Personal Data Protection, Processing, And Privacy Policy

PROF. DR. ESİN YALÇINKAYA
PERSONAL DATA PROTECTION, PROCESSING, AND PRIVACY POLICY

1- Our company, Prof. Dr. Esin Yalçınkaya (“Company”), determines with this Policy (“Policy”) the obligations it is subject to and the procedures and principles it will comply with in obtaining, processing, deleting, destroying, or anonymizing the personal data of all its addressees.
In this context, under the Personal Data Protection Law No. 6698 (“PDPL” or “Law”), primarily Employee Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, and Officials of Institutions We Cooperate With, Subcontractors, and Suppliers, as well as Third Parties, hold the title of “Data Subject”.
Pursuant to the Law, terms and conditions regarding the personal data processing activities carried out by the company (“Data Controller”) are provided, aiming to inform data subjects, ensure transparency, and obtain their explicit consent within the scope of the situations specified below. The Privacy Policy is published on our company’s website () and is made available to relevant individuals upon the request of personal data subjects.
Accordingly, this Privacy Policy (“Policy”) has been prepared to ensure that personal data is processed in full compliance with the Personal Data Protection Law No. 6698 (“PDPL”) and to inform data subjects in this context. Separate from this Policy, the “Policy on the Processing of Personal Data of Prof. Dr. Esin Yalçınkaya Employees” has been organized for company employees.

2- This Policy relates to all personal data processed automatically or non-automatically, provided that it is part of any data recording system, primarily belonging to Employee Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, and Officials of Institutions We Cooperate With, Subcontractors, and Suppliers, as well as Third Parties.
The scope of application of this Policy to the groups of personal data subjects in the categories mentioned above may be the entire Policy or only some of its provisions.

3- The relevant legal regulations in force regarding the processing and protection of personal data will find primary application. In the event of an inconsistency between the applicable legislation and the Policy, the Company accepts that the applicable legislation will prevail.

4- Within the scope of the Policy, data subjects whose personal data are processed are categorized as follows:

  • Employee Candidates: Real persons who apply for a job at the Company or make their CV and related information accessible to the Company by any means.
  • Employees, Shareholders, and Officials of Institutions We Cooperate With, Subcontractors, and Suppliers: Employees, shareholders, and officials of institutions, subcontractors, and suppliers with which the Company has a business relationship.
  • Customers: Real persons whose personal data are obtained due to business relationships within the scope of the activities carried out by the Company, regardless of whether there is a contractual relationship or not.
  • Visitors: Real persons who have entered or visited the Company’s physical facilities for various purposes.
  • Third Parties: Other real persons whose personal data are processed within the framework of this Policy, although not defined in the Policy.
  • Company Shareholder: Real persons who are shareholders of the Company.
  • Company Official: Real persons who are board members and other authorized individuals of the Company.

5- In the implementation of this Policy:

  • Explicit Consent: Consent given for a specific subject, based on information, and expressed with free will.
  • Anonymization: Rendering personal data in such a way that it cannot be associated with an identified or identifiable real person under any circumstances, even when matched with other data.
  • Personal Data: Any information relating to an identified or identifiable real person.
  • Special Category (Sensitive) Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics are special category data.
  • Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system.
  • Board: Personal Data Protection Board.
  • Policy: The Company’s Personal Data Protection and Processing Policy.
  • Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
  • Data Controller: The person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data registry system.

6- The issues regarding the processing of personal data belonging to our Company’s Employee Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, and Officials of Institutions We Cooperate With, Subcontractors, and Suppliers, as well as Third Parties, are regulated under this Policy text in accordance with the Law.

7- Personal data obtained with the data subject’s consent or due to other legitimate reasons listed in the Law are processed limited to the extent required by the purpose stated in this policy and in the informed consent of the data subject or the legal basis. In cases where the legal basis ceases to exist and consent is absent or withdrawn, all your personal data will be deleted, destroyed, or anonymized.

8- With the Privacy Policy, it is aimed to:

  • Establish what information belonging to the Data Subject is collected and what is done and not done with said data,
  • Determine the responsibilities of the Data Subject, the Data Controller, and third parties within the scope of the Law in protecting their rights and privacy,
  • Explain the usage of the shared information in order to provide a functional and useful service.

9- With this text, data subjects accept that they have been informed about the processing of their personal data and the privacy policy, and that they approve the use of their personal data as specified herein.

