KVKK

Personal Data Protection Clarification Text
DATA CONTROLLER: ARKAS TURİZM SEYAHAT ACENTASI A.Ş.
Çınarlı Mah. Ankara Asfaltı Cad. No:15/101 Konak, İzmir

ARKAS TURİZM SEYAHAT ACENTASI A.Ş. (Data Controller) processes, stores, and protects the following personal data of yours:

Identity Information: Your name and surname, your parents' names, your date of birth, place of birth, gender, nationality, Turkish ID number, identity information, blood type and religion information obtained through a copy of your ID (if available), whether you are an authorized signatory, your photo.
Contact Information: Your address, phone number, email address, and if applicable, your KEP address.
Customer Information: Customer transaction details, your signature, information about the company you work for, tax information, bank account information, professional experience, job title, profession, and position details, vehicle information, information obtained during legal proceedings, tax identification number, instructions, requests, complaints, preferences, and habits related to our products and services.
Transaction Security Information: Your MAC address, log records.
Visual and Audio Information: Your photos and camera recordings.

As a result, we would like to inform you as the Data Controller in accordance with the Personal Data Protection Law No. 6698 (the Law).

Method of Collecting Personal Data and Legal Basis

Your personal data refers to "any information related to an identified or identifiable natural person," collected in both physical and electronic environments as specified in this clarification text. Your personal data is processed based on the legal grounds outlined in Article 5 of the Law, which include "as explicitly required by law," "when processing personal data of the parties to a contract is necessary for the establishment or performance of that contract," "when processing personal data is required for the data controller to fulfill their legal obligations," "when processing personal data is necessary for the establishment, use, or protection of a right," and "when processing personal data is necessary for the legitimate interests of the data controller, provided it does not infringe on the individual's fundamental rights and freedoms." If none of these legal grounds apply, your explicit consent will be requested for the processing of your personal data. You can find cases where explicit consent is required in the "Explicit Consent Form."

Purposes of Processing Personal Data

The personal data collected will be processed for the following purposes:

• Management of emergency response processes,
• Management of information security processes,
• Conducting audits/ethical activities,
• Managing access permissions,
• Ensuring activities are conducted in accordance with regulations,
• Managing finance and accounting operations,
• Managing processes related to loyalty to company/products/services,
• Ensuring physical security of premises,
• Managing assignment processes,
• Following up and managing legal affairs,
• Conducting internal audits/investigations/intelligence activities,
• Managing communication activities,
• Executing business operations and audits,
• Managing occupational health and safety activities,
• Collecting and evaluating suggestions for the improvement of business processes,
• Managing business continuity activities,
• Managing logistics operations,
• Managing the purchase of goods/services processes,
• Managing post-sales support services for goods/services,
• Managing sales processes for goods/services,
• Managing production and operation processes for goods/services,
• Managing customer relationship management processes,
• Managing customer satisfaction activities,
• Managing organization and event operations,
• Managing advertising/campaign/promotion activities,
• Managing risk management processes,
• Conducting storage and archiving activities,
• Managing corporate social responsibility and civil society activities,
• Managing contract processes,
• Conducting strategic planning activities,
• Following up on requests/complaints,
• Ensuring the safety of movable goods and resources,
• Managing the marketing processes for products/services,
• Ensuring the security of data controller operations,
• Managing investment processes,
• Providing information to authorized individuals, institutions, and organizations,
• Managing management activities,
• Creating and tracking visitor records.

Additionally, if you provide consent for the processing of your personal data, it will also be processed for the purposes of personalizing our products and services to meet your needs and desires, measuring your satisfaction with products and services, developing and diversifying our products and services based on your needs and desires, promoting and providing information about the activities of the company and its subsidiaries/affiliates, conducting marketing analysis, and carrying out personalized campaigns, advertisements, and promotions.

Transfer of Personal Data:

In accordance with the law and the provisions mentioned above, your personal data collected will be transferred, in compliance with the basic principles stipulated by the Law and the conditions and purposes for processing personal data specified in Articles 8 and 9 of the Law, and for the purposes stated above, to domestic and international business partners, suppliers, data controller partners, and legally authorized public institutions, organizations, and individuals with whom we have a service relationship.

Your Rights as a Personal Data Subject:

As a data subject, you can submit your requests within the scope of Article 11 of the Law, which regulates the rights of the relevant person, to the data controller by following the procedures set out in the "Communiqué on the Procedures and Principles of Application to the Data Controller." Your request can be submitted in writing with a wet signature to the address of the data controller mentioned above, via an electronic signature to [email protected], or through the email address you have previously used to contact us at [email protected]. Alternatively, you can use other methods specified in the Communiqué on the Procedures and Principles of Application to the Data Controller to reach us.

The data controller will respond to your request as soon as possible and, at the latest, within 30 (thirty) days from the date of the notification, depending on the nature of your request.

For detailed information about the processing of your personal data, you can refer to the "Personal Data Protection and Processing Policy" available at www.arkasturizm.com.

 

---

 

Personal Data Protection and Processing Policy

Introduction

This policy sets out the principles and rules to be followed by ARKAS TURİZM SEYAHAT ACENTASI A.Ş. (Data Controller) regarding the collection, processing, transfer, updating, and destruction of personal data, in accordance with the Law No. 6698 on the Protection of Personal Data (the Law) and relevant national legislation.

Owner of the Policy

The owner of the Personal Data Protection and Processing Policy is the Data Controller, ARKAS TURİZM SEYAHAT ACENTASI A.Ş.

Purpose

The purpose of this policy is to provide explanations regarding the personal data processing activities and the rules adopted for the protection of personal data by the Data Controller. In this context, it aims to inform and ensure transparency for individuals whose personal data is processed by our company, including our business partners, current and prospective employees, current and potential customers, company shareholders, visitors, and third parties.

Scope

The scope of this policy includes the shareholders and partners of the Data Controller, employees, prospective employees, interns, subcontractors, suppliers, current and potential customers, visitors, and third parties whose personal data are processed.

Update

The Personal Data Protection and Processing Policy is reviewed and recorded annually, regardless of the need for changes due to corporate or legal requirements. The most up-to-date version is published on the data controller's website.

Definitions

The definitions not mentioned here will be used as defined in the Law and secondary regulations.

Explicit Consent: Consent given freely, based on being informed, for a specific subject.

Anonymization: The process of making personal data unidentifiable and unlinkable to any identifiable or identifiable natural person, even if combined with other data.

Obligation to Inform: The responsibility of the Data Controller to inform individuals whose data is processed, regarding who will process their data, for what purposes, and on what legal grounds, and to whom the data may be transferred for what purposes.

Data Subject: The natural person whose personal data is being processed.

Personal Data: Any information related to an identified or identifiable natural person. This includes information such as a person's name, surname, date of birth, place of birth, and any information regarding their physical, familial, economic, and other characteristics such as name, phone number, vehicle license plate, social security number, and passport number.

Processing of Personal Data: Any operation performed on personal data, whether automatically or non-automatically as part of a data recording system, including obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, receiving, making available, restricting, or preventing the use of the data.

Special Categories of Personal Data: Data related to a person’s race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Data Processor: A natural or legal person who processes personal data on behalf of the Data Controller, based on the authority granted by the Data Controller. These individuals process personal data within the instructions given and are authorized by the Data Controller through a personal data processing agreement.

Data Controller: A natural or legal person who determines the purposes and methods of personal data processing and is responsible for establishing and managing the data recording system.

Data Controllers Registry (VERBİS): A registration system that must be maintained by the Personal Data Protection Authority (the Authority) for Data Controllers to register, as required by the Personal Data Protection Law No. 6698.

Roles and Responsibilities

Within the scope of the Personal Data Protection and Processing Policy, four complementary roles have been defined.

Data Officer

There are two "Data Officers" assigned for the Data Controller, one as the primary and the other as a backup. The responsibilities of the Data Officer are as follows:

• The Data Officer, together with all employees of the Data Controller, is responsible for creating a detailed personal data processing inventory and coordinating related activities.
• The Data Officer follows up on changes and regulations in data processing activities and ensures the inventory is kept up-to-date.
• The Data Officer communicates any potential changes to the Data Controller's Contact Person.
• The Data Officer carries out the tasks and operations specified in the company's policies, procedures, and instructions.

Data Controller Contact Person

Each Data Controller has a designated "Data Controller Contact Person." The responsibilities of the Data Controller Contact Person are as follows:

• The Data Controller Contact Person must be aware of all processes and activities related to the protection of personal data within the assigned Data Controller.
• Represent the Data Controller in official and internal audit processes, take necessary actions, and ensure they are concluded.
• Respond to requests from the relevant individuals.
• In case of a data breach, inform company management, the Data Protection Consultation Group, and the Legal Department.
• Follow up on any changes and regulations in data processing activities reported by the Data Controller and related departments, together with the Data Officer, and ensure the inventory is kept up to date.
• If there are any changes in the registered information in VERBİS, report the changes to the Authority via VERBİS within seven days from the date the changes occurred.
• Facilitate communication with the Authority.
• In case of a data breach, ensure that legal notifications are made properly and in accordance with the procedure.
• Carry out tasks and operations specified in company policies, procedures, and instructions.

Data Controller Senior Management

1. The responsibility of the Data Controller Senior Management (such as the Chairman of the Board, CEO, etc.) is to supervise that the Data Controller Contact Person performs their duties as outlined by the law
2. Changes and appointments of the Data Controller Contact Person and the Data Officer are made by the Data Controller Senior Management upon the termination of their employment contract and are reported to the Data Protection Consultation Group.

  1. Data Protection Consultation Group

1. The KVK Advisory Group is responsible for preparing, updating, and auditing the applicable KVKK policies and procedures for the Data Controller.
2. They monitor updates and changes in the relevant legislation related to the law.
3. They take necessary actions in case of situations requiring updates to administrative and technical measures.
4. Providing KVK consultancy across Arkas Group companies.
5. They provide consultancy regarding actions related to inspections, individual notifications, complaints, etc. under the legislation, which will be reported to them by the Data Controller Contact Persons.

 Approval

The policy prepared by the KVK Advisory Group is approved by the relevant senior management representatives on behalf of the Data Controller.

Persons Whose Personal Data is Processed

The personal data of real persons such as job candidates, employees, individuals subject to news, shareholders/partners, potential buyers of products or services, interns, supplier employees, supplier representatives, individuals receiving products or services, parents/guardians/representatives, visitors, etc. are processed.

Data Categories

Personal data such as identity, contact, location, personal status, legal transactions, customer transactions, physical space security, transaction security, risk management, finance, professional experience, marketing, visual and auditory recordings, philosophical beliefs, religion, sect and other beliefs, membership in associations, health information, criminal convictions and security measures, and biometric data are processed in accordance with the purpose of personal data processing.

Activities and Purposes Related to the Processing and Sharing of Personal Data

Personal data will be processed for the following purposes, in accordance with the activities related to the processing and sharing of personal data: managing emergency response processes, implementing information security processes, managing employee satisfaction and engagement processes, fulfilling contractual and legal obligations for employees, managing employee benefits and rights processes, conducting audit/ethical activities, conducting training activities, managing access rights, ensuring compliance with regulations in activities, managing financial and accounting tasks, ensuring physical space security, managing assignment processes, monitoring and managing legal affairs, conducting internal audits/investigations/intelligence activities, managing communication activities, planning human resources processes, conducting business activities/monitoring, managing occupational health and safety activities, receiving and evaluating suggestions for improving business processes, ensuring business continuity, conducting logistics activities, managing goods/services procurement processes, managing goods/services sales processes, managing goods/services production and operation processes, organizing and event management, managing performance evaluation processes, conducting advertising/campaign/promotion processes, managing risk management processes, performing storage and archiving activities, conducting social responsibility and civil society activities, managing contract processes, conducting strategic planning activities, tracking requests/complaints, ensuring the security of movable property and resources, implementing salary policies, ensuring the security of the data controller's operations, managing work and residence permit processes for foreign employees if applicable, providing information to authorized persons, institutions, and organizations, and managing management activities.

Your personal data will be processed in accordance with the basic principles set forth by the Law and in compliance with the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, as well as for the purposes listed above, and may be transferred domestically and internationally to our business partners, suppliers, Arkas Holding A.Ş. and its affiliated companies/organizations, and legally authorized public institutions, organizations, and individuals.

Measures Taken When Transferring Data to Third-Party Service Providers  

Personal data protection clauses are added to contracts and annexes with third-party service providers, a separate confidentiality agreement is made, additional undertakings or protocols are established, and the relevant service providers are audited to ensure that personal data is properly protected. Additionally, a "Framework Data Transfer Agreement" is arranged between group companies, subsidiaries, and affiliates to regulate the sharing of personal data within the group.

Data Protection Policies and Procedures

This policy contains the general terms and conditions for the protection and processing of personal data within the Data Controller’s organization.

1. Personal Data Retention and Destruction Policy: This policy contains the rules and procedures related to the retention and destruction processes of personal data within the Data Controller's organization.

