1. Introduction
    1.1. Purpose of the Policy
    1.2. Scope
    1.3. Implementation of the Policy and Relevant Legislation
    1.4. Enforcement of the Policy
2. Matters Regarding the Protection of Personal Data
    2.1. Ensuring the Security of Personal Data
    2.2. Observing the Rights of Data Subjects (Creating Channels for Requests and Evaluating Requests)
    2.3. Protection of Special Categories of Personal Data
    2.4. Raising Awareness and Auditing of Business Units Regarding the Protection and Processing of Personal Data
    2.5. Raising Awareness and Auditing of Business Partners and Suppliers Regarding the Protection and Processing of Personal Data
3. Matters Regarding the Processing of Personal Data
4. Categorization of Personal Data Processed by Our Company, Purposes of Processing, and Retention Periods
5. Categorization of Data Subjects of the Personal Data Processed by Our Company
6. Third Parties to Whom Personal Data Processed by Our Company Is Transferred and the Purposes of Such Transfer
7. Processing of Personal Data Based on Legal Grounds and Limited to Such Grounds
8. Personal Data Processing Activities at Facility Entrances and Within the Building, and Website Visitors
9. Conditions for Deletion, Destruction, and Anonymization of Personal Data
10. Rights of Personal Data Owners; Methodology for Exercising and Evaluating These Rights
11. Relationship of the Personal Data Protection and Processing Policy with Other Policies
12. Governance Structure of the Personal Data Protection and Processing Policy

1. Introduction

 

The protection of personal data is of great importance to our company and is one of our priorities. The most significant aspect of this matter is the protection of the personal data of our job candidates, company shareholders, company executives, visitors, employees of the institutions we collaborate with, their shareholders and executives, and third parties, which is governed by this policy. Activities related to the protection of personal data of our employees are carried out in line with the principles set forth in this policy.

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. In accordance with this constitutional right, our company takes the necessary measures to protect the personal data of job candidates, company shareholders, company executives, customers, visitors, employees, shareholders, and executives of institutions we collaborate with, and third parties, as regulated by this policy, and establishes this as a company policy.

In this context, the necessary administrative and technical measures are taken by our company to ensure the protection of personal data processed in accordance with the relevant legislation.

This policy will provide detailed explanations regarding the fundamental principles that our company adopts in the processing of personal data, as listed below.

  • Processing personal data in accordance with the law and principles of fairness,
  • Ensuring personal data is accurate and, when necessary, up-to-date,
  • Processing personal data for specified, explicit, and legitimate purposes,
  • Processing personal data in a manner that is relevant, limited, and proportional to the purpose for which they are processed,
  • Retaining personal data for no longer than is necessary for the purposes for which it is processed or as required by relevant legislation,
  • Informing and enlightening data subjects,
  • Establishing the necessary system for data subjects to exercise their rights,
  • Taking necessary measures to safeguard personal data,
  • Ensuring compliance with relevant legislation and Personal Data Protection Board regulations when transferring personal data to third parties in accordance with the purpose of processing,
  • Exercising the necessary care in processing and protecting sensitive personal data.

 

 

1.1. Purpose of the Policy

The primary purpose of this policy is to provide explanations regarding the personal data processing activities carried out by our company in compliance with the law and the systems adopted for the protection of personal data. In this context, it aims to ensure transparency by informing individuals whose personal data are processed by our company, including job candidates, company shareholders, company executives, our visitors, employees, shareholders, and executives of institutions we collaborate with, as well as third parties.

 

1.2. Scope

This policy applies to all personal data of our job candidates, company shareholders, company executives, visitors, employees, shareholders, and executives of institutions we collaborate with, as well as third parties, that are processed automatically or through non-automatic means as part of any data recording system.

The scope of application of this policy for the categories of personal data subjects listed above may either cover the entire policy (for example, for job candidates who are also visitors) or only specific provisions (for example, for our visitors only).

1.3. Application of the Policy and Relevant Legislation

The relevant legal regulations currently in force regarding the processing and protection of personal data will primarily apply. In the event of any inconsistency between the applicable legislation and the policy, our company acknowledges that the applicable legislation will take precedence.

This policy has been developed by specifying and regulating the rules set forth by the relevant legislation within the framework of our company’s practices. Our company has made the necessary preparations and implemented the required systems to comply with the timelines outlined in the Personal Data Protection Law.

1.4. Effectiveness of the Policy

This policy, which was prepared by our company and came into effect on October 1, 2020, is published on our website and made available to the relevant individuals upon their request.

2. MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

To ensure the lawful processing of personal data, technical and administrative measures are taken based on technological capabilities and the cost of implementation. The main measures taken are listed below:

Technical Measures Taken to Ensure the Lawful Processing of Personal Data:

  • Personal data processing activities carried out within our company are monitored through technical systems established in accordance with internationally recognized standards.
  • The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
  • Personnel with expertise in technical matters are employed.

Administrative Measures Taken to Ensure the Lawful Processing of Personal Data:

  • Employees are informed and trained on the law of personal data protection and the lawful processing of personal data.
  • All activities conducted by our company are analyzed in detail for each business unit, and as a result of this analysis, personal data processing activities related to the commercial operations carried out by each business unit are identified.
  • The personal data processing activities carried out by our company’s business units are assessed, and the requirements that need to be met to ensure compliance with the personal data processing standards set out by the Personal Data Protection Law are defined for each business unit and the specific activities they carry out.
  • To ensure the legal compliance requirements for each business unit, awareness is raised within the relevant units, and application rules are established; necessary administrative measures to ensure oversight and continuity of the application are implemented through internal company policies and training.
  • Contracts and documents that govern the legal relationship between our company and its employees include provisions that impose obligations not to process, disclose, or use personal data, except as instructed by the company or in cases of statutory exceptions. Employees' awareness of this obligation is raised, and audits are conducted.

