DOCUMENT CODE	:	GM-P002
APPROVED BY	:	BOARD OF DIRECTORS
DATE OF APPROVAL	:	05/01/2019
LAST REVISION DATE	:	00/0000
VERSION NO	:	01
RELATED DOCUMENTS	:	Personal Transactions Protection and Processing Policy Processing of Sensitive Personal Data Policy Personal Data Protection and Processing Enlightenment Text

CONTENTS

1. PURPOSE. 2

2. SCOPE. 3

3. RESPONSIBILITY. 3

4. DEFINITIONS. 3

5. RECORDING MEDIUMS. 5

6. LEGAL, TECHNICAL OR OTHER REASONS THAT REQUIRE THE RETENTION AND DESTRUCTION OF PERSONAL DATA. 5

7. MEASURES TO PROTECT PERSONAL DATA AND PREVENT İLLEGAL PROCESSİNG AND İLLEGAL ACCESS. 6

7.1      ADMINISTRATIVE MEASURES. 7

7.2      TECHNICAL MEASURES. 7

8. MEASURES TAKEN FOR LAWFUL DESTRUCTION PERSONAL DATA. 8

8.1.     DELETION OF PERSONAL DATA. 8

8.2.     DESTRUCTION OF PERSONAL DATA. 9

8.3.     ANONYMIZATON OF PERSONAL DATA. 10

8.3.1   Anonymization Methods That Do Not Provide Value Irregularity: 11

8.3.2   Anonymization Methods That    Provide Value Irregularity: 11

8.3.3   Statistical Methods to Strengthen Anonymization: 11

9. PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES. 11

10.      PERSONAL DATA RETENTION AND DESTRUCTION TIMES. 12

10.1   DELETION, DESTRUCTION OR ANOYNMIZATION EX OFFICIO TIMES. 13

10.2    DELETION AND DESTRUCTION TIMES OF PERSONAL DATA UPON REQUEST OF THE PERSON CONCERNED.. 13

ANNEX 1 PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES. 13

1. PURPOSE

The purpose of this policy is to define the procedures and principles, internal controls and precautions, operating rules and responsibilities regarding the retention and destruction of the ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company) for the maximum time necessary for the purpose for which the personal data are processed in accordance to the Turkish Personal Data Protection Law no. 6698 (Law).

In line with the mission, vision and basic principles of the Strategic Plan, the company has adopted as a priority the processing of data of employees, employee candidates, service providers, visitors and other third parties in accordance with Turkish Basic Law, International Agreements, Turkish Personal Data Protection Law no. 6698 (Law) and other related consents and to effectively exercise the rights of the data owners. The work and procedures regarding the retention and destruction of personal data are carried out by the company in accordance with the Policy prepared in this policy.

1. SCOPE

These policy provisions are applied to customers, visitors, employees, employee candidates, shareholders, natural person authorities, shareholders, employees of the companies with which the Company has commercial relations (group companies, partners, suppliers, consultancies, etc.) and family members of data owners,  whose personal data are processed by the Company in whole or in part, or non-automated provided that it is part of any data recording system. This policy has been prepared in accordance with the Company's "Personal Data Inventory".

1. RESPONSIBILITY

This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.

All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.

1. DEFINITIONS

The important definitions in this policy are listed below.

Recipient Group	The category of natural or legal persons to whom personal data is transferred by the data controller.
Cloud Environments / Systems	Systems where data such as Office 365, Salesforce, Dropbox can be stored and accessed on the internet.
Direct identifiers	Identifiers that directly reveal, disclose and distinguish the person they are in contact with.
Indirect identifiers	Identifiers that come together with other identifiers to reveal, disclose and distinguish the person they are in contact with.
Data owner	Natural person whose personal data are processed.
Related user	Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data.
Destruction	Deletion, Destruction, and Anonymization of Personal Data.
Law	Turkish Personal Data Protection Law no. 6698.
Blackout	Procedures such as scratching, painting and icing all of the personal data so that they cannot be associated with an identified or identifiable natural person.
Recording Medium	Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person;
Personal Data Processing Inventory	Inventory in which are described and detailed; personal data processing activities carried out depending on the business processes of data officers; personal data processing purposes, data category, transferred recipient group and the maximum amount of time required for the purposes for which the personal data is created and associated with the data owner group, personal data foreseen to be transferred to foreign countries and data security measures.
Processing of personal data	Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data	Making personal data inaccessible and unusable to relevant users in any way.
Destruction of personal data	Making personal data inaccessible, retrievable and reusable by anyone.
Anonymization of personal data	Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Board	The Board of Protection of Personal Data.
Authority	The Authority of Protection of Personal Data.
Magnetic Tape	Media that stores the data with the help of micro magnet pieces on the flexible tape
Magnetic Disc	Media that stores data with the help of micro-magnet pieces on flexible (plate) or fixed media
Masking	Operations such as deletion, scratching, painting and starring certain areas of personal data in such a way that they cannot be associated with a specific or identifiable natural person.
Periodic destruction	In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy.
Data processor	Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.
Data recording system	Any recording system through which personal data are processed by structuring according to specific criteria.
Data controller	Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

1. RECORDING MEDIUM

The personal data of the data owners are stored securely in the following recording mediums organized by the Company in accordance with the relevant legislation, in particular the provisions of the Law, and within the framework of data security principles:

1. Cloud 
2. Paper medium
3. Central servers
4. Databases
5. Hard Drives

1. LEGAL, TECHNICAL OR OTHER REASONS THAT REQUIRE THE RETENTION AND DESTRUCTION OF PERSONAL DATA      

Personal data collected by the Company are processed within the scope of the purposes set out in the Personal Data Protection and Processing Policy in accordance with the processing conditions specified in Articles 5 and 6 of the Law and stored for the following purposes:

• Management of the company, performing and auditing the activities in accordance with the law, Company strategies, policies and procedures,
• Implementing human resources policies; planning and execution of human resources processes,
• Planning and implementation of information security processes,
• Ensuring the physical, legal and commercial security of the Company, its personnel and those who have a business relationship with the Company,
• Planning and implementation of corporate communication and marketing activities,
• Fulfilling legal obligations and exercising the rights arising from the legislation in force, as required or obligated by legal regulations,
• Execution of works and transactions within the framework of signed contracts and protocols,
• Management of relations with group companies, business partners and suppliers,
• Providing communication with real / legal persons in business relationship,
• Arrangement of all records and documents that will be based on transactions,
• Legal reporting,
• Providing legally authorized institutions and organizations with information arising from the legislation,
• Fulfilment of the burden of proof as evidence in future legal disputes.

Personal data processed within the framework of the Company's activities, is stored for the period of retention envisaged under the laws given below:

• Personal Data Protection Law No. 6698   
• Turkish Commercial Code No. 6102,
• Turkish Code of Obligations No. 6098,
• Consumer Protection Law No. 6502 
• Social Insurance and General Health Insurance Law No. 5510,
• Law No. 5651 on the Arrangement of Broadcasts Made on the Internet and Combating Crimes Committed Through These Publications,
• Occupational Health and Safety Law No. 6331,
• Labour Law No. 4857,
• Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Additions,
• Other relevant laws and secondary regulations

Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.

Accordingly;

• Amendment or removal of relevant legislation provisions that constitute the basis for processing personal data,
• The contract between the parties has never been established, the contract is not valid, the contract is terminated spontaneously, the contract is terminated, or the contract is returned
• The purpose that requires the processing of personal data disappears,
• It is determined that processing personal data is against the law or honesty rule,
• In cases where the processing of personal data occurs only based on explicit consent, the relevant person's withdrawal of his consent,
• The Company's acceptance of the application of the relevant person regarding the processing of personal data within the framework of the rights in paragraph 11 (e) and (f) of Article 11 of the Law,
• In cases where the company refuses the application made by the relevant person with the request of deletion or destruction of his personal data, the response he has given is insufficient or does not respond within the period stipulated by the Law; Complaints to the Board and this request is approved by the Board,
• Although the maximum period requiring the retention of personal data has passed, there are no conditions that would justify keeping the personal data longer,
• In the event of the disappearance of conditions requiring the processing of personal data in Articles 5 and 6 of the Law, personal data must be deleted, destructed or made anonymous.

1. MEASURES TO PROTECT PERSONAL DATA AND PREVENT ILLEGAL PROCESSING AND ILLEGAL ACCESS         

Technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being illegally processed and accessed; Necessary audits are provided to ensure the enforcement of the provisions of the law.

1. ADMINISTRATIVE MEASURES

1. By determining the probability of occurrence of the risks that may arise regarding the protection of personal data and the losses it will cause in case of occurrence, measures are taken to reduce or eliminate the risks.
2. The duties, powers and responsibilities of the personnel involved in all processes and policies regarding the processing of personal data, ensuring the confidentiality and security and disposal are written down and made available to all personnel.
3. Personnel are provided with the necessary trainings within the scope of processing, protection and data security of personal data.
4. Keeping the policies and procedures up-to-date and providing the necessary training and informing the employees about the changes made are ensured.
5. Within the scope of the recruitment process, provisions regarding the protection and confidentiality of personal data are added to the contracts signed between the employees and the Company and signed by the employee.
6. By determining whether the processed personal data is still needed and stored in the right place, personal data retained for archival purposes will be kept in a more secure environment and unneeded personal data will be deleted, destructed or made anonymous in accordance with the Personal Data Retention and Destruction Policy.
7. Access to the personal data stored within the company is restricted to the personnel required for access based on the duty description.
8. If employees fail to comply with policies and procedures established and announced by the Company, sanctions will be imposed in accordance with the disciplinary process. 
9. With regard to the disclosure of personal data, confidentiality agreements for the protection of personal data and data security are concluded with individuals and data processors or data protection provisions are added to existing agreements.
10. within the framework of policies and procedures, regular checks are carried out for areas open to development, and necessary measures are planned and implemented.
11. In order to ensure enforcement of the legal provisions, measures are planned for the confidentiality and security deficiencies resulting from the audits, and the findings are promptly remedied.
12. If the processed personal data is obtained illegally from third parties, the data owner and the Management Board shall be informed as soon as possible.

1. TECHNICAL MEASURES

1. SSL connections, anti-virus and firewall software and hardware are used for the protection of information technology systems and data containing personal data.
2. Unused software and services are deleted from the devices.
3. The proper functioning of the software and hardware and the security measures taken are checked regularly; patch and software updates are provided to cover possible security gaps. Necessary precautions are taken by revealing risks, threats, weaknesses and openings, if any, for the company's information systems.
4. Access to systems containing personal data is provided within the framework of access policies, user and role management procedures. The scope and duration of authorization of users who have access to data are clearly defined. Information Technology employees' access to personal data is kept under control.
5. If remote access to the data is required, at least two-step authentication system is used.
6. Authority checks are carried out periodically.
7. The powers of the employees who change their duties or leave the job are revoked immediately. In this context, the inventory allocated to it by the Company is refunded.
8. Technical infrastructure is provided to prevent or prevent data from leaking out of the institution.
9. It is ensured that the log of transaction acts (log records) of all users are kept regularly.
10. The system weaknesses are controlled by receiving penetration test services regularly and when the need arises.
11. The medium and devices where personal data are stored are protected by taking physical security measures.
12. To ensure that personal data is stored safely, data is backed up and physical security of all backups is ensured.
13. Access to retention areas where personal data are stored is recorded and improper accesses or access attempts are kept under control.

