1. INTRODUCTION 

The Personal Data Protection Law (“KVKK”), which has been prepared by working for many years within the framework of compliance with the European Union criteria, entered into force after being published in the Official Gazette on 07.04.2016.

The KVKK includes regulations in the same direction with the European Union’s directive 95/46/EC, and with the entry into force of the KVKK, the protection of personal data of individuals in a holistic arrangement has been put under legal regulation.

Since the data of legal persons are presently protected by the relevant laws in force, the concept of personal data has been regulated to provide protection only for natural persons in line with the KVKK and the European Union regulations.

With the KVKK, a regulation has been made regarding the protection of personal data of the person and the use of the rights specified in Article 11 of the Law, and such regulation settles issues such as defining and classifying personal data in terms of content, processing of personal data, obligation of clarification, express consent and exceptions, determination of the obligations of natural and legal persons processing personal data, establishment of Personal Data Protection Authority, complaint application procedures and sanctions. 

Within the framework of the superior service quality, the principles of respect for the rights of individuals, transparency and honesty adopted by Swedish Care Sağlık Hizmetleri A.Ş. (hereinafter referred to as the “Company”), in line with the new regulations stipulated by KVKK; regulation of internal operation of our Company within the scope of KVKK, secondary regulations, decisions and regulations of the Personal Data Protection Board, finalized court decisions and other relevant legislation is among the priorities of our company.

For this reason, this Policy has been arranged and put into effect in order to benefit personal data subjects from the rights brought by the KVKK, to fulfil the obligations of the COMPANY as a data controller in accordance with the law and secondary regulations, and to ensure the compliance process.

2. PURPOSE AND SCOPE

2.1. With the policy, it is aimed that the regulations to be made by the Company in accordance with the basic principles explained above in order to comply with the KVKK, are effectively implemented by our Company employees and business partners within the structure of the Company. 

2.2. In line with the basic regulations stipulated by the policy, administrative and technical measures implemented by the legislation in force in terms of the processing and protection of personal data within the Company’s operation shall be taken, necessary internal procedure shall be established, all necessary trainings will be made to raise awareness, appropriate and effective control mechanisms and technological infrastructure, administrative and legal system will be established by taking all necessary measures within the scope of KVKK in order for employees and business partners to comply with KVKK processes.

2.3. The policy regulates the basic principles to be observed in all these processes and the issues that our Company is obliged to guide the internal operation in accordance with the regulations introduced with the KVKK. With the internal procedures to be established within the framework of the KVKK and the relevant legislation, the compliance activities that our Company will carry out with regard to the protection of personal data will be organized. All employees of our company are obliged to act in accordance with the regulations set forth in this Policy as well as the provisions of KVKK and all other relevant legislation while performing their duties. 

2.4. In case of failure to comply with the Policy and the provisions of the relevant legislation, in addition to the criminal and legal liability stipulated by the provisions of the legislation, within the framework of the legislation regulating business life, according to the nature of the event, sanctions that can lead to the termination of the contract for a just cause shall be applied.

3. DEFINITIONS

3.1. Explicit consent: Refers to consent about a certain subject based on information and expressed in free will.

Since the burden of proof that the relevant person is informed and clarified shall be on the data controller, the storage and protection of the explicit consent and the information records of the relevant person shall be carried out in accordance with the internal procedures of the company and in any case the existing legal legislation.

3.2. Anonymisation: Refers to making personal data unlikely to be associated with any identifiable real person in any way even by pairing personal data with other data.

It is possible to anonymise the personal data with various purposes and methods that that do not violate the scope of Explicit Consent given by the KVKK and the relevant person. Necessary precautions will be taken within the company to prevent the anonymised personal data from making the person identifiable by various methods.

3.3. Relevant person: Refers to the real person whose personal data is processed.

The processing and protection of personal data and data in the nature of sensitive personal data of our company’s real person customers, legal person business partners, shareholders, managers or employees, company consultants, counsellors, solution partners, guests and employees of our company will be handled by our Company within the scope of KVKK and Policy.