10- The personal data processed by the Data Controller are categorized in accordance with the Personal Data Protection Law (PDPL) as specified below. Unless explicitly stated otherwise, the term “Personal Data” within the scope of the terms and conditions offered under this Privacy Policy will include the information below:

  • Identity Information: Information included in documents such as a driver’s license, identity card, and residence document, including but not limited to name-surname, TR Identity number, nationality information, mother’s and father’s name, place of birth, date of birth, gender, and SGK (Social Security Institution) number.
  • Contact Information: Information clearly belonging to an identified or identifiable real person, processed partially or fully automatically or non-automatically as part of a data recording system; such as phone number, address, email address, fax number, and IP address.
  • Customer Information: Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units in this framework.
  • Customer Transaction Information: Information such as records related to the use of our products and services and instructions and requests necessary for the customer’s use of products and services.
  • Transaction Security Information: Personal data processed to ensure technical, administrative, legal, and commercial security during the execution of commercial activities.
  • Risk Management Information: Personal data processed through methods used in accordance with generally accepted legal and commercial customs and good faith rules in these areas so that we can manage our commercial, technical, and administrative risks.
  • Financial Information: Personal data processed regarding information, documents, and records showing any financial outcome created depending on the type of legal relationship established with the personal data subject.
  • Employee Candidate Information: Personal data processed concerning individuals who have applied to become a company employee or have been evaluated as an employee candidate in line with our company’s human resources needs in accordance with commercial customs and good faith rules, or who are in a working relationship.
  • Legal Action Information: Personal data processed within the scope of determining, tracking our legal claims and rights, and fulfilling our debts.
  • Inspection Information: Personal data processed within the scope of the company’s legal obligations and compliance with company policies.
  • Special Category Personal Data: As stated in Article 6 of the PDPL; individuals’ data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics.
  • Marketing Information: Personal data processed for the customized marketing of our products and services in line with the personal data subject’s usage habits, tastes, and needs, and reports and evaluations created as a result of processing this data.
  • Physical Space Security Information: Information clearly belonging to an identified or identifiable real person, processed partially or fully automatically or non-automatically as part of a data recording system; personal data related to records and documents taken at the entrance to the physical space and during the stay inside the physical space; camera recordings and records taken at the security point, etc.
  • Visual/Audio Information: Information clearly belonging to an identified or identifiable real person; data in documents serving as copies of documents containing personal data along with photographs and camera recordings (excluding records falling under Physical Space Security Information) and voice recordings.
  • Request / Complaint Management Information: Personal data regarding the receipt and evaluation of any kind of request or complaint directed.

11- Data anonymized pursuant to Articles 3 and 7 of the Personal Data Protection Law will not be considered personal data, and processing activities relating to such data shall be carried out regardless of the provisions of this Privacy Policy.

12- Our company processes personal data in accordance with the basic principles in Article 4 of the Personal Data Protection Law and the principles set out in this Policy. Additionally, personal data is processed limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law. These purposes and conditions are:

  • It is explicitly provided for by the laws,
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving consent or whose consent is not deemed legally valid,
  • Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the execution or performance of the contract between the data subject and the data controller,
  • It is mandatory for the data controller to fulfill its legal obligations,
  • The data concerned is made available to the public by the data subject himself/herself,
  • Data processing is mandatory for the establishment, exercise, or protection of any right,
  • It is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

On the other hand, the Law has defined data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics as “special category” or “sensitive” personal data and has prescribed stricter conditions for their processing. Accordingly, special category personal data can only be processed under the following conditions, except in cases where the explicit consent of the data subject has been obtained:

  • Data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometrics and genetics may be processed in the cases prescribed by laws.
  • Personal data relating to health and sexual life may only be processed for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of secrecy or competent institutions and organizations.

13- In the absence of the conditions stated above, the Company seeks the explicit consent of personal data subjects to engage in personal data processing activities. In this framework, personal data may be processed for the following purposes, including but not limited to:

  • In line with the purpose of carrying out the necessary work to ensure that personal data subjects benefit from the products and services offered by the Company; following up on contract processes, customer relations, executing sales processes, conducting legal follow-ups, following up on customer requests and/or complaints,
  • Carrying out the necessary work to execute the commercial activities conducted by the Company, planning corporate communication activities, ensuring business continuity, establishing information technology infrastructure, following up on financial affairs, executing corporate governance activities, conducting analysis regarding business activities, planning and executing the information access authorizations of business partners and suppliers, planning and executing business activities, planning and executing research and development activities,
  • In line with the purpose of planning and executing the Company’s human resources policies and processes; fulfilling the obligations arising from the employment contract and legislation of employees and employee candidates, procuring the products and services needed to conduct business activities, monitoring and auditing business activities, planning and executing fringe benefits and interests, conducting personnel recruitment processes, planning performance evaluation processes, planning and executing internal training activities, planning human resources processes, planning and executing the human resources needs required for production,
  • In line with the purpose of ensuring the legal and commercial security of individuals who have a business relationship with the Company; planning and executing operational activities necessary to ensure that company activities are carried out in accordance with company procedures and relevant legislation, planning and executing occupational health and safety processes, providing legal information to authorized institutions, following up on legal affairs, creating and tracking visitor records, ensuring the security of company campuses and/or facilities, ensuring the security of company operations, planning and executing company audit activities, ensuring that data is accurate and up-to-date, planning and executing the company’s financial risk processes.

The Company mainly aims to obtain the explicit consent of individuals to achieve similar purposes explained above. In cases where the exceptions listed in the Law apply, limited and measured personal data is kept in accordance with these exceptions to achieve these purposes. In cases where explicit consent is lacking, personal data processing is carried out within the framework of the exceptions stated in the Law. If the exceptions in the Law do not permit the processing of personal data and there is no explicit consent of the individual, personal data is not processed.

14- Such personal information may also be used to contact the Data Subject or for the purpose of making various statistical evaluations, creating databases, and conducting market research without disclosing the Data Subject’s identity.

15- The Company may process the personal data of its employees with whom it has established a service relationship without seeking consent, to the extent necessary for the performance of the established service contract, fulfillment of mutual obligations, and the fulfillment of other legal obligations. The Company ensures the privacy and protection of data belonging to its employees. In this context, separate from this Policy, the “Policy on the Processing of Personal Data of Prof. Dr. Esin Yalçınkaya Employees” has been organized for company employees.
The Company processes all personal data, including resumes submitted by applicants, in the applications and requests made by prospective employees without seeking consent until the application and request are concluded. If the application process is completed with a negative result, processing the data depends on the consent of the relevant person. If the relevant person gives consent, personal data may be transferred to third parties. Otherwise, the data is deleted, destroyed, or anonymized after the request and application process is definitively concluded negatively. In cases where the request or application is concluded partially or completely positively, the retention and processing of personal data are carried out according to the conditions of the newly established legal relationship.

16- The camera monitoring activity carried out by our Company is conducted in accordance with the personal data processing conditions listed in the Law on Private Security Services and the PDPL.
The Company informs the personal data subject in accordance with Article 10 of the PDPL. The Company notifies the camera monitoring activity using more than one method. Regarding the camera monitoring activity by the Company, a notification letter stating that monitoring will be carried out is posted at the entrances of the areas. In this way, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data subject, ensure transparency, and inform the personal data subject.
The Company, in accordance with Article 4 of the PDPL, processes personal data in connection with the purpose for which they are processed, in a limited and measured manner.
The purpose of maintaining the video camera monitoring activity by the Company is limited to the purposes listed in this Policy. Accordingly, the monitoring areas of security cameras, their number, and when the monitoring will be carried out are implemented sufficiently to achieve the security purpose and limited to this purpose. Individuals are not subjected to monitoring in areas that could result in interference with privacy exceeding security purposes.
The Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities in accordance with Article 12 of the PDPL.
Only a limited number of company employees have access to live camera images and records digitally recorded and maintained.
The Company carries out personal data processing activities directed at tracking the entry and exit of visiting guests to ensure security and for the purposes stated in this Policy. The name and surname information of the people coming to our company is processed solely for the purpose of tracking their entry and exit, and the relevant personal data is recorded in the recording system in physical and electronic environments.
To ensure the security of the places where it conducts its commercial activities, the Company engages in personal data processing activities in its headquarters buildings and facilities regarding tracking guest entry and exit through security camera monitoring, recording, card reading at entrance, and identity recording activities. Security camera monitoring and identity checks at entrances, card reading, and their recording aim to protect the interests of the Company and other individuals regarding ensuring their security. In accordance with Article 12 of the relevant Law, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring and identity recording activities.

17- The Data Controller may share personal data and new data obtained through the use of this personal data with third parties such as outsourced service providers including those sending e-mails and SMS, hosting services, law firms, company officials, business partners, legally authorized public institutions and organizations, and private institutions to achieve the purposes stated under the Privacy Policy and Personal Data Processing Clarification and Consent Text, perform the necessary work to enable the relevant individuals to benefit from the services offered, conduct commercial activities and related business processes, ensure security, detect fraudulent or unauthorized use, research operational evaluation, and achieve any of these purposes. Within the scope of these activities, third-party tracking technologies such as Meta (Facebook/Instagram) Pixel, Google Ads, Google Analytics 4, and TikTok Pixel are used to measure user experience on our website and optimize ad performance. Data transfer can also be carried out using server-side data transfer technologies (Conversions API – CAPI, etc.) as well as browser cookies.

