DATA PRIVACY COMMITMENT

  • This Personal Data Protection Policy (“Policy”) determines the principles to be followed by the Turkey SMA Foundation (“Data Controller”) while fulfilling its obligations to protect personal data, pursuant to the Personal Data Protection Law No. 6698 and the provisions of the relevant legislation.
  • The data controller undertakes to act in accordance with this Policy and the procedures to be applied in accordance with the Policy in terms of the personal data in its possession.

PURPOSE OF THE POLICY

  • The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of personal data by the data controller.

SCOPE OF THE POLICY

  • This Policy covers all activities related to personal data processed by the data controller and is applied to said activities.
  • This Policy does not apply to data that does not qualify as personal data.
  • This Policy can be changed by the authorized decision bodies of the data controller if required by the personal data protection regulations.
  • In case of inconsistency between the personal data protection regulations and the Policy, the provisions of the legislation regarding the protection of personal data shall prevail.

DEFINITIONS

  • The definitions in this Policy have the following meanings:
    • Explicit Consent: It expresses the consent based on being informed about a particular subject and expressed with free will.
    • Anonymization: It means making personal data impossible to be associated with an identified or identifiable real person under any circumstances, even by matching with other data.
    • Clarification Obligation: Refers to the obligation of the Data Controller or the person authorized by it to inform the data subject within the scope of Article 10 of the KVKK during the acquisition of personal data.
    • Relevant Person: Refers to all real persons whose Personal Data is processed by or on behalf of the data controller.
    • Personal Data: Refers to all kinds of information relating to an identified or identifiable natural person. (Within the scope of this policy, the expression "personal data" also includes the expression "personal data of special nature", if appropriate.)
    • Personal Data Processing: Refers to any kind of operation performed on personal data, such as obtaining, recording, storing, preserving, changing, re-processing, organizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, completely or partially automatically, or non-automatically provided that it is a part of a data recording system.
    • Board: refers to the Personal Data Protection Board.
    • Authority: refers to the Personal Data Protection Authority.
    • KVKK: Refers to the Law on Protection of Personal Data No. 6698.
    • KVK Regulations: Refers to the Personal Data Protection Law No. 6698 and other relevant legislation on the protection of Personal Data, binding judicial and administrative decisions, policy decisions, provisions, instructions, applicable international agreements on data and any other legislation.
    • KVK Policies: Refers to the policies issued by the data controller on the protection of Personal Data.
    • KVK Procedures: Refers to the procedures that determine the obligations of the data controller and employees within the scope of the KVK Policies.
    • Special Quality Personal Data: Refers to data on people's race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
    • Deletion or Destruction: Means that Personal Data is irreversibly deleted or destroyed.
    • Data Inventory: Refers to the inventory kept for the Personal Data Processing activities of the data controller, containing information such as the processing methods, the purposes of personal data processing, the data category and the third persons to which personal data is transferred.
    • Data Processor: refers to the real or legal person who processes personal data on behalf of the Data Controller, with the authorization of the Data Controller.
    • Data Controller: Refers to the natural or legal person who processes personal data by specifying the purposes and ways of processing, and who is responsible for the establishment and management of the data recording system.
    • Data Controller Contact Person: Refers to the person who manages the data controller's relations with the Institution and is appointed by the decision of the authorized body.

PRINCIPLES OF PERSONAL DATA PROCESSING

  • The data controller processes the personal data in accordance with the law and the rules of honesty and on the basis of the principle of good faith.
  • The data controller is responsible for all necessary procedures for the personal data to be complete, accurate and up-to-date. It takes measures and updates the relevant personal data within the scope of KVK Regulations when necessary.
  • The data controller processes personal data for specific, clear and legitimate purposes. Before the processing of personal data, the purpose for which personal data will be processed is determined by the Data Controller. The relevant person is informed within the scope of KVK regulations and the Explicit Consent of the Related Person is obtained when necessary.
  • The Data Controller processes personal data in a manner that is related to the purpose of processing, limited and measured. The data controller may use personal data only in exceptional cases within the scope of KVK Regulations (Articles 5.2 and 6.3 of the KVKK) or for the purpose within the scope of Explicit Consent obtained from the Related Person (Article 5.1 and Article 6.2 of the KVKK), and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a way that is suitable for the realization of the determined purposes and refrains from processing personal data that is not related to the realization of the purpose or is not needed.
  • The Data Controller preserves personal data for as long as necessary for the purpose for which they are processed or as specified in the relevant legislation. Personal data is deleted or anonymized after the period required for the purpose of Personal Data Processing has expired. In this case, it is ensured that the third persons to which the data controller transfers the personal data also delete, destroy or anonymize personal data.

