1. INTRODUCTION
Constitution of the Republic of Turkey
ARTICLE 20 – Everyone has the right to demand respect for his private and family life. (Additional paragraph: 12/9/2010-5982/2 Art.) Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning him/her, to access such data, to request their correction or deletion and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data shall be regulated by law.
11th Development Plan of the Presidency of the Republic of Turkey
Article 479. Regulations on the protection of personal data will be updated in line with technological innovations and new approaches adopted in international platforms, and technological development in this field will be encouraged.
479.1. Law No. 6698 on the Protection of Personal Data will be updated by taking into account the EU’s General Data Protection Regulation. Articles are included.
The Law on the Protection of Personal Data (“LPPD”), which was prepared within the framework of harmonization with European Union criteria, was published in the Official Gazette dated 07.04.2016 and entered into force. The LPPD largely contains provisions in the same direction as European Union Directive 95/46/EC, and with its entry into force the protection of individuals’ personal data has been brought under a comprehensive legal regulation.
The above-mentioned Constitutional provisions, the Development Plan and the Law on the Protection of Personal Data regulate the protection of personal data and the exercise of the rights specified in Article 11 of the Law and regulate issues such as the definition and classification of personal data, processing of personal data, obligation to inform, explicit consent and exceptions, determination of the obligations of real and legal persons who process personal data, establishment of the Personal Data Protection Authority, complaint application procedures and sanctions.
Within the framework of the principles of service quality, respect for the rights of individuals, transparency and honesty adopted by our Company, it is among the priorities of our Company to regulate its internal functioning within the scope of the KVKK (the Turkish abbreviation for the LPPD), secondary regulations, decisions and regulations of the Personal Data Protection Board, finalized court decisions and other relevant legislation, in line with the new regulations stipulated by the KVKK. For this reason, this Policy has been prepared and put into effect in order to ensure that personal data owners benefit from the rights brought by the KVKK and to ensure the compliance process with the Law.
2. PURPOSE AND SCOPE
The Policy aims to ensure that the regulations the company will introduce for compliance with the KVKK, within the framework of the basic principles described above, are implemented effectively within the company by its employees and business partners. In line with the basic regulations stipulated by the Policy, all kinds of administrative and technical measures will be taken for the processing and protection of personal data within the operation of the company, necessary internal procedures will be established, all necessary training will be provided to raise awareness, and the technological infrastructure and the administrative and legal system will be established by taking all necessary measures for the compliance of employees and business partners with KVKK processes.
The Policy regulates the basic principles to be observed in all these processes and the matters by which our company is obliged to guide its internal functioning within the scope of the regulations introduced by the KVKK. With the internal procedures to be established within the framework of the KVKK and the relevant legislation, the compliance activities to be carried out by our company regarding the protection of personal data will be regulated. All employees of our company are obliged to act in accordance with the regulations introduced by this Policy and the provisions of the KVKK and all other relevant legislation while performing their duties.
In case of non-compliance with the Policy and the provisions of the relevant legislation, in addition to the criminal and legal liability stipulated by the provisions of the legislation, sanctions that may lead to the termination of the employment contract for just cause within the framework of the legislation regulating the business life within the Company, depending on the nature of the incident, will be applied.
3. DEFINITIONS
Company: IDefence Defense Cyber Security Consultancy and Information Technologies Limited Company, shortly IDefence.
Explicit consent: It refers to the consent regarding a specific subject, based on information and expressed with free will. The records showing that the relevant person has been informed will be stored and protected according to the internal procedures of the company.
Anonymization: It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Relevant person: Refers to the natural person whose personal data is processed. The processing and protection of personal data and special categories of personal data of our Company’s real or legal person customers, legal person business partners, shareholders, managers or employees, Company consultants, solution partners, guests and stakeholders will be handled by our Company within the scope of the KVKK and this Policy.
Personal data: It refers to any information relating to an identified or identifiable natural person. All information that makes the person identifiable is regulated as personal data and information such as T.R. identification number, name-surname, e-mail address, telephone number, address, date of birth, bank account number can be given as examples of personal data. These data have been classified within our company, and issues such as how, by whom, for what purpose and for how long each category of data can be processed are regulated by the Personal Data Processing Inventory.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Processing of personal data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Data processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. The personnel who are authorized to access personal data and who process this data in the sense of KVKK, to what extent, for what purpose, for how long these personnel can access the data and the operations they can perform on the data are determined on a department basis with internal procedures.