18- Personal data collected for the legal reasons stated above can be processed and transferred for the purposes specified in the applicable legislation and this Privacy Policy. In line with legitimate and lawful personal data processing purposes, the Company may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDPL listed below:

  • If the personal data subject has given explicit consent,
  • If there is an explicit regulation in the laws that personal data will be transferred,
  • If it is mandatory for the protection of life or physical integrity of the personal data subject or of any other person who is bodily incapable of giving consent due to actual impossibility or whose consent is not deemed legally valid;
  • If it is necessary to transfer the personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the Company to fulfill its legal obligation,
  • If the personal data has been made public by the personal data subject,
  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
  • If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not violate the fundamental rights and freedoms of the personal data subject.

The Company, by showing due care, taking necessary security measures, and taking adequate precautions foreseen by the PDP Board, may transfer the special category personal data of the personal data subject to third parties in the following cases in line with legitimate and lawful personal data processing purposes:

  • If the personal data subject has given explicit consent, or
  • If the personal data subject has not given explicit consent: the special category personal data of the personal data subject other than health and sexual life (data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometrics and genetics), in the cases prescribed by laws. The special category personal data relating to the health and sexual life of the personal data subject can only be transferred by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

19- In line with legitimate and lawful personal data processing purposes, if the personal data subject has given explicit consent, or if the personal data subject has not given explicit consent but one of the following conditions exists, the Company may transfer personal data to foreign countries where the Data Controller is located that have adequate protection or undertake adequate protection:

  • If there is an explicit regulation in the laws that personal data will be transferred,
  • If it is mandatory for the protection of life or physical integrity of the personal data subject or of any other person who is bodily incapable of giving consent due to actual impossibility or whose consent is not deemed legally valid;
  • If it is necessary to transfer the personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the Company to fulfill its legal obligation,
  • If the personal data has been made public by the personal data subject,
  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
  • If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not violate the fundamental rights and freedoms of the personal data subject.

20- The Company, by showing due care, taking necessary security measures, and taking adequate precautions foreseen by the PDP Board, may transfer the special category data of the personal data subject to foreign countries where the Data Controller is located that have adequate protection or undertake adequate protection in the following cases in line with legitimate and lawful personal data processing purposes:

  • If the personal data subject has given explicit consent, or
  • If the personal data subject has not given explicit consent: the special category personal data of the personal data subject other than health and sexual life (data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometrics and genetics), in the cases prescribed by laws. The special category personal data relating to the health and sexual life of the personal data subject can only be processed by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

21- Personal data collected for the legal reasons stated above can be processed and transferred for the purposes specified in Articles 5 and 6 of Law No. 6698 and in this Privacy Policy.

22- According to Article 11 of the Law, personal data subjects have the right to:

  • Learn whether personal data relating to them are being processed,
  • Request information regarding this if their personal data have been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with their intended purpose,
  • Know the third parties to whom their personal data is transferred domestically or abroad,
  • Request the correction of their personal data if it is processed incompletely or incorrectly,
  • Request the deletion or destruction of personal data in the event that the reasons requiring their processing cease to exist, despite having been processed in accordance with the provisions of the Law and other relevant laws,
  • Request that the operations carried out as a result of correction, deletion, and destruction requests be notified to third parties to whom personal data has been transferred,
  • Object to the occurrence of a result against the person themselves by analyzing the processed data exclusively through automated systems,
  • Demand compensation for the damages in case they suffer damage due to the unlawful processing of personal data.

23- Pursuant to paragraph 1 of Article 13 of the PDPL, you must submit your request to exercise the above-mentioned rights to our Company in “writing” or by other methods determined by the Personal Data Protection Board.
In this framework, for the applications you will make to our Company within the scope of Article 11 of the PDPL, you can submit your request to exercise your above-mentioned rights, along with the necessary identifying information and your explanations regarding the right you wish to exercise, specifying which right stated in Article 11 of the PDPL your request relates to, via registered mail with return receipt requested to the following address:
PROF. DR. ESİN YALÇINKAYA
ADDRESS: Mustafa Kemal Mahallesi 2079 Sok. Via Green İş Merkezi B blok 3 Kat No:20 Çankaya/Ankara
It is not possible for third parties to make a request on behalf of personal data subjects. In order for a person other than the personal data subject to make a request, there must be a special power of attorney issued by the personal data subject on behalf of the person making the application regarding the subject.