14. Personal data is ensured to be destructed in a way that cannot be recycled and leave an audit trail.
15. Necessary measures are taken to make the deleted personal data inaccessible and reusable for the relevant users.
16. Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encrypted or crypto graphic methods in a way to provide information security requirements. Cryptographic keys are kept safe and in different mediums.
17. During the storage and use of personal data in the cloud environment, encryption with cryptographic methods and using separate encryption keys where possible for personal data, especially for each cloud solution that is served; when the cloud computing service relationship ends; all copies of encryption keys required to make personal data available are destructed.
18. If it is necessary to transfer personal data via e-mail, it is ensured that it is transferred with an encrypted corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
19. When it is necessary to transfer it via media such as Portable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in different media.
20. While transferring between servers in different physical environments is performed, data transfer is performed by installing VPN between servers or by SFTP method.
21. Necessary precautions are taken against risks such as theft of documents, loss or being seen by unauthorized persons in the transfer of data via paper medium.

1. MEASURES TAKEN FOR LAWFUL DESTRUCTION PERSONAL DATA

1. DELETION OF PERSONAL DATA

Deletion of personal data is the process of making personal data inaccessible and reusable for the users concerned. All necessary technical and administrative measures are taken by the Company to make the deleted personal data inaccessible and reusable for the users concerned.

The process followed in the deletion of personal data is as follows:

1. Identification of personal data that will be the subject of deletion.
2. Identify relevant users for each personal data using the access authorization and control matrix or similar system.
3. Identification of the authorities and methods of the relevant users such as access, retrieval and reuse.
4. Closure and elimination of access, retrieval, reuse powers and methods of the relevant users within the scope of personal data.

Personal data are deleted by methods suitable for the recording media in which they are stored.

1. Data in the cloud is deleted by issuing a delete command. It is ensured that the user is not authorized to retrieve deleted data on the cloud system. 
2. Personal data on paper media is deleted using the blackout method. The blackout is done by truncating the personal data in the relevant documents whenever possible and making them invisible to the relevant users with solid ink so that they cannot be returned and read with technical solutions.
3. Office files on the central server are deleted with the delete command in the operating system, or the access rights of the respective user are removed from the directory in which the file is located. It is ensured that the user performing this operation is a different person than the database administrator.
4. Personal data on flash-based storage media is stored in encrypted form and deleted using software suitable for these media.
5. The personal data stored in the databases are deleted with the database commands (Delete) of the corresponding lines. It is ensured that the user performing this operation is a different person than the database administrator.

1. DESTRUCTION OF PERSONAL DATA

The destruction of personal data is to make the data inaccessible, retrievable and reusable for anyone. All necessary technical and administrative measures to destruct personal data are taken by the Company.

In order to destruct personal data, all copies of the data will be recognised and will be destructed in the following manner, one after the other, depending on the nature of the systems on which the data are available:

1. The following methods are used to destruct data on local systems:

• Demagnetize: The process of unacceptable falsification of the data on it by directing the magnetic media through a special device into a strong magnetic field.
• Physical destruction: The process of melting, burning or pulverizing optical and magnetic media.
• Overwrite: The process of preventing the recovery of old data by writing random data consisting of 0 and 1 at least seven times to magnetic media and rewritable optical media using special software.

2. The following methods are used to destruct data on environmental systems:

• Network devices (switch, router etc.): They are destructed by using one or more of the appropriate methods specified in (a).
• Flash-based environments: Flash-based hard drives with ATA (SATA, PATA etc.), SCSI (SCSI Express etc.) interface are destructed by using the <block erase> command if supported, if it is not supported, it is destructed by using the method of disposal proposed by the manufacturer or by using one or more of the appropriate methods specified in (a).
• Magnetic tape: They are destructed by exposure to very strong magnetic environments and demagnetizing or by physical destruction methods such as burning and melting.
• Units such as magnetic disc: They are destructed by exposing it to very strong magnetic environments by demagnetizing or physical destruction methods such as burning and melting.
• Mobile phones (Sim cards and fixed memory areas): They are destructed by using one or more of the appropriate methods specified in a).
• Optical discs (CD, DVD etc.): They are destructed by physical destruction methods such as burning, breaking into small pieces, melting.
• • Peripherals such as printer, fingerprint door access system, which can be removed from the data recording medium: By verifying that all data recording media are removed, they are destructed by using one or more of the appropriate methods specified in (a).
• Peripherals such as printer with fixed data recording environment, fingerprint door access system: they are destructed by using one or more of the appropriate methods specified in (a).

3. Since the personal data in the paper and microfiche media are permanently and physically written on the media, the main media is to be destructed. During this process, the data is divided with paper destroying or cutting machines, horizontally and vertically into small pieces of incomprehensible size that cannot be combined. Personal data transferred by scanning from the original paper format to the electronic medium is demagnetized, physically destroyed according to the electronic medium on which it is located, and methods such as overwriting are destructed using one or more methods.

4. For the personal data contained in the Cloud, upon termination of the Cloud Computing Service relationship, all copies of the encryption keys required to provide the personal data will be destructed.

5. The destruction of personal data in devices which are malfunctioning or sent for maintenance is done as follows:

• Personal data are destructed by using one or more of the appropriate methods specified in (a), before they are disclosed to third parties such as manufacturers, vendors, maintenance service, repair,
• In cases where destruction is not possible or appropriate, the data carrier will be removed and stored and other defective parts will be sent to third parties such as manufacturers, vendors, service providers,
• It shall be ensured that the necessary measures are taken to prevent personal data from being copied by the personnel responsible for maintenance, repair and outside personnel.

1. ANONYMIZATION OF PERSONAL DATA

When personal data is made anonymous, personal data is under no circumstances associated with an identified or identifiable natural person, even if it is compared with other data. Anonymisation means that all direct and/or indirect identifiers in a data set are removed or changed in order to prevent the identity of the data owner from being identified or from losing their distinction in a group or set in a way that cannot be attributed to any natural person. Data that does not indicate a specific person due to the blocking or loss of these functions is considered anonymous data.

In determining the anonymisation methods to be used by the company, taking into account the following characteristics of the data set, one of the methods contained in the guidelines published by the Authority on the deletion, destruction or anonymisation of personal data shall be used:

• nature of the data,
• size of the data,
• structure of data in physical environments,
• data diversity,
• the purpose of the processing requested from the data,
• frequency of data processing
• reliability of the party to whom the data is transferred,
• effort to make the data anonymous makes sense. 
• extent and scope of the damage that may be caused if the anonymity of the data is compromised,
• the distribution, centrality ratio of the data,
• control of the users via access authorization to the relevant data,
• probability that his effort to construct and implement an attack that would disrupt anonymity would be meaningful.

1. Anonymization Methods That Do Not Provide Value Irregularity:

• Extracting Variables

• Extracting Records

• Regional Hiding

• Generalization

• Lower and Upper Limit Coding

• Global Coding

• Sampling

• Masking

• Aggregation / Creating Cumulative Data

1. Anonymization Methods That Do Not Provide Value Irregularity:

• Micro Joining

• Data Exchange

• Add Noise

1. Statistical Methods to Strengthen Anonymization: 

• K-Anonymity

• L-Diversity

• T-Proximity

1. PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES    

All units and employees of the Company, who are involved in the processing, retention and destruction of personal data, are responsible for the fulfilment of this Policy requirements, the proper implementation of the technical and administrative measures taken under the Policy, and for storing and protecting the data they produce in their own business processes.

Regular destruction that affects business processes and leads to data integrity, data loss and results that are contrary to legal requirements is carried out by the Information Technology Department, taking into account the nature of personal data, the systems in which it is stored and the business unit that owns the data.

The titles, units and job descriptions of those involved in the retention and destruction of personal data are included in the annex of this Policy.

1. PERSONAL DELATION, DESTUCTION OR ANOYNMIZATION EX OFFICIO TIMES

 

The table showing the time of retention and destruction of personal data at the company is given below:

Data category	Maximum retention time	Destruction time
Identity, Communication, Professional Experience, Personnel, Financial, Visual and Audio Information, Risk Management, Disability, Criminal Record Registration Information of Employee	10 years after the end of the business relationship	Within 180 days after the end of the retention period
Health, Blood Group Information of Employee	15 years after the end of the business relationship	Within 180 days after the end of the retention period
Transaction / Information Security Data of Employee	During the business relationship	Within 180 days after the end of the retention period
Vehicle Data of Employee	During the business relationship	Within 180 days after the end of the business relationship
Location Data of Employee	1 month	Within 180 days after the end of the retention period
Identity, Communication and Professional Experience Information of Employee Candidate	2 years	Within 180 days after the end of the retention period
Identity, Communication, Financial, Risk Management Information of Company Partner	10 years after the end of the business relationship	Within 180 days after the end of the retention period
Identity, Communication, Financial, Visual and Audio, Risk Management Information of Supplier Authority/Employee	10 years after the end of the business relationship	Within 180 days after the end of the retention period
Transaction Safety Information of Supplier Authority/Employee	During the business relationship	Within 180 days after the end of the business relationship
Website Login - Logout Information of Visitors	2 years	Within 180 days after the end of the retention period
Identity Information of Visitors	2 months	Within 180 days after the end of the retention period
Physical Space Security Information	2 months	Within 180 days after the end of the retention period
Contract	10 years after the end of the business relationship	Within 180 days after the end of the retention period
Documents, Notebooks and Records	10 years	Within 180 days after the end of the retention period

1. DELETION, DESTRUCTION OR ANOYNMIZATION EX OFFICIO TIMES

In the event that all the conditions for processing personal data disappear in the law, personal data will be regularly deleted, destructed or anonymize by the Company within a period of six months. In the first periodic destruction process following the date on which the obligation to delete, destruct or anonymize personal data occurs, the implementation of such transactions is ensured.

If the relevant personal data has been transferred to third parties, this is notified to the data transmitting parties and / or those who process data on behalf of the Company based on the authorization granted by the Company and necessary actions are taken before these persons.

1. DELETION AND DESTRUCTION TIMES OF PERSONAL DATA UPON REQUEST OF THE PERSON CONCERNED             

In case the data owner requests the personal data to be deleted or destructed;

1. When all conditions for processing personal data have disappeared, personal data which are the subject of the request shall be deleted, destructed or anonymized by the company within thirty days at the latest and the data owner shall be informed.
2. If all the conditions for processing personal data have been disappeared and the personal data owner to the request have been transferred to third parties, this will be notified to the parties who have transferred the data and / or data processors on behalf of the Company based on the authorization granted by the Company, and the necessary actions are taken before these persons.
3. If all the conditions for processing personal data have not disappeared, this request may be rejected by explaining its justification pursuant to Article 13 of the Law, and the rejection response will be notified to the concerned person in writing or electronically within thirty days at the latest.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

ANNEX 1 PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES         

TITLE	DEPARTMENT	DUTY DEFINITION
Senior Management	Board of Directors, General Coordinator, General Manager	Responsible for the preparation, publishing, updating of the policy and ensuring that the employees act in accordance with the policy.
Department Manager	All departments	Responsible for the execution of the Policy in accordance with its duties and for its implementation in the unit it is responsible for.
Information Technologies Manager	Information Technologies	Responsible for safely retention, processing, accessing and destructing of personal data, in accordance with the law and for the management of the personal data destruction process.
Human Resources Manager Finance Manager Accounting Manager Law Manager Quality Manager	Human Resources  Finance  Accounting  Law  Quality	Responsible for implementing personal data retention and destruction policy: Is responsible for the management of the personal data destruction process in accordance with the periodic destruction period, ensuring the compliance of the processes within its duty with the retention period.

