Chapter 1. Purpose and Effectiveness of the Policy

Law No. 6698 on Protection of Personal Data (“Law”) came into force on 7 April 2016. The law sets out the procedures and principles regarding the processing of personal data by real or legal persons who are classified as “data responsible” of personal data and determine the purposes and means of processing personal data, and who are responsible for the establishment and management of the data recording system.

Personal data within the scope of the Law as “any information related to the real person whose identity can be determined or determined”; Processing means “obtaining, saving, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classification of the business data, which is fully or partially automated or non-automated provided that it is part of any data recording system. or any operation performed on the data, such as the prevention of its use".

The law, among other regulations, imposed an obligation on data subjects to inform / enlighten data owners whose personal data will be processed during the acquisition of personal data. According to the 10th article of the Law, data officers;
-The identity of the data controller and its representative, if any,
-For what purpose the personal data will be processed,
-To whom and for what purpose the processed personal data can be transferred,
-The method and legal reason of collecting personal data,
-Other rights listed in article 11 of the Law should inform them.
This document (“Politics”) has been written for the purpose of enlightening the real persons who have processed their personal data as the data controller of our Company within the scope of the above mentioned article. The subject of this Policy is our Company's customers, shareholders of corporate customers, officials and employees, potential customers, shareholders of our business partners and suppliers, officials and employees, and candidates working with our company, former employees and trainees and retired people, visitors, company officials and shareholders, business partners and supplier candidates and other third parties, and the issues related to the processing of personal data related to our employees are regulated within the scope of a separate policy text presented to the employees in accordance with the Law.


Chapter 2. Scope of the Law and Our Company's Rights and Obligations Arising from the Law

I.General Principles for the Processing of Personal Data

Pursuant to Article 4 of the Law, personal data should be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data supervisors are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the lighting obligation mentioned in Section 1 above.

-Being in compliance with the law and honesty rules.
-Being accurate and up to date when necessary.
-Processing for specific, clear and legitimate purposes.
-Being connected, limited and restrained for the purpose for which they are processed.
-Preservation for the period required by the relevant legislation or for the purpose for which they are processed.

II.Personal Data Processing and Sharing Purposes Under the Law

a. Purposes for the Processing of Personal Data
According to the law, personal data cannot be processed as a rule without the explicit consent of the data subject. However, the Law has set out certain situations in which data can be processed without express consent in terms of personal data and special personal data under Articles 5 and 6.

Personal data in accordance with Article 5;
-Clearly prescribing data processing in law,
-It is compulsory to process related data for the protection of the life or body integrity of the person or someone else who is unable to explain his consent due to actual impossibility or whose legal validity is not given,
-Providing the processing of personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,
-Data processing is mandatory for the data controller to fulfill its legal obligation,
-Personal data is publicized by the person concerned,
-Data processing is mandatory for the establishment, use or protection of a right,
-Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned,
Even if the data subject does not have a prior consent of the data subject (provided that the necessary lighting is provided), it can be processed.

On the other hand, the Law is biometric with its data on the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures. and defined genetic data as “special” or “sensitive” personal data, and stipulated harsher conditions for their processing. Accordingly, special personal data can only be processed under the following conditions, except in cases where the consent of the data owner is explicitly agreed:

  -People's race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, criminal conviction and security measures data, and biometric and genetic data can be processed in cases stipulated by law. -Personal data related to health and sexual life can only be processed by individuals or authorized institutions and organizations that are under an obligation to keep secrets for the purpose of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, planning and managing health services and financing.

b. Purposes for Sharing Personal Data

In accordance with data processing, sharing (transfer) of personal data with a third party is also subject to the explicit consent of the data owner concerned. However, according to article 8 of the Law, data transfer can be carried out under conditions where data processing is permitted, and in this direction, even if the data owner's consent is not available, in case of the conditions specified in Section 2.II.a above, personal data or personal data can be transferred.

The law has made the transfer abroad to special conditions in relation to the transfer of personal data to third parties. Accordingly, personal data;
-If the data subject has explicit consent, or
-In cases where the data subject does not have explicit consent but one or more of the other conditions mentioned above are met;
-Adequate protection in the country where the data is transferred, and
-If there is not enough protection in the country where the data is transferred, it can be transferred abroad provided that the data officer undertakes adequate protection in writing with the data responsible in the relevant foreign country, and the permission of the Personal Data Protection Board is obtained.


III.Cases Outside the Scope of the Law

In accordance with Article 28 of the Law, the Law will not be applied in the following cases:

-Processing of personal data by real persons within the scope of activities related to him or his family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
-Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
-Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
-Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defense, national security, public security, public order or economic security.
-Processing of personal data by judicial authorities or enforcement authorities regarding investigations, prosecutions, trials or execution proceedings.


