1-INTRODUCTION
İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş (hereinafter referred to as “Data Officer”) pays utmost attention to the observance of legal regulations as a requisite of its ethical values supporting the commercial assets and success of the company, and facilitates any structuring necessary for compliance with personal data protection statutes.
Personal Data Protection and Processing Policy (hereinafter referred to as “Personal Data Protection and Processing Policy” or “Policy”) sets forth the principles and basis adopted in the processing of personal data belonging to natural persons having an employment or contractual relationship with the Data Officer, and ensures transparency as well as legal security of data owners in personal data processing operations carried out by the Data Officer in that frame.
Personal Data Protection and Processing Policy sets forth the fundamental principles and duties of the Data Officer to ensure that operations carried out by the Data Officer in respect to all the personal data processed automatically or via non-automatic methods as part of a data recording system are in compliance with the provisions of Personal Data Protection Act No. 6698 (hereinafter referred to as “KVK Act”).
Contents of this Policy are in line with the related statutes, and in case of a contradiction between the Policy and the applicable legal statutes, provisions of the statutes shall prevail.
2- DATA OFFICER
Data Officer has the capacity of “data officer” in personal data processing activities, the purpose and means of which are identified pursuant to KVK Act, and hereby announces his/her responsibilities adopted in his/her capacity as the data officer in this policy.
3- DEFINITIONS
Important terms contained in KVK Policy and the statutes are provided along with their definitions in the following table:
Personal Data | Any information pertaining to an identified or identifiable natural person |
Personal Privacy Data | Data relating to race, ethnic origin, political view, philosophical beliefs, religion, religious cult or other beliefs, clothing, memberships in associations, foundations or unions, health, sexual orientation, criminal sentence, security measures as well as biometric and genetic data |
Data Owner | Identified or identifiable person whose personal data is processed (Concerned person) |
Explicit consent | Consent based on information in respect to a specific topic, given in free will |
Anonymization | Presentation of personal data in a fashion that it cannot be related to an identified or identifiable natural person even if combined with other data |
Personal Data Processing | Any action performed on personal data such as obtaining, recording, storage, maintaining, altering, re-organization, disclosure, transfer, taking over, making it obtainable, classification or preventing their use |
Data Officer | Natural or legal person who determines purpose and means of personal data processing, and responsible for establishment and management of data recording system |
Data Processor | External natural and legal person who carries out personal data processing operations based on the authorization given by the data officer |
KVK Act (Act/Law) | Personal Data Protection Act No. 6698, dated 24 March 2016, publicized on the Official Gazette dated 7 April 2016, No. 29677 |
KVK Board | Personal Data Protection Board |
KVK Agency (Agency) | Personal Data Protection Agency |
VERBİS | Data Officers Register maintained publicly by the Chair of Personal Data Protection Agency under supervision of KVK Board |
Data Officer (Company) | İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş |
Data Officer Business Partners | Persons who are in cooperation with the Data Officer per commercial relationships |
Data Officer KVK Storage and Destruction Policy | Policy issued by the Data Officer to stipulate storage, deletion, destruction and anonymization processes of the maintained personal data |
Data Officer Suppliers | Third parties providing services to Data Officer on contractual basis |
Data Officer Data Owner Application Form | Application form to be used by data owners in exercising their rights stipulated in Article 11 of KVK Act |
Data Officer KVK Policy | Data Officer Personal Data Processing and Protection Act |
Group Companies | Group companies within the organization of Data Officer |
Personal Data Processing Inventory | The inventory that describes and details personal data processing operations carried out by data officers based on their work processes, personal data processing purposes and legal grounds, data category, recipient group to whom data is transferred, maximum storage term determined in relation with the concerned persons and required for the purpose of processing, personal data anticipated for transfer to foreign countries and measures in place for the security of data |
Regulation on Data Officers Registry | Regulation on Data Officers Registry effected on 1 January, 2018, and publicized in Official Gazette dated 30 December 2017, No. 30286 |
Data Security Board | The Board to ensure necessary coordination within the Company organization in order to facilitate, maintain and sustain compliance with personal data protection statutes by Data Officer |
4- DATA SECURITY BOARD
Data Security Board is the unit responsible for protection of personal data processed by Data Officer as well as supervising compliance with personal data protection statutes. It is composed of Finance, IT and Legal Department representatives.