2.1.2. Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data

To prevent the unauthorized disclosure, access, transfer, or any other form of unlawful access to personal data, technical and administrative measures are taken based on the nature of the data to be protected, technological capabilities, and the cost of implementation. The main measures taken are listed below.

Technical Measures Taken to Prevent Unauthorized Access to Personal Data:

  • Technical measures are taken in line with technological developments, and these measures are periodically updated and renewed.
  • Access and authorization technical solutions are implemented in accordance with the legal compliance requirements defined for each business unit.
  • Access rights are restricted, and authorizations are regularly reviewed.
  • The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism, and any issues that pose a risk are reassessed and addressed with appropriate technological solutions.
  • Software and hardware, including antivirus systems and firewalls, are installed.
  • Personnel with expertise in technical matters are employed.
  • Applications that collect personal data are regularly subjected to security scans to identify any vulnerabilities. Detected vulnerabilities are addressed and closed.

Administrative Measures Taken to Prevent Unauthorized Access to Personal Data:

  • Employees are trained on the technical measures to be taken to prevent unauthorized access to personal data.
  • Access and authorization processes for personal data are designed and implemented within the company in accordance with the legal compliance requirements for personal data processing at the business unit level.
  • Employees are informed that they cannot disclose personal data to others in violation of the provisions of the Personal Data Protection Law or use it for purposes other than the intended purpose of processing, and that this obligation will continue even after their departure from the company. Necessary commitments are obtained from employees in this regard.
  • Contracts with entities to whom personal data is lawfully transferred by our company include provisions stating that the recipients of the personal data will take the necessary security measures to protect the data and ensure compliance with these measures within their organizations.

2.1.3. Storage of Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures based on technological capabilities and implementation costs to ensure that personal data is stored in secure environments and to prevent its unlawful destruction, loss, or alteration. The main measures taken are listed below:

Technical Measures Taken to Store Personal Data in Secure Environments:

  • Systems that comply with technological developments are used to store personal data in secure environments.
  • Personnel with expertise in technical matters are employed.
  • Technical security systems are established for storage areas, and the technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism. Any issues that pose a risk are reassessed, and necessary technological solutions are implemented.
  • Backup programs are used in a lawful manner to ensure the secure storage of personal data.
  • Access to data storage areas containing personal data is logged, and any unauthorized access or access attempts are promptly reported to the relevant parties.

Administrative Measures Taken to Store Personal Data in Secure Environments:

  • Employees are trained to ensure the secure storage of personal data.
  • If external services are procured for the storage of personal data due to technical requirements, contracts with the relevant companies to whom personal data is lawfully transferred include provisions ensuring that the recipients of the personal data will take necessary security measures to protect the data and ensure compliance with these measures within their organizations.

2.1.4. Auditing the Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the Personal Data Protection Law, our company conducts or has conducted the necessary audits within its organization. The results of these audits are reported to the relevant department within the company's internal operations, and necessary activities are carried out to improve the measures taken.

2.1.5. Measures to Be Taken in the Event of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the Personal Data Protection Law, our company operates a system that ensures the prompt notification of the relevant personal data subject and the Personal Data Protection Authority if personal data processed by the company is obtained unlawfully by others. If deemed necessary by the Board, this incident may be published on the Board's website or through another method.

2.2. Safeguarding the Rights of Data Subjects (Creating Channels for Requests and Evaluating Requests)

Our company operates the necessary channels, internal processes, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to evaluate the rights of personal data subjects and to provide the required information to them.

If personal data subjects submit their requests regarding the rights listed below in writing to our company, the company's authorized personnel will respond to the request, free of charge, within a maximum of thirty days, depending on the nature of the request. However, if a fee is determined by the Board, our company will charge the fee according to the tariff set by the Board.

Personal data subjects have the following rights:

  • To learn whether their personal data is being processed,
  • To request information about their processed personal data,
  • To learn the purpose of processing their personal data and whether it is being used in accordance with that purpose,
  • To know the third parties, either domestic or international, to whom their personal data has been transferred,
  • To request the correction of personal data if it is incomplete or incorrect and to request that the correction be communicated to third parties to whom the data has been transferred,
  • To request the deletion or destruction of personal data when the reasons for processing have ceased, and to request that this action be communicated to third parties to whom the data has been transferred,
  • To object to the result of the processing of personal data solely through automated systems if it results in an unfavorable consequence for the individual,
  • To request compensation for any damages suffered due to unlawful processing of personal data.

For more detailed information about the rights of data subjects, please refer to Section 10 of this policy.

2.3. Protection of Special Categories of Personal Data

Certain personal data is given special importance under the Personal Data Protection Law due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include: race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and data related to security measures, as well as biometric and genetic data.

Our company takes great care in protecting special categories of personal data that are classified as "special" under the PDP Law and processed in compliance with the law. In this regard, the technical and administrative measures taken by our company to protect personal data are carefully applied with respect to special categories of personal data, and necessary audits are conducted within the company.

Detailed information regarding the processing of special categories of personal data is provided in Section 3 of this Policy.

 

2.4. Raising Awareness and Conducting Audits on the Protection and Processing of Personal Data within Business Units

Our company ensures that necessary training is provided to business units to raise awareness of preventing unlawful processing of personal data, unauthorized access to data, and ensuring the proper storage of data.