2. Processing and Protection of Special Category Personal Data Policy: This policy includes the rules and procedures regulating the conditions and methods for processing special category personal data within the Data Controller’s organization.

3. Employee Personal Data Protection and Processing Policy: This policy outlines the rules and procedures for the protection and processing of personal data belonging to employees within the Data Controller’s organization.

4. Information Systems General Standards and Security Policy: This policy aims to ensure the security and confidentiality of information and data in all commercial and operational electronic, written, or other environments, and defines the general principles for the processing of personal data related to employees.

5. Informing and Obtaining Explicit Consent Texts: This ensures that individuals are informed and that personal data processing activities are conducted in compliance with the Law.

6. Internal Training: Employees are informed about the Law through internal training, aiming to increase awareness.

7. Management of Data Subject Requests Procedure: This procedure establishes the rules and conditions for investigating, responding to, and taking necessary actions regarding requests from data subjects within the Data Controller’s organization.

8. Audit of Personal Data Processing Activities: Personal data processing activities are regularly audited within the Data Controller’s organization to ensure compliance with the relevant laws and regulations.

Risk Analysi

The risk findings resulting from regular audits conducted by the Internal Audit Department are evaluated with the KVK Advisory Group. Information regarding the actions to be taken or processes that need to be changed is provided to the senior management of Arkas Holding A.Ş. and its affiliated companies, and the necessary measures are ensured to be taken by the relevant Data Controller.

Non-Policy Situation

In the event that different practices are identified outside of what is described in this policy, the individuals who detect the discrepancies will provide written information to the KVK Advisory Group, with the support of the Data Controller Contact Person and Data Officers.

Principles of Personal Data Processin

Personal data is processed in accordance with the general principles and provisions set out in the legislation to ensure compliance with the Law. In this context, the Data Controller acts in accordance with the following principles for the processing of personal data in compliance with the Law and related legislation:

Processing Personal Data in Compliance with Law and the Principle of Integrity
The Data Controller acts in accordance with the law and the principle of integrity in the activities related to the processing of personal data.

Ensuring the Accuracy and Up-to-Date Status of Personal Data
The Data Controller ensures that the personal data they process is accurate and, when necessary, kept up to date, taking into account the fundamental rights of data subjects and their legitimate interests. The Data Controller establishes the necessary systems to take the required measures in this regard.

Processing for Specific, Explicit, and Legitimate Purposes
The Data Controller determines the purpose for which personal data will be processed and informs the data subjects of these purposes before processing the personal data. Personal data is not processed for purposes other than those specified and legitimate, in accordance with the law.

Being Relevant, Limited, and Proportional to the Purpose for Which It Is Processed
The Data Controller processes personal data in a manner that is suitable for the achievement of the determined purposes, avoiding the processing of personal data that is unrelated or unnecessary for the purpose. In this context, proportionality requirements are considered, and personal data is not used for purposes other than those initially specified.

Storing Personal Data for the Period Required by Relevant Legislation or for the Purpose for Which It Was Processed
The Data Controller first determines whether the relevant legislation specifies a period for storing personal data. If a period is specified, the Data Controller complies with that period. If no period is specified, personal data is retained only for the duration necessary to fulfill the purpose for which it was processed.

Building Entries and Personal Data Processing Activities Within the Building, and Network and Website Users

The Data Controller processes personal data through security camera surveillance and the tracking of guest entries and exits within the Data Controller’s buildings and facilities for security purposes. By using security cameras and recording guest entries and exits, the Data Controller carries out personal data processing activities.

At the entrances of buildings and facilities, as well as within the premises, the Data Controller collects video recordings of visitors and all relevant individuals through a camera surveillance system. The data includes personal information such as first and last names, national ID number, driver’s license number, passport number, employee ID number, title, field of work, gender, company name, entry and exit dates and times, and vehicle license plate information, which are kept in a visitor log.

The Data Controller conducts video surveillance activities for the purpose of improving the quality of the services provided, ensuring reliability, safeguarding the security of the Data Controller, customers, and third parties, and protecting the interests of customers regarding the services they receive.

The video surveillance activities conducted for security purposes are carried out in compliance with the regulations of the Law and Law No. 5188 on Private Security Services, as well as other relevant legislation.

In compliance with Article 12 of the Law, necessary technical and administrative measures are taken to ensure the security of the personal data obtained through video surveillance activities.

For the purpose of ensuring security and for the purposes outlined in this policy, internet access may be provided to visitors who request it during their stay at the building or facilities. In this case, internet access logs are recorded in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed by These Publications, and the relevant provisions of the related regulations. These logs are processed only when requested by authorized public institutions or organizations or during audit processes conducted within the Data Controller’s organization to fulfill the related legal obligations.

Access to the digitally recorded and stored logs is limited to a restricted number of personnel from the Information Security Unit.

The obtained log records are stored with a timestamp to ensure their immutability, and they are preserved with access restricted to a limited number of Information Security Unit personnel.
 

Processing of Customer and Business Partner Data

Personal data may be processed to communicate with customers in writing or verbally, in line with the purposes mentioned above.

Due to the relationship arising from the contract, personal data related to existing and potential customers and business partners (in the case of a business partner being a legal entity, personal data related to the authorized representative of the business partner) may be processed for the establishment, implementation, and termination of a contract without prior consent. Before the contract is made, during the contract initiation phase, personal data may be processed for purposes such as preparing an offer, preparing a purchase form, or addressing the individual’s requests related to the execution of the contract.

Personal data may also be processed for advertising purposes, market and public opinion research, but only when the purpose of collecting the information aligns with these objectives. The individuals concerned are informed about the use of their data for advertising purposes.

Due to legal obligations or because it is explicitly foreseen by law, personal data may be processed without additional consent for data processing activities, when explicitly stated in the relevant legislation or to fulfill a legal obligation specified by law. The type and scope of the data processing activity must be necessary for the legally permitted data processing activity and must comply with the relevant legal provisions.

Special categories of personal data are processed by the institution under sufficient precautions, as determined by the institution and in accordance with the provisions of the Law. Special categories of personal data, excluding health and sexual life data, are processed with the explicit consent of the data subject. If explicit consent is not available, data may be processed in accordance with the exceptions provided in the Law.

Processing of Employee and Job Candidate Data

The rules and procedures regulating the conditions and methods for the protection and processing of personal data of employees within the Data Controller's organization are included in the "Employee Personal Data Protection and Processing Policy."

Additionally, the collection and processing of personal data of employees are mandatory throughout the process of establishing, executing, and terminating the employment contract. For these processes, the employees' explicit consent may not be required. The personal data of potential job candidates is also processed during job applications. If the job application is rejected, the personal data obtained during the application is retained for the retention period, and after this period, it is deleted, destroyed, or anonymized.

Personal data related to employees may be processed without additional consent for the purpose of fulfilling legal obligations clearly stated in the relevant legislation or to comply with legal requirements.

Personal data of employees may be processed without explicit consent when the Data Controller has a legitimate interest. When personal data is processed based on the legitimate interest of the Data Controller, the proportionality of this processing is assessed to ensure that the legitimate interest does not violate a right of the employee that should be protected.

Special categories of personal data are processed only under specific conditions. Data related to race and ethnic origin, political views, religion, philosophical beliefs, sect or other beliefs, appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are defined as special categories of personal data. These special categories of data can only be processed if the employee's explicit consent is obtained and necessary administrative and technical measures are taken.

The following cases constitute exceptions to this rule, and in these cases, special categories of personal data can be processed without the employee’s explicit consent: Personal data related to the health and sexual life of employees, as defined in the law; personal data related to the health and sexual life of employees may be processed by individuals or authorized institutions who are under the obligation of confidentiality and for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services, and financing them.

Conditions for Processing Personal Data

Detection and Processing of Personal Data

Under the law, personal data is defined as "any information relating to an identified or identifiable natural person." The concept of personal data is not limited to information such as name, surname, place of birth, and date of birth that allows individuals to be recognized and identified, but also includes all physical, social, cultural, economic, and psychological information about individuals.

In addition to identity information, other details such as citizenship number, tax number, passport number, social security number, driver's license number, vehicle license plate, home address, work address, email address, phone number, fax number, curriculum vitae, photo, video, genetic information, blood type, criminal history, and criminal record are all considered personal data, as they allow an individual to be identified or identifiable. These types of information fall under the scope of personal data protection.

In line with this definition, the Data Controller, along with its business partners, employees, customers, and third parties, determines whether the data they collect falls under the category of personal data and processes this data in accordance with the rules set out in the law.

The processing of personal data includes all types of actions performed on data, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, making available, classifying, or preventing the use of data, whether fully or partially automated, or through non-automated means as part of any data recording system.

Exceptions

The Data Controller processes personal data with the explicit consent of the data subjects in accordance with the Law. However, personal data processing is possible without the explicit consent of the data subject under any of the following conditions:

1. Explicit Provision in Laws: When explicitly foreseen in laws (e.g., tax law, labor law, commercial law, etc.).

2. Directly Related to the Establishment or Performance of a Contract: When the processing of personal data of the parties to the contract is necessary for the establishment or performance of a contract (e.g., employment contracts, sales contracts, transportation contracts, work contracts, etc.).

3. Inability to Express Consent Due to Physical Impossibility: In cases where the individual is unable to express their consent due to physical impossibility or when the consent is legally invalid, and the processing of data is necessary to protect the life or bodily integrity of the individual or another person.

4. Necessary for Legal Obligation: When the processing is required to fulfill the legal obligations of the data controller (e.g., financial audits, compliance with security regulations, sector-specific regulations, etc.).

5. Personal Data Made Public by the Data Subject: When the data subject has made their personal data public (e.g., voluntarily sharing personal information with the public).

6. Necessary for the Establishment, Use, or Protection of a Legal Right: When the processing of data is necessary for the establishment, exercise, or protection of a legal right (e.g., for filing a lawsuit, registration procedures, real estate transactions, etc.).

7. Necessary for Legitimate Interests of the Data Controller: When it is necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

Processing of Special Categories of Personal Data

Under the Law, certain personal data is classified as "special categories of personal data." The Data Controller does not process such data without the explicit consent of the data subject. Explicit consent refers to "consent that is informed, based on specific information, and given voluntarily."

The Law categorizes the following data as special categories of personal data: a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. The list of these data types is exhaustive as defined in the Law and cannot be extended through interpretation.

The Data Controller will also take adequate measures, as determined by the Personal Data Protection Board (the Board), to protect the processing of special categories of personal data.

According to the Law, the Data Controller may only process special categories of personal data under the following conditions:

1. With the Explicit Consent of the Data Subject.

2. Under a Legal Obligation (For personal data other than health and sexual life, such data may be processed without explicit consent in situations explicitly foreseen in laws).

3. For Public Health Reasons, including the planning, management, and financing of health services (such data may be processed by individuals or authorized institutions under confidentiality obligations for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, care services, and the planning, management, and financing of health services).

 

Conditions for Transferring Personal Data

The Data Controller, by taking the necessary security measures in line with the lawful purposes of personal data processing, may transfer personal data to third parties with the explicit consent of the data subject or in compliance with the conditions set forth in Articles 5/2 and 6/3 of the Law (legal grounds). Additionally, the Data Controller may transfer personal data to third parties without explicit consent, in accordance with the data processing conditions stipulated in the Law.

The Data Controller will take the necessary administrative and technical measures to ensure the transfer of data without explicit consent is carried out in accordance with the restrictions set by the Law.

The Data Controller may transfer personal data to foreign countries that have been declared by the Personal Data Protection Board to have adequate protection, or if there is no adequate protection, to foreign countries where both the data controllers in Turkey and the foreign country provide a written commitment for adequate protection, and where the Board has granted permission for the transfer.

Obligations of the Data Controller

Obligation to Inform the Data Subjec

The Data Controller is required to inform personal data subjects about the following aspects during the collection of personal data:

• Under this obligation, the Data Controller provides information to the concerned individuals with the information notice they have prepared. The information must be provided at the time of the first contact with the individual.

• If personal data is not obtained from the individual directly, the Data Controller must inform the individual within a reasonable time frame after obtaining the personal data, especially if the data will be used for communication purposes or transferred to third parties. In such cases, the information must be provided at the time of the first communication or, if applicable, no later than the first transfer of personal data.

Obligation to Respond to the Data Subject's Requests

Data subjects can request information from the Data Controller in writing or by other methods specified by the Authority.

• The Data Controller will respond to data subjects' requests regarding their rights and will provide the necessary information as stipulated in Article 13 of the Law. The Data Controller also sets up procedures for administrative and technical regulations.

Data subject rights include:

• Learning whether their personal data is processed,
• Requesting information about personal data processing if data has been processed,
• Learning the purposes of processing and whether the data is being used appropriately,
• Knowing the third parties to whom their personal data has been transferred, both inside and outside the country,
• Requesting correction if personal data is incomplete or incorrect,
• Requesting deletion or destruction of personal data as per the relevant legislation,
• Requesting notification of changes in their personal data processing to third parties, if applicable,
• Objecting to decisions made exclusively based on automated processing of personal data,
• Requesting compensation for damages incurred due to unlawful processing of personal data.