3.4. Personal data: Means all kinds of information related to an identified or identifiable natural person.

All information that makes the person identifiable is arranged as personal data, and information such as T.R. identity number, name-surname, e-mail address, phone number, address, date of birth, bank account number can be given as examples of personal data. Within our company, these data have been classified, and issues such as how, by whom, for what purpose, and for how long can different personal data in separate categories to be processed are arranged with the Personal Data Processing Inventory.

3.5. Processing of personal data: Means all kinds of process carried out on the data such as obtaining, recording, storing, keeping, changing, reorganizing, disclosing, transferring, taking over, making obtainable, classifying or preventing the use of the personal data fully or partially, automatically or in non-automated way provided that it is part of any data recording system.

3.6. Sensitive Personal Data: Means personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

3.7. Data processor: Refers to natural or legal person who processes personal data on his/her behalf on the basis of the authority conferred by the data controller.

3.8. Data controller: Refers to natural or legal person responsible for identifying the purposes and means of personal data processing and installing and managing data registry system.

4. ENFORCEMENT OF THE POLICY AND RESPONSIBILITIES 

4.1. The Company, in its capacity as Data Controller, is responsible for the regulation of all internal operations and processes of this Policy.

4.2. A management model will be established and implemented by the Company in order to implement the regulations, procedures, guides, standards and training activities to be prepared in line with this Policy within the Company.

4.3. All employees, business partners, guests and all relevant third parties throughout the Company are obliged to cooperate with the Company in the prevention of legal responsibilities, risks and dangers that may arise in accordance with the provisions of the relevant legislation, as well as compliance with the Policy.

4.4. All departments and bodies of the Company and all personnel are obliged to act in accordance with the Policy and to ensure that the provisions of the Policy are followed.

4.5. This Policy will be announced within the Company and will always be accessible by uploading it to common data processing systems. In addition, this Policy is published on the Company website. Changes that will occur in the Policy will be updated to the information processing system and website, and therefore, data subjects will be informed by reaching the principles stipulated by the Policy. 

4.6. In case of conflict between the policy and the provisions of the legislation in force, the Company accepts that the provisions of the legislation will be applied in line with its capacity as Data Controller. 

5. PERSONAL DATA PROCESSING PRINCIPLES 

5.1. General Principles on Processing Personal Data 

The Company accepts that it will process personal data within the scope of this Policy pursuant to the 4th article of KVKK in accordance with the following principles:

5.1.1. Compliance with the law and good faith 

In its capacity as Data Controller, the Company accepts that it will carry out personal data processing activities in accordance with the provisions of all legislation that are in force, especially the Constitution and KVKK, and in accordance with the honesty rule stipulated by Article 2 of the Turkish Civil Code.

5.1.2. Accuracy and timeliness 

The Company takes all necessary measures within the scope of KVKK to ensure the accuracy and timeliness of personal data in the processing of personal data to the extent permitted by the technique. The administrative and technical mechanisms established by the Company will be operated in order to correct and control the accuracy of erroneous or out-of-date personal data in line with the requests to be notified by the relevant person to the Company in the capacity of Data Controller and in cases deemed necessary by the Company.

5.1.3. Processing for specific, explicit and legitimate purposes 

Personal data is processed by the Company in accordance with the law, limited to the services provided and the activities carried out, with the requirements of the relevant legislation provisions; the purpose of processing personal data is clearly and precisely determined before the data is processed.

5.1.4. Processing data in connection with, limited and measured to the purpose for which it is processed 

The Company processes personal data in connection with and limited to the purposes of processing and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing the data and is not needed. 

