Personal Data Protection and Processing Policy

1. Introduction
2. Objective of the Policy
3. Scope of the Policy
4. Enforcement Date of the Policy
1. Personal Data
2. Sensitive Personal Data
1. Personal Data Categorization
1. General Principles for Processing of Personal Data
2. Conditions for Processing of Personal Data
3. Conditions for Processing of Sensitive Personal Data
4. Our Intended Purposes for Processing of Personal Data
1. Conditions for Transferring Personal Data
2. Conditions for International Transfer of Personal Data
3. Our Intended Purposes for Transferring Personal Data and Third-Parties to Whom Personal Data Are Transferred
4. Personal Data Stipulated to be Transferred to Foreign Countries
1. Method for Collection of Personal Data and the Legal Basis
1. Deletion, Disposal, or Anonymization of Personal Data
2. Term for Storage and Disposal of Personal Data
1. Technical Measures Taken for Personal Data Security
2. Administrative Measures Taken for Personal Data Security
3. Physical Actions Taken for Personal Data Security
4. Procedure to be Followed for Unauthorized Disclosure of Personal Data
5. Auditing the Actions Taken for the Protection of Personal Data
6. Raising Awareness and Supervision of the Employees on Protection and Processing of Personal Data
1. Providing Clarification to the Personal Data Owner
2. Rights of the Personal Data Owner
3. Exercising of the Rights by the Personal Data Owner
4. Petition Right of the Personal Data Owner to the Personal Data Protection Board
As Ela Excellence Resort Belek (the “Company”), acting in the capacity of the "Data Controller" within the scope of the Law no. 6698 on the Protection of Personal Data (the “Law”), it is our priority for the personal data of the natural persons associated with our Company, including without limitation, our customers, potential customers, suppliers, visitors, website users, company shareholders, and officials as well as the employees, shareholders, and officials of the institutions that we collaborate with, in addition to our employees and prospective employees to be processed in compliance with the Law and secondary legislation to ensure that the relevant persons as the personal data owners exercise their rights in an efficient manner thereof. During the performance of our operations, we carry out procedures relating to processing, storage, and transfer of personal data of all personal data owners associated with our Company in line with this Policy on the Protection and Processing of Personal Data (the “Policy”) thereof. The essential principle of this Policy and our Company relating to processing of personal data is to protect such personal data and the fundamental rights and liberties of natural persons whose personal data are collected as well as taking all necessary administrative and technical measures/actions in order to protect such personal data.
Objective of the Policy
The primary objective of this Policy is to set out the methods to be followed with regards to processing, storage, transfer, and deletion, or anonymization of personal data transferred to us by personal data owners during our business, social responsibility, and similar activities by our Company acting in the capacity of the "data controller" under the Law within the framework of the principles as provided in the Law thereof.
Within this scope, we aim to ensure transparency by providing necessary information to personal data owners, including, in particular, our customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of institutions that we collaborate with and other third parties, whose personal data are processed by Ela Excellence Resort Belek companies thereof.
Scope of the Policy
This Policy is applicable to personal data of all personal data owners, including without limitation, our employees, prospective employees, shareholders/partners, visitors, business associates, customers, potential customers, suppliers, affiliates, website users/visitors, etc. in other words, all personal data owners who are associated with our Company during the performance of our activities. This Policy is not applicable to any data relating to legal entities.
In case of any conflict between the applicable legislation on processing and protection of personal data and this Policy, the provisions of the applicable legislation in force shall be applicable thereof.
Effective Date of the Policy
This Policy has entered into force to be effective as of June 1st, 2020 upon approval of the Company. The previous version of this Policy as formerly published on the website was abolished as of the effective date of this Policy thereof. In case any change to this Policy is required, the relevant provisions shall be revised accordingly. The details of such changes to this Policy are provided under Section 11 of this Policy.
Personal Data
Personal data as a term include all kinds of information on an identified or identifiable natural person. In this Policy, personal data as a term shall also include sensitive personal data in line with the applicable legislation thereof.
Sensitive Personal Data
Sensitive personal data consist of a natural person's racial or ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, physical appearance and attire, association, foundation, or trade union membership, data concerning health, data concerning sex life or sexual orientation, criminal conviction, data concerning security measures as well as biometric data and genetic data of such natural persons.
