The main purpose of the Personal Data Protection, Processing, and Deletion Policy is to inform the relevant individuals about the methods our company implements for the processing, protection, and deletion of personal data in compliance with the law. Within this framework, the aim is to ensure transparency by informing individuals, primarily our website members, customers, and potential customers, as well as our employees, job applicants, managers, company visitors, employees of companies we collaborate with, and other individuals whose personal data is processed, about the methods implemented to protect and delete these data.
The Personal Data Protection, Processing, and Deletion Policy covers all personal data, whether processed through automated or non-automated means, of website members, customers, potential customers, employees, job applicants, managers, company visitors, employees of companies we collaborate with, and third parties.
Objectives
Our company takes the necessary measures to ensure the processing, protection, and deletion of personal data in compliance with the law by creating internal procedures.
Definitions
- Explicit consent: Informed, freely given, and specific consent on a particular subject.
- Anonymization: Rendering personal data in a way that the identity of a real person is no longer determinable, even when matched with other data.
- Data subject: The real person whose personal data is processed.
- Personal data: All kinds of information related to an identified or identifiable real person.
- Processing of personal data: Any operation performed on personal data, whether fully or partially automated or not, including collection, recording, storage, preservation, alteration, disclosure, transfer, retrieval, making available, categorization, or use.
- Board: Personal Data Protection Board.
- Institution: Personal Data Protection Institution.
- Law: Law on the Protection of Personal Data.
- Data processor: Real or legal person who processes personal data on behalf of the data controller.
- Data recording system: Record system where personal data is structured according to specific criteria.
- Data controller: Real or legal person who is responsible for determining the processing purposes and means of the personal data, and for establishing and managing the data recording system.
Principles for Processing Personal Data
- Compliance with the law and fairness: Our company acts in compliance with the law and fairness when processing personal data, taking into account the principles of proportionality and necessity.
- Accuracy and currency: Our company takes care to ensure the accuracy and currency of personal data it processes and takes the necessary measures for this purpose.
- Processing for specific, explicit, and legitimate purposes: Our company processes personal data only to the extent required for the service provided and in relation to the purpose of processing. If the purpose of processing personal data is not clear due to the nature of the service provided, the purpose is additionally presented to the data subjects. Personal data are not processed for purposes other than those specified.
- Being relevant to the purpose: Personal data are processed to the extent necessary for achieving the purpose and are not processed in cases that are not necessary.
- Being kept for the period required by the relevant legislation or for the purpose of processing: Our company keeps the processed personal data in accordance with the periods stipulated by the Law or limited to the purpose of processing.
Principles of Processing Personal Data
Our company acts in compliance with the conditions specified in the Law and the related legislation during the processing of personal data. In this context, personal data is processed if the conditions are met; otherwise, personal data is not processed or, if processed, the processing is stopped. As a general rule, personal data are processed with the explicit consent of the data subjects. However, in the presence of the following situations specified in the Law, personal data may be processed without the explicit consent of the related individual:
a) When explicitly prescribed by the laws.
b) When it is obligatory for the protection of life or physical integrity of the individual who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid, or someone else.
c) When it is directly related to the establishment or execution of a contract and is necessary for the performance of the contract, provided that the processing of personal data belonging to the parties is required.
ç) When it is obligatory for the data controller to fulfill his/her legal obligation.
d) When the data subject discloses his/her personal data himself/herself.
e) When data processing is obligatory for the establishment, use, or protection of a right.
f) When data processing is obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Personal data considered to be of a more sensitive nature are not processed without the explicit consent of the data subject. The Law allows for special measures to be taken when processing special categories of personal data. Within this scope, when processing personal data of a more sensitive nature, the measures determined by the Board are taken. On the other hand, personal data of a more sensitive nature, except for data related to health and sexual life, may be processed without the explicit consent of the data owner in cases stipulated by laws.
Ensuring the Security of Personal Data
Our company takes advantage of technological possibilities to ensure the legal processing and storage of personal data and takes necessary technical and administrative measures. Employees, business partners, and suppliers, in the course of their work, are informed not to disclose personal data unlawfully to third parties and not to use them for purposes other than processing, and necessary commitments are obtained from them. Our company uses technological possibilities and takes necessary technical and administrative measures to prevent unauthorized or unlawful disclosure, access, or transfer of personal data.
Transferring Personal Data
Our company acts in compliance with the regulations specified in the Law and establishes the necessary organization for the transfer of personal data to domestic and foreign institutions and organizations. Necessary security measures are taken when transferring personal data in line with the processing purposes. Mechanisms are established and preventive measures are taken to prevent the illegal processing of personal data by others if the processed personal data are unlawfully obtained by others.
Rights of the Data Subject
Our company makes the necessary arrangements for the use of rights within the scope of the Law by data subjects whose personal data are processed. In accordance with the Law, data subjects have the following rights:
- Learning whether personal data is processed,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data are transferred, within the country or abroad,
- Requesting correction of personal data if it is incomplete or incorrectly processed,
- Requesting deletion or destruction of personal data within the framework of the conditions set out in the relevant law, if the reasons requiring processing are removed,
- Requesting the notification of the transactions made pursuant to subparagraphs (e) and (f) to third parties to whom personal data are transferred,
- Objecting to the occurrence of a result against the individual himself by analyzing the processed data exclusively through automated systems,
- Requesting the compensation of the damage if he/she suffers damage due to the unlawful processing of personal data.
If the data subject wishes to exercise one of the rights listed above, the request is met within a maximum of 30 days, free of charge. If the requests require an additional cost, this cost may also be requested from the data subject.
Security and Privacy
Our company takes the necessary technical and administrative measures