Company KVKK Policy

T.G.L. TETGLOBAL LOGISTICS INDUSTRY AND TRADE INC.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

T.G.L. TETGLOBAL LOGISTICS INDUSTRY AND TRADE INC. PERSONAL DATA PROTECTION AND PROCESSING INFORMATION FORM

Document: T.G.L. Tetglobal Logistics Industry and Trade Joint Stock Company Personal Data Protection and Processing Policy

Purpose: To inform all natural persons, except for the company employees, whose personal data is processed by T.G.L. Tetglobal Lojistik Sanayi ve Ticaret Anonim Şirketi, about the protection and processing of their personal data.

Prepared by: T.G.L. Tetglobal Logistics Industry and Trade Joint Stock Company Legal Consultancy

Approved by: T.G.L. Tetglobal Logistics Industry and Trade Joint Stock Company KVK Board

 

1- INTRODUCTION

As T.G.L. Tetglobal Logistics Industry and Trade Inc. (hereinafter referred to as “TGL” or the “Company”), the protection of personal data is a priority for us, and we strive to ensure compliance with relevant legislation and provide legal safeguards with the utmost care and effort.

This Personal Data Protection and Processing Policy of T.G.L. Tetglobal Logistics Industry and Trade Inc. (hereinafter referred to briefly as the “Policy”) outlines the principles adopted in the execution of personal data processing activities carried out by our Company and the fundamental principles regarding compliance with the regulations set out in the Law No. 6698 on the Protection of Personal Data (“Law”). By doing so, our Company aims to inform data subjects and ensure the necessary transparency.

All relevant information about the types of data we collect from individuals, the purposes of our data collection activities, the retention period and disposal of the collected data, data transfer issues, and your rights concerning your data is provided within this Policy.

2- SCOPE AND DEFINITIONS OF THE POLICY

This Policy pertains to all personal data of our customers, employees, job candidates, visitors, employees of institutions we collaborate with, and third parties, whether processed automatically or non-automatically as part of any data recording system.

RELEVANT PERSON CATEGORIES | DESCRIPTION
Company Stakeholder | Real persons who are the Company’s shareholders.
Business Partners | Individuals with whom the Company forms partnerships under contractual relationships within the scope of its activities.
Stakeholders, Authorities and Employees of Company Business Partners | All individuals, including employees, stakeholders, and representatives, of natural and legal persons (such as business partners and suppliers) with whom the Company has any kind of business relationship.
Company Official | They are the authorized real persons of the Company in accordance with the Turkish Commercial Code.
Employee/Intern | They are real persons who perform services in the Company under an employment contract. This category also includes real persons who are continuing their education but are completing their legally required internship/apprenticeship period within the Company.
Employee Candidate | They are real persons who have applied for a job with the Company through any means or who have made their CV and related information available for review by the Company.
Company Customer | They are real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
Potential Customer | Individuals who have shown interest in or requested the Company’s products and services, or who are assessed based on commercial practices and principles of good faith to potentially become customers.
Visitor | All individuals who enter the Company’s physical premises for various purposes or visit its websites for any reason.
Third Party | Individuals who are not part of the above-mentioned categories of relevant persons or Company employees.

The concepts used in this Policy have the following meanings:

Personal Data | Any information related to an identified or identifiable natural person.
Special Personal Data | Data related to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Processing of Personal Data | Any operation performed on data, whether collected or processed wholly or partially through automated or non-automated means as part of any data recording system, including obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, receiving, making available, classifying, or preventing the use of personal data.
Data Subject, Personal Data Owner or Data Subject | Refers to the Company’s stakeholders, employees, business partners, representatives, independent contractors, job applicants, visitors, Company customers, potential customers, third parties, and other individuals whose personal data is processed by the Company.
Recording Environment | Any environment where personal data is processed wholly or partially through automated means or non-automated means as part of any data recording system.
Data Controller | The natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Explicit Consent | Consent that is informed, specific to a particular subject, and given freely and voluntarily.
Destruction | The deletion, destruction, or anonymization of personal data.
Law | Refers to the Law No. 6698 on the Protection of Personal Data.
Personal Data Protection Board | Refers to the Personal Data Protection Board.
Anonymization of Personal Data | The process of making personal data irretrievable or unidentifiable to a specific or identifiable natural person, even when combined with other data.
Deletion of Personal Data | The deletion of personal data involves making the data completely inaccessible and unusable for the relevant users.
Destruction of Personal Data | The process of rendering personal data completely inaccessible, non-retrievable, and unusable by anyone.
Periodic Destruction | The deletion, destruction, or anonymization process performed periodically by the Company ex officio when all conditions for processing personal data specified in the law are no longer met.

