Personal Data Protection Law
LAW ON THE PROTECTION OF PERSONAL DATA
Law Number: 6698
Acceptance Date: 24/3/2016
Published in the Official Gazette: Date: 7/4/2016
Published in the Official Gazette: Series: 5
Number: 29677
Volume: 57
CHAPTER ONE
Purpose, Scope and Definitions
Aim
ARTICLE 1 - (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, primarily the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons processing personal data and the procedures and principles they must comply with.
Scope
ARTICLE 2 - (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process such data wholly or partly automatically or non-automatically, provided that it is part of any data recording system.
Definitions
ARTICLE 3 - (1) In the implementation of this Law;
- a) Explicit consent: Consent given freely and based on informed knowledge regarding a specific matter,
- b) Anonymization: The process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data,
- c) President: The President of the Personal Data Protection Authority,
- ç) Data subject: The natural person whose personal data is processed,
- d) Personal data: Any information relating to an identified or identifiable natural person,
- e) Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system,
- f) Board: The Personal Data Protection Board,
- g) Institution: The Personal Data Protection Authority,
- ğ) Data processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
- h) Data recording system: A recording system in which personal data is processed by structuring it according to specific criteria,
- ı) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
CHAPTER TWO
Processing of Personal Data
General principles
ARTICLE 4 - (1) Personal data may only be processed in accordance with the procedures and principles stipulated in this Law and other laws.
(2) The following principles must be complied with in the processing of personal data:
- a) Compliance with the law and the principles of honesty.
- b) Being accurate and, when necessary, up to date.
- c) Being processed for specific, explicit and legitimate purposes.
- ç) Being relevant, limited and proportionate to the purpose for which they are processed.
- d) Being retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they were processed.
Conditions for processing personal data
ARTICLE 5 - (1) Personal data cannot be processed without the explicit consent of the data subject.
(2) In the presence of one of the following conditions, it is possible to process personal data without the explicit consent of the data subject:
- a) It is explicitly provided for in the laws.
- b) It is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, or for the protection of the life or physical integrity of another person.
- c) The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- ç) It is necessary for the data controller to fulfill its legal obligations.
- d) The data has been made public by the data subject themselves.
- e) Data processing is necessary for the establishment, exercise, or protection of a right.
- f) The processing of data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for processing special categories of personal data
ARTICLE 6 - (1) Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special categories of personal data.
(2) Processing of special categories of personal data without the explicit consent of the data subject is prohibited.
(3) Personal data other than health and sexual life data listed in the first paragraph may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life may be processed without the explicit consent of the data subject only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
(4) In processing special categories of personal data, it is also required that adequate measures determined by the Board be taken.
Deletion, destruction, or anonymization of personal data
ARTICLE 7 - (1) Personal data shall be deleted, destroyed or anonymized by the data controller, either automatically or upon the request of the data subject, if the reasons requiring their processing cease to exist, even though they have been processed in accordance with this Law and other relevant laws.
(2) The provisions contained in other laws regarding the deletion, destruction or anonymization of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by regulation.
Transfer of personal data
ARTICLE 8 - (1) Personal data cannot be transferred without the explicit consent of the data subject.
(2) Personal data may be transferred without the explicit consent of the data subject if one of the conditions specified in the following is met;
- a) The second paragraph of Article 5,
- b) The third paragraph of Article 6, provided that adequate measures are taken.
(3) The provisions contained in other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9 - (1) Personal data cannot be transferred abroad without the explicit consent of the data subject.
(2) Personal data may be transferred abroad without the explicit consent of the data subject, provided that one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 exists and that, in the foreign country to which the personal data will be transferred;
- a) Adequate protection is available,
- b) Where adequate protection is not available, the data controllers in Türkiye and the relevant foreign country provide a written guarantee of adequate protection and the permission of the Board is obtained.
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board shall decide whether adequate protection exists in the foreign country and whether permission should be granted in accordance with subparagraph (b) of the second paragraph by evaluating the following and, if necessary, by obtaining the opinions of the relevant institutions and organizations;
- a) International agreements to which Türkiye is a party,
- b) The reciprocity status regarding data transfer between the country requesting personal data and Türkiye,
- c) For each specific transfer of personal data, the nature of the personal data and the purpose and duration of its processing,
- ç) The relevant legislation and practices of the country to which the personal data will be transferred,
- d) The measures undertaken by the data controller in the country to which the personal data will be transferred.
(5) Personal data may be transferred abroad only with the permission of the Board, after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Türkiye or the data subject would be seriously harmed, subject to the provisions of international agreements.
(6) The provisions contained in other laws regarding the transfer of personal data abroad are reserved.
CHAPTER THREE
Rights and Obligations
Data controller's obligation to inform
ARTICLE 10 - (1) During the collection of personal data, the data controller or the person authorized by it is obliged to inform the data subjects about;
- a) The identity of the data controller and, if applicable, their representative,
- b) The purpose for which personal data will be processed,
- c) To whom and for what purpose the processed personal data may be transferred,
- ç) The method and legal basis for collecting personal data,
- d) The other rights listed in Article 11.
Rights of the data subject
ARTICLE 11 - (1) Everyone may apply to the data controller regarding the following;
- a) Finding out whether personal data is being processed,
- b) Requesting information regarding the processing of personal data,
- c) Learning the purpose of processing personal data and whether it is being used appropriately for that purpose,
- ç) Knowing the third parties to whom personal data is transferred, whether domestically or internationally,
- d) Requesting the correction of personal data if it has been processed incompletely or incorrectly,
- e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
- f) Requesting that the actions taken pursuant to clauses (d) and (e) be notified to third parties to whom personal data has been transferred,
- g) Objecting to a result that is detrimental to the individual, arising solely from the analysis of processed data by automated systems,
- ğ) Claiming compensation for damages incurred as a result of the unlawful processing of their personal data.
Obligations regarding data security
ARTICLE 12 - (1) The data controller must take all necessary technical and administrative measures to provide an appropriate level of security in order to;
- a) Prevent the unlawful processing of personal data,
- b) Prevent unlawful access to personal data,
- c) Ensure the preservation of personal data.
(2) If personal data is processed on behalf of the data controller by another natural or legal person, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.
(3) The data controller is obliged to conduct or have conducted the necessary audits in its own institution or organization to ensure the implementation of the provisions of this Law.
(4) Data controllers and data processors cannot disclose personal data they have learned to others in violation of the provisions of this Law and cannot use it for purposes other than the processing purpose. This obligation continues even after they leave their positions.
(5) If personal data processed is obtained by others through unlawful means, the data controller shall notify the data subject and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.
CHAPTER FOUR
Application, Complaint and Data Controllers Registry
Application to the data controller
ARTICLE 13 - (1) The data subject shall submit their requests regarding the implementation of this Law to the data controller in writing or by other methods determined by the Board.
(2) The data controller shall process the requests included in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires additional costs, the fee specified in the tariff determined by the Board may be charged.
(3) The data controller shall accept or reject the request, explaining the reason, and shall notify the relevant person of its response in writing or electronically. If the request in the application is accepted, the data controller shall take the necessary action. If the application is due to an error on the part of the data controller, the fee received shall be refunded to the relevant person.
