Personal Data Protection Law

1. REVISIONS

Revision No:
Revised Article:
Revision Reason:
Effective Date:


2. INTRODUCTION

The Personal Data Protection Law introduces several key provisions governing protection and legal processing of personal data.

Under the aforementioned law, personal data is defined as any information relating to an identified or identifiable natural person. Processing of personal data means any operation performed on personal data at any time between its collection and deletion.

Adequate personal data processing procedures will significantly enhance the Foundation’s capability of ensuring compliance with the law, which will in turn affect all other operations of the Foundation.


3. PURPOSE OF THE POLICY

This Policy governs the rules of processing personal data of the employees of the Foundation and its Commercial Enterprise. Therefore, the purpose of the Policy is to specify how the personal data of the employees, as well as other personal data that fall under the scope of the Policy, is processed. The other purpose of the Policy is to inform employees about the processing of personal data.


4. SCOPE OF THE POLICY

The Policy applies to Foundation employees. In addition to current employees, rules of this Policy also apply to former employees whose personal data is still being processed, and candidates who have applied for a job at the Foundation. For all purposes under this Policy, the term employee shall refer to former employees, candidates and interns wherever applicable.


5. EFFECTIVENESS AND REVISION

The Policy took effect on April 1, 2018. The Policy may be amended from time to time in order to adapt to changing conditions and legislation. Revisions shall be communicated to employees via various channels. In case the Policy is amended, either in part or in full, the effective date of the Policy shall be updated to reflect this change. The Human Resources Department is responsible for the implementation of this Policy.


6. PROCESSING OF PERSONAL DATA OF CANDIDATES DURING RECRUITMENT AND PLACEMENT

This section contains special provisions on the processing of personal data of candidates during recruitment processes. Special provisions concerning candidates are applicable alongside other provisions of this Policy that involve employees.

6.1. Personal Data Collected and Processed during Recruitment
The Foundation may process all or some of the information specified in the section “11. Categorization of Personal Data” depending on the nature of the job application. The Foundation may also collect and store the following candidate information during application:
• Full name, address, date of birth, email address, telephone number and other contact information,
• CV, cover letter, past or current work experience or other qualifications, education background, transcript, language proficiency test results or other supporting documentation,
• Records of information obtained during interviews, whether made through teleconference, over the phone, or face-to-face,
• Recording of the video interview, on condition that the candidate is given prior verbal/written notification about and consents to the interview being recorded,
• Results obtained from background checks and verifications concerning the information provided by the candidate, or other information obtained from the inquiries made by the Foundation,
• Results of competency tests and personality inventories conducted during recruitment.

Depending on the position, the Foundation may request the candidate to submit sensitive personal data (e.g. criminal record, medical record). In such cases, the candidate shall be informed as to why sensitive personal data is requested and how it will be used, either via the application form or another explanatory note.

6.2. Purposes for Collecting and Processing Candidate Personal Data
The Foundation may process candidate personal data, based on the nature of the application and on one or more of the purposes specified in this Policy’s section “12. Purposes for Processing Personal Data”, in order to:
• Evaluate the candidate’s qualifications, experience and suitability for the open position,
• When necessary, perform background checks of the information provided by the candidate, or contact relevant third parties to verify their references,
• Contact the candidate with regard to the application and recruitment processes, or about any new domestic or international positions as they become available in the future,
• Fulfill statutory obligations or the requirements of a government agency,
• Improve or develop the Foundation’s recruitment procedures.

6.3. Methods of Collecting and Processing Candidate Personal Data
During the recruitment process, candidate personal data may be collected by the following means, in addition to or as a supplement to the other means specified in this Policy:
• Written or digital application form on electronic media,
• Candidate CV submitted to the Foundation via email, mail, reference or other methods,
• Employment or consulting firms,
• During interviews, whether made through teleconference, over the phone, or face-to-face,
• Background checks and verifications concerning the information provided by the candidate, or inquiries made by the Foundation,
• Skill and personality tests administered and evaluated by experienced specialists during recruitment.

The Foundation processes the collected personal data automatically or manually through computer systems and human resources personnel.
Personal data collected by the Foundation shall be stored in hard copy or digital form in the Foundation’s communications systems, corporate resource planning systems and electronic media.

6.4. Candidate Reference Checks
The Foundation may perform checks to verify the references of candidates. In general, the purpose of these checks is to validate the information provided by the candidate. Furthermore, the checks also aim to reveal any information the candidate might have withheld, which could conceivably pose a risk for the Foundation.

