Data Protection and Processing Policy


The Personal Data Protection Law of the Republic of Turkey was prepared after many years of work within the framework of compliance with the European Union criteria and came into force by being published in the Official Gazette dated 07 April 2016.

KVKK contains regulations largely in the same direction as the European Union's directive 95/46/EC, and with the entry into force of KVKK, the protection of individuals' personal data in a holistic regulation has been regulated.

Since the data of legal entities are already protected by the relevant laws in force, the concept of personal data has been regulated in a way that provides protection only for natural persons, in line with the KVKK and the European Union regulations.

With the KVKK, regulations have been made regarding the protection of personal data of the person and the use of the rights specified in Article 11 of the Law, and the content includes the definition and classification of personal data, processing of personal data, obligation to inform, express consent and exceptions, obligations of real and legal persons who process personal data. It regulates issues such as determination, establishment of the Personal Data Protection Authority, complaint application procedures and sanctions.
 
Within the framework of the principles of superior service quality, respect for individuals' rights, transparency and honesty adopted as Oloma Software (hereinafter referred to as the "Company"), the internal functioning of our Company in line with the new regulations envisaged by the KVKK, secondary regulations, decisions and regulations of the Personal Data Protection Board. Regulation within the scope of final court decisions and other relevant legislation is among the priority issues of our company.
 
For this reason, this Policy has been drawn up and put into effect in order to benefit personal data owners from the rights brought by KVKK and to ensure compliance with the Law.

Purpose and Scope

2.1. The Policy aims to ensure that the regulations to be introduced by the Company within the framework of the basic principles explained above for compliance with KVKK are effectively implemented within the Company, by our Company's employees and business partners.

2.2. In line with the basic regulations envisaged by the Policy, administrative and technical measures introduced by the current legislation will be taken in terms of the processing and protection of personal data within the Company's operation, the necessary internal procedures will be established, all necessary trainings will be carried out to raise awareness, and the necessary measures within the scope of KVKK will be provided for employees and business partners to comply with KVKK processes. All measures will be taken and appropriate and effective control mechanisms, technological infrastructure, administrative and legal system will be established.
 
2.3. The Policy regulates the basic principles to be observed in all these processes and the issues that our Company is obliged to direct the internal functioning in accordance with the regulations introduced by KVKK. The internal procedures to be established within the framework of KVKK and relevant legislation will regulate the compliance activities that our Company will carry out regarding the protection of personal data. All employees of our company are obliged to act in accordance with the regulations introduced by this Policy, KVKK and all other relevant legislation while performing their duties.
 
2.4. In case of non-compliance with the Policy and the relevant legislative provisions, in addition to the criminal and legal liability stipulated by the legislative provisions, sanctions within the Company, depending on the nature of the incident, which may extend to the termination of the contract for justified reasons, will be applied within the framework of the legislation regulating business life.

Definitions
 
3.1. Explicit consent: It refers to consent regarding a specific issue, based on being informed and expressed with free will.
Since the burden of proof that the relevant person has been informed and enlightened will be on the data controller, the storage and protection of the relevant person's explicit consent and information records will be carried out in accordance with the company's internal procedures.
 
3.2. Anonymization: It refers to making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Personal data, various; However, it is possible to anonymize it for purposes and methods that do not violate the scope of KVKK and the Explicit Consent given by the relevant person. Necessary precautions will be taken within the company to prevent the anonymized personal data from becoming identifiable by various methods.
 
3.3. Relevant person: Refers to the real person whose personal data is processed.
The processing and protection of personal data and special personal data of our company's real or legal person customers, legal person business partners, shareholders, managers or employees, company consultants, consultants, solution partners, guests and our company employees will be handled by our Company within the scope of KVKK and Policy.
 
3.4. Personal data: It refers to any information regarding an identified or identifiable natural person.
All information that makes a person identifiable is regulated as personal data and is registered with the Republic of Turkey. Information such as identity or citizenship number, name-surname, e-mail address, telephone number, address, date of birth, bank account number can be given as examples of personal data. This data has been classified within our company, and issues such as how, by whom, for what purpose and for how long different personal data in separate categories can be processed are regulated by the Personal Data Processing Inventory.

 3.5. Processing of personal data:
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system, It refers to any operation performed on data, such as classifying or preventing its use.
 