Data Controller: Refers to the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system. Within the scope of KVKK, our Company will have the title of data controller and has registered to VERBIS system. During the registration, the “Supervision Commission” was established within our Company with the decision of the Board of Directors in order to carry out the transactions to be carried out in the capacity of Data Controller, and this Commission will be responsible for the follow-up and coordination of all works and transactions within the scope of KVKK and Personal Data Protection Board regulations.
Data Controller Officer: The person responsible for recording the Company Contact Person information in the Data Controllers Registry Information System (VERBIS) and changing it when necessary.
Contact Person: The person registered in the Data Controllers Registry Information System (VERBIS) by the Data Controller Officer. The Contact Person is the person responsible for correspondence with the Board, registration of the Company Data Inventory in VERBIS and data subject request management.
4. EXECUTION OF THE POLICY AND RESPONSIBILITIES
The Company, as the Data Controller, is responsible for the organization and implementation of all internal operations and processes of this Policy. The Audit Commission shall be authorized and responsible for the implementation of the regulations, procedures and training activities to be prepared in accordance with this Policy within the Company. All employees, solution partners, suppliers, guests and all relevant third parties throughout our Company are obliged to cooperate with the Audit Commission in preventing legal liabilities, risks and dangers that may arise in accordance with the provisions of the relevant legislation as well as compliance with the Policy. All personnel related to all departments of the Company are obliged to act in accordance with the Policy and to ensure compliance with the provisions of the Policy.
This Policy will be announced to all personnel who have access to personal data within the company and will also be uploaded to common information processing systems and will always be accessible. In addition, this Policy has been published on the Company website (idefence.com.tr). Changes made to the Policy will be added to the information processing system and the website so that both stay up to date; in this way, data owners will be able to access and be informed of the principles stipulated by the Policy.
In the event of a conflict between the Policy and the provisions of the legislation in force, the Company accepts that the provisions of the legislation will be applied in line with the title of Data Controller. In the event of a contradiction of this nature, the Audit Commission is obliged to manage the processes for updating the Policy in accordance with the provisions of the legislation.
5. PERSONAL DATA PROCESSING PRINCIPLES
5.1. General Principles for Processing Personal Data
The Company accepts that it will process personal data within the scope of this Policy in accordance with the following principles in accordance with Article 4 of the KVKK.
5.1.1. Compliance with the law and good faith
The Company accepts that it will carry out personal data processing activities in accordance with the principles introduced by the laws and other legal regulations that are in force and will come into force, especially the Constitution and KVKK, in the capacity of Data Controller and as a prudent merchant.
5.1.2. Accuracy and, when necessary, timeliness
In the processing of personal data, the Company takes all necessary measures to ensure the accuracy and timeliness of personal data to the extent permitted by the processing method. In line with requests submitted by the data subject to the company in its capacity as Data Controller, and in cases deemed necessary by the company itself, the administrative and technical mechanisms established by the company will be operated to correct inaccurate or outdated personal data and to check their accuracy.
5.1.3. Processing for specific, explicit and legitimate purposes
Personal data are processed by the Company in accordance with the law, limited to the requirements of the relevant legislation provisions and the services offered or to be offered, and the purpose of processing personal data is clearly and precisely determined before processing of the data begins.
5.1.4. Processing data in a manner connected with, limited to and proportionate to the purpose for which they are processed
Personal data are processed by the Company in connection with and limited to the purposes for which they are processed and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing and is not needed.
5.1.5. Processing for the period stipulated by the provisions of the legislation or required by the purpose of processing
Personal data are retained for the periods stipulated by the provisions of the relevant legislation or for the period required by the purpose of processing the data. At the end of the period stipulated by the provisions of the legislation or at the end of the period required by the purpose of processing the data, personal data are deleted, destroyed or anonymized by the company. Necessary administrative and technical measures will be taken to prevent the retention of data at the end of the required period.
6. CONDITIONS FOR PROCESSING PERSONAL DATA
Article 5 of the LPPD regulates the conditions for processing personal data. The processing of personal data by the Company is carried out in accordance with the following conditions specified in the KVKK.
