TR

Personal Data Protection Law

INGREDIENTS

PART ONE: Purpose and Enforcement of the Policy

PART TWO: The Scope of the Law and the Rights and Obligations of Our Company Arising from the Law

General Principles regarding the Processing of Personal Data

Purposes of Personal Data Processing and Sharing within the Scope of the Law

Purposes related to the Processing of Personal Data

Purposes related to the Sharing of Personal Data

Cases Outside the Scope of the Law

PART THREE: Processing of Personal Data by Our Company

Classification of Personal Data Processed by Our Company

Purposes of Processing of Personal Data by Our Company

The Transfer of Personal Data by Our Company and the Classification of the Parties to Whom the Data Transfer is Carried Out

The Procedure of Processing Personal Data by Our Company

Personal Data Security

SECTION FOUR: Rights of Data Subjects Arising from the Law

Rights of Data Subjects

Exercise of Rights

CHAPTER ONE Purpose and Enforcement of the Policy

07.04.2016 the personal data protection Act No. 6698 which entered into force on the date (the“act”), personal data is “data manager” determines the purposes and means of the processing of personal data and classified as data recording system by natural or legal persons who is responsible for the establishment and management of the procedures and principles for the processing of personal data reveals.

This document (”Policy") has been prepared in order to clarify the real persons whose personal data are processed by our Company as the data controller within the scope of the article mentioned above.

Personal data under the law “all kinds of information about identified or identifiable natural person (”as the “personal data fully or partially automated, with the record to be part of any data recording system or non-automatic means obtaining, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, can be obtained, making the classification or use is defined as any operation that is performed on the data such as the Prevention of”.

The Law, among other regulations, has imposed an obligation on data controllers to inform / inform the data subjects whose personal data will be processed during the collection of personal data. 10 Of the Law. according to the article data controllers data owners;

Identity of the data controller and his representative, if any,

For which purpose the personal data will be processed,

To whom and for what purposes the processed personal data can be transferred,

The method and legal reason for the collection of personal data,

11 Of the Law. the other rights listed in the article should inform about the issues.

The subject of this policy our company's customers, corporate clients, stakeholders, officials and employees, potential customers, business partners and suppliers, our shareholders, authorities and employees, working with our candidates and our company is used in people who have retired from our company employees and interns, visitors, shareholders with company officials, our business partner and supplier candidates and other third parties, and the issues related to the processing of personal data about our employees are regulated within the scope of a separate policy text presented to employees in accordance with the Law.

CHAPTER TWO The Scope of the Law and the Rights and Obligations of Our Company Arising from the Law

1. General Principles regarding the Processing of Personal Data

4 Of the Act. as per the article, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for fulfilling the disclosure obligation specified in the First Section:

Compliance with the law and the rules of decency.

Be accurate and up-to-date when necessary.

Processing for specific, explicit and legitimate purposes.

Being connected, limited and measured with the purpose for which they are processed.

To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

2. Purposes of Personal Data Processing and Sharing within the Scope of the Law

a. Purposes related to the Processing of Personal Data

Our company does not process Personal Data without the explicit consent of the data owner. Our Company may process Personal Data without seeking the explicit consent of the data owner in the presence of one of the following conditions. Law, 5 and 6. within the scope of its articles, it has determined a number of situations in which data may be processed without explicit consent in terms of personal data and special qualified personal data.

Personal data in accordance with Article,

Explicit provision of data processing in the laws,

The fact that the processing of the relevant data is mandatory for the protection of the life or body integrity of the person or someone else who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid,

Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,

Data processing is mandatory in order for the data controller to fulfill its legal obligation,

The fact that the personal data has been made public by the relevant person himself,

Data processing is mandatory for the establishment, use or protection of a right,

Provided that the data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned, it may be processed even if the explicit consent of the data subject has not been obtained in advance (provided that the necessary lighting has been made).