PROCESSING OF PERSONAL DATA

Personal data can only be processed by the Data Controller within the scope of the following procedures and principles:

  • Explicit Consent
    • Personal Data is processed after the notification to be made within the scope of fulfilling the obligation to inform the Relevant Persons and upon the Explicit Consent of the Relevant Persons.
    • Within the framework of the Clarification Obligation, Relevant Persons are informed of their rights before express consent is obtained.
    • Explicit Consent of the Relevant Person is obtained through methods in accordance with KVK Regulations. Explicit Consent is provably retained by the Data Controller for the required period of time within the scope of KVK Regulations.
    • All employees who process Personal Data are obliged to comply with this Policy and the KVKK Procedures, which are the annexes of this Policy.
  • Processing of Personal Data without Explicit Consent: In cases where the KVK Regulations provide for the processing of personal data without express consent (Article 5.2 of the KVKK), the Data Controller may process personal data without obtaining the explicit consent of the Related Person. In the event that personal data is processed in this way, the Data Controller processes personal data within the limits set by the KVK Regulations. In this context:
    • Where it is explicitly provided for in the law, personal data may be processed by the Data Controller without express consent.
    • Where it is mandatory for the protection of the life or bodily integrity of the Relevant Person himself or of someone other than the Relevant Person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid, personal data may be processed by the Data Controller without express consent.
    • Provided that it is directly related to the establishment or performance of a contract, in case it is necessary to process the personal data of the parties to the contract, the personal data may be processed by the Data Controller without the express consent of the Relevant Persons.
    • If processing is necessary for the Data Controller to fulfil its legal obligation, personal data may be processed by the Data Controller without the express consent of the data subjects.
    • Personal data made public by the Relevant Person may be processed by the Data Controller without obtaining express consent.
    • If the processing of personal data is necessary for the establishment, exercise or protection of a right, personal data may be processed by the Data Controller without obtaining express consent.
    • Provided that it does not harm the fundamental rights and freedoms of the Data Controller, personal data may be processed by the Data Controller without express consent, if data processing is necessary for the legitimate interests of the Data Controller.

PROCESSING OF SPECIAL QUALITY PERSONAL DATA

  • Special Quality Personal Data can only be processed if the Relevant Person has given express consent or, for Special Quality Personal Data other than sexual life and personal health data, if processing is explicitly required by law.
  • Personal data related to health and sexual life can be processed without express consent, but only for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, and planning and managing health services and their financing, by persons or authorized institutions and organizations under an obligation to keep confidentiality.
  • Measures determined by the Board are taken when processing Special Quality Personal Data.
  • Data Controller, for employees involved in the processing of Special Quality Personal Data,
    • It will provide regular training on KVK Regulations and the security of Personal Data.
    • It will make confidentiality agreements.
    • It will define the authorizations of users who have access to Personal Data and will periodically perform authorization checks.
    • It will immediately remove the authority in this field of employees who change jobs or quit, and will immediately take back the inventory allocated to the relevant employee.

STORAGE OF PERSONAL DATA

  • Personal Data are kept within the scope of the relevant legal retention periods within the Data Controller, and are kept for the required period in order to carry out the activities related to this data and the purposes specified in this Policy. Personal data whose purpose of use has expired and whose legal storage period has expired is deleted, destroyed or anonymized by the Data Controller in accordance with Article 7 of the KVKK.
  • In case Personal and Special Quality Personal Data are transferred to electronic media, the Data Controller shall take the necessary technical measures regarding the electronic environments where Personal and Special Quality Data are processed, stored and/or accessed.
  • In the event that Personal and Special Quality Personal Data are processed in the physical environment, the Data Controller shall take the necessary administrative measures regarding the physical security of the physical environments where the Data is processed, stored and/or accessed, and shall prevent unauthorized entry and exit.

DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

  • When the legitimate purpose for the Processing of Personal Data disappears, the relevant personal data is deleted, destroyed or anonymized.
  • The necessary procedure is established for the deletion, destruction and anonymization processes and actions are taken in line with the procedure.
  • The Data Controller does not store Personal Data on the basis of the possibility of using it in the future.
  • All deletion, destruction and anonymization activities to be implemented by the Data Controller on Personal Data will be carried out in accordance with the principles specified in the Procedure for Deletion, Destruction and Anonymization of Personal Data.

TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PERSONS

  • The Data Controller, by taking the necessary measures in line with the purposes of Personal Data Processing, can transfer Personal Data to third real or legal persons in Turkey and/or abroad in accordance with KVK Regulations. In this case, the Data Controller ensures that the third persons to whom it transfers personal data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third person.
  • Personal data may be transferred by the Data Controller to third persons in Turkey without express consent in the exceptional cases specified in Article 5.2 and Article 6.3 of the KVKK, provided that adequate measures are taken, or in other cases, provided that the explicit consent of the Relevant Person is obtained (KVKK Article 5.1 and Article 6.2).
  • Personal data may be transferred by the Data Controller to third persons without Explicit Consent in the exceptional cases specified in KVKK Article 5.2 and Article 6.3, or in other cases, provided that the explicit consent of the Relevant Person is obtained (Article 5.1 and Article 6.2 of the KVKK).
  • In the event that personal data is transferred without express consent in accordance with the KVK Regulations, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:
    • The foreign country to which the Personal Data is transferred has the status of a country with adequate protection as determined by the Board (the Board's current list will be taken into account),
    • In case the foreign country where the transfer will take place is not included in the Board's list of safe countries, the Data Controller and the Data Controllers in the relevant country must obtain permission from the Board by making a written commitment that adequate protection will be provided.

DATA CONTROLLER'S CLARIFICATION OBLIGATION

  • The Data Controller informs the Related Persons before the processing of personal data in accordance with Article 10 of the KVKK. In this context, the Data Controller fulfills the obligation to inform while obtaining personal data. The notification to be made to the Relevant Persons within the scope of the Clarification Obligation includes the following elements, respectively:
    • Identity of the Data Controller and his representative, if any,
    • The purpose for which personal data will be processed,
    • To whom and for what purpose the processed personal data can be transferred,
    • Method and legal reason for collecting personal data,
    • Rights of Relevant Persons listed in Article 11 of the KVKK.
  • The Data Controller provides the necessary information if the Data Subject requests information in accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK.
  • In case of request by the Related Persons in accordance with the KVK Regulations, the Data Controller notifies the Personal Data of the Related Person that has been processed to the Related Person.
  • In case the Data Processor is a third person, the third person must commit, with a written agreement made before starting Personal Data Processing, to act in accordance with the obligations stated above.

RIGHTS OF THE RELATED PERSON

  • The Data Controller responds to the following requests of the Relevant Persons whose personal data they hold, in accordance with the KVK Regulations:
    • Learning whether personal data is processed by the data controller,
    • Request information about the processing of Personal Data,
    • Learning the purpose of processing Personal Data and whether they are used in accordance with its purpose,
    • Knowing the third persons to whom personal data is transferred at home or abroad,
    • To request correction of Personal Data in case of incomplete or incorrect processing by the Data Controller,
    • To request the deletion or destruction of personal data by the Data Controller, in case the reasons requiring the processing of personal data disappear within the scope of the principles of purpose, duration and legitimacy,
    • In case of correction, deletion or destruction of personal data by the Data Controller, requesting that the third persons to whom personal data is transferred be notified of these processes,
    • Objecting to the result if the analysis of the processed Personal Data exclusively through automated systems produces a result against the Relevant Person,
    • Demanding the removal of the damage in case the Personal Data is processed unlawfully and the Related Person suffers damage due to this reason.
  • In cases where Relevant Persons wish to exercise their rights and/or think that the Data Controller does not act within the scope of this Policy while processing personal data, they can send their requests:
    • By making an application to the address of the Data Controller stated below in writing in Turkish or by notary public,
    • By using the e-mail address previously notified to the data controller by the Relevant Person and registered in the data controller's system,
    • By other methods determined by the Personal Data Protection Authority, which may be added to these in the future.
    • Current application methods and application content must be checked against the legislation before the application. The applications made must contain the mandatory elements listed in the 2nd paragraph of the 5th article of the "Communiqué on the Procedures and Principles of Application to the Data Controller". Otherwise, applications will not be considered.