Personal Data Categorization
Personal data in the following categories are processed by the Company by providing information to the data subjects as per article 10 of the Law thereof. This section includes information about which personal data are processed under such categories in relation to the data subject groups as defined in this Policy and what types of personal data of the data subjects are processed under such categories thereof. Such personal data include those explicitly evident that they belong to an identified or identifiable natural person as processed, in part or in whole, by automatic systems, or otherwise by non-automatic systems provided that such personal data are part of a data recording system as follows:
Identity Information | All kinds of information as contained in documents such as the driver's license, ID card, certificate of residence, passport, attorney's ID card, (birth) certificate, and marriage certificate, etc. are defined as identity information. Personal data as processed by the Company of its prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with. |
Contact Information | Phone number, address, e-mail address, etc. are defined as contact information. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with. |
Geolocation Data | Data identifying the geographical location of our employees as personal data subjects when driving Company vehicles are defined as geolocation data. Personal data as processed by the Company of the company employees. |
Customer Data | Data obtained and/or generated about the data subject as a result of our business activities and operations as carried out by our business units within this scope. Customer data as processed by the Company. |
Information on Family Members and Relatives | Information on family members and relatives of the personal data owner as processed for the purpose of protection of the legitimate interests of the Company and the personal data owner. Information on the family members of our employees as processed by the Company thereof. |
Customer Transaction Information | Such information consists of records relating to the use of our products and services as well as any necessary instructions and requests as provided by the customer as required for the use of such products and services. Customer data as processed by the Company. |
Physical Site Security Information | Personal data relating to the records and documents as obtained during entry to a physical site and during visiting such a physical site. Information as processed by the Company about our visitors, company officials, customers as well as the employees of the institutions that we collaborate with. |
Process Security Information | Personal data as processed for the purpose of ensuring our technical, administrative, legal, and commercial security during the performance of our business activities. Information as processed by the Company about our visitors, third parties, company officials as well as employees, shareholders, and officials of the institutions that we collaborate with. |
Risk Management Information | Personal data processed by such methods as implemented in line with generally accepted legal, customs of trade, and good faith principles in this regard for the purpose of the management of our commercial, technical, and administrative risks thereof. |
Financial Information | Personal data as processed in relation to any information, documentation, and records indicating any kind of financial results generated based on the type of legal relationship as established by and between the Company and the personal data owner thereof. |
Personnel Information | Any kind of personal data as processed to obtain information on the basis of constituting personal benefits of our employees or natural persons having an employee-employer relationship with the Company. Personal data as processed by the Company about our employees as well as the employees of the institutions that we collaborate with. |
Prospective Employee Information | Personal data as processed in relation to the individuals who have submitted a job application to become an employee of the Company, or evaluated as a prospective employee in line with the human resources needs of the Company as per the customs of trade and good faith principles, or those having an employee-employer relationship with the Company thereof. Information on prospective employees as processed by the Company. |
Employee Operation Information | Personal data processed in relation to all kinds of processes as performed by our employees or those having an employee-employer relationship with the Company regarding the business activities of the Company thereof. Information as processed by the Company about our employees as well as the employees of the institutions and vendors that we collaborate with. |
Employee Performance and Career Development Information | Personal data as processed for the purpose of measurement of the performance of our employees or those having an employee-employer relationship with the Company as well as planning and management of their career development in line with the Human Resources Policy of the Company thereof. Personal data as processed by the Company of the company employees. |
Fringe Benefits and Other Employee Benefits Information | Personal data as processed for the purpose of planning of fringe benefits and other employee benefits presented or to be presented in the future to our employees or those having an employee-employer relationship with the Company, determination of the objective eligibility criteria for such benefits as well as following up such entitlement thereof. Personal data as processed by the Company of the company employees. |
Legal Proceedings and Legal Compliance Information | Personal data as processed for the purpose of determination and follow-up of our legal claims and rights as well as the fulfillment of our obligations in addition to compliance to our legal obligations and corporate policies thereof. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
Audit and Supervision Information | Personal data as processed within the scope of compliance to legal obligations and corporate policies of the Company. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
Sensitive Personal Data | Personal data as defined in article 6 of the Law thereof. Personal data as processed by the Company of our prospective employees, employees, company shareholders, company officials as well as the employees of the institutions that we collaborate with. |
Health Information | Personal data such as information concerning disability status, blood type, personal health information as processed for the purpose of the fulfillment of our legal obligations as well as providing fringe benefits to our employees thereof. The Company processes the health information of its employees. |
Audio-Visual Records | Audio-visual records may be captured during the performance of our business processes and operations. Such data consist of those related to our employees and visitors. |
Marketing Information | Such information consists of personal data as processed for ensuring marketing by customization of our products and services in line with usage patterns, interests, and requirements of the personal data owner as well as any reports and assessments generated as a result of the outcomes of processing of such information thereof. Information as processed by the Company about its customers and potential customers. |
Biometric Data | Such data consist of palm print data, fingerprint data, retinal scanning data, facial recognition data, etc. Such data as processed by the Company consist of data of the employees. |
Request/Complaint Management Information | Personal data relating to the receipt and evaluation of any kind of requests or complaints submitted to the Company. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
General Principles for Processing of Personal Data
Personal data are processed by the Company in compliance with the procedures and principles as provided under the Law and this Policy. The Company acts in line with the following principles when processing such personal data:
Compliance to applicable law and good faith principles;
Ensuring that such personal data are accurate and up-to-date as required;
Processing of personal data for specific, explicit, and legitimate purposes;
Processing of personal data in relation to, limited and proportional to the intended purpose for processing; and
Storage of personal data for a period as provided in applicable legislation or as required for the intended purpose for processing of such personal data.
