Policy on The Protection and Processing of Personal Data

SECTION 2: CLASSIFICATION OF PERSONAL DATA

Personal Data

Personal data as a term include all kinds of information on an identified or identifiable natural person. In this Policy, personal data as a term shall also include sensitive personal data in line with the applicable legislation thereof.

Sensitive Personal Data

Sensitive personal data consist of a natural person's racial or ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, physical appearance and attire, association, foundation, or trade union membership, data concerning health, data concerning sex life or sexual orientation, criminal conviction, data concerning security measures as well as biometric data and genetic data of such natural persons.

SECTION 3: DATA SUBJECT GROUPS AND DATA CATEGORIES

Personal Data Categorization

Personal data in the following categories are processed by the Company by providing information to the data subjects as per article 10 of the Law thereof. This section includes information about which personal data are processed under such categories in relation to the data subject groups as defined in this Policy and what types of personal data of the data subjects are processed under such categories thereof. Such personal data include those explicitly evident that they belong to an identified or identifiable natural person as processed, in part or in whole, by automatic systems, or otherwise by non-automatic systems provided that such personal data are part of a data recording system as follows:

SECTION 4: PROCESSING OF PERSONAL DATA

General Principles for Processing of Personal Data

Personal data are processed by the Company in compliance with the procedures and principles as provided under the Law and this Policy. The Company acts in line with the following principles when processing such personal data:

Compliance to applicable law and good faith principles;

Ensuring that such personal data are accurate and up-to-date as required;

Processing of personal data for specific, explicit, and legitimate purposes;

Processing of personal data in relation to, limited and proportional to the intended purpose for processing; and

Storage of personal data for a period as provided in applicable legislation or as required for the intended purpose for processing of such personal data.

Conditions for Processing of Personal Data

The Company does not process personal data without the explicit consent of the personal data owner thereof. However, such personal data may be processed without any requirement for explicit consent of the personal data owner in case of any of the following conditions:

Such processing of personal data is explicitly provided under applicable law;
Processing of such personal data is required for the protection of life or physical integrity of the data subject or any other person in such cases where such data subject is unable to provide its explicit consent due to actual impossibility or where such explicit consent is not deemed to be legally valid thereof.
Processing of personal data of the contracting parties is required, provided that such personal data are directly related to the establishment or execution of an agreement: For instance, the bank account information of the payee may be received for the purpose of the payment of the amounts under an agreement executed by and between the parties thereof.
Processing of such personal data is required for the data controller to fulfill its legal obligations thereof.
Such personal data have been made public by the data subject itself: In other words, personal information as previously disclosed to the public may be processed without the explicit consent of the personal data owner as the legal interest for the protection of such personal data is no longer applicable.
Processing of such personal data is required for allocation, use, or protection of any claims or rights thereof.
Processing of such personal data is required for the legitimate interests of the data controller provided that such processing of personal data shall not cause any harm to the fundamental rights and liberties of the data subject thereof.

Conditions for Processing of Sensitive Personal Data

The Company does not process Sensitive Personal Data without an explicit consent of the data subject thereof. The Company shall carry out necessary processes in order to take adequate measures as determined by the Personal Data Protection Board for processing of such Sensitive Personal Data. ,

Our Intended Purposes for Processing of Personal Data

Personal Data as collected by the Company are processed for the following purposes within the scope of the conditions for processing of personal data as provided in articles 5 and 6 of the Law. In case the operation of processing of personal data for the following purposes fails to meet any of the conditions as provided under the Law, then the Company obtains the explicit consent of the personal data owner in relation to such processing of personal data thereof.