Meetings are held as deemed necessary by the Board or when a request is made in that respect. Revisions and compliance of the policies with the statutes are checked by Data Security Board. To this end, the following operations and compliance processes are carried out by Data Security Board:
- Ensuring that the roles and appointments required in the field of personal data protection are fulfilled,
- Preventing illegal transfer and disclosure of and access to personal data in accordance with the Act and Board decisions, taking and implementing measures in vulnerable areas,
- Facilitating inspections on implementation of data security measures and administrative decisions,
- Implementation of additional measures for storage of personal privacy data as needed,
- Organizing trainings as needed in order for adoption of data protection culture within the company organization,
- Ensuring implementation of relevant documents for compliance with the statutes and facilitating necessary inspections,
- Supervising whether group companies fulfill their responsibilities arising from the statutes,
- Supervising relationships with KVK Agency and KVK Board.
4.1. ROLES AND DUTIES
Replacement of the “Contact person” who will be performing VERBIS registration and information entry duties as well as communications with the Agency shall be made per Data Security Board and Board of Directors resolution.
Pursuant to “Personal Data Owner Relations Guideline”, “Esra Akça Şaşmazer” who will be performing the duties of ‘Data owner relations and control of functionality of relevant mechanisms’ is appointed by Data Security Board or Board of Directors resolution.
In addition to the aforementioned baseline duties, certain duties and responsibilities can be assigned to the officers that may be appointed to ensure compliance with personal data confidentiality.
4.2. PREPARATION OF POLICY, PROCEDURE, GUIDELINES AND CODES
Data Security Board ensures revision of the following documents for compliance with personal data protection statutes on behalf of the Data Officer within capacity of data officer.
- Personal Data Protection Policy
- Personal Data Storage and Destruction Policy
- Personal Data Breach Procedure
- Other texts that are required under the Act
5-POLICY PRINCIPLES
5.1. BASIC PRINCIPLES
Following basic principles are adopted by Data Officer in respect to processing of personal data.
5.1.1. Processing personal data in accordance with law and ethical codes
Data Officer conducts personal data processing operations primarily in accordance with Republic of Turkey Constitution and KVK Act as well as data confidentiality statutes and codes of honesty.
5.1.2. Ensuring that the processed personal data are accurate and current
Data Officer ensures that the personal data being processed are accurate and current, takes necessary administrative and technical measures in that respect, and supervises the process.
5.1.3. Processing personal data in connection with the purpose, in a limited and reasonable manner
Data Officer shall process personal data in connection with the purpose to the reasonable extent required for performance of those services. To this end, the purpose of processing personal data is identified before starting personal data processing operations. In other words, personal data cannot be processed merely assuming that they might be used in the future (storage of personal data is also considered a data processing operation). Accordingly, Data Officer considers fundamental rights of data owners and its own legitimate interests.
5.1.4. Storing personal data for the term anticipated in the relevant statutes or the term needed for the purpose of processing
Data Officer shall process personal data for the term stipulated in the relevant statutes, if any. In case there is no such term specified in the statutes, such data are stored for a limited term required for the purpose of processing. Data Officer shall destroy personal data by erasing, destruction or anonymization at the end of the term stipulated under statutes or when the reasons for processing such data no longer exist. To this end, the established Data Officer Personal Data Storage and Destruction Policy shall be observed.
5.2. LEGAL PROCESSING OPERATIONS
Data Officer shall observe data processing conditions stipulated in articles 5 and 6 of KVK Act along with the fundamental principles in personal data processing operations.
Data Officer shall configure necessary mechanisms within internal systems to ensure processing of personal data in accordance with laws. Additionally, Data Officer shall carefully execute the process by ensuring personnel awareness on confidentiality via in-house trainings.
Data Officer shall operate in line with Republic of Turkey Constitution in particular as well as Turkish Criminal Code No. 5237, KVK Act, similar applicable laws and rules stipulated in Data Officer KVK Policy in processing personal data.
5.2.1. Data Processing Conditions
Personal data are processed in accordance with the Board resolutions provided that explicit consent is obtained from the Data Owner. Data processing operations can be carried out without seeking explicit consent when at least one of the following conditions is met:
- Explicit consent: Processing of data after obtaining consent of personal data owner legally and in their free will for a specific topic upon providing information.
- Anticipation/requirement under laws: Processing of data if there is a clear provision in statutes about processing of personal data or if it is required for performance of legal obligations of Data Processor.
- Inability to obtain explicit consent due to physical reasons: Processing of data if the data owner is in a state that prevents giving an explicit consent due to physical reasons or his/her consent cannot be recognized as valid, if it is required to protect the life or physical integrity of the data owner or a third person.
- In connection with an agreement: Processing of personal data belonging to the parties if it is directly connected with the establishment or performance of an agreement.
- Publicizing of personal data by data owner: Processing of data limited to scope of publicizing when the data is directly publicized by the Data Owner.
- Processing of data when it is required for claiming, exercising or protecting a right.