3.6. Personal Data of Special Qualification: Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric data and refers to genetic data.
 
3.7. Data processor: It refers to the real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Who the personnel who are authorized to access personal data and process these data within the meaning of KVKK, to what extent, for what purpose and for how long these personnel can access the data, and the operations they can perform on the data are determined on a departmental basis with internal procedures.
 
3.8. Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
 
EXECUTION OF THE POLICY AND RESPONSIBILITIES
 
4.1. The Company, as the Data Controller, is responsible for the implementation of this Policy in terms of regulating all internal operations and processes.
 
4.2. A governance model will be established and implemented by the Company to implement the regulations, procedures, guides, standards and training activities to be prepared in line with this Policy within the Company.
 
4.3. All employees, business partners, guests and all relevant third parties throughout the Company are obliged to cooperate with the Company in preventing legal responsibilities, risks and dangers that may arise in accordance with the provisions of the relevant legislation, as well as compliance with the Policy.
 
4.4. All departments and bodies of the Company and all relevant personnel are obliged to act in accordance with the Policy and ensure compliance with the provisions of the Policy.
 
4.5. This Policy will be announced within the Company and will also be accessible at all times by uploading to common information technology systems. Additionally, this Policy is published on the Company website. Any changes that will occur in the Policy will be updated to the information processing system and website, and thus data owners will be informed by reaching the principles stipulated in the Policy.
 
4.6. In case of a conflict between the Policy and the applicable legislative provisions, the Company accepts that the legislative provisions will be applied in its capacity as Data Controller.
 
PERSONAL DATA PROCESSING PRINCIPLES
 
5.1. General Principles in Processing Personal Data

The Company accepts that it will process the personal data within the scope of this Policy in accordance with the following principles in accordance with Article 4 of the KVKK:
 
 5.1.1. Compliance with the law and the rule of honesty
The Company, as the Data Controller, accepts that it will carry out personal data processing activities in accordance with all current and future legislation provisions, especially the Constitution and KVKK, and in accordance with the rule of honesty stipulated in Article 2 of the Turkish Civil Code.
 
 5.1.2. Accuracy and timeliness
In its personal data processing activities, the Company takes all necessary measures within the scope of KVKK to ensure the accuracy and up-to-dateness of personal data to the extent technically permitted. Administrative and technical mechanisms established by the Company will be operated to correct inaccurate or outdated personal data and to check its accuracy, in line with the requests to be notified to the Company by the relevant person as the Data Controller and situations that the Company deems necessary.
 
 5.1.3. Processing for specific, clear and legitimate purposes
Personal data is processed by the Company in accordance with the law, limited to the requirements of the relevant legislation and the services offered or to be offered, and the purpose of processing personal data is clearly and precisely determined before the data is processed.
 
5.1.4. Processing data in a limited and measured manner in connection with the purpose for which they are processed
Personal data is processed by the Company in connection with and limited to the purposes for which it is processed and to the extent necessary to achieve this purpose. In this context, it is essential to avoid processing personal data that is not related to the purpose of processing the data and is not needed.
 5.1.5. Processing limited to the period stipulated by the legislation or required by the purpose of processing.
Personal data is retained in line with the periods stipulated by the relevant legislation provisions or for the period required by the purpose of processing the data. At the end of the period stipulated by the legislation provisions or the period required by the purpose of processing the data, personal data is deleted, destroyed or anonymized by the Company. Necessary administrative and technical measures will be taken to prevent data from being retained beyond the required period.
 
TERMS OF PROCESSING OF PERSONAL DATA

Article 5 of the KVKK regulates the conditions for processing personal data. The processing of personal data by the company is carried out in accordance with the following conditions specified in the KVKK.

6.1. Existence of Explicit Consent of the Relevant Person
The main rule in the processing of personal data is that the relevant person has explicit consent for the processing of his or her data, in the absence of other data processing conditions. The Company will carry out data processing activities for the transactions covered by the consent, in line with the explicit consent of the relevant person upon being informed about the purpose for which it will be processed and in a clear manner that does not leave any room for hesitation, as stipulated by the KVKK.
 
6.2. Processing of Data Due to Legal Requirements
Pursuant to KVKK, even if there is no explicit consent of the relevant persons, in cases where it is necessary to process personal data in accordance with the legislation, data processing activities will be considered lawful, provided that other necessary criteria are met.
 