3- PRINCIPLES OF PROCESSING PERSONAL DATA

All personal data processed by the Company is handled in accordance with the Personal Data Protection Law (KVKK) and relevant regulations. In compliance with Article 4 of KVKK, the Company processes personal data in a manner that is lawful, ethical, accurate, and up-to-date when necessary, with specific, explicit, and legitimate purposes. The processing of personal data is carried out in a manner that is relevant, limited, and proportional to the intended purpose. The principles adhered to by the Company during personal data processing are as follows:

  • Lawful and Ethical Processing: The Company processes personal data in accordance with legal regulations and the principles of general trust and fairness. The Company ensures proportionality in the processing of personal data and does not use the data beyond the requirements of its processing purpose.
  • Accuracy and Currency of Personal Data: The Company ensures that personal data is accurate and up-to-date, considering the fundamental rights of data subjects and its own legitimate interests.
  • Processing for Specific, Explicit, and Legitimate Purposes: The Company clearly defines the legitimate and lawful purposes for processing personal data. The Company processes personal data in connection with and to the extent necessary for the products and services it offers. The purpose of data processing is determined before the commencement of the data processing activity.
  • Relevance, Limitation, and Proportionality: The Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing data that is irrelevant or unnecessary for achieving those purposes.
  • Retention for the Duration Required by Relevant Legislation or the Processing Purpose: The Company retains personal data for the duration necessary for the processing purpose and in accordance with the minimum duration specified by relevant legal regulations, if applicable. The Company first determines if a retention period is prescribed by law and, if so, adheres to that period. If no legal retention period is specified, the data is retained for the duration necessary for the processing purpose. At the end of the retention period, personal data is disposed of in accordance with periodic destruction schedules, data subject requests, and designated destruction methods (deletion, destruction, or anonymization).

4- CONDITIONS FOR PROCESSING PERSONAL DATA

Apart from the explicit consent of the data subject, the basis for personal data processing activities may be one of the conditions listed below or multiple conditions may serve as the basis for the same personal data processing activity. In cases where the processed data is sensitive personal data, the conditions specified in section 3.3 (“Processing of Sensitive Personal Data”) of this Policy will apply.

  • Presence of the Data Subject’s Explicit Consent

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be provided based on information and freely given for a specific subject. However, in the presence of the personal data processing conditions listed below, personal data can be processed without the need for explicit consent from the data subject. For personal data that can be processed without explicit consent according to the law, the Company does not request explicit consent as required by legal regulations.

  • Explicit Provision in Laws

If the processing of the data subject’s personal data is explicitly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, this data processing condition will be considered applicable.

  • Inability to Obtain the Data Subject’s Explicit Consent Due to Physical Impossibility

If a person is in a situation where they cannot provide consent due to physical impossibility or their consent cannot be validated, and processing their personal data is necessary to protect the life or physical integrity of themselves or another person, their personal data can be processed.

  • Direct Relation to the Establishment or Execution of a Contract

If the processing of personal data is necessary for the establishment or direct execution of a contract to which the data subject is a party, this condition will be deemed fulfilled.

  • Fulfillment of the Company’s Legal Obligations

If processing is required for the fulfillment of the Company’s legal obligations, the personal data of the data subject can be processed.

  • Data Subject’s Disclosure of Personal Data

If the data subject has made their personal data public, the personal data can be processed for the purpose of the disclosure.

  • Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject can be processed.