Conditions for Processing of Personal Data
The Company does not process personal data without the explicit consent of the personal data owner thereof. However, such personal data may be processed without any requirement for explicit consent of the personal data owner in case of any of the following conditions:
Such processing of personal data is explicitly provided under applicable law;
Processing of such personal data is required for the protection of life or physical integrity of the data subject or any other person in such cases where such data subject is unable to provide its explicit consent due to actual impossibility or where such explicit consent is not deemed to be legally valid thereof.
Processing of personal data of the contracting parties is required, provided that such personal data are directly related to the establishment or execution of an agreement: For instance, the bank account information of the payee may be received for the purpose of the payment of the amounts under an agreement executed by and between the parties thereof.
Processing of such personal data is required for the data controller to fulfill its legal obligations thereof.
Such personal data have been made public by the data subject itself: In other words, personal information as previously disclosed to the public may be processed without the explicit consent of the personal data owner as the legal interest for the protection of such personal data is no longer applicable.
Processing of such personal data is required for allocation, use, or protection of any claims or rights thereof.
Processing of such personal data is required for the legitimate interests of the data controller provided that such processing of personal data shall not cause any harm to the fundamental rights and liberties of the data subject thereof.
Conditions for Processing of Sensitive Personal Data
The Company does not process Sensitive Personal Data without an explicit consent of the data subject thereof. The Company shall carry out necessary processes in order to take adequate measures as determined by the Personal Data Protection Board for processing of such Sensitive Personal Data.
Our Intended Purposes for Processing of Personal Data
Personal Data as collected by the Company are processed for the following purposes within the scope of the conditions for processing of personal data as provided in articles 5 and 6 of the Law. In case the operation of processing of personal data for the following purposes fails to meet any of the conditions as provided under the Law, then the Company obtains the explicit consent of the personal data owner in relation to such processing of personal data thereof.
Performance of emergency procedures;
Performance of information and/or data security procedures;
Management of access authorizations;
Ensuring security of the premises;
Performance of communication operations;
Performance of storage and archiving operations;
Performance of internal audit, investigation, and intelligence operations;
Performance of risk management procedures;
Ensuring the security of movable property and resources;
Management of organization activities and events;
Performance of management activities;
Performance of business and administrative activities;
Providing support services to customers and reporting within the scope of the relevant contract and applicable service standards;
Formation, updating, and development of the services to be provided to our customers by determining the interests and requirements of our customers thereof;
Ensuring the fulfillment of our legal obligations as required or obligated by statutory regulations;
Providing campaigns, surveys, and promotions;
Contacting persons having a business relationship with the Company;
Performing advertisement and marketing operations;
Compliance management;
Vendor / supplier management, program and services;
Statutory reporting;
Optimal planning and implementation of human resources policies;
Correct planning, performance, and management of business partnerships and strategies;
Ensuring legal, commercial, and physical security of the Company and its business associates;
Ensuring corporate operation as well as planning and execution of management and communication activities;
Ensuring the highest level of data security;
Creation of databases;
Development of web services and debugging on the corporate website;
Contacting Personal Data owners who have submitted their requests and complaints to the Company as well as ensuring the management of such requests and complaints thereof;
Efficiency management;
Performance of staff recruitment procedures;
Providing the Group Companies with support relating to staff recruitment and compliance to applicable legislation;
Planning and performance of audit and supervision activities in order to ensure the performance of the operations of the Group Companies in compliance with the applicable legislation;
Providing the Group Companies with support relating to the performance of the operations under corporations law and legislation;
Performance and follow-up of financial reporting and risk management processes;
Performance and follow-up of operations under corporate law;
Performance of operations for maintaining corporate reputation;
Creation and follow-up of visitor records;
Planning and performance of the activities relating to business operations and business continuity;
Follow-up of financial and/or accounting operations;
Providing competent authorities with information in relation to applicable legislation and preparation for audits to be conducted by such competent authorities;