Systems are established within our company to ensure that existing employees in business units, as well as newly hired employees, develop awareness of personal data protection. If needed, professional experts are consulted on this matter.

The results of training aimed at raising awareness within business units regarding the protection and processing of personal data are reported to our company’s Human Resources department. Senior management evaluates participation in relevant trainings, seminars, and information sessions and conducts or arranges for necessary audits. In line with updates to the relevant legislation, our company regularly updates and renews its training programs.

 

2.5. Raising Awareness and Conducting Audits on the Protection and Processing of Personal Data Among Business Partners and Suppliers

Our company ensures that training sessions and seminars are provided to business partners and suppliers to raise awareness of preventing unlawful processing of personal data, unauthorized access to data, and ensuring proper data storage.

The training provided to our business partners and suppliers is periodically repeated. Systems are established to raise awareness of personal data protection among existing employees of business partners and suppliers, as well as newly hired employees. If needed, professional experts are consulted on this matter.

The results of the training aimed at raising awareness of personal data protection and processing among our business partners and suppliers are reported to our Human Resources department. Senior management evaluates participation in relevant trainings, seminars, and information sessions, and conducts or arranges for necessary audits. Our company updates and renews its training programs in line with updates to the relevant legislation.

 

3. MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with Legal Principles

3.1.1. Processing in Compliance with Law and the Principle of Good Faith

Our company acts in accordance with the principles set out by legal regulations and the general rule of trust and good faith when processing personal data. In this regard, our company ensures that the proportionality requirements are considered in the processing of personal data and does not use personal data for purposes other than those required by the purpose of processing.

3.1.2. Ensuring the Accuracy and, When Necessary, the Currency of Personal Data

Our company ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights of data subjects and its legitimate interests. In this regard, necessary measures are taken. For example, our company has established a system that allows data subjects to correct and verify the accuracy of their personal data.

Detailed information on this subject can be found in Section 10 of this Policy.

3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

Our company defines the legitimate and lawful purpose of processing personal data in a clear and definite manner. We process personal data only to the extent necessary and related to the commercial activities we carry out. The purposes for which personal data will be processed are determined before the commencement of the data processing activity.

3.1.4. Processing in a Way that is Relevant, Limited, and Proportionate to the Purpose

Our company processes personal data in a manner that is suitable for achieving the defined purposes, and refrains from processing personal data that is not related to or necessary for the achievement of the purpose. For example, personal data processing activities are not conducted to address potential future needs.

3.1.5. Retaining Personal Data for the Period Necessary for the Purpose or as Required by Relevant Legislation

Our company retains personal data only for the period necessary as defined by the relevant legislation or for the purpose for which it was processed. In this context, our company first determines whether the relevant legislation stipulates a retention period for personal data. If a retention period is defined, we comply with that period; if no retention period is defined, we store personal data for as long as necessary for the purpose for which it was processed. Once the retention period expires or the reasons for processing no longer exist, personal data is deleted, destroyed, or anonymized by our company. Personal data is not stored by our company for future use.

Detailed information on this subject can be found in Section 9 of this Policy.

3.2. Processing Personal Data Based on the Conditions for Personal Data Processing Defined in Article 5 of the PDP Law and Limited to These Conditions

The protection of personal data is a constitutional right. Fundamental rights and freedoms can only be limited in accordance with the reasons specified in the relevant articles of the Constitution, and only through law. In accordance with Article 20, paragraph 3 of the Constitution, personal data may only be processed in cases specified by law or with the explicit consent of the individual. In this regard, and in compliance with the Constitution, our company processes personal data only in the cases specified by law or with the explicit consent of the individual.

Detailed information on this subject can be found in Section 7 of this Policy.

3.3. Processing of Data by Our Company that is Processed by Group Companies

In order to ensure that the activities of the Group Companies are conducted in accordance with our company's principles, goals, and strategies, and to protect the rights, interests, and reputation of the Group Companies, personal data processed by the Group Companies may also be processed by our company. If the sharing of personal data between our company and the Group Companies takes place as a transfer of personal data from one data controller to another within the scope of the Personal Data Protection Law, the relevant Group Company will inform the individual at the data collection stage that their personal data may be transferred to our company.

3.4. Informing and Providing Information to the Data Subject

In accordance with Article 10 of the PDP Law, our company ensures that data subjects are informed during the collection of their personal data. In this context, our company provides information about the identity of the data subject’s representative (if any), the purposes for processing personal data, the recipients to whom personal data may be transferred and for what purposes, the method and legal basis for collecting personal data, and the rights of the data subject.

Article 20 of the Constitution establishes that everyone has the right to be informed about their personal data. Accordingly, Article 11 of the PDP Law includes the right of the data subject to request information. In this context, our company, in accordance with Article 20 of the Constitution and Article 11 of the Law, provides the necessary information when a data subject requests it.

Detailed information on these matters can be found in Section 10 of this Policy.

3.5. Processing of Special Categories of Personal Data

Our company handles the processing of personal data classified as "special categories" under the PDP Law with particular attention to compliance with the provisions set forth in the Law. According to Article 6 of the Law, certain types of personal data are considered "special categories" due to the risk of causing harm or discrimination if processed unlawfully. These data include race, ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.