 6.3. The Processing of the Data of a Person Who Cannot Express His Consent Due to Actual Impossibility or Whose Consent Cannot Be Recognized as Legally Valid is Mandatory for the Protection of His or Herself or Someone Else's Life or Physical Integrity
Pursuant to KVKK, in cases where it is not possible for the relevant person to express his actual consent or his consent cannot be given legal validity, it is possible to process personal data if the processing of personal data is necessary to protect the life or physical integrity of the relevant person or someone else. The company will process personal data in cases stipulated in accordance with this regulation.
 
6.4. It is Mandatory to Process Personal Data of the Parties to a Contract, Provided That It is Directly Related to the Establishment and Performance of a Contract
Personal data of the parties to the contract will be processed by the Company, provided that it is directly related to the establishment and execution of the contract.

 6.5. It is mandatory for the Data Controller to fulfill its legal obligations
In order for the Company, which is the Data Controller in accordance with KVKK, to fulfill its obligations arising from the legislative provisions, personal data will be processed by the Company, subject to the limits of such obligation.
 
 6.6. Processing of Personal Data Made Public by the Relevant Person
If the relevant person makes his/her personal data public, such personal data will be processed by the Company in proportion to the purposes for which it is made public.
 
 6.7. Processing of Data Necessary for the Establishment, Exercise or Protection of a Right
Personal data will be processed by the Company to the extent necessary for the establishment, exercise or protection of a right.
 
 6.8. Processing of Personal Data for the Legitimate Interests of the Data Controller
Personal data may be processed in line with the legitimate interests of the Company, which is the Data Controller, provided that the fundamental rights and freedoms of the relevant person are not harmed. However, the expression of the Company's legitimate interests cannot in any way contradict the principles determined by the KVKK, the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.
 
CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
 
Article 6 of the KVKK regulates the processing conditions of special personal data. In line with the said article, special personal data includes data regarding individuals' ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures. and biometric and genetic data. All business processes within the company were examined, data with this status was determined, classified and transferred to the personal data inventory. The processing processes of special personal data by the Company are carried out in accordance with the following conditions specified in the KVKK.
 
7.1. Processing of Special Personal Data in Case of Explicit Consent of the Relevant Person
In accordance with KVKK, as a rule, it is prohibited to process special personal data without the explicit consent of the relevant person. In this context, as a primary principle, the Company will try to obtain the explicit consent of the relevant persons in order to process special personal data. Data processing activities will be carried out in line with the scope of the consent of the relevant person regarding the processing of special categories of personal data. The provisions stipulated in the KVKK regarding the processing of special personal data without explicit consent are reserved. The Company will carry out data processing activities by first checking whether the data processing conditions are met in the processing of special personal data.
7.2. Processing of Special Personal Data Due to the Reason of Legislative Provisions, Despite the Lack of Explicit Consent of the Relevant Person
In cases where it is foreseen that special categories of personal data can be processed by the legislative provisions, special personal data of the relevant person, other than the health and sexual life, may be processed in accordance with the provision of Article 6/3 of KVKK. In this case, the data processing activities to be carried out by the Company will be limited to the requirements of the underlying legislation.
 
 7.3. Processing of Special Personal Data Related to Health and Sexual Life, Subject to the Obligation of Confidentiality, for the Purposes of Execution of Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Management of Health Services and Financing
Pursuant to the KVKK, the processing of special personal data regarding the health and sexual life of individuals is subject to the express consent of the relevant persons, and in cases where there is no explicit consent, it is only for the purpose of carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. It is regulated that such personal data may be processed by persons who are under the obligation to keep it. The company may process special personal data regarding the health and sexual lives of persons who are under the obligation of confidentiality in accordance with the provisions of the legislation, in the relevant cases listed above, to the extent required by the provisions of this legislation.
 
 7.4. Precautions to be Taken in the Processing of Special Personal Data
In order to process special personal data, it is mandatory to take the measures determined by the Personal Data Protection Board in accordance with KVKK. The Company will process sensitive personal data in line with the measures to be determined by the Board.
 
TRANSFER OF PERSONAL DATA

Article 8 of KVKK regulates the transfer of personal data to third parties within the country. Compliance with the following criteria will be ensured in the processes regarding the transfer of personal data. It is the Company's responsibility to comply with all legislative provisions regarding the transfer of personal data and to adapt the transfer processes in accordance with the legislation provisions that are in force or will come into force.