24- In accordance with Article 13 of the PDPL, our Company concludes the application requests made by the personal data subject free of charge as soon as possible and within 30 (thirty) days at the latest depending on the nature of the request. However, if the transaction requires an additional cost, it is possible to charge the fee in the tariff determined by the PDP Board.
Our company may accept the application request of the personal data subject, or it may reject it by explaining its reasoning for the reasons listed below and notify the relevant person of its response in writing or electronically.

  • Preventing the rights and freedoms of other persons,
  • Requiring disproportionate effort,
  • The information is public knowledge,
  • Endangering the privacy of others,
  • The existence of one of the situations falling outside the scope pursuant to the PDPL.

In cases where the personal data subject’s application is rejected, the response given is found insufficient, or the application is not responded to in due time, the data subject has the right to file a complaint with the PDP Board within thirty days from the date they learn of the data controller’s response, and in any case within sixty days from the application date.

The Company takes the necessary technical and administrative measures to ensure that personal data is not processed unlawfully, that personal data is not accessed unlawfully, and to ensure the preservation of personal data under the conditions determined in the relevant legislation or expressed in this Privacy Policy. Furthermore, the Data Controller does not disclose the personal data obtained from the data subject to anyone else contrary to the provisions of this Privacy Policy and the Personal Data Protection Law and does not use it outside the purpose of processing.

25- This Privacy Policy may be updated from time to time to adapt to changing conditions and legislation.

26- Although no period has been determined for the retention of personal data under the Law, in accordance with general principles, it is essential to retain personal data for the period prescribed in the relevant legislation or for the period necessary for the purpose for which they are processed. The Data Controller Company makes an assessment based on the applicable legislation and the purpose of the process for each data processing process in order to determine retention periods in accordance with the said principle. Accordingly, personal data is retained as a minimum for the period required by its legal obligations and until the statute of limitations periods subject to the relevant Law expire.
Personal data may be retained for the purpose of carrying out necessary defenses within the scope of any dispute that may arise between you and the Data Controller. Upon the disappearance of the processing purpose of the relevant personal data within the scope of any process, including the expiration of the aforementioned periods, the personal data is anonymized, deleted, or destroyed in accordance with the Law.

27- Your personal data that we collect must be accurate and up-to-date when necessary. Therefore, in the event of any change in your personal data, you may notify the relevant unit of our Company of this issue.

28- Our Company makes the necessary assignments within the Company and establishes procedures accordingly to fulfill its obligations under the PDPL and to implement the matters stated in this Policy.

29- All kinds of content (text, image, audio, etc.) on the “…” website are for informational purposes only. These contents never replace a doctor’s examination, medical diagnosis, or treatment. A personal diagnosis should not be made and treatment should not be initiated based on the information on the site. Be sure to consult your doctor for any professional help regarding your health condition.
The policy containing the items listed above is presented to the personal data subject along with other relevant clarification and consent texts, primarily the “Clarification and Consent Text Regarding the Personal Data Protection, Processing, and Privacy Policy of Prof. Dr. Esin Yalçınkaya.” In addition, upon the request of personal data subjects, the said policy is presented to the relevant individuals and access to it is provided.


PROF. DR. ESİN YALÇINKAYA
PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1- The Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Prof. Dr. Esin Yalçınkaya (“Company”) in her capacity as the data controller to determine the procedures and principles subject to our obligations pursuant to the Personal Data Protection Law No. 6698 (“PDPL”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) and to inform data subjects about the principles of determining the maximum retention period necessary for the purpose for which personal data are processed and the processes of deletion, destruction, and anonymization.

2- Within the scope of this Policy, the real persons whose personal data are processed by automatic or non-automatic means, provided that the data are part of any data recording system, include customers, prospective customers, employee candidates, employees, company shareholders, company officials, visitors, business partners, employees, shareholders, and officials of institutions we collaborate with, subcontractors, and suppliers, as well as third parties.
The policy is applied in activities carried out regarding the processing and protection of all personal data managed by our Company.

3- This policy is published on our company’s website () and is made available to relevant individuals upon the request of personal data subjects.