In accordance with the PDP Law, special categories of personal data are processed by our company under the following conditions, provided that sufficient precautions determined by the Personal Data Protection Board are taken:

  • If the data subject has given explicit consent, or
  • If the data subject has not given explicit consent:
    • For special categories of personal data excluding health and sexual life, processing is permitted under the conditions stipulated by law.
    • Special categories of personal data related to health and sexual life can only be processed by individuals or authorized institutions bound by confidentiality obligations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.6. Transfer of Personal Data

Our company, in accordance with legitimate and lawful personal data processing purposes, may transfer personal data and special categories of personal data to third parties, taking the necessary security measures (see Section 2/Title 2.1).

In this regard, our company acts in compliance with the provisions set forth in Article 8 of the Personal Data Protection Law.

Detailed information on this topic can be found in Section 6 of this policy.

3.6.1. Transfer of Personal Data

In accordance with the legitimate and lawful purposes of personal data processing, our company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the PDP Law, and in a limited manner, as follows:

  • If the data subject has given explicit consent,
  • If there is an explicit provision in the law regarding the transfer of personal data,
  • If it is mandatory for the protection of the life or bodily integrity of the data subject or another person, and the data subject is unable to express consent due to practical impossibility, or if the consent is not legally recognized,
  • If the transfer of personal data is necessary for the establishment or performance of a contract directly related to the parties of the contract,
  • If the transfer of personal data is necessary for our company to fulfill its legal obligations,
  • If the personal data has been made public by the data subject,
  • If the transfer of personal data is necessary for the establishment, exercise, or defense of legal claims,
  • If the transfer of personal data is necessary for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.6.2. Transfer of Special Categories of Personal Data

Our company, with the necessary care and security measures (see Section 2/Title 2.1), and by implementing sufficient precautions as required by the Personal Data Protection Board, may transfer special categories of personal data to third parties in accordance with legitimate and lawful personal data processing purposes under the following conditions:

  • If the data subject has given explicit consent, or
  • If the data subject has not given explicit consent:
    • Special categories of personal data excluding health and sexual life may be transferred in cases provided by law,
    • Special categories of personal data related to the data subject's health and sexual life may only be transferred to individuals or authorized institutions and organizations bound by confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.7. Transfer of Personal Data Abroad

Our company, in accordance with lawful personal data processing purposes, may transfer personal data and special categories of personal data to third parties, taking the necessary security measures (see Section 2/Title 2.1).

Our company may transfer personal data to foreign countries that have been declared by the Personal Data Protection Board as countries with "Adequate Protection" or, in the absence of adequate protection, to foreign countries where the data controllers in both Turkey and the foreign country have committed to providing adequate protection in writing and have obtained permission from the Board. In this regard, our company acts in compliance with the provisions set forth in Article 9 of the Personal Data Protection Law.

Detailed information on this topic can be found in Section 6 of this policy.

3.7.1. Transfer of Personal Data Abroad

Our company, in accordance with legitimate and lawful personal data processing purposes, may transfer personal data to countries with "Adequate Protection" or to foreign countries with "Data Controllers Committed to Providing Adequate Protection" under the following circumstances:

  • If there is an explicit provision in the law regarding the transfer of personal data,
  • If it is mandatory to protect the life or bodily integrity of the data subject or another person, and the data subject is unable to express consent due to practical impossibility or if the consent is not legally valid,
  • If the transfer of personal data is necessary for the establishment or performance of a contract directly related to the parties of the contract,
  • If the transfer of personal data is necessary for our company to fulfill its legal obligations,
  • If the personal data has been made public by the data subject,
  • If the transfer of personal data is necessary for the establishment, exercise, or defense of legal claims,
  • If the transfer of personal data is necessary for our company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.7.2. Transfer of Special Categories of Personal Data Abroad

Our company, with the necessary care and security measures (see Section 2/Title 2.1), and by implementing the sufficient precautions required by the Personal Data Protection Board, may transfer special categories of personal data to countries with "Adequate Protection" or to foreign countries with "Data Controllers Committed to Providing Adequate Protection" under the following conditions:

  • If the data subject has given explicit consent, or
  • If the data subject has not given explicit consent:
    • Special categories of personal data, excluding health and sexual life, may be transferred in cases provided by law,
    • Special categories of personal data related to the data subject's health and sexual life may only be transferred under conditions where it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of health services and financing, and the transfer is conducted by persons or authorized institutions and organizations under confidentiality obligations.

4. CATEGORIZATION, PROCESSING PURPOSES, AND RETENTION PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY

4.1. Categorization of Personal Data

In our company, in accordance with the legitimate and lawful personal data processing purposes of the company, personal data is processed based on one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law, and in compliance with the principles outlined in Article 4 of the Law, as well as with the general principles and obligations set out in the Law. Personal data is processed under the principles established in the Law and within the limits specified in this policy for the following categories of data subjects: Group Company Customers, Visitors, Third Parties, Job Applicants, Company Shareholders, Company Executives, Employees of Partner Institutions, Shareholders, and Executives.

In accordance with Article 10 of the Law, personal data in these categories is processed with the information and consent of the data subjects. The specific data subjects whose personal data is processed under these categories are also identified in Section 5 of this policy.