Complaint to the board
ARTICLE 14 - (1) In cases where the application is rejected, the answer given is deemed insufficient, or no response is given to the application within the prescribed time limit, the data subject may file a complaint with the Board within thirty days from the date on which he/she learns of the data controller's answer, and in any case within sixty days from the date of the application.
(2) No complaint may be filed without exhausting the application procedure in accordance with Article 13.
(3) Those whose personal rights have been violated have the right to compensation in accordance with general provisions.
Procedures and principles for investigations, whether initiated upon complaint or ex officio
ARTICLE 15 - (1) The Board shall conduct the necessary investigation on matters within its scope of duty, upon complaint or upon learning of an alleged violation.
(2) Notifications or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 on the Use of the Right to Petition, dated 1/11/1984, will not be examined.
(3) Except for information and documents that are classified as state secrets, the data controller is obliged to send the information and documents requested by the Board regarding the subject of the investigation within fifteen days and to allow on-site inspections if necessary.
(4) Upon receiving a complaint, the Board examines the request and gives a response to the relevant parties. If no response is given within sixty days from the date of the complaint, the request is deemed rejected.
(5) If, as a result of an investigation conducted upon complaint or ex officio, it is determined that a violation has occurred, the Board decides that the data controller must remedy the detected illegalities and notifies the relevant parties. This decision must be implemented without delay and within thirty days at the latest from the date of notification.
(6) If, as a result of an investigation conducted upon complaint or ex officio, it is determined that the violation is widespread, the Board shall take a principle decision on this matter and publish it. Before taking a principle decision, the Board may also obtain the opinions of the relevant institutions and organizations if it deems necessary.
(7) The Board may decide to stop the processing of data or the transfer of data abroad in cases where there is a risk of damage that is difficult or impossible to remedy and there is a clear illegality.
Data Controllers Registry
ARTICLE 16 - (1) A Data Controllers Registry is kept publicly by the Presidency under the supervision of the Board.
(2) Natural and legal persons processing personal data are required to register with the Data Controllers Registry before starting data processing. However, exceptions to the obligation to register with the Data Controllers Registry may be made by the Board, taking into account objective criteria to be determined by the Board, such as the nature and number of personal data processed, whether the data processing is based on law or whether it is transferred to third parties.
(3) The application for registration to the Data Controllers Registry is made with a notification containing the following:
- a) Identity and address information of the data controller and, if applicable, their representative.
- b) The purpose for which personal data will be processed.
- c) Descriptions of the data subject group(s) and the data categories belonging to these individuals.
- ç) The recipient or groups of recipients to whom personal data may be transferred.
- d) Personal data intended to be transferred to foreign countries.
- e) Measures taken regarding personal data security.
- f) The maximum period for which personal data are necessary for the purpose for which they are processed.
(4) Any changes to the information provided pursuant to the third paragraph shall be immediately reported to the Presidency.
(5) Other procedures and principles regarding the Data Controllers Registry are regulated by regulation.
CHAPTER FIVE
Crimes and Misdemeanors
Crimes
ARTICLE 17 - (1) The provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26/9/2004 shall apply to crimes related to personal data.
(2) Those who do not delete or anonymize personal data in violation of the provisions of Article 7 of this Law shall be punished in accordance with Article 138 of Law No. 5237.
Offenses
ARTICLE 18 - (1) Under this Law;
- a) Those who fail to fulfill the obligation to provide information as stipulated in Article 10 shall be subject to a fine ranging from 5,000 Turkish Lira to 100,000 Turkish Lira,
- b) Those who fail to fulfill the data security obligations stipulated in Article 12 shall be subject to fines ranging from 15,000 Turkish Lira to 1,000,000 Turkish Lira,
- c) Those who fail to comply with the decisions given by the Board pursuant to Article 15 shall be fined between 25,000 Turkish Lira and 1,000,000 Turkish Lira,
- ç) Those who act contrary to the registration and notification obligation to the Data Controllers Registry stipulated in Article 16 shall be subject to an administrative fine ranging from 20,000 Turkish Lira to 1,000,000 Turkish Lira.
(2) The administrative fines stipulated in this article shall be applied to natural persons and private legal entities that are data controllers.
(3) If the acts listed in the first paragraph are committed within public institutions and organizations or professional organizations with the status of public institutions, upon notification by the Board, disciplinary action will be taken against the civil servants and other public officials working in the relevant public institutions and organizations, as well as those working in professional organizations with the status of public institutions, in accordance with the disciplinary provisions, and the result will be reported to the Board.
CHAPTER SIX
Personal Data Protection Authority and Organization
Personal Data Protection Authority
ARTICLE 19 - (1) The Personal Data Protection Authority, which has administrative and financial autonomy and is a public legal entity, has been established to fulfill the duties assigned by this Law.
(2) The institution is affiliated with the minister appointed by the President.
(3) The institution's headquarters are in Ankara.
(4) The institution consists of the Board and the Presidency. The decision-making body of the institution is the Board.
The institution's duties
ARTICLE 20 - (1) The duties of the institution are as follows:
- a) Within its area of responsibility, to monitor developments in practices and legislation, to make evaluations and recommendations, and to conduct or commission research and studies.
- b) To cooperate with public institutions and organizations, civil society organizations, professional associations, or universities on matters within its scope of duty, if deemed necessary.
- c) To monitor and evaluate international developments regarding personal data, to cooperate with international organizations on matters within its scope of duty, and to participate in meetings.
- ç) To submit the annual activity report to the Presidency, the Turkish Grand National Assembly Human Rights Review Committee (…).
- d) To perform other duties assigned by law.
Personal Data Protection Board
ARTICLE 21 - (1) The Board shall perform and exercise its duties and powers granted by this Law and other legislation independently and under its own responsibility. No organ, authority, body or person may give orders or instructions to the Board, or make recommendations or suggestions regarding matters within its scope of duty.
(2) The Board consists of nine members. Five members of the Board are elected by the Grand National Assembly of Türkiye, and four members are elected by the President.
(3) The following conditions are required to become a member of the Board:
- a) Having knowledge and experience in matters within the institution's area of responsibility.
- b) To possess the qualifications specified in subparagraphs (1), (4), (5), (6) and (7) of paragraph (A) of the first clause of article 48 of the Civil Servants Law No. 657 dated 14/7/1965.
- c) Not being a member of any political party.
- ç) Having completed at least four years of undergraduate-level higher education.
- d) (Repealed: 2/7/2018-Decree Law-703/163 art.)
(4) (Repealed: 2/7/2018-Decree Law-703/163 art.)
(5) The Grand National Assembly of Türkiye elects members to the Board in the following manner:
- a) For the election, twice the number of candidates determined in proportion to the number of members of each political party group are nominated, and the members of the Board are elected by the General Assembly of the Turkish Grand National Assembly from among these candidates, based on the number of members allocated to each political party group. However, political party groups cannot hold discussions or make decisions regarding who to vote for in the elections to be held in the Turkish Grand National Assembly.
- b) The election of the Board members shall be held within ten days of the nomination and announcement of the candidates. A combined ballot paper shall be prepared with separate lists for the candidates nominated by political party groups. Votes shall be cast by marking the designated space next to the names of the candidates. Votes exceeding the number of members to be elected to the Board from the quotas determined by the political party groups according to the second paragraph shall be considered invalid.