The reference checks may also involve obtaining data from third parties.

The candidates may contact the Foundation at any time to inquire about the reference check.

6.5. Candidates’ Rights Regarding Their Personal Data
Candidates who wish to exercise their rights under the law may contact the Foundation within the scope of the procedures and principles detailed in this Policy.

6.6. Candidate Personal Data That Will Continue to Be Processed After Recruitment
In case the candidate is hired for the open position, all personal data collected and processed during the recruitment process shall be transferred to the personal file.

6.7. Candidate Personal Data Security
In terms of ensuring data security, no discrimination is made between Foundation employees and candidates who apply for a job at the Foundation. Please see the personal data security section of this document for detailed information about the security of personal data.


7. PRINCIPLES ON THE PROCESSING OF EMPLOYEE PERSONAL DATA

7.1. Lawfulness and Fairness
Personal data is processed in accordance with statutory requirements and the principles of good faith. Accordingly, personal data is processed in a limited manner, proportionate to the purpose of processing.

7.2. Accuracy and Up-to-dateness
Periodic checks and revisions are carried out to ensure that the processed data is accurate and up-to-date, taking into account legitimate interests of the employees. In this context, the Foundation shall establish internal systems for verifying, and when necessary, correcting personal data.

7.3. Being Processed for Specific, Clear and Legitimate Purposes
The processing of personal data shall be based on clear purposes, and personal data shall be processed only as necessary for these purposes. Processing purpose for personal data shall be disclosed before the actual processing.

7.4. Being Relevant, Limited and Proportionate to the Purpose of Processing
Personal data shall be processed in a manner that is appropriate for the specified purposes, avoiding processing any personal data that is unrelated or unnecessary to the specified purpose.

7.5. Being Retained for the Period Laid Down by Legislation or Required for the Purpose of Processing
The Foundation retains personal data only for the period specified in relevant legislation or required for the purpose of processing. Therefore, the Foundation first determines whether there is a timeframe specified in the legislation for retaining personal data, complying with the time limit if there is one, or retaining the personal data for a set amount of time as required for the purpose of processing if not. At the end of this time period or when the reasons for data processing are no longer deemed valid, if there are no legal grounds to continue retaining the data, the Foundation shall delete, destroy or anonymize the personal data in accordance with the principles specified herein.


8. CONDITIONS FOR PROCESSING EMPLOYEE PERSONAL DATA

Explicit consent of the personal data subject is one of the several legal bases that allow for the processing of personal data in accordance with the law. Apart from explicit consent, personal data may also be processed under one of the following conditions.

The personal data may be processed based on one or several of the reasons specified below. In case the processed data falls within the scope of sensitive personal data, the provisions of the section “Conditions for Processing Sensitive Personal Data” shall also apply.

The Foundation communicates to its employees which personal data is processed, purposes and reasons for processing personal data, where the personal data is collected from, with whom the personal data will be shared, and how it will be used.

8.1. Processing of Data Is Expressly Provided for In the Law
In case the processing of personal data is expressly provided for in the law, the Foundation may process the personal data without having to obtain the explicit consent of the employee.

8.2. Obtaining Explicit Consent is Not Possible
When an employee is unable to give consent or when their consent is not deemed legally valid, the personal data of said employee may be processed without explicit consent if it is necessary to do so in order to protect the life or physical health of the employee or any other person.

8.3. Processing of Data is Directly Related to the Establishment or Performance of the Contract
Personal data of the parties to a contract may be processed on condition that it is directly related to the establishment or performance of the contract.

8.4. Processing of Data is Necessary for Compliance with A Legal Obligation
Personal data may be processed without explicit consent when it is necessary to do so in order to fulfill the legal obligations of the data controller.

8.5. Personal Data Has Been Made Public by the Employee
The personal data of an employee may be processed without explicit consent if the data has been made public by the employee in question.

8.6. Processing of Data is Mandatory for the Establishment, Exercise, or Protection of a Right
Personal data may be processed without explicit consent when it is mandatory for the establishment, exercise, or protection of a right.

8.7. Processing of Data is Necessary Based on Legitimate Interest
Personal data may be processed without explicit consent for the legitimate interests pursued by the Foundation, provided that such processing does not violate the fundamental rights and liberties of the employee.

8.8. Processing Employee Personal Data with Explicit Consent
In cases where employee personal data may not be processed based on any of the conditions specified in articles 8.1 - 8.7 above, the personal data may only be processed with explicit consent.


