PERSONAL DATA PROCESSING AND SECURITY POLICY

1.1 PURPOSE

The protection of personal data is among the top priorities of ÜNLEM BİLİŞİM TEKNOLOJİ ANONİM ŞİRKETİ (“Company”), which makes every effort to comply with all applicable legislation in this regard. The Personal Data Protection Law No. 6698 (“Law”) classifies any information relating to an identified or identifiable natural person as “Personal Data” and imposes obligations on data controllers regarding the processing standards for such data and its protection.

This ÜNLEM BİLİŞİM TEKNOLOJİ ANONİM ŞİRKETİ Personal Data Processing and Security Policy (‘Policy’) sets out the principles adopted in the execution of Personal Data processing activities carried out by our company and the minimum data security measures to be taken by the Company during Personal Data processing activities.

1.2 SCOPE

This Policy relates to Personal Data belonging to identified or identifiable natural persons as defined by the Law, which is processed within the company by automated means or by non-automated means as part of a data recording system.

MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA

General Principles to be Observed During the Processing of Personal Data

Our company processes Personal Data in accordance with the procedures and principles stipulated in the Law and other relevant legislation. Accordingly, our company acts in accordance with the principles listed below (‘General Principles’) when processing Personal Data.

Our company processes Personal Data:

  • In accordance with the law and rules of good faith,
  • Accurately and, where necessary, in an up-to-date manner,
  • For specific, clear and legitimate purposes,
  • In a manner that is relevant, limited and proportionate to the purpose for which it is processed,

Conditions for Processing Personal Data

The law stipulates conditions for processing personal data due to the potential harm caused to individuals when such data is processed unlawfully. Personal Data is processed by our company in accordance with the principles set out in this Policy and by taking all necessary administrative and technical measures, including the minimum security measures determined or to be determined by the Personal Data Protection Board (‘Board’), and provided that at least one of the following conditions is met.

  • Where the explicit consent of the Data Subject is present,

Personal Data may be processed without the explicit consent of the Data Subject in the following circumstances:

  • It is expressly provided for by law.
  • It is necessary to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or of another person.
  • It is necessary for the establishment or performance of a contract, provided that it is directly related to the contract and the processing of personal data belonging to the parties to the contract is necessary.
  • It is necessary for the data controller to fulfil its legal obligations.
  • It has been made public by the data subject.
  • It is necessary for the establishment, exercise or protection of a right.
  • It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

MATTERS RELATING TO THE TRANSFER OF PERSONAL DATA

Our company may transfer Personal Data to third parties (‘Third Parties’) in accordance with the lawful purposes of Personal Data processing, taking the necessary security measures. In this regard, our company acts in accordance with the provisions set forth in Articles 8 and 9 of the Law. If the relevant person has given their explicit consent, our company may transfer Personal Data in line with the purposes of data processing and in accordance with the General Principles, taking the necessary security measures, including the methods prescribed by the Board.

Personal data may be transferred to Third Parties without the explicit consent of the Data Subject if the following conditions are met:

  • Special Category Personal Data other than data relating to the health and sex life of the Data Subject may be transferred in the cases stipulated by law.
  • Special Category Personal Data relating to the health and sex life of the Data Subject may only be transferred by persons or authorised institutions and organisations bound by confidentiality obligations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
  • In the cases specified in Article 2.2 of this policy.

INFORMING RELEVANT PERSONS WHEN PERSONAL DATA IS COLLECTED

Pursuant to Article 10 of the Law, data controllers or their authorised representatives must inform data subjects when personal data is collected. In fulfilling its obligation to inform data subjects, our company informs them of at least the following matters:

  • The identity of the data controller and, if applicable, their representative,
  • The purpose for which the personal data will be processed,
  • To whom and for what purpose the personal data may be transferred,
  • The method and legal basis for collecting personal data,
  • The rights granted to data subjects as listed in Article 11 of the Law and how these rights may be exercised.

Except in cases where alternative methods and techniques are adopted, the company fulfils its obligation to provide information by presenting information texts to the relevant persons in physical or electronic form in a manner that can be proven afterwards. Company employees involved in the processing of personal data must ensure that the relevant individuals are provided with the necessary information texts and informed prior to the collection of personal data.