DOCUMENT NO	:	GM-P001
APPROVED BY	:	BOARD OF DIRECTORS
DATE OF APPROVAL	:	05/01/2019
LAST REVISION DATE	:	00/0000
VERSION NO	:	01
RELATED DOCUMENTS	:	Personal Data Retention and Destruction Policy Personal Data Protection and Processing Enlightenment Text Explicit Consent Statement for Processing of Personal Data Processing of Sensitive Personal Data Policy Data owner Application Form

CONTENTS

1.     PURPOSE. 3

2.     SCOPE. 3

3.     RESPONSIBILITY. 3

4.     DEFINITIONS. 3

5.     PROCESSING OF PERSONAL DATA. 5

5.1.   GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA.. 5

5.2.   CONDITIONS FOR PROCESSING OF PERSONAL DATA.. 6

5.3.   CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA.. 8

5.4.   DATA OWNER, PERSON GROUP AND PERSONAL DATA CATEGORIES PROCESSED.. 9

5.5.   PURPOSES OF PROCESSING PERSONAL DATA.. 11

5.6.   DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA.. 13

5.7.   TRANSFER OF PERSONAL DATA.. 14

5.7.1.    TRANSFER OF PERSONAL DATA DOMESTIC. 14

5.7.2.    TRANSFER OF PERSONAL DATA ABROADI 15

5.7.3.    TRANSFER OF DATA PROCESSED BY GROUP COMPANIES TO THE COMPANYI 15

6.     DATA SECURITY ISSUES. 16

6.1    ADMINISTRATIVE MEASURES. 16

6.2    TECHNICAL MEASURES. 16

7.     ENLIGHTENMENT. 17

8.     RIGHTS OF THE DATA OWNER. 18

8.1    SITUATIONS OUTSIDE THE RIGHTS OF DATA OWNERS. 18

1. PURPOSE

The purpose of this policy is to respect the fundamental rights and freedoms and privacy of individuals, especially the privacy of personal life, to ensure compliance with the obligations arising from the processing of personal data, to establish strategies, internal controls and measures, operational rules and responsibilities with regard to the processing and security of personal data, to make the data owner and the employees of the company aware while the processing of personal data by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company), in accordance with the Basic Law of the Turkish Republic and Law No. 6698 on the protection of personal data. 

1. SCOPE

These provisions apply to natural persons whose personal data are processed wholly or partly by automatic means or to natural persons whose data are not processed by automatic means, provided that they are part of a data collection system. Data owner is given in the article 5.4.

1. RESPONSIBILITY

This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.

All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.

1. DEFINITIONS

The important definitions in this policy are listed below.

Explicit Consent	Consent on a specific subject, informative and explained by free will
Anonymization	Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Data owner	Natural person whose personal data are processed.
Related user	Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data.
Destruction	Deletion, Destruction, and Anonymization of Personal Data
Law	Turkish Personal Data Protection Law no. 6698
Recording Medium	Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Processing of personal data	Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data	Making personal data inaccessible and unusable to relevant users in any way.
Destruction of personal data	Making personal data inaccessible, retrievable and reusable by anyone.
Anonymization of personal data	Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Board	The Board of Protection of Personal Data.
Authority	The Authority of Protection of Personal Data.
Sensitive Personal Data	Race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data of persons.
Periodic destruction	In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy.
Registry	Register of Data Protection Officers of the Presidency of the Data Protection Authority
Data processor	Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.
Data recording system	Any recording system through which personal data are processed by structuring according to specific criteria.
Data controller	Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

1. PROCESSING OF PERSONAL DATA 

1.  GENERAL PRINCIPLES RELATED TO THE PROCESSING OF PERSONAL DATA

The Company processes personal data in accordance with the procedures and principles established by law and other legislation, and the following principles are taken into account when processing personal data:

1. Compliance with laws and integrity rules

The Company will act in accordance with the law, secondary legislation and general principles of law when processing personal data under this policy. During the processing of personal data by the company, the following transaction will be applied as a minimum;

• A legitimate basis for processing personal data (e. g. explicit consent).
• The personal data may not be used in a way that leads to results against individuals without legitimate reason.
• Introduce transparency as a principle in the processing of personal data and inform people in this context.
• It is ensured that personal data are processed as little as possible and in accordance with the reasonable expectations and predictions of individuals.

2. Being true and when necessary updated 

In accordance with this principle, the following points are realized by the Company;

• Perform checks to ensure that personal data is correct,
• The sources from which the personal data originate are secure and their accuracy is checked,
• Careful consideration of requests due to incorrect personal data,
• Assessment of personal data should be updated or not,
• Technical and administrative measures are taken to keep channels open and to ensure that the information provided by the data owner is accurate and up-to-date.

3. Processing for specific, clear and legitimate purposes

The company shall ensure that the activities relating to the processing of personal data are clearly understandable to the data owner and are processed within the framework of the clear and legitimate purposes established before the start of the processing of personal data.

4. The data should be combined, limited and measured for the purpose for which they are processed

The personal data will be processed by the company only in connection with the achievement of the established objectives and only with the personal data necessary to achieve the purpose. The personal data collected will not be unlawfully disclosed to third parties and will not be used for purposes other than processing.

5. Retention for the time provided for by the relevant laws or for the time required for processing

The company stores personal data only for the period of time required by the relevant laws or for the purpose for which it is processed. If the reasons for processing cease to apply, the personal data will be deleted, destructed or made anonymous by the Company, either ex officio or at the request of the data owner. 

Retention periods and retention principles for personal data are regulated in the Personal Data Retention and Destruction Policy.

1. CONDITIONS FOR PROCESSING OF PERSONAL DATA

Personal data are processed by the company in accordance with the processing conditions set out in Article 5 of the Law. In this context, the personal data processing activities carried out will be carried out in the presence of the personal data processing conditions set out below:

1. Obtaining the explicit consent of the data owner

The Company evaluates whether the purpose of personal data processing is based on one of the processing conditions other than explicit consent. If it does not fulfil at least one of the conditions derogating from the law as the explicit consent, the consent of the person concerned shall be deemed to be given for the continuation of the data processing activity. 

In this context, the relevant personal data will be processed by the Company if the data owner consents to the Explicit Consent Statement for Processing of Personal Data regard to the processing of the data concerning him/her, with knowledge of the Personal Data Protection and Processing Enlightenment Text provided by the company, freewill, without leaving room for hesitation and limited only by the relevant transaction. 

2. Clearly prescribed by law

Insofar as the laws contain provisions for the processing of personal data, personal data will only be processed by the Company within the framework of the relevant legal provisions.

3. The person who cannot give his consent due to factual impossibility or whose consent is not legally valid is obliged to protect his/her life or the integrity of another person.

If the data owner cannot give his/her consent or his/her consent is not valid, the data may be processed by the Company in this context if the personal data are necessary to protect the life or physical integrity of the persons.

4. Requirement to process personal data of the parties to the contract where they are directly related to the conclusion or performance of a contract.

If the processing of personal data of the parties to the contract is obligatory, insofar as it is directly related to the conclusion or performance of a contract, the personal data of the persons concerned will be processed by the company, limited for this purpose.

5. The company is obliged to comply with its legal obligation

If data processing is required to fulfil the legal obligation, the personal data of the person concerned will be processed by the Company.

6. The data were published by the data owner himself/herself

Personal data which are published by the person concerned himself or herself and which are made available to the public in any way, are processed by the company restricted to the purpose.

7. Data processing is compulsory for the establishment, use or protection of a right

If the processing of personal data is necessary for the establishment, use or protection of a right, the processing of personal data is carried out by the Company in parallel with this obligation.

8. The processing of data is compulsory for the legitimate interests of the controller, provided that the fundamental rights and freedoms of the data owner are not violated

The processing of personal data is possible if the processing of data is required for legitimate reasons of the company, provided that the fundamental rights and freedoms of the data owner are not violated. A fair balance is struck between the benefits to the company from the data processing and the fundamental rights and freedoms of the data owner.

Processing conditions and examples of personal data, which are out of consent, are given in the table below:

Processing conditions	Scope	Example
Provision of the law	Tax Laws, Labour Law, Turkish Commercial Code, etc.	Keeping employee personal information in accordance with the law.
Conclusion of contract	Employment Contract, Sales Contract, etc.	Processing of personal data of employees in order to organize payroll.
Actual Impossibility	A person who cannot give consent due to de facto impossibility or is unable to distinguish.	Personal health information of the unconscious person. Location information of a kidnapped or missing person.
Legal Obligation of Data Controller	Financial Controls, Security Legislation, Compliance with Regulations.	Processing of data such as bank account number, marital status, existence of dependant, working situation of spouse, social insurance number in order to pay wages to the employee.
Publicity	The person concerned presents his information to the public.	The person declares his / her contact information publicly in order to be contacted in certain situations.
Establishment, use or protection of a right	Opening lawsuits, registration procedures, any kind of title deed etc. mandatory data in jobs.	Keeping the necessary information about an employee leaving the job during the trial timeout.
Legitimate Interest	The processing of data is compulsory for the legitimate interests of the controller, provided that the fundamental rights of the data owner are not violated	Data processing for the purpose of applying rewards and premiums that increase employee loyalty.

1. CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA

When the company processes sensitive personal data, it first determines whether data processing conditions exist, after ensuring that the legal compliance requirement that data be processed is met. In this context, and subject to appropriate measures being adopted by the Management Board, specific personal data shall be processed under the following conditions:

1. Specific personal data other than health and sex life,
   • If there is an explicit consent statement of data owner or
   • in legally prescribed cases

2. Personal data relating to health and sex life,
   • If there is an explicit consent statement of data owner 
   • Without the explicit consent of the data owner, personal data relating to health and sex life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.

Processing conditions and examples of sensitive personal data, excluding explicit consent, are given in the table below:

Processing conditions	Scope	Example
Provision of the law	Personal data other than health and sexual life can be processed without the explicit consent of the person concerned. Tax Laws, Labour Law, Turkish Commercial Code etc. stricter sensitive data processing conditions.	The union information of the employee should be kept in the personal file as required by the legislation.
Protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing	Processing of data for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.	Health data processed by the doctor about his patient.

The measures taken for the processing of sensitive quality personal data are regulated in the "Processing of Sensitive Personal Data Policy".

1. DATA OWNER PERSON GROUP AND PROCESSED PERSONAL DATA CATEGORIES

The group of persons whose personal data are processed by our company are as follows:

Data owner person group
Employee Candidates & Trainee Candidates	Real persons who have applied for a job to the company by any means or who have opened their CV and related information for our company review
Employees	Company employees
Trainees	High school and university students intern at the company
Family members	Family members of data owners
Visitors	All natural persons who have entered the physical campuses owned by the company for various purposes or visit our websites for any purpose
Partner Authorities & Employees	Real person authorities, shareholders, employees of the companies with which the Company has commercial relations
Group Company Authorities & Employees	Real persons whose personal data are obtained through the business relations of the Group Companies within the scope of the operations carried out by the Company.
Supplier Authorities & Employees	Real persons or natural persons authorities, shareholders, employees of the company or the legal entities outsourcing the goods and services.
Shareholders	Company shareholder natural persons
Company Authorities	Company's board members and other authorized natural persons
Potential Customers	Real persons who are likely to buy / use the products and services offered by our company / group companies
Customers / Guests	Regardless of whether there is any contract with our Company / Group companies, real persons who buy / use or use the products and services offered by our Company / Group companies.
Third Parties	Third party natural persons (eg, those declared as references) or other natural persons not covered by the Personal Data Protection and Processing Policy in order to ensure the security of business transactions between our above mentioned parties, or to protect the rights of such persons and provide benefits.