- Legitimate operations of data officer: Processing of data as required for legitimate interests of Data Officer, provided that fundamental rights and freedom of the Data Owner are ensured.
5.2.2. Conditions for Processing Personal Privacy Data
Personal Privacy Data can be processed in accordance with applicable statutes, Board resolutions, policies implemented by Data Officer and explicit consent pursuant to article 6 of the Act if the following conditions are present.
5.2.3 Special Conditions Pertaining to Data Processing Operations
- Ensuring supplemental rights and interests arising from Labor Law,
- Ensuring equal opportunity,
- Preventing any conflicts with the law,
- Providing references,
- Processing in company merge and transfer as well as other actions that change company structure,
- Processing of your personal data in disciplinary investigations and inspection processes,
- Maintaining health data separately, and persons authorized to process health data
- Alcohol and drug tests
- Processing of personal data related to use of electronic communication means
- Processing of personal data related to security camera applications
- Processing of personal data related to internet use
- Processing of personal data related to equipment provided by the company
- Processing of personal data related to requesting information on employees from third persons
5.3. LEGAL DATA TRANSFER
Personal data transfer conditions stipulated in Articles 8 and 9 of KVK Act are observed by Data Officer when sharing personal data with group companies and 3rd parties or providing access to personal data by 3rd parties. The 3rd parties to whom data are transferred shall be subject to all necessary measures and inspections to ensure security of the said personal data.
5.3.1. Personal Data Transfer
Personal Data can be transferred upon explicit consent of the Data Owner as well as under presence of the following conditions without explicit consent, provided that necessary protective measures are in place and statutes as well as Data Officer policies are observed:
- Explicit consent: Transfer of data after obtaining consent of personal data owner legally and in their free will for a specific topic upon providing information.
- Anticipation/requirement under laws: Transfer of data if there is a clear provision in statutes about processing of personal data or if it is required as part of performance of legal obligations of Data Processor.
- Inability to obtain explicit consent due to physical reasons: Transfer of data if the data owner is in a state that prevents giving an explicit consent due to physical reasons or his/her consent cannot be recognized as valid, if it is required to protect the life or physical integrity of the data owner or a third person.
- In connection with an agreement: Transfer of personal data belonging to the parties if it is directly connected with the establishment or performance of an agreement.
- Publicizing of personal data by data owner: Transfer of data limited to scope of publicizing when the data is directly publicized by the Data Owner.
- Transfer of data when it is required for claiming, exercising or protecting a right,
- Legitimate operations of data officer: Transfer of data as required for legitimate interests of Data Officer, provided that fundamental rights and freedom of the Data Owner are ensured.
5.3.2. Transfer of Personal Privacy Data
Personal privacy data can be transferred provided that sufficient technical and administrative measures are ensured, and following conditions are present:
- Personal privacy data other than those related to health and sexual life can be transferred without explicit consent of the Data Owner if explicitly regulated under laws. In case of lack of such regulation under laws, data can be transferred per explicit consent of the concerned person.
If the specified data transfer conditions are present, personal data can be transferred to the foreign countries that are safe/having adequate protection determined and announced by the Board, or in the absence of adequate protection, to the foreign countries permitted by the Board provided that data officers in Turkey and the foreign country can execute a written undertaking for ensuring adequate protection measures for data transfer stipulated in statutes and by the Board; also if Binding Company Codes are applied provided that restrictions and conditions stipulated by the Board are observed.
6-OBLIGATIONS
Data owners shall be informed by the Company about the purpose of processing personal data, to whom data can be transferred, for which purposes the data can be processed or transferred, and data collection methods. Data owners shall also be informed about their rights pertaining to personal data and how to exercise such rights as part of the informing process.
Data Officer shall comply with the obligations stipulated in KVK Act for data officers. To this end, primary obligations of Data Officer are listed below as part of this policy:
6.1. Obligation to Fulfill KVK Board Resolutions
Data Officer shall immediately fulfill resolutions notified by KVK Board, the executive organ of KVK Agency which regulates personal data protection operations and is the administrative authority of our country in this field, due to a complaint or as a result of an investigation conducted ex officio. Furthermore, Data Officer shall also adopt principle resolutions established by KVK Board as a data privacy code.
6.2. Data Owner Relations Obligation
Data Officer shall, in its capacity as data officer, conclude requests by data owners about their personal data as soon as possible and within a maximum of thirty (30) days depending on the nature of the request, pursuant to article 13 of KVK Act.