4.2. Purposes of Personal Data Processing

Our company processes personal data within the purposes and conditions specified in Article 5, paragraph 2, and Article 6, paragraph 3 of the Law. These purposes and conditions include:

  • If the processing of personal data is explicitly foreseen by the law,
  • If the processing of personal data is directly related to and necessary for the establishment or performance of a contract,
  • If processing personal data is necessary for our company to fulfill its legal obligations,
  • If personal data has been made public by the data subject, it may be processed by our company for the purpose of such public disclosure,
  • If processing personal data is necessary for the establishment, exercise, or protection of our company’s or any third party’s legal rights,
  • If the processing of personal data is necessary for the legitimate interests of our company, provided that such processing does not violate the fundamental rights and freedoms of the data subject,
  • If processing personal data is necessary to protect the life or bodily integrity of the data subject or another person, and the data subject is unable to give consent due to physical or legal incapacity,
  • In the case of special categories of personal data, if processing is foreseen by the law,
  • For special categories of personal data related to the data subject’s health and sexual life, processing may occur for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing, when conducted by persons or authorized institutions under confidentiality obligations.

Within this scope, our company processes your personal data for the following purposes:

  • Planning and execution of corporate sustainability activities,
  • Event management,
  • Management of relationships with business partners or suppliers,
  • Execution of our company’s personnel recruitment processes,
  • Supporting personnel recruitment processes of group companies,
  • Execution/tracking of financial reporting and risk management operations,
  • Execution/tracking of legal operations,
  • Planning and execution of corporate communication activities,
  • Execution of corporate governance activities,
  • Execution of corporate law and partnership transactions,
  • Management of requests and complaints,
  • Ensuring the security of the group,
  • Supporting group companies in compliance with relevant regulations,
  • Planning and execution of benefits and perks for senior executives of the company and group companies,
  • Planning and execution of auditing activities to ensure that the activities of group companies comply with their internal procedures and relevant regulations,
  • Supporting group companies in carrying out corporate law and partnership transactions,
  • Ensuring the protection of the reputation of the corporate group,
  • Management of investor relations,
  • Providing necessary information to relevant authorities as required by legislation,
  • Creating and tracking visitor records.

If the processing activities mentioned above do not meet any of the conditions foreseen by the PDP Law, explicit consent from the data subject will be obtained for the related processing activity.

 

4.3. Retention Periods of Personal Data

Where relevant laws and regulations stipulate a retention period, our company retains personal data for that period.

If the legislation does not specify a retention period for personal data, the data is processed for the duration required by the activity being carried out when the data is processed, according to our company’s practices and the commercial customs of the business. After that period, the personal data will be deleted, destroyed, or anonymized.

Detailed information on this topic is provided in Section 9 of this Policy.

If the purpose for processing personal data has been fulfilled, and the retention periods determined by relevant regulations and our company’s policies have expired, personal data may only be retained if it is necessary for potential legal disputes, as evidence, or for the enforcement of a related legal claim or defense. The retention periods in such cases are determined based on the statute of limitations for raising such claims, or by the examples of previous requests made to our company on the same matters, even after the statute of limitations has expired. In these cases, personal data will not be accessed for any other purposes and will only be accessed when necessary for use in the relevant legal dispute. Once the specified period has expired, the personal data will be deleted, destroyed, or anonymized.

5. Categorization of the Data Subjects Whose Personal Data Is Processed by Our Company

Our company processes the personal data of the following categories of data subjects, and the scope of this policy is limited to group company customers, visitors, third parties, employees, job applicants, company shareholders, company executives, and the employees, shareholders, and executives of institutions with which we collaborate.

While the individuals whose personal data is processed by our company fall within the scope mentioned above, individuals outside of these categories may also submit requests to our company under the Personal Data Protection Law. These requests will be considered in accordance with the provisions of this policy.

Below, the terms "group company customer," "visitor," "third party," "employee," "job applicant," "company shareholder," "company executive," and "employees, shareholders, and executives of institutions with which we collaborate" are further clarified.

The following table details the personal data categories and specifies the types of personal data processed for individuals within these categories.

 

6. Third Parties to Whom Personal Data Processed by Our Company Is Transferred and the Purposes of Such Transfers

In accordance with Articles 8 and 9 of the Personal Data Protection Law (see Section 3/Heading 3.5), the personal data of data subjects managed under this Policy may be transferred to the following categories of third parties:

  • Our business partners,
  • Our suppliers,
  • Group companies,
  • Our shareholders,
  • Our executives,
  • Public authorities and institutions with legal authorization,
  • Private legal entities with legal authorization.

The scope of the third parties to whom data may be transferred and the purposes for such transfers are detailed below.

In conducting these data transfers, our company adheres to the provisions outlined in Sections 2 and 3 of this Policy.

7. Processing of Personal Data Based on Legal Grounds and Limited to These Grounds

7.1. Processing of Personal Data and Special Categories of Personal Data

7.1.1. Processing of Personal Data

The data subject's explicit consent is one of the legal grounds that makes it possible to process personal data in accordance with the law. Beyond explicit consent, personal data may also be processed if one of the following conditions exists. The legal basis for processing personal data may rely on only one of the following conditions, or it may be based on multiple conditions simultaneously. In the case of special categories of personal data being processed, the conditions outlined in Section 7.1.2. below will apply.

While the legal grounds for processing personal data may vary, our company always acts in accordance with the general principles outlined in Article 4 of the Personal Data Protection Law (see Section 3.1.) in all data processing activities.

(i) The Data Subject's Explicit Consent
One of the conditions for processing personal data is the explicit consent of the data subject. The data subject’s explicit consent must be informed, specific, and given voluntarily.

For data processing activities beyond the primary purpose of data collection (secondary processing), at least one of the conditions listed in (ii), (iii), (iv), (v), (vi), (vii), or (viii) below must be met. If none of these conditions are applicable, our company will proceed with the data processing activities based on the explicit consent of the data subject.

In cases where personal data is processed based on the data subject's explicit consent, the company obtains this consent using the relevant methods.