The Data Controller processes requests sent by written or secure electronic signature or by using the "Application Form" available on the website. If the Authority determines other application methods, those methods will also be accepted.

The Data Controller responds to the request as quickly as possible, and no later than 30 (thirty) days. The Data Controller can accept the requests and carry out the necessary actions or reject them with a reason.

In case of rejection or unsatisfactory response, or failure to respond, the data subject can file a complaint with the Authority within 30 (thirty) days after learning of the response, or within 60 (sixty) days from the application date.

Obligation to Ensure Personal Data Security

The Data Controller takes necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure its protection.

The Authority may introduce detailed regulations regarding data security in the future, so the Data Controller will ensure compliance with these regulations and ensure the security of personal data.

The Data Controller establishes systems to monitor the functioning of technical and administrative measures and conducts necessary audits. The results of these audits are reviewed by the relevant departments within the Data Controller, and necessary measures are taken.

If personal data is accessed unlawfully, the Data Controller must notify the Authority within 72 hours (seventy-two) of becoming aware of the breach. After identifying the affected individuals, notification is made directly to them, if possible, or through appropriate methods such as publishing it on the Data Controller's website.

Technical and Administrative Measures to Ensure Lawful Data Processing

The Data Controller analyzes all processes related to personal data processing within the company and stores them in the personal data processing inventory. All activities, from data collection to deletion, are subject to a legality review.

Personal data processing activities are monitored by technical systems. In case of unlawful processing, the concerned parties are notified, and the deficiencies or legal violations are corrected.

The Data Controller educates and informs employees about personal data protection laws and the lawful processing of personal data.

Contracts and documents governing legal relationships between the Data Controller and its business partners, employees, and customers include provisions that prohibit unlawful processing, disclosure, or use of personal data.

Each department's activities are evaluated for compliance with the conditions set forth in the Law, and procedures, administrative measures, and training programs are established to ensure compliance.

Measures to Prevent Unlawful Access to Personal Data

The Data Controller takes necessary administrative and technical measures to prevent unlawful access, disclosure, viewing, or transfer of personal data. The Data Controller develops mechanisms for this and educates the relevant departments to ensure compliance with these obligations.

Personal Data Retention and Destruction Policy

Purpose

This Personal Data Retention and Destruction Policy (Policy) has been prepared in accordance with Article 5 of the "Regulation on Deletion, Destruction, or Anonymization of Personal Data" in line with the Data Controller's (Company's) personal data processing inventory.

The purpose of this Policy is to establish the principles of the Company's personal data retention and destruction practices in order to comply with the laws and secondary regulations to which the Company is subject.

This Policy has been prepared to define the procedures and principles regarding the activities of data retention and destruction carried out by the Company.

This Policy adheres to the following principles set out in the Law No. 6698 on the Protection of Personal Data (the Law). According to the Law, the processing of personal data must:

1. Be lawful and in accordance with the principles of fairness,
2. Be accurate and, when necessary, kept up to date,
3. Be processed for specified, explicit, and legitimate purposes,
4. Be relevant, limited, and proportionate to the purposes for which they are processed,
5. Be retained for the period prescribed by the relevant legislation or as necessary for the purpose for which they were processed.
6. This Policy applies to all physical and electronic documents/media, including originals and copies, created or maintained within the scope of the Company’s activities. The applicable legislation may require the Company to retain certain records for specific periods. Non-compliance with these retention periods may expose the Company to fines and sanctions, hinder the administration of justice, result in the loss of evidential qualities of legal documents, and/or significantly damage the Company’s position in legal processes. Therefore, this Policy:
7. Includes an "APPENDIX-A / Retention and Destruction Periods Table" specifying the retention periods determined by the applicable legislation and processes.
8. Also includes an "APPENDIX-B / Table of Persons Involved in the Retention and Destruction Process," which defines which individuals/departments within the Company are responsible for and involved in the retention and destruction processes and their respective duties.

Company employees are responsible for fully understanding and implementing this Policy.

Definitions
Unless they are proper nouns and are defined separately within the Policy, the terms listed below have the meanings as defined:
 

Explicit Consent   Recipient Group	Refers to consent that is based on being informed and freely given, related to a specific matter.   Refers to the category of natural or legal persons to whom personal data is transferred by the Data Controller.
Active Records	It refers to the records that are currently being used for the operation, administration, and management of the Company.
Inactive Records	Inactive records; records that are not in use, but have not yet reached their retention period because they may need to be processed later.
Anonymization	It refers to the process of making personal data unidentifiable to any specific or identifiable individual, even when combined with other data. It refers to natural persons working within the data controller's organization.
De-magnetization    Electronic Environment  Non-Electronic Environment	It refers to the process of passing magnetic media through a special device, exposing it to a high-value magnetic field, which causes the data on it to become unreadable. An electronic environment refers to settings where data is stored with minimal human intervention, and logical or arithmetic operations are applied. In these environments, operations such as data modification, deletion, retrieval, or transfer are performed using automatic or partially automated methods. The processing through non-automatic methods, connected to a data recording system, refers to the activities of processing manually prepared data, which facilitates access and understanding.
Physical Destruction (For Electronic Data) Service Providers	It refers to the physical destruction of optical media and magnetic media, such as melting, burning, or pulverizing them. It refers to natural or legal persons engaged in commercial activities to sell products or services to the Data Controller, as well as natural and legal persons acting as intermediaries for these services.
Two-Factor Authentication Secondary Legislation	It refers to an authentication system consisting of the combination of a person's username and password with an external authentication system (such as a mobile phone, personal question, cryptographic key, etc.). According to the law, it means any regulation, circular, communiqué, policy decision, or similar administrative decision or general opinion issued or taken by the Personal Data Protection Authority.
Relevant Person	It refers to the real person whose personal data is processed.
Relevant Users	It refers to the individuals who process personal data within the Data Controller organization or under the authority and instructions received from the Data Controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
	It refers to any or all of the processes of deletion, destruction, and/or anonymization. It refers to the Personal Data Protection Law No. 6698.
	It refers to processes such as crossing out, painting over, frosting, or starring the entirety of personal data in a way that it can no longer be associated with an identified or identifiable real person.
Record Environment	It refers to any environment where personal data is processed through fully or partially automated means, or through non-automated means as part of any data recording system.
Personal Data	It refers to any information related to an identified or identifiable real person.
Registered Electronic Mail (KEP)   Personal Data Processing Inventory	It refers to the qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their sending and delivery. It refers to the inventory created by the Data Controller in relation to personal data processing activities carried out based on their business processes. This inventory associates the purposes of personal data processing, legal grounds, data categories, the recipient group, and the group of data subjects, detailing the retention periods necessary for the purposes for which the personal data is processed, personal data to be transferred to foreign countries, and the security measures taken regarding data security.
Board	It refers to the Personal Data Protection Board.
Authority	It refers to the Personal Data Protection Authority.
KVK Consultation Group Special Categories of Personal Data	It refers to the company employees who carry out the completion of the compliance project with the Law within the company and the subsequent consulting services. It refers to data related to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Periodic Destruction	It refers to the process of deletion, destruction, or anonymization that will be carried out automatically at recurring intervals, as specified in the Personal Data Retention and Destruction Policy, when all conditions for processing personal data mentioned in the Law are no longer applicable.
	It refers to this Personal Data Retention and Destruction Policy.
Retention and Destruction Periods Table	It refers to the "Retention and Destruction Periods Table" found in Appendix A.
	It is a file transfer protocol that uses the cryptographic network protocol SSH for transferring files. It refers to the process of making personal data completely inaccessible and irretrievable for the relevant users.
	It refers to the Data Controller.
Overwriting	It refers to the process of writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media to prevent the recovery of old data. The Data Controllers Registry (VERBIS) is a registration system where data controllers are required to register and declare information related to their data processing activities.
Data Processor	It refers to the real or legal person who processes personal data on behalf of the Data Controller based on the authority granted by the Data Controller.
Data Recording System	It refers to the recording system in which personal data is processed by being structured according to specific criteria.
Data Controller   Data Controller Contact Person   Data Officer	It refers to the real or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the Data Recording System. For real and legal persons established in Turkey, it refers to the individual notified during the registration process to communicate with the Authority regarding the obligations under the Law and secondary regulations issued based on this Law, as indicated by the Data Controller. For real and legal persons not established in Turkey, it refers to the representative of the Data Controller. It refers to the company employee appointed by the Data Controller, who creates, maintains, and updates the company’s personal data inventory in compliance with the Law, and communicates the necessary changes to the Data Controller Contact Person.
Destruction	It refers to the process of making personal data completely inaccessible, irretrievable, and unusable by anyone in any way.
	It refers to the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017, and which entered into force on January 1, 2018.

It will be accepted that definitions not included here will be used with the meanings specified in the Law and secondary regulations.

Scope
This Policy applies to the entire Company and regulates the necessary obligations. Personal data processed by the Company concerning all natural persons are within the scope of this Policy. This Policy will be applied to all recording environments where the personal data owned or managed by the Company is processed, as well as all data processing activities.
When the Company processes personal data as the Data Controller, it acts in accordance with the provisions in this Policy.
When the Company processes personal data as a Data Processor on behalf of another party, it complies with the provisions in this Policy and, where applicable, follows the instructions in any contract signed with the relevant third party that does not conflict with the Policy.
The department manager, the Data Controller Contact Person, and the Data Officer are responsible for the implementation of the Policy and ensuring compliance with the Policy.

Reasons for the Storage and Destruction of Personal Data
Our Company:

• The Tax Procedure Law No. 213,
• The Enforcement and Bankruptcy Law No. 2004,
• The Labor Law No. 4857,
• The Turkish Penal Code No. 5237,
• The Social Security and General Health Insurance Law No. 5510,
• The Law No. 5651 on the Regulation of Publications on the Internet and Fighting Crimes Committed through These Publications,
• The Turkish Commercial Code No. 6201,
• The Turkish Obligations Code No. 6098,
• The Occupational Health and Safety Law No. 6331,
• The Personal Data Protection Law No. 6698, and the related regulations,
• Other regulations published under these laws,
• Inspections by the Ministry of Labor and Social Security and the Social Security Institution,
• Statistical studies,
• Presentation for court and expert reviews,
• Upon request by local law enforcement and organized industrial zone offices,
• may process, store, and record personal data for deletion when necessary.
• The purposes for processing personal data that require storage include: managing human resources processes, ensuring corporate communication, maintaining company security, conducting statistical studies, fulfilling work and transactions resulting from signed contracts and protocols, ensuring the fulfillment of legal obligations as required or mandated by regulations, establishing communication with real/legal persons in business relationships with the company, managing occupational health and safety processes, running information systems processes, keeping visitor, camera, and meeting records, processing customer data, managing supply processes, conducting accounting and finance processes, monitoring travel processes, and processing postal, cargo, and shipment records.
  
  Recording Environments

1. Physical Records
   Physical environments, such as written, printed materials, and manual data recording systems (survey forms, visitor logbooks), consist of physical records, paper-based records, photographs, contracts, paper, microfiche, and similar media.
   Inactive records are sent to the Company's archives.

2. Electronic Records
   Personal data contained in various media such as audio recordings, photographs, videos, and audiovisual media can be stored in secure electronic environments that prevent unauthorized third-party access and processing, ensuring that the data is accessible only to those who need to process accurate and up-to-date personal data.

• Servers (domain, backup, email, database, web, file sharing, etc.),
• Software (office software, portal, etc.),
• Information security devices (firewall, intrusion detection, blocking, log files, antivirus, etc.),
• Backup cartridges,
• Personal computers (desktop, laptop),
• Mobile devices (phone, tablet, etc.),
• Optical disks (CD, DVD, etc.),
• Removable storage devices (USB, memory card, etc.),
• Printers, scanners, photocopiers, and other electronic data recording media can be listed.

1. Adequate protective measures should be taken, processes should be established, and they should be implemented by the Company to ensure that electronic records are protected against being lost, altered, and unauthorized destruction, and to ensure they remain complete, accurate, and legible during the storage process.Storage and Destruction Periods, Periodic Destruction

6.1. Appendix A includes the specific processes and their retention periods. Appendix B contains information about the individuals/units involved in these processes and their responsibilities.
6.2. In the context of this Policy, the storage calendar begins at the end of the calendar year in which the record was created. All records whose retention period has expired will be destroyed twice a year. The first periodic destruction occurs at the end of the calendar year, and the second occurs at the end of June each year. The period between the periodic destructions should not exceed six months. The personal data will be destroyed in the period that is closest to the date when the purpose of processing the personal data is no longer valid. (For example, if a record was created in March 2010 and needs to be kept for seven years, it will be destroyed on June 30, 2017; if the record had been created in November 2010, it would need to be destroyed on December 31, 2017.)

Destruction

Records must be destroyed in the following cases:
The conditions under which personal data will be deleted, and the actions to be taken when these conditions occur, will be determined by the Senior Management, Data Controller Contact Person, and the KVK Advisory Group, based on the specific circumstances of the case, the Law, Regulations, and Secondary Legislation. These actions will be documented in the company's data inventory with the most up-to-date version, including the retention periods.