8.1. Transfer of Personal Data Domestically

8.1.1. The relevant person has explicit consent for the transfer of personal data
In accordance with Article 8 of the KVKK, the main rule for the transfer of personal data to third parties is the explicit consent of the relevant person. The personal data of the relevant person will be transferred by the Company by carefully determining which personal data of the relevant person has consented to be transferred to third parties in the country and the groups of people to whom the personal data of the relevant person will be transferred and recorded in the data inventory.
 
 8.1.2. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the conditions for processing personal data are met.
In cases where the relevant person does not have explicit consent for the transfer of personal data within the country, articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7 of this Policy regarding the data processing conditions regarding the processing of personal data. and 6.8. It is possible to transfer personal data to third parties under the conditions explained in the articles and regulated by the 2nd paragraph of Article 5 of the KVKK.
 
 8.1.3. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the relevant conditions for the transfer of special personal data are met and required by the legislation.
Transfer of special personal data, other than health and sexual life, to third parties is possible even in cases where the relevant person does not have explicit consent to the processing activity to be carried out, since it is stipulated in the legislation that personal data can be processed in the manner specified in the legislation. In this case, the Company may transfer sensitive personal data to third parties by determining that the conditions set out in Article 7 of this Policy are met. The obligation to take necessary precautions regarding the processing of special personal data is also foreseen for the transfer of this data, and these measures will be taken by the Company.

8.2. Transfer of Personal Data Abroad

8.2.1. The relevant person must have explicit consent for the transfer of personal data abroad
In accordance with Article 9 of the KVKK, as a main rule, personal data cannot be transferred abroad without the explicit consent of the relevant person. For this reason, obtaining the express consent of the relevant person will be the basic principle for the transfer of personal data abroad by the Company. The personal data of the relevant person will be transferred by the Company by carefully determining which personal data of the relevant person has consented to be transferred to third parties abroad and taking into account the safe country list to be published by the Personal Data Protection Board.

 8.2.2. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the conditions for processing personal data are met.
In cases where the relevant person does not have explicit consent for the transfer of personal data abroad, articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7 of this Policy regarding the data processing conditions regarding the processing of personal data. and 6.8. Transfer of personal data to third parties abroad under the conditions explained in the articles and regulated by the 2nd paragraph of Article 5 of the KVKK is possible, provided that the safe country list to be published by the Personal Data Protection Board or other methods to be regulated by the Personal Data Protection Board is acted upon.

In accordance with Article 9 of the KVKK, in order to transfer personal data abroad, there must be adequate protection in the country to which the data will be transferred. The safe country list to be announced by the Board will be followed by the Company and included in the Company's internal processes. Until the safe country list is published by the Board, if it is necessary to transfer personal data abroad, personal data will be transferred abroad by the Company, provided that the Company, which will be the Data Controller, and the third party to whom the data will be transferred in the country to which the data will be transferred undertake adequate protection and are given permission by the Board.

After the announcement of the safe country list by the Board, if there is not sufficient protection in the country to which the data will be transferred, personal data will be transferred abroad, provided that the company that will be the Data Controller and the third party to whom the data will be transferred in the country to which the data will be transferred undertake adequate protection and have the permission of the Board.

DELETION, DESTRUCTION, AND ANONYMOSIS OF PERSONAL DATA

Even if personal data is processed in accordance with KVKK and other legislative provisions and this Policy, it must be deleted, destroyed or anonymized by the Company when the reasons requiring the processing of data are eliminated or upon the request of the relevant person. The Company will establish an administrative and technical structure suitable to fulfill all legislative provisions that are in force or will come into force regarding the deletion, destruction or anonymization of data.

OBLIGATIONS OF THE COMPANY AS DATA CONTROLLER

10.1. Lighting Obligation

During the acquisition of personal data, the company must inform the personal data owner about the following issues in line with Article 10 of the KVKK:

 a. Identity of the data controller and his representative, if any,
b. For what purpose personal data will be processed,
c. To whom and for what purpose personal data can be transferred,
 d. Method and legal reasons for collecting personal data,
e. Rights of the personal data owner

 In order for the Company to fulfill its obligation in accordance with the law, business processes and data collection channels have been reviewed, the identified issues have been classified and transferred to the inventory, necessary arrangements have been made and communication channels have been established for data owners to exercise their right to apply regarding their personal data.
 