9. CONDITIONS FOR PROCESSING SENSITIVE PERSONAL DATA

Certain personal data is classified as “sensitive personal data” and therefore is subject to stronger protection.

9.1. Processing Sensitive Personal Data with Explicit Consent
Sensitive personal data may be processed with the explicit consent of the employee, in accordance with the principles set out in this policy, and by taking necessary administrative and technical measures. Processed sensitive personal data shall be made accessible to duly authorized personnel only.

9.2. Processing Sensitive Personal Data without Explicit Consent
In case no explicit consent is given by the employee, sensitive personal data may only be processed under the following conditions and by taking adequate measures as specified by the Personal Data Protection Board ("Board"):
(i) Sensitive personal data, with the exception of data on health and sex life, may be processed as stipulated by the law,
(ii) Sensitive personal data on health and sex life may only be processed by persons, authorized bodies and organizations bound by confidentiality, and for the exclusive purposes of protecting public health, offering preventive medicine, providing medical diagnosis, treatment and care, or planning and managing healthcare services.


10. NOTIFYING AND INFORMING EMPLOYEES

Personal data subjects shall be informed by the Foundation during the collection of their personal data. The Foundation shall communicate to them the identity of the Foundation representative, if applicable, the purpose for processing the personal data, to whom and for what purpose the processed personal data may be transferred, how personal data is collected, and the employee’s rights in this context.

The Foundation shall respond in writing to employee inquiries about personal data.


11. CATEGORIZATION OF PERSONAL DATA

The following categories of employee personal data are processed by the Foundation under this policy.

PERSONAL DATA CATEGORIES
Identity Information: Any information contained in documents such as Driver's License, Identity Card, Certificate of Residence, Passport, Attorney's ID, Marriage Certificate, etc., which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Contact Information: Any information such as phone number, address, e-mail, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Location Data: The data collected to identify the location of Foundation vehicles and equipment that are in use by Foundation employees or the employees of partner companies, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Family Members and Relatives Information: Any information about the family members and relatives of the data subject processed to protect the legal interests of the Foundation and the data subject, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Physical Security Information: Any information in records and logs showing access times and stay durations for physical spaces, which can be readily associated with an identified or identifiable natural person and available in the data recording system.
Transaction Security Information: Personal data processed in order to ensure the technical, administrative, legal and commercial security of the Foundation and its employees, which can be readily associated with an identified or identifiable natural person and available in the data recording system.
Financial Information: Any information, documents and records of financial results based on the type of the legal relationship between the Foundation and the data subject, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Employee Personal Information: Any personal data processed to form a basis of the employee personal rights for Foundation employees or other natural persons who are in a business relationship with the Foundation, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Candidate Information: Any processed personal data belonging to persons who have applied for a job at the Foundation or evaluated for a job to meet the human resources needs of the Foundation in accordance with commercial practices and principles of good faith, or persons who are in a business relationship with the Foundation, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Employee Transaction Information: Any personal data processed in relation with the business transactions of Foundation employees or other natural persons who are in a business relationship with the Foundation, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Employee Performance and Career Development Information: Any personal data processed for the purposes of measuring the performance of employees or other natural persons who are in a business relationship with our Foundation, or planning and executing their career development in line with the Foundation’s human resources policy, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Employee Benefits Information: Any personal data processed to plan the employee benefits offered to employees or other natural persons who are in a business relationship with our Foundation, select objective criteria for entitlement to such benefits, and monitor their provision, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Legal Action and Compliance Information: Any personal data processed for the purposes of identifying and following up on the Foundation’s legal receivables and rights, fulfilling its obligations, and ensuring compliance with statutory requirements and internal policies, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Audit and Inspection Information: Any personal data processed within the context of the Foundation’s legal obligations and compliance with internal policies, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Sensitive Personal Data: Any data that falls within the scope of Article 6 of the Law No. 6698, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.
Request/Complaint Management Information: Any personal data related to the receipt and evaluation of requests and complaints made to the Foundation, which can be readily associated with an identified or identifiable natural person and processed either in part or in full by an automated system or manually through a data recording system.


12. PURPOSE OF PROCESSING PERSONAL DATA

12.1. Processing Conditions
Processing of personal data is limited to the following conditions:

• When it is expressly provided for in the law,
• When it is directly related to the establishment or performance of a contract with the Foundation,
• When it is necessary to fulfill a legal obligation for the Foundation,
• When it is made public by the employee, and is processed in a limited manner based on the original purpose of disclosure,
• When it is mandatory for the establishment, exercise, or protection of the rights of the Foundation, employees or third parties,
• When it is essential for the legitimate interests pursued by the Foundation, provided that such processing does not violate the fundamental rights and liberties of the employees,
• When it is necessary to protect the life or physical health of the employee or any other person, and the data subject in question is unable to give consent or their consent is not deemed legally valid,
• In addition to the above, when it is necessary for the proper operation of Foundation processes, with explicit consent of the employee.