5.1.5. Processing limited to the period foreseen by the legislation provisions or required by the purpose of processing 

Personal data are kept in line with the provisions of the relevant legislation or for the period required by the purpose of processing the data. At the end of the period stipulated by the provisions of the legislation, or at the end of the period required by the purpose of processing the data, and in the absence of any other conditions required to continue the processing of the relevant personal data, the personal data shall destructed by selecting the appropriate one among the destruction methods (Erasure, Destruction, Anonymisation) listed in the KVKK; necessary administrative and technical measures shall be taken to prevent personal data from being stored and processed at the end of the required period.

6. PROCESSING CONDITIONS OF PERSONAL DATA 

Article 5 of KVKK regulates the processing conditions of personal data. The processing of personal data by the Company is carried out in accordance with the following conditions specified in the KVKK.

6.1. Obtaining Explicit Consent of the Relevant Person 

The main rule in the processing of personal data is the explicit consent of the relevant person for the processing of his/her data in the absence of other data processing conditions. The Company shall carry out data processing activities in line with the explicit consent of the relevant person in a clear manner that will not leave any room for hesitation and upon the clarification on the purpose to be processed, for the transactions covered by the consent as stipulated by the KVKK.

6.2. Processing of Data for Legal Requirements 

In cases where it is necessary to process personal data in accordance with the provisions of the legislation, even without the express consent of the relevant persons as per KVKK, data processing activities will be deemed in accordance with the law provided that other necessary criteria are met. 

6.3. Mandatory Processing of the Data of a Person Who Cannot Explain His/her Consent Due to Actual Impossibility or whose Consent is Legally Invalid, for the Protection of Person’s or Other’s Life or Bodily Integrity 

As per the KVKK, it is possible to process personal data in cases where it is not possible for the relevant person to actually explain his / her consent or if his / her consent is legally invalid, and in order to protect the life or body integrity of the relevant person or others. The Company will process personal data in the cases foreseen in accordance with this regulation.

6.4. Processing of Personal Data Belonging to the Parties of a Contract is Necessary Provided That It is Directly Related to the Conclusion and Fulfilment of That Contract 

The personal data of the parties to the contract will be processed by the Company provided that it is directly related to the conclusion and fulfilment of that contract.

6.5. Being Mandatory for the Data Controller to Fulfil its Legal Obligation 

Personal data will be processed by the Company which has the title of Data Controller as per KVKK in order to fulfil its obligations arising from the provisions of the legislation in a manner that said obligation is connected to its boundaries.

6.6. Processing of Personal Data Made Public by the Relevant Person 

In the event that the relevant person makes his personal data public, the personal data in question will be processed by the Company in proportion to the purposes of making it public.

6.7. Processing of Data Necessary for the Establishment, Exercise or Protection of any Right 

Personal data will be processed by the Company to the extent necessary for the establishment, exercise or protection of a right.

6.8. Processing of Personal Data for the Legitimate Interests of the Data Controller 

Personal data may be processed in line with the legitimate interests of the Company, which has the title of Data Controller, provided that it does not violate the fundamental rights and freedoms of the relevant person. However, the statement of the legitimate interests of the Company cannot in any way contradict the principles determined by the KVKK, the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.

7. PROCESSING CONDITIONS OF SENSITIVE PERSONAL DATA 

Article 6 of the KVKK regulates the processing conditions of sensitive personal data. Sensitive personal data, in line with the said article, are the data of persons on their ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or unions, health, sexual life, convictions and security measures, and the biometric and genetic data. By examining all business processes within the company, the data in this status were determined and classified and transferred to the personal data inventory. The processes of processing sensitive personal data by the company are carried out in accordance with the following conditions specified by the KVKK.

7.1. Processing of Sensitive Personal Data with the Explicit Consent of the Relevant Person 

As a rule, according to the KVKK, it is forbidden to process sensitive personal data without the express consent of the relevant person. In this context, as a priority principle, sensitive personal data will not be processed by the Company without express consent; data processing activities shall be carried out in line with the scope of the explicit consent of the relevant person regarding the processing of sensitive personal data. The provisions stipulated with the KVKK regarding the processing of sensitive personal data without express consent are reserved. In the processing of sensitive personal data, the Company shall first check whether there are data processing conditions and then carry out data processing activities.