10.2. Obligation to Ensure the Security of Personal Data

10.2.1. Obligation to prevent unlawful processing of personal data
In addition to processing personal data in accordance with the provisions of KVKK and other legislation and the principles and conditions regulated by this Policy, the Company is also obliged to take technical and administrative measures introduced by the legislation to prevent the processing of personal data in violation of the said obligations.
In this context, the Company has established systems to prevent the unlawful processing of personal data, has identified the relevant personnel and established procedures to supervise and control these systems. The company will also update the system by keeping track of any updates that may occur for both technical and legal reasons.

 10.2.1.2. Technical measures to be taken for the legal processing of personal data
Personal data processing activities carried out by company departments were analyzed and a "Personal Data Processing Inventory" was prepared in this context. The necessary administrative structure, hardware and software infrastructure is created to monitor and control all processes from collection to deletion of personal data.

 10.2.1.2. Administrative measures to be taken for the lawful processing of personal data
a. In order to inform all its personnel about the processing of personal data in accordance with the law and KVKK, the Company will prepare this Policy and the documents that will be required thereafter and deliver them to each personnel, organize the necessary training activities and keep the training participation documents in their personnel files.
 
b. The Company states that it must comply with the obligations stipulated by the KVKK in order to process personal data in accordance with the law, that personal data should not be disclosed, that personal data should not be used unlawfully, and that the obligation of confidentiality regarding personal data is fulfilled in all documents that regulate the relationship between the Company and its personnel and that contain personal data. It has added records that it continues even after the termination of the employment contract with the company, and failure of the personnel to comply with these obligations requires the imposition of sanctions that may lead to termination of the employment contract.
 
c. The Company limits access to personal data within the scope of the personal data inventory to be created and the authorization matrices created, in line with the purpose of processing and to the relevant personnel. It is not possible for all Company personnel to access all of the personal data processed by the Company as Data Controller, and action will be taken within the framework of access authorizations arranged according to departments.
 
d. All activities of the Company were analyzed and department-specific personal data processing activities were determined. The Company has made policies, procedures and other internal regulations to monitor whether the operations of the departments are carried out in a way that fulfills the obligations based on KVKK and this Policy and to ensure the continuity of these practices, and updates will be notified to the personnel using all communication channels. With the release of the update, new procedures and policies come into force; In order for the updates to be binding, it is not required that they be notified to the personnel.
 
10.2.2. Obligation to prevent unlawful access to personal data
 
10.2.2.1. Technical measures to be taken to ensure lawful access to personal data and preservation of personal data
 
a. The company will take measures in accordance with technical developments, periodically update and renew the measures taken depending on the speed of development of the technique, and have the reliability of the system tested through penetration tests and other methods. The Company will make all necessary efforts to comply with these new requirements if the Personal Data Protection Board makes regulations regarding such penetration tests and other security measures or refers to technical standards.
 
b. Access and authorization technical solutions will be implemented by the Company in accordance with the legal compliance criteria to be determined on a departmental basis, and software and hardware solutions will be implemented to meet the requirements of the measures specified in the administrative and technical measures table published by the Personal Data Protection Board.
 
c. The technical measures taken will be reported periodically to the relevant person in accordance with the internal audit mechanism. Risk-posing issues will be re-evaluated and necessary technical solutions will be produced.
 
d. The Company will install relevant security software and systems, including software and hardware containing virus protection systems and firewalls, on all systems used during its activities and authorized to access personal data.
 
e. Personnel knowledgeable in technical matters will be employed in terms of data security.
 
f. In order to access personal data in accordance with the law, access authorizations should be defined in line with the criteria to be determined on a departmental basis, the access and authorization of user accounts regarding the systems from which personal data will be accessed should be restricted and the devices that can access the systems should be limited.
 
g. The Company will ensure that the necessary software and hardware are installed to prevent external infiltration into the systems where personal data is stored and to monitor possible risks, have penetration tests carried out, ensure that the same security measures are taken in terms of backups to prevent data loss, and will ensure that the third real and/or third parties are working within the scope of disaster planning. It will make the necessary agreements with legal entities to take the security measures introduced by this Policy and to store the data in accordance with KVKK.
 