In the absence of the above conditions, the Foundation shall seek the explicit consent of the data subject in order to process their personal data.

12.2. Processing Purposes
The Foundation processes personal data for the following, non-exhaustive list of purposes:

• To implement the Foundation's human resources policies, including but not limited to promotions and assignments, employee health and human resources operations, managing and reporting shift/working hours, human resources planning and statistics, employee training, benefits planning, internal communication and performance recognition, expat/overseas assignment management,
• To ensure the legal and commercial security of the Foundation and its business partners, including but not limited to business partner, customer and supplier (and executives and employees thereof) evaluation processes, legal and commercial risk analyses, communications-related administrative operations and legal compliance processes,
• To determine and implement the commercial and business strategies of the Foundation, and planning of reports for public disclosure.

A significant portion of the activities carried out by the Foundation within the context of the above purposes do not require the explicit consent of the data subject, as specified in articles 5.2 and 6.3 of the law. For other activities and processes that do not fall within the scope of the aforementioned articles of the law, the Foundation seeks the explicit consent of the data subject. It should be noted that the Foundation may process the data for which consent is granted for other purposes that do not require explicit consent as provided for in the law.

Refusal to grant explicit consent should not be construed to mean that no personal data processing will be carried out; in this case, personal data processing shall be limited to the purposes specified in Article 7.1 that do not require explicit consent.


13. SPECIAL CONDITIONS REGARDING PERSONAL DATA PROCESSING

This section defines and explains special conditions within the context of personal data processing.

13.1. Processing of Personal Data for Employee Benefits Such as Private Health Insurance and Private Pension
Private health insurance, private pension and other benefits fall under the scope of additional and side benefits offered to employees.

13.2. Processing of Personal Data for the Purpose of Providing Employee Benefits
Personal data collected by third party companies to whom employee benefits (health insurance, private pension, etc.) are outsourced, or personal data obtained from employees of these companies shall not be used in the context of the general business relationship. Necessary measures shall be taken and revised accordingly.
The Foundation’s participation in Private Health Insurance and Private Pension procedures is limited to policy creation (application), collection and payment. Other individual transactions shall be handled by the call center of the relevant company, and the personal data protection policy thereof shall apply.

13.3. Processing of Personal Data Required for Employee Benefits
Employee data shared with companies to whom employee benefits are outsourced shall be limited to the minimum amount required for the provision of the employee benefit. Furthermore, necessary measures shall be taken to prevent the personal data shared from being processed by said companies for other purposes. In case the personal data falls within the scope of sensitive personal data, additional measures applicable to sensitive personal data shall be taken.

13.4. Processing of Personal Data to Ensure Equal Opportunity
Employee personal data may be processed in a limited manner as necessary to ensure equal opportunity and prevent discrimination on the basis of race, ethnicity, religion, sect, disability, or sexual orientation.

Anonymous data on Foundation employees is the primary source to be used for equal opportunity purposes. Personal data may be processed in case anonymous data is not sufficient.

13.5. Processing of Personal Data to Fight Corruption
Personal data sets within various departments may be compared in order to prevent unlawful transactions within the Foundation. Accordingly, employee transactions, especially financial transactions, may be verified, with investigations and comparisons thereof using personal data sets kept by various departments.

In the event that preliminary investigations reveal the possibility of a gross irregularity, the personal data in question may be investigated by a third party specializing in the subject.

13.6. Processing of Personal Data for References
The Foundation may give references to employees for employment or training purposes among others. The reference shall be given by the department manager or sub-managers of the employee. The decision to give a reference to an employer is left to the manager’s discretion.

If a reference is given, it may include information such as the employee's work performance, competencies and experience, and other job-related qualifications. The reference may also include any information deemed appropriate by the reference-provider and for which the employee has given explicit consent, and other information requested by the recipient of the reference.

13.7. Processing of Personal Data in Transactions That Affect the Foundation's Organization
Any personal data shared during the course of transactions that affect the Foundation’s organization is anonymized as much as possible. For personal data that is shared for this purpose and cannot be anonymized, the following assurances shall be obtained from the recipient of the personal data:
• Personal data may only be used within the context of the transaction,
• Confidentiality rules shall apply,
• No personal data may be shared with third parties unless there is a separate legal obligation to do so.

