Policy on Protection, Processing, Retention and Destruction of Personal Data

INDIGO GROUP TOURISM AND TRADING INC.

POLICY ON PROTECTION, PROCESSING, RETENTION AND DESTRUCTION OF PERSONAL DATA 

1. INTRODUCTION 

1.1. Purpose and Scope of the Policy 

This Policy on Processing and Protection of Personal (“Policy”) aims to ensure compliance of İNDİGO GRUP TURİZM VE TİCARET ANONİM ŞİRKETİ (INDIGO TOURISM AND TRADING INC.) (“Company”) with the Law on Protection of Personal Data No. 6698, European Union General Data Protection Regulation and secondary regulations, and to determine the principles to be followed by the Company in fulfilling its obligations regarding the protection and processing of personal data. The policy determines the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this framework, the Policy covers all personal data processing activities covered by the Law, the owners of all personal data processed by the Company and all personal data processed by the Company. 

1.2. Effectiveness and Amendment 

The policy was published on the website by the Company and made public. If there is a conflict between the current legislation, especially the Law, and the regulations in this Policy, the provisions of the legislation shall apply. The company reserves the right to make changes in the Policy in line with the legal regulations.

2. DATA SUBJECT, DATA PROCESSING OBJECTIVES, AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING BY DATA CONTROLLER 

2.1. Data Subjects 

Data subjects under this policy shall be all natural persons whose personal data are being processed by the Company. In this context, the categories of data subjects are as follows: 

Customer: Refers to the real people who benefit from the products and services offered by the Company. 

Prospective Customer: Refers to the real people who have the potential to turn into customers, indicating the interest of using the products and services offered by the Company. 

Visitor: Refers to the real persons visiting company headquarters, hotel, campus, and website. 

Employee Candidate: Refers to the real persons who apply for a job by sending a CV to the Company or other means. 

Employee: Refers to the real persons who are working in the Company. 

Suppliers: Refers to the parties providing services for the Company to continue its commercial activities in accordance with the instructions received from the Company and based on the contract concluded with the Company 

Business Partner: Refers to the parties with which the Company has established a business partnership while carrying out its commercial activities 

Shareholders: Refers to the Company partners 

Third Parties: Refers to real persons, except for the categories of data subjects listed above.

Data subject categories are specified for general information sharing purposes. The fact that the data subject does not fall under any of these categories shall not eliminate the quality of the data subject as specified in the Law.

2.2. Personal Data Processing Purposes 

Your personal data and sensitive personal data can be processed by the Company in accordance with the personal data processing conditions specified in the Law and relevant legislation for the following purposes: 

  • Establishing, executing and developing Human Resources operations and activities 
  • Establishing, coordinating, developing and executing the Company-specific commercial activities, planning and executing the activities for business development and commercial activities 
  • Ensuring the legal, technical and commercial-occupational safety of the Company and the relevant persons who have a business relationship with the Company and carrying out activities for the fulfillment of obligations 
  • Planning, executing and managing corporate relations 
  • Establishing and executing the demand and complaint management and aftersales processes 
  • Customizing the products and services according to the individuals, especially the design and execution of activities for profiling, promotion and marketing;
  • Assessment of your wishes, complaints and suggestions, and communication,
  • Execution of contracts concluded with customers, executing, planning and managing the customer relations,
  • Planning and executing the activities for the development, monitoring and control of commercial affairs, studies and operations,
  • Planning, monitoring and executing the activities related to finance and accounting,
  • Realization, planning and execution of activities/developments and analyzes for accessing systems,
  • Planning and execution of Information Technologies and data security activities,
  • Performing activities related to control, data management, analysis, social activity, process development, and similar activities and relevant reporting, • Planning and execution of the works regarding the physical / electronic security of the Company,
  • Planning and execution of actions and brand management activities to increase the level of perception about the brand,
  • Planning and execution of customer oriented advertising, sales and marketing operations,
  • Development of products and services by analyzing the usage habits and trends of customers,
  • Performing transactions related to payments to be made within the scope of employees' contracts,
  • Performing operation, research, analysis, reporting activities for entering into a contractual relationship or renewing contract with customers,
  • Execution and follow-up of pre-contractual and post-contractual relations, aftersales services and fulfillment of obligations arising out of contractual relations,
  • Management, development, planning and execution of relations with the supplier / dealer / business partner,
  • Production and / or planning and execution of operational processes,
  • Planning and / or execution of business continuity activities,
  • Execution of strategic planning activities (all together "Purposes").