(ii) Explicit Provision in Laws
The personal data of the data subject may be processed lawfully if explicitly foreseen in the law.
Example: As per Article 230 of the Tax Procedure Law, the name of the relevant person must be included on an invoice.

(iii) Inability to Obtain Explicit Consent Due to Physical Impossibility
If a person is unable to provide explicit consent due to physical impossibility, or if their consent cannot be deemed legally valid, and processing their personal data is necessary to protect the life or bodily integrity of themselves or another person, personal data can be processed.
Example: If a shareholder collapses during the General Assembly, the company's employee may provide the shareholder’s identity information to the doctors.

(iv) Direct Relation to the Establishment or Performance of a Contract
Personal data may be processed if it is necessary for the establishment or performance of a contract, provided that it directly relates to the contract's parties.
Example: In order to fulfill a consultancy agreement with a business partner, the consultant's bank account details may be obtained to make payments.

(v) Fulfillment of the Company's Legal Obligations
If it is necessary for the company, as the data controller, to process personal data in order to fulfill its legal obligations, the personal data may be processed.
Example: Providing the requested information to the court in accordance with a court order.

(vi) Personal Data Made Public by the Data Subject
Personal data may be processed if the data subject has made the data public themselves.
Example: A job applicant’s contact details being posted on job application websites.

(vii) Necessity of Processing for the Establishment or Defense of a Legal Claim
Personal data may be processed if it is necessary for the establishment, exercise, or defense of a legal claim.
Example: Storing data that has evidential value (e.g., an invoice) and using it when necessary.

(viii) Necessity of Processing for the Legitimate Interests of the Company
Personal data may be processed if necessary for the legitimate interests of the company, as long as it does not harm the fundamental rights and freedoms of the data subject.
Example: Recording video footage for security purposes in the company’s buildings and facilities.

7.1.2. Processing of Sensitive Personal Data

In the absence of explicit consent from the data subject, sensitive personal data may be processed by our company only under the following conditions, provided that the sufficient measures determined by the Personal Data Protection Authority are taken:

  • Sensitive personal data other than health and sexual life may be processed in cases specifically foreseen in the law.
  • Sensitive personal data related to the data subject’s health and sexual life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, the planning and management of health services and financing, and by individuals or authorized institutions bound by confidentiality obligations.
 

8. Personal Data Processing Activities Related to Facility Entries, Building Surveillance, and Website Visitors

For the purpose of ensuring security, personal data processing activities are carried out by our company in relation to security camera monitoring and tracking guest entries and exits within our company's buildings and facilities. Personal data processing is performed through the use of security cameras and the recording of guest entry and exit details.

8.1. Surveillance Activities via Cameras at Company Building and Facility Entrances and Interiors

This section provides an explanation of our company’s camera surveillance system and how personal data, privacy, and fundamental rights are protected. Our company conducts surveillance activities with security cameras in order to protect the company’s and other individuals’ safety and security.

8.1.1. Legal Basis for Camera Surveillance

The camera surveillance activities conducted by our company are carried out in compliance with the law and relevant regulations on private security services.

8.1.2. Compliance with PDP Law for Camera Surveillance

In conducting surveillance activities for security purposes, our company acts in accordance with the regulations outlined in the Personal Data Protection Law. Surveillance via security cameras is carried out in line with the purposes defined in the relevant legislation and in compliance with the conditions for processing personal data listed in the Law.

8.1.3. Notification of Camera Surveillance Activities

In accordance with Article 10 of the Law, our company informs data subjects about the processing of personal data. We notify data subjects about the surveillance activities via multiple methods, ensuring transparency and protecting the data subject's rights and freedoms. This is achieved by publishing this policy on our website (online policy) and placing notification signs at the entrances of areas where surveillance takes place (on-site notification).

8.1.4. Purpose and Limitation of Camera Surveillance

Our company processes personal data in a manner that is connected to, limited to, and proportionate to the purpose for which it is collected, in accordance with Article 4 of the PDP Law. The purpose of video surveillance is limited to the objectives outlined in this policy. Accordingly, the areas to be monitored by security cameras, the number of cameras, and the times at which surveillance occurs are implemented in a way that is sufficient to achieve security objectives and limited to those objectives. Privacy is respected, and surveillance is not conducted in areas that would infringe on an individual’s privacy beyond the necessary security measures (e.g., bathrooms).

8.1.5. Ensuring the Security of Obtained Data

In compliance with Article 12 of the PDP Law, our company implements the necessary technical and administrative measures to ensure the security of personal data obtained through surveillance activities. (See Section 2/Heading 2.1)

8.1.6. Retention Period for Personal Data Obtained Through Surveillance

Detailed information about the retention period for personal data obtained through surveillance activities can be found in Section 4.3 of this policy, titled "Retention Periods for Personal Data."

8.1.7. Access to and Transfer of Surveillance Data

Only a limited number of company employees have access to live camera footage and digitally stored recordings. Those with access to the records are bound by confidentiality agreements, pledging to protect the confidentiality of the data they access.

8.2. Tracking of Guest Entries and Exits at Our Company’s Buildings and Facilities

In order to ensure security and for the purposes outlined in this policy, our company processes personal data to track the entries and exits of guests at our company’s buildings and facilities. The names and surnames of individuals visiting the company as guests are collected, and these data subjects are informed through texts displayed at the entrances or made available to the guests in other ways.

The data collected for tracking guest entries and exits is processed solely for this purpose and is recorded in a physical data recording system.