4- In the implementation of this Policy:

  • Relevant Person: Persons processing personal data within the data controller organization or in accordance with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backing up of data.
  • Destruction: Deletion, destruction, or anonymization of personal data.
  • Law: Personal Data Protection Law No. 6698.
  • Recording Medium: Any medium containing personal data processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.
  • Personal Data: Any information relating to an identified or identifiable real person.
  • Personal Data Subject: The real person whose personal data is processed.
  • Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system.
  • Personal Data Processing Inventory: The inventory detailed by data controllers by associating their personal data processing activities depending on their business processes with personal data processing purposes, data category, transferred recipient group, and data subject group, and explaining the maximum period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security.
  • Board: Personal Data Protection Board.
  • Authority: Personal Data Protection Authority.
  • Special Category Personal Data: Data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics.
  • Periodic Destruction: The process of deletion, destruction, or anonymization to be performed ex officio at recurring intervals specified in the personal data retention and destruction policy in case all the conditions for processing personal data specified in the Law cease to exist.
  • Data Retention and Destruction Policy: This Policy, upon which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed and the deletion, destruction, and anonymization process.
  • Personal Data Protection, Processing, and Privacy Policy: The policy on the company’s internet address determining the procedures and principles regarding the management of personal data.
  • Registry: The data controllers registry kept by the Presidency of the Personal Data Protection Authority.
  • Data Processor: The real and legal person processing personal data on behalf of the data controller based on the authority given by them.
  • Data Recording System: The recording system in which personal data is structured according to specific criteria and processed.
  • Data Controller: The real or legal person determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.

For definitions not included in this Policy, the definitions in the Law are valid.

5- All unit managers of the Company provide effective support for the proper implementation of technical and administrative measures regarding the processing, retention, and destruction of personal data in their units. For this purpose, unit managers ensure the training and awareness raising of unit employees, monitor and inspect operations, assist in preventing the unlawful processing of personal data and unlawful access to processed data, and in taking and implementing technical and administrative measures for data security.
By increasing the knowledge and awareness of Relevant Users regarding the protection of personal data, they actively support the execution of processing, retention, and destruction processes regarding personal data in accordance with the legislation.
The titles, units, and job descriptions of those involved in the personal data retention and destruction processes are as follows:

  • General Manager: Responsible for carrying out all transactions related to the protection and destruction of personal data and implementing the policy in their capacity as the data controller representative.
  • Human Resources Manager: Responsible for the preparation, development, execution, publication in relevant media, and updating of the policy, ensuring the compliance of the processes within their duty with the retention period, and managing the personal data destruction process, training, and information according to the periodic destruction period.
  • Accounting Manager: Responsible for the preparation, development, execution, publication in relevant media, and updating of the policy, ensuring the compliance of the processes within their duty with the retention period, and managing the personal data destruction process according to the periodic destruction period.
  • Information Systems Manager: Responsible for the technical storage, protection, and backing up of data, and the determination and application of technical solutions needed in implementing the policy.
  • Other Unit Managers: Responsible for the implementation of the policy in their own units and the monitoring and inspection of the application, ensuring the compliance of the processes within their duty with the retention period, and managing the personal data destruction process according to the periodic destruction period.
  • Relevant User and Data Processors: Responsible for ensuring that processes related to data processing and retention are in accordance with the procedure and the law.
  • Specially Authorized Relevant User: Responsible for protecting, retaining, and keeping personal data deleted upon procedure or request of the relevant person inaccessible to relevant users until it is destroyed.

6- Personal data stored by the Company is kept in a recording medium suitable for the nature of the relevant data. The recording media used for storing personal data are listed below. On the other hand, due to their nature, personal data may be featured in a medium different from those specified here. In any case, the data controller company processes and protects personal data within the framework of international data security principles in accordance with the Law, the Personal Data Protection, Processing, and Privacy Policy, and this Personal Data Retention and Destruction Policy.

  • Electronic Media: Digital media such as Servers, portable disks, software, information security devices, employee computers, optical disks, removable memories, printers, scanners, and photocopiers.
  • Physical Media: Other media such as paper, manual data recording systems, written, printed, visual media where data is kept by being printed on paper or microfilms.
  • Cloud Media: Media that are not located with the company but are in use by the company and where encrypted internet-based systems are used.

7- All administrative and technical measures taken within the framework of the principles in Article 12 of the PDPL to securely store your personal data, prevent unlawful processing and access, and destroy data lawfully are specified below.