7.2. Processing of Sensitive Personal Data Due to the Provisions of the Legislation Despite the Absence of Explicit Consent of the Relevant Person 

In cases where it is stipulated that sensitive personal data can be processed without explicit consent by the provisions of the legislation, sensitive personal data other than health and sexual life of the relevant person may be processed in accordance with the provision of Article 6/3 of KVKK. In this case, data processing activities to be carried out by the Company shall be limited to the requirements of the reference legislation provision. 

7.3. Processing of Sensitive Personal Data relating to Health and Sexual Life on the Condition being under the Confidentiality Obligation for the Purpose of Implementing Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Management of Financing with Health Services 

As per KVKK, the processing of sensitive personal data relating to the health and sexual life of the persons is subject to the express consent of the relevant persons; in cases where there is no express consent, it is regulated that the said personal data can only be processed by persons under the obligation of confidentiality for the purpose of conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. In accordance with the provisions of the legislation, persons who are under the obligation of confidentiality may process sensitive personal data relating to the health and sexual life of the relevant persons in the above-mentioned relevant cases, to the extent required by the provisions of this legislation.

7.4. Measures to Be Taken in the Processing of Sensitive Personal Data 

In order to process the sensitive personal data, it is mandatory to take the measures determined by the Personal Data Protection Board as per KVKK. The Company will process sensitive personal data in line with the aforementioned measures to be determined by the Board. A separate policy shall be established regarding the implementation of this article.

8. TRANSFERRING OF PERSONAL DATA 

Article 8 of the KVKK has regulated the transfer of personal data to third parties in the country. In the processes of transferring personal data, compliance with the following criteria shall be ensured. It is the responsibility of the Company to act in accordance with all legislative provisions regarding the transfer of personal data and to adapt the transfer processes according to the provisions of the legislation in force or to come into force.

8.1. Transferring of Personal Data Domestically 

8.1.1. Obtaining the explicit consent of the relevant person for transferring personal data 

As per Article 8 of the KVKK, the main rule for transferring personal data to third parties is determined as the explicit consent of the person concerned. The personal data of the relevant person shall be transferred by the Company by carefully determining the consent given by the relevant person on which personal data to be transferred to third parties in the country, and the groups of persons to whom the personal data of the relevant person will be transferred and processing them in data inventory.

8.1.2. Transferring personal data provided that the conditions for the processing of personal data are met, even if the relevant person does not explain express consent 

In cases where the relevant person does not have an explicit consent for the transfer of personal data domestically, it is possible to transfer personal data to third parties under the conditions set forth in the provisions of Article 5, paragraph 2 of the KVKK that are explained with the articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8. of this Policy regarding the conditions of personal data processing. 

8.1.3. Transferring personal data provided that the relevant conditions are met for the transfer of sensitive personal data and the provisions of the legislation are required, even if the relevant person does not explain the express consent  

The transfer of sensitive personal data other than health and sexual life to third parties is possible due to the fact that it is foreseen that the processing of personal data can be processed in the manner and conditions specified in the legislation provisions, even in cases where the relevant person does not have an express consent to the processing activity. In this case, the Company shall have the right to transfer sensitive personal data to third parties by determining that the conditions set out in Article 7 of this Policy are met. The obligation to take the necessary measures regarding the processing of sensitive personal data is also stipulated for the transfer of this data, and these measures will be taken by the Company. 

8.2. International Transfer of Personal Data 

8.2.1. The explicit consent of the relevant person for the international transfer of personal data 

As per Article 9 of the KVKK, personal data cannot be transferred internationally without the express consent of the relevant person. For this reason, the explicit consent of the relevant person will be applied as a basic principle for the international transfer of personal data by the Company. The personal data of the relevant person will be transferred by the Company by carefully determining which personal data of the relevant person has consented to be transferred to third parties abroad, and in any way in accordance with the regulations of the KVKK on this issue.