6.1. Explicit Consent of the Data Subject
The main rule in the processing of personal data is the explicit consent of the data subject for the processing of his/her data. The Company will carry out data processing activities for the transactions covered by the consent in line with the explicit consent of the data subject upon clarification of the purpose of processing in a clear manner that will not leave any room for hesitation as stipulated by the KVKK.
6.2. Processing of Data Due to Legal Requirements
In cases where it is mandatory to process personal data in accordance with the provisions of the legislation, even without the explicit consent of the persons concerned in accordance with the KVKK, data processing activities will be deemed lawful provided that other necessary criteria are met. In this context:
Turkish Commercial Code No. 6102
Turkish Code of Obligations No. 6098
Public Procurement Law No. 4734
Labor Law No. 4857
Law No. 5510 on Social Security and General Health Insurance
Law No. 6331 on Occupational Health and Safety
Law No. 6356 on Trade Unions and Collective Bargaining Agreements
In matters where the provisions of the legislation and other relevant legislation stipulate the processing of personal data, personal data will be processed by the company within the limits stipulated by the provisions of the legislation.
6.3. Processing of the Data of a Data Subject Who Cannot Express His/Her Consent Due to Actual Impossibility or Whose Consent Is Not Legally Valid, Where Mandatory for the Protection of His/Her or Someone Else’s Life or Physical Integrity
Pursuant to the LPPD, it is possible to process personal data in cases where it is not possible for the data subject to disclose his/her consent or where his/her consent cannot be legally validated, if it is mandatory to process personal data in order to protect the life or physical integrity of the data subject or someone else. The Company will process personal data in cases stipulated in accordance with this regulation.
6.4. Processing of Personal Data of the Parties to the Contract is Mandatory Provided that it is Directly Related to the Establishment and Execution of a Contract
Provided that it is directly related to the establishment and execution of the contract, personal data belonging to the parties to the contract will be processed by the company.
6.5. It is Mandatory for the Data Controller to Fulfill its Legal Obligation
In order for the company, which has the title of Data Controller in accordance with the KVKK, to fulfill its obligations arising from the provisions of the legislation, personal data will be processed by the company, subject to the limits of the said obligation.
6.6. Processing of Personal Data Publicized by the Data Subject
In the event that the data subject makes his/her personal data public, such personal data will be processed by the Company in proportion to the purposes for which they are made public.
6.7. Processing of Data Required for the Establishment, Exercise or Protection of a Right
Personal data will be processed by the company to the extent necessary for the establishment, exercise or protection of a right.
6.8. Processing of Personal Data for the Legitimate Interests of the Data Controller
Personal data may be processed in line with the legitimate interests of the company, which has the title of Data Controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. However, the expression of the legitimate interests of the company can in no way be contrary to the principles determined by the KVKK or to the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.
7. CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
Article 6 of the KVKK regulates the conditions for processing special personal data. In line with the said article, special personal data includes data related to the ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal conviction and security measures of individuals, as well as biometric and genetic data. All business processes and documents within the company have been examined and the data in this status has been determined and classified. The processing of special personal data by the Company is carried out in accordance with the following conditions specified in the KVKK.
7.1. Processing of Special Personal Data in Case of Explicit Consent of the Relevant Person
As a rule, it is prohibited to process special personal data without the explicit consent of the relevant person according to the KVKK. In this context, as a primary principle, the explicit consent of the relevant persons will be obtained for the processing of special personal data by the company. Data processing activities will be carried out in line with the scope of the consent of the relevant person regarding the processing of special personal data. The provisions stipulated in the KVKK regarding the processing of special personal data without express consent are reserved.
7.2. Processing of Special Personal Data Due to the Reasons Stipulated by the Legislative Provisions Despite the Lack of Explicit Consent of the Relevant Person
In cases where it is stipulated by the legislative provisions that special personal data can be processed, the special personal data of the relevant person, other than health and sexual life, may be processed in accordance with the KVKK provision. In this case, the data processing activities to be carried out by the company will be limited to the requirements of the underlying legislative provision. In legal processes such as lawsuits and enforcement proceedings arising from contracts, the submission of special personal data to legal processes, provided that it is limited to and related to the essence of the relevant legal process, the inclusion of special personal data collected by the courts ex officio or by the parties or third parties in these processes, and the storage of personal data for the period required for legal processes are considered as processing of personal data due to legislation.