The data processed for these people are categorized as follows:

ID information	Turkish ID No., Passport No., ID Card Serial no., Driving Licence No., Tax No., Name Surname, Name of Father, Name of Mother, Nationality, Place of Birth, Date of Birth, Age, Place of Registry, (Province, District, Neighbourhood-Village, Volume No, Family Sequence Number, Sequence Number) Issuing Authority of the Identity Card, Reason of Issue, Registration Number, Issue Date, Validity Date, Previous Surname, Marital Status, Gender, Religion, Photograph; Signature example, Military status, Parental Consent
Education & Experience Information	Educational status, certificate and diploma information, foreign language information, CV and references, work experience information, course, seminar internship information, other education and skills.
Contact information	Personal / Corporate mobile-landline phone number; Personal / Corporate e-mail address; residence address; contact name and surname and phone number in case of emergency
Sensitive Personal Data	Criminal record, criminal conviction information; disability; religion; health data; blood group; race information
Family Information	ID information of mother, father, spouse and children; telephone number, profession, educational status of their children; spouse's employment status and income information; Name-surname and age of persons responsible for caring, except for spouse and minors (under 18); child birth certificate; first degree family members death certificates.
Working Information	SSK Registration number; insurance entry / pension, allocation number; social security no; tax office and number; past workplace registration information, previous workplace wage and tax deduction information; work permit (for foreign employees); incentive status; business arrangement; confidentiality commitments; general health insurance information; job offer information; position name / task, department and unit, title; deadline for employment; the date of entry and exit of work; overwork information; fixture-tool-equipment delivery documents; partnership / additional work declaration form etc.
Permission Information	Leave request forms, leave exit / return date, number of leave days, reason for leave, address / phone to be tracked; rest and incapacity reports; annual paid leave schedule; Not to come to work without permission / to arrive late for work report-warning
Performance Information	Performance evaluation and goal achievement status, activity information, discipline records
Education & Development Information	Participated trainings, seminars, gained skills, training participation and information / forms
Financial Information	Bank account number, wallet; payrolls, wage compasses, premiums, bonuses etc. documents related to payments; file and debt information on enforcement proceedings; minimum subsistence information; private health insurance information; Personal data processed for information, documents and records showing any financial results created according to the type of legal relationship established with the personal data owner.
Vehicle Data	Vehicle / vehicle usage information (License plate number, license serial number, work start date, insurance-motor insurance start date, traffic fines, accident minutes, work accident notifications, vehicle embezzlement documents)
Location Data	Vehicle location data -GPS location
Dismissal Information	Letter of Resignation, Notice of Termination, Disclaimer, Notice, Contract of Employment, SSI Exit Declaration, Last Month Payroll, Work / Service Document, Severance and Notice Payrolls, Documents Proving the Reason for Termination of Service, Minutes Arranged for the Termination of the Service Contract
Internet Access Information	Personal / Company electronic devices and internet access log records over the Company's networks, related IP addresses
System Access Authorization Information	System login-logout and activity logs, username-password, IP addresses
Audio / Visual Information	Photographs and camera recordings (Except for records within the scope of Physical Space Security Information)
Physical Space Security Information	Image records, turnstile records, security records, etc., taken at the entrance to the physical space and during the stay at the physical space.
Visit Information	Entry and exit time to company facilities, vehicle brand and license plate, company information
Marketing Information	Satisfaction surveys that show the usage habits, likes and needs of customers with personal data, campaigns, reports and evaluations obtained as a result of direct marketing studies etc.
Customer / Guest Information	Records regarding the use of products and services and instructions and requests of the customer required for the use of products and services; professional knowledge, countries visited; training; height-weight
Travel & Accommodation Information	Travel and visa information, reservation / voucher number, flight information, hotel information, check-in, check-out dates, room number
Request and Complaint Management Information	Personal data regarding the receipt and evaluation of requests and complaints about customer satisfaction surveys, products and services.

1. PURPOSES OF PROCESSING PERSONAL DATA

Personal data collected by the company are processed in accordance with the processing conditions specified in Articles 5 and 6 of the Law for the following purposes:

Main Purposes	Sub Purposes
Management of the Company, Execution and Control of the Activities, Physical, Legal and Commercial Security Supply	Making and Implementing Emergency and Crisis Management Plans
	Managing Finance and Accounting Processes
	Provision of Physical Space Security
	Management of Relations and Related Processes with Group Companies, Partners and Suppliers
	Execution of Legal Processes
	Performance of Internal Audit and Internal Control Activities
	Business Continuity Management
	Ensuring Registration and Document Layout
	Planning and Execution of Corporate Management Activities
	Execution of Risk Management Processes
	Execution of Contract Processes
	Execution of Strategic Planning Activities
	Managing Process Management and Improvement Activities
	Ensuring Company Activities are Carried out in accordance with Company Policies and Procedures and / or Relevant Legislation
	Ensuring the legal and commercial security of the company, personnel and people who have a business relationship with the Company
	Securing the Company's Assets
	Fulfilling our legal obligations and exercising our rights arising from the applicable legislation in accordance with the applicable legislation.
	Execution of Supply Chain Management Processes
	Execution of Investment Processes
	Giving Information to Authorized Persons, Institutions and Organizations
	Creating and Tracking Visitor Records
Management of Human Resources Processes	Execution of candidate application processes
	Execution of candidate selection and evaluation processes
	Carrying out activities for employee satisfaction and loyalty
	Managing processes regarding employee benefits and rights
	Follow-up and control of employees' business activities
	Conducting occupational health and safety processes
	Establishment, performance and fulfilment of the obligations assumed.
	Recruitment, personal and discharge procedures
	Career planning, execution of promotion-appointment processes
	Fulfilment of performance management processes
	Execution of Personnel Assignment and Authorization Processes
	Planning and Implementing Training and Orientation Programs
	Management of Wage Policy
	Foreign Personnel Work and Residence Permit Procedures
Information Systems & Information Security Management	Planning and Execution of Information Security Processes
	Information Systems Risk Management
	Fulfilling Legal Obligations Regarding Internet Traffic Monitoring
	Management of User Access and Authorization Processes
	Creating Log Records
Planning and Implementation of Communication and Marketing Activities	Planning and Implementation of Events and Organizations
	Execution of Loyalty Processes for Firms / Products / Services
	Execution of Communication Activities
	Statistical Analysis and Market Research
	Execution of Activities like Campaign, Promotion, Advertisement, Promotion, etc.
	Customer Relations Management
	Customer Satisfaction Management
	Planning & Management of Marketing Activities
	Execution of Sponsorship Activities
Planning and Serving Products and Services	Execution of Logistics Activities
	Execution of Goods / Services After Sales Support Services
	Execution of Operation Processes
	Communication with Customers Regarding the Products and Services Offered
	Performance of Product / Service Conditions and Fulfilment of Obligations
	Establishment and Management of Processes Regarding Planning and Sales of Products / Services
	Demand and Complaint Management

Personal data may be processed with the explicit consent of the data owner in the following cases where the conditions for processing personal data laid down in Article 5(2) and (3) of the Law are not met;

Processed Personal Data	Purpose of processing
Health and Blood Group Information and Disability Status	Compliance with occupational health and safety regulations; Recruitment and periodic inspections and examinations within the scope of health surveillance of the workplace doctor, health report, e-reçete (prescription), health screening processes and corporate health insurance processes, execution of visa processes.
Religion (obtained by obtaining a copy of the old identity card) and Nationality Information; criminal conviction information	Management of human resources processes; Creation of the personal file within the scope of the Labour Law; Visa processing of employees, company authorities, employees and guests limited to certain tours.
Audiovisual Data (Photos & camera recordings)	Planning and implementation of corporate communication activities; management of corporate social media accounts; execution of visa procedures
Birthday Information; Birth and death information of 1st degree relatives	Celebrating the birthday of employees and sharing their families' death information within the scope of internal communication activities

1. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA     

Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.

Accordingly;

• Amendment or removal of relevant legislation provisions that constitute the basis for processing personal data,
• The contract between the parties has never been established, the contract is not valid, the contract is terminated spontaneously, the contract is terminated or the contract is returned
• The purpose that requires the processing of personal data disappears,
• It is determined that processing personal data is against the law or honesty rule,
• In cases where the processing of personal data occurs only based on explicit consent, the relevant person's withdrawal of his consent,
• The Company's acceptance of the application of the relevant person regarding the processing of personal data within the framework of the rights in paragraph 11 (e) and (f) of Article 11 of the Law,
• In cases where the company refuses the application made by the relevant person with the request of deletion or destruction of his personal data, the response he has given is insufficient or does not respond within the period stipulated by the Law; Complaints to the Board and this request is approved by the Board,
• Although the maximum period requiring the retention of personal data has passed, there are no conditions that would justify keeping the personal data longer,
• In the event of the disappearance of conditions requiring the processing of personal data in Articles 5 and 6 of the Law, personal data must be deleted, destructed or made anonymous.

The rules for the deletion or anonymisation of personal data are laid down in the Personal Data Retention and Destruction Policy.

1. TRANSFER OF PERSONAL DATA

The transmissions of personal data to be carried out by the Company will comply with the conditions of transmission of personal data laid down in Articles 8 and 9 of the Law.

The parties to whom personal data may be transferred and the purposes of transfer are as follows:

Parties, to whom personal data may be transferred	Transfer purposes
Legally Authorized Institutions	Meeting the information-document request within the legal authority of authorized public institutions and organizations and private law persons.
Shareholders	Corporate law, commercial activities, event management and execution of corporate communication processes.
Company Authorities	Designing, implementing and managing strategies regarding the commercial activities of the Company; carrying out monitoring, risk management and audit activities.
Work partners	Fulfilment of the purposes of establishment of business partnership and commercial activities.
Group Companies	Carrying out processes and commercial activities that also require the participation of group companies.
Suppliers	Managing processes regarding outsourced goods and services, receiving support, supervision and consultancy services, benefiting from the benefits of the personnel.
Third Parties	Information sharing within the scope of reference verification / inquiry processes for employee candidates and leaving employees.

1. TRANSFER OF PERSONAL DATA DOMESTIC

Personal data may be transferred by the company if one of the following conditions exists:

• Obtaining explicit consent of the person concerned,
• Clearly prescribed in laws,
• The person who cannot give his consent due to factual impossibility or whose consent is not legally valid is obliged to protect his/her life or the integrity of another person,
• Requirement to process personal data of the parties to the contract where they are directly related to the conclusion or performance of a contract,
• The company is obliged to comply with its legal obligation,
• The data were published by the data owner himself/herself,
• Data processing is compulsory for the establishment, use or protection of a right,
• The processing of data is compulsory for the legitimate interests of the controller, provided that the fundamental rights and freedoms of the data owner are not violated.

Sensitive personal data can be transferred by taking sufficient precautions determined by the Board and if one of the following conditions exists:

• Obtaining explicit consent of the data owner,
• It is clearly prescribed by law in terms of sensitive personal data other than health and sexual life.
• Without the explicit consent of the data owner, personal data relating to health and sex life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.

The measures taken for the transfer of sensitive personal data are regulated in the " Processing of Sensitive Personal Data Policy".