On the other hand, the law of persons, race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data with data on “special” or “sensitive personal data as defined and has predicted more severe conditions for their processing. Accordingly, special qualified personal data can be processed only under the following conditions, except in cases where explicit consent has been obtained from the data owner:

Of persons, race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, genetic and biometric data with data on criminal convictions and security measures, in the way prescribed in the law will be processed.

In relation to health and sexual life of the personal data, however, Public Health Protection, preventive medicine, medical diagnosis, treatment and care services execution, for the purposes of the planning and management of health services financing, or authorized persons under the obligation of confidentiality will be handled by the institution.

b. Purposes related to the Sharing of Personal Data

In accordance with the data processing, the sharing (transfer) of personal data with a third party is also subject to the fact that explicit consent has been obtained from the data subject concerned in this direction. 8 of the Law, however. according to the article, data transfer can also be carried out under the conditions where data processing is permitted, and in this direction, Section 2.2 above.in the presence of the conditions specified in a, personal data or special qualified personal data may be transferred even if the consent of the data subject is not available.

With regard to the transfer of personal data to third parties, the law has attached the transfer abroad to special conditions. Accordingly, personal data;

If there is the explicit consent of the data owner, or

In cases where the data subject does not have explicit consent but one or more of the other conditions mentioned above are met;

If there is adequate protection in the country where the data is transferred and there is insufficient protection in the country where the data is transferred, it can be transferred abroad with the registration of the data controller committing to adequate protection in writing together with the data controller in the relevant foreign country and obtaining the permission of the Personal Data Protection Board.

3. Cases Outside the Scope of the Law

28 Of the Law. in accordance with the article, the Law will not be applied in the following cases:

Processing of personal data by natural persons entirely within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations related to data security are complied with.

Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

Personal data of National Defense, National Security, Public Safety, Public Order, economic security, privacy or personal rights not to violate or did not constitute a crime, provided that art, history, literature, or scientific purposes or for the freedom of expression may be under processed.

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized and authorized by law to ensure national defense, national security, public security, public order or economic security.

Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

SECTION THREE Processing of Personal Data by Our Company

1. Classification of Personal Data Processed by Our Company

Data Category:

Personal Data Categorization Explanation

Identity Information:

Information contained in documents such as driver's license, identity card, residence, passport, lawyer's ID, marriage certificate (e.g. TCKN, passport no., identity card serial no., name-surname, photo, place of birth, date of birth, age, place of registration with the population, sample of the birth certificate)

Contact Information:

Information used for the purpose of communicating with the person (e.g. e-mail address, phone number, mobile number, address)

Location Data:

Data used to determine the location of the data subject (e.g. location data acquired during vehicle use)

Customer Information:

Information about customers who benefit from our products and services (e.g. customer ID, professional information, etc.)

Customer Transaction Information:

Information about all kinds of transactions performed by customers who benefit from our products and services (e.g. request and instructions, order and cart information, etc.)

Physical Space: Safety Information

Personal data related to the records and documents received at the entrance to the physical space, during the stay in the physical space (eg. entry and exit logs, visit information, camera recordings, etc.)

Transaction Security Information:

Personal data processed for the purpose of ensuring the technical, administrative, legal and commercial security of our company and related parties (e.g. information such as password and password of the website that shows that the transaction associated with the personal data owner is authorized to match that person and that the person is authorized to perform that transaction)

Knowledge of Risk Management:

Personal data processed in order to manage the commercial, technical and administrative risks of our company (e.g. IP address, Mac ID, etc. history)

Financial Information:

Existing legal relationship with the owner of personal data according to the type of financial result indicating created all kinds of Information, documents and records within the scope of personal data (for example: data that indicates the result of the owner transactions financial information, loan amount, card information, credit payments, to be paid the amount and rate of interest,loan balance, loan balance, etc.)

Personal Information:

All kinds of personal data processed for obtaining information that will be the basis for protecting the personal rights of natural persons who are in a working relationship with the Personal Data Owner (all kinds of information and documents that must be entered into the personal file by law)

Employee Candidate Information:

Personal data belonging to the data subjects who share their information to apply for a job with our company and used in the application evaluation process (e.g. resume, interview notes, personality tests results, etc.)