Planning and performance of corporate communication activities;
Planning and performance of operational procedures;
Planning and performance of the authorized staff of the business associates and/or suppliers to access information;
Planning and performance of customer relationship management procedures;
Follow-up of customer requests and/or complaints;
Follow-up of contracting procedures and/or legal claims;
Planning and performance of marketing survey activities for sales and marketing of the services;
Performance of sales and after-sale operations as well as purchasing operations;
Planning and/or performance of procedures for creating and/or increasing customer engagement to the products and/or services as provided by the Company;
For the purposes of ensuring the performance of corporate human resources policies and evaluation of job applications in compliance with corporate human resources policies;
Fulfillment of the obligations and taking necessary actions within the scope of occupational health and safety procedures;
Fulfillment of the obligations on behalf of the company employees arising out of the contract of employment and/or applicable legislation thereof;
Performance of the procedures relating to commencement and termination of the employment of the personnel;
Evaluation of wages and performance procedures as well as management of salaries and payrolls;
Planning and/or performance of in-company training activities;
For the purpose of ensuring the legal and commercial security of the Company and persons having a business relationship with the Company;
Planning and performance of necessary operational activities in order to ensure that the Company operations are carried out in compliance with corporate procedures and/or applicable legislation;
Ensuring the security of Company premises and/or buildings and facilities;
Ensuring the security of Company assets (i.e. fixtures and fittings etc.) and/or resources;
For the purpose of determination and implementation of corporate commercial and business strategies;
Performance of social responsibility activities conducted by the Company;
Planning and performance of customs operations procedures;
Completion of Excellence procedures.
Conditions for Transferring Personal Data
As a corporation, we act in compliance with the decisions and regulations as provided under the Law and taken by the Board regarding the transfer of Personal Data and we take any necessary actions thereof. Provided that the exceptional circumstances as contained in the applicable legislation are reserved, the Company does not transfer personal data and sensitive personal data to any natural persons or legal entities without the explicit consent of the Data Subject thereof. However, personal data may be transferred:
In such cases as described in article 2 of Section 4 in this Policy, or
For sensitive personal data, in such cases as described in article 2 of Section 4 in this Policy, or
Sensitive personal data concerning the health and sex life or sexual orientation of the Data Subject may only be transferred to the natural persons or authorized institutions and organizations under confidentiality obligation for the purposes of protection of public health, preventive healthcare, medical diagnosis, treatment and healthcare services, planning and management of healthcare services as well as their financing without any requirement for an explicit consent thereof.
Media used by the Company for the transfer of such personal data consist of methods such as corporate intranet, electronic mail, printed copy, MS Excel worksheet, VPN, and secure file transfer.
Conditions for International Transfer of Personal Data
As a rule, personal data may not be transferred abroad without the explicit consent of the Data Subject thereof. However, in case of any of the exceptional circumstances as defined in article 2 of Section 4 in this Policy and in case such third parties abroad are:
Located in any of the countries as listed by the Board to ensure adequate protection of personal data, or
In cases where such third parties are not located in any of the countries ensuring adequate data protection, then on the condition that the data controllers in Turkey and in the relevant countries abroad provide a written commitment to ensure adequate data protection and also provided that the Board grants permission thereof, then such personal data may be transferred abroad without an explicit consent thereof.
Our Intended Purposes for Transferring Personal Data and Third-Parties to Whom Personal Data Are Transferred
For the purposes as provided in Article 4 of this Policy, Personal data may be transferred to:
Our suppliers;
Business associates and business contacts;
Affiliates and group companies;
Ela Excellence Resort Belek;
Legally authorized public institutions and organizations;
Legally authorized private persons/entities;
Our shareholders;
Domestic and foreign server service providers of the Company; and
Audit firms provided that all necessary technical and administrative measures are taken in line with the principles and rules as described in this Policy.
Personal Data Stipulated to be Transferred to Foreign Countries
Due to the ongoing activities of the Company abroad, personal data limited to contact details may be transferred abroad based on the explicit consent of the personal data owners, to be limited by the scope of such explicit consent and provided that it is also limited to the circumstances as required by the operational procedure with our business associates located abroad.