- c) Provided there is a quorum, the candidates who receive the most votes in the election will be elected, up to the number of vacant seats.
- ç) Two months before the end of a member's term; in the event of a vacancy for any reason, elections shall be held in the same manner within one month of the date of the vacancy, or, if the Grand National Assembly of Türkiye is in recess on the date of the vacancy, within one month of the end of the recess. In these elections, the distribution of vacant memberships among political party groups shall be determined by taking into account the number of members elected from the political party group quotas in the first election and the current proportion of political party groups.
(6) Forty-five days before the end of the term of office of one of the members selected by the President (…), or if the term ends for any reason, the situation is reported to the Presidency (…) by the Institution within fifteen days. New members are elected one month before the end of the term of office of the members. If there is a vacancy in these memberships for any reason before the end of the term of office, the election is held within fifteen days from the notification.
(7) The Board elects the Chairman and the Vice-Chairman from among its members. The Chairman of the Board is also the Chairman of the Institution.
(8) The term of office of the board members is four years. A member whose term has expired may be re-elected. If a member's term of office ends for any reason before the end of their term, the person elected to replace them will complete the remaining term of the member they replaced.
(9) The elected members take an oath before the First Presidency Board of the Court of Cassation, stating, "I swear on my honor and integrity that I will perform my duties in accordance with the Constitution and laws, with complete impartiality, honesty, fairness and justice." The application to the Court of Cassation for the oath is considered an urgent matter.
(10) Unless based on a special law, Board members cannot hold any official or private position other than the performance of their official duties in the Board, cannot be managers in associations, foundations, cooperatives or similar places, cannot engage in trade, cannot engage in freelance professional activities, and cannot act as arbitrators or experts. However, Board members may publish scientific publications, give lectures and conferences, and receive royalties and lecture and conference fees arising from these, provided that it does not interfere with their primary duties.
(11) Investigations into alleged crimes committed by members due to their duties are conducted in accordance with the Law No. 4483 on the Trial of Civil Servants and Other Public Officials dated 2/12/1999, and permission for investigation is granted by the President.
(12) The provisions of Law No. 657 shall apply to the disciplinary investigation and prosecution of the board members.
(13) Board members cannot be dismissed for any reason before their terms expire. However, the membership of Board members shall be terminated by a decision of the Board if;
- a) It is later discovered that they do not meet the requirements for election,
- b) Their conviction for crimes committed in connection with their duties becomes final,
- c) It is definitively determined by a medical board report that they are unable to perform their duties,
- ç) It is determined that they have failed to report for duty, without permission or excuse, for fifteen consecutive days or for a total of thirty days in a year,
- d) It is determined that they have not attended a total of three Board meetings within one month, or a total of ten Board meetings within one year, without permission or justification.
(14) Those elected to the Board shall have their ties with their previous positions severed for the duration of their service on the Board. Those elected to membership while being public officials shall, provided they do not lose their qualifications for entry into public service, be appointed to a position suitable to their qualifications by the appointing authority within one month if their term of office ends or they request to leave their position and apply to their former institution within thirty days. Until the appointment is made, all payments they receive shall continue to be paid by the Institution. For those who are not working in a public institution and are elected to membership and whose term of office ends in the manner specified above, all payments they receive shall continue to be paid by the Institution until they start any job or work, and the payment to be made by the Institution to those whose membership ends in this way cannot exceed three months. The periods they spend in the Institution shall be considered as having been spent in their previous institutions or organizations in terms of their personal and other rights.
The duties and powers of the Board
ARTICLE 22- (1) The duties and powers of the Board are as follows:
- a) To ensure that personal data is processed in a manner consistent with fundamental rights and freedoms.
- b) To decide on complaints from those who claim that their rights regarding personal data have been violated.
- c) Upon receiving a complaint or becoming aware of an alleged violation, to examine whether personal data is being processed in accordance with the law in matters falling within its area of responsibility and to take temporary measures in this regard if necessary.
- ç) To determine the adequate safeguards required for the processing of special categories of personal data.
- d) To ensure the maintenance of the Data Controllers Registry.
- e) To take the necessary regulatory actions regarding the Board's area of responsibility and the functioning of the Institution.
- f) To take regulatory action to define obligations regarding data security.
- g) To take regulatory action regarding the duties, powers, and responsibilities of the data controller and its representative.
- ğ) To decide on the administrative sanctions stipulated in this Law.
- h) To provide opinions on draft legislation prepared by other institutions and organizations that contain provisions relating to personal data.
- ı) To finalize the institution's strategic plan, define its aims and objectives, service quality standards, and performance criteria.
- i) To discuss and approve the budget proposal prepared in accordance with the institution's strategic plan and its aims and objectives.
- j) To approve and publish draft reports prepared on the institution's performance, financial status, annual activities, and other relevant issues.
- k) To discuss and decide on proposals regarding the purchase, sale, and rental of real estate.
- l) To perform other duties assigned by law.
Operating principles of the Board
ARTICLE 23 - (1) The Chairman determines the meeting days and agenda of the Board. The Chairman may call the Board to an extraordinary meeting when necessary.
(2) The Board shall meet with at least six members, including the chairman, and shall take decisions by a simple majority of the total number of members. Board members may not abstain from voting.
(3) Board members cannot participate in meetings and voting on matters concerning themselves, their blood relatives up to the third degree and their in-laws up to the second degree, their adopted children and their spouses even if the marriage bond between them has been dissolved.
(4) Board members cannot disclose the secrets they learn about the relevant parties and third parties during their work to anyone other than the authorities legally authorized in this regard, and cannot use them for their own benefit. This obligation continues even after they leave their posts.
(5) The matters discussed in the Board are recorded in the minutes. The decisions and, if any, the reasons for the dissenting opinions are written within fifteen days at the latest from the date of the decision. The Board announces the decisions it deems necessary to the public.
(6) Unless otherwise decided, the discussions at the Board meetings are confidential.
(7) The working procedures and principles of the Board, the drafting of decisions and other matters are regulated by regulation.
President
ARTICLE 24- (1) The President, in his capacity as the head of the Board and the Institution, is the highest-ranking official of the Institution and organizes, carries out and coordinates the services of the Institution in accordance with the legislation, the aims and policies of the Institution, its strategic plan, performance criteria and service quality standards.
(2) The President is responsible for the general management and representation of the Institution. This responsibility includes the duties and powers to organize, conduct, supervise, evaluate the Institution's activities and, when necessary, make them public.
(3) The duties of the President are as follows:
- a) To chair board meetings.
- b) To ensure the notification of the Board's decisions and the public announcement of those deemed necessary by the Board, and to monitor their implementation.
- c) To appoint the Vice President, department heads, and institution personnel.
- ç) To finalize the proposals received from the service units and submit them to the Board.
- d) To ensure the implementation of the strategic plan and to establish human resources and labor policies in line with service quality standards.
- e) To prepare the institution's annual budget and financial statements in accordance with the defined strategies, annual aims and objectives.
- f) To ensure coordination so that the board and service units work in a harmonious, efficient, disciplined and orderly manner.