  • Mandatory Data Processing for the Company’s Legitimate Interests

If data processing is necessary for the Company’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject, their personal data can be processed.

5- PROCESSING OF SENSITIVE PERSONAL DATA

Sensitive personal data are processed by our Company in accordance with the principles specified in this Policy, including methods determined by the Board, and with all necessary administrative and technical measures in place, under the following conditions:

Sensitive personal data, excluding health and sexual life data, may be processed without the explicit consent of the data subject if explicitly provided by the laws, meaning there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, explicit consent from the data subject will be required for the processing of such sensitive personal data.

Sensitive personal data related to health and sexual life may be processed without explicit consent by individuals or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning and management of health services and financing. Otherwise, explicit consent from the data subject will be required for the processing of such sensitive personal data.

6- INFORMATION TO THE DATA SUBJECT

The Company provides information to data subjects in accordance with Article 10 of the Law and secondary legislation. In this context, the Company informs data subjects about who, as the data controller, processes their personal data, for what purposes, with whom it is shared, how it is collected, and the legal basis. Additionally, the Company informs data subjects of their rights regarding the processing of their personal data. As required by the relevant article, the Company has established the necessary internal structure to ensure that data subjects are informed in every case where personal data processing activities are carried out by the Company as the data controller. The Company fulfills its Obligation to Inform fully during the collection of personal data. Furthermore, to ensure that data subjects can always access this information, the Company publishes the most up-to-date versions of the Information Texts on its website.

7- TRANSFER OF PERSONAL DATA

The Company is responsible for transferring personal data in accordance with the provisions of the KVKK (Personal Data Protection Law) and the decisions and relevant regulations of the KVK Board (Personal Data Protection Authority).

In this regard, our Company acts in compliance with the regulations stipulated in Article 8 of the Law. However, in cases where required by KVKK and other laws, data can be transferred to authorized administrative or judicial institutions without the data subject’s explicit consent, in accordance with the provisions and limits set forth in the legislation. Additionally, data transfer is permissible without the data subject’s consent in situations specified in Articles 5 and 6 of the Law. The Company can transfer personal data to third parties in Turkey and other companies under the Company’s umbrella if there is an existing signed contract with the data subject, and unless otherwise regulated by the Law or other relevant legislation, while complying with the conditions specified in the Law and taking all security measures mentioned in the legislation.

Even without the explicit consent of the data subject, the Company may transfer personal data to third parties with the utmost care and by taking all necessary security measures, including those specified by the Board, if one or more of the following conditions are met:

  • The transfer of personal data is explicitly provided for by the laws,
  • The transfer of personal data is directly related to and necessary for the establishment or performance of a contract,
  • The transfer of personal data is mandatory for the Company to fulfill its legal obligations,
  • The personal data has been made public by the data subject, and the transfer is limited to the purpose of the disclosure,
  • The transfer of personal data is necessary for the establishment, exercise, or protection of the Company’s, the data subject’s, or third parties’ rights,
  • The transfer of personal data is necessary for the Company’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject,
  • The transfer is necessary to protect the life or physical integrity of the data subject or another person who is unable to provide consent due to physical impossibility or whose consent cannot be legally validated.

Additionally, personal data may be transferred to foreign countries that have been declared by the Board as having adequate protection (“Foreign Country with Adequate Protection”) if any of the above conditions are met. In the absence of adequate protection, data may be transferred to foreign countries where data controllers in Turkey and the relevant foreign country have provided written commitment to adequate protection and have the Board’s approval (“Foreign Country with Data Controller’s Adequate Protection”).

Personal data and sensitive personal data requested by public legal entities will be shared in accordance with Article 8 of the KVKK.