Technical Measures
The Company takes the following technical measures, in accordance with the qualities of the relevant data and the medium where the data is kept, in all media where personal data is stored:

  • Only up-to-date and secure systems compliant with technological developments are used in environments where personal data is kept.
  • Security systems for the environments where personal data is kept are used.
  • Security tests and research are conducted to detect security vulnerabilities on information systems, and existing or potential risk factors identified as a result of the tests and research are resolved.
  • By restricting data access in environments where personal data is kept, only authorized personnel are allowed to access these data limited to the purpose of storing personal data, and all accesses are recorded. Whether the data is of special nature and its degree of importance are also taken into account in limiting access.
  • Maintains sufficient technical personnel to ensure the security of the environments where personal data is kept within the Company. Ensures that the access authorizations of employees working in information technologies units to personal data are kept under control.
  • The destruction of personal data is ensured in a way that it cannot be recycled and will not leave an audit trail.
  • Pursuant to Article 12 of the Law, all kinds of digital media where personal data is stored are protected by encrypted methods to meet information security requirements.

Administrative Measures
The Company takes the following administrative measures, in accordance with the qualities of the relevant data and the medium where the data is kept, in all media where personal data is stored:

  • Efforts are made to raise awareness and educate all company employees who have access to personal data on matters of information security, personal data, and privacy of private life.
  • Legal and technical consultancy services are procured to track developments in the field of information security, privacy of private life, and protection of personal data and to take necessary actions.
  • In case personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties to protect personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
  • In the event that the processed personal data is obtained by others through unlawful means, it notifies the relevant person and the Board of this situation as soon as possible.
  • Conducts and procures necessary audits to ensure the enforcement of Law provisions within the Company. Resolves privacy and security vulnerabilities that arise as a result of audits.

8- Personal data belonging to data subjects are securely stored by the company in physical or electronic environments within the boundaries specified in the PDPL and other relevant legislation, particularly for the continuation of commercial activities, fulfilling legal obligations, planning and performing employee rights and fringe benefits, managing customer relations, and other purposes included in the Personal Data Protection, Processing and Privacy Policy. Personal data held by the Company is deleted, destroyed, or anonymized ex officio in accordance with this destruction policy upon the request of the relevant person or in the event that the reasons listed in Articles 5 and 6 of the Law disappear. The reasons listed in Articles 5 and 6 of the Law are as follows:

  • It is explicitly provided for by the laws.
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving consent due to actual impossibility or whose consent is not deemed legally valid.
  • It is necessary to process the personal data of parties of a contract, provided that it is directly related to the establishment or performance of a contract.
  • It is mandatory for the data controller to fulfill their legal obligation.
  • It has been made public by the relevant person themselves.
  • Data processing is mandatory for the establishment, exercise, or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the relevant person.

9- The procedures and principles regarding the techniques for deleting and destroying personal data by the Company are listed below.

DELETION OF PERSONAL DATA

  • Blacking Out Personal Data on Paper Media: The method of physically cutting personal data off the relevant document or rendering it invisible by using permanent ink in a way that cannot be reversed and cannot be read by technological solutions.
  • Secure Deletion from Software: The method of deleting personal data kept in cloud media or local digital media so that it can no longer be accessed.

DESTRUCTION OF PERSONAL DATA

  • Physical Destruction: A system of physically destroying personal data so that it cannot be used later is applied. Documents on paper media are destroyed with document shredders in a way that they cannot be put back together. Optical and magnetic media containing personal data are physically destroyed by melting, burning, or pulverizing.
  • De-magnetizing: The method of rendering the data on magnetic media unreadable by passing the media through special devices where it is exposed to high magnetic fields.
  • Overwriting: A destruction method that eliminates the readability and recoverability of old data by randomly writing data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.

ANONYMIZATION OF PERSONAL DATA

  • Removing Variables: The method of anonymization by removing highly descriptive variables from the data set created after aggregating data collected from the relevant person.
  • Regional Hiding: If a single piece of data is of an identifying nature because it creates a highly visible combination, hiding the relevant data provides anonymization. It is the process of deleting information that may have a distinguishing characteristic regarding the data forming an exception.
  • Generalization: The process of aggregating personal data belonging to many people and turning it into statistical data by removing distinguishing information.
  • Lower and Upper Bound Coding: The method of rendering values in a data group containing predefined categories anonymous by merging them through determining a specific criterion.
  • Micro Aggregation: All data is first organized in a meaningful sequence, separated into groups, and anonymization is achieved by replacing the relevant data in the current group with the value obtained by taking the average of the groups.
  • Data Mixing and Distortion: Direct or indirect identifiers within personal data are mixed with other values or distorted, cutting their relationship with the relevant person and causing them to lose their identifying characteristics.