7.3. Processing of Special Personal Data Regarding Health and Sexual Life for the Purposes of Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Management of Healthcare Services and Financing, Subject to the Obligation of Confidentiality
According to the LPPD, the processing of special personal data regarding the health and sexual life of individuals is conditioned on their explicit consent, and in the absence of explicit consent, it is regulated that such personal data may only be processed by persons who are under the obligation of confidentiality for the purposes of conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing. In cases where the Company is under the obligation of confidentiality in accordance with the provisions of the legislation, special personal data regarding the health and sexual lives of the relevant individuals may be processed to the extent required by the provisions of this legislation.
7.4. Measures to be Taken in the Processing of Special Personal Data
In order to process special personal data, it is mandatory to take the measures to be determined by the Data Protection Board in accordance with the LPPD. The Company will process special personal data in line with the measures to be determined by the Board.
8. TRANSFER OF PERSONAL DATA
Article 8 of the KVKK regulates the transfer of personal data to third parties within the country. As a general rule, personal data should not be transferred to third parties without the explicit consent of the relevant person. The following criteria will be complied with in the processes regarding the transfer of personal data. It is the responsibility of the company to act in accordance with all legislative provisions regarding the transfer of personal data and to adapt the transfer processes according to the provisions of the legislation that is in force or will come into force, and these processes will be monitored and coordinated by the Supervisory Commission.
8.1. Transfer of Personal Data Within the Country
8.1.1. The relevant person has given explicit consent for the transfer of personal data
According to Article 8 of the KVKK, the main rule for the transfer of personal data to third parties is determined as the explicit consent of the relevant person. The company will transfer personal data by carefully determining which personal data the relevant person has consented to have transferred to third parties within the country and by recording in the data inventory the groups of people to whom the data are transferred.
8.1.2. Transfer of personal data, provided that the conditions for processing personal data are met, even if the relevant person does not give explicit consent
In cases where the relevant person does not give explicit consent for the transfer of personal data within the country, it is possible to transfer personal data to third parties under the conditions explained in Articles 6.2, 6.3, 6.4, 6.5, 6.6, 6.7 and 6.8 of this Policy regarding the data processing conditions for processing personal data and regulated by Article 5, paragraph 2 of the KVKK.
8.1.3. Transfer of personal data, provided that the relevant conditions are met and the provisions of the legislation require it, even if the relevant person does not give explicit consent
Transfer of personal data of a special nature other than health and sexual life to third parties is possible even if there is no explicit consent, since the processing of data is foreseen in the provisions of the legislation. In this case, the company may transfer special personal data to third parties by determining that the conditions set forth in Article 7 of this Policy are met. The third parties to whom special personal data will be transferred must also have taken the relevant measures.
8.2. Transfer of Personal Data Abroad
8.2.1. The relevant person’s explicit consent for the transfer of personal data abroad
According to Article 9 of the KVKK, personal data cannot be transferred abroad without the relevant person’s explicit consent as a main rule. Therefore, obtaining the relevant person’s explicit consent will be applied as the basic principle for the transfer of personal data abroad by the company. The company will transfer personal data by carefully determining which personal data the relevant person has consented to have transferred to third parties abroad and by taking into account the safe country list to be published by the Data Protection Board.
8.2.2. Transfer of personal data, provided that the conditions for processing personal data are met even if the relevant person does not give explicit consent
In cases where the relevant person does not give explicit consent for the transfer of personal data abroad, the transfer of personal data to third parties abroad is possible under the conditions explained in Articles 6.2, 6.3, 6.4, 6.5, 6.6, 6.7 and 6.8 of this Policy regarding the data processing conditions for processing personal data and regulated by Article 5, paragraph 2 of the KVKK, by taking into account the safe country list to be published by the Data Protection Board. In addition, in order to transfer personal data abroad in accordance with Article 9 of the KVKK, there must be sufficient protection in the country to which the data will be transferred. The safe country list to be announced by the Board will be monitored by the Audit Commission and will be included in the company’s internal processes. Until the Board publishes the safe country list, if it is necessary to transfer personal data abroad, the company will transfer personal data abroad provided that the company, as the Data Controller, and the third party to whom the data will be transferred undertake sufficient protection in the country to which the data will be transferred and the Board gives its permission. If, after the Board publishes the safe country list, there is no sufficient protection in the country to which the data will be transferred, the personal data will be transferred abroad provided that the Company, as the Data Controller, and the third party to whom the data will be transferred undertake sufficient protection in the country to which the data will be transferred and the Board gives its permission.
9. DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA
Even if personal data is processed in accordance with the provisions of the KVKK and other legislation and this Policy, it must be deleted, destroyed or anonymized by the company itself upon the elimination of the reasons requiring the processing of the data or upon the request of the relevant person. The Company shall establish an administrative and technical structure suitable for fulfilling all applicable or future legislation provisions regarding the deletion, destruction or anonymization of data.
10. OBLIGATIONS OF THE COMPANY AS THE DATA CONTROLLER
10.1. Obligation to Inform
During the collection of personal data, the Company shall inform the personal data owner about the following issues in accordance with Article 10 of the KVKK:
The identity of the data controller and its representative, if any,
The purpose for which personal data will be processed,
To whom and for what purpose personal data may be transferred,
The method and legal reasons for collecting personal data,
The rights of the personal data owner as explained in Article 11 of the KVKK.
In order for the Company to fulfill its obligation in accordance with the law, its business processes and data collection channels have been reviewed, the identified issues have been classified and transferred to the inventory, and the necessary arrangements have been made and communication channels have been established for data owners to exercise their application rights regarding their personal data.
10.2. Obligation to Ensure Security of Personal Data
10.2.1. Obligation to prevent unlawful processing of personal data
In addition to processing personal data in accordance with the provisions of the KVKK and other legislation and the principles and conditions set forth in this Policy, the Company is also obliged to take all kinds of technical and administrative measures to prevent the processing of personal data in violation of these obligations. In this context, the Company has established systems to prevent unlawful processing of personal data, has designated the relevant personnel to monitor and audit these systems, and has established its procedures. The Company will follow up on updates that may occur due to both technical and legal reasons and will also update the system. Our Company will ensure that if personal data processed in accordance with the KVKK is obtained by others through unlawful means, this situation is reported to the relevant personal data owner and the KVK Board as soon as possible.
10.2.2. Technical measures to be taken for the lawful processing of personal data
The personal data processing activities carried out by the Company departments have been analyzed and a “Personal Data Inventory” has been created within this scope. The necessary administrative structure, hardware and software infrastructure have been established for the monitoring and auditing of all processes from the collection of personal data to its deletion. The Audit Commission is responsible for the monitoring, updating, auditing and reporting of these structures.
10.2.3. Administrative measures to be taken for the lawful processing of personal data
The Company will prepare and deliver the documents that will be required after this Policy to each employee in order to inform all its personnel about the KVKK and the lawful processing of personal data, and will organize the necessary training activities and keep the training participation documents in their personnel files.
The Company has added clauses to all documents that regulate its relationship with its personnel and contain personal data, stating that the obligations stipulated by the KVKK must be complied with for the lawful processing of personal data, that personal data must not be disclosed, that personal data must not be used against the law, that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with the company, and that the failure of the personnel to comply with these obligations requires the application of sanctions that may lead to the termination of the employment contract.
The Company limits access to personal data within the scope of the personal data inventory to be created and the data matrices created, in line with the purpose of processing and to the relevant personnel. It is not possible for all of the Company personnel to access all of the personal data processed by the Company as the Data Controller, and the process will be carried out within the framework of the access authorizations arranged according to the departments.
All of the Company’s activities were analyzed and personal data processing activities were determined specific to the department. The Company has made policies, procedures and other internal arrangements to supervise whether the operations of the departments are carried out in a way that fulfills the obligations based on the KVKK and this Policy and to ensure the continuity of these practices. Updates will be notified to the employee using all communication channels; the new procedures and policies come into force with the publication of the update, and notification to the employee is not required for them to be binding. The coordination of the audits to be carried out and the documents to be prepared for the departments to operate in accordance with the KVKK will be carried out together with the department managers and the Audit Commission.
10.2.4. Obligation to prevent unlawful access to personal data
10.2.4.1. Technical measures to be taken for accessing and preserving personal data in accordance with the law
The Company will take measures in accordance with technical developments, periodically update and renew the measures taken depending on the speed of development of technology, and test the reliability of the system with penetration tests and other methods. In the event that the Data Protection Board makes regulations regarding such penetration tests and other security measures or refers to technical standards, the Company will carry out all necessary work to comply with these new requirements.
The technical measures taken will be reported periodically to the relevant party and the Audit Commission as required by the internal audit mechanism. The issues that pose a risk will be re-evaluated and the necessary technical solutions will be produced.