- g) To manage the institution's relations with other organizations.
- ğ) To define the duties and responsibilities of personnel authorized to sign on behalf of the Head of the Institution.
- h) To perform other duties related to the management and operation of the institution.
Composition and functions of the Presidency
ARTICLE 25 - (1) The Presidency consists of the Vice President and service units. The Presidency performs the duties listed in the fourth paragraph through service units organized as department heads. The number of department heads cannot exceed seven.
(2) A Vice President is appointed by the President to assist him in his duties relating to the Institution.
(3) The Vice President and department heads are appointed by the President from among those who have graduated from a higher education institution with at least four years of study and have served in public service for ten years.
(4) The duties of the Presidency are as follows:
- a) Maintaining the Data Controllers Registry.
- b) To carry out the office and secretarial functions of the institution and the board.
- c) To represent the Institution through lawyers in lawsuits and enforcement proceedings to which the Institution is a party, to follow up on or have followed up on lawsuits, and to provide legal services.
- ç) To handle the personnel matters of the board members and those working in the institution.
- d) To perform the duties assigned to financial services and strategy development units by law.
- e) To ensure the establishment and use of an information system for the conduct of the institution's business and operations.
- f) To prepare and submit draft reports to the Board on the Board's annual activities or on other matters as needed.
- g) To prepare a draft strategic plan for the institution.
- ğ) To determine the institution's personnel policy, and to prepare and implement career and training plans for personnel.
- h) To handle personnel appointment, transfer, disciplinary, performance, promotion, retirement, and similar procedures.
- ı) To establish ethical guidelines for staff and provide necessary training.
- i) To carry out all kinds of procurement, leasing, maintenance, repair, construction, archiving, health, social and similar services required by the Institution within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003.
- j) To keep records of the movable and immovable assets belonging to the institution.
- k) To perform other duties assigned by the Board or the Chairman.
(5) Service units and the working procedures and principles of these units are determined by a regulation put into effect by the President upon the proposal of the Institution, in accordance with the field of activity, duties and powers specified in this Law.
Personal Data Protection Specialist and assistant specialists
ARTICLE 26 - (1) Personal Data Protection Specialists and Personal Data Protection Assistant Specialists may be employed in the Institution. Those appointed to the Personal Data Protection Specialist position within the framework of Article 41 of the Law No. 657 shall be granted a one-time promotion.
Provisions relating to personnel and their rights
ARTICLE 27 - (1) Institution personnel are subject to Law No. 657, except for matters regulated by this Law.
(2) Payments made to the Chairman and members of the Board and the personnel of the Institution within the scope of financial and social rights, as determined in accordance with Article 11 of the Decree Law No. 375 dated 27/6/1989, are paid in the same manner and under the same principles as payments made to comparable personnel. Payments made to comparable personnel that are not subject to tax and other legal deductions are also not subject to tax and other deductions under this Law.
(3) The Chairman and members of the Board and the personnel of the Institution are subject to the provisions of subparagraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 dated 31/5/2006. The Chairman and members of the Board and the personnel of the Institution are considered equivalent to the personnel determined as their peers in terms of retirement rights. For those who were appointed as Chairman or members of the Board while insured under subparagraph (c) of the first paragraph of Article 4 of Law No. 5510 and whose duties have ended or who have requested to leave these duties, the service periods spent in these duties are taken into account in determining their acquired rights, monthly salary, grade and level. For those who fall within the scope of temporary Article 4 of Law No. 5510 during their duties, the periods spent in these duties are considered as the periods for which position allowance and representation allowance should be paid. For those insured under Article 4, paragraph 1, subparagraph (a) of Law No. 5510 in public institutions and organizations, and subsequently appointed as Board Chairman or members, termination of their employment with their previous institutions and organizations does not entitle them to severance pay or end-of-employment compensation. In such cases, the service periods for which severance pay or end-of-employment compensation would be paid are combined with the service periods spent as Board Chairman or Board member and considered as the period for which a retirement bonus will be paid.
(4) Civil servants and other public officials working in public administrations within the central government, social security institutions, local administrations, administrations affiliated with local administrations, local administration unions, revolving fund organizations, funds established by law, organizations with public legal personality, organizations whose capital is more than fifty percent owned by the public, state economic enterprises and public economic enterprises and their affiliated partnerships and institutions may be temporarily assigned to the Institution with the consent of their institutions, and judges and prosecutors with their own consent, provided that their salaries, allowances, all kinds of raises and compensations and other financial and social rights and benefits are paid by their institutions. The Institution's requests in this regard are prioritized by the relevant institutions and organizations. Personnel assigned in this way are considered to be on paid leave from their institutions. During the period of leave, their civil service and personal rights continue, and these periods are taken into account in their promotions and retirements, and their promotions are made on time without the need for any other procedure. The time spent at the Institution by those assigned under this article shall be considered as time spent at their own institutions. The number of those assigned in this way cannot exceed ten percent of the total number of Personal Data Protection Specialists and Personal Data Protection Assistant Specialists, and the assignment period cannot exceed two years. However, this period may be extended in one-year increments if necessary.
(5) The cadre titles and numbers of personnel to be employed in the institution are shown in the attached table (I). Changes in titles and grades, the addition of new titles and the cancellation of vacant positions are made by Board decision, provided that the total number of cadres is not exceeded and that the changes are limited to the cadre titles in the annexes of the Decree Law No. 190 on General Cadre and Procedure dated 13/12/1983.
CHAPTER SEVEN
Miscellaneous Provisions
Exceptions
ARTICLE 28 - (1) The provisions of this Law shall not apply in the following cases:
- a) Processing of personal data by natural persons solely within the scope of activities related to themselves or family members living in the same household, provided that the data is not disclosed to third parties and obligations regarding data security are complied with.
- b) Processing of personal data for purposes such as research, planning, and statistics after anonymizing it through official statistics.
- c) Processing of personal data for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
- ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been given duties and powers by law to ensure national defense, national security, public security, public order or economic security.
- d) Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.
(2) Provided that it is in accordance with the purpose and fundamental principles of this Law and is proportionate, Article 10, which regulates the data controller's obligation to inform, Article 11, which regulates the rights of the data subject, excluding the right to claim compensation for damages, and Article 16, which regulates the obligation to register with the Data Controllers Registry, shall not apply in the following cases:
- a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
- b) Processing personal data that has been made public by the data subject themselves.
- c) When the processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, based on the authority granted by law.
- ç) The processing of personal data is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax, and financial matters.
The institution's budget and revenues
ARTICLE 29 - (1) The institution's budget is prepared and approved in accordance with the procedures and principles set forth in Law No. 5018.
(2) The institution's revenues are as follows:
- a) Treasury grants from the general budget.
- b) Income derived from movable and immovable assets belonging to the institution.
- c) Donations and aid received.
- ç) Income derived from the investment of income.
- d) Other income.
Amended and added provisions
ARTICLE 30 - (1) (Related to and incorporated into the Law No. 5018 dated 10/12/2003.)
(2) to (5) – (Related to Law No. 5237 dated 26/9/2004 and incorporated in its place.)
(6) (It is related to the Basic Law on Health Services No. 3359 dated 7/5/1987 and has been incorporated in its place.)