1. TRANSFER OF PERSONAL DATA ABROAD

Personal data may be transferred abroad by the company if one of the following conditions exists:

• Obtaining explicit consent of the data owner,
• Presence of one of the conditions specified in Articles 5 (2) and 6 (3) of the Law and the presence of sufficient protection in the foreign country where personal data will be transferred,
• In the event of a lack of adequate protection, the data controllers in Turkey and in the foreign countries must suffice in writing a sufficient obligation for protection, which has the permission of the board.

In the event that Turkey or the interest of the person concerned suffers serious harm, personal data may be transferred abroad with the permission of the Executive Board, without prejudice to the provisions of the international treaty, but only with the opinion of the competent public institution or organization.

The measures taken for the transfer of sensitive personal data abroad are regulated in the " Processing of Sensitive Personal Data Policy".

1. TRANSFER OF DATA PROCESSED BY GROUP COMPANIES TO THE COMPANY

The Company's personal data, which are processed by the Group Companies, in order to carry out the activities of the Group Companies in accordance with the Company's principles, targets and strategies, and to protect the rights, interests and reputation of the group, can also be processed by the Company. G In the event that the personal data sharing between the Group Companies and the Company takes place within the scope of the Law within the scope of the personal data transfer from the data controller to the data controller, the relevant Group Company enlightens the person that the personal data can be sent to the Company at the stage of collecting the personal data of the relevant person.

1. DATA SECURITY ISSUES

Any necessary technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being processed and accessed unlawfully; Necessary audits are provided to ensure the enforcement of the provisions of the law.

1. ADMINISTRATIVE MEASURES

1. By determining the probability of occurrence of the risks that may arise regarding the protection of personal data and the losses it will cause in case of occurrence, measures are taken to reduce or eliminate the risks.
2. The duties, powers and responsibilities of the personnel involved in all processes and policies regarding the processing of personal data, ensuring the confidentiality and security and disposal are written down and made available to all personnel.
3. Personnel are provided with the necessary trainings within the scope of processing, protection and data security of personal data.
4. Keeping the policies and procedures up-to-date and providing the necessary training and informing the employees about the changes made are ensured.
5. Within the scope of the recruitment process, provisions regarding the protection and confidentiality of personal data are added to the contracts signed between the employees and the Company and signed by the employee.
6. By determining whether the processed personal data is still needed and stored in the right place, personal data retained for archival purposes will be kept in a more secure environment and unneeded personal data will be deleted, destructed or made anonymous in accordance with the Personal Data Retention and Destruction Policy.
7. Access to the personal data stored within the company is restricted to the personnel required for access based on the duty description.
8. If employees fail to comply with policies and procedures established and announced by the Company, sanctions will be imposed in accordance with the disciplinary process. 
9. With regard to the disclosure of personal data, confidentiality agreements for the protection of personal data and data security are concluded with individuals and data processors or data protection provisions are added to existing agreements.
10. Within the framework of policies and procedures; regular checks are carried out for areas open to development, and necessary measures are planned and implemented.
11. In order to ensure enforcement of the legal provisions, measures are planned for the confidentiality and security deficiencies resulting from the audits, and the findings are promptly remedied.
12. If the processed personal data is obtained illegally from third parties, the data owner and the Management Board shall be informed as soon as possible.

1. TECHNICAL MEASURES

1. SSL connections, anti-virus and firewall software and hardware are used for the protection of information technology systems and data containing personal data.
2. Unused software and services are deleted from the devices.
3. The proper functioning of the software and hardware and the security measures taken are checked regularly; patch and software updates are provided to cover possible security gaps.
4. Access to systems containing personal data is provided within the framework of access policies, user and role management procedures. The scope and duration of authorization of users who have access to data are clearly defined. Information Technology employees' access to personal data is kept under control.
5. If remote access to the data is required, at least two-step authentication system is used.
6. Authority checks are carried out periodically.
7. The powers of the employees who change their duties or leave the job are revoked immediately. In this context, the inventory allocated to it by the Company is refunded.
8. Technical infrastructure is provided to prevent data from leaking out of the institution.
9. It is ensured that the log of transaction acts (log records) of all users are kept regularly.
10. The system weaknesses are controlled by receiving penetration test services regularly and when the need arises.
11. The medium and devices where personal data are stored are protected by taking physical security measures.
12. Ensuring that personal data is stored safely, data is backed up and physical security of all backups is ensured.
13. Personal data is ensured to be destructed in a way that cannot be recycled and leave an audit trail.
14. Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encrypted or crypto graphic methods in a way to provide information security requirements. Cryptographic keys are kept safe and in different mediums.
15. During the storage and use of personal data in the cloud environment, encryption with cryptographic methods and using separate encryption keys where possible for personal data, especially for each cloud solution that is served; when the cloud computing service relationship ends; all copies of encryption keys required to make personal data available are destructed.
16. If it is necessary to transfer personal data via e-mail, it is ensured that it is transferred with an encrypted corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
17. When it is necessary to transfer it via media such as Portable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in different media.
18. While transferring between servers in different physical environments is performed, data transfer is performed by installing VPN between servers or by SFTP method.
19. Necessary precautions are taken against risks such as theft of documents, loss or being seen by unauthorized persons in the transfer of data via paper medium.

1. ENLIGHTENMENT

The processed personal data cannot be disclosed to anyone else in violation of the provisions of the Law and cannot be used for purposes other than processing. During the acquisition of personal data, the Company informs the relevant people about the following subjects with the "Personal Data Protection and Processing Enlightenment Text". 

1. Company information,
2. The purposes of processing personal data,
3. To whom and for what purpose the processed personal data can be transferred,
4. Method and legal reason of collecting personal data,
5. Rights of the person under the Law.

The “Personal Data Protection and Processing Enlightenment Text" is also provided on the Company website.

If personal data cannot be obtained directly from the person due to the actual impossibility or inaccessibility of the person concerned;

•     Within a reasonable time from the acquisition of personal data,

•     In case personal data will be used for communication with the person concerned, during the initial communication,

•     If personal data is to be transferred, the obligation to enlighten the relevant person is fulfilled at the latest when personal data is transferred for the first time.

There is no obligation of illumination if personal data that is publicized by the person concerned is processed.

1. RIGHTS OF DATA OWNER

The data owner has the following rights about him/her by applying to our Company;

a)  Find out if personal data is processed,

b)     If personal data is processed, requesting information about it,

c)  Learning the purpose of processing personal data and whether they are used in accordance with its purpose,

ç)  To know the third parties to whom personal data are transferred domestically or abroad,

d)     Requesting correction of personal data if it is incomplete or incorrectly processed,

e)     Request personal data to be deleted or destructed,

f)  to request notification of transactions made in accordance with clauses (d) and (e) to third parties to whom personal data are transferred,

g)  To object to the emergence of a result against the person by analysing the processed data exclusively through automated systems,

ğ)  In the event that personal data is damaged due to illegal processing, the data owner has the right to demand the removal of the damage.

The company has established the operation and necessary communication channels for the management, fulfilment and recording of personal data owners’ applications.

The data owner conveys his requests regarding the implementation of the Law to the Company by filling out the "Data owner Application Form" at www.a-energy.com.tr with the information and documents that will determine his/her identity and by the following methods or other methods determined by the Board.

• After the Data owner Application Form has been filled out, a wet signed copy will be sent to the company’s address “BARBAROS MAHALLESİ SERİK CAD. E Apt. NO: 305 E/1 AKSU ANTALYA”.
• After the Data owner Application Form is filled and signed with the “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, it will be sent to the registered e-mail [email protected]. 

The company concludes its requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires a separate cost, the fee at the tariff determined by the Board may be charged.

The company accepts the request or rejects it by explaining its reason and informs the person in writing or electronically. In case the request in the application is accepted, the Company fulfils the requirement. In case the application is caused by the Company's error, the fee collected is returned to the concerned person.

In case the application is rejected, the answer is insufficient or the application is not answered in due time; the person concerned may complain to the Board within thirty days from the date when the Company has learned the answer, and within sixty days from the date of application.

1.  SITUATIONS OUTSIDE THE RIGHTS OF DATA OWNERS

Personal data owners will not be able to assert their rights in case of the following situations where the provisions of the law are not applied:

• Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defence, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
• Processing personal data for purposes such as research, planning and statistics by anonymizing with official statistics.
• Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defence, national security, public security, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities regarding investigations, prosecutions, trials and execution proceedings.

Except for the obligation of illumination and the right to demand compensation, provided that it complies with the purpose and basic principles of the Law, personal data owners will not be able to assert their rights if:

• Personal data processing is necessary for crime prevention or criminal investigation.
• Processing of personal data personalized by the personal data owner.
• In case that personal data processing is necessary for the disciplinary investigation or prosecution by the authorized public institutions and organizations and the professional institutions that are public institutions based on the authority given by the law.
• Personal data processing is necessary to protect the state's economic and financial interests in relation to budget, tax and financial matters.

DOCUMENT NO	:	GM-P003
APPROVED BY	:	BOARD OF DIRECTORS
DATE OF APPROVAL	:	05/01/2019
LAST REVISION DATE	:	00/0000
VERSION NO	:	01
RELATED DOCUMENTS	:	Personal Data Protection and Processing Policy Personal Data Retention and Destruction Policy Personal Data Protection and Processing Enlightenment Text Personal Data Processing Explicit Consent Statement

CONTENTS

1.     PURPOSE. 3

2.     SCOPE. 3

3.     RESPONSIBILITY. 3

4.     DEFINITIONS. 3

5.     PROCESSING OF SENSITIVE PERSONAL DATA. 5

5.1.       GENERAL PRINCIPLES REGARDING THE PROCESSING OF SENSITIVE PERSONAL DATA.. 5

5.2.       CONDITIONS FOR PROCESSING OF SENITIVE PERSONAL DATA.. 5

5.3.       DATA OWNER, PERSON GROUP AND PERSONAL DATA CATEGORIES PROCESSED.. 6

5.4.       PURPOSES OF PROCESSING SENSITIVE PERSONAL DATA.. 7

5.5.       DELETION, DESTRUCTION AND ANONYMIZATION OF SENSITIVE PERSONAL DATA.. 8

5.6.       TRANSFER OF SENSITIVE PERSONAL DATA.. 8

5.6.1.    TRANSFER OF SENSITIVE PERSONAL DATA DOMESTIC. 8

5.6.2.    TRANSFER OF SENSITIVE PERSONAL DATA ABROAD.. 9

6.     DATA SECURITY ISSUES. 9

6.1    ADMINISTRATIVE MEASURES. 9

6.2    TECHNICAL MEASURES. 10

7.     RIGHTS OF DATA OWNER. 11

1. PURPOSE 

The purpose of this policy is to ensure compliance with the obligations within the scope of processing sensitive personal data, determination of controls and precautions, rules and responsibilities related to processing and security of sensitive personal data and to make the data owner and the employees of the company aware, in addition to the regulations within the scope of the "Protection and Processing of Personal Data Policy" (law) while the processing of personal data by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company), in accordance with the Basic Law of the Turkish Republic and Law No. 6698 on the protection of personal data.

1. SCOPE

These policy provisions apply to customers, employees, family members of employees, trainees, customers, shareholders whose data are processed by the Company wholly or partly by automatic means or who are processed automatically by being part of a data collection system.