Chapter 3. Processing of Personal Data by Our Company

I.Categorization of Personal Data Processed by Our Company

Personal data are processed by our company under the categories defined below:

Data Category
Identity Information Information contained in documents such as driver's license, identity card, residence, passport, attorney ID, marriage certificate (eg passport no., Identity card serial number, name-name, photograph, place of birth, date of birth, age, registered to the population where it is, example of a valid identity card) Communication information Information used to communicate with the Person (eg e-mail address, phone number, mobile phone number, address) Location Data Data for locating the data subject (eg location data obtained during vehicle use) Customer information Information about customers benefiting from our products and services (eg customer number, job information, etc.) Customer Transaction Information Information on any transaction performed by customers benefiting from our products and services (eg requests and instructions, order and shopping cart information, etc.) Physical Field Security Information Personal data on records and documents received during entry into the physical space, during the stay in the physical space (eg entry-exit logs, visit information, camera recordings, etc.) Transaction Security Information Personal data processed to ensure the technical, administrative, legal and commercial security of our company and related parties (eg, information such as website password and password indicating that the transaction associated with the personal data owner is authorized to match that person and the person doing that transaction) Risk Management Information Personal data processed to manage our company's commercial, technical and administrative risks (eg IP address, Mac ID etc. records) Financial Information Personal data within the scope of information, documents and records showing any financial results created according to the type of legal relationship existing with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, credit amount, card information, loan payments, interest amount to be paid and rate , debt balance, receivable balance etc.) Personal Information Personal data that are the basis of the personal rights of the employees of the company's suppliers (any information and documents that should be entered into the personal file by law) Employee Candidate Information Personal data (such as CV, interview notes, personality test results etc.) belonging to data owners who share their information to apply for a job at our company, used in the application evaluation process. Employee Transaction Information Personal data related to any kind of work performed by the company's employee of the company (eg entry-exit records, business trips, information regarding the meetings attended, security query, mail traffic tracking information, vehicle usage information, company card expenditure information) Employee Performance and Career Development Information Personal data processed for the purpose of measuring the performance of the company's supplier employees and planning and executing career developments within the scope of human resources policies (eg performance evaluation reports, interview results, career development trainings) Benefits Information Personal data processed for the follow-up of the Company's benefits and benefits offered to the supplier employees and for the benefit of the supplier employees (eg private health insurance, vehicle allocation) Marketing Information Data to be used by our company in marketing activities (eg the habits of the person collected for use for marketing purposes, reports and evaluations showing their likes, targeting information, cookie records, data enrichment activities) Legal Action and Compliance Information Personal data processed for the determination and follow-up of legal receivables and rights, and for the performance of debt and legal obligations (eg data contained in documents such as court and administrative decision) Audit and Inspection Information Personal data processed within the scope of our company's legal obligations and compliance with company policies (eg audit and inspection reports, related interview records and similar records) Special Qualified Personal Data Individuals' race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data Request / Complaint Management Information Personal data regarding the receipt and evaluation of any requests or complaints addressed to our company (eg requests and complaints about the company, records and reports related to them) Audiovisual Data Audiovisual recordings associated with the personal data subject (eg photos, camera recordings and sound recordings)


II.Purposes of Processing Personal Data by Our Company

Our company processes personal data within the scope mentioned above for the following purposes:

-Planning, auditing and enforcement of information security processes
-Creation and management of information technologies infrastructure
-Planning and execution of benefits and benefits for employees
-Planning and / or execution of corporate communication for employees and / or corporate social responsibility and / or non-governmental organization activities with which employees participate.
-Planning and execution of employees' access to information
-Follow-up and / or audit of employees' business activities
-Follow-up of financial and / or accounting affairs
-Tracking of legal affairs
-Planning of human resources processes
-The planning and / or execution of the activities of the activity / efficiency and / or on-site analysis of the business activities
-Planning and execution of business activities
-Planning and execution of business partners and / or suppliers' access rights to information
-Management of relations with business partners and / or suppliers
-Planning and / or execution of occupational health and / or safety processes
-Planning and / or execution of business continuity activities
-Planning and execution of corporate communication activities
-Planning and execution of corporate management activities
-Planning and execution of logistics activities
-Planning and execution of customer relationship management processes
-Planning and / or execution of customer satisfaction activities
-Follow-up of customer demands and / or complaints
-Execution of personnel procurement processes
-Fulfillment of labor contract and / or legislative obligations for company employees
-Planning and execution of company audit activities
-Planning and execution of external training activities
-Planning and execution of operational activities required to ensure that company activities are carried out in accordance with company procedures and / or relevant legislation.
-Planning and / or execution of in-company training activities
-Planning and execution of in-company orientation activities
-Ensuring the security of company operations
-Within the scope of our Company's Shopping Loan service and similar services, your TCKN information and other necessary information are shared with our business partners in our Shopping Loan process, especially the banks, and your pre-approved credit limits can be displayed to you during your shopping.
-Ensuring the security of company premises and / or facilities
-Planning and / or execution of processes for establishing and / or increasing commitment to the products and / or services offered by the company
-Planning and / or execution of the company's production and / or operational risk processes
-Performing company and partnership law transactions
-Follow-up of contract processes and / or legal requests
-Strategic planning activities
-Planning and execution of supply chain management processes
-Compensation Management
-Planning and execution of production and / or operation processes
-Planning and execution of market research activities for the sales and marketing of products and services
-Planning and execution of marketing processes of products and / or services
-Planning and execution of sales processes of products and / or services
-Ensuring that the data are correct and up to date
-Giving information to the authorized institutions from the legislation
-Creating and following up visitor records