(7) (This is related to the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Institutions, dated 11/10/2011, and has been incorporated in its place.)
Regulations
ARTICLE 31 - (1) Regulations regarding the implementation of this Law shall be put into effect by the Institution.
Transitional provisions
TEMPORARY ARTICLE 1 - (1) Within six months from the date of publication of this Law, the members of the Board shall be elected in accordance with the procedure stipulated in Article 21, and the Presidency organization shall be established.
(2) Data controllers are obliged to register with the Data Controllers Registry within the period determined and announced by the Board.
(3) Personal data processed before the publication date of this Law shall be brought into compliance with the provisions of this Law within two years from the publication date. Personal data found to be in violation of the provisions of this Law shall be immediately deleted, destroyed or anonymized. However, consents lawfully obtained before the publication date of this Law shall be deemed to be in compliance with this Law unless a contrary declaration of intent is made within one year.
(4) The regulations provided for in this Law shall enter into force within one year from the date of publication of this Law.
(5) Within one year from the date of publication of this Law, a senior manager shall be appointed in public institutions and organizations to ensure coordination regarding the implementation of this Law and shall be notified to the Presidency.
(6) The first elected President, the Second President and two members selected by lot serve for six years; the other five members serve for four years.
(7) Until a budget is allocated to the institution;
- a) The institution's expenses are covered by the Prime Ministry budget.
- b) All necessary support services, such as buildings, vehicles, equipment, furnishings, and supplies, required for the institution to perform its services, are provided by the Prime Ministry.
(8) Until the service units of the institution become operational, the secretariat services are provided by the Prime Ministry.
TEMPORARY ARTICLE 2 - (Added: 28/11/2017-7061/120 art.)
(1) Graduates of political science, economics and administrative sciences, economics, law and business faculties, or the electronics, electrical-electronics, electronics and communication, computer, information systems engineering departments of engineering faculties, or equivalent higher education institutions in Turkey or abroad whose equivalence is accepted by the Council of Higher Education, who have entered the profession through a special competitive examination and have been appointed to the positions of the central organizations of the institutions with the titles specified in subparagraph (11) of paragraph (A) of the section titled “Common Provisions” of Article 36 of Law No. 657 after a certain period of in-service training and a special qualification examination, and who have been in these positions for at least two years, excluding periods of unpaid leave, as well as those in teaching positions, may be appointed as Personal Data Protection Specialists within one year from the date of entry into force of this article, provided that they have received at least seventy points in the Foreign Language Proficiency Level Determination Exam and have not reached the age of forty as of the date of appointment. The number of those to be appointed in this way cannot exceed fifteen.
Entry into force
ARTICLE 32 - (1) Of this Law;
- a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force six months after its publication date,
- b) The other articles shall enter into force on the date of publication.
Enforcement
ARTICLE 33 - (1) The Council of Ministers shall execute the provisions of this Law.
TABLE NUMBER (I)
Miscellaneous Provisions
| CLASS | TITLE | DEGREE | TOTAL |
|---|---|---|---|
| GİH | Vice President | 1 | 1 |
| GİH | Department Head | 1 | 7 |
| GİH | Legal Counsel | 1 | 1 |
| GİH | Legal Counsel | 3 | 3 |
| AH | Lawyer | 6 | 4 |
| GİH | Personal Data Protection Specialist | 5 | 10 |
| GİH | Personal Data Protection Specialist | 7 | 20 |
| GİH | Personal Data Protection Assistant Specialist | 9 | 60 |
| GİH | Financial Services Specialist | 6 | 2 |
| GİH | Financial Services Assistant Specialist | 9 | 2 |
| GİH | Officer | 5 | 5 |
| GİH | Officer | 7 | 5 |
| GİH | Officer | 9 | 5 |
| GİH | Officer | 11 | 5 |
| GİH | Officer | 13 | 5 |
| GİH | Computer Operator | 7 | 5 |
| GİH | Data Preparation and Control Operator | 6 | 5 |
| GİH | Data Preparation and Control Operator | 7 | 5 |
| GİH | Data Preparation and Control Operator | 8 | 5 |
| GİH | Data Preparation and Control Operator | 9 | 5 |
| GİH | Data Preparation and Control Operator | 10 | 5 |
| GİH | Secretary | 5 | 3 |
| GİH | Secretary | 8 | 7 |
| GİH | Switchboard Operator | 9 | 1 |
| GİH | Chauffeur | 11 | 4 |
| TH | Technician | 6 | 3 |
| YH | Technician Assistant | 9 | 2 |
| YH | Servant | 11 | 10 |
| TOTAL | | | 195 |
LIST SHOWING THE EFFECTIVE DATE OF LEGISLATION ADDING TO AND AMENDING LAW NO. 6698 OR PROVISIONS ANNULLED BY THE CONSTITUTIONAL COURT.
| Number of the Amending Law/Decree/Constitutional Court Decision that Annulled it | Amended or Repealed Articles of Law No. 6698 | Effective Date |
|---|---|---|
| 7061 | 27, TEMPORARY ARTICLE 2 | 5/12/2017 |
| Decree Law/703 | 19, 20, 21, 25 | The date on which the President took the oath and assumed office following the Turkish Grand National Assembly and Presidential elections held together on 24/6/2018 (9/7/2018) |
Personal Data Protection and Processing Policy
1. OBJECTIVE
In ADO Group companies, the procedures and principles to be followed in the protection and processing of personal data are determined in accordance with the "Personal Data Protection Law" and related subordinate legal regulations.
2. BASIC PRINCIPLES
- 2.1. The protection and processing of personal data shall be based on the provisions of this policy and the "Personal Data Protection Law" and other legal regulations issued in connection with this law.
- 2.2. Personal data includes any information relating to an identified or identifiable natural person. Special categories of personal data include data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic information.
- 2.3. Personal data is stored in the locations/departments and systems determined by the Institution, as specified in the "Authorization List". The processing, access to, and use of personal data are carried out only by authorized persons. (FR.YNT.01.001)
- 2.4. The protection of personal data is a constitutional right and is among our Company's priorities. To this end, a "Personal Data Protection Committee" (the Committee) has been established within the Company to manage, monitor, and analyze personal data protection processes. The working principles and procedures of the Committee are detailed under section 3.1.3 of this policy.
- 2.5. In order to implement the matters stated in this policy, the necessary procedures have been established within the Company, information texts have been prepared, confidentiality agreements have been made, job descriptions have been revised, and all necessary administrative and technical measures have been taken to protect personal data.
- 2.6. "Special categories of personal data" belonging to ADO Group employees, suppliers, customers, potential customers, and visitors with whom ADO has business relationships are protected and processed by our Company in accordance with the principles specified in the "Procedure for the Protection and Processing of Special Categories of Personal Data" (PR.YNT.00.001).
- 2.7. Personal data cannot be processed, transferred to another person/system, used, or presented without the explicit consent of the data subject. Explicit consent is obtained in a clear, informed, and free manner.
- 2.8. Individuals who record, share, and/or fail to delete personal data in violation of the principles and legal regulations stated in this policy will be subject to the provisions of Articles 135-140 of the Turkish Penal Code (TCK) and also to the decisions of the Company's Disciplinary Board.