PROCESS	RETENTION PERIOD	DESTRUCTION PERIOD
Management of Occupational Health and Safety Processes	10 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
Management of Contract Processes	10 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
Management of Communication Activities	10 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
Management of Human Resources Processes	15 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
Management of Processes Related to Job Candidates	1 year from the completion of the application process	Following the expiration of the retention period, during the first periodic destruction period
Cyber Security Incident Management	5 years after being recorded	Following the expiration of the retention period, during the first periodic destruction period
Management of Hardware and Software Access Processes	2 years after being recorded	Following the expiration of the retention period, during the first periodic destruction period
Camera Recordings	1 year after being recorded	Following the expiration of the retention period, during the first periodic destruction period
Recording of Visitors and Meeting Participants	2 years after the completion of the event	Following the expiration of the retention period, during the first periodic destruction period
Customer Data	1 year after being recorded	Following the expiration of the retention period, during the first periodic destruction period
Management of Procurement Processes	10 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
Management of Accounting and Finance Processes	10 years from the termination of the employment relationship	Following the expiration of the retention period, during the first periodic destruction period
General Assembly and Board of Directors Transactions	Resmi ve Hukuki İşlemlerin   Yürütülmesi	Following the expiration of the retention period, during the first periodic destruction period
Management of Official and Legal Transactions	10 years after being recorded	Following the expiration of the retention period, during the first periodic destruction period
Travel Processes	20 years from the termination of the legal relationship	Following the expiration of the retention period, during the first periodic destruction period
Mail, Cargo, and Shipment Records	5 years after being recorded Following the expiration of the retention period, during the first periodic destruction period

Personal Data Processing Conditions for Erasure of Personal Data

When the conditions for processing personal data are fully eliminated:

• If the Data Subject requests the erasure of their personal data,
• If the Data Subject withdraws their explicit consent regarding the processing of their personal data,
• When the requirements and/or purposes for processing or storing personal data are eliminated,
• If the relevant legislation provisions on the processing of personal data are amended or repealed,
• When the institution properly requests the erasure of personal data,
• When the retention period for personal data expires, it will be erased.

If the conditions for processing personal data are not fully eliminated, and if the Data Subject requests the erasure of their personal data, this request may be denied with a written justification prepared by the Data Controller’s Contact Person. This written justification will be sent to the Data Subject within 30 (thirty) days from the date the request is notified to the company. If the conditions for processing personal data are fully eliminated, the personal data subject to the request will be erased. In this context, the request will be concluded within 30 (thirty) days from the date it is notified to the Data Subject, and the Data Subject will be informed.
The company, through the Data Controller’s Contact Person and the Personal Data Protection Consultation Group, selects the most appropriate destruction method. If requested by the Data Subject, the company will provide a justification for the chosen method. This explanation will be made by the Data Controller’s Contact Person, and if the Data Subject requests, it will be communicated to the Data Subject in compliance with the Law, Regulation, and secondary legislation.
If the conditions for processing personal data are fully eliminated and the personal data subject to the request has been transferred to a third party, this situation will be communicated to the third party, and the necessary actions for erasure in accordance with the Regulation will be followed.

Erasure of Records ensures that personal data cannot be accessed, restored, or reused by anyone in any way. To ensure the erasure of personal data, all copies of the data must be identified, and it must be ensured that the data cannot be accessed, restored, or reused in any way. The personal data erasure activity is carried out by the company after the Data Controller’s Contact Person signs the erasure decision. The Data Controller’s Contact Person informs the responsible individuals of the erasure activity about the necessity of the related erasure.

Electronic Records;

Electronic records can be destroyed through methods such as demagnetization, physical destruction, and overwriting. The storage media inside network devices (switches, routers, etc.) are fixed. These products often have a delete command but do not have the capability to destroy data. Data is destroyed using one or more of the methods of demagnetization, physical destruction, or overwriting.

For flash-based hard drives containing personal data with interfaces such as ATA (SATA, PATA, etc.) or SCSI (SCSI Express, etc.), if supported, the delete command should be used. If not supported, the manufacturer's recommended data destruction method should be used, or one or more of the methods of demagnetization, physical destruction, or overwriting should be applied.

In portable smartphones, delete commands are available in the built-in storage areas, but most of them do not have a data destruction command. Data is destroyed using one or more of the methods of demagnetization, physical destruction, or overwriting.

Personal data on data storage media such as CDs and DVDs is destroyed using physical destruction methods such as burning, shredding, or melting.

For personal data in peripheral devices such as printers or fingerprint door access systems with removable storage media, after it is confirmed that all storage media have been removed, an appropriate destruction method is selected based on the device's nature.

Physical records are destroyed using methods such as paper shredders or cutting machines, reducing them to unintelligible sizes (preferably shredding both vertically and horizontally) or using other methods that make them unreadable (for example, cutting the record into small pieces that cannot be reassembled or burning the physical record in an appropriate environment, etc.).

For cloud systems; the databases used for storing personal data in these systems are encrypted with cryptographic methods, and where possible, especially for each cloud solution used, separate encryption keys are used for personal data. When the cloud computing service relationship ends, all copies of the necessary encryption keys for accessing personal data are destroyed.

For malfunctioning or devices sent for maintenance; the destruction of personal data on these devices is carried out as follows:

Before transferring the relevant devices to third parties such as manufacturers, vendors, or service providers for maintenance and repair, the personal data contained within them is destroyed by the company using an appropriate method,
In cases where destruction is not possible or suitable, the data storage medium is removed and stored, and the faulty parts are sent to third parties such as manufacturers, vendors, or service providers,
Necessary measures are taken to prevent the personnel from external maintenance or repair services from copying and removing personal data from the institution. çalışanlar, kaydın nasıl yok edileceğine ve yukarıda belirtilen yok etme yöntemlerine dair Veri Sorumlusu İrtibat Kişisi'nden tavsiye alabilirler.

Deletion Process

The deletion of personal data is carried out by making it inaccessible and unusable for the relevant users in any way. The process to be followed for the deletion of personal data is as follows:

Identifying the personal data subject to deletion,
Determining the relevant users for each personal data using an access control matrix or a similar system,
Identifying the access, retrieval, and reuse rights and methods for the relevant users,
Closing and eliminating the access, retrieval, and reuse rights and methods for the relevant users in relation to their personal data.

Personal data on cloud servers (such as Office 365): For the personal data stored on servers, for those that no longer require storage, the system administrator will remove the relevant user's access rights and perform the deletion process.

Personal data on physical records: Documents with expired retention periods stored in physical environments will be destroyed or made inaccessible and unusable by the department manager responsible for document archiving.

Personal data on company servers: For the personal data stored on servers, for those that no longer require storage, the system administrator will remove the relevant user's access rights and perform the deletion process. If the relevant user is also the system administrator, the system administrator's privileges must be removed, or another deletion method must be carried out.

Personal data on portable media (such as flash drives, external HDDs): Personal data is stored in an encrypted format, and access rights are granted only to the system administrator. The encryption keys are stored securely.

Personal data in databases: Personal data in databases is deleted by removing the relevant rows from the database using database commands (such as "delete"). If the relevant user is also the database administrator, the database administrator's privileges must be removed, or another deletion method must be carried out.

---

Anonymization

Anonymization is the process of removing or altering all direct and/or indirect identifiers in a dataset, thereby preventing the identification of the individual or making the data untraceable to a real person or group.

As a result of removing or losing these features, data that no longer refers to a specific person is considered anonymized. In other words, anonymized data, which originally contained information identifying a real person before the process, can no longer be linked to the relevant person after the process, and the connection to the individual is severed.

The purpose of anonymization is to sever the link between the data and the individual it refers to. After applying automatic or non-automatic techniques such as grouping, masking, deriving, generalizing, or randomization to the records in the data storage system where personal data is kept, if the resulting data can no longer identify a specific individual, it is considered anonymized.

Some of the anonymization methods that can be used are listed below as examples:

1. Methods of Anonymization Without Providing Value Distortion:

   In methods that do not cause value distortion, no changes such as modification, addition, or deletion are made to the values of the data in the set. Instead, changes are made across all rows or columns in the set, so the overall data changes, but the values in the fields retain their original form. Some methods that do not cause value distortion are explained below with examples:

2. Removing Variables:
   This anonymization method involves completely removing one or more variables from the table. In such cases, the entire column in the table will be removed. This method may be used when the variable is a high-level identifier, no suitable alternative solution exists, the variable is too sensitive to be disclosed publicly, or it does not serve analytical purposes. For example, in a table containing personal data such as age, gender, postal code, income, and religion, the "religion" column might be removed completely.

3. Removing Records:
   In this method, anonymization is strengthened by removing a record that contains unique data, thus reducing the likelihood of drawing assumptions from the data set. Typically, removed records are those that do not share common values with other records and can easily lead to assumptions by someone familiar with the dataset. For instance, in a dataset containing survey results, if only one person from a specific sector has participated in the survey, instead of removing the "sector" variable, the record of that person may be removed.

4. Regional Hiding:
   The goal of regional hiding is to make the dataset more secure and reduce predictability risks. If the combination of values in a specific record creates a very rare situation, and this situation is likely to make that person identifiable within the related community, the exceptional value causing the situation is changed to "unknown." For example, in a table that categorizes disease status based on age, gender, and occupation, if the age of a record is 3 (indicating a child), this could create an exceptional situation. Changing the age field to "unknown" would reduce the risk of assumptions about the child's family.

5. Generalization:
   Generalization is the process of converting specific personal data into a more generalized form. It is commonly used in cumulative reporting and operations based on total figures. The resulting generalized values represent statistics or totals of groups, making it impossible to link the data back to a specific person. For example, if a person with the Turkish ID number 12345678901 purchases a product from an e-commerce platform and later buys another related product, the generalization method could be applied to represent the data as "xx% of people also bought the second product."

6. Lower and Upper Bound Coding:
   This method involves grouping values within a specific category and creating a new description for those values. Typically, low or high values of a specific variable are grouped together. For example, in a table listing annual incomes, instead of reflecting exact figures, the lower boundary might be set at 100,000 TL and the upper boundary at 120,000 TL. The data could then be grouped as: "low" for values less than or equal to 100,000 TL, "medium" for values between 100,000 and 120,000 TL, and "high" for values greater than or equal to 120,000 TL.

7. Global Coding:
   The global coding method is used for data sets that do not contain numerical values or whose values cannot be ordered numerically, and for cases where applying lower and upper boundary coding is not feasible. It is often used when grouping certain values makes prediction and assumption easier. A common and new group is created for selected values, and all records in the dataset are replaced with this new definition. For example, in a dataset of women in a particular profession, if most women are architects or engineers, the two categories might be combined into a single category called "architect or engineer."

8. Sampling:
   In sampling, instead of explaining or sharing the entire dataset, a subset of the data is shared. By doing so, it becomes impossible to know whether a known person is included in the sampled subset, reducing the risk of making accurate predictions about individuals. Simple statistical methods are used to determine the sample subset. For instance, if a dataset contains demographic information, professions, and health statuses of people living in Istanbul, and the data is anonymized and shared, the person’s record cannot be traced or predicted to be in the data, even if someone knows that person lives in Istanbul.

9. ---

   Methods of Anonymization Causing Value Distortion

10. Micro-Aggregation:
    In this method, all records in the dataset are first arranged in a meaningful order, and the dataset is divided into a specific number of subgroups. Then, the average value of the selected variable for each subgroup is calculated, and the value of that variable in the subgroup is replaced with the average. This way, the average value of that variable across the dataset is used for all records, distorting the original values.

Policy on the Processing and Protection of Sensitive Personal Data

Purpose
This Sensitive Personal Data Processing and Protection Policy (Policy) regulates the principles necessary for ensuring compliance with the applicable regulations regarding the processing of sensitive personal data as determined by our company.

Definitions
The terms used in this Policy will have the meanings assigned to them below. Definitions not provided here will be used as defined in the Law and secondary regulations.

Two-Step Authentication	It refers to an authentication system consisting of a combination of the person's username and password, along with an external authentication system (such as a mobile phone, personal question, cryptographic key, etc.).
Registered Electronic Mail (KEP)	It refers to the qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their transmission and delivery.
Law	It refers to the Law on the Protection of Personal Data No. 6698.
Personal Data	Refers to any information relating to an identified or identifiable natural person.
Processing of Personal Data	The processing of personal data refers to any operation performed on data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making accessible, classifying, or preventing the use of such data, whether fully or partially automated, or through non-automated means as part of any data recording system.
Special Categories of Personal Data (SCPD)	It refers to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
SFTP	It is a file transfer protocol that uses the cryptographic network protocol SSH for secure file transfer.
Virtual Private Network (VPN)	It refers to a type of connection that allows data exchange over a network as if physically connected to a private network, by creating a virtual network extension over the internet or another public network.
Penetration Test  Secure Vault(Secure Vault)	It refers to the process of attempting to infiltrate information systems through every possible method. It is the software area created to protect inactive valuable data from being read, modified, or transferred.
Company	Refers to the Data Controller.
End-to-End Encryption	It refers to encryption methods that ensure the sent message can only be read by the sender and the recipient by encrypting the message.
The Data Controller Data Controller Contact Person Data Authority Authorization Matrix	Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the Data Recording System. Refers to the natural person notified during the registration process to ensure communication with the Authority regarding the obligations under the Law and secondary regulations to be issued based on this Law for real and legal persons located in Turkey, and for real and legal persons not located in Turkey, by the data controller's representative. Refers to the company employee appointed by the Data Controller, who creates, maintains, and communicates necessary changes to the company’s personal data inventory in compliance with the Law. Refers to a matrix that shows whether users in systems containing personal data have access, record creation, viewing, and modification rights.