1. RESPONSIBILITY

This policy, which is an annex to the Company's Personal Data Protection and Processing Policy, has been approved by the Company's Board of Directors and came into force. All activities and measures to be taken within the framework of policies and within the Company are determined by relevant procedures.  The Company's Senior Management is responsible for the preparation, updating and implementation of these procedures.

All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.

1. DEFINITIONS

The important definitions in this policy are listed below.

Explicit Consent	Consent on a specific subject, informative and explained by free will
Anonymization	Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Data owner	Natural person whose personal data are processed.
Related user	Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data.
Destruction	Deletion, Destruction, and Anonymization of Personal Data
Law	Turkish Personal Data Protection Law no. 6698
Recording Medium	Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Processing of personal data	Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data	Making personal data inaccessible and unusable to relevant users in any way.
Destruction of personal data	Making personal data inaccessible, retrievable and reusable by anyone.
Anonymization of personal data	Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Board	The Board of Protection of Personal Data.
Authority	The Authority of Protection of Personal Data.
Sensitive Personal Data	Race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data of persons.
Periodic destruction	In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy.
Registry	Register of Data Protection Officers of the Presidency of the Data Protection Authority
Data processor	Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.
Data recording system	Any recording system through which personal data are processed by structuring according to specific criteria.
Data controller	Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
Processing of personal data	Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.

1. PROCESSING OF SENSITIVE PERSONAL DATA

1. GENERAL PRINCIPLE RELATED TO THE PROCESSING OF SENSITIVE PERSONAL DATA

The personal data at the company are processed in accordance with the procedures and principles stipulated in the Law and other laws, and the principles set out in the "Personal Data Protection and Processing Policy" are taken into consideration in the processing of personal data.

1. CONDITION FOR PROCESSING OF SENSITIVE PERSONAL DATA

When the company processes sensitive personal data, it first determines whether data processing conditions exist, after ensuring that the legal compliance requirement that data be processed is met. In this context, and subject to appropriate measures being adopted by the Management Board, specific personal data shall be processed under the following conditions:

1. Specific personal data other than health and sex life,
   • If there is an explicit consent statement of data owner or
   • in legally prescribed cases

2. Personal data relating to health and sex life,
   • If there is an explicit consent statement of data owner 
   • Without the explicit consent of the data owner, personal data relating to health and sex life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.

During the acquisition of sensitive personal data, the Company informs the data owner about the following issues with the "Protection and Processing of Personal Data Enlightenment Text":

1. Company information,
2. The purposes of processing personal data,
3. To whom and for what purpose the processed personal data can be transferred,
4. Method and legal reason of collecting personal data,
5. Rights of the person under the Law.

The relevant personal data will be processed by the Company if the data owner consents to the Explicit Consent Statement for Processing of Personal Data regard to the processing of the data concerning him/her, with knowledge of the Personal Data Protection and Processing Enlightenment Text provided by the company, freewill, without leaving room for hesitation and limited only by the relevant transaction.

Insofar as the laws contain provisions for the processing of personal data, personal data will only be processed by the Company within the framework of the relevant legal provisions.

The processed personal data cannot be disclosed to anyone else in violation of the provisions of the Law and cannot be used for purposes other than processing.

Processing conditions and examples of sensitive personal data, excluding explicit consent, are given in the table below:

Processing conditions	Scope	Example
Provision of the law	Personal data other than health and sexual life can be processed without the explicit consent of the person concerned. Tax Laws, Labour Law, Turkish Commercial Code etc. stricter sensitive data processing conditions.	The union information of the employee should be kept in the personal file as required by the legislation.
Protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing	Processing of data for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.	Health data processed by the doctor about his patient.

1. DATA OWNER PERSON GROUP AND PROCESSED PERSONAL DATA CATEGORIES

The group of persons whose personal data are processed by our company are as follows:

Data owner person group
Employees	Company employees
Trainees	High school and university students intern at the company
Family members	Family members of data owners
Shareholders	Company shareholder natural persons
Customers	Regardless of whether there is any contractual relationship with our company, real persons who have purchased / used our products and services.

The sensitive personal data processed for these people are as follows:

Sensitive Personal Data

Nationality, religion, criminal record, disability, health and blood group information

1.  PURPOSES OF PROCESSING sensıtıve PERSONAL DATA

The personal data collected by the company are processed in accordance with the processing conditions specified in Article 6 of the Law for the following purposes:

Main Purposes	Sub Purposes
Management of the company, performing the activities in accordance with the law, Company policies and procedures	Fulfilling our legal obligations and exercising our rights arising from the current legislation in accordance with the applicable legislation.
	Establishment and management of processes related to the planning and sales of products / services; performance of product and service conditions and fulfill the obligations assumed completely and correctly
	Providing accommodation, tour and visa services to customers
	Follow-up of contract processes and / or legal transactions
	Execution of the operational processes
	Risk management, auditing and control activities
	Arrangement of all records and documents that will be based on transactions
	Providing information from the legislation to public / private institutions and organizations authorized to receive information and documents in line with the relevant legislation provisions.
	Providing information to audit companies in accordance with the Law to ensure compliance with legal obligations and company policies
	Ensuring the physical, legal and commercial security of the company, personnel and people who have business relations with the Company
Execution of human resources policies; planning and execution of human resources processes	Establishment, performance and fulfilment of the obligations assumed.
	Conducting recruitment and personal processes
	Establishment, use or protection of processes related to benefits and interests such as corporate health insurance and private pension
	Compliance with occupational health and safety regulations; Recruitment and periodic inspections and examinations within the scope of health surveillance of the workplace doctor, health report, e-reçete (prescription), health screening processes.

In cases where the personal data processing conditions specified in Article 6 (3) of the Law are not met, personal data may be processed on the explicit consent of the data owner.

1. DELETION, DESTRUCTION AND ANONYMIZATION OF SENSITIVE PERSONAL DATA             

Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.

In terms of deletion, destruction or anonymization of personal data, it is complied with the general principles in article 4 of the Law and the technical and administrative measures to be taken within the scope of article 12, the relevant legislation provisions, Board decisions and Personal Data Retention and Destruction Policy.

1. TRANSFER OF SENSITIVE PERSONAL DATA 

In the case of sensitive personal data transfers to be carried out by the company, it will act in accordance with the sensitive personal data transfer conditions arranged by the Board Decision.

The parties to which sensitive personal data can be transferred and the transfer purposes are as follows:

Parties, to whom personal data may be transferred	Transfer purposes
Legally Authorized Institutions	Meeting the information-document request within the legal authority of authorized public institutions and organizations and private law persons.
Work partners	Fulfilment of the purposes of establishment of business partnership and commercial activities.
Group Companies	Carrying out processes and commercial activities that also require the participation of group companies.
Suppliers	Managing processes regarding outsourced goods and services, receiving support, supervision and consultancy services, benefiting from the benefits of the personnel.

1.  TRANSFER OF SENSITIVE PERSONAL DATA DOMESTIC

 

Sensitive personal data can be transferred by taking sufficient precautions determined by the Board and if one of the following conditions exists:

1. Obtaining explicit consent of the data owner.
2. It is clearly prescribed by law in terms of sensitive personal data other than health and sexual life.
3. Without the explicit consent of the data owner, personal data relating to health and sex life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations.

Adequate measures taken for the transfer of personal data of special nature are regulated in Article 6 of this Policy.

1. TRANSFER OF SENSITIVE PERSONAL DATA ABROAD

 

Personal data may be transferred abroad by the company if one of the following conditions exists:

1. Obtaining explicit consent of the data owner,
2. It is clearly prescribed by law in terms of sensitive personal data other than health and sexual life and

• Adequate protection in the foreign country where personal data will be transferred,
• In the absence of adequate protection, adequate protection of data in a responsible and Turkey in the foreign countries to commit themselves in writing and the permission of the Board,

Without prejudice to the provisions of international conventions, where the interest of Turkey or the data owner will be seriously damaged personal data can only be transferred abroad with the permission of the Board, by obtaining the opinion of the relevant public institution or organization.

Adequate measures taken for the transfer of sensitive personal data abroad are regulated in Article 6 of this Policy.

1. DATA SECURITY ISSUES

Any necessary technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being processed and accessed unlawfully; Necessary audits are provided to ensure the enforcement of the provisions of the law.

  

1.  ADMINISTRATIVE MEASURES

1. By determining the probability of occurrence of the risks that may arise regarding the protection of sensitive personal data and the losses it will cause in case of occurrence, measures are taken to reduce or eliminate the risks.
2. The duties, powers and responsibilities of the personnel involved in all processes and policies regarding the processing of sensitive personal data, ensuring the confidentiality and security and disposal are written down and made available to all personnel.
3. Personnel are provided with the necessary trainings within the scope of processing, protection and data security of personal data.
4. Keeping the policies and procedures up-to-date and providing the necessary training and informing the employees about the changes made are ensured.
5. Within the scope of the recruitment process, provisions regarding the protection and confidentiality of personal data are added to the contracts signed between the employees and the Company and signed by the employee.
6. By determining whether the processed personal data is still needed and stored in the right place, personal data retained for archival purposes will be kept in a more secure environment and unneeded personal data will be deleted, destructed or made anonymous in accordance with the Personal Data Retention and Destruction Policy.
7. Access to the personal data stored within the company is restricted to the personnel required for access based on the duty description.
8. If employees fail to comply with policies and procedures established and announced by the Company, sanctions will be imposed in accordance with the disciplinary process. 
9. With regard to the disclosure of personal data, confidentiality agreements for the protection of personal data and data security are concluded with individuals and data processors or data protection provisions are added to existing agreements.
10. Within the framework of policies and procedures, regular checks are carried out for areas open to development, and necessary measures are planned and implemented.
11. In order to ensure enforcement of the legal provisions, measures are planned for the confidentiality and security deficiencies resulting from the audits, and the findings are promptly remedied.
12. If the processed personal data is obtained illegally from third parties, the data owner and the Management Board shall be informed as soon as possible

    1. TECHNICAL MEASURES

1. SSL connections, anti-virus and firewall software and hardware are used for the protection of information technology systems and data containing personal data.
2. Unused software and services are deleted from the devices.
3. The proper functioning of the software and hardware and the security measures taken are checked regularly; patch and software updates are provided to cover possible security gaps.
4. Access to systems containing personal data is provided within the framework of access policies, user and role management procedures. The scope and duration of authorization of users who have access to data are clearly defined. Information Technology employees' access to personal data is kept under control.
5. If remote access to the data is required, at least two-step authentication system is used.
6. Authority checks are carried out periodically.
7. The powers of the employees who change their duties or leave the job are revoked immediately. In this context, the inventory allocated to it by the Company is refunded.
8. Technical infrastructure is provided to prevent data from leaking out of the institution.
9. It is ensured that the log of transaction acts (log records) of all users are kept regularly.
10. The system weaknesses are controlled by receiving penetration test services regularly and when the need arises.
11. Adequate security measures (against electricity leakage, fire, flooding, theft, etc.) are taken depending on the nature of the environment where sensitive personal data are available. By ensuring the physical security of these environments, unauthorized entry and exit are prevented.
12. Ensuring that sensitive personal data is stored safely, data is backed up and physical security of all backups is ensured.
13. Sensitive Personal data is ensured to be destructed in a way that cannot be recycled and leave an audit trail.
14. Data in any electronic environment where sensitive personal data are stored is kept using cryptographic methods. Cryptographic keys are kept safe and in different environments. Cryptographic keys are kept safe and in different environments.
15. During the storage and use of personal data in the cloud environment, encryption with cryptographic methods and using separate encryption keys where possible for personal data, especially for each cloud solution that is served; when the cloud computing service relationship ends; all copies of encryption keys required to make personal data available are destructed.
16. If it is necessary to transfer sensitive personal data via e-mail, it is ensured that it is transferred with an encrypted corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
17. When it is necessary to transfer it via media such as Portable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in different media.
18. While transferring between servers in different physical environments is performed, data transfer is performed by installing VPN between servers or by SFTP method.
19. Necessary precautions are taken against risks such as theft of documents, loss or being seen by unauthorized persons in the transfer of data via paper medium.