Employee Transaction Information:

Personal data related to all kinds of work-related transactions carried out by the Company's supplier employees (e.g. entry-exit records, business trips, information about the meetings he attended, security query, information about monitoring mail traffic, vehicle usage information, company card spending information)

Marketing Information:

Data that will be used by our company in marketing activities (e.g. the habits of the person collected for marketing purposes, reports and evaluations showing their likes, targeting information, data enrichment activities)

Legal Process and Compliance Information:

Personal data processed for the purpose of determination and follow-up of legal receivables and rights and performance of debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions)

Audit and Inspection Information:

Personal data processed within the scope of our company's legal obligations and compliance with company policies (e.g. audit and inspection reports, relevant interview records and similar records)

Special Quality Personal Data:

Of persons, race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, with data on genetic and biometric data.

Request / Complaint

Management Knowledge:

Personal data related to the receipt and evaluation of all kinds of requests or complaints addressed to our company.
   

Visual and Auditory Data:

Visual and audio recordings associated with the personal data owner (e.g. photos, camera recordings and audio recordings)

2. KPurposes of Processing of Personal Data by Our Company

Our company processes personal data for the following purposes within the scope specified above:

Planning, supervision and execution of information security processes

Creation and management of information technology infrastructure

Planning and execution of benefits and benefits for employees

Corporate communication for employees and / or planning and / or execution of corporate social responsibility and / or non-governmental organizations activities in which employees participate

Planning and execution of employees' access to information powers

Monitoring and/or supervision of employees' work activities

Follow-up of financial and/or accounting affairs

Follow-up of legal affairs

Planning of human resources processes

Performance of efficiency/efficiency and/or availability analyses of business activities planning and/or execution of activities

Planning and execution of business activities

Planning and execution of information access authorizations of business partners and/or suppliers

Management of relations with business partners and/or suppliers

Planning and/or execution of occupational health and/or safety processes

Planning and/or execution of business continuity activities

Planning and execution of corporate communication and management activities

Planning and execution of logistics activities

Planning and execution of customer relationship management processes

Planning and/or execution of customer satisfaction activities

Follow-up of customer requests and /or complaints

Execution of personnel procurement processes Jul

Fulfillment of obligations arising from employment contract and / or legislation for company employees

Planning and execution of company audit activities

Planning and execution of training activities outside the company

Planning and execution of the operational activities necessary to ensure that the company's activities are carried out in accordance with the company's procedures and / or relevant legislation Jul

Planning and/or execution of in-house training activities

Ensuring the Jul-tainment of the company's operations

Ensuring the security of the company's Jul-tions and/or facilities

Planning and / or execution of the processes of creating and / or increasing loyalty to the products and / or services offered by the company

Planning and/or execution of the Company's production and/or operational risk processes

Realization of company and partnership law transactions/p>

Follow-up of contract processes and/or legal requests

Execution of strategic planning activities

Planning and execution of supply chain management processes

Wage management

Planning and execution of production and/or operation processes

Planning and execution of Sunday research activities for the sale and marketing of products and services

Planning and execution of marketing processes of products and / or services

Planning and execution of sales processes of products and / or services

Ensuring that the data is accurate and up-to-date

Providing information to authorized organizations based on legislation

Creation and tracking of visitor records

3. The Transfer of Personal Data by Our Company and the Classification of the Parties to Whom the Data Transfer is Carried Out

Personal data may be transferred by our Company to our Company officials, subsidiaries, business partners, suppliers, shareholders, public institutions and organizations authorized by law and private institutions for the purposes specified above.

4. The Procedure of Processing Personal Data by Our Company

Our Company, in the capacity of data controller, within the scope of its obligations arising from the Law, before obtaining personal data from data subjects, Jul 10 of the Law. it illuminates the data owners in accordance with the article. Any data processing process carried out by our Company is specified in the Law and Section 2.2 above.if it does not meet the conditions detailed in a and b, explicit consent is obtained from the data owners and the relevant processes are carried out within the framework of the said explicit consent Jul.