2.3. Personal Data Categories 

Your personal data, categorized below by the Company, shall be processed in accordance with the personal data processing conditions specified in the Law and related legislation: 

PERSONAL DATA CATEGORIZATION STATEMENT 

Identity Information: All information regarding the identity of the person covered in the documents such as driver's license, identity card, residence paper, passport, attorney ID, marriage certificate 

Contact Information: Information for contacting the data subject, such as phone number, address, e-mail 

Information on Family Members and Relatives: Information on the products and services we are offering or about the family members and relatives of the personal data subject processed to protect the legal interests of the Company and the data subject 

Customer Transaction Information: Information on the use of our products and services, as well as information and instructions required by the customer to use the products and services 

Physical Space Security Information: Records such as video camera footage recordings, telephone calls, voice recordings and personal data related to documents taken during the entrance to the physical space and during the stay in the physical space 

Transaction Security Information: Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities 

Financial Information: The personal data processed regarding the information, documents and records indicating all kinds of financial outcomes created according to the type of legal relationship established by our company with the personal data subject 

Legal Action and Compliance Information: Personal data processed within the scope of determination and follow-up of legal receivables and rights, performance of our debts and compliance with our legal obligations and our company's policies 

Personnel Information: Payroll information, Disciplinary investigation, Employment document records, declaration of property, Background information, Performance evaluation reports etc. 

Professional Experience Information: Diploma information, Courses attended, Vocational training information, Certificates, Transcript information etc. 

Marketing Information: Shopping history information, Surveys, Cookie Records, Information obtained through campaign works etc. 

Visual and Audio Recordings: Video and audio recordings.

Sensitive Personal Data: Information about security measures with biometric and genetic data of people with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction. 

Other Information: Personal data regarding the receipt and assessment of any requests or complaints directed to our Company, information and records about the requests made by the person regarding the products and services, satisfaction surveys conducted with the person to be used for marketing, personal hobbies to be used for marketing, personal habits to be used for marketing, reports and evaluations showing personal tastes to be used for marketing, information and evaluations obtained as a result of campaign works for marketing purposes, information and records collected on the person's complaints about products and services, information on the special days. 

3. PRINCIPLES AND CONDITIONS RELATING TO PROCESSING PERSONAL DATA 

3.1. Principles Relating to Processing Personal Data 

Your personal data shall be processed by the company in accordance with the personal data processing principles set out in Article 4 of the Law. It is mandatory to comply with these principles in terms of each personal data processing activity:

  • Processing of personal data in accordance with law and integrity rules; the Company shall act in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attach importance to processing personal data limited to the purpose of processing and to take into account reasonable expectations of data subjects.
  • Having accurate and up-to-date personal data; the Company shall pay attention to whether your personal data processed by it is up-to-date and to perform actuality checks on the data. Data subjects shall be entitled to request correction or deletion of their correct and outdated data.
  • Processing personal data for specific, clear and legitimate purposes; the Company shall determine the purposes of data processing prior to each personal data processing activity and ensure that these objectives are not illegal.
  • Personal data should be linked, limited and measured for the purpose for which it is processed; the data processing activity shall be limited by the company to the personal data required to achieve the purpose of collecting and necessary steps shall be taken to prevent the processing of personal data not related to this purpose.
  • Retention of personal data for as long as required by legislation or processing purposes; Personal data shall be deleted, destroyed or anonymized after the purpose of personal data processing by the Company or after the period stipulated in the legislation expires. 

