to improve the measures taken need to be carried out.

The Company must design necessary processes intended to inspect and enhance the awareness of its departments, business partners and suppliers in respect of the protection and processing of the personal data and, the respective procedures must be conducted to monitor, carry out the verification tests and inspections on the periodic reports and, the actions taken under the scope thereof.

Pursuant to Article 12 of the PDPL, it is the responsibility of the Company to ensure that the third parties to whom the personal data has been transferred fulfill their obligations to process, store and access the personal data as per the applicable legislations and regulations. Therefore, the Company should obtain commitments intended to fulfill these conditions in any type of arrangement in connection with the agreements to be entered into before the transfer of the personal data to the third parties and with the personal data transfer. The Company should inform all the personnel of the responsibilities arising from the transfer of the personal data to the third parties.

  11. RIGHTS OF THE RELATED PARTY

As per the article 11 of the PDPL, the related party has the following rights against the Company acting in the capacity of Data Controller:

  a. Learn if their personal data is processed or not and, request the respective information if the personal data has been processed,
  b. Learn the purpose of the processing of their personal data and if the same is used for the intended purposes,
  c. Know about those to whom their personal data has been transferred,
  ç. Ask for correction if their personal data has been deficiently or wrongly processed and, for the deletion of their personal data if the respective conditions have been fulfilled and, request that these requests are communicated to the respective third parties,
  d. Object to any negative consequences against them as a result of analyses of the personal data exclusively by means of automatic systems,
  e. Ask for indemnification if they incur loss due to the illegal processing of their personal data.

In case the personal data subject submits to the Company their requests concerning their rights listed above in writing or by means of such other methods as specified by the Personal Data Protection Board, as per the article 13 of the PDPL, the Company is required to conclude the said request as soon as possible and not later than within the period of thirty days depending on the nature of the request. In case this request requires an extra cost, a fee indicated in the tariff as determined by the Personal Data Protection Board may be collected. In case it is found out that the application is attributable to the fault of the Company, then the fee collected will be returned.

During the conclusion of the respective application, the Company should inform the related person in the language and format that the related person is able to understand and, ensure that this information is sent in writing or electronically according to the request of the related person or if there is no such request, then as per the method chosen by the Company.

The Company is free to accept the application submitted by the related person depending on the nature of the request or refuse it by means of explaining the reason thereof. In case the application has been accepted, the Company will fulfill the requirements of the request without any delay.

All the personnel of the Company must be warned and made aware that in case the application of the personal data subject is refused, or the data subject finds the response insufficient, or in case of the failure to respond to the application in due time, then the data subject will be entitled to submit a complaint to the Personal Data Protection Board.

  12. ENTERING INTO FORCE AND UPDATES

This Policy will enter into force as of the date it is approved by the Board of Managers of the Company. A governance model will be established to carry out such actions concerning the changes to this Policy and how such changes will enter into force and, these changes will enter into force upon the General Manager of the Company.

This Policy will be reviewed and updated at least once a year. However, in case of amendments to the applicable legislations, changes to a technical standard referred to and in line with the actions and/or decisions of the Personal Data Protection Board as well as the competent court decisions, the Company reserves the right to review and, update, change or replace this Policy with a new one if it deems necessary.

The Board of Managers of the Company is authorized to make a decision to abolish this Policy.