Within the scope of the Law, explicit consent is defined as “consent related to a specific subject, based on being informed and explained with free will”, and in this direction, our Company protects data subjects under Article 10 of the Law.according to the article, he provides their explicit consent after illuminating Jul.

Although no period is specified for the storage of personal data within the scope of the law, it is essential that personal data be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed in accordance with the general principles. In order to determine the retention periods in accordance with this principle, our Company makes an assessment based on the legislation in force regarding each data processing process and the purpose of the process. In this respect, our Company stores personal data for the minimum period required by its legal obligations and in any case until the relevant statute of limitations expires.

Our Company anonymizes, deletes or destroys personal data in accordance with the Law upon the disappearance of the purpose of processing the relevant personal data within the scope of any process, including the expiration of the mentioned periods. Anonymization under the law, “personal data with other data by matching a specific ID to be associated with identified or identifiable natural person should in no way even brought in our company activities is defined to be in accordance with applicable regulations and anonymisation is carried out.

5. Personal Data Security

Our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, intentional deletion or damage of data in order to ensure the security of personal data. In this context, the following minimum actions are taken by our Company:

Taking appropriate software and hardware security measures for the processed personal data

Carrying out the audits foreseen within the scope of the law

Ensuring compliance of the Company and employees with the Law through internal trainings, policies and procedures

Ensuring and recording access to information based on necessity with internal authorizations

Follow-up of personal data processing activities on a process-by-process basis

Obtaining contractual commitments related to the protection and security of personal data in relations with suppliers

PART FOUR

Rights of Data Subjects Arising from the Law

1. Rights of Data Subjects

11 Of the Law. personal data owners according to the article;

To learn whether personal data about oneself has been processed or not,

If personal data about him has been processed, request information about it,

To learn the purpose of the processing of personal data and whether they are used in accordance with the purpose,

To know the third parties to whom personal data is transferred in the country or abroad,

Requesting correction of personal data in case of incomplete or incorrect processing,

Request deletion or destruction of personal data in case of disappearance of the reasons requiring processing, despite the fact that it has been processed in accordance with the law and other relevant provisions of the law,

Requesting notification of the transactions made as a result of correction, deletion and destruction requests to third parties to whom personal data has been transferred,

By analyzing the processed data exclusively through automated systems, one don't argue with the emergence of a result against one's self,

In case of damage caused due to the unlawful processing of personal data, they have the right to demand compensation for the damage.

28 Of the Law. 2 of the article. in certain cases, the data subject cannot make a claim other than compensation for damages from the data controller. According to this,

The processing of personal data is necessary for the prevention of the commission of a crime or for the investigation of a crime,

Processing of personal data made public by the data subject himself,

The fact that personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations, as well as professional organizations that are public institutions, based on the authority granted by law,

The fact that the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial matters,

in such cases, the rights specified above cannot be used for the relevant data.

2. Exercise of Rights

Data subjects will be able to use the Application Form to exercise the rights mentioned above.

Applications along with the documents relevant data that will determine the identity of the owner, of the wet form, or a signed copy by hand or by a notary mAh Maslak Ayazağa Cad Peace through law with other methods specified in 4B / 601 Sariyer Istanbul 5070 sending or organized under the law on electronic signature, signed with a secure electronic signature info@techyhouse.com registered address or by electronic mail, aiming to which events are recorded in system and follows the company's previously reported from the electronic mail address that will be sent by e-mail can be carried out. If a method other than the methods mentioned by the Personal Data Protection Board is foreseen, applications may also be submitted using this method.

Data owner requests transmitted by one of the methods mentioned above are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request October information and documents from the applicant, especially for the purpose of evaluating whether the applicant is the owner of the relevant data.

As a rule, data owner applications are evaluated free of charge by our Company. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data subject, our Company will have the right to pay this fee.