Scope
In accordance with Article 12 of the Law, the Company, as the data controller, is required to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing and access of personal data, and to ensure the preservation of personal data.
Additionally, in accordance with the Personal Data Protection Board's (Board) decision numbered 2018/10 dated 31/01/2018 regarding the "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" (special categories of personal data decision), users with access rights to personal data must have their authorization scopes and durations clearly defined.
This Policy covers the regulations related to the measures that the Company must take in the processing of special categories of personal data in accordance with the Law and the principle decision on special categories of personal data.

Principles Regarding the Measures to be Taken in the Processing of Special Categories of Personal Data
The electronic and physical environments where special categories of personal data are processed, stored, and/or accessed are specified in the inventory. Special categories of personal data are classified as high-risk personal data.
Access to special categories of personal data is restricted to Company employees and subcontractor employees. Except in cases where there are legal grounds provided in the Law, service providers or employees outside the Company cannot be granted access to special categories of personal data.
Company employees must have signed the "General Standards and Security Policy for Information Systems" and must have received training determined by the Company regarding the protection of personal data and special categories of personal data in accordance with the Law and its secondary legislation. The Company organizes activities within the organization to increase employee awareness about personal data protection.
In addition, "Personal Data Protection and Processing Policy" and "Personal Data Retention and Destruction Policy" have been published by the Company, which include the principles regarding the confidentiality of special categories of personal data that all employees must adhere to. Along with these, the main policy to be followed regarding the confidentiality of special categories of personal data is this policy.
For special categories of personal data stored in electronic environments...

For special categories of personal data stored in electronic environments:

Cryptographic encryption methods or data recording systems containing encryption systems are used in the environments where special categories of personal data are recorded.
Encryption methods to be used in the transfers of special categories of personal data ensure at least End-to-End Encryption protection, using email systems that provide such encryption or ensuring the installation of such systems.
Cryptographic keys are stored in a secure environment (secure vault).
Transaction logs of actions performed on the data are logged, timestamped, and stored with access controls applied in a secure environment.
Security updates published by manufacturers are applied to data systems.
Security tests for the environments where the data is located are conducted once a year, and test results are recorded.
Access control methods are applied for data access. These methods are tracked according to the "Information Systems Access Control Management Policy."

For special categories of personal data processed, stored, and/or accessed in physical environments:

The environments and characteristics of special categories of personal data are defined in the personal data inventory by each department.
Necessary precautions should be ensured depending on the nature of the environment where special categories of personal data are stored.
In the event of a data breach, the Company operates a "Crisis Intervention Procedure" to fulfill legal obligations and to act in accordance with regulations.
The security of all physical environments containing special categories of personal data is ensured by controlling access through card systems, encrypted systems, fingerprint scanning, locked cabinets, etc., to prevent unauthorized access and egress.
For the transfer of special categories of personal data, the methods outlined below are applied. The transfer is only conducted by authorized employees who have the right to transfer such data.
 

Transfer Path	Transfer Method
Transfer via e-mail	An encrypted corporate e-mail address or a Registered Electronic Mail (KEP) account is used.
Transfer via media such as Portable Memory, CD, DVD	It is encrypted using cryptographic methods and the cryptographic key is kept in a different environment.
Transfer between servers in different physical environments	Data transfer is made between servers by establishing a VPN or using the SFTP method.
Transfer via paper media	Precautions are taken against risks such as theft, loss of data or documents being seen by unauthorized persons, and the document is sent to the person concerned as "TOP CONFIDENTIAL".

 
All authorizations of employees regarding sensitive personal data (including access and transfer authorization, if any) are removed as of the moment their duties end. In this context, records are kept showing that access has been terminated, authorizations have been revoked, documents kept in the physical environment have been delivered to the authorities, and every item in the company inventory given to these people is taken back.  

Other Security Measures
Other security measures to be taken are determined in the "Information Systems General Standards and Security Policy" and the "Personal Data Storage and Destruction Policy".

Other Legal Regulations
In addition, in terms of the implementation of this Policy, sector practices, professional rules and other regulations, especially technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority (Authority), are taken into account.
Within the scope of this Policy, the Company regularly carries out or has the necessary audits carried out in order to ensure the implementation of the Law and the principle decision regarding special categories of personal data.

Notification of Violation
In case of a breach of special personal data and any personal data breach, including special personal data, the "Crisis Response Document" process is executed.
In accordance with Article 12 of the Law, if the processed personal data is obtained by others through illegal means, the Company is obliged to notify the relevant party and the Board within 72 hours.

APPLICATION
​8.1. Publishing: This Policy will be presented to employees by the Data Controller.
8.2. Effective Date: This Policy enters into force as soon as it is published.
8.3. Changes: Before changes to be made to this Policy, the Data Controller Contact Person or the Data Controller may make a request to the Data Controller. Policy changes are made by the Data Controller.

Storage
The Data Controller is obliged to publish and keep this Policy. Each department manager is responsible for the implementation of this Policy. Questions regarding the application of this Policy should be directed to the Data Controller Contact Person and the Data Controller.

Policy on Protection and Processing of Employee Personal Data

Entrance  
Within the scope of this Policy, in addition to the categorization of personal data specified in the "Personal Data Protection and Processing Policy" on www.arkasturizm.com, personal data of employees in the following categories are processed.
Employee Information: personal data processed within the scope of activities carried out to ensure the commercial and legal security of the company and employees during their employment (including vehicle information, education information, marital status information, reference information). Employee Candidate Information: any personal data processed to obtain information that will be the basis for evaluating employee candidates for the appropriate position in the recruitment processes (including military service status information, education information, reference information). Performance and Career Development Information: Personal data processed for the purpose of measuring the performance of Data Controller employees, planning and executing their career development within the scope of our Company's human resources policy, and auditing the said activities.
Before a complaint procedure or disciplinary process is initiated against an employee based on the data obtained as a result of the processing of employees' personal data related to business activities, employees are given the right to see the data obtained, to make a statement about this data and to defend it.

Categorizing Personal Data
Processed personal data obtained through the continuation of employees' work may also be processed for other lawful purposes, in accordance with the conditions specified in Article 5 of the Law and the storage of personal data registered in Article 4. Users are informed about what these questions are by the Data Controller through appropriate procedures.
Giving Users the Right to Defense Against Information Obtained as a Result of the Processing of Personal Data Regarding People's Business Activities
Data Controller, employees; What kind of personal data processing activity was carried out within the scope of work-related activities (such as e-mail control, use of vehicle tracking devices, camera monitoring) is informed about the processing and information of these personal data.
Data Controller; It is necessary to monitor the details of whether the work and working rules are complied with during working hours, whether the employee complies with the suitability, whether there are any actions that may disrupt peace and order in the environment of the places, and the parts related to the personal processing of the employee with the system must be explained and informed in detail.
Warnings are placed at the Data Controller, in accordance with the nature of the working environment, in order to inform employees about what personal data processing activities are carried out by their employers regarding their business activities and to raise awareness.

Use of Personal Data Obtained as a Result of Processing Personal Data Regarding Employees' Business Activities for Other Purposes
The Data Controller determines which business activities and for what purposes the employees process their personal data (such as e-mail control, use of vehicle tracking devices, camera monitoring) and determines the personal data processing methods that will be suitable for the purposes of processing personal data and the desired result.
As a result of the evaluation carried out within the data controller, the data controller ensures that the personal data processing purposes or methods to be carried out specific to the business activities of the employees comply with the personal data protection rules.
The data controller informs its employees who are responsible for the personal data processing activities to be carried out specific to the employees' business activities, about the protection of personal data and other legislation on the subject, the issues that need to be taken into consideration within the scope of the relevant legislation, and the obligations of the Data Controller arising from the legislation. Additional confidentiality and security obligations are added to the contracts made with employees who have access to personal data obtained as a result of these activities, or privacy policies/declarations of commitment are signed by these individuals.

Informing employees about the Personal Data Processing Activities of the Data Controller regarding their Business Activities
Under this section, issues regarding which personal data can be processed (communication, vehicle use, etc.) and the principles to be followed by the Data Controller in this regard are detailed, specific to the transactions carried out by the employees during the execution of the Data Controller's activities.
Determining the Purposes and Which Business Activities of Employees' Personal Data Will Be Processed
The data controller takes all reasonable precautions to ensure the security of employee data. The measures taken are designed to prevent unauthorized access risks, accidental data loss, intentional deletion of data or damage to data.
The data controller appoints responsible employees within the company for personal data processing activities specific to the employees' business activities. In this context, the number of employees who will be responsible for personal data processing activities and who will have access to personal data obtained as a result of this processing is kept as limited as possible. In this context, the data controller removes or limits the access rights of employees who currently have unnecessary access to this data. Necessary physical security measures are taken to ensure that only authorized persons have access to employees' personal data. In this context, access authorized persons are also prevented from having unnecessarily broad authority.
In accordance with the Law No. 5651 on Regulating Publications on the Internet and Combating Crimes Committed through These Publications, measures such as audit trails are taken on information systems to ensure that it is determined who has accessed the personal data of employees. In this context, access records to be created are regularly checked and investigation mechanisms are created for unauthorized access.
It is essential that other employees who have access to employees' personal data are subjected to the necessary security checks. In addition, it is ensured that these people sign a confidentiality agreement/undertaking that provides the necessary protections or that provisions in this context are included in their employment contracts and that these people are constantly trained about their responsibilities.
If personal data belonging to employees is removed from the workplace through various means such as laptops, necessary security measures are taken and relevant employees are informed about these measures.

Processing of Personal Data Regarding the Activities Performed by Employees at the Workplace Security of Personal Data
The Data Controller may use external service providers for the processing of employees' personal data. However, the Data Controller must take the following precautions regarding external service providers:
Checking that the external service provider has taken the technical and administrative security measures required by the relevant legislation and sector practices, Checking at regular intervals that the external service provider has taken the technical and administrative security measures required by the relevant legislation and sector practices, Making a contract with the external service provider containing the conditions for taking the necessary technical and administrative security measures, Taking the necessary legal, administrative and technical measures in case personal data is sent to external service providers abroad.
The data controller maintains the personal data of employees for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation governing the relevant activity.
In this context, our Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

Use of External Service Providers for the Processing of Personal Data
If the names and other personal data of some employees are published in media such as annual reports, publications or websites, these situations are evaluated specifically and it is determined whether there is a need for explicit consent. If it is determined that explicit consent is required, the explicit consent of the relevant employees is obtained before the publication of personal data. When obtaining explicit consent, the types of personal data to be shared are notified to the employee one by one.

Storage Period of Employees' Personal Data
The data controller can only publish the personal data of employees by paying attention to the following conditions:
There is a legal right or obligation for the publication of personal data or the employee has given explicit consent for publication, and the personal data is not clearly unsuitable for publication. The data controller acts with an approach that balances the benefits to be obtained as a result of the publication of personal data and the expectations that the privacy of employees will be protected.
If employees' personal data is shared with third parties, the data sharing must be based on one of the conditions set out in the Law before the data is shared.
If employees have not been informed before, they are informed about this sharing at the latest at the time of sharing. However, if this information violates the law or serves as a warning about an investigation to be carried out by the competent authorities, the relevant employee will not be informed about the issue.
Requests for sharing of personal data of employees outside the company, which are not carried out routinely, and sharing within this scope may be recorded by the Data Controller. In this context, at least the person who approved the sharing, the person who requested the sharing, the reason for sharing, the date and time of sharing, and the types of data shared are recorded. These records are checked and reviewed regularly.
Publication of Personal Data Information and Record Keeping Regarding Personal Data Sharing If it is mandatory to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity; If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, If personal data transfer is mandatory to fulfill a legal obligation, If personal data has been made public by the personal data owner, If personal data transfer is mandatory for the establishment, exercise or protection of a right, If personal data transfer is mandatory for the legitimate interests of the relevant group companies, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
The data controller determines internal procedures regarding the sharing of employees' personal data. It is ensured that data sharing requests are answered by competent employees.
Necessary measures are taken to confirm the reality and accuracy of data sharing requests coming from outside the company (such as judicial authorities, administrative authorities, insurance company requests). It is essential that data sharing requests from outside the company be made in writing.
If personal data of employees is sent abroad upon request, all administrative, legal and technical measures are taken regarding the transfer of personal data abroad.
If sharing personal data of employees constitutes a legal obligation, personal data can only be shared in accordance with the scope of this legal obligation.
Without prejudice to the legal conditions regarding international data transfer and transfer of sensitive personal data; Employees' personal data can only be transferred to third parties if one of the following conditions is met:
If there is explicit consent of the data owner, if there is a clear regulation in the law regarding the transfer of personal data, General Rules on Personal Data Sharing
The data controller takes all kinds of administrative, legal and technical measures to ensure that employees can exercise their legal rights, make the necessary applications and respond to their applications within 30 days at the latest, and inform employees about this by designing the relevant processes.
Every necessary care is taken to avoid disclosing the personal data of third parties in the responses given by the data controller to employees who exercise their legal rights.
 