8.2.2. Transfer of personal data, provided that the conditions for processing personal data are met, even if the relevant person does not have explicit consent

In cases where the relevant person does not have an explicit consent to transfer their personal data abroad, transfer of personal data to third parties abroad under the conditions set forth in Articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8. of this Policy regarding data processing conditions regarding the processing of personal data and regulated by paragraph 2 of Article 5 of the KVKK, is possible, provided that the safe country list to be published by the Personal Data Protection Board or other methods to be regulated are followed.

In accordance with Article 9 of the KVKK, in order to transfer personal data abroad, sufficient protection must be found in the country where the data will be transferred. The safe country list to be announced by the Board will be followed by the Company and included in the Company’s internal processes. Until the safe country list is published by the Board, if the personal data needs to be transferred abroad, the Company will be the Data Controller and the personal data will be transferred abroad by the Company, provided that the third party to whom the data will be transferred undertakes sufficient protection in the country where the data will be transferred and the Board gives permission. 

After the announcement of the safe country list by the Board, if there is not sufficient protection in the country to which the data will be transferred, personal data will be transferred abroad provided that the company that will carry the title of Data Controller and the third party to whom the data will be transferred in the country where the data will be transferred undertake adequate protection and the Board has the permission.

9. DELETING, EXTERMINATING, ANONYMISING PERSONAL DATA

Personal data, even if it is processed in accordance with KVKK and other legislative provisions and this Policy, should be deleted, destroyed or anonymised by the Company in the absence of a legal obligation to process the data and in the absence of a legal obligation to process the data or at the request of the relevant person. The company will establish the administrative and technical structure suitable to fulfil the provisions of the legislation in force or to come into force regarding the deletion, destruction or anonymisation of data to the extent that its administrative, technical, economic and legal situation and infrastructure allow, and within the framework of the objective diligence that can be expected from it.

10. OBLIGATIONS OF THE COMPANY WITH THE CAPACITY OF DATA CONTROLLER

10.1. Disclosure Obligation

During the acquisition of personal data, the company should inform the personal data subject about the following issues in line with Article 10 of the KVKK:

1. Identity of the data controller and, if any, its representative,
2. For what purpose personal data will be processed,
3. To whom and for what purpose personal data can be transferred,
4. Methods and legal reasons for collecting personal data,
5. Rights of personal data subject

In order for the Company to fulfil its obligation in accordance with the law, the business processes and data collection channels have been reviewed, the identified issues have been subjected to a classification and transferred to the inventory, the necessary arrangements have been made for the data subjects to use their application rights regarding their personal data, and communication channels have been established.

10.2. Obligation to Ensure the Security of Personal Data

10.2.1. Obligation to prevent the unlawful processing of personal data

In addition to the processing of personal data in accordance with the provisions of the KVKK and other legislation and the principles and conditions set out in this Policy, the Company is also obliged to take technical and administrative measures introduced by the legislation to prevent the unlawful processing of personal data against these obligations.

In this context, the Company has established systems to prevent unlawful processing of personal data, identified relevant personnel and established procedures to monitor and control these systems. The company will follow the requirements and updates that will arise in the light of both technical and legal reasons, and will update the system accordingly.

10.2.1.2. Technical measures to be taken for legal processing of personal data

Personal data processing activities carried out by company departments were analysed and a “Personal Data Processing Inventory” has been prepared in this context. The necessary administrative structure and hardware and software infrastructure are established for the monitoring and control of all processes from the collection to deletion of personal data. 