Data Owners can exercise the following rights by filing an application over the web site of the Data Officer pursuant to Article 11 of KVK Act:
- Find out whether their personal data are processed or not,
- Request information if their personal data are processed,
- Find out purpose of processing personal data and if they are used for intended purpose,
- Find out the third parties in and out of the country to whom their personal data are transferred,
- Ask for correction if their personal data are processed inaccurately or incompletely, and request notification of the third parties to whom their personal data are transferred about any actions taken in that respect,
- Ask for deletion or destruction of their personal data if the reasons to process personal data no longer exist even if the same are processed in accordance with KVK Act and other applicable law provisions, and request notification of the third parties to whom their personal data are transferred about any actions taken in that respect,
- Object to any consequences that may arise against them due to analysis of processed data exclusively by means of automated systems,
- Assert claim for compensation of any damages incurred due to illegal processing of personal data.
6.3. Obligation of Registration to Data Officers Register and Notification
Data Officer shall be registered to Data Officers Register in accordance with article 16 of KVK Act as well as principles and basis stipulated by regulations if the criteria provided in Regulation on Data Officers Register are met.
6.4. Obligation to Inform Data Owner
Data Officer manages processes required to ensure informing of data owners by authorized persons during obtaining personal data in accordance with Article 10 of KVK Act and Communiqué on Principles and Basis to be Observed in Fulfilling Information Obligation. You may view KVK Information Statement publicized on web site to fulfill information obligation.
6.5. Obligation to Ensure Security of Personal Data
Data Officer shall take any and all technical and administrative measures to ensure sufficient level of security in order to:
- Prevent illegal processing of personal data,
- Prevent illegal access to personal data, and
- Ensure protection of personal data
with awareness on importance of ensuring security of personal data and paying regard to fundamental rights and freedoms of data owners in accordance with article 12 of KVK Act. Additionally, necessary inspections shall be conducted to ensure functioning of mechanisms for data security.
7-ENSURING SECURITY OF PERSONAL DATA
Data Officer shall, depending on the nature of data to be protected, take all necessary measures to prevent illegal processing of personal data, illegal access to personal data or to avoid security vulnerabilities that may arise in any other means as well as to ensure secure storage of personal data.
7.1. ADMINISTRATIVE MEASURES
- Data Officer shall establish Personal Data Processing Inventory containing personal data categories, data owners, processing purposes and security measures in place.
- Organizational policies and procedures on protection of personal data shall be established, and their functionality and continuity shall be ensured.
- Confidentiality agreements shall be entered with employees.
- In-house protection awareness is raised through awareness trainings and meetings.
- In case personal data are subject to transfer, necessary measures shall be ensured by group companies or 3rd party companies.
- Provisions in compliance with the laws shall be included in employment contracts and discipline codes.
- Registration and information entry to Data Officers Register Information System VERBİS procedures shall be completed if the criteria are met.
- Data Security provisions shall be included in agreements entered with data processors.
7.2. TECHNICAL MEASURES
- Data Officer shall ensure security of physical and electronic media containing personal data.
- Personal data back-up copies shall be taken on regular basis against malware, and security of back-up copies shall be ensured.
- Preventive systems and software shall be installed on information network to ensure cyber security.
- Access authorization of Data Officer employees shall be established by continuously ensuring their duties and authorization controls.
- Data security trainings shall be planned.
- Data leakage test standards shall be identified.
7.3. PERSONAL DATA BREACH
Data Officer shall inform KVK Board and concerned data owners within 72 hours in case processed personal data are illegally accessed by unauthorized persons. Data Officer Data Breach Procedure (link) is established for that purpose; and all breach exercises within the organization of Data Officer are set by Data Security Board hereunder this procedure.
8-DESTRUCTION OF PERSONAL DATA
Data Officer shall have all internal systems established for destruction of personal data in accordance with Personal Data Storage and Destruction Policy developed for deletion, anonymization or destruction of personal data when the reasons for processing data no longer exist even though they are legally processed pursuant to article 7 of KVK Act.
9-REVISION
This Policy shall become effective upon its approval by Data Security Board. Data Security Board shall govern any changes to be made on this Policy except for abolition of this Policy, as well as how this policy will be put in effect.
KVK Act shall be published on internet site by Data Officer, and presented to public access. This Policy shall be reviewed on annual basis under any circumstances, and if changes are necessary, it shall be submitted to Data Security Board approval, and updated. In case of a contradiction between this policy and the applicable statutes, KVK Act in particular, provisions of statutes shall prevail.
Data Officer reserves the right to make changes to KVK Policy in line with the legal arrangements by KVK Agency, the administrative authority.
Any revisions to this policy and the statutes shall be included in the policy accompanied with the date and topic, and shall become integral part of the policy after necessary announcements are made. Current version of KVK Policy shall be published on Data Officer’s internet site.