- 2.9. All ADO employees are personally responsible for the protection and security of personal data.
- 2.10. Compliance with the Personal Data Protection Law (KVK Law), other related legal regulations, and this policy is periodically audited by the Internal Audit Unit as specified in the "Audit Systems Activities Procedure" (PR.YNT.01.002).
3. IMPLEMENTATION PRINCIPLES
3.1. ENSURING THE PRIVACY AND SECURITY OF PERSONAL DATA
In accordance with the Personal Data Protection Law, our Company has taken all the technical and administrative measures specified under subheadings 3.1.1 and 3.1.2 in this policy to ensure an appropriate level of security to prevent the unlawful processing and access to personal data it processes and to ensure the proper preservation of data, and it carries out the necessary controls and audits within this scope.
3.1.1. Technical Measures
- 3.1.1.1. Our company has implemented all necessary technical security measures to protect and securely process personal data, providing a high level of protection against potential risks. All technical measures are implemented by the Information Technology Department.
- 3.1.1.2. In order to protect information technology systems containing personal data from internal and external attacks, cybercrimes, or malware, the following actions are taken:
- All users' transaction records in software containing personal data are regularly maintained. (Logs)
- Annual penetration tests are conducted by an independent external expert organization to assess the security of access to areas where personal data is stored, and any irregularities and/or vulnerabilities found are addressed.
- Security software messages, access control logs, and other reporting tools are continuously monitored.
- In the event of undesirable incidents such as system crashes, malicious software, denial-of-service attacks, incomplete or erroneous data entry, breaches that compromise confidentiality and integrity, or misuse of the information system, evidence is collected and securely stored.
- If security issues are identified, a report is promptly sent to senior management and the consulting firm involved in the process.
- The physical environments where servers containing personal data are located are protected against external threats (fire, earthquake, etc.) using appropriate methods, and entrances/exits are recorded by cameras.
- Personnel are frequently sent emails informing them about security vulnerabilities and flaws in systems and/or services.
- 3.1.1.3. Software, including firewalls and antivirus systems, is used.
- 3.1.1.4. Systems in line with technological advancements are used to store personal data in secure environments. Technical measures taken for storage areas are periodically evaluated to identify potential risks, and necessary technological solutions are developed.
- 3.1.1.5. Access to personal data in electronic format is granted as specified in the “Access Authorization List”. (FR.YNT.01.016)
- 3.1.1.6. Access control is always implemented on systems that provide access to personal data.
- 3.1.1.7. Data controllers ensure that periodic backups are made of personal data to protect against the risk of damage, destruction, theft, or loss for any reason.
- 3.1.1.8. Expert personnel with sufficient technical knowledge in data processing are employed.
- 3.1.1.9. Technological developments are closely monitored, and existing systems are subsequently updated and necessary measures are taken.
3.1.2. Administrative Measures
- 3.1.2.1. The Company takes all necessary administrative measures to protect and process personal data in the most secure manner.
- 3.1.2.2. The likelihood of risks to the security and protection of personal data occurring, and the losses that would result if these risks were to occur, are accurately determined, and appropriate measures are taken accordingly. The following points are considered when identifying risks and threats:
- Whether the personal data is sensitive or not,
- The level of confidentiality required by its nature,
- The nature and extent of the harm that may arise for the person concerned in the event of a security breach.
- 3.1.2.3. After risks and threats are identified, all alternative control systems and solutions aimed at reducing, eliminating, etc., risks are evaluated considering the principles of cost, feasibility, and usefulness, and risk treatment options are implemented according to the "Risk Management Procedure" (PR.YNT.01.003).
- 3.1.2.4. Necessary internal control systems are established at the business unit level regarding the protection and processing of personal data.
- 3.1.2.5. Company personnel receive continuous training and information on compliance with the Personal Data Protection Law, unlawful access to personal data, etc.
- 3.1.2.6. When our company outsources services for the processing, storage, and protection of personal data due to administrative or technical requirements, the contracts with the party to whom the personal data is transferred include provisions stating that they will take the necessary security measures to protect the data and ensure compliance with these measures within their own organizations. These contracts are signed in accordance with the Personal Data Protection Law (KVKK) for the purpose of ensuring the security and protection of personal data.
- 3.1.2.7. Documents containing provisions of the Personal Data Protection Law (procedures, contracts, undertakings, specifications, etc.) include obligations not to process, disclose, or use personal data outside of this policy and the Personal Data Protection Law.
- 3.1.2.8. Employees are informed that they will not disclose personal data they have been involved with and/or learned to third parties, will not use it for purposes other than the processing purpose, that this obligation continues even after they leave their jobs, and that the data will be stored in secure environments; necessary measures are taken accordingly.
- 3.1.2.9. Access to personal data held in physical form is granted as specified in the “Access Authorization List”. (FR.YNT.01.016)
3.1.3. Activities of the Personal Data Protection Committee
- 3.1.3.1. A “Personal Data Protection Committee” has been established within the company to manage activities related to the protection of personal data. The committee members consist of the Chairman of the Board of Directors (CB), the Director of the Presidential Office, the Legal Counsel, the Director of Human Resources/Administrative Affairs, and the Director of Audit Systems. The Legal Counsel chairs the committee. In meetings attended by the Chairman of the Board of Directors (CB), the CB presides over the committee.
- 3.1.3.2. Decisions in the Committee are taken by majority vote. In case of a tie, the decision of the Committee Chair shall prevail. The Director of Audit Systems does not have voting rights.
- 3.1.3.3. The Committee meets monthly. In addition, the Committee may convene immediately upon the request of a member and/or in the event of an extraordinary circumstance.
- 3.1.3.4. The Committee's duties are as follows:
- To identify the need for documentation regarding the protection and processing of personal data and to make changes or revisions as needed,
- To identify the necessary steps to ensure compliance with the Personal Data Protection Law and related legislation, and to submit them for approval to senior management,
- To decide on the implementation and audit procedures for policies regarding the protection and processing of personal data, and to submit internal assignments and coordination in this context to the approval of senior management,
- To increase awareness within the Company and among institutions with which ADO Group has business relationships regarding the protection and processing of personal data,
- To identify potential risks in personal data processing activities and ensure that necessary precautions are taken; to submit improvement suggestions for approval to senior management,
- To ensure that data subjects are informed about data processing activities and their legal rights regarding the protection and transfer of personal data and the implementation of policies, by organizing training sessions,
- To receive requests from personal data owners regarding information requests, data deletion, and data storage and to forward them to Senior Management,
- To monitor developments and regulations regarding the protection of personal data as notified and published by the Personal Data Protection Authority (KVKK) under the Prime Ministry; to determine the actions that need to be taken within the Company in accordance with these developments and regulations and to communicate them to the Senior Management,
- To report problems related to the protection of personal data to the Personal Data Protection Authority and to take action in line with the feedback received,
- To perform other duties assigned by the Chairman of the Board regarding the protection of personal data.
3.2. PROCESSING OF PERSONAL DATA
- 3.2.1. Methods of Processing Personal Data
- 3.2.1.1. As stated in Article 3 of the Personal Data Protection Law, any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system, falls within the scope of processing personal data.