8- TRANSFER OF SENSITIVE PERSONAL DATA

Sensitive personal data may be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Board, under the following conditions:

  • Sensitive personal data other than health and sexual life may be processed without the data subject’s explicit consent if explicitly provided for by the laws, meaning there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, explicit consent from the data subject will be required for the processing of such data.
  • Sensitive personal data related to health and sexual life may be processed without explicit consent by individuals or authorized institutions and organizations under the obligation of confidentiality for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning and management of health services and financing. Otherwise, explicit consent from the data subject will be required for the processing of such data.
  • Additionally, personal data may be transferred to foreign countries that have been declared by the Board as having adequate protection (“Foreign Country with Adequate Protection”) if any of the above conditions are met. In the absence of adequate protection, data may be transferred to foreign countries where data controllers have provided written commitment to adequate protection and have the Board’s approval (“Foreign Country with Data Controller’s Adequate Protection”).

9- PURPOSES OF PROCESSING PERSONAL DATA

The Company may carry out personal data processing activities under the conditions specified in Articles 5 and 6 of the KVKK (Personal Data Protection Law) for the following purposes:

  • Fulfillment and monitoring of legal obligations,
  • Ensuring the legal and commercial security of the Company, and continuing commercial activities,
  • Management of financial and accounting operations,
  • Execution of billing processes,
  • Management, auditing, and improvement of business processes,
  • Communication activities,
  • Contract management, including entering into, establishing, and executing contracts,
  • Management of customer relations,
  • Post-sales services,
  • Execution of audit/ethical activities,
  • Management of relationships with third parties,
  • Planning and execution of third parties’ access to information,
  • Planning and execution of logistics/transportation activities,
  • Conducting training activities,
  • Ensuring the security of Company premises and/or facilities,
  • Monitoring and execution of legal matters,
  • Management of procurement, production, and operational processes for goods and services,
  • Enhancing customer satisfaction, understanding customers, and using customer analysis for improving and developing the Company’s products and services,
  • Execution of information security processes.

If the processing activities for the mentioned purposes do not meet any of the conditions prescribed by the Law, the Company will obtain the explicit consent of the data subject for the relevant processing activity.

10- RETENTION PERIODS FOR PERSONAL DATA

The personal data we collect is securely stored in physical or electronic environments for an appropriate period to fulfill the Company’s commercial activities. In this context, the Company complies with all obligations related to the protection of personal data as stipulated in the Law and other relevant legislation.

Unless otherwise permitted or required by applicable laws to retain personal data for a longer period, the Company will delete, destroy, or anonymize the data upon the expiration of its processing purposes either automatically or upon the request of the data subjects. When personal data is deleted using these methods, it will be permanently destroyed and will not be retrievable or usable in any form.

The Company determines whether a retention period is stipulated by the relevant legislation. If a retention period is prescribed, it adheres to this period. If no specific period is prescribed, personal data will be retained for as long as necessary for the purposes for which it was processed. Once the purpose for processing personal data has ended, the data will be retained only for the purpose of serving as evidence in potential legal disputes or to assert or defend any related rights associated with the personal data, and will be kept for the retention periods determined by the Company. The statute of limitations for asserting these rights is considered when determining retention periods. Upon the expiration of the retention periods, personal data will be deleted, destroyed, or anonymized.

PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD
Preparation of contracts | 10 years following termination of the contract | During the first periodic destruction period following the end of the storage period
Execution of company communication activities | 10 years following the end of activity | During the first periodic destruction period following the end of the storage period
Execution of human resources processes | 10 years following the end of activity | During the first periodic destruction period following the end of the storage period
Log record tracking systems | 10 years | During the first periodic destruction period following the end of the storage period
Carrying out hardware and software access processes | 2 years | During the first periodic destruction period following the end of the storage period
Registration of Visitors and Meeting Participants | 2 years following the end of the event | During the first periodic destruction period following the end of the storage period
Camera Records | 1 month | During the first periodic destruction period following the end of the storage period
Ministries/Public institutions/Tender documents | 10 years | During the first periodic destruction period following the end of the storage period
Responding to court/enforcement information requests regarding personnel | 10 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Contracts signed with third parties | 10 years | During the first periodic destruction period following the end of the storage period
Personnel file | 10 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Job applications with negative results | 2 years from the date of negative result of the application | During the first periodic destruction period following the end of the storage period
All documents related to wages and salaries | 10 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Personnel private health and personal accident insurance policies | 10 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Occupational health and safety practices | 15 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Payment transactions | 10 years | During the first periodic destruction period following the end of the storage period
The part of the contract process regarding personal data and the preservation of the contract | 10 years after the end of the employment relationship | During the first periodic destruction period following the end of the storage period
Request/complaint information | 5 years from the date of registration | During the first periodic destruction period following the end of the storage period
Filing of all kinds of documents | 10 years | During the first periodic destruction period following the end of the storage period
Filing of education records | 10 years | During the first periodic destruction period following the end of the storage period
Personal data is the subject of a crime within the scope of the Turkish Penal Code or other legislation imposing penal provisions and is related to a crime. | Pursuant to Articles 66 and 68 of the Turkish Penal Code, the lawsuit shall continue within the statute of limitations and the penalty within the statute of limitations.

11- DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Data retained under the law will be kept for the maximum duration specified by the relevant regulations or as necessary for the purpose for which it was processed, and in any case, for the statutory limitation periods. As regulated by Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law (KVK Law), although personal data may be processed in accordance with the relevant legal provisions, it will be deleted, destroyed, or anonymized ex officio or upon your request under the conditions specified in the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette No. 30224 on 28.10.2017, once the reasons for processing cease to exist. The retention periods for personal data are specified in the 10th section of this Policy.

All operations related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least three years, except for other legal obligations.

Legal Reasons for Retention

Personal data processed by the Company within the scope of its activities is retained for the period specified in the relevant legislation. In this context, personal data is retained in accordance with:

  • Law No. 6698 on the Protection of Personal Data
  • Law No. 6098 on the Turkish Code of Obligations
  • Law No. 6102 on the Turkish Commercial Code
  • Law No. 6105 on the Protection of Consumers
  • Tax Procedure Law No. 213
  • Law No. 6563 on the Regulation of Electronic Commerce
  • Social Insurance and General Health Insurance Law No. 5510
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications
  • Law No. 6331 on Occupational Health and Safety
  • Regulation No. 28512 on Occupational Health and Safety Services
  • Law No. 4982 on the Right to Information
  • Law No. 3071 on the Use of the Right to Petition
  • Labor Law No. 4857
  • Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Attachments
  • Public Procurement Law No. 4734
  • Law No. 5018 on Public Financial Management
  • Pension Fund Law No. 5434
  • Social Services Law No. 2828

and other relevant legislation related to Company activities.

Reasons for Destruction

Personal data is deleted, destroyed, or anonymized upon request or ex officio in the following cases:

  • The relevant legislative provisions that served as the basis for processing are amended or repealed,
  • The data is no longer needed for the purpose for which it was processed or retained,
  • The data is processed solely based on explicit consent, and the relevant person withdraws their consent,
  • The Company accepts a request made under Article 11 of the Law for deletion and destruction of personal data,
  • The Company rejects the request for deletion, destruction, or anonymization, gives a response the individual considers insufficient, or fails to respond within the period specified by the Law; the individual files a complaint with the Authority, and the Authority approves the request,
  • The maximum retention period has expired and no conditions exist to justify retaining the data for a longer period.

Techniques for Destruction of Personal Data

The Company destroys personal data obtained, unless required by legal obligations or necessary for the protection of public order, provided it does not affect business processes. Personal data related to individuals is destroyed based on the Company’s decision once the requirements for continuing to provide services to customers, fulfilling legal obligations, and planning employee rights and benefits cease to exist. At the periodic destruction dates set annually, personal data deemed unnecessary for retention is destroyed in accordance with the regulations using the methods specified below.

Deletion of Personal Data

The methods for deleting personal data are specified in the table below.