1. RIGHTS OF DATA OWNER

The rights of the data owner under the Law, the methods of transmitting their requests regarding the implementation of the Law, and the provisions regarding the finalization of the requests by the Company are regulated in the Protection and Processing of Personal Data Policy.

The purpose of this Cookie Policy is to provide information to you regarding processing of personal data which are obtained because of the usage of cookies by Platform users/members/visitors (Data Owner’) while running the mobile application and the web-page (‘Website’)  www.a-energy.com.tr (all together hereinafter referred to as ‘Platform’), which are operated by ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (the ‘Company’). The expression of ‘personal data’ included in this policy covers the information listed below:

• Customer Information

• Device Information 

• Behaviours

• Demographic Information 

• Marketing Information 

• Behavioural Advertising

You may visit the Platform without giving any personal information.  Cookies are used during your visit in order to collect information about Platform usage, to ensure that our visitors benefit from the Platform in the most efficient manner and to improve user experience.

By visiting the Platform, you are deemed to have approved the use of the information, collected thanks to cookies, in compliance with the Policy of Protecting and Processing Personal Data which is presented in the following address:  https://www..... If you do not want the cookies to be used in such manner, you must adjust the settings of your browser or abstain from using the Platform. Deactivating the cookies that we use may affect your user experience in the Platform.

What are the Cookies and why are the Cookies used?

Cookies are the text files with small sizes which are stored in your device or the network server through the browsers by websites you visit. Cookies cannot collect any information, including your personal information stored in your computer or files. In order to receive more information about cookies please visit the following websites:  www.aboutcookies.org and  www.allaboutcookies.org. The purposes of using cookies in the Platform are listed below:

• Improve the services rendered to you by means of increasing the functionality and performance of the Platform;
• To improve the Platform and offer new features over the Platform and customise the features offered according to your preferences;
• To ensure legal and commercial security of the Platform, you and our Company;
• To benefit from cookies within the scope of direct and indirect marketing activities.

Categories of the Cookies Used in the Platform

(Technical Cookies)	Thanks to technical cookies running of the Site is ensured and pages and areas of the website that do not run or respond are determined.
(Authentication Cookies)	In case the visitors log in the Site by entering their passwords, Authentication Cookies detects the visitor as the user of the website in each page visited by the visitor so that, visitors do not have to enter their passwords in each page.
(Flash Cookies)	These are the cookies that are used to activate the image or audio contents present in the Site.
(Customization Cookies)	Customization Cookies are used to remember the preferences of users while visiting different pages of a different website. For instance, it remembers the language preference that you have previously selected.
(Analytical Cookies)	Analytical Cookies make it possible to generate the analytical results such as number of visitors who visit the Site and the pages displayed in the Site, the time when the Site is visited and scrolling motions between different internet sites.

Cookies Used in the Platform

Cookie Type	Explanation, Duration and Preferences
Analytical Cookies
For Advertisement	It is used in order to display behavioural or target-oriented advertisements to visitors. It is possible to accept or reject them through browser settings.
Market Analysis	It is used in order to conduct a market analysis. It is possible to accept or reject them through browser settings.
Campaign/Promotion	It is used in order to calculate the effect of campaigns. It is possible to accept or reject them through browser settings.
Facebook	These kinds of cookies makes it possible to monitor Facebook members (or non-members) with the intent of market analysis and product development. It is possible to accept or reject them through browser settings.
Twitter	These cookies are used to monitor members or non-member visitors of social media networks with the intent of market analysis and product development. It is possible to accept or reject them through browser settings.
Google Analytical	These kinds of cookies ensures collecting all statistical data and thus improving the presentation and usage of the Site. Google enables us to have a better understanding on the users by adding data regarding societal statistics and interests to such statistics. Our website uses Google Analytical cookies. Data that are collected by means of such cookies are transmitted to Google servers located in USA and these data are preserved in compliance with the data protection principles of Google. In order to receive further information about principles of Googles regarding the analytical data processing activities and protection of personal data please click  here. Controlling the Cookies https://tools.qooqle.com/dlpaqe/qaoptout
Technical Cookies
Session	Session cookies are used in order to maintain the continuity of the session. It is possible to accept or reject them through browser settings.
Load-Balancing	Load Balancing Cookies are used in order to reduce the load on server by dispersing the load. It is possible to accept or reject them through browser settings.
Security	Security cookies are used for the security controls. It is possible to accept or reject them through browser settings.
Fraud Detection	These kinds of cookies are used in order to detect clicking tricks. It is possible to accept or reject them through browser settings.
Authentication Cookies
User ID	User ID cookies are used in order to display to users only their own information. It is possible to accept or reject them through browser settings.
Customization Cookies
Language	It memorizes the language selected by user and offers options in accordance with the selection of language. It is possible to accept or reject them through browser settings.
Mobile	It is used to display the main website if the user visits the Site through a mobile device. (For example, the device activated the flash or user is in a mobile site which do not require a Flash.) The From Site is recorded in order to comprehend the user preferences better. It is possible to accept or reject them through browser settings.
Flash Cookies
Flash Cookies	It activates the audio and video contents to be played. It is possible to accept or reject them through browser settings.

 

Is It Possible to Avoid the Usage of Cookies by Data Owners?

Data owners have the ability to customise their preferences regarding cookies by changing their browser settings. If the browser, which is used, provides the user with such opportunity then, it is possible to change the preferences regarding Cookies through the browser settings. Thus, while it may vary across the possibilities offered by the browser used data owners have the opportunity to block usage of cookies or to receive a warning before using cookies or deactivate or delete only the certain Cookies.

Preferences regarding cookies may be required to be determined and adjusted separately for each different device through which the user gain access to the Platform.

Adobe Analytics	http://www.adobe.com/uk/privacy/opt-out.html
AOL	https://help.aol.com/articles/restore-security-settings-and-enable-cookie-settings-on-browser
Google Adwords	https://support.google.com/ads/answer/2662922?hl=en
Google Analytics	https://tools.google.com/dlpage/gaoptout
Google Chrome	http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647
Internet Explorer	https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
MozillaFirefox	http://support.mozilla.com/en-US/kb/Cookies
Opera	http://www.opera.com/browser/tutorials/security/privacy/
Safari	https://support.apple.com/kb/ph19214?locale=tr_TR

DATA OWNER APPLICATION MANAGEMENT POLICY 

DOCUMENT NO	:	GM-P004
APPROVED BY	:	BOARD OF DIRECTORS
DATE OF APPROVAL	:	05/01/2019
LAST REVISION DATE	:	00/0000
VERSION NO	:	01
RELATED DOCUMENTS	:	Personal Data Retention and Destruction Policy Data Owner Application Form

 

CONTENTS

1.& PURPOSE. 2

2.& SCOPE. 3

3.& RESPONSIBILITY. 3

4.& DEFINITION.. 3

5.& APPLICATION RIGHT. 4

6.& APPLICATION PROCEDURES. 5

7.& APPLICATION RECORDING. 6

8.& APPLICATION EVALUATION.. 7

8.1. PERSONAL DATA DETECTION.. 7

8.2. INFORMATION REQUEST FOR PERSONAL DATA PROCESSED.. 7

8.3. CORRECTION REQUEST FOR PERSONAL DATA PROCESSED.. 7

8.4. DELETION/ DESTRUCTION REQUEST FOR PERSONAL DATA PROCESSED.. 7

8.5. REQUEST FOR NOTIFICATION OF CORRECTION / DELETION / DESTRUCTION REQUESTS REGARDING THE PROCESSED PERSONAL DATA TO THE DATA TRANSMITTED PARTIES. 8

8.6. OBJECTING TO THE EMERGENCE OF A RESULT AGAINST THE PERSON HIMSELF/HERSELF. 8

8.7. REQUEST TO ELIMINATE THE LOSS, IN CASE THE PERSONAL DATA IS DAMAGED DUE TO UNLAWFUL PROCESSING OF PERSONAL DATA.. 8

9.& RESPONDING APPLICATION.. 8

10. FEE. 9

1. PURPOSE

The purpose of this policy is to explain the operation and communication channels established regarding the management, execution and recording of the applications of the data owners with the implementation of the Law by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (company) in the capacity of data controller in accordance with Personal Data Protection Law No. 6698 (Law). 

1. SCOPE

These policy provisions apply to natural persons who have personal data processed by the Company in full or partial automation, or non-automated means provided that they are part of any data recording system.

1. RESPONSIBILITY

This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.

Contact Person

• is responsible for ensuring communication in responding to requests to be made by the data owners to the Company.
• is responsible for ensuring that the applications of the data owner are answered within 30 days at the latest in line with the responses conveyed by the relevant departments.
• is responsible for ensuring the communication between the Board and the Company and meeting the requests of the Board.

Department Managers

• Department managers are responsible for ensuring that the contact applications received by them are examined and responsed within 1 week at the latest.

1. DEFINITIONS

Anonymization	Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Application	Application made under Article 13 of the Law
Secure Electronic Signature	The electronic signature, which is linked exclusively to the signer and is created using the secure electronic signature creation tool available only to the signer, identifies the signer using the qualified electronic certificate and ensures that changes have been made to the signed electronic data.
Data owner	Natural person whose personal data are processed.
Destruction	Deletion, Destruction, and Anonymization of Personal Data
Contact Person	Legal person reported to the Registry by the data officer for communication with the institution during registration, regarding the obligations of its representative under the Law and secondary regulations to be issued based on this Law of the legal person representative of data controller not residing at Turkey with legal persons residing at Turkey.
Law	Turkish Personal Data Protection Law no. 6698
Recording Medium	Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system.
Registered e-mail (REM) address	Qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their delivery and delivery.
Personal Data	Any information relating to an identified or identifiable natural person.
Anonymization of personal data	Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Processing of personal data	Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data	Making personal data inaccessible and unusable to relevant users in any way.
Destruction of personal data	Making personal data inaccessible, retrievable and reusable by anyone.
Board	The Board of Protection of Personal Data.
Authority	The Authority of Protection of Personal Data.
Mobile signature	Electronic signature created using a mobile device
Data controller	Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

1. APPLICATION RIGHT

Pursuant to Article 11 of the Law, the data owner has the right to apply to our Company to

request the following:

Find out if personal data is processed,

b) If personal data is processed, requesting information about it,

c)  Learning the purpose of processing personal data and whether they are used in accordance with its purpose,

ç)  To know the third parties to whom personal data are transferred domestically or abroad,

d) Requesting correction of personal data if it is incomplete or incorrectly processed,

e) Request personal data to be deleted or destructed,

f)  to request notification of transactions made in accordance with clauses (d) and (e) to third parties to whom personal data are transferred,

g)  To object to the emergence of a result against the person by analysing the processed data exclusively through automated systems,

ğ)  In the event that personal data is damaged due to illegal processing, the data owner has the right to demand the removal of the damage.

The data owner can benefit from this right provided that the application is made in Turkish.