13.8. Processing of Personal Data in Disciplinary Investigations
Disciplinary investigations on employees may only utilize the bare minimum amount of personal data as necessitated by the investigation. Adequate effort shall be made to ensure that such data is accurate and up-to-date, so as not to hamper the effectiveness of the investigation.


14. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

Personal data and sensitive personal data may be transferred to third parties (natural or legal persons, group companies) by taking necessary security measures in line with the purpose of processing.

14.1. Transfer of Personal Data
Personal data may be transferred to third parties for data processing under the conditions specified in Article 12.1 above.

14.2. Transfer of Sensitive Personal Data
Sensitive personal data of employees may be transferred to third parties:
• With the explicit consent of the employee,
• If no explicit consent is given;
- For sensitive personal data with the exception of data on health and sex life (race, ethnicity, political or philosophical views, religious beliefs, clothing, association, foundation or trade union membership, criminal record, and biometric and genetic information), as stipulated by the law,
- For sensitive personal data on health and sex life, only to persons, authorized bodies and organizations bound by confidentiality, and for the exclusive purposes of protecting public health, offering preventive medicine, providing medical diagnosis, treatment and care, or planning and managing healthcare services.

14.3. Third Persons to whom Personal Data is Transferred and Purposes of Transferring
Personal data may be transferred to the following:
(i) Business partners of the Foundation,
(ii) Suppliers of the Foundation,
(iii) Affiliates of the Foundation,
(iv) Founders of the Foundation,
(v) Duly authorized public agencies and organizations,
(vi) Duly authorized private law practitioners.

Details about the recipients of the personal data and purposes of data transfer are given below.
Data Recipients and Data Transfer Purposes
Business Partners: Third parties with whom the Foundation establishes business partnerships for purposes such as sales, promotion and marketing of the Foundation's products and services, after-sales support, and joint customer loyalty programs. Transfer of data to business partners is limited to the objective of the business partnership.
Suppliers: Third parties that provide services to the Foundation on a contractual basis in accordance with the Foundation's orders and instructions. Transfer of data to suppliers is limited to the fulfillment of the services outsourced by the Foundation from the supplier.
Founders: Individuals authorized under relevant legislation to develop strategies and audit activities related to the Foundation's activities. Transfer of data to founders is limited to the development of strategies and audit activities.
Duly Authorized Public Agencies and Organizations: Public agencies and organizations authorized to request information and documentation from the Foundation under relevant legislation. Transfer of data to public agencies and organizations is limited to the purpose for which the request is made.
Duly Authorized Private Law Practitioners: Private law practitioners authorized to request information and documentation from the Foundation under relevant legislation. Transfer of data to duly authorized private law practitioners is limited to the purpose for which the request is made.


15. TRANSFER OF PERSONAL DATA ABROAD

Personal data may be transferred abroad to third parties residing in foreign countries deemed by the Board to offer adequate protection, or in case adequate protection is not available, upon a commitment for adequate protection given in writing by the data controllers in Turkey and in the relevant foreign country, and with the authorization of the Board.

15.1. Transfer of Personal Data Abroad
Personal data may be transferred abroad for data processing under the conditions specified in Article 12.1 above.

15.2. Transfer of Sensitive Personal Data Abroad
Sensitive personal data of employees may be transferred abroad:
• With the explicit consent of the employee,
• If no explicit consent is given;
- For sensitive personal data with the exception of data on health and sex life (race, ethnicity, political or philosophical views, religious beliefs, clothing, association, foundation or trade union membership, criminal record, and biometric and genetic information), as stipulated by the law,
- For sensitive personal data on health and sex life, only to persons, authorized bodies and organizations bound by confidentiality, and for the exclusive purposes of protecting public health, offering preventive medicine, providing medical diagnosis, treatment and care, or planning and managing healthcare services.


16. PERSONAL DATA STORAGE PERIOD

Personal data is retained in accordance with statutory obligations, as well as the purposes of processing. When the reasons for data processing are no longer deemed valid, and if there are no legal grounds to continue retaining the data, the personal data shall be deleted, destroyed or anonymized by notifying the data subject.

At the end of the retention period, personal data shall be destroyed in accordance with the principles of this Policy and in six-month periods. All operations concerning the deletion, destruction and anonymization of personal data are recorded, and such records are kept for a period of three years or more, based on other legal obligations.

Any requests by the data subject shall be addressed and the data subject shall be notified by the data controller within 30 days.