3.2. Conditions Relating to Processing Personal Data

Your personal data shall be processed by the Company in the presence of at least one of the personal data processing conditions stipulated in Article 5 of the Law. Explanations regarding these conditions are given below: 

  • In cases where the personal data subject has granted explicit consent and other data processing conditions do not exist, the personal data of the subject can be processed by the Company through data subject's free will and by giving approval with sufficient knowledge about the personal data processing activity only limited to that transaction without leaving any hesitation in accordance with the general principles set out under heading 3.1.
  • Personal data may be processed by the Company without the express consent of the data subject if the personal data processing activity is clearly prescribed by law. In such case, the Company will process personal data within the framework of the relevant legal regulation.
  • In the event that the explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory, personal data belonging to the data subject, who is unable to disclose or validate his/her consent, will be processed by the Company if personal data processing is necessary to protect the life or bodily integrity of the data subject or a third party.
  • If the personal data processing activity is directly related to drawing up or performing of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties of the contract already drawn up or currently signed between the data subject and the Company.
  • In the event that it is mandatory to carry out personal data processing activities with the aim of fulfilling the legal duty, the data controller shall process the personal data in order to fulfill the legal obligations stipulated under the current legislation.
  • The fact that the data subject has publicized his/her personal data, and the personal data which has been publicized in any way by the data subject and made public for everyone after being publicized can be processed by the Company, even if the data subject does not have explicit consent of the data, limited to the purpose of publicizing the data.
  • In the event that personal data processing is mandatory for the establishment, exercising or protection of a right, the Company will be able to process the personal data of the data subject without obtaining the explicit consent.
  • In the event that data processing is mandatory for the legitimate interests of the data controller, personal data may be processed by the Company, provided that the balance of interest is observed for the data subject and that the data subject's legitimate rights and freedoms are not harmed. In this context, the Company shall primarily determine the legitimate interest to be obtained as a result of the processing activity in the processing of the data based on the legitimate interest. The Company shall evaluate the possible impact of the personal data processing on the rights and freedoms of the data subject and, if it is of the opinion that the balance is not disturbed, the processing shall be performed. 

3.3. Conditions Relating to Processing Sensitive Personal Data 

Sensitive personal data are specified in a limited number in the Article 6 of the Law. These data are as follows: information about security measures with biometric and genetic data of people with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction. The Company can process sensitive personal data by providing additional measures determined by the Personal Data Protection Board in the following cases: 

Processing of sensitive personal data other than health and sexual life can be processed if the data subject gives explicit consent or when it is clearly prescribed by law. • The personal data relating to health and sexual life can be processed by the authorized institutions and organizations and the persons under the obligation of keeping secret for planning and managing the financing planning and healthcare services and executing protective medicine, medical diagnosis, treatment and care services and protecting public health without explicit consent of the data subject.

4. PERSONAL DATA TRANSFER

The Company can transfer personal data at home or abroad in case there are conditions for the transfer of personal data in accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board.

The transfer of your personal data to third parties inside the country shall be performed by the Company, provided that at least one of the data processing conditions set out in Articles 5 and 6 of the Law and described under Heading 3 of this Policy exists and that the data processing conditions comply with the basic principles. 

In the absence of the person's explicit consent, the transfer of personal data to third parties outside the country shall be performed by the Company, provided that at least one of the data processing conditions set out in Articles 5 and 6 of the Law and described under Heading 3 of this Policy exists and that the data processing conditions comply with the basic principles. In the event that the country where the data is to be transferred is not a safe country as declared by the Personal Data Protection Board, personal data can be transferred to third parties abroad if the Company and data controller of the concerned country undertakes adequate protection in writing, and if at least one of the data processing conditions in Articles 5 and 6 of the Law (see 3rd Heading of the Policy) exists upon the permission of Personal Data Protection Board. 

In accordance with the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company can transfer data to the categorized parties in the table below:

SHARED PARTY CATEGORIZATION

SCOPE TRANSFER PURPOSE
Business Partner The parties with which the Company has established a business partnership while carrying out its commercial activities Business Partner: Limited sharing of personal data in order to ensure the fulfillment of the business partnership's objectives
Shareholders Company partners Limited personal data sharing in order to ensure that shareholders have the right to receive information during the performance of the Company's commercial activities
Supplier The parties providing services for the Company to continue its commercial activities in accordance with the instructions received from the Company and based on the contract concluded with the Company Limited transfer by procuring outsourced services from the supplier
Legally Authorized Public Authority Public institutions and organizations legally authorized to receive information and documents from the Company Limited personal data sharing of relevant public institutions and organizations with the aim of requesting information
Legally Authorized Private Institution

Private law officers who are legally authorized to receive information and documents from the Company

Limited sharing of data for the purpose requested by the relevant private law officers within their legal authority 

 

5. CLARIFICATION OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS

According to Article 10 of the Law, data subjects must be informed about the processing of personal data before processing the data or during the processing operation at the latest. In accordance with the relevant article, the necessary structure has been established within the company's organization in order to ensure that the data subjects are clarified in every situation where the personal data processing activity is carried out by the Company with the capacity of data controller. 

In this context;

  • For the purpose of processing your personal data, please refer to the Section 2. 2. of the Policy. 
  • For the parties to whom your personal data is transferred and for the purpose of transfer, please refer to the Section 4 of the Policy. 
  • To review the conditions for processing your personal data, which can be collected through different channels in physical or electronic media, please refer to the Sections 3.2 and 3.3 of the Policy.
  • We would like to state that you have the following rights in accordance with Article 11 of the Law as the data subject:
  • – To find out whether your personal data has been processed,
  • – If your personal data has been processed, to request information about it,
  • – To find out the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • – To know the third parties to whom your personal data is transferred inside or outside the country
  • – To request the correction of your personal data if it is incomplete or incorrectly processed and to request the notification of the transaction performed within this scope to the third parties to whom your personal data is transferred,
  • – To request the deletion or destruction of personal data in case the reasons requiring its processing have disappeared and to ask the third parties to whom your personal data has been transferred in this context despite being processed in accordance with the law and other relevant provisions of the Law,
  • – To object the emergence of a result against you upon analyzing exclusively through automated systems and
  • – To request the elimination of the damage in case you suffer damage due to illegal processing of the data. Your requests regarding the rights mentioned above can be forwarded to our Company by using the Data Subject Application Form on the internet address www.indigo.com.tr; by sending an e-mail to our registered mail address [email protected] upon writing "Personal Data Protection Law Information Request" in the subject part of the e-mail after signing with a 'secure electronic signature' within the scope of the Electronic Signature Law No. 5070, or you can send your request form personally, by mail, or by a notary channel, by writing "Information Request under the Law on Protection of Personal Data" on the envelope / notification with a wet signature to the address of "Yukarı Mah. Eski Göreme Cad. No. 33 Uçhisar, 50240 Nevşehir." Depending on the nature of your request, your applications will be concluded free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be requested with a charge according to the tariff to be determined by the Personal Data Protection Board. 

During the evaluation of the applications made, the company shall firstly determine whether the person making the claim is the actual right-holder. However, the Company may request detailed and additional information in order to better understand the demand when it deems necessary. Replies to data subject applications shall be notified to the data subjects in writing or electronically. If the application is rejected, the reasons for rejection will be explained to the data subject by stating the grounds. In case personal data are not obtained directly from the data subject; activities to make clarification for the data subjects shall be carried out by the Company at the latest when transferring personal data for the first time (1) within a reasonable time from the acquisition of personal data, (2) during the initial communication, if the personal data are to be used for communication with the data subject, (3) if the personal data are to be transferred. 

6. DELETING, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 

Although it has been processed in accordance with the law pursuant to Article 7 of the Law, the Company shall delete, destroy, or anonymize the personal data in accordance with the guidelines published by the Authority in the event that the reasons requiring the processing of data have disappeared or upon the request of the data subject.

7.3. Retention Times

DATA SUBJECT

DATA CATEGORY

DATA RETENTION PERIOD
Employee

Personal data on recruitment documents and service period and wage notifications made to the Social Security Institution

The data shall be retained for 50 (fifty) years at the continuation and also expiry of the service contract.
Employee Personnel data excluding the personal data of the recruitment documents and service period and wage notifications made to the Social Security Institution The data shall be retained for 10 (ten) years at the continuation of the service contract and from the beginning of the calendar year following the expiry of the service contract.
Employee Data in Workplace Personal Health Files The data shall be retained for 30 (thirty) years at the continuation and also expiry of the service contract.
Employee

Video camera footage, video camera voice recordings, voice recordings taken during phone calls

The data shall be retained for 2 years.
Business Partner / Solution Partner / Consultant Identity information, contact information, financial information, business partner / Solution Partner / Consultant employee data regarding the performance of the business relationship between the Partner / Solution Partner / Consultant and the Company The data shall be retained for 10 years during the business / commercial relationship with the Company and Business Partner / Solution Partner / Consultant and from the expiry of business / commercial relation in accordance with the Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code.
Business Partner / Solution Partner / Consultant

Video camera footage, video camera voice recordings, voice recordings taken during phone calls

The data shall be retained for 2 years.
Visitor Name, surname, T.R. ID No., Passport No., car license plate of the visitor taken at the entrance to the company's premises and video camera footage recordings, sound recordings taken during phone calls The data shall be retained for 2 years.
Employee Candidate

Information on the Candidate's CV and job application form

The data shall be retained for up to 2 years, until the resume is outdated.
Employee Candidate

Video camera footage, video camera voice recordings, voice recordings taken during phone calls

The data shall be retained for 2 years.

Intern (student) Information contained in the internship file of the student

The data shall be retained for 10 (ten) years at the continuation of the internship and from the beginning of the calendar year following the expiry of the internship.

Intern (student) Video camera footage, video camera voice recordings, voice recordings taken during phone calls The data shall be retained for 2 years.
Customer Customer name, surname, T.R. ID number, contact information, payment information and methods, Mac address information, access IP Information and data originating from Law No. 5651, information on the special days and health data other than the camera images, camera sound recordings, voice recordings collected during phone calls.

The data shall be retained for 10 years from the delivery of each product / service purchased by the customer in accordance with Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code.

Customer Video camera footage, video camera voice recordings, voice recordings taken during phone calls The data shall be retained for 2 years.

Prospective Customer

Identity information, contact information, financial information, voice records taken during telephone calls regarding the establishment of a commercial relationship between the Prospective Customer and the Company

The data shall be retained for 2 years.

Cooperated Institutions / Firms (Supplier)

Identity information, contact information, financial information about the execution of the commercial relationship between the Cooperated Institutions / Firms and Data of the Cooperated Institution / Firm Employees The data shall be retained for 10 years during the business / commercial relationship between Cooperated Institutions / Firms and the Company and from the expiry of such relationships in accordance with Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code.
Cooperated Institutions / Firms (Supplier)

Video camera footage, video camera voice recordings, voice recordings taken during phone calls

The data shall be retained for 2 years.

* If a longer period has been arranged in accordance with the legislation, or if a longer period of time has been envisaged for the timeout, lapse of time, retention periods in accordance with the legislation the periods specified in the provisions of the legislation shall be considered as the maximum retention period.

7.4. Duration of Data Destruction

The Company shall delete, destroy and anonymize the personal data no later than 6 months after the date on which the obligation to delete, destroy or anonymize the personal data that the Company is responsible for in accordance with the Law, relevant legislation, the Processing and Protection of Personal Data Policy and this Personal Data Retention and Disposal Policy.

When the person concerned requests the deletion or destruction of his/her personal data by applying to the Company pursuant to Article 13 of the Law;

7.4.1. If all the conditions for processing personal data have disappeared; the Company shall delete, destroy or anonymize the personal data subject to the request with an appropriate method of destruction within 30 (thirty) days from the date of receipt of the request. The person concerned must have made the request in accordance with the Policy on Processing and Protection of Personal Data so that the Company is deemed to have received the request. The Company shall inform the person concerned about the transaction in any case. 

7.4.2. If all the conditions for processing personal data have not disappeared, this request may be rejected by the Company, in accordance with the third paragraph of Article 13 of the Law by explaining the grounds for rejection and the response shall be notified to the concerned person in writing or electronically within thirty days at the latest.

7.5. PERIODIC DESTRUCTION

In the event that all the conditions for the processing of personal data in the Law have disappeared; the Company shall delete, destroy or anonymize the personal data whose processing conditions have disappeared in a process that is specified in this Personal Data Retention and Disposal Policy and will be carried out ex officio at regular intervals.

Periodic destruction processes shall be repeated every 6 (six) months.

7.6. CONTROL OVER COMPLIANCE WITH THE LAW FOR DATA DESTRUCTION PROCESS

The Company shall carry out the destruction operations that are executed both on demand and ex officio at regular intervals in accordance with the Law, other legislation, the Policy on Processing and Protection of Personal Data and this Personal Data Retention and Destruction Policy.

The company shall take some administrative and technical measures in order to ensure that its disposal procedure is carried out in accordance with these regulations.

6.4.1. Technical Measures

  • The Company shall maintain technical tools and equipment suitable for each method of destruction in this policy.
  • The Company shall ensure the security of the place where the destruction procedures are executed.
  • The Company shall keep records of destruction procedures.
  • The Company shall employ competent and experienced staff to execute the destruction procedures, or procure services from competent third parties when necessary.

6.4.2. Administrative Measures

  • The Company shall work in order to expand and raise awareness among its employees on information security, personal data and privacy,
  • The company has received legal and technical consultancy services with the aim of following developments in the field of Information security, right to privacy, personal data protection and secure destruction techniques and taking necessary actions,
  • In cases where destruction procedures have been executed to third parties due to technical or legal requirements, the Company shall conclude protocols with the third parties in order to protect personal data, and take all necessary care with the aim of ensuring that the third parties comply with their obligations in these protocols,
  • The Company shall regularly control whether the destruction procedures are carried out in accordance with the law and the conditions and obligations specified in this Personal Data Retention and Destruction Policy, and take the necessary actions,
  • The Company shall record all transactions regarding the deletion, destruction and anonymization of personal data and retain these records for at least three years, excluding other legal obligations on these matters.

DATA SECURITY MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

The following technical and administrative measures are taken by our Company within the scope of protecting both printed and digital documents;

Administrative Measures; Disciplinary regulations including data security provisions are in force for employees. Training and awareness studies are carried out at certain intervals on data security for employees. An authority matrix has been created for employees. Corporate policies on access, information security, usage, retention and disposal have been prepared and implemented. Letters of undertaking are prepared on the confidentiality. Employees who have been subject to change of duty or left jobs are revoked regarding their previous duties. The signed contracts contain the provisions on data security. Additional security measures are taken for personal data transmitted via paper and the relevant documents are transferred in the form of a confidential document. Personal data security policies and procedures have been identified. Personal data security issues are reported quickly. Necessary security precautions are taken for entering and exiting physical environments containing personal data. Physical environments containing personal data are protected against external risks (fire, flood etc.). Security of environments containing personal data is ensured. Personal data is reduced as much as possible. Periodic and / or random audits are carried out within the organization. Existing risks and threats have been identified. Protocols and procedures for specially qualified personal data security have been determined and implemented.

Technical Measures; Network security and application security are ensured. Closed system network is utilized for personal data transfer via the network. Security measures are taken within the scope of supply, development and maintenance of information technology systems. Access logs are maintained regularly. When necessary, data masking measures are applied. Up-to-date anti-virus systems are used. Firewalls are implemented. Personal data security is monitored. Personal data is backed up and the security of the backed-up personal data is also ensured. User account management and authority control system are implemented and these are also followed up. Log records are maintained in such a way that there is no user intervention. Intrusion detection and prevention systems are used. Penetration test is applied. Cyber security measures have been taken and implementation of such measures is constantly monitored. Sensitive personal data that are transferred in the memory, CD, DVD media are transferred by encrypting the data. Sensitive personal data that are transferred in the memory, CD, DVD media are transferred by encrypting the data. Data loss prevention software is used.

8. RESTRICTIONS ON SCOPE AND IMPLEMENTATION OF THE LAW 

The following situations are not covered by the Law: 

– Provided that Personal data is not provided to the third parties and the obligations relating to data security are adhered to, processing the same within the scope of the operations related to the family individuals living with fully itself or living in the same housing by the real persons. – Processing the personal data for the purposes of investigation, planning and statistics by anonymizing with official statistics. – Processing personal data within the context of artistic, historical, literary or scientific purposes or freedom of speech provided that the personal data does not breach the natural defense, national security, public security, public order, economic security and confidentiality of private life or personal rights, and does not constitute a crime. – Processing the personal data within the scope of preventive, protective and intelligence operations executed by state institutions and organizations so authorized by the law to ensure national defense, national security, public safety, public order or economic security. – Processing the personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation or execution procedures. 

There is no need for clarification to be made by the Company to the data subjects in the cases listed below, and the data subjects shall not be able to exercise their rights specified in the Law, except for their right to remedy their losses: 

– Processing personal data being required for prevention of committing an illegal act or criminal investigation. – Processing personal data publicized by the person concerned. – Processing personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized state institutions and organizations and professional public organizations by the power granted by the law. –Processing personal data being required for protecting economic and financial interest of the State in relation to the budget, tax and financial matters. 

APPLICATION FORM FOR PROCESSING PERSONAL DATA