Performance of emergency procedures;

Performance of information and/or data security procedures;

Management of access authorizations;

Ensuring security of the premises;

Performance of communication operations;

Performance of storage and archiving operations;

Performance of internal audit, investigation, and intelligence operations;

Performance of risk management procedures;

Ensuring the security of movable property and resources;

Management of organization activities and events

Performance of management activities;

Performance of business and administrative activities;

Providing support services to customers and reporting within the scope of the relevant contract and applicable service standards;

Formation, updating, and development of the services to be provided to our customers by determining the interests and requirements of our customers thereof;

Ensuring the fulfillment of our legal obligations as required or obligated by statutory regulations;

Providing campaigns, surveys, and promotions;

Contacting persons having a business relationship with the Company;

Performing advertisement and marketing operations;

Compliance management;

Vendor / supplier management, program and services;

Statutory reporting,

Invoicing,

Optimal planning and implementation of human resources policies; 

Correct planning, performance, and management of business partnerships and strategies;

Ensuring legal, commercial, and physical security of the Company and its business associates;

Ensuring corporate operation as well as planning and execution of management and communication activities;

Ensuring the highest level of data security; 

Creation of databases;

Development of web services and debugging on the corporate website;

Contacting Personal Data owners who have submitted their requests and complaints to the Company as well as ensuring the management of such requests and complaints thereof;

Efficiency management;

Performance of staff recruitment procedures;

Providing the Group Companies with support relating to staff recruitment and compliance to applicable legislation;

Planning and performance of audit and supervision activities in order to ensure the performance of the operations of the Group Companies in compliance with the applicable legislation;

Providing the Group Companies with support relating to the performance of the operations under corporations law and legislation;

Performance and follow-up of financial reporting and risk management processes;

Performance and follow-up of operations under corporate law;

Performance of operations for maintaining corporate reputation;

Creation and follow-up of visitor records;

Planning and performance of the activities relating to business operations and business continuity;

Follow-up of financial and/or accounting operations;

Providing competent authorities with information in relation to applicable legislation and preparation for audits to be conducted by such competent authorities;

Planning and performance of corporate communication activities;

Planning and performance of operational procedures;

Planning and performance of the authorized staff of the business associates and/or suppliers to access information;

Planning and performance of customer relationship management procedures;

Follow-up of customer requests and/or complaints,

Follow-up of contracting procedures and/or legal claims;

Planning and performance of marketing survey activities for sales and marketing of the services;

Performance of sales and after-sale operations as well as purchasing operations;

Planning and/or performance of procedures for creating and/or increasing customer engagement to the products and/or services as provided by the Company;

For the purposes of ensuring the performance of corporate human resources policies and evaluation of job applications in compliance with corporate human resources policies;

Fulfillment of the obligations and taking necessary actions within the scope of occupational health and safety procedures;

Fulfillment of the obligations on behalf of the company employees arising out of the contract of employment and/or applicable legislation thereof;

Performance of the procedures relating to commencement and termination of the employment of the personnel;

Evaluation of wages and performance procedures as well as management of salaries and payrolls;

Planning and/or performance of in-company training activities;

For the purpose of ensuring the legal and commercial security of the Company and persons having a business relationship with the Company;

Planning and performance of necessary operational activities in order to ensure that the Company operations are carried out in compliance with corporate procedures and/or applicable legislation;

Ensuring the security of Company premises and/or buildings and facilities;

Ensuring the security of Company assets (i.e. fixtures and fittings etc.) and/or resources;

For the purpose of determination and implementation of corporate commercial and business strategies;

Performance of social responsibility activities conducted by the Company;

Planning and performance of customs operations procedures;

Completion of Excellence procedures;

SECTION 5: TRANSFER OF PERSONAL DATA

Conditions for Transferring Personal Data

As a corporation, we act in compliance with the decisions and regulations as provided under the Law and taken by the Board regarding the transfer of Personal Data and we take any necessary actions thereof. Provided that the exceptional circumstances as contained in the applicable legislation are reserved, the Company does not transfer personal data and sensitive personal data to any natural persons or legal entities without the explicit consent of the Data Subject thereof. However, personal data may be transferred:

In such cases as described in article 2 of Section 4 in this Policy, or

For sensitive personal data, in such cases as described in article 2 of Section 4 in this Policy, or

Sensitive personal data concerning the health and sex life or sexual orientation of the Data Subject may only be transferred to the natural persons or authorized institutions and organizations under confidentiality obligation for the purposes of protection of public health, preventive healthcare, medical diagnosis, treatment and healthcare services, planning and management of healthcare services as well as their financing

without any requirement for an explicit consent thereof. 