Method for Collection of Personal Data and the Legal Basis
Personal Data are collected by the Company by technical and procedural methods employed through various means such as our website, e-mails, application forms, request forms, secure electronic transactions, printed forms, log sheets, and physical channels, or in verbal, written, or digital environment, through automatic systems, in part or in whole, or through non-automatic systems provided that such personal data are part of a data recording system to be processed for the purposes of providing our business services to our customers within the framework of legitimate reasons arising out of and enforceable based on the applicable legislation, contracts, claims, customs of trade, and good faith principles as applicable in terms of the performance of our business operations in this regard as well as the fulfillment of legal obligations of the Company, fulfillment of the requirements of the business relationship established with our customers and establishment, exercising, and protection of mutual rights in this regard, and protection of the legitimate interests of the Company provided that the fundamental rights and liberties of the personal data owners having a business relationship with the Company are protected thereof. Within this context, characteristic methods for Collection of Personal Data, intended purposes for collection of personal data, and activities carried out in this regard are as follows:
Security Camera Surveillance Activity At the Building and Facility Entrances and Inside the Buildings and Facilities
Within the scope of security camera surveillance activity, the Company aims to improve the Excellence of services provided, to ensure the reliability of such services, to ensure the security of the Company, its customers, and others, and to protect the interests of the customers relating to the services provided to such customers thereof.
Legal Basis for Camera Surveillance Activity
Camera surveillance activity as undertaken by the Company is carried out in compliance with the Law on Private Security Services and applicable legislation thereof.
Providing Information on Camera Surveillance Activity
As per article 10 of the Law on the Protection of Personal Data, the Company provides the personal data owner with necessary information thereof.
With regards to camera surveillance activity, the Company published this Policy on its website (online Policy amendment) and a warning sign about camera surveillance was placed at the entrances of the locations subject to surveillance (providing on-site information).
Intended Purpose for Camera Surveillance Activity and Such Activity Being Limited to the Purpose
The intended purpose for camera surveillance activity as carried out by the Company is limited to the purposes as provided in this Policy. Areas where surveillance would be too invasive for the privacy of individuals beyond the intended purposes for security (e.g. restrooms, prayer rooms, etc.) are not subject to camera surveillance activity.
Ensuring Security of Captured Personal Data
In compliance with article 12 of the Law on the Protection of Personal Data, all reasonable technical and administrative measures as provided in this Policy are taken with a view to instating the security of the captured personal data by the Company as a result of camera surveillance activity.
Parties Authorized to Access the Captured Personal Data by Camera Surveillance Activity and Parties to Whom Such Personal Data Are Transferred
Only a limited number of Company employees have access to the security camera footage as captured and stored in digital environment. On the other hand, in-company security staff and administrative affairs personnel may view live feed as received from the security camera systems. Others are not allowed to access such footage.
Supervision of Visitor Entry-Exit Procedures At Building and Facility Entrances and Inside the Buildings and Facilities
The Company processes personal data for the supervision of visitors' entry and exit procedures in the Company buildings and facilities in order to ensure the security and for the purposes as defined in this Policy.
Names and last names as well as vehicle plate numbers of the persons who are visiting the Company premises as a guest are obtained and such persons as the personal data owners are duly informed by texts placed in various locations in the Company premises or otherwise made available to the guests thereof.
Website Visitors
The Company uses technical methods (e.g. cookies, etc.) to log online website activities of the visitors of the websites as owned by the Company in order to ensure that the visitors of such websites navigate the websites in line with the intended purposes of visiting such websites, provide the visitors with customized content, and carry out online advertisement activities thereof. Visitors of our website are provided with our "Cookies Policy" and comprehensive information is provided to such visitors in line with our obligation to provide required information to our visitors thereof.
Mobile Applications of the Company
The Company develops mobile applications used by our customers by downloading such applications to their mobile devices with an aim to facilitate the provision of services as provided by the Company to our customers. Explicit consent of the customers is obtained by providing comprehensive information within the scope of our obligation to provide required information to our customers using our mobile applications just before they enter any personal information thereof.
Deletion, Disposal, or Anonymization of Personal Data
The Company undertakes deletion, disposal, or anonymization of Personal Data, either ex officio or upon request by the personal data owner, in case the conditions for processing of such personal data are no longer applicable provided that applicable provisions as contained in other laws and legislation relating to deletion, disposal, or anonymization of Personal Data shall be reserved. Upon deletion of Personal Data, such data are destroyed in such a manner to prevent them being reused or recovered. Data disposal processes are carried out by documenting such disposal process in a formal report in periodic disposal periods as determined by the Company thereof.