Principles Regarding the Sharing of Employees' Personal Data with Third Parties and the Exercise of Employees' Legal Rights
Employees have the following rights:
Learning whether personal data has been processed, Requesting information about personal data if they have been processed, Learning the purpose of processing personal data and whether they are used in accordance with their purpose, Knowing the third parties to whom personal data has been transferred domestically or abroad, Requesting correction of personal data if they have been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred, Requesting the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting the deletion or destruction of personal data in the event that the reasons requiring processing of personal data are eliminated, even though the personal data has been processed in this context. To request notification to third parties to whom the data has been transferred, to object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems, request compensation for damages in case of damage due to unlawful processing of personal data.
Legal Rights of employees in cases where vehicles are allocated to employees by the data controller; The allocated vehicles can be tracked for purposes such as determining the distance traveled, measuring fuel consumption, obtaining location data and similar purposes. Employees are informed in advance about this follow-up.
 
Legal Rights of Employees Regarding Personal Data Collected About Them
The data controller can place security cameras at various points to ensure the security of the workplace. The field of view of these security cameras is not the entire workplace; Care is taken to cover only areas with special risks, entrance - exit and similar areas. The data controller takes care to inform employees about the areas where security cameras are filmed, monitored by security cameras, and the purposes of monitoring.
Tracking of Vehicles Provided by the Company
The principles regarding the processing of personal data regarding electronic communication transactions carried out by employees in connection with their business activities are stated in the "Information Systems General Standards and Security Policy" of the Data Controller.

Security Camera Application at Workplace
The Data Controller prevents arbitrary access to employees' personal data solely due to the existence of a disciplinary investigation. In this context, employees' personal data cannot be accessed solely due to disciplinary investigation, if it does not comply with the purposes for which personal data was obtained or if accessing personal data is considered a disproportionate action compared to the seriousness of the subject of the investigation.

Processing of Personal Data Regarding Electronic Communication Transactions Performed by Employees in Connection with Their Business Activities
Data controllers must comply with the obligations regarding the protection of employees' personal data during disciplinary investigations. In this context, the following actions are taken in particular:
Harmonizing the policies and procedures regarding disciplinary investigations with the obligations regarding the protection of personal data, Informing the persons authorized to conduct disciplinary investigations that personal data within the scope of disciplinary investigations can also be accessed within the scope of the right to access the personal data of employees, Taking measures to ensure that personal data is not obtained by unlawful methods during disciplinary investigations, Paying attention to the accuracy and up-to-date personal data to be used during disciplinary investigations, Safely storing personal data and records regarding disciplinary investigations, Unfounded allegations about employees, if they are not deleted, If there is no legal reason, ensuring that the employee is deleted from their files.
All transactions that change the company structure, including company mergers and acquisitions, are evaluated under this section.
When the data controller feels the need to share the personal data of employees for the purpose of changing the company structure; First of all, it ensures that these personal data are anonymized and shared to the extent possible.
For employee personal data that cannot be shared by anonymization, a commitment is received from the other party that it will only use these personal data limited to transactions related to the change of company structure, that the personal data will be protected in accordance with the data security provisions of the Law and will be processed in accordance with the relevant provisions of the Law, that the personal data will not be transferred to third parties and that the personal data will be deleted or destroyed after the relevant transactions are completed.
Processing of Employees' Personal Data in Disciplinary Investigations Processing of Employees' Personal Data in Company Mergers and Acquisitions and Other Transactions Changing the Company Structure
The data controller can compare personal data sets in different units in order to prevent irregular transactions of employees. The rules for personal data set comparisons to be carried out within the scope of combating irregularities are determined by the data controller. The data controller shares the personal data of its employees for the purpose of detecting irregular transactions only in case of the following or similar conditions:
It is legally mandatory to share the personal data of the relevant employee, there is a strong suspicion that it will not be possible to prevent or detect a crime if the employee's personal data is not shared, and data sharing is necessary in order to properly implement the Data Controller's Policies and Procedures.
The data controller may process personal data to the extent necessary to ensure equal opportunity among employees. In this context, the Data Controller aims to ensure equality of opportunity among its employees by identifying inequalities in processes such as recruitment, promotion, working conditions, internal career planning and development, and by identifying examples of egalitarian practices. Personal data may be processed for the purposes of ensuring equality between men and women in business life, and in this context, for the purposes of implementing both legally mandatory (such as opening a breastfeeding room, nursery) and practices determined by the Data Controller.
Personal data processed is checked at regular intervals to ensure equal opportunities. Personal data processed in order to ensure equal opportunities are anonymized and used to the fullest extent possible.

Processing of Employees' Personal Data within the Scope of Fighting Against Irregularities
Private health insurance, life insurance, personal accident insurance, company vehicle, private pension, flexible fringe benefit program or similar benefits are called fringe rights and benefits under this heading.
The data controller takes care to share data at a minimum level when sharing employees' personal data with third parties from whom services are received in order to provide fringe rights and benefits to employees. Only personal data that is necessary to provide the relevant benefits and benefits are shared with the mentioned third parties. In addition, necessary precautions are taken to ensure that the personal data collected in this context is not used for any other purpose.
Whether the personal data to be shared with third parties from whom services are received is evaluated before sharing, whether they are sensitive personal data or not.
Employees are informed about personal data sharing with third parties from whom services are provided. In this context, it is explained to the employee which personal data of the employees are shared and for what purpose they will be used.

Processing of Employees' Personal Data within the Scope of Observing Equal Opportunities Processing of Employees' Personal Data in Situations Where Side Rights and Benefits Are Provided
The Data Controller will provide the information required within the scope of the Law and relevant legislation for the processing of employee personal data for the aforementioned purposes and, if necessary, obtain the relevant explicit consents.
 
Special Situations Where Employees' Personal Data Are Processed
Data Controller obtains and processes employee personal data for the following purposes:
Supporting the processes of determining and monitoring the performance evaluation criteria of the Data Controller's employees, supporting the work/residence permit application processes of the Data Controller's foreign employees, supporting the planning and monitoring processes of fringe rights and benefits provided to the Data Controller's employees, supporting the Data Controller in the planning and execution of wage management and bonus processes of the Data Controller's employees, supporting strategic human resources planning, backup processes and organizational development activities, appointment, promotion and termination of senior managers. Implementing decisions and making relevant announcements, supporting senior managers in determining wage and bonus packages, supporting the planning and execution of employee loyalty measurement processes, supporting the planning and execution of career development, training and talent management activities of the Data Controller's employees, Supporting the recruitment processes, supporting the company and partnership law transactions, supporting the Data Controller in complying with the legislation to which he/she is subject, carrying out studies to protect the Group's reputation, sustainability and social responsibility studies, organizing events throughout the Data Controller, carrying out auditing activities to ensure that the Data Controller's activities are carried out in accordance with other Data Controller policies and relevant legislation, carrying out communication and communication activities for the Data Controller's employees, and ensuring employee satisfaction and loyalty.
The Data Controller clearly informs employees about the purpose for which health checks and tests are carried out.
The Data Controller cannot secretly collect biometric/genetic samples (fingerprints, hair strands, etc.) from the employee under any circumstances. Activities carried out based on legal reasons constitute an exception.

Purposes of Processing Employee Data
On behalf of the Data Controller, Data Controller Health Authorities may collect health data of employees through medical examinations and tests within the scope of the occupational health and safety program.
The data controller determines in advance the purposes for which examinations and tests will be carried out. Taking into account the purposes of the data controller, the data controller follows methods that can be less involved in the person's health data. For example, it can conduct a health survey to find out the employee's health data instead of looking at the examination results.
Not Using the Samples Obtained from the Inspection for Other Than the Specified Processing Purpose
The Data Controller may request that the candidates who are likely to be hired be tested to decide whether they are suitable for the job in question. They may also carry out these tests to comply with any legal obligations or to determine the type of insurance to which the prospective employee will be subject.
The Data Controller determines in advance the purposes for which examinations and tests will be carried out.
The Data Controller follows methods that can be less involved in the person's health data, taking into account their purposes.
During the recruitment process, a medical examination or health test is carried out only if the person is actually hired (unless there is a health-related condition that prevents him from doing the relevant job).
The Data Controller informs the candidate early in the job application process that a health examination or test may be performed if there is a high probability of being hired.

 Collecting Health Data of Employees Through Examinations and Tests
The Data Controller takes care to ensure that the policies followed regarding the processing of employees' health data are transparent.
Data Controller; It determines the conditions regarding the places where health tests will be performed, the nature of the tests, and how the data obtained as a result of the tests will be used and protected. It takes care to inform employees about these conditions.

Processing of Health Data of Candidates Possible to be Recruited through Examination and Tests
As a general principle, workplace physicians, nurses, etc. who are authorized by the Data Controller and have the obligation to keep confidentiality. Authorized persons (Data Controller Health Authorities) are responsible for processing health data obtained from examinations and tests. The provisions of the "Processing and Protection of Special Personal Data Policy" will apply to the principles regarding the collection and processing of this data.

Informing employees of the Company Policy Regarding the Processing of Health Data
When sharing health data, these sharing processes are carried out by taking into account the legal obligations imposed on special personal data and in accordance with these obligations.
The Data Controller ensures that people dealing with employees' health data are informed and trained about the above situations at regular intervals. In addition, arrangements are made to ensure that the Data Controller receives the necessary support from the authorities assigned to protect personal data.
As a rule, the Data Controller does not make employees' health data accessible to other employees. However, if it is required by law, if it is legally required to process a job and this data in relation to this job due to the legitimate interests of the Data Controller; The personnel assigned to this job are provided with the right of access by taking the necessary administrative and technical measures to process these personal data, provided that they are limited to fulfilling the requirements of the job.

Processing of Health Data Obtained from Examinations and Tests
It is ensured that the Data Controller employees who will process or authorize the processing of employees' health data are informed about the relevant legislation and the created privacy policy.
The employee's health data is analyzed by people qualified to do this job. The Data Controller takes care to inform employees in a clear manner for what purposes their health data is used and who accesses this data and for what purpose.

Sharing and Accessing Health Data
The data controller ensures that only the truly necessary information is collected in the health surveys to be administered to employees and takes care not to request unnecessary information.
The data controller cannot require employees to give general explicit consent to share all their health data with the company. Companies may only request that health data that is deemed truly necessary for the stated purpose be shared with the company.

Determination of Persons Who Will Process Health Data
Health data is among the special categories of personal data. Employee health data, especially employee accident and illness reports, are stored separately from other personal data. The use of employee health data is avoided as much as possible when using information regarding the days when the employee did not come to work or the accidents and other incidents in which he was involved.

Processing of Health Data Related to the Specified Purpose, Limited and Measured General Approach to the Processing of Employees' Health Data
Not Processing Health Data Unless Necessary and Keeping It Separately Data Related to the Health of Employees

Some of the personal data are regulated separately as "personal data of special nature" within the scope of the Personal Data Protection Law and are subject to special protection. special personal data; Data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction, and biometric and genetic data.
The data controller may process health data in the following cases, provided that adequate measures are taken to be determined by the Personal Data Protection Board in cases where there is no explicit consent of the employee:
 Special personal data, other than the employee's health and sexual life, can be collected only in cases stipulated by law, and special personal data regarding the employee's health and sexual life can be processed by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. It can only be processed if there is explicit consent of the employee.
The data controller takes the necessary measures to ensure that employees' personal data is up-to-date. In this context;  Employees' personal data (address, phone number, family/relative information, etc.) that are likely to change are determined; personal data that is likely to change is not available to anyone electronically; It is ensured that it can only be seen by the relevant employee and other access authorities; if employees do not have the opportunity to see personal data that is likely to change electronically; Necessary measures are taken to display these personal data in physical environment; Employees are ensured to keep their personal data, which may change, up to date.
Apart from these methods, the data controller; It takes the necessary measures to keep the personal data of its employees being processed according to its specific conditions up to date.

Processing of Special Qualified Employee Data
The data controller collects personal data from employees based on a clear and predictable need, and ensures that the collected data is suitable to meet the aforementioned needs.
In order to ensure compliance with the above-mentioned principle, all forms and input methods through which employees enter personal data are audited. This audit is performed as soon as possible for existing forms and input methods; It is completed before starting to use newly created forms and input methods.
As a result of the audit, parts that collect unnecessary data are removed from the relevant form and input method.