DATA RECORDING ENVIRONMENT | EXPLANATION
Personal Data Located on Servers | For personal data on servers, once the retention period has expired, the system administrator will remove access permissions for the relevant users and proceed with the deletion process.
Personal Data in Electronic Environment | For personal data stored in electronic environments, once the retention period has expired, it will be rendered inaccessible and unusable for all employees other than the database administrator (relevant users).
Personal Data in the Physical Environment | For personal data held in physical environments, once the retention period has expired, it will be rendered inaccessible and unusable for all employees other than the unit manager responsible for document archiving. Additionally, a blackout process will be applied by crossing out, painting over, or erasing the data so that it becomes unreadable.
Personal Data on Portable Media | For personal data stored on flash-based storage media, once the retention period has expired, the data will be encrypted by the system administrator. Access permissions will be granted only to the system administrator, and the encrypted data will be stored in secure environments with encryption keys.

  • Destruction of Personal Data

The methods for the destruction of personal data are specified in the table below.

DATA RECORDING ENVIRONMENT | EXPLANATION
Personal Data in the Physical Environment | Personal data on paper that has reached the end of its retention period will be irreversibly destroyed using paper shredders.
Personal Data Contained in Optical / Magnetic Media | Personal data on optical and magnetic media that has reached the end of its retention period will be rendered physically unreadable in an irreversible manner.

  • Anonymization of Personal Data

Anonymization of personal data refers to making personal data unidentifiable or untraceable to any specific, identifiable individual, even if it is matched with other data. To achieve anonymization, personal data must be processed in such a way that it cannot be associated with any identified or identifiable individual, using appropriate technical methods in terms of data storage and related activities.

The Company can anonymize personal data when the reasons for processing personal data no longer exist, in accordance with the law. According to Article 28 of the Law, anonymized personal data can be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the Law, and therefore the rights outlined in Section 13 of this Policy do not apply to this data.

Techniques for Anonymizing Personal Data

  • Masking: Data masking involves removing the key identifying information from a data set to make personal data anonymous. Example: Transforming data so that the identification of the data subject is impossible by removing information such as first name, last name, ID number, etc.
  • Aggregation: Data aggregation combines many data points to make personal data unidentifiable. Example: Reporting that there are 100 customers born in 1975 without showing individual birth years.
  • Data Derivation: Data derivation creates more general content from personal data to make it unidentifiable. Example: Stating ages instead of birthdates; indicating the district or city of residence instead of the full address.
  • Data Shuffling (Permutation): Data shuffling mixes the values within a personal data set to sever the connection between the values and individuals. Example: Altering audio recordings so that they cannot be associated with or recognized as belonging to a specific person.

Periodic Destruction Period

According to Article 11 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, the Company has set a periodic destruction period of 6 months. Therefore, the Company performs periodic destruction processes every June and December.

KVK Management Structure – Duties and Responsibilities

All unit managers of the Company provide effective support for the proper implementation of technical and administrative measures related to the processing, storage, and destruction of personal data within their units. Unit Managers are responsible for ensuring employee training and awareness, monitoring and auditing processes, and helping with the implementation of technical and administrative measures to prevent unlawful processing and access to personal data, and ensuring data security.

Unit Managers actively support the increase of knowledge and awareness about personal data protection among individuals authorized to use personal data within the Company’s data processing activities and ensure that data processing, storage, and destruction activities are carried out in compliance with regulations.

The titles, units, and responsibilities of those involved in the storage and destruction processes of personal data are as follows:

  • General Manager: As the Data Controller Representative, responsible for all processes related to the protection and destruction of personal data and the implementation of the policy.
  • Human Resources Manager: Responsible for ensuring compliance with the retention period of processes within their purview and managing the personal data destruction process according to the periodic destruction period.
  • Information Systems Manager: Responsible for the technical storage, protection, and backup of data, as well as determining and implementing the technical solutions required for the implementation of the policy.
  • Other Unit Managers: Responsible for implementing and monitoring the policy within their respective units.

12-  Technical and Administrative Measures

To ensure the secure storage of personal data, prevent unlawful processing and access, and ensure lawful destruction of personal data, the Company implements technical and administrative measures as required by Article 12 and Article 6, Paragraph 4 of the Law, in accordance with the sufficient measures determined and announced by the Board for special categories of personal data.