10- Retention and Destruction Periods

| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- |
| Recruitment documents and personnel data that is the basis for notices made to the Social Security Institution regarding the term of service and wage | Kept for 10 years starting from the beginning of the calendar year following the continuation and termination of the employment contract. | Within 180 days following the end of the retention period |
| Personnel data other than recruitment documents and personnel data that is the basis for notices made to the Social Security Institution regarding the term of service and wage | Kept for 10 years starting from the beginning of the calendar year following the continuation and termination of the employment contract | Within 180 days following the end of the retention period |
| Data Included in the Workplace Personal Health File | Kept for 10 years starting from the continuation and termination of the employment contract | Within 180 days |
| Occupational health and safety practices | Kept for a period of 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Responding to court/execution information requests regarding personnel | Kept for a period of 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Personnel Financing Processes | Kept for a period of 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Identity information, contact information, financial information, Business Partner/Solution Partner/Consultant employee data regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and the company | Kept for 10 years during the business/commercial relationship with the Company and from its termination, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | Within 180 days following the end of the retention period |
| Visitor’s name, surname, vehicle license plate, and camera recordings taken at entrances to physical spaces | Kept for a period of 2 years. | Within 180 days following the end of the retention period |
| Information contained in the Employee Candidate’s resume and job application form | Kept until the resume loses its currency, up to a maximum of 2 years. | Within 180 days following the end of the retention period |
| Information contained in the Intern’s internship file | Kept for 10 years starting from the beginning of the calendar year following the continuation and termination of the internship relationship. | Within 180 days following the end of the retention period |
| Customer’s name, surname, TR Identity No., contact information, payment information and methods, product/service preferences, transaction history | Kept for 10 years starting from the provision of each product/service purchased by the Customer, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | Within 180 days following the end of the retention period |
| Identity information, contact information, financial information taken during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and the company | Kept for a period of 2 years. | Within 180 days following the end of the retention period |
| Identity information, contact information, financial information regarding the execution of the commercial relationship between collaborating institutions, companies and customers and the company, and employee data of the institution, company, customer the company collaborates with | Kept for 10 years during the business/commercial relationship with the Company and from its termination, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | Within 180 days following the end of the retention period |
| Planning and Execution of Corporate Communication Activities | Kept for a period of 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Other Data Processed or Necessary to be Processed for the Establishment or Performance of a Contract | Kept for 10 years during the business/commercial relationship with the Company and from its termination, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | Within 180 days following the end of the retention period |
| Information belonging to company partners and board members | Kept for a period of 10 years. | Within 180 days following the end of the retention period |
| Accident Reporting | Kept for a period of 10 years. | Within 180 days following the end of the retention period |
| Document preparation | Kept for a period of 10 years. | Within 180 days following the end of the retention period |
| Filing of training records | Kept for a period of 10 years. | Within 180 days following the end of the retention period |

11- Although no period has been determined for the retention of personal data under the Law, in accordance with general principles, it is essential to retain personal data for the period prescribed in the relevant legislation or for the period necessary for the purpose for which they are processed. The Data Controller Company makes an assessment based on the applicable legislation and the purpose of the process for each data processing process in order to determine retention periods in accordance with the said principle. In the event that a longer period is regulated in accordance with the legislation, or a longer period is stipulated for the statute of limitations, statutory periods for dropping a right, retention periods, etc., according to the legislation, the periods in the provisions of the legislation are accepted as the maximum retention period. Accordingly, personal data is retained as a minimum for the period required by legal obligations and until the statute of limitations periods subject to the relevant Law expire.
Personal data may be retained for the purpose of carrying out necessary defenses within the scope of any dispute that may arise between you and the Data Controller. Upon the disappearance of the processing purpose of the relevant personal data within the scope of any process, including the expiration of the aforementioned periods, the personal data is anonymized, deleted, or destroyed in accordance with the Law.

12- Personal data whose retention period has expired or whose retention purpose has disappeared are deleted, destroyed, or anonymized once every six months through a periodic destruction process carried out ex officio at the recurring intervals specified in this Personal Data Retention and Destruction Policy. Periodic destruction operations are also carried out separately in January and July of each year.

13- Our Company makes the necessary assignments within the Company and establishes procedures accordingly to fulfill its obligations under the PDPL and to implement the matters stated in this Policy.

14- By monitoring the changes that may occur in Company activities and processed personal data groups, changes to be made in legal legislation, and Personal Data Protection Board principle decisions, this policy is reviewed according to emerging needs, and the necessary sections are updated, changed, or recreated.