Term for Storage and Disposal of Personal Data
The Company stores Personal Data during the period as provided in applicable legislation provided that storage of Personal Data is stipulated in such applicable legislation. In case such legislation does not set out the storage period of personal data, then Personal Data is processed for a period as required by the Company procedures and customs of trade in relation to the operations performed during processing of such personal data, and then personal data are subject to deletion, disposal or anonymization thereof.
In case the purpose for processing of personal data is no longer applicable and the storage period as provided in applicable legislation and/or as determined by the Company has also expired, then such personal data may only be stored to constitute evidence for any potential legal disputes or claim for the rights associated with such personal data or defend such rights thereof. In such cases, the Company determines the storage periods of personal data by taking into consideration the statute of limitation periods for claiming for such rights as well as previous examples contained in the requests as received by the Company on similar cases regardless of whether the statute of limitation periods has expired thereof. In that case, such stored personal data may not be accessed for any other purpose and the relevant personal data may only be accessed when they are required to be used to resolve such legal disputes thereof. Upon expiration of the storage period as defined in this paragraph, such personal data are subject to deletion, disposal, or anonymization thereof.
The Company takes all necessary technical and administrative measures, and performs or has performed all necessary controls, in order to ensure an adequate level of security to prevent unlawful processing of and unlawful access to Personal Data as processed by the Company, and to ensure the protection of such Personal Data, in compliance with article 12 of the Law.
Technical Measures Taken for Personal Data Security
Provided that such measures are limited to those for ensuring the security and protection of personal data:
Network security and application security are ensured;
Closed computer network system is used in personal data transfers through the network;
Necessary security measures with regards to the procurement, development, and maintenance of information technology systems are taken;
In-company technical organization is implemented for the purposes of processing and storage of personal data in compliance with the applicable legislation thereof;
Data masking is applied as a measure whenever deemed required;
Technical infrastructure is established in order to ensure the security of the databases on which personal data are intended to be stored;
Established technical infrastructure procedures are subject to follow-ups and controls;
Reporting procedures for the technical measures taken as well as control processes are determined;
Technical measures are periodically updated and revised;
Associated risks are reviewed and necessary technological solutions are created;
Up-to-date anti-virus protection systems, firewall, and similar software or hardware security products are used and security systems in line with technological developments are installed;
Applications through which personal data are collected are subject to periodic security scans and any identified security breaches are eliminated thereof;
Backup programs are used in compliance with applicable law in order to ensure the secure storage of personal data;
Access to data storage media and/or data is strictly limited to the access of the authorized personnel and limited to the purpose for storage of personal data, and any unauthorized access or attempted access is instantly reported to the authorized personnel by keeping log entries for access to data storage spaces where such personal data are stored;
Logs are subject to periodic review;
Expert technical staff is employed;
User account management and authorization control systems are in place and subject to follow-up;
Logs are kept in such a manner to prevent any user intervention;
In case sensitive personal data are required to be transferred by e-mail, such sensitive personal data are always sent by encryption and via KEP address (registered e-mail address) or by using a corporate e-mail account;
Secure encryption and/or cryptographic keys are used for sensitive personal data and managed by different units;
Cyber attack detection and prevention systems are in place;
Penetration test is performed;
Cybersecurity measures have been taken and their implementation is subject to continuous supervision;
Encryption is ensured.