Ensuring Personal Data is Up to Date
If at least one of these conditions is met, personal data processing can be carried out. Data processing activity may be carried out based on one or more of the conditions.
In cases where explicit consent is required, such explicit consent is completed before personal data is processed.
The data controller determines and implements the most useful method for informing employees regarding the storage, use and sharing of their personal data, according to their specific conditions.

Collecting Personal Data as Necessary in Line with Needs
The data controller, its employees; informs them about which personal data are processed about them, for what purposes and reasons personal data will be processed, from which sources personal data are collected, with whom these personal data will be shared and how they will be used.
The data controller evaluates the personal data they process and processes this data based on at least one of the conditions set out in the Law. These conditions;
The employee has express consent, Data processing is clearly foreseen in the relevant laws, The employee's explicit consent cannot be obtained due to actual impossibility, Data processing is directly related to the establishment or execution of a contract, Data processing is mandatory for the data controller to fulfill its legal obligation, Personal data has been made public by the personal data owner himself, Data processing is mandatory for the establishment or protection of a right, Data is processed based on legitimate interest.

General Approach to Processing Employees' Personal Data
Informing Employees and Personal Data Processing Conditions If the data controller wishes to evaluate unsuccessful applications for positions that may be opened in the future, they may keep the personal data of the candidates in the records. If personal data will be kept for this purpose; They inform the candidates about this in the job application form or additional explanatory documents and state that the information can be deleted from the records if they request.

Processing of Employee Data
The data controller carefully determines which personal data will be transferred to the personal files of successful candidates accepted to the open position from the personal data obtained during the candidacy process.

Personal Data of Candidates whose applications were not accepted
The data controller takes all kinds of technical, administrative and legal measures to prevent unlawful processing of personal data related to the recruitment process and unlawful access to these data.
The data controller stores the candidate's personal data regarding the recruitment process for a period of time appropriate to the purposes for which these data are processed. In accordance with labor law and other relevant regulations, if the reasons requiring processing are eliminated, personal data is deleted, destroyed or anonymized by the data controller or upon the request of the candidate.
Unless there is a valid reason (such as the resolution of possible disputes), the data controller will not store the relevant personal data after the statute of limitations expires for requests that may arise due to the recruitment process.
If an investigation has been made about the candidate's situation during the recruitment process or data has been obtained from third parties in any way, the information obtained from third parties will be deleted as soon as possible.

Personal Data of Recruited Candidates That Should Be Transferred to Employee Records
During the recruitment process, the Data Controller shows the same care to job candidates as it does to protect employees' personal data. In this context; If applications are submitted digitally, the data controller uses a secure system. Applications submitted electronically are recorded in directories or systems that can only be accessed by people responsible for the recruitment process. If applications are submitted via mail or fax, the applications are forwarded to the authorized person responsible for human resources. The security of the physical documents obtained is ensured.
The data controller limits access to candidates' personal data to those responsible for carrying out the recruitment processes. These persons are informed at regular intervals about the security measures to be taken when processing the personal data of the candidates.

Storage Period of Personal Data Regarding the Recruitment Process
If the collection of information and documents from a third party during the research depends on the consent of the candidate, the data controller must obtain explicit consent from the candidate. The method of obtaining direct consent from the candidate is preferred whenever possible, rather than a third party obtaining explicit consent from the candidate.

Storage and Security of Candidates' Personal Data
While the data controller is doing research about the candidate; People who have previous work experience and training process and who have a one-to-one work/education relationship with the candidate are reached. The information obtained as a result of the research is evaluated according to the reliability of the source, and no employment decision is based on a source whose reliability is questionable. The data controller informs the relevant employee or the person who will undertake the research about the research method, and takes care not to obtain personal data regarding a person other than the candidate during the research.

Information Systems General Standards and Security Policy

• Security consists of three elements called "confidentiality", "integrity" and "accessibility". If any of these security elements are damaged, a corporate security vulnerability occurs.
• Confidentiality: To ensure that information does not fall into the hands of unauthorized persons,
• Integrity: The information should not be changed by unauthorized persons,
• Accessibility: It refers to the accessibility and usability of information by relevant and authorized persons.

 
The purpose of this policy is;

1. To ensure the security and confidentiality of information and data in all kinds of commercial and operational physical or electronic environments within the Data Controller,
2. To ensure the physical security of all electronic information system equipment belonging to the Data Controller,
3. To ensure the efficient use of electronic information systems equipment and related service resources supplied by the Data Controller in any way (purchasing, producing, establishing partnerships) for the purpose of carrying out business in general, and to prevent their use for personal benefit or malicious purposes,
4. To ensure that all electronic information systems equipment and related service resources used within the Data Controller are legal and licensed,
5. To protect the corporate identity and structure of the Data Controller and to support the development of its corporate structure,
6. To carry out information security processes in compliance with laws and regulations.

Definitions
Information Systems: Electronic, magnetic, written and other media and equipment, systems, personal computers (PC), servers, laptops (laptops, notebooks) on which data/information is kept, recorded, processed, transmitted and stored; smartphones, tablets, active devices, floppy disks, cartridges, CD, DVD, BD media, backup units, wired/wireless communication devices, routers, hubs, switches and modems; It refers to network connections and systems, such as fax, printer, photocopier, as well as all software, programs, applications and the like connected to and belonging to the systems.
Information Systems Directorate (BSD): Refers to the internal unit of the Data Controller that provides support to the Data Controller and provides services in the field of information technologies.
Information Systems Security (BSG): It refers to the sub-unit responsible for information systems security working under the Information Systems Directorate and providing support to the Data Controller.
Confidential/Valuable Information: Information that is owned by the Data Controller and has commercial, material, moral value or any potential commercial value or may be a competitive element; Information regarding the Data Controller's specific methods, working style, business volume, prepared or ongoing projects, trade secrets, technical information including licenses of all kinds of information systems, infrastructure, information / data collection, storage, transmission and access methods, security vulnerabilities in information systems, any technical or confidential information belonging to special confidential or security systems, software, programs and source codes, passwords, special authorization parameters, electronic mail (e-mail) addresses, company phone numbers, financial information, new business or service ideas, sales strategies, solutions, customer lists and portfolios, industrial designs, brand / product names, records, documents, pictures, drawings, schemes, industrial property and copyright information, logos, emblems, slogans, all kinds of products, equipment, etc. produced and used in electronic or other media. represents information.
Service Desk: Refers to the BSD unit that provides support to Data Controller employees regarding the use of information systems and accepts the first application for the solution of questions and problems.
Law: Refers to the Personal Data Protection Law No. 6698. It is the law that was adopted on 24/3/2016 and entered into force on 7/4/2016, to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to determine the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.
Personal Data: It refers to any information regarding an identified or identifiable natural person. Data such as the person's name, surname, date of birth and place of birth, information about the person's physical, family, economic and other characteristics, name, telephone number, motor vehicle license plate, social security number, passport number are personal data.
Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
System Devices: Critically important devices that can only be intervened and accessed/used by authorized employees, that must be located in a designated area/region where there are no system rooms or system rooms, that ensure the uninterrupted operation of all information systems and data communication channels of companies, and that support their infrastructure; all kinds of information systems, electricity and energy production and support devices, UPS, generators, etc. It refers to the equipment, hardware, software, programs and applications of all these systems.
System Access Connections/Sessions: Providing connections, logging in, accessing, etc. through information systems, domain, network areas and systems, server systems using certain parameters, username/password or any similar authorized access equipment. (domain/network login/logon, AS400 sign on etc.) expresses actions/situations.
Third Parties: Any official or non-governmental institution, company, organization, organization, person or persons other than the Data Controller.
Data/Information: Personal computers, servers, laptops, smartphones, tablets, handheld computers, active devices, floppy disks, cartridges, CD, DVD, BD media, backup units, wired/wireless communication devices, routers, hubs, switches, modems, network connections and systems, etc. all kinds of electronic/magnetic media, systems and equipment and their software, programs, applications, etc. with all data and information processed, kept, recorded, transmitted and stored on it; fax, printer, photocopy, handwriting, etc. Files, texts, printouts, documents, etc. produced with It refers to all data and information kept, recorded, transmitted and stored in places.
Data Communication Channels: It refers to information systems that allow access to all kinds of general purpose data/information or confidential/valuable information, or the transmission, copying and transportation of all this data/information from the environment where it is located to other environments by various means (wire/wireless communication, Internet, telephone, GSM, e-mail, copying over the network, moving to backup devices, media such as CD, DVD, BD, etc., fax, modem, photocopier, printer, etc.).
Data Controller: VOLCAR OTOMOBİL VE YEDEK PARÇA SANAYİ VE TİC.A.Ş. It refers to existing and future subsidiaries, affiliates and all companies that they have established or will establish partnerships with, regardless of the partnership share ratios. It also refers to the natural or legal person who determines the purposes and methods of processing personal data and is responsible for establishing and managing the data recording system.
Data Controller Contact Person: Refers to the natural person notified by the data controller for real and legal persons resident in Türkiye, and by the data controller representative for real and legal persons who are not resident in Türkiye, during registration in the registry, in order to ensure communication with the Authority, regarding their obligations under the Law and secondary regulations to be issued based on this Law.

Scope
This policy covers all employees working within the Data Controller (payroll, contract, intern, under other special agreements, etc.) with all kinds of authority, title and purpose. All Data Controller employees are obliged to read, know and comply with the standards and rules specified in this policy.

Authority and Responsibilities
Responsibilities of Data Controllers
He is responsible for conveying the importance of the determined policies and standards to the employees in his unit and regularly reviewing them within the scope of corporate and legal requirements.
He/she must help employees in his/her unit understand the policies and standards and ensure compliance with the policies.
He/she must help create and establish security awareness among employees in his/her unit.
Responsibilities of Data Controller employees
It is responsible for carrying out information systems operations in line with the determined rules and standards, with support from the Service Desk units working within BSD when necessary.
When they observe behavior contrary to relevant security standards and policies, they report it to the Service Desk or BSG units as soon as possible.  

BSG Unit Responsibilities
Information systems security

Responsibilities of BSD Relevant Units
He/she is obliged to know and apply the relevant safety standards and technical regulations. The Data Controller supports its employees according to the determined policies and standards.