8.3. Storage of Internet Access Logs for Visitors at Our Company’s Buildings and Facilities

To ensure security and for the purposes outlined in this policy, our company may provide internet access to visitors during their stay at our buildings and facilities. In such cases, the internet access logs are recorded in accordance with Law No. 5651 and the regulations issued based on this law. These logs are processed only when requested by authorized public institutions or for fulfilling our legal obligations during internal audit processes.

Access to these logs is restricted to a limited number of company employees. Those employees with access to the logs use them only when required by authorized public institutions or during internal audits, and they share the data only with legally authorized individuals. The limited number of employees who have access to these logs sign confidentiality agreements to ensure the protection of the data’s privacy.

8.4. Website Visitors

On our company’s websites, we record the internet activities of visitors using technical means (such as cookies) to ensure that visitors navigate the sites appropriately, provide them with personalized content, and engage in online advertising activities.

 

9. CONDITIONS FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

9.1. Company’s Obligation to Delete, Destroy, and Anonymize Personal Data

As stipulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, although personal data has been processed in accordance with the relevant legal provisions, if the reasons necessitating its processing cease to exist, the personal data will be deleted, destroyed, or anonymized upon the company's decision or at the request of the data subject. The company fulfills this obligation through the methods explained in this section.

9.2. Techniques for Deletion, Destruction, and Anonymization of Personal Data

9.2.1. Techniques for Deletion and Destruction of Personal Data

The company may delete or destroy personal data based on its own decision or upon the request of the data subject when the reasons for processing the data no longer exist, even if the data was initially processed in accordance with the relevant legal provisions. The most commonly used techniques for deletion or destruction are as follows:

  • Physical Destruction
    Personal data that is part of a data recording system, but processed in non-automated ways, may be physically destroyed so that the data cannot be used again after deletion.
  • Secure Deletion with Software
    Personal data stored in digital environments and processed automatically or partially automatically is deleted using methods that ensure the data is irretrievably removed from the system.
  • Secure Deletion by a Specialist
    In some cases, the company may contract a specialist to securely delete personal data on its behalf. In such cases, the personal data is securely destroyed by the expert in a manner that ensures the data cannot be recovered.

9.2.2. Techniques for Anonymizing Personal Data

Anonymization of personal data refers to the process of making personal data impossible to relate to any identified or identifiable individual, even when combined with other data. The company may anonymize personal data when the reasons for processing no longer exist, in compliance with the law.

According to Article 28 of the Personal Data Protection Law, anonymized personal data may be processed for purposes such as research, planning, or statistical analysis. Such processing is outside the scope of the law, and the data subject’s explicit consent will not be required. Since anonymized personal data is not considered personal data under the law, the rights detailed in Section 10 of this policy do not apply to such data. The most commonly used techniques for anonymizing personal data are as follows:

  • Masking
    Masking involves removing the key identifying information from a data set, making it impossible to identify the data subject.
    Example: Removing identifying information, such as the name or ID number, from a data set, making it impossible to identify the individual.
  • Aggregation
    Aggregation is the method of combining data so that individual personal data can no longer be associated with any specific person.
    Example: Showing that there are "X" number of employees of a certain age, without revealing the ages of individual employees.
  • Data Derivation
    Data derivation involves creating a more general representation of the data, removing any link to a specific individual.
    Example: Using the age instead of the birth date, or specifying the region of residence rather than the exact address.
  • Data Shuffling (Permutation)
    Data shuffling is the method of rearranging the values within a data set to disconnect the values from the individuals.
    Example: Modifying voice recordings so that they cannot be linked to the individual.

10. RIGHTS OF DATA SUBJECTS; METHODOLOGY FOR EXERCISING AND EVALUATING THESE RIGHTS

10.1. Rights of the Data Subject and the Exercise of These Rights

10.1.1. Rights of the Data Subject

Data subjects have the following rights:

  • To learn whether their personal data is being processed,
  • To request information about whether their personal data has been processed,
  • To learn the purpose of processing their personal data and whether it is being used in accordance with its intended purpose,
  • To know the third parties to whom their personal data is transferred, either domestically or internationally,
  • If their personal data is processed inaccurately or incompletely, to request correction of the data and request that the correction be communicated to the third parties to whom the data has been transferred,
  • To request the deletion or destruction of their personal data when the reasons for processing no longer exist, in accordance with the Personal Data Protection Law and other relevant legislation, and to request that this deletion or destruction be communicated to the third parties to whom the data has been transferred,
  • To object to a decision that is exclusively based on automated processing of their personal data that results in unfavorable legal consequences for them,
  • To request compensation for damages resulting from unlawful processing of their personal data.

10.1.2. Situations in Which the Data Subject Cannot Assert Their Rights

Pursuant to Article 28 of the Personal Data Protection Law, the following situations are excluded from the scope of the law, meaning that data subjects cannot assert their rights listed in 10.1.1 in these cases:

  • Processing of personal data for the purpose of research, planning, and statistics, by anonymizing it for official statistics,
  • Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, as long as it does not violate national defense, national security, public safety, public order, economic security, privacy, or personality rights, or constitute a crime,
  • Processing of personal data by public institutions and organizations authorized by law for preventive, protective, and intelligence activities related to national defense, national security, public safety, public order, or economic security,
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or execution procedures.

In accordance with Article 28/2 of the Personal Data Protection Law, data subjects cannot assert any rights listed in 10.1.1, except for the right to request compensation for damages, in the following cases:

  • When processing personal data is necessary for the prevention of a crime or for a criminal investigation,
  • When personal data has been made public by the data subject themselves,
  • When processing of personal data is necessary for public institutions and organizations or professional organizations with public institution status to carry out their regulatory, supervisory, disciplinary investigation, or prosecution tasks based on the authority granted by law,
  • When processing of personal data is necessary for protecting the economic and financial interests of the state in matters related to budgeting, taxes, and finance.