The Company will install relevant security software and systems, including virus protection systems and software and hardware containing firewalls, on all systems used during its operations and authorized to access personal data. In order to access personal data in accordance with the law, access authorizations must be defined in line with the criteria to be determined on a department-role basis, the access and authorizations of user accounts related to the systems where personal data will be accessed must be restricted, and the devices that can access the systems must be limited. The Audit Commission and department managers will carry out the processes of organizing separate procedures and conducting audits for each department in terms of technical measures.
The Company will ensure that the necessary software and hardware are installed to prevent external intrusion into the systems where personal data is stored and to monitor possible risks, conduct penetration tests, ensure that the same security measures are taken in terms of backups to prevent data loss, and make the necessary agreements with third parties and/or legal entities that work within the scope of disaster planning to implement the security measures introduced by this Policy and to store data in compliance with the KVKK.
10.2.4.2. Administrative measures to be taken for accessing and preserving personal data in accordance with the law
All Company personnel will be trained on technical measures to be taken to prevent unlawful access to personal data.
The Company will limit access to personal data to the relevant employees, in line with the purpose of processing and the personal data inventory to be created. It should be ensured that not all Company personnel can access all personal data processed by the Company as Data Controller, and access authorizations should be arranged considering the purpose of data processing.
The Company will add records to all documents regulating the relationship between the Company and its personnel stating that the obligations stipulated by the KVKK must be complied with for the lawful processing of personal data, personal data must not be disclosed, personal data must not be used in violation of the law, and the confidentiality obligation regarding personal data continues even after the termination of the employment contract with the Company.
The Company will prepare the procedures and all necessary documents regarding access authorizations to personal data and deliver them to its employees.
10.2.5. Supervision of measures taken for the protection of personal data
The Company should establish systems to conduct, or have conducted, the necessary audits of the operation of the technical and administrative measures to be taken. The Company should design the necessary processes for increasing the awareness of departments, business partners and suppliers regarding the protection and processing of personal data, and for auditing them. In accordance with Article 12 of the KVKK, the Company is responsible for ensuring that third parties to whom it transfers personal data fulfill their obligations to process and store data in accordance with the law and to access data in accordance with the provisions of this Policy and the KVKK. Therefore, in the contracts and all other arrangements made when transferring data to third parties, the Company should obtain commitments that provide for these conditions and grant it the authority to conduct audits. The Company should also specifically inform all its employees about the responsibilities arising from the processes of transferring personal data to third parties.
11. RIGHTS OF THE RELATED PERSON
According to Article 11 of the LPPD, the relevant person has the following rights against the Company as the Data Controller:
To learn whether personal data is processed and to request information about it if personal data is processed,
To learn the purpose of processing and whether it is used in accordance with the purpose,
To know the persons to whom personal data is transferred,
To request correction in case of incomplete or incorrect processing and to request the deletion of personal data if the conditions are met and to request that these requests be communicated to third parties,
To object to the emergence of a result against him/her by analyzing the processed data exclusively through automated systems,
To claim damages in case of damages due to unlawful processing.
In case personal data owners submit their requests regarding the rights listed above to the Company in writing or through other methods to be determined by the Board, the Company must, according to Article 13 of the LPPD, finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. If the request requires an additional cost, the fee determined by the Board may be charged. If it is understood that the application is due to the Company’s mistake, the fee charged will be refunded to the relevant person.
When the relevant application is finalized by the Company, information will be provided in a simple language that the person can understand and this information will be sent to the relevant person in writing or electronically. Depending on the nature of the request, the Company may accept the application of the relevant person or reject it by explaining the reason. If the application is accepted, the Company will fulfill the request without delay. In cases where the personal data owner’s application is rejected, the response given is insufficient or the application is not responded to in a timely manner, the necessary warnings will be made within the Company and awareness will be raised that they have the right to complain to the Board within 30 days.
12. ENFORCEMENT AND UPDATES
The necessary work on the changes to be made to the policy and the implementation of these changes is carried out in accordance with the Decisions of the Personal Data Protection Commission. The policy will be reviewed once a year as a regular procedure. However, if deemed necessary, our Company has the right to review, update, change or eliminate this Policy and create a new Policy within a shorter period of time. The Company’s Board of Directors has the authority to decide on the repeal of the Policy.