10.2.1.2. Administrative measures to be taken for legal processing of personal data

1. The company will arrange the documents that will be required to inform all of its personnel about the processing of personal data in accordance with the law and KVKK, and will deliver them to each personnel, organize the necessary training activities and keep the training participation documents in their personal files.
2. The company has added records to the documents regulating the relationship with its personnel concerning that it is necessary to act in accordance with the obligations stipulated by KVKK in order to access personal data in accordance with the law and to store personal data in accordance with the law, that personal data should not be disclosed unlawfully, that personal data should not be used illegally and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with the Company; and personnel’s failure to comply with these obligations requires the implementation of sanctions that may terminate the employment contract.
3. The company limits access to personal data within the scope of the personal data inventory to be created and authorization matrices to be created, in line with the purpose of processing and to the relevant personnel. It is not possible for all company personnel to access all of the personal data processed by the Company in the capacity of Data Controller, and action will be taken within the framework of access authorizations arranged according to departments.
4. By analysing all activities of the company, personal data processing activities specific to the department have been determined. The company has made the necessary policies, procedures and other internal regulations to check whether the operations of the departments are carried out to fulfil the obligations based on KVKK and this Policy and to ensure the continuity of these practices; and this policy, procedure and other internal regulations will be communicated to the staff using appropriate communication channels. With the publication of the update in this policy, procedure and other internal regulations, new procedures and policies come into force; for the updates to be binding, it is not required that they have been communicated to the staff. 

10.2.2. Obligation to prevent unlawful access to personal data

10.2.2.1. Technical measures to be taken to ensure access to personal data in accordance with the law and protection of personal data

1. The company will take measures in accordance with technical developments to the extent that its administrative, technical, economic and legal situation and infrastructure allow and within the framework of the objective due diligence that may be expected from it, update and renew the measures taken periodically depending on the speed of development of the technique and test the reliability of the system with eligible methods suitable for the purpose. The company will do all the necessary work to comply with these new requirements in case the Personal Data Protection Board makes regulations regarding security measures or refers to technical standards. 
2. Access and authorization technical solutions will be commissioned by the company in accordance with the legal compliance criteria and objective criteria to be determined on the basis of the department, and when necessary, software and hardware solutions will be implemented to fulfil the requirements of the measures specified in the administrative and technical measures table published by the Personal Data Protection Board. 
3. The technical measures taken will be periodically reported to the relevant person in accordance with the internal inspection mechanism. The necessary technical solutions will be produced by re-evaluating the risk factors.
4. The company will do the necessary work to install the relevant security software and systems, including software and hardware, including the necessary virus protection systems and firewalls, to the systems used during its activities and authorized to access personal data.
5. In terms of data security, if necessary, the issues of employing personnel in technical matters or purchasing services will be evaluated.
6. In order to access personal data in accordance with the law, access authorizations should be defined in line with the criteria to be established on the basis of the department, the access and authorization of the user accounts related to the systems to be accessed should be restricted in accordance with the scale and framework required by the job description of the relevant personnel/official and the devices that can access the systems should be restricted. 
7. The company will ensure that the necessary software and hardware are installed to prevent external infiltration of the systems where personal data is stored and to monitor possible risks, and will ensure that the necessary security measures are taken in terms of backups to prevent data loss; it will cooperate with third real and / or legal third parties when necessary within the scope of emergency planning in order to take the security measures imposed by this Policy and to store the data in accordance with KVKK.

10.2.2.2. Administrative measures to be taken to access personal data in accordance with the law and to preserve personal data

1. All Company personnel will be trained on the technical measures to be taken to prevent illegal access to personal data.
2. In line with the personal data processing inventory to be created, the company will restrict access to personal data to the relevant personnel in line with the purpose of processing. All Company personnel should be prevented from accessing all personal data processed by the Company as Data Controller, and their access authorizations should be arranged considering the purpose of data processing.
3. The company has added records to the documents regulating the relationship with its personnel concerning that it is necessary to act in accordance with the obligations stipulated by KVKK in order to access personal data in accordance with the law and to store personal data in accordance with the law, that personal data should not be disclosed unlawfully, that personal data should not be used illegally and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with the Company; and personnel’s failure to comply with these obligations requires the implementation of sanctions that may terminate the employment contract.
4. The procedure and all necessary documents will be prepared and published by the Company regarding the authorization to access personal data, these documents will enter into force as of the date of publication and will be notified to the personnel through appropriate communication channels.