Technical Measures

The technical measures taken by the Company regarding the personal data it processes include:

  • Penetration Testing: Risks, threats, vulnerabilities, and any potential exposures related to the Company’s IT systems are identified through penetration tests, and necessary measures are taken accordingly.
  • Up-to-Date and Secure Systems: Up-to-date and secure systems are used in environments where personal data is stored, in line with technological developments.
  • Secure Logging Systems: Secure logging systems are utilized in electronic environments where personal data is processed.
  • Security Testing and Research: Security tests and research are conducted to identify vulnerabilities in IT systems. Appropriate technical measures are taken based on the results, and technical controls are implemented to address identified risks.
  • Access Restrictions: Access to environments where personal data is stored is restricted to authorized personnel only, and all access is logged.
  • Measures for Deleted Data: The Company takes necessary measures to ensure that deleted personal data cannot be accessed or reused by relevant users.
  • Technical Personnel: The Company employs sufficient technical personnel to ensure the security of environments where personal data is stored.
  • Encryption and Physical Security: Security measures are implemented through encryption in electronic environments where special categories of personal data are processed and stored. Unauthorized physical access is prevented.
  • Training and Authorization: Employees involved in processing special categories of personal data receive training on data security, and access rights for users are defined.

Administrative Measures

The administrative measures taken by the Company regarding the personal data it processes include:

  • Awareness Training: All Company employees with access to personal data receive training to increase awareness and understanding of information security, personal data protection, and privacy.
  • Legal and Technical Consulting: Legal and technical consulting services are obtained to follow developments in information security, privacy, and personal data protection, and to take necessary actions.
  • Disciplinary Regulations: Disciplinary regulations including data security provisions are established for employees.
  • Authorization Matrix: An authorization matrix is created for employees.
  • Confidentiality Agreements: Employees are required to sign confidentiality agreements related to the Company’s activities.
  • Disclosure Obligation: The Company fulfills its obligation to inform relevant individuals before starting personal data processing.
  • Data Processing Inventory: An inventory of personal data processing activities is prepared.
  • Periodic/Routine Audits: Periodic and random audits are conducted within the Company.
  • Protocols with Third Parties: When personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties to ensure data protection. All necessary diligence is observed to ensure third parties comply with their obligations under these protocols.

13-      Rights of Data Subjects and Exercising These Rights

Rights of the Data Subject

Data subjects have the following rights:

  1. Learn Whether Personal Data is Processed: They have the right to know whether their personal data is being processed.
  2. Request Information About Processed Data: If their personal data is processed, they can request information about it.
  3. Learn the Purpose of Processing: They have the right to learn the purpose of processing their personal data and whether it is being used for the intended purpose.
  4. Know Third Parties to Whom Data is Transferred: They can inquire about third parties, both within and outside the country, to whom their personal data has been transferred.
  5. Request Correction of Incorrect Data: They can request correction of any incomplete or incorrect personal data and request that this correction be notified to third parties to whom the data has been transferred.
  6. Request Deletion or Destruction of Data: If the reasons for processing their personal data no longer apply, they can request its deletion or destruction, and request that this action be notified to third parties to whom the data has been transferred.
  7. Object to Automated Processing Results: They can object to any result that is produced solely through automated processing of their personal data, which may have a negative impact on them.
  8. Request Compensation for Damages: They can request compensation for damages resulting from unlawful processing of their personal data.

Exercising Data Subject Rights

Data subjects can submit their requests regarding the rights listed in Section 13.1 (“Rights of the Data Subject”) to our Company using the methods specified by the Board. They can use the “Company Data Subject Application Form” available on our company’s website.

Response to Applications by the Company

Our Company takes the necessary administrative and technical measures to respond to applications from data subjects in accordance with the Law and secondary regulations. If a data subject submits a request related to the rights listed in Section 13.1 in accordance with the procedure, our Company will address the request as quickly as possible and within 30 (thirty) days at the latest, free of charge. However, if the process incurs additional costs, the Company may charge a fee as specified in Article 7 of the “Communiqué on Application Procedures and Principles for Data Controllers” published by the Personal Data Protection Authority. Specifically:

  • Up to 10 Pages: No fee is charged for responses provided in writing up to 10 pages.
  • Beyond 10 Pages: A fee of 1 Turkish Lira per page may be charged for pages beyond 10.
  • Response on Digital Media: If the response is provided on a digital medium such as a CD or flash drive, the fee cannot exceed the cost of the recording medium.