Administrative Measures Taken for Personal Data Security
Provided that such measures are limited to those for the protection of personal data:
Corporate policies and procedures are created for access to personal data by those, including employees of our group companies and affiliates, data security, data usage, storage, and disposal, and policies for using tools and equipment associated with the use of databases and applications containing personal data are issued and implemented thereof;
Employees are duly informed and trained on protection and processing of personal data in compliance with applicable law;
Data security training and awareness activities for employees are organized on a regular basis;
Within the scope of the agreements with our employees and/or corporate policies as published, actions to be taken in case of any unlawful processing of personal data by our company employees are determined;
Agreements and procedures as executed with our employees contain provisions imposing obligations to prevent unlawful processing, disclosure, and use of personal data in such an unlawful manner thereof, and relevant awareness and control activities are carried out in this regard;
Company employees are subject to disciplinary actions relating to data security;
Our employees are informed about the fact that their obligations not to disclose to others any personal data they have in possession in any manner as contrary to the provisions of the Law and not to process such personal data for any purpose other than the intended purpose for processing of such personal data shall continue to be applicable to them even after they have left their job and such employees provide a written commitment not to disclose or process such personal information thereof;
Corporate policies on access, data security, use, storage, and disposal of personal data are issued and implemented;
The agreements as executed by and between the Company and the parties, to whom personal data are transferred in compliance with applicable law, contain provisions ensuring that the parties, to whom personal data are transferred, shall take the necessary security measures for the protection of such personal data and ensure compliance with such measures in their own institutions thereof;
The scope of access to personal data by our company employees is determined based on the roles and responsibilities/functions of such employees, and their authorities to access such personal data are limited accordingly whereas their authorities are periodically reviewed, an authorization matrix is designated, and the authorizations of the employees who leave their job or are subject to reassignment are removed thereof;
Recent developments on the data security, right of privacy, and protection of personal data are followed and necessary legal and technical consultancy services are procured in order to take any necessary actions thereof;
Compliance of collaborated data processors and other data controllers to the Law and secondary legislation is investigated, necessary instructions are provided, and their awareness on compliance is ensured;
Any issues about personal data security are duly reported without delay;
Personal data security is subject to follow-up;
Personal data volume is reduced as much as possible;
Personal data are subject to backup and the security of such backed-up personal data is also ensured;
Internal periodic and/or random controls are performed and/or caused to be performed;
Current risks and threats are identified;
Protocols and procedures for the security of sensitive personal data have been determined and implemented;
Necessary security measures are taken for entry to and exit from the environments/media containing personal data;
The environments containing personal data are protected against external risks (e.g. fire, flood, etc.);
Awareness of service providers who process personal data is ensured for data security;
Technical staff is employed accordingly; and
The system ensuring timely reporting to the relevant personal data owner and the Personal Data Protection Board in case of any unlawful access to such personal data by unauthorized parties has been established and implemented.
Physical Actions Taken for Personal Data Security
Occupation-based physical access measures are taken at the locations where personal data are stored;
Documents as well as archiving/storage equipment containing personal data are stored in locked cabinets;
Card pass systems are used in working spaces;
Working spaces are monitored by closed-circuit camera system (CCTV) without intrusion to the privacy of the employees;
Documents and storage equipment containing personal data are securely disposed of, and are subject to backup to prevent data loss in line with the rules and principles as provided under the Law on the Protection of Personal Data and this Policy thereof.
Procedure to be Followed for Unauthorized Disclosure of Personal Data
Pursuant to article 12 of the Law, the Company notifies the relevant data owner and the Board as soon as possible, and within 72 hours at the latest, after determining that the processed Personal Data have been unlawfully accessed by third parties.
Auditing the Actions Taken for the Protection of Personal Data
Pursuant to article 12 of the Law on the Protection of Personal Data, the Company performs, or causes to be performed, internal audits every 6 months as required thereof. The audit results are reported to the relevant department within the scope of the internal procedures of the Company and the necessary actions are taken in order to improve the measures taken thereof.
Raising Awareness and Supervision of the Employees on Protection and Processing of Personal Data
The Company ensures organization of necessary training to be provided to its current employees and new employees recently recruited in any business unit, in order to raise awareness on prevention of unlawful processing of and unlawful access to personal data as well as ensuring protection of such personal data thereof. The current employees of the Company are provided with awareness training every 4 months thereof.
Providing Clarification to the Personal Data Owner
During the collection of Personal Data as per article 10 of the Law, the Company provides clarification/information to the personal data owner about the identity of the Company representative, if any, intended purposes for processing of Personal Data, to whom and for what purposes such Personal Data as processed may be transferred, the method for collection of Personal Data and legal basis thereof as well as the rights of the Personal Data Owner thereof.
Rights of the Personal Data Owner
Pursuant to article 11 of the Law, the Company provides information to the personal data owners about their rights as follows:
Learning about whether such personal data are processed;
Requesting for information if such personal data have been processed;
Learning about the purpose for processing of personal data and whether such personal data are used in line with their intended purposes thereof;
Being informed about domestic or foreign third parties to whom such personal data are transferred;
Requesting for correction of any incomplete or inaccurate information in case such personal data as processed contain any incomplete or inaccurate information thereof;
Requesting for deletion or disposal of personal data within the scope of the conditions as provided in article 7 of the Law thereof;
Requesting for notification of the processes carried out pursuant to items (d) and (e) of Article 11 of the Law to the third parties to whom such personal data have been transferred;
Raising an objection in case of any result against the personal data owner arising out of the analysis of the processed data exclusively through automatic systems; and
Requesting for compensation of damages in case the personal data owner incurs damages and/or loss due to unlawful processing of its personal data.