Data Controller: Turkey SMA Foundation

E-mail: info@sma.org.tr

Website: www.sma.org.tr

Mail: Batikent Mah. Geven Sok. No 5/B Tepebaşı/ESKISEHIR

  • In case the data subjects submit their requests regarding their rights listed above to the Data Controller in writing, the Data Controller concludes the request free of charge within thirty days, according to the nature of the request. In the event that a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

DATA MANAGEMENT AND SECURITY

  • All employees involved in the relevant process are jointly and severally responsible for the protection of Personal Data in accordance with this Policy and KVK Procedures.
  • Personal Data Processing activities are audited by the Data Controller with technical systems according to technological possibilities and implementation cost.
  • Personnel who are knowledgeable on technical issues related to Personal Data Processing activities are employed, and on other issues that require expertise, service is received from third persons.
  • Data Controller employees are informed and trained about the protection of personal data and its legal processing.
  • The necessary KVK Procedure is created in order to ensure that the employees who need access to personal data have access to the said personal data, and action is taken in accordance with this procedure.
  • Customers can access Personal Data only within the authorization defined for them and in accordance with the relevant KVK Procedure. Any kind of access and processing that the employee performs beyond his/her authority is unlawful and is a reason for termination of employment with just cause.
  • In case the employee suspects that the security of personal data is not adequately provided or detects such a security breach, he/she immediately notifies the Board of Directors.
  • Every person assigned a device is responsible for the security of the devices allocated to him/her.
  • Employees are responsible for the security of physical files within their area of responsibility.
  • In case of security measures requested or to be requested additionally for the security of personal data within the scope of KVK Regulations, all employees must comply with the additional security measures and are responsible for ensuring the continuity of the security measures.
  • Software and hardware including virus protection systems and firewalls are installed in accordance with technological developments in order to store Personal Data in secure environments at the campus of the data controller.
  • Backup programs are used to prevent personal data from being lost or damaged, and adequate security measures are taken.
  • Necessary measures will be taken to protect the documents containing personal data with encrypted systems. In this context, personal data will not be stored in common areas and on the desktop. Files, folders, etc. containing personal data will not be moved to the desktop or to the common folder. Without the written approval of the Board of Directors, the information on the Data Controller computers cannot be transferred to USB, etc. or to another device, or taken out of campus.
  • The data controller may decide, with the decision of the authorized body, to establish a committee in order to take technical and administrative measures for the protection of Personal Data, to follow the developments and administrative activities continuously, to prepare and announce the necessary KVK Procedures, and to ensure and supervise their compliance.
  • All of the personal data processed is considered "Confidential Information" by the Data Controller.
  • Employees have been informed that their obligations regarding the security and confidentiality of personal data will continue after the termination of the business relationship, and the Data Controller has obtained a commitment from its employees to comply with these rules.

EDUCATION

  • The data controller provides the necessary training to its employees on the protection of personal data within the scope of the Policy and the KVK Procedures in its annex and the KVK Regulations.
  • In the trainings, the definitions and protection of Special Quality Personal Data are especially mentioned.
  • If the employee has access to personal data physically or on a computer, the Data Controller shall train the relevant employee regarding these accesses (for example, the computer program being accessed).

AUDITING

  • The Data Controller has the right to inspect all employees, departments and contractors regularly and ex officio at any time, without giving any prior notice, in accordance with this Policy and KVK Regulations.

VIOLATIONS

  • Employees report to the Board of Directors any business or transaction that they believe is against the procedures and principles set forth in the KVK Regulations and within the scope of this Policy. In this context, an action plan is created in accordance with this Policy and KVK Procedures for the relevant violation.
  • The notification to be made to the Relevant Person or Institution regarding the violation is prepared by taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations.

CHANGES TO THE POLICY

  • This Policy may be changed, when necessary, with the approval of the Board of Directors.
  • The data controller shares the updated Policy text with its employees via e-mail so that the changes made on the Policy can be reviewed.

RELEASE DATE OF THE POLICY

  • This version of this Policy has entered into force after being approved by the Board of Directors on …/…/2021.