Media used by the Company for the transfer of such personal data consist of methods such as corporate intranet, electronic mail, printed copy, MS Excel worksheet, VPN, and secure file transfer.

Conditions for International Transfer of Personal Data

As a rule, personal data may not be transferred abroad without the explicit consent of the Data Subject thereof. However, in case of any of the exceptional circumstances as defined in article 2 of Section 4 in this Policy and in case such third parties abroad are:

Located in any of the countries as listed by the Board to ensure adequate protection of personal data, or

In cases where such third parties are not located in any of the countries ensuring adequate data protection, then on the condition that the data controllers in Turkey and in the relevant countries abroad provide a written commitment to ensure adequate data protection and also provided that the Board grants permission thereof,

then such personal data may be transferred abroad without an explicit consent thereof. 

Our Intended Purposes for Transferring Personal Data and Third-Parties to Whom Personal Data Are Transferred

For the purposes as provided in Article 4 of this Policy, Personal data may be transferred to:

Our suppliers;

Business associates and business contacts;

Affiliates and group companies;

Ela Excellence Resort Belek;

Legally authorized public institutions and organizations;

Legally authorized private persons/entities;

Our shareholders;

Domestic and foreign server service providers of the Company; and

Audit firms

provided that all necessary technical and administrative measures are taken in line with the principles and rules as described in this Policy.

Personal Data Stipulated to be Transferred to Foreign Countries

Due to the ongoing abroad activities of Company, personal data limited to contact details may be transferred abroad based on the explicit consent of the personal data owners to be limited by the scope of such explicit consent and provided that it is also limited to the circumstances as required by the operational procedure with our foreign business associates located abroad.

SECTION 6: METHOD FOR COLLECTION OF PERSONAL DATA AND THE LEGAL BASIS

Method for Collection of Personal Data and the Legal Basis

Personal Data are collected by the Company by technical and procedural methods employed through various means such as our website, e-mails, application forms, request forms, secure electronic transactions, printed forms, log sheets, and physical channels, or in verbal, written, or digital environment, through automatic systems, in part or in whole, or through non-automatic systems provided that such personal data are part of a data recording system to be processed for the purposes of providing our business services to our customers within the framework of legitimate reasons arising out of and enforceable based on the applicable legislation, contracts, claims, customs of trade, and good faith principles as applicable in terms of the performance of our business operations in this regard as well as the fulfillment of legal obligations of the Company, fulfillment of the requirements of the business relationship established with our customers and establishment, exercising, and protection of mutual rights in this regard, and protection of the legitimate interests of the Company provided that the fundamental rights and liberties of the personal data owners having a business relationship with the Company are protected thereof. Within this context, characteristic methods for Collection of Personal Data, intended purposes for collection of personal data, and activities carried out in this regard are as follows:

Security Camera Surveillance Activity At the Building and Facility Entrances and Inside the Buildings and Facilities

Within the scope of security camera surveillance activity, the Company aims to improve the Excellence of services provided, to ensure the reliability of such services, to ensure the security of the Company, its customers, and others, and to protect the interests of the customers relating to the services provided to such customers thereof.

Legal Basis for Camera Surveillance Activity

Camera surveillance activity as undertaken by the Company is carried out in compliance with the Law on Private Security Services and applicable legislation thereof.

Providing Information on Camera Surveillance Activity

As per article 10 of the Law on the Protection of Personal Data, the Company provides the personal data owner with necessary information thereof.

With regards to camera surveillance activity, the Company published this Policy on its website (online Policy amendment) and a warning sign about camera surveillance was placed at the entrances of the locations subject to surveillance (providing on-site information).

Intended Purpose for Camera Surveillance Activity and Such Activity Being Limited to the Purpose

The intended purpose for camera surveillance activity as carried out by the Company is limited to the purposes as provided in this Policy. Areas where surveillance would be too invasive for the privacy of individuals beyond the intended purposes for security (e.g. restrooms, prayer rooms, etc.) are not subject to camera surveillance activity.