When the purpose of processing personal data is no longer applicable and the retention period specified by the relevant law and the Foundation is over, personal data may only be stored as evidence for potential legal disputes, or to claim or defend a right concerning the personal data. The timeframes specified here are determined based on the statute of limitations for such rights, as well as past examples of claims made to the Foundation after the statute of limitations period. Personal data retained for such purpose may not be accessed for any other purpose, and is only accessed for use within the context of a legal dispute as noted above, after which the data shall be deleted, destroyed or anonymized as specified. However, if some of the purposes for processing the personal data still apply, the data controller may reject the claim in writing based on Article 13.3 of the law, and notify the relevant party of the rejection in writing or electronically within no more than 30 days.


17. PERSONAL DATA SECURITY

Reasonable measures shall be taken to protect personal data and prevent unauthorized access to, accidental loss of, or deliberate deletion of or damage to the personal data.

All necessary technical and physical measures shall be taken to prevent unauthorized access to personal data. The authorization system to be used for such purpose shall be designed in a manner to prevent users from accessing more personal data than necessary. Sensitive personal data such as medical history shall be protected by stricter measures compared to other forms of personal data.

Authorized users shall go through security checks before accessing the data. These individuals shall also be given training explaining their duties and responsibilities.

Personal data access logs shall be kept to the extent that it is technically possible, and reviewed on a regular basis. Any unauthorized access shall result in an investigation.

Any e-mails or documents containing employee personal data not related to the Foundation shall be flagged for destruction. If the necessary actions are not taken within the specified period, these files or documents shall be destroyed by the Foundation. The Foundation may not be held responsible for the unauthorized use or transfer of such data by third parties.

Foundation employees who process personal data are required to comply with the following rules to ensure data security:
• Acting in accordance with the law and the principles of good faith with respect to the protection of personal data,
• Processing personal data in a full, accurate and complete manner,
• Updating outdated personal data as necessary,
• Reporting any unlawful data processing to the relevant manager,
• Offering necessary guidance to facilitate the exercise of legal rights regarding personal data.


18. PROCESSING PERSONAL DATA RELATED TO EMPLOYEE ELECTRONIC BUSINESS COMMUNICATIONS

Transactions carried out by employees during their business activities may be significant for the security of the Foundation, its customers, its employees and other third parties. In case the personal data related to employee electronic communications is processed, such processing shall comply with the provisions of this Policy.

18.1. Special Rules Regarding Electronic Communications
Any complaint or disciplinary action filed against an employee based on personal data obtained through electronic communications is subject to the personal data protection and processing rules specified in the law and this Policy. Employees who act in violation of the Policy to process personal data unlawfully, or use data obtained in this manner for other purposes, may be subject to disciplinary action.

18.2. Processing of Personal Data Related to Electronic Communication Devices
Employee personal data related to electronic communication devices allocated by the Foundation, such as mobile phones, laptops, tablets, etc., is subject to data processing. Any sensitive personal data obtained in this manner is subject to the provisions on sensitive personal data processing. Personal data obtained from the use of electronic communication devices is also subject to the other provisions of this Policy as applicable.

18.3. Processing of Personal Data Related to Phone Calls
Care shall be taken to ensure that personal data related to communications made using Foundation-assigned phones, telephone numbers called and call durations is only used for the purposes for which it is processed. Any sensitive personal data obtained in this manner is subject to the provisions on sensitive personal data processing.

18.4. Processing of Personal Data Related to Corporate E-mails
Personal data obtained through employee corporate e-mail accounts may be processed in accordance with the legislation and the provisions of this Policy.

18.5. Processing of Personal Data Related to Internet Usage
In case personal data is obtained from the internet usage of employees in line with the legislative provisions, said data is also subject to the other provisions of this Policy as applicable.

18.6. Processing of Personal Data Related to Security Cameras
In case any personal data is obtained from security cameras or other recordings at the workplace, such data may be processed for purposes of investigating a suspicious action, resolving a dispute or as evidence in case of a complaint, or for other purposes as specified in this Policy.

18.7. Processing of Personal Data Related to Foundation Vehicles
Processing of personal data obtained from Foundation-assigned vehicles is subject to the provisions of this Policy.

18.8. Processing of Information Provided by Third Parties
In certain cases, information about employees may be requested from third parties, such as banks, credit rating agencies and other research companies. In such cases, any personal data obtained is subject to the provisions of this Policy.