1. Rules and Application
   Data/information in electronic or other media within the institution is the property of the Data Controller and all legal rights belong to the Data Controller.
   All kinds of information systems, data communication channels, data/information, etc. within the Data Controller. It must be used for business purposes only.
   Data Controller employees must pay utmost attention and comply with the principles of physical protection, access control, backup, security and confidentiality during the use of all kinds of information systems, data communication channels, data and information. Portable devices, especially those that are vulnerable to loss and theft, should not be left unattended and their security should be ensured.
   1. It is essential to ensure the confidentiality of confidential/valuable information and all kinds of personal data belonging to the Data Controller. It is forbidden to take all this valuable information and personal data out of the Data Controller through data communication channels and to transmit or use it to third parties in any way and for any purpose. In addition, special personal data and personal data used in corporate processes cannot be kept in the employee's home, on laptops or other personal portable devices, or in other areas outside the workplace, whether electronic or physical copies. In special cases where data/information needs to be taken out of the institution, the "Information Systems General Standards and Security Policy" published by the relevant Data Controller will be applied.
      Data Controller employees may use information systems that are not owned by the Data Controller in buildings, offices, companies, etc. can't put it in, can't use it. In special cases where necessary, entry can only be made under the supervision of an authorized employee with BSD knowledge and approval.
   2. Only authorized employees within the Data Controller BSD can access system rooms and system devices where these rooms are not available. In cases where people other than this employee need to enter the system rooms or access the system devices, the "Information Systems General Standards and Security Policy" published by the relevant Data Controller will be applied.
      In cases where third parties need to use the Data Controller's information systems and all kinds of information on these systems through data communication channels, the "Information Systems General Standards and Security Policy" published within the relevant Data Controller will be applied.
   3. No documents can be left on the desktop after working hours; documents containing confidential/valuable, personal and corporate data, and special project files should be kept in locked drawers and cabinets that are part of the office desks. Likewise, small papers with passwords and usernames cannot be left on or around the work desk.
      Data Controller employees must not allow access to the information systems they use through data communication channels without their consent and knowledge. When they are done working in information systems, they must run password-controlled screen savers or log out of the system by closing access connections / sessions (logout/logoff, etc.).
   4. Without BSD knowledge and approval, no software, hardware or system can be copied or installed into information systems through data communication channels, regardless of the purpose. Data Controller employees cannot make changes to the software, hardware or system settings on any personal computer delivered to them ready-made by BSD. In cases where changes are required, only BSD User Support teams who are authorized for those systems will make any settings changes.
      All software used in the information systems within the Data Controller is licensed and legal; BSD determines the product standards for these systems. Data Controller employees cannot act contrary to the Law on Intellectual and Artistic Works No. 5846, which also covers computer programs.
   5. An anti-virus program will be installed and always active on personal computers or server systems. If Data Controller employees notice that a virus protection program is not installed on the computers they use, that the program is not working, or that the computer is infected with malware, they must notify the Service Desk units as soon as possible.
      User IDs or passwords are personal and should not be shared with anyone. Our employees are responsible for all use of the user ID or password, including any unauthorized use, and for any corporate damages that may be caused by any abuse that may occur. In cases where the security of the user ID or password is in doubt, passwords should be changed and the Service Desk unit should be contacted immediately. Data Controller employees are responsible for all usernames, passwords, authorization systems, etc. in information systems. During their use, they must read the "Security Standards to be Followed in Password Selection and Use" document published by BSD within the Data Controller and choose and use a password in accordance with all the rules specified in the document.
   6. Confidential/valuable data and personal data cannot be shared or transmitted insecurely (unencrypted) via the network. Data Controller employees will be able to get support from our Service Desk unit for the appropriate method and policy to be used in encrypting data and information for this purpose. Likewise, in cases where confidential/valuable data and personal data need to be shared with another employee within the company, internal correspondence envelopes should be sent "personally" only to the relevant person.
      No alternative internet service can be used other than the internet service provided by the institution within the Data Controller. Data Controller employees will make requests for authorized Internet access or any other access requirements within or outside the company over the Internet, in accordance with the BSG policies and standards published throughout the Data Controller.
      The Internet should only be used to access relevant legal, official and corporate websites within the scope of company legislation, research/development related to its business, information collection, needs and purposes. Institutional devices can be controlled centrally by BSG experts when deemed necessary for security purposes.
   7. Data Controller employees may use company e-mail systems, addresses and e-mail boxes only for business purposes. By using company e-mail addresses, we cannot send personal harming, obscene content, insults, threats, profanities, political messages, slogans, propaganda, etc. to our employees or third parties. containing e-mail cannot be forwarded; Company e-mail systems and addresses cannot be used in illegal transactions that would violate corporate company policies, rules or country laws.
      Data Controller employees should never open e-mails sent from addresses they do not know, whose attachments, subject or content are suspicious or unclear, should not forward them to any other address, and should notify the Service Desk units as soon as possible. Similarly, if Data Controller employees receive a virus notice, news or warning from any source (e-mail, media, Internet or any other way), they must never pass this information on to any third party or colleague and forward it to the Service Desk.
      Memberships to any list service (social media, mailing list, newsgroup) or similar common electronic mail systems and distribution groups for business purposes must be approved by BSD through Service Desk units.
   8. All Internet access and e-mail usage by the Data Controller's employees are recorded and monitored in the information security control systems within the Data Controller, in accordance with the Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through These Publications.
      In order to protect the Data Controller's data, additional security measures will need to be taken for the employee by connecting to corporate resources via data communication channels outside the company. In these cases, the controls (improvement, editing, encryption and malicious code prevention) to be applied by BSD experts on the information systems used by the employee (personal computer, smartphone, tablet, etc.) must be kept in working order during access to corporate resources.
   9. Users' access rights to the Data Controller's corporate system resources are regulated according to business needs. Data Controller employees are obliged to report any nonconformities they see in themselves or their colleagues, such as exceeding or sharing authority, to the Service Desk unit as soon as possible.
      Common sharing areas and electronic mail systems are not suitable for archival storage of personal data. The Data Controller reserves the right to remove from its information systems any data, systems and materials that are considered to be criminal or illegal and to initiate official action regarding this.
      It is prohibited to use information systems and equipment within the Data Controller and cloud storage and messaging services (Dropbox, Gdrive, Onedrive, Whatsapp, Hangouts, Box, etc.) outside the scope of work. It is the responsibility of BSD units to determine and put into service corporate applications for such requirements, taking into account business priorities.
   10. Our company acts in accordance with the principles imposed by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than what is required. For this reason, our employees should not store and use their personal data and sensitive personal data in corporate resources that are not requested by the Data Controller's administrative and business units. All personal data that are not business-related and are for personal/private use (except those that are duly informed and express consent is obtained by the data controller) should not be kept in e-mail boxes, instant messaging software, office documents, portable computers and common sharing areas allocated by the data controller. In addition, employees are obliged to ensure that all personal data they process is kept secure. Personal Data cannot be shared or disclosed verbally, in writing or otherwise, with any unauthorized third party, even accidentally or otherwise. Situations that violate the principles specified in the article, such as unauthorized sharing of personal data, must be immediately reported to the Data Controller Contact Person.
   11. Every employee, in case his/her relationship with the institution is terminated; He/she must deliver back to the Data Controller all kinds of confidential/valuable information, data/information and all information systems in which they are kept or recorded and written down, to the Data Controller within 1 business day at most following the written date of termination of employment. Each employee who is dismissed or leaves the job voluntarily shall be subject to the provisions of Article 5.1 of this Policy indefinitely, starting from the date of termination of his/her relationship with the Data Controller. and 5.4. is obliged to comply with the articles.

For Research
Crisis Intervention Procedure
 
1.    Aim
According to the 5th paragraph of Article 12 of the Personal Data Protection Law No. 6698 (Law), ARKAS TURİZM SEYAHAT ACENTASI A.Ş. (The Company) is obliged to notify the relevant party and the Personal Data Protection Board (Board) as soon as possible if the processed personal data is obtained by others through illegal means.
This Crisis Response Procedure (Procedure) has been prepared to inform employees about how to intervene in the crisis that may occur if personal data is obtained by others illegally, in other words, in the event of a personal data breach, and what steps to take.
 
2.      Liability
All employees are responsible for the implementation of the Procedure. Employees who act contrary to the Procedure will be subject to the provisions of the "Disciplinary Regulation".
 
3.     Responsibility
Personal data breach occurs in situations such as unlawful acquisition of personal data, unauthorized access to personal data unlawfully, accidental/intentional disclosure of personal data to unauthorized persons, unlawful deletion, modification or disruption of the integrity of personal data.
The following situations are generally considered a personal data breach:

1. Theft or loss of physical documents or electronic devices containing personal data,
2. Seizure of personal usernames and passwords by unauthorized persons,
3. Illegal disclosure of confidential information,
4. Accidentally forwarding or sending e-mails containing personal data and/or confidential information to unrelated persons outside the company,
5. Unlawful access to personal data through viruses or other attacks (e.g. cyber attack) on IT equipment, systems and networks.

In the above-mentioned or similar situations, action should be taken as specified in this Procedure.
 
4.      Crisis Response Team
A Crisis Response Team (Team) will be formed, which will include participants determined from the following departments, in order to intervene in the crisis situation that has occurred or may occur in the event of a personal data breach and to fulfill the obligations stipulated under the Law:

• Data Controller Contact Person [1]
• Data Controller Chief Executive (General Manager)
• Manager of the Department Where the Violation Occurred
• KVK Advisory Group
• Senior Managers Authorized by the Data Controller regarding KVK (KVK Top Managers)  

The members of the Crisis Intervention Team established within our companies are included in the annex of this Procedure (ANNEX-2 / Crisis Intervention Team)
 
5.    Crisis Intervention Process
In accordance with the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10 regarding the Personal Data Breach Notification Procedures and Principles, the Company must notify the Board without delay and within 72 hours at the latest from the date it learns of the personal data breach, and following the identification of the persons affected by the data breach, the contact address of the relevant person can be reached as soon as possible. Notification must be made through appropriate methods, such as directly or, if unreachable, published on the Company's own website.
In order to fulfill these obligations, certain steps must first be followed within the company in the event of a data breach:
Preliminary assessment of the crisis,
Carrying out prevention and rescue efforts,
Assessment of risks,
Notification,
Evaluation and Improvement.
 
Preliminary Assessment of the Crisis  
In case of an actual or potential data breach within the Company, all relevant employees are obliged to notify the Data Controller Contact Person immediately and without delay. In this context, the relevant employee prepares a report containing the following issues and reports the data breach to the Data Controller Contact Person.
The date and time of the personal data breach,
Date and time of detection of personal data breach,
Explanations regarding the personal data breach incident,
Number of people and records affected by the personal data breach, if known,
Explanations regarding the steps taken and precautions taken, if any, on the date when the personal data breach was detected,
Name and surname of the employee(s) who prepared the report, contact information and report date.
The Data Controller Contact Person makes a preliminary assessment, taking into account the issues specified within the scope of the report. While making this assessment, it takes into account whether there is actually a data breach, the scope of the breach, and its possible effects, and initiates a comprehensive investigation with the Team to investigate the data breach.

Carrying out Prevention and Rescue Works
Prevention and recovery efforts are carried out under the supervision of the team in order to reduce the effects of the data breach on the Company and the relevant persons. In this context, first of all, the departments that need to be informed about the data breach are identified and these people are given guidance on the steps to be taken to control the breach, prevent it if possible, and reduce the damages.
Subsequently, an attempt is made to identify the people and records that will be affected by the data breach, and the contact information of these people, if any, is also determined. Simultaneously, it is evaluated whether there are other institutions or organizations that need to be notified due to the data breach.

Assessment of Risks
Personal data breaches can have many negative effects on people affected by the breach, such as identity theft, restriction of rights, fraud, financial loss, loss of reputation, loss of security of personal data, discrimination. Therefore, it is very important to carefully evaluate what the possible consequences of a personal data breach may have on the Company and the people affected by the breach and to reveal the risks.
When assessing risks by the team, the nature, sensitivity and volume of personal data affected by the breach, the number of individuals and groups of individuals affected, the impact of the data breach on the Company's activities and reputation, the measures taken to reduce the impact of the data breach and the possible consequences of the breach should be considered separately. Depending on the outcome, a data breach is considered a “low, medium or high risk”:

• Low level of risk: The breach does not cause any negative impact on the individuals involved or the impact is negligible.
• Moderate risk: The breach may cause adverse effects on those involved, but the impact is not large.
• High level of risk: The breach causes significant adverse effects on affected individuals.[3]

The Team informs the Data Controller Senior Management about data breaches defined as medium and especially high risk.

Notification
The data breach must be reported to third parties outside the Company, both within the scope of legal liability and for purposes such as taking precautions regarding the data breach and reducing the possible effects of the breach.

Notification to the Board
The Data Controller Contact Person is primarily obliged to notify the Board of this situation without delay and within 72 hours at the latest from the moment he becomes aware of the personal data breach. For this reason, it is important for all employees within the Company to immediately report any data breach to the Data Controller Contact Person in order to prevent the Company from facing any sanctions.
In the notification to be made to the Board, the Personal Data Breach Application Form[4] published on the website of the Personal Data Protection Authority (Authority) is used. In cases where it is not possible to provide the information in the form at the same time, this information can be provided gradually without delay.
If a notification cannot be made to the Board within 72 hours for a justified reason, the reasons for the delay will be explained to the Board along with the notification to be made.

Notification to Persons Affected by the Breach
Following the identification of the persons affected by the personal data breach, the Company must notify the relevant persons as soon as possible, directly if the contact address of the relevant person can be reached, or by appropriate methods (for example, publishing an announcement regarding the situation on the website) if the contact address of the relevant person is reachable. These notifications are made by the Data Controller Contact Person with the support of the Team.
Regarding the minimum elements that should be included in the data breach notification made by the data controller to the relevant person, in accordance with the Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271, the violation notification to be made by the Company to the relevant person must be made in clear and plain language and must include at least the following elements:

• When the violation occurred,
  Which personal data are affected by the breach on the basis of personal data categories (distinguishing personal data/special personal data),
  Possible consequences of personal data breach,
  Measures taken or proposed to be taken to reduce the negative effects of the data breach,
  The names and contact details of the contact persons who will enable the relevant persons to obtain information about the data breach, or the exact address of the data controller's website, call center, etc. Including elements of communication channels.

 
Other Notices
In addition to the notifications that the Company is legally required to make, it may also be necessary to notify third parties, taking into account issues such as the nature and magnitude of the data breach, and whether the breach constitutes a crime. These persons may be other data controllers or data processors, external consultants, judicial authorities, banks. The team also evaluates whether there is such a requirement and makes notifications if necessary.

Evaluation and Improvement
All information regarding personal data breaches, their effects and the measures taken by the Company must be recorded and made available for review by the Board. The Data Controller Contact Person and the Team make an evaluation to determine whether the steps taken regarding the data breach are appropriate and what the issues that can be developed/improved in the event of a possible data breach. In this context, the Team prepares an evaluation and improvement report that includes the following elements.

• What steps should be taken to reduce the effects of possible personal data breaches
  Whether any policies, procedures or reporting need improvements as a result of a personal data breach
  Whether it is necessary to take additional administrative and/or technical measures to prevent the recurrence of personal data breach,
  Requirement for staff awareness training to prevent recurrence of the violation,
  Whether additional investment in resources/infrastructure is required to reduce breach exposure and cost impacts

 
Relevant Policies and Procedures
This Procedure should be considered together with all policies and procedures put in place regarding the protection and processing of personal data within the Company.
 
Update
This Procedure is reviewed and recorded once a year, regardless of any changes in its content of corporate or legal origin. Even if the procedure has not been updated, changes to the legislation will be implemented immediately.