Personal data owners will not be able to assert their rights in case of the following situations where the provisions of the law are not applied:

• Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defence, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
• Processing personal data for purposes such as research, planning and statistics by anonymizing with official statistics.
• Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defence, national security, public security, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities regarding investigations, prosecutions, trials and execution proceedings.

Except for the obligation of illumination and the right to demand compensation, provided that it complies with the purpose and basic principles of the Law, personal data owners will not be able to assert their rights if:

• Personal data processing is necessary for crime prevention or criminal investigation.
• Processing of personal data personalized by the personal data owner.
• In case that personal data processing is necessary for the disciplinary investigation or prosecution by the authorized public institutions and organizations and the professional institutions that are public institutions based on the authority given by the law.
• Personal data processing is necessary to protect the state's economic and financial interests in relation to budget, tax and financial matters.

1. APPLICATION PROCEDURES

The data owner may submit his or her requests to the Company for the implementation of the law by filling in the data owner application form at www.a-energy.com.tr with the information and documents that determine his or her identity, using the methods indicated below.

• After the application form has been filled in, the data owner writes ‘“Personal Data Protection Law Information Request’’ on the envelope - the notification, and transmits it either manually or through a notary, to the address BARBAROS MAHALLESİ SERİK CAD. E Apt. NO: 305 E/1 AKSU ANTALYA.

•&   After the application form has been filled in, the data owner signed it with the “secure electronic signature” within the scope of Electronic Signature Law No. 5070 and sent it to [email protected] address by writing “Personal Data Protection Law Information Request” to the subject part by registered e-mail.

In written applications, the date when the document is notified to the Company is the application date. For applications made with the other method, the date the application reaches the Company is the application date.

1. APPLICATION RECORDING

If the Application Form is submitted by hand, the identity of the person concerned is determined by checking the identity document (Name-Surname, Identity Number).

In order for a person other than the personal data owner to make a request, the original power of attorney issued on behalf of the person to apply by the personal data owner must be submitted. A copy of the power of attorney is kept in the annex.

The application for personal data of persons under the age of 18 can be made by their legal representative. In this case, copies of the documents that determine the authority of the legal representative are requested and a copy of it is kept in the application annex.

In applications made with secure electronic signature, the identity of the applicant can be legally determined with a qualified electronic certificate based on e-signature.

Applications made in writing by the data owner in person or through a notary are recorded in the Documents Registry by the Correspondent and delivered to the Contact Person against the signature.

Applications made to the registered e-mail address are sent to the Contact Person by e-mail by the Financial Advisor or authorized person.

The Contact Person checks whether the application is in accordance with the procedures set out in this Policy and whether the information and documents required to be included in the application form are complete. For applications that are not in accordance with the procedure, they contact the person concerned to provide the necessary information. Nevertheless, applications that are inappropriately and incomplete information / documented are rejected after being notified in writing to the person concerned.

Applications received in accordance with the procedure are forwarded by the Contact Person to the relevant department manager listed below, according to the category of the applicant.

• Candidate employee, former employee: Human Resources

• Supplier: Accounting / Purchasing

• Customer / Guest: Related Department

• Visitor: Security

• Other: Information Technologies / Law

1. APPLICATION EVALUATION

 

1. PERSONAL DATA DETECTION

In order to evaluate the requests of the data owners, firstly, it should be determined by the relevant department whether the personal data of the applicant is processed before the Company.

For this purpose, firstly, the relevant process, data category, recording medium and storage location in the Personal Data Inventory are determined based on the information in the Application Form. In addition to the review made on the Data Inventory, the data owner information on the application form is checked by searching on the Company databases.

If the personal data specified by the relevant person in the application form are not found in the relevant processes and systematic testing, the Contact Person is informed by e-mail.

If personal data specified by the relevant person in the application form are encountered in the relevant processes and systematic testing, one of the following steps is carried out in accordance with the request of the personal data owner and the requirement is fulfilled.

1. INFORMATION REQUEST FOR PERSONAL DATA PROCESSED

In line with the request of the person concerned, specified in the 11/1 of the Law and in the in the clause  (a) (b) (c) and (ç) of article 5 of this Policy, personal data processed in the Personal Data Inventory, the data processing purpose, the transmitted party and the transfer purpose information are sent to the Contact Person by e-mail.

1. CORRECTION REQUEST FOR PERSONAL DATA PROCESSED

In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (d) of article 5 of this Policy, the personal data provided by the data owner and the documents proving them and the information in the Company records are compared. The data determined to be processed as defective or incomplete at the company are forwarded to the relevant department where the data is recorded together with the proving documents for correction and updated.

Information regarding the updated data is sent to the Contact Person by e-mail.

1. DELETION/DESTRUCTION REQUEST FOR PERSONAL DATA PROCESSED

In line with the request of the relevant person specified in 11/1 of the Law and in the clause (e) of article 5 of this Policy, it is determined in which processes that the Personal Data Inventory should be stored and processed due to legal obligation.

If there is no obligation to store and process due to legal obligation, related personal data will be deleted and destroyed in accordance with the Personal Data Retention and Destruction Policy. Upon completion of the deletion / destruction process, the information that the relevant personal data has been deleted and destructed is shared with the Contact Person.

If there is an obligation to process and store due to legal obligation, the Contact Person is informed that his request could not be fulfilled because the legal obligation, which is the basis for personal data processing, has not disappeared.

1. REQUEST FOR NOTIFICATION OF CORRECTION / DELETION / DESTRUCTION REQUESTS REGARDING THE PROCESSED PERSONAL DATA TO THE DATA TRANSMITTED PARTIES

In line with the request of the person concerned specified in the 11/1 of the Law and in clause (f) of article 5 of this Policy, The categories of people whose data are transferred from the Personal Data Inventory are determined.

If the person's request for correction / deletion or destruction has been fulfilled, the parties whose data are transferred are asked to carry out the same transactions and to confirm in writing that the request has been fulfilled.

Information about the request of the person's correction / deletion or destruction has been fulfilled by the third parties to whom the personal data is transferred is sent to the Contact Person by e-mail.

1. OBJECTING TO THE EMERGENCE OF A RESULT AGAINST THE PERSON HIMSELF/HERSELF   

In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (g) of article 5 of this Policy, the process alleged to have a result against the data subject is examined.

If it is determined that there is no deficiency and error in the personal data processed in the process or during the process, it is informed to the Contact Person in this direction.

If any deficiencies or errors are detected in the process or in the personal data processed during the process, the information that the change made has been in favor of the person and the systems have been updated in this way is sent to the Contact Person via e-mail.

1. REQUEST TO ELIMINATE THE LOSS, IN CASE THE PERSONAL DATA IS DAMAGED DUE TO UNLAWFUL PROCESSING OF PERSONAL DATA

 

In accordance with the request of the relevant person specified in the 11/1 of the Law and in the clause (ğ) article 5 of this Policy, the loss request is examined with the participation of the Legal Advisor and the relevant departments. The action to be taken as a result of the examination and the response to the application are determined and processed through Legal Counseling.

Elimination of the damage caused by the person concerned due to the processing of personal data in violation of the Law is carried out with the approval of the Senior Management (Board of Directors / General Coordinator).

1. RESPONDING APPLICATON

Data Owner requests must be evaluated and finalized by the Company as soon as possible and within 30 days at the latest.

Examination of the applications submitted to the relevant departments should be finalized within 1 week from the date of receipt and notified to the Contact Person.

The Contact Person sends the information and documents related to the application to the Legal Advisor in order to examine the answers and actions taken from the relevant departments in terms of compliance with the legal order and the Law.

The letter prepared by the legal advisor according to the approval of the law and the result of the examination in response to the application is sent to the data owner by the Contact Person within thirty (30) days at the latest. The reply letter should include at least the following information;

1. Information about the company or its representative,
2. The applicant’s name and surname, for the citizens of the Republic of Turkey T. C. identity number, nationality for foreigners, passport number or identity number, if any, place of residence or workplace based on notification, e-mail address based on notification, telephone and fax number,
3. Request subject
4. Company's explanations regarding the application

Personal data of third parties may not be included in the responses to the application. In cases where the application cannot be responded without including the personal data belonging to third parties, the information of the third party is concealed / anonymized or shared by the relevant person.

The responses given to the applications made through the notary public are printed on the company letterhead and signed in two copies by the signatory authorities of the Company. The reply letter is recorded in the Document Registry and given to the correspondent to be sent to the applicant by mail.

The responses given by electronic signature are signed by the signature officers of the Company with electronic signature using a secure electronic signature. The reply is sent to the applicant's electronic mail account.

All the records, examination results, inquiries, correspondence, legal opinions and responses regarding the relevant application, written in the electronic directory created by the Contact Person, are stored in the archive.

1. FEE

The company concludes the requests in the application free of charge. However, if the transaction requires additional cost, the following tariff determined by the Board with the approval of the senior management may be applied:

• If the application of the person concerned is to be responded in writing, there is no fee for up to ten pages. 1 Turkish Lira transaction fee may be charged for each page above ten pages.
• If the response to the application is given in a recording medium such as CD, flash memory, the fee that can be requested by the Company cannot exceed the cost of the recording medium.

In case the application is caused by the Company's fault, the fee collected is returned to the relevant person.

Some rights are granted to owners of personal data pursuant to the Law and in accordance with the 11^th Clause of Personal Data Protection Law numbered 6698 (the Law). In order to exercise your rights within the scope of the Law, please submit your requests to the Company, which is your data supervisor, to the following addresses by filling out this application form clearly and fully pursuant to first subparagraph of the 13^th clause of Law:

• A copy which bears the wet signature to "BARBAROS MAHALLESİ SERİK CAD. E Apt. NO: 305 E/1 AKSU ANTALYA" in person by hand or through public notary.
• By sending the form that bears the secure electronic signature to  [email protected]. via registered electronic mail after the form is signed by means of ‘‘secure electronic signature’’ within the scope of Electronic Signature Act numbered 5070.

We will reply your application as promptly as practicable or within 30 days at the latest. In the case that the information and documents you submitted to us are incomplete or incomprehensible, we will get in contact with you in order to clarify your application.

 

1. INFORMATION OF THE DATA OWNER

Name-Surname
Republic of Turkey Identity Number (For the citizens of Republic of Turkey)
Nationality and passport/Identity Number (For foreigners)
Phone Number
Residential Address/Workplace Address
E-mail Address

1. YOUR RELATIONSHIP WITH OUR COMPANY (Please specify your relationship with our Company such as customer, business partner, employee candidate, former employee, employee of the third party company and shareholder).

☐ Customer ☐ Visitor	☐ Business Partner  ☐ Employee
☐ Other (please specify)

 

1. CONTENT OF THE APPLICATION (Please specify your demand within the scope of the Law and your personal data regarding the application in detail. Please attach the relevant information and documents to your application.)

 

1. STATEMENT OF THE APPLICANT 

In accordance with the requests I specified above, I kindly request my application that I submitted to your company to be evaluated within the scope of 13^th clause of the Law and to be informed in this regard. I hereby declare and undertake that the information and document which I provided to you through this application and your Company may demand additional information in order to complete my application and that I have been informed about the fact that I may be required to pay the amount determined by the Board in case any additional cost arises.

Notification Method of the Application Response (Please select one of the following)

 

☐ I want it to be sent to the address that I stated via mail.

☐ I want it to be sent to my e-mail address that I stated.

 

Applicant/Owner of Personal Data   

 

Name and Surname  : 

Application Date  : 

Signature    :