10.2.3. Control of the measures taken for the protection of personal data

In terms of technical and administrative measures to be taken, the company should set up systems for making and having the necessary inspections regarding the functioning of the measures. These inspection results should be reported to the relevant department within the scope of the internal operation of the Company, and the necessary activities should be carried out to improve the measures taken.

The necessary processes should be designed by the company to increase the awareness of departments, business partners and suppliers on the protection and processing of personal data and to control them; follow-up, verification tests and inspections of periodic reports and actions within the scope of reports should be carried out. In order to make the necessary follow-up on this matter, the Company may assign one or more persons from within or outside the organization.

The Company is responsible for fulfilling the obligations of third parties to whom personal data is transferred, to process and preserve the data in accordance with the provisions of this Policy and KVKK and to access the data in accordance with the law, pursuant to Article 12 of the KVKK. For this reason, the Company must take commitments to meet these conditions in agreements to be executed when transferring personal data to third parties and in all arrangements related to personal data transfer. Again, the Company should specifically inform all of its personnel in terms of responsibilities arising from the processes of transferring personal data to third parties.

11. RIGHTS OF THE RELEVANT PERSON

Pursuant to Article 11 of the KVKK, the relevant person has the following rights against the Company that has the title of Data Controller:

1. To learn whether their personal data has been processed and to request information if their personal data has been processed,
2. To learn the purpose of processing and whether the personal data are used appropriately,
3. To know the persons to whom personal data are transferred,
4. To request correction of personal data in case of incomplete or incorrect processing and to request the deletion of personal data if the conditions are met and to request that these requests be forwarded to third parties,
5. To object to the emergence of a result against them by analysing the processed personal data exclusively through automated systems,
6. To request compensation for the loss in case of damage due to the illegal processing of their personal data.

In the event that personal data subjects submit their requests regarding their rights listed above to the Company in writing or by other methods to be determined by the Board, in accordance with the “Notice on Application Procedures and Principles to Data Controller”, Pursuant to Article 13 of the KVKK, the Company must finalize the relevant request as soon as possible and within thirty days at the latest, depending on the nature of the request. If the request requires an additional cost, the fee in the tariff determined by the Board may be charged. If it is understood that the application is caused by the fault of the Company, the fee collected is returned to the relevant person.

While the relevant application is finalized by the company, information should be provided in a language and format that the relevant person can understand; and this information should be sent to the relevant person in writing or electronically in line with the request of the person or if the person does not have a request, in accordance with the method chosen by the Company.

Depending on the nature of the request, the company may either accept the request of the relevant person or reject it by explaining the reason. If the request is accepted, the company will fulfil the requirement without delay and the relevant person is informed.

Necessary warnings must be made to all personnel within the company and awareness must be created concerning that in cases where the personal data subject’s application is rejected, the response is insufficient or the application is not responded in time, the data subject has the right to complain to the Board within 30 days from the date of learning the answer of the data controller and in any case within 60 days from the date of application and that they cannot take action against the Data Controller without exhausting the remedies.

12. ENFORCEMENT AND UPDATES

The Policy and amendments to this Policy will enter into force with the approval of the managing body of the company.

The policy is regularly reviewed once a year and updated if deemed necessary. However, in line with legislative amendments, amendments in a technical standard referred to by the legislation, the actions and/or decisions of the Personal Data Protection Board and court decisions, the Company reserves the right to review, update, change or annul this Policy and create a new policy at any time.

The decision-making authority regarding the annulment of the policy belongs to the managing body of the company.