- 3.2.1.2. Our company acts in accordance with the principles established by legal regulations (Article 20 of the Constitution and Article 4 of the Personal Data Protection Law) and the rule of trust and honesty in the processing of personal data. Within this scope, personal data is processed in order to:
- Carry out, in accordance with our company's human resources policies and in line with this policy, personnel recruitment, human resources operations (personnel records, payroll processes, career management, training activities, etc.), the fulfillment of obligations (health data) and the taking of necessary precautions within the framework of occupational health and safety,
- Carry out, in line with the determination and implementation of our company's commercial and business strategies with legal/natural persons, sales (demand, order, budgeting, contract) and purchasing operations (offer, evaluation, etc.), accounting and finance operations, quality processes, and communication and social responsibility activities,
- Carry out, in accordance with the relevant legislation, activities with public institutions and public legal entities authorized to receive data (information, documents, etc.) from our Company,
- Carry out, without being limited to the above items, the activities mentioned under item 3 in ADO Group's privacy policy.
- 3.2.1.3. Personal data processing activities are revealed by analyzing each process/department within ADO separately.
- 3.2.1.4. This policy adopts the following fundamental principles in the processing of personal data:
- Complying with the law and the principles of honesty,
- Ensuring that data is accurate and up to date,
- Processing for specific, explicit and legitimate purposes,
- Being relevant, limited and proportionate to the purpose for which the data is processed,
- Retaining data for the period stipulated in the relevant legislation or for the period necessary for the purpose for which it was processed,
- Informing and educating data subjects before processing personal data,
- Establishing the necessary systems for personal data owners to exercise their rights,
- Taking necessary measures for the preservation of personal data,
- Acting in compliance with the legislation and the regulations of the Personal Data Protection Authority when transferring personal data to third parties in accordance with the requirements of the processing purpose,
- Demonstrating the necessary sensitivity in the processing and protection of sensitive personal data.
- 3.2.1.5. Personal data cannot be processed without the explicit consent of the data subject. However, personal data may be processed without the explicit consent of the data subject if any of the following conditions exist:
- If it is explicitly provided for in the laws,
- It is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, or for the protection of the life or physical integrity of another person.,
- The institution becoming commercially invalid, losing its recognition,
- The processing of personal data of the parties to a contract is necessary provided that it is directly related to the establishment or performance of the contract,
- Personal data must be necessary for the data controller to fulfill its legal obligations,
- The personal data must have been made public by the data subject,
- Data processing must be necessary for the establishment, exercise, or protection of a right,
- Personal data transfer is necessary for our company to fulfill its legal obligations.
- Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
- 3.2.1.6. Regarding the processing of personal data, ADO employees receive regular training on data security in accordance with the Personal Data Protection Law and related regulations; confidentiality agreements are made; the scope and duration of access rights for users with access to data are clearly defined; and periodic access controls are carried out. The access rights of employees who change roles or leave the company are terminated simultaneously.
- 3.2.2. Processing of Special Categories of Personal Data
- 3.2.2.1. According to Article 6, paragraph 1 of the Personal Data Protection Law, special categories of personal data include data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic information.
- In our company, personal data classified as "special categories" cannot be processed "without the explicit consent of the data subject," as stated in Article 6, paragraph 2 of the Personal Data Protection Law.
However, as stated in paragraph 3 of the same article (Article 6), personal data other than health and sexual life data may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life, however, may only be processed without the explicit consent of the data subject by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
3.3. TRANSFER OF PERSONAL DATA
- 3.3.1. As a general rule, personal data cannot be transferred without the explicit consent of the data subject. However, according to Article 8 of the Personal Data Protection Law (KVKK), personal data may be transferred without explicit consent, provided that adequate protection is ensured and the conditions specified in Article 5, paragraph 2 (Article 3.2.1.5 of this policy) and Article 6, paragraph 3 (Article 3.2.2.2 of this policy) of the KVKK are met.
- 3.3.2. Furthermore, when transferring personal data abroad, the provisions specified in article 3.3.1 apply, and the data can be transferred abroad without the explicit consent of the person concerned if the conditions of Article 9, paragraph 2 of the Personal Data Protection Law (listed below) are present in the foreign country to which the personal data will be transferred:
- Adequate protection is in place,
- If adequate protection is not in place, the data controllers in Türkiye and the relevant foreign country provide a written commitment to ensure adequate protection and obtain the Board's permission.
3.4. Deletion, Destruction and Anonymization of Personal Data
Personal data is deleted, destroyed, or anonymized by our Company upon request or ex officio, after the purpose of processing has ended, and the retention periods determined by the relevant legislation and/or our Company have expired. In this context, our Company fulfills its obligations in accordance with Article 7 of the Personal Data Protection Law and the principles set forth in the "Regulation on the Deletion, Destruction, or Anonymization of Personal Data".
- 3.4.1. The process followed for deleting personal data is stated below:
- Identifying the personal data that will be subject to the deletion process,
- Identifying the relevant users for each piece of personal data using an access authorization and control matrix or a similar system,
- Identifying the access, retrieval, and reuse permissions and methods of the relevant users,
- Closing and eliminating the access, retrieval, and reuse rights and methods of the relevant users regarding their personal data.
- 3.4.2. The methods to be followed in the destruction of personal data are specified below:
- Physical Destruction: Personal data can also be processed through non-electronic/non-automatic means, provided it is part of a data recording system. When such data is deleted/destroyed, the personal data is physically destroyed in a way that prevents its subsequent use.
- Deletion and Destruction in the Server (Cloud) Environment: This refers to methods used to delete/destroy data that is processed entirely or partially electronically/automatically and stored in digital environments, ensuring that the data is removed from the relevant software in such a way that it cannot be recovered by specific individuals or in any form.
- 3.4.3. The processes for anonymizing personal data are described below:
- Masking: Data masking is the process of removing the key identifying information of personal data from a dataset.
- Aggregation: Data aggregation is a method where many pieces of data are combined to make personal data impossible to link to any other data.
- Data Derivation: More general content is created from the content of the personal data, ensuring that the personal data cannot be linked to any specific individual.
- Data Hashing: This involves mixing values within a personal data set to break the link between those values and individuals.
3.5. STORAGE AND ACCESS OF PERSONAL DATA
Our company processes personal data in accordance with the retention periods specified in the Personal Data Protection Law (KVKK) or for the purposes for which they are processed, taking into account legal and criminal limitation periods. Upon the expiration of the retention period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized by our company.
- 3.5.1. Preservation of Personal Data in Paper Format
- Employees' personal data is kept in paper-based personnel files.
- Only Human Resources Department personnel have access to personnel files.
- Personnel files are classified in the "Confidential" risk category.
- Personnel files can only be accessed by personnel working in the relevant department.
- Access to personnel files by unauthorized individuals is permitted only with the approval of the Head of the Financial and Administrative Affairs Group. Access to personal data is conducted under the supervision of authorized personnel.
- The Human Resources and Administrative Affairs Department is responsible for the secure access to the "Personnel" and "Health" files.
- Unauthorized access cases will be detected in accordance with the "Disciplinary Procedure" (PR.MII.02.001).
- 3.5.2. Preservation of Personal Data in the Digital Environment
- Only authorized personnel may access digital environments where personal data is stored.