III.Transfer of Personal Data by Our Company and Categorization of Data Transfer Parties

Personal data may be transferred to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the above mentioned purposes.


IV.Procedure of Processing Personal Data by Our Company

Our company enlightens data owners in accordance with Article 10 of the Law before obtaining personal data from data owners within the scope of its obligations arising from the Law as a data controller. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Section 2.II.a and b above, the explicit consent is obtained from the data owners and the related processes are carried out within the framework of the mentioned consent.
Within the scope of the law, open consent is defined as “consent related to a particular subject, based on information and declared with free will”, and accordingly, our Company provides its open consent after enlightening the data owners in accordance with Article 10 of the Law.
Although no period has been determined for the retention of personal data under the law, it is essential that the personal data be maintained for the period prescribed in the relevant legislation or required for the purpose for which they are processed in accordance with general principles. Our company makes an assessment based on the legislation in force and the purpose of the process in order to determine retention periods in accordance with the said principle. In this regard, our Company keeps personal data at least as long as required by its legal obligations and in any case until the relevant expiry periods expire.
Our company anonymizes, deletes or destroys personal data in accordance with the Law, after the purpose of processing related personal data disappears within the scope of any process, including the expiration of the mentioned periods. Anonymization within the scope of the law is defined as “making the personal data not to be associated with a certain or identifiable natural person by any means even by matching with other data” and our company anonymization activities are carried out in accordance with the current legislation.

V.Personal Data Security

Our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to ensure the security of personal data. In this context, the following minimum actions are taken by our Company:
-Taking software and hardware security measures appropriate to the personal data processed
-Carrying out the inspections envisaged under the Law
-Ensuring compliance of the Company and its employees with the Law through internal trainings, policies and procedures
-Providing and recording access to information on the basis of necessity with internal authorizations
-Follow-up of personal data processing activities on a process basis
-Contractual commitments regarding the protection and security of personal data in relations with suppliers

Chapter 4. Rights of Data Owners Arising from the Law

I. Data Owners' Rights

According to Article 11 of the Law, personal data owners;

Learning whether personal data is processed about it, Requesting information about it if personal data is processed about it, Learning the purpose of processing personal data and whether it is used in accordance with its purpose, Knowing the third parties to whom personal data is transferred at home or abroad, Missing or wrong personal data requesting correction if they have been processed, requesting the deletion or destruction of personal data in case the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the Law and other relevant laws, notifying the third parties to whom the personal data has been transferred as a result of requests for correction, deletion and destruction. Request, to object to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems, It has the right to demand the removal of the damage in case it is damaged due to being processed against it.

Paragraph 2 of article 28 of the Law regulated that in certain cases, the data owner cannot make a request from the data controller other than compensation for his losses. According to this,

Personal data processing is necessary for the prevention of crime or criminal investigation,
Processing of personal data publicized by the person concerned,
The fact that personal data processing is necessary for the disciplinary investigation or prosecution by executing auditing or regulatory duties and by disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and public institutions on the basis of the authority given by the law, The personal data processing is necessary for the protection of the State's economic and financial interests in relation to budget, tax and financial matters,
In the case of the related data, the rights set out above cannot be used.

II.Exercise of Rights

Data owners will be able to use the Application Form [HKY1] to exercise the rights mentioned above.

Applications must be forwarded to the "Konutkent Mah. Dumlupınar Boulevard West Gate Residence C Blok Daire: 231 Çankaya-Ankara" address, together with documents that will identify the relevant data subject, either by hand or by a notary or by other methods specified in the Law. It can be realized by e-mail sent to the Company via the e-mail address previously reported and registered in our Company system. If a method other than the methods mentioned by the Personal Data Protection Board is envisaged, applications can also be transmitted by this method. The requests of the data subject transmitted by one of the above mentioned methods are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to assess whether the applicant is the owner of the relevant data.
Data owner applications are considered free of charge by our Company as a rule. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data subject, our Company will have the right to demand payment over this fee.

DOWNLOAD KVK APPLICATION FORM