19. SPECIAL RULES REGARDING THE COLLECTION AND PROCESSING OF EMPLOYEE HEALTH DATA

19.1. Storage of Health Data and Employees Authorized to Process Health Data
Health data is stored separately from other types of personal data, to the extent that Foundation capabilities allow, in order to increase security and to protect such data from unauthorized access. The Foundation endeavors to process health data in the most limited manner possible. In cases where health data is to be processed, any employees authorized to process such information are made aware of the sensitivity of the data so that the necessary measures can be taken.

19.2. Health Data as Sensitive Personal Data
Employee health data is regarded as sensitive personal data, and is subject to all security measures that apply to sensitive personal data.

19.3. Access to Health Data
Employee health data is accessed only when necessary and by authorized personnel. Health data may also be disclosed to managers in a limited manner to enable them to carry out their managerial duties.

19.4. Alcohol and Drug Tests
In the event of a material breach or risk of a material breach concerning the employment contract, working conditions or disciplinary rules due to the use of drugs or alcohol, employees may be asked to take alcohol or drug tests within the scope of the legislation.


20. EMPLOYEE LEGAL RIGHTS AND EXERCISING LEGAL RIGHTS

20.1. Legal Rights Regarding Personal Data
With respect to their personal data, employees are entitled to:
a. Inquire about whether their personal data has been processed,
b. If their personal data has been processed, request information on the processing,
c. Learn the purpose of processing of the personal data and whether their data is used in accordance with the specified purpose,
d. Request information on domestic and foreign third parties with whom their data has been shared,
e. Request correction in case the personal data processed is inaccurate or incomplete,
f. Request deletion or destruction of personal data under the conditions stipulated in applicable legislation,
g. Request that the actions taken within the framework of paragraphs (d) and (e) be notified to the third parties to whom the personal data is transferred,
h. Object to any result that is to their detriment as a result of an exclusively automated analysis of their personal data,
i. Claim compensation for the damages they might have suffered in the event their personal data is processed in an unlawful manner.

20.2. Exercising Legal Rights Pertaining to Personal Data
Employees may exercise their legal rights pertaining to personal data by using the “Data Subject Application Form to Data Controller”. Such applications are addressed no later than 30 days from the receipt of the application.

Detailed information on how to exercise legal rights is given in the Foundation’s Personal Data Protection and Processing Policy section titled “Right of Data Subjects, Methodology for Exercising Said Rights”.


21. RELATIONSHIP BETWEEN THE FOUNDATION'S PERSONAL DATA PROTECTION AND PROCESSING POLICY AND OTHER POLICIES

Any existing or future core policies, procedures and instructions concerning the protection and processing of personal data are regarded as connected to this Policy. Any new policies, procedures and instructions shall also be interconnected with other core policies of the Foundation to ensure harmonization of processes.


22. GOVERNANCE OF FOUNDATION'S PERSONAL DATA PROTECTION AND PROCESSING POLICY

The Foundation has a “Personal Data Protection Committee” chaired by the CTO to manage this Policy and other related policies, procedures and instructions. The duties and responsibilities of this committee are explained in detail in the Foundation's Personal Data Protection and Processing Policy.


23. PERSONAL DATA PROTECTION POLICY COMPLIANCE AUDITS

The Personal Data Protection Audit Team, which will be formed by Kıraça Holding, shall prepare an audit schedule on an annual basis to evaluate compliance of the Group Companies with the provisions of the Policy. The audits will evaluate whether:
• Statutory requirements such as Information Documents, Application Forms, Approval Forms are fulfilled,
• Data processing and access authorizations are accurate, and
• New data fields are created.
The PDPL Audit Team comprises members from various departments of Kıraça Holding, including Legal Advisory and Human Resources.


24. ANNEX-1 DEFINITIONS

Explicit Consent: Freely given, specific and informed consent.
Anonymization: Irrevocable alteration to personal data that eliminates the personal nature of the data, such as masking, aggregation, etc. that prevents the data from being associated with any natural person.
Data Subject: A natural person whose personal data is processed, such as customers and employees.
Personal Data: Any information relating to an identified or identifiable natural person, such as full name, identity number, email, address, date of birth, credit card number, etc. Information on legal persons does not fall under the scope of the law.
Sensitive Personal Data: Data on race, ethnicity, political or philosophical views, religious beliefs, clothing, association, foundation or trade union membership, health, sex life, criminal record, and biometric and genetic information.
Processing of Personal Data: Any operation performed on personal data, wholly or partially by automated means or non-automated means as part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization, such as the cloud computing firm that retains the data of [COMPANY], pollsters that administer customer polls, call center firm that makes scripted calls.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.