14-  Special Circumstances of Personal Data Processing

1. Camera Surveillance Activities in Company Buildings and Facilities

For the purpose of ensuring security, our Company conducts camera surveillance activities in its buildings and facilities in compliance with the Private Security Services Law and related regulations.

In accordance with Article 10 of the Law, the Company informs data subjects about camera surveillance activities through various methods. The Company processes personal data related to surveillance in a manner that is connected, limited, and proportionate to the purpose for which it is collected, as per Article 4 of the Law. The purposes of video camera surveillance are limited to those specified in this Policy. Accordingly, the areas monitored by security cameras, the number of cameras, and the timing of surveillance are designed to be adequate and limited to achieving security purposes. Surveillance does not extend to areas where it would infringe on personal privacy beyond security objectives. Access to live camera feeds and digital recordings is restricted to a limited number of Company employees who have signed confidentiality agreements to protect the privacy of the data.

2. Tracking of Visitor Entry and Exit at Company Buildings and Facilities

For security and the purposes outlined in this Policy, the Company processes personal data related to tracking visitor entry and exit at its buildings and facilities. When visitors enter the Company premises, their names and surnames are collected, and they are informed about this data processing through texts posted at the Company or other means. The data collected for tracking visitor entry and exit is used solely for this purpose and is recorded in physical and/or electronic data recording systems.

3. Personal Data of Visitors to the Company’s Website

Users of the Company’s website who wish to make requests or suggestions can provide their personal information, such as name, surname, email, message, sector, and subject of the form, either via email to kvkk@tetglobal.com or by filling out the form on the Company’s website. Users acknowledge that they share this personal data voluntarily. This data will be processed only for evaluating the requests and suggestions made by the users. Additionally, the IP addresses of website visitors, along with information such as the start and end times of the service, the type of service utilized, the amount of data transferred, and any subscriber identification information, are processed in accordance with the Law No. 5651 on the Regulation of Publications on the Internet and the Fight Against Crimes Committed by Means of Such Publications (referred to as “Law No. 5651”). More detailed information can be found in the Keşşaf Internet Site Cookie and Privacy Policy.

4. Personal Data Processing During Internet Access at Company Facilities

During the provision of internet access services at the Company’s facilities, personal data related to IP addresses, the start and end times of the service, the type of service used, the amount of data transferred, and any subscriber identification information is processed and stored in accordance with Law No. 5651 and its secondary legislation (such as regulations). These records are processed and stored explicitly as required by law. They are only shared with authorized public institutions and organizations upon request or during internal audit processes to fulfill legal obligations.

15-  Training

The Company provides regular training to its employees on personal data protection in accordance with this Policy, KVKK Procedures, and KVKK Regulations. The training particularly emphasizes the definitions and protection measures for Special Categories of Personal Data.

If a Company employee has physical or digital access to personal data, the Company provides training specific to this access, such as on the computer programs accessed.

16-  Audit

The Company reserves the right to conduct regular audits without prior notice to ensure compliance with this Policy and KVKK Regulations by all employees, departments, and contractors. The Company performs necessary routine audits in this scope.

17-  Data Breach Procedure

The Company operates a system to ensure that, in the event of personal data being unlawfully obtained by others in violation of this Personal Data Protection and Processing Policy or KVKK, the situation is reported to the relevant individual and the Board as soon as possible. If deemed necessary by the Board, this situation may be announced on the Board’s website or through other methods.

18-  Changes to the Policy

The Company may amend this Policy from time to time. Updated versions of the Policy, reflecting any changes, will be shared with employees or made available to relevant individuals via the website for review.

Effective Date of the Policy

This version of the Personal Data Protection Policy comes into effect upon publication on the Company’s website.