- Access is controlled using unique passwords for each user, and all access activities are recorded in log files.
- Security systems such as firewalls and antivirus programs exist to protect data in the digital environment.
- The Information Technology Department Manager is responsible for taking all necessary measures regarding the preservation of personal data in the digital environment and information security within the scope of the company's "Information Security" practices.
3.6. RIGHTS AND OBLIGATIONS
- 3.6.1. Data Subject Rights
- 3.6.1.1. The data subject has the right to learn the following matters concerning themselves by applying to the data controller:
- To find out whether your personal data is being processed,
- The right to request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether it is being used appropriately for that purpose,
- Knowing the third parties to whom personal data is transferred, whether domestically or internationally,
- The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that third parties to whom the personal data has been transferred be notified of the action taken in this regard.
- Even if personal data has been processed in accordance with the Personal Data Protection Law and other related legal provisions, you have the right to request the deletion or destruction of your personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom your personal data has been transferred,
- The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems,
- The right to claim compensation for damages incurred due to processing that violates the Personal Data Protection Law.
- 3.6.2. Rights and Obligations of the Data Controller
- 3.6.2.1. The Data Controller is obliged to take the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing and/or access of personal data, to ensure the preservation of personal data, and to prevent possible data loss in the systems for which it is responsible.
- 3.6.2.2. Data controllers and data processors shall not disclose personal data they have learned/acquired to others in a manner contrary to the provisions of the "Personal Data Protection Law" and shall not use it for purposes other than the processing purpose. This obligation continues even after they leave their positions.
- 3.6.2.3. If personal data is obtained by others through unlawful means, the data controller shall share this information with the Committee immediately and subsequently forward it to the Personal Data Protection Board as soon as possible.
- 3.6.2.4. The data controller has the obligation to inform/notify the personal data owner, to conduct and have conducted audits, to maintain confidentiality, and to report breaches.
- 3.6.2.5. Our company informs personal data owners in accordance with Article 20 of the Constitution and Article 10 of the Personal Data Protection Law and provides the necessary information when personal data owners request information.
- 3.6.2.6. The data controller shall inform the relevant parties, during the collection of personal data, about the following:
- The identity of the data controller and, if applicable, their representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data may be transferred,
- Method and legal basis for collecting personal data,
- Other rights listed in Article 11 of the Personal Data Protection Law.
3.7. BREACH OF PERSONAL DATA
- 3.7.1. In compliance with the Personal Data Protection Law, if it is determined that personal data has been obtained by others through unlawful means, this shall be reported to the Personal Data Protection Board by the authorized person specified in the "Important Person Access List" (FR.MII.05.003).
- 3.7.2. In cases of unlawful processing, sharing, and failure to delete personal data when necessary, proceedings will be conducted by the Legal Counsel in accordance with Articles 135 to 140 of the Turkish Penal Code.
- 3.7.3. In case of a breach of personal data, the following legal sanctions shall apply:
- Anyone who unlawfully records personal data shall be sentenced to imprisonment for one to three years.
- Anyone who unlawfully discloses, disseminates, or obtains personal data belonging to another person shall be prosecuted and sentenced to imprisonment for a period of two to four years.
- Those who fail to delete data from the system despite the expiration of the legally mandated periods will be sentenced to imprisonment for one to two years.
4. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: This includes data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic information.
Data Controller: The person responsible for determining the purposes and means of processing personal data, and for establishing and managing the data recording system.
Anonymization of Personal Data: This is the process of rendering data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data.
Data Processor: A person who processes personal data on behalf of the data controller, based on the authorization given by the data controller.
Data Recording System: A recording system in which personal data is processed by structuring it according to specific criteria.
Processing of Personal Data: Personal data processing refers to any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.
Other definitions and abbreviations used in this document can be found in the ADO Glossary.
Information Text Regarding the Processing/Protection of Personal Data
As Adopen Plastic and Construction Industry Inc. (ADOPEN), we attach great importance to the processing and storage of all personal data belonging to all individuals associated with ADOPEN in accordance with the Law No. 6698 on the Protection of Personal Data (the Law). Within the scope of this responsibility, as the "Data Controller" as defined in the Law, we process your personal and sensitive personal data (personal data) within the limits stipulated by legal regulations as stated below.
This privacy notice has been prepared by ADOPEN to fulfill its obligation to inform data subjects under the relevant law, and aims to provide information on the protection of personal data.
1. Data Controller
In accordance with Law No. 6698, your personal data is processed by ADOPEN as the data controller.
2. Methods and Legal Grounds for Collecting Personal Data
Your personal data is collected by ADOPEN through various channels for the purpose of conducting our activities, in accordance with the law, other legal regulations, and ADOPEN policies, and based on legal grounds.
Depending on your relationship with ADOPEN, we may collect your personal data through automated or non-automated methods to conduct our activities with you. Data is collected through various communication channels including: Job Application Form, Employment Contract, Information Security and Ethics Statement Protocol, Supplier Agreement, Confidentiality Agreement, Occupational Safety Agreement, Purchase Agreement, Dealership Agreement, Dealer Interview Form, documents submitted to ADOPEN during the job application process, online job application form and internship application form on the website, correspondence conducted via email addresses, cargo shipments, information forms, document channels in our documentation system, electronic e-forms, visitor information forms completed by you and requested at security checkpoints before entering facilities, sales transactions, order entry (B2B systems), transportation transactions, sales support transactions (issuing delivery notes and invoices, accepting return invoices), accounting transactions, product complaints/return transactions, technical service, call center, evaluation of requests and complaints received through complaint and reporting channels, purchasing transactions, cargo shipments, technical service and call center channels, training, seminars, fairs, and verbally conveyed information.
3. Purpose of Processing Personal Data
Your collected personal data may be processed by ADOPEN for the purposes stated below, within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law:
- Ensuring that ADOPEN's activities are carried out in accordance with legislation and ADOPEN policies,
- Planning and execution of human resources activities,
- Carrying out the necessary studies by the business units and conducting activities accordingly,
- Determining, planning, and implementing trade policies in the short, medium, and long term,
- Ensuring the commercial and legal security of individuals with whom a business relationship is established,
- Protecting ADOPEN's commercial reputation and the trust it has built.
For detailed information on the purposes for which ADOPEN processes your personal data, see the "Personal Data Protection and Processing Policy" (Policy). This policy has been published on the ADOPEN intranet, notice boards, B2B system, and official website, and has also been posted on notice boards at ADOPEN facilities.
4. To Whom and for What Purpose the Processed Personal Data May Be Transferred
For the purpose of carrying out the business processes mentioned under the heading "3. Purpose of Processing Personal Data" of this privacy notice, your collected personal data may be transferred to authorized public institutions (Turkish Employment Agency/İŞ-KUR, Ministry of Labor and Social Security, Ministry of Interior, Ministry of Treasury and Finance, etc.) and/or authorized private persons, to the extent permitted and required by legal regulations, and within the limits of the transfer conditions specified in Articles 8 and 9 of the Law and within the framework of this Policy.
5. Rights of the Personal Data Subject
By applying to ADOPEN, data subjects have the following rights:
a. To find out whether personal data is being processed,
b. Requesting information regarding the processing of personal data,