10.1.3. Exercising the Rights of the Data Subject

Data subjects may exercise the rights listed under Section 10.1.1. by submitting a request to the company free of charge using the following methods or other methods determined by the Personal Data Protection Authority:

  • By filling out the form available at www.aesgroup.com.tr, signing a hard copy, and submitting it in person or via notarized delivery to the address: “Nosab Şeftali Cd. 118 Sk. No: 4 Nilüfer / Bursa / Turkey”,
  • By filling out and signing the form available at www.aesgroup.com.tr, and sending it to kvkk@aesgroup.com.tr.

For a third party to submit a request on behalf of a data subject, the data subject must provide a notarized special power of attorney authorizing the third party to make the request.

10.1.4. Right to Lodge a Complaint with the Personal Data Protection Authority

Under Article 14 of the Personal Data Protection Law, if a request is rejected, if the response is found to be insufficient, or if no response is provided within the statutory period, the data subject has the right to lodge a complaint with the Personal Data Protection Authority within thirty days of learning about the company's response, and in any case, within sixty days from the date of the initial request.

10.2. Company's Response to Applications

Applications related to personal data processing activities of the Group Companies must be made to the relevant group company. Applications to our company should only be made in situations where our company is considered the data controller under the Personal Data Protection Law. This applies when our company directly collects personal data from the data subject, or when the transfer of data between our company and the relevant group company is considered a data transfer from one data controller to another under the Personal Data Protection Law. In all other cases, applications regarding personal data processing activities, where the relevant group company is the data controller, should be made to the relevant group company, not to our company.

10.2.1. Procedure and Timeframe for Responding to Applications

If the data subject submits a request to our company in accordance with the procedure outlined in section 10.1.3, our company will respond to the request within a maximum of thirty days, free of charge, depending on the nature of the request. However, if the Personal Data Protection Authority determines that a fee must be charged, our company will collect the fee from the applicant in accordance with the tariff set by the Authority.

10.2.2. Information the Company May Request from the Data Subject

To determine whether the person submitting the request is indeed the data subject, our company may ask for relevant information. In order to clarify the details of the data subject's request, the company may ask the data subject additional questions regarding their application.

10.2.3. Right of the Company to Reject the Data Subject’s Application

Our company has the right to reject the data subject’s application and provide an explanation of the reasons in the following situations:

  • The processing of personal data for purposes such as research, planning, and statistics through anonymization for official statistics,
  • The processing of personal data for artistic, historical, literary, or scientific purposes, or under the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personality rights, or does not constitute a crime,
  • The processing of personal data by public institutions and organizations authorized by law for preventive, protective, and intelligence activities related to national defense, national security, public safety, public order, or economic security,
  • The processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials, or execution procedures,
  • The processing of personal data being necessary for preventing a crime or for a criminal investigation,
  • The processing of personal data made public by the data subject themselves,
  • The processing of personal data by public institutions and organizations, or professional organizations with public institution status, for regulatory or supervisory duties, disciplinary investigations, or prosecutions based on the authority granted by law,
  • The processing of personal data being necessary for protecting the economic and financial interests of the state in matters related to budgeting, taxes, and finance,
  • The data subject’s request may infringe upon the rights and freedoms of other individuals,
  • The request involves disproportionate effort,
  • The requested information is publicly available information.
 

11. Relationship of the Personal Data Protection and Processing Policy with Other Policies

Our company, through this policy, establishes the principles regarding the protection and processing of personal data and also creates fundamental policies for our group companies, in addition to internal sub-policies related to personal data protection and processing.

The principles of the company's internal policies are reflected in publicly accessible policies, as appropriate, in order to ensure that relevant stakeholders are informed and that transparency and accountability are maintained regarding the company's personal data processing activities.

 

12. Governance Structure of the Personal Data Protection and Processing Policy

To manage this policy and other policies related to it (see Section 11), a Personal Data Protection High Council ("High Council") has been established within our company by decision of the top management. Additionally, a Personal Data Protection Committee ("Committee") has been formed.

The duties of this Committee are as follows:

  • To prepare and implement the fundamental policies related to the protection and processing of personal data, propose changes when necessary, and submit them to the High Council for top management's approval.
  • To decide how the implementation and monitoring of personal data protection and processing policies will be carried out and ensure internal coordination and assignment within the company, submitting these decisions to the High Council for top management's approval.
  • To identify the necessary actions to ensure compliance with the Personal Data Protection Law and related regulations, submit them for top management approval, monitor their implementation, and ensure coordination.
  • To raise awareness about personal data protection and processing both within the company and among institutions collaborating with the company.
  • To identify risks in the company’s personal data processing activities and ensure necessary measures are taken; submit improvement proposals to the High Council for top management approval.
  • To ensure training sessions are organized to inform data subjects about personal data processing activities and their legal rights, and submit these proposals to the High Council.
  • To address data subjects' requests at the highest level and submit these decisions to the High Council.
  • To monitor developments and regulations regarding personal data protection and processing; provide proposals for actions that should be taken within the company to comply with these developments and regulations, and submit them to the High Council.
  • To coordinate relations with the Personal Data Protection Authority and other relevant authorities under the High Council’s coordination.
  • To perform any other duties assigned by top management and the High Council related to personal data protection.