STORAGE AND DESTRUCTION OF PERSONAL DATA

In accordance with the obligation to erase, destroy or anonymise personal data as stipulated in Article 7 of the Law, all personal data processed by our company in compliance with the provisions of the Law and other legislation shall be erased, destroyed or anonymised, upon the decision of our company or at the request of the Data Subject, if the reasons for processing such data no longer exist. Detailed information regarding the storage and destruction of personal data can be found in the ÜNLEM BİLİŞİM TEKNOLOJİ ANONİM ŞİRKETİ PERSONAL DATA STORAGE AND DESTRUCTION PROCEDURE, which is accessible via Confluence.

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

Our company takes all necessary measures, within its means and according to the nature of the data to be protected, to prevent the unlawful disclosure, access, transfer or other security breaches of Personal Data. In this context, our company takes all necessary administrative and technical measures; the relevant measures are reviewed and updated in accordance with the current Board decisions, and in the event of disclosure of personal data by unlawful means, action is taken in accordance with the measures envisaged by the Law. The data security measures mentioned in this section are the minimum measures to be taken by the company during the processing of Personal Data.

ADMINISTRATIVE MEASURES TAKEN BY OUR COMPANY TO ENSURE THE LAWFUL PROCESSING OF PERSONAL DATA AND TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA

  • Risks that may arise in relation to Personal Data within our company have been identified and the necessary measures to be taken against them have been determined.
  • Our company trains its employees on the processing and protection of Personal Data, ensures they are aware of these issues, and conducts awareness campaigns for them.
  • An Employee Confidentiality Agreement is signed with employees who have access to Personal Data in order to ensure the security of this data.
  • The scope and duration of employees' access to Personal Data is limited.
  • Authorisation checks are carried out periodically.
  • Access rights of employees who change roles or leave the company are revoked immediately. In this context, any company equipment (inventory) assigned to them is recovered.

TECHNICAL MEASURES TAKEN BY OUR COMPANY TO ENSURE THE LAWFUL PROCESSING OF PERSONAL DATA AND TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA

If the environments where Personal Data is processed, stored and/or accessed are electronic environments:

  • Our company applies an authorisation matrix when accessing Personal Data.
  • Authorisation checks are performed on employees who access Personal Data.
  • Logs of all actions performed on Personal Data are securely recorded.
  • Security updates for environments containing Personal Data are continuously monitored, necessary security tests are regularly performed/commissioned, and test results are recorded.
  • If Personal Data is accessed via software, user authorisations for this software are implemented, necessary security tests are regularly performed/commissioned, and test results are recorded.
  • If remote access to Personal Data is required, at least two-factor (two-step) authentication is enforced.

If the environments where Data is processed, stored and/or accessed are physical environments:

  • It is ensured that adequate security measures (against electrical leakage, fire, flooding, theft, etc.) are taken according to the nature of the environment where Personal Data is located.
  • The physical security of these environments is ensured and unauthorised entry and exit is prevented.

MEASURES TAKEN BY OUR COMPANY TO ENSURE THE LAWFUL TRANSFER OF PERSONAL DATA

  • If it is necessary to transfer Personal Data via email, our company transfers it using a corporate email address or a Registered Electronic Mail (KEP) account.
  • If transfer via portable storage media (USB flash drives, CDs, DVDs, etc.) is necessary, the data is encrypted.
  • If transfer between servers in different physical environments is necessary, the data is transferred between the servers using SFTP.
  • If personal data needs to be transferred via paper media, necessary precautions are taken against risks such as theft, loss, or unauthorised viewing of the documents.

MEASURES TO BE TAKEN IN THE EVENT OF UNLAWFUL DISCLOSURE OF PERSONAL DATA

Within the scope of the personal data processing activities carried out by our company, if Personal Data is obtained unlawfully by unauthorised persons, the situation will be reported to the Board within 72 (seventy-two) hours at the latest, in accordance with the Board's decision dated 24 January 2019 and numbered 2019/10, and the relevant persons affected by the breach will be informed as soon as possible.