SUNA AND İNAN KIRAÇ FOUNDATION PERSONAL DATA PROCESSING CLARIFICATION TEXT

a) Data Controller and Representative
As per the Personal Data Protection Law No. 6698 (“Law No. 6698”), Suna and İnan Kıraç Foundation, acting in the capacity of data controller, may process your personal data for the following purposes.

b) Personal Data Processing Purposes
Your personal data shall be processed for the original purpose of your disclosure in line with the purposes of the employment contract, for maintaining and improving an effective human resource management, fulfilling contractual obligations, evaluating employee performance, ensuring and improving occupational safety, and to implement the human resources policies of the Suna and İnan Kıraç Foundation, ensure the legal and commercial security of the Suna and İnan Kıraç Foundation and its business partners, and to determine and implement the commercial and business strategies of the Suna and İnan Kıraç Foundation, in accordance with the conditions and purposes specified in Articles 5 and 6 of the Law No. 6698.

Detailed information on the processing purposes of your personal data by the Suna and İnan Kıraç Foundation is provided in the Suna and İnan Kıraç Foundation Employee Personal Data Protection and Processing Policy, which is available at peramuzesi.org.tr, iae.org.tr, and sunaveinankiracvakfi.org.tr.

c) Personal Data Recipients and Transfer Purposes
Your collected personal data may be transferred to the business partners, shareholders and affiliates of the Suna and İnan Kıraç Foundation, duly authorized public agencies and private individuals and your trade union, for the purposes of the employment contract, for maintaining and improving an effective human resource management, fulfilling contractual obligations, evaluating employee performance, ensuring and improving occupational safety, and to ensure the legal and commercial security of the Suna and İnan Kıraç Foundation and its business partners, and to determine and implement the commercial and business strategies of the Suna and İnan Kıraç Foundation, in accordance with the terms, conditions and purposes specified in Articles 8 and 9 of the Law No. 6698 and as specified in the Suna and İnan Kıraç Foundation Employee Personal Data Protection and Processing Policy, which is available at peramuzesi.org.tr, iae.org.tr, and sunaveinankiracvakfi.org.tr.

ç) Method and Legal Basis for the Collection of Personal Data
Suna and İnan Kıraç Foundation collects your personal data via different channels based on several legal reasons in order to implement and execute the Foundation’s Human Resources operations. Accordingly, your personal data is collected physically and electronically during the establishment and implementation of your employment contract for the purposes of the Labor Law, Occupational Health and Safety Law and the Code of Obligations as well as the purposes of your employment contract, for maintaining and improving an effective human resource management, fulfilling contractual obligations, evaluating employee performance, ensuring and improving occupational safety, and for managing the Foundation’s commercial activities and operational processes. Personal data collected in this manner may be processed or transferred in accordance with the conditions and purposes specified in Articles 5 and 6 of the Law No. 6698, and the purposes specified in paragraphs (b) and (c) of this Clarification Text.

d) Rights of the Data Subject under Article 11 of the Law No. 6698
As the data subject of the personal data, you may submit any requests pertaining to your rights to the Suna and İnan Kıraç Foundation in line with the methods specified in the Suna and İnan Kıraç Foundation Employee Personal Data Protection and Processing Policy available at peramuzesi.org.tr, peramuseum.org, iae.org.tr and sunaveinankiracvakfi.org.tr and in accordance with the Communique on Data Controller Application Principles and Procedures. Your application shall be evaluated and finalized free of charge within no more than 30 days, depending on the nature of the request. In case the request necessitates an additional cost, the Suna and İnan Kıraç Foundation may charge a fee as specified in the tariff determined by the Personal Data Protection Board. As data subject, you are entitled to:
• Inquire about whether your personal data has been processed,
• If your personal data has been processed, request information on the processing,
• Learn the purpose of processing of your personal data and whether your data is used in accordance with the specified purpose,
• Request information on domestic and foreign third parties with whom your data has been shared,
• Request correction in case the personal data processed is inaccurate or incomplete, and that the action taken in this context be notified to the third parties to whom the personal data is transferred,
• Request deletion or destruction of personal data that is lawfully processed under the Law No. 6698 and other applicable legislation in case the reason for processing is no longer applicable, and that the action taken in this context be notified to the third parties to whom the personal data is transferred,
• Object to any result that is to your detriment as a result of an exclusively automated analysis of your personal data,
• Claim compensation for the damages you might have suffered in the event your personal data is processed in an unlawful manner.