Exercising of the Rights by the Personal Data Owner
Personal data owners may submit to the Company their requests for exercising their rights as defined in this Policy through our website at by the methods as described in our website, by completing the "Application Form" and complying with the conditions as provided in the "Application Form" thereof.
Petition Right of the Personal Data Owner to the Personal Data Protection Board
If the application as submitted by the personal data owner is rejected by the Company, or the personal data owner considers that the response provided was not satisfactory, or the Company fails to provide a response in due time, the personal data owner shall be entitled to submit an official complaint to the Board within thirty (30) days from the receipt of the response and in any case, within sixty (60) days from the date of application thereof.
Data Controller's Right to Reject the Application of the Personal Data Owner
The Company is entitled to reject the application as submitted by the personal data owner in case certain conditions are met as described in this Policy. Conditions where the Company as the Data Controller is entitled to exercise its right to reject the application of the personal data owner are as follows:
Regarding the personal data subject to the application submitted by the relevant personal data owner;
In case such personal data are processed for purposes such as research, planning, and statistics, etc. after anonymization of such personal data through official statistics;
In case such personal data are processed for the purposes such as art, history, literature, or science or within the context of freedom of expression provided that such processing of personal data shall not violate or constitute any crime against national defense, national security, public safety, public order, economic security, right of privacy, or personal rights thereof;
In case such personal data are processed within the scope of preventive, protective, and intelligence actions as conducted by the competent public institutions and organizations as designated and authorized by law to ensure national defense, national security, public safety, public order, or economic security;
In case such personal data are processed by judicial or execution authorities in relation to investigation, prosecution, litigation, or execution;
In case processing of personal data is required for prevention of committing a crime or for criminal investigation;
Processing of personal data as previously made public by the personal data owner;
In case processing of personal data is required for the performance of supervisory or regulatory functions as well as disciplinary investigation or prosecution by the competent public institutions and organizations as well as public professional organizations as designated and authorized by law;
In case processing of personal data is required for the protection of the economic and financial interests of the State in relation to budgetary, taxation, and financial matters;
In case the request of the relevant personal data owner may potentially hinder the rights and liberties of others;
In case of requests requiring disproportionate efforts; and
In case the requested information is publicly available information, then
the Company as the Data Controller may exercise its right to reject the application thereof.
As per the resolution of the Company senior management, the Personal Data Committee was formed within the Company for the management of this Policy as well as other policies arising out of and in relation to this Policy thereof. The Personal Data Committee shall be authorized and be responsible for the performance of all necessary procedures for storage and processing of the personal data of Personal Data Owners in compliance with the applicable law, this Policy as well as other policies arising out of and in relation to this Policy thereof. The main responsibilities of the Personal Data Committee are as follows:
Drafting basic policies on Protection and Processing of Personal Data, and submitting such policies to the senior management for approval of the same for implementation;
Deciding on the performance and procedures for implementation and control of the policies on Protection and Processing of Personal Data, ensuring internal assignment and coordination within this scope, and submission of the same to the senior management for approval thereof;
Determination of the actions required to ensure compliance to the Law on the Protection of Personal Data and applicable legislation, and submission of such required actions to the senior management for approval as well as ensuring supervision and coordination of the implementation of such actions thereof;
Raising awareness about the Protection and Processing of Personal Data within the Company as well as in other institutions that the Company collaborates with;
Determination of any potential risks relating to the processing of personal data by the Company and ensuring that all necessary actions are taken as well as submission of proposals for improvement to the senior management for their approval;
Designation and ensuring implementation of training activities for the protection of personal data as well as for the implementation of the policies thereof;
Providing the ultimate and final resolution of the applications as submitted by personal data owners;
Coordination of informing and training activities to ensure that personal data owners are duly informed about the operations regarding the processing of personal data as well as about their legal rights thereof;
Drafting amendments to basic policies on Protection and Processing of Personal Data, and submitting such policies to the senior management for approval of the same for implementation;
Following the developments and regulations on the Protection of Personal Data, providing the senior management with recommendations on the actions as required to be taken within the Company in line with such developments and regulations thereof;
Coordination of the relationship between the Committee and the Personal Data Protection Board thereof; and
Performance of other functions to be assigned by the senior management of the Company on the protection of personal data.
The Company reserves the right to make changes to this Policy and other policies arising out of and in relation to this Policy in line with any amendment to the Law and secondary legislation as well as any resolutions of the Committee and/or any developments in the industry or informatics thereof. Any changes to this Policy are immediately incorporated into the text and any comments relating to such changes are provided in this section.
01/06/2020: This Policy on the Processing and Protection of Personal Data entered into force upon approval by the Company thereof.