Ensuring Security of Captured Personal Data

In compliance with article 12 of the Law on the Protection of Personal Data, all reasonable technical and administrative measures as provided in this Policy are taken with a view to instating the security of the captured personal data by the Company as a result of camera surveillance activity.

Parties Authorized to Access the Captured Personal Data by Camera Surveillance Activity and Parties to Whom Such Personal Data Are Transferred

Only a limited number of Company employees has access to the security camera footage as captured and stored in digital environment. On the other hand, in-company security staff and administrative affairs personnel may view live feed as received from the security camera systems. Others are not allowed to access such footage.

Supervision of Visitor Entry-Exit Procedures At Building and Facility Entrances and Inside the Buildings and Facilities

The Company processes personal data for the supervision of visitors' entry and exit procedures in the Company buildings and facilities in order to ensure the security and for the purposes as defined in this Policy.

Names and last names as well as vehicle plate numbers of the persons who are visiting the Company premises as a guest are obtained and such persons as the personal data owners are duly informed by texts placed in various locations in the Company premises or otherwise made available to the guests thereof.

Website Visitors

The Company uses technical methods (e.g. cookies, etc.) to log online website activities of the visitors of the websites as owned by the Company in order to ensure that the visitors of such websites navigate the websites in line with the intended purposes of visiting such websites, provide the visitors with customized content, and carry out online advertisement activities thereof. Visitors of our website are provided with our "Cookies Policy" and comprehensive information is provided to such visitors in line with our obligation to provide required information to our visitors thereof.

Mobile Applications of the Company

The Company develops mobile applications used by our customers by downloading such applications to their mobile devices with an aim to facilitate the provision of services as provided by the Company to our customers. Explicit consent of the customers are obtained by providing comprehensive information within the scope of our obligation to provide required information to our customers using our mobile applications just before they enter any personal information thereof.

SECTION 7: DELETION, DISPOSAL, AND ANONYMIZATION OF PERSONAL DATA

Deletion, Disposal, or Anonymization of Personal Data

The Company undertakes deletion, disposal, or anonymization of Personal Data, either ex officio or upon request by the personal data owner, in case the conditions for processing of such personal data are no longer applicable provided that applicable provisions as contained in other laws and legislation relating to deletion, disposal, or anonymization of Personal Data shall be reserved. Upon deletion of Personal Data, such data are destroyed in such a manner to prevent them being reused or recovered. Data disposal processes are carried out by documenting such disposal process in a formal report in periodic disposal periods as determined by the Company thereof.

Term for Storage and Disposal of Personal Data

The Company stores Personal Data during the period as provided in applicable legislation provided that storage of Personal Data is stipulated in such applicable legislation. In case such legislation does not set out the storage period of personal data, then Personal Data is processed for a period as required by the Company procedures and customs of trade in relation to the operations performed during processing of such personal data, and then personal data are subject to deletion, disposal or anonymization thereof.

In case the purpose for processing of personal data is no longer applicable and the storage period as provided in applicable legislation and/or as determined by the Company has also expired, then such personal data may only be stored to constitute evidence for any potential legal disputes or claim for the rights associated with such personal data or defend such rights thereof. In such cases, the Company determines the storage periods of personal data by taking into consideration the statute of limitation periods for claiming for such rights as well as previous examples contained in the requests as received by the Company on similar cases regardless of whether the statute of limitation periods has expired thereof. In that case, such stored personal data may not be accessed for any other purpose and the relevant personal data may only be accessed when they are required to be used to resolve such legal disputes thereof. Upon expiration of the storage period as defined in this paragraph, such personal data are subject to deletion, disposal, or anonymization thereof.

SECTION 8: ACTIONS TAKEN FOR THE SECURITY OF PERSONAL DATA

The Company takes all necessary technical and administrative measures and performs or gets all necessary controls done in order to ensure adequate level of security to prevent unlawful processing, unlawful access to as well as ensuring the protection of Personal Data as processed by the Company in compliance with article 12 of the Law thereof.

Technical Measures Taken for Personal Data Security

Provided that such measures are limited to those for ensuring the security and protection of personal data:

Network security and application security are ensured;
Closed computer network system is used in personal data transfers through the network;
Necessary security measures with regards to the procurement, development, and maintenance of information technology systems are taken;
In-company technical organization is implemented for the purposes of processing and storage of personal data in compliance with the applicable legislation thereof;
Data masking is applied as a measure whenever deemed required;
Technical infrastructure is established in order to ensure the security of the databases on which personal data are intended to be stored;
Established Technical infrastructure procedures are subject to follow-ups and controls;
Reporting procedures for the technical measures taken as well as control processes are determined;
Technical measures are periodically updated and revised;
Associated risks are reviewed and necessary technological solutions are created;
Up-to-date anti-virus protection systems, firewall, and similar software or hardware security products are used and security systems in line with technological developments are installed;
Applications through which personal data are collected are subject to periodic security scans and any identified security breaches are eliminated thereof;
Backup programs are used in compliance with applicable law in order to ensure the secure storage of personal data;
Access to data storage media and/or data is strictly limited to the access of the authorized personnel and limited to the purpose for storage of personal data, and any unauthorized access or attempted access is instantly reported to the authorized personnel by keeping log entries for access to data storage spaces where such personal data are stored;
Logs are subject to periodic review;
Expert technical staff is employed;
User account management and authorization control systems are in place and subject to follow-up;
Logs are kept in such a manner to prevent any user intervention;
In case sensitive personal data are required to be transferred by e-mail, such sensitive personal data are always sent by encryption and via KEP address (registered e-mail address) or by using a corporate e-mail account;
Secure encryption and/or cryptographic keys are used for sensitive personal data and managed by different units;
Cyber attack detection and prevention systems are in place;
Penetration test is performed;
Cybersecurity measures have been taken and its implementation is subject to continuous supervision;
Encryption is ensured.

Administrative Measures Taken for Personal Data Security

Provided that such measures are limited to those for the protection of personal data:

Corporate policies and procedures are created for access to personal data by those, including employees of our group companies and affiliates, data security, data usage, storage, and disposal, and policies for using tools and equipment associated with the use of databases and applications containing personal data are issued and implemented thereof;

Employees are duly informed and trained on protection and processing of personal data in compliance with applicable law;

Data security training and awareness activities for employees are organized on a regular basis;

Within the scope of the agreements with our employees and/or corporate policies as published, actions to be taken in case of any unlawful processing of personal data by our company employees are determined;

Agreements and procedures as executed with our employees contain provisions imposing obligations to prevent unlawful processing, disclosure, and use of personal data in such an unlawful manner thereof, and relevant awareness and control activities are carried out in this regard;

Company employees are subject to disciplinary actions relating to data security;

Our employees are informed about the fact that their obligations not to disclose to others any personal data they have in possession in any manner as contrary to the provisions of the Law and not to process such personal data for any purpose other than the intended purpose for processing of such personal data shall continue to be applicable to them even after they have left their job and such employees provide a written commitment not to disclose or process such personal information thereof;

Corporate policies on access, data security, use, storage, and disposal of personal data are issued and implemented;

The agreements as executed by and between the Company and the parties, to whom personal data are transferred in compliance with applicable law, contain provisions ensuring that the parties, to whom personal data are transferred, shall take the necessary security measures for the protection of such personal data and ensure compliance with such measures in their own institutions thereof;

The scope of access to personal data by our company employees is determined based on the roles and responsibilities/functions of such employees, and their authorities to access such personal data are limited accordingly whereas their authorities are periodically reviewed, an authorization matrix is designated, and the authorizations of the employees who leave their job or are subject to reassignment are removed thereof;

Recent developments on the data security, right of privacy, and protection of personal data are followed and necessary legal and technical consultancy services are procured in order to take any necessary actions thereof;

Compliance of collaborated data processors and other data controllers to the Law and secondary legislation is investigated, necessary instructions are provided, and their awareness on compliance is ensured;

Any issues about personal data security are duly reported without delay;

Personal data security is subject to follow-up;

Personal data volume is reduced as much as possible;

Personal data are subject to backup and the security of such personal data subject to backup are also ensured;

Internal periodic and/or random controls are performed and/or get to be performed;

Current risks and threats are identified;

Protocols and procedures for the security of sensitive personal data have been determined and implemented;

Necessary security measures are taken for entry to and exit from the environments/media containing personal data;

The environments containing personal data are protected against external risks (e.g. fire, flood, etc.);

Awareness of service providers who process personal data is ensured for data security;

Technical staff is employed accordingly; and

The system ensuring timely reporting to the relevant personal data owner and the Personal Data Protection Board in case of any unlawful access to such personal data by unauthorized parties have been established and implemented.

Physical Actions Taken for Personal Data Security

Occupation-based physical access measures are taken at the locations where personal data are stored;

Documents as well as archiving/storage equipment containing personal data are stored in locked cabinets;

Card pass systems are used in working spaces;

Working spaces are monitored by closed-circuit camera system (CCTV) without intrusion to the privacy of the employees;

Documents and storage equipment containing personal data are securely disposed of, and are subject to backup to prevent data loss in line with the rules and principles as provided under the Law on the Protection of Personal Data and this Policy thereof.

Procedure to be Followed for Unauthorized Disclosure of Personal Data

Pursuant to article 12 of the Law, the Company notifies the relevant data owner and the Board as soon as possible and within 72 hours at the latest from the determination of the unlawful access by third parties of the processed Personal Data.

Auditting the Actions Taken for the Protection of Personal Data

Pursuant to article 12 of the Law on the Protection of Personal Data, the Company performs or causes to perform internal audits every 6 months as required thereof. The audit results are reported to the relevant department within the scope of the internal procedures of the Company and the necessary actions are taken in order to improve the measures taken thereof.



Raising Awareness and Supervision of the Employees on Protection and Processing of Personal Data

The Company ensures organization of necessary training to be provided to its current employees and new employees recently recruited in any business unit, in order to raise awareness on prevention of unlawful processing of and unlawful access to personal data as well as ensuring protection of such personal data thereof. The current employees of the Company are provided with awareness training every 4 months thereof.

SECTION 9: RIGHTS OF THE PERSONAL DATA OWNER

Providing Clarification to the Personal Data Owner

During the collection of Personal Data as per article 10 of the Law, the Company provides clarification/information to the personal data owner about the identity of the Company representative, if any, intended purposes for processing of Personal Data, to whom and for what purposes such Personal Data as processed may be transferred, the method for collection of Personal Data and legal basis thereof as well as the rights of the Personal Data Owner thereof.

Rights of the Personal Data Owner

Pursuant to article 11 of the Law, the Company provides information to the personal data owners about their rights as follows:

Learning about whether such personal data are processed;
Requesting for information if such personal data have been processed;
Learning about the purpose for processing of personal data and whether such personal data are used in line with their intended purposes thereof;
Being informed about domestic or foreign third parties to whom such personal data are transferred;
Requesting for correction of any incomplete or inaccurate information in case such personal data as processed contain any incomplete or inaccurate information thereof;
Requesting for deletion or disposal of personal data within the scope of the conditions as provided in article 7 of the Law thereof;
Requesting for notification of the processes carried out pursuant to items (d) and (e) of Article 11 of the Law to the third parties to whom such personal data have been transferred;
Raising an objection in case of any result against the personal data owner arising out of the analysis of the processed data exclusively through automatic systems; and
Requesting for compensation of damages in case the personal data owner incurs damages and/or loss due to unlawful processing of its personal data
thereof.

Exercising of the Rights by the Personal Data Owner

Personal data owners may submit to the Company their requests for exercising their rights as defined in this Policy through our website at www.ozakglobal.com by the methods as described in our website, by completing the "Application Form" and complying with the conditions as provided in the "Application Form" thereof.

Petition Right of the Personal Data Owner to the Personal Data Protection Board

If the application as submitted by the personal data owner is rejected by the Company, or the personal data owner considers that the response provided was not satisfactory, or the Company fails to provide a response in due time, the personal data owner shall be entitled to submit an official complaint to the Board within thirty (30) days from the receipt of the response and in any case, within sixty (60) days from the date of application thereof.

Data Controller's Right to Reject the Application of the Personal Data Owner

The Company is entitled to reject the application as submitted by the personal data owner in case certain conditions are met as described in this Policy. Conditions where the Company as the Data Controller is entitled to exercise its right to reject the application of the personal data owner are as follows:

Regarding the personal data subject to the application submitted by the relevant personal data owner;

In case such personal data are processed for purposes such as research, planning, and statistics, etc. after anonymization of such personal data by official statisticalization procedures;

In case such personal data are processed for the purposes such as art, history, literature, or science or within the context of freedom of expression provided that such processing of personal data shall not violate or constitute any crime against national defense, national security, public safety, public order, economic security, right of privacy, or personal rights thereof;

In case such personal data are processed within the scope of preventive, protective, and intelligence actions as conducted by the competent public institutions and organizations as designated and authorized by law to ensure national defense, national security, public safety, public order, or economic security;

In case such personal data are processed by judicial or execution authorities in relation to investigation, prosecution, litigation, or execution;

In case processing of personal data is required for prevention of committing a crime or for criminal investigation;

Processing of personal data as previously made public by the personal data owner;

In case processing of personal data is required for the performance of supervisory or regulatory functions as well as disciplinary investigation or prosecution by the competent public institutions and organizations as well as public professional organizations as designated and authorized by law;

In case processing of personal data is required for the protection of the economic and financial interests of the State in relation to budgetary, taxation, and financial matters;

In case the request of the relevant personal data owner may potentially hinder the rights and liberties of others;

In case of requests requiring disproportionate efforts; and

In case the requested information is publicly available information, then

the Company as the Data Controller may exercise its right to reject the application thereof. 

SECTION 10: PERSONNEL RESPONSIBLE FOR ENSURING COMPLIANCE TO THIS POLICY

As per the resolution of the Company senior management, the Personal Data Committee was formed within the Company for the management of this Policy as well as other policies arising out of and in relation to this Policy thereof. The Personal Data Committee shall be authorized and be responsible for the performance of all necessary procedures for storage and processing of the personal data of Personal Data Owners in compliance with the applicable law, this Policy as well as other policies arising out of and in relation to this Policy thereof. The main responsibilities of the Personal Data Committee are as follows:

Drafting basic policies on Protection and Processing of Personal Data, and submitting such policies to the senior management for approval of the same for implementation;

Deciding on the performance and procedures for implementation and control of the policies on Protection and Processing of Personal Data, ensuring internal assignment and coordination within this scope, and submission of the same to the senior management for approval thereof;

Determination of the actions required to ensure compliance to the Law on the Protection of Personal Data and applicable legislation, and submission of such required actions to the senior management for approval as well as ensuring supervision and coordination of the implementation of such actions thereof;

Raising awareness about the Protection and Processing of Personal Data within the Company as well as in other institutions that the Company collaborates with;

Determination of any potential risks relating to the processing of personal data by the Company and ensuring that all necessary actions are taken as well as submission of proposals for improvement to the senior management for their approval;

Designation and ensuring implementation of training activities for the protection of personal data as well as for the implementation of the policies thereof;

Providing the ultimate and final resolution of the applications as submitted by personal data owners;

Coordination of informing and training activities to ensure that personal data owners are duly informed about the operations regarding the processing of personal data as well as about their legal rights thereof;

Drafting amendments to basic policies on Protection and Processing of Personal Data, and submitting such policies to the senior management for approval of the same for implementation;

Following the developments and regulations on the Protection of Personal Data, providing the senior management with recommendations on the actions as required to be taken within the Company in line with such developments and regulations thereof;

Coordination of the relationship between the Committee and the Personal Data Protection Board thereof; and

Performance of other functions to be assigned by the senior management of the Company on the protection of personal data.

SECTION 11: REVISIONS AND CHANGES

The Company reserves the right to make changes to this Policy and other policies arising out of and in relation to this Policy in line with any amendment to the Law and secondary legislation as well as any resolutions of the Committee and/or any developments in the industry or informatics thereof. Any changes to this Policy are immediately incorporated into the text and any comments relating to such changes are provided in this section.

01/06/2020    : This Policy on the Processing and Protection of Personal Data entered into force upon approval by the Company thereof.