10.2.2.2. Administrative measures to be taken to access personal data in accordance with the law and to preserve personal data

a. All Company personnel will be trained on the technical measures to be taken to prevent unlawful access to personal data.
 
b. The Company will limit access to personal data to relevant personnel in line with the purpose of processing, in line with the personal data processing inventory to be created. All Company personnel should be prevented from accessing all personal data processed by the Company as Data Controller, and access authorizations should be regulated taking into account the purpose of data processing.
 
c. The Company shall include in all kinds of documents regulating the relationship between it and its personnel, that in order to process personal data in accordance with the law, it must comply with the obligations stipulated by the KVKK, that personal data must not be disclosed, that personal data must not be used unlawfully, and that the obligation of confidentiality regarding personal data is in accordance with the employment contract with the Company. Records were added that it continued even after its termination.

d. The company will prepare the procedure and all necessary documents regarding access authorizations to personal data and deliver them to all its personnel.
 
10.2.3. Audit of measures taken to protect personal data

In terms of the technical and administrative measures it will take, the company must establish systems to carry out the necessary inspections regarding the operation of the measures and to have them carried out. These audit results should be reported to the relevant department within the scope of the internal functioning of the Company and the necessary activities should be carried out to improve the measures taken.

By the company; Necessary processes should be designed to increase the awareness and control of departments, business partners and suppliers about the protection and processing of personal data, and periodic reporting and actions within the scope of the reports should be followed up, verification tests and audits should be carried out.

The Company is responsible, in accordance with Article 12 of the KVKK, for the third parties to whom it transfers personal data to fulfill their obligations to process and maintain the data in accordance with the law and to access the data in accordance with the provisions of this Policy and KVKK. For this reason, the Company must obtain commitments to meet these conditions in contracts to be made when transferring personal data to third parties and in all arrangements related to personal data transfer. Again, the Company must specifically inform all its personnel regarding the responsibilities arising from the transfer of personal data to third parties.

RIGHTS OF THE RELATED PERSON
 
In accordance with Article 11 of the KVKK, the relevant person, as the Data Controller, has the following rights against the Company:

a. To find out whether personal data has been processed and to request information if personal data has been processed,
b. To learn the purpose of processing and whether it is used in accordance with the purpose,
 c. Knowing the persons to whom personal data is transferred,
 d. To request correction in case of incomplete or incorrect processing and to request the deletion of personal data if the conditions are met and to request that these requests be forwarded to third parties,
 e. To object to the emergence of a result against oneself by analyzing the processed data exclusively through automatic systems,
 f. To claim damages in case of loss due to illegal processing.
 
In case personal data owners submit their requests regarding the rights listed above to the Company in writing or by other methods to be determined by the Board, in accordance with Article 13 of the KVKK, the Company must conclude the relevant request as soon as possible and within thirty days at the latest, depending on the nature of the request. If the request requires an additional cost, the fee at the tariff determined by the Board may be charged. If it is understood that the application is due to the Company's error, the fee received will be refunded to the relevant person.

While the relevant application is being finalized by the Company, information should be provided in a language and format that the relevant person can understand, and this information should be sent to the relevant person in writing or electronically, in line with the person's request or, if the person does not have a request, in line with the method chosen by the Company.

Depending on the nature of the request, the company may accept the application of the relevant person or reject it by explaining the reason. If the application is accepted, the requirements of the request will be fulfilled by the Company without delay.

Necessary warnings should be made to all personnel within the Company and awareness should be provided that the personal data owner has the right to complain to the Board within 30 days in cases where his/her application is rejected, the answer given is insufficient, or the application is not responded to in time.

EFFECTIVENESS AND UPDATES
 
This Policy entered into force on the date it was approved by the Company Management. The changes to be made in the Policy and the necessary work to put these changes into effect will be made by a governance model to be created, and the changes have entered into force with the approval of the Company General Manager.

The policy is normally reviewed and updated once a year. However, the Company reserves the right to review this Policy and, when necessary, to update, change or eliminate the policy and create a new policy in line with legislative changes, changes in a technical standard referred to, actions and/or decisions of the Personal Data Protection Board and court decisions.

The authority to decide on the repeal of the Policy belongs to the Company.







We use cookies to ensure that our site works well for you and so that we can continually improve it. Cookies that are necessary to keep the site functioning are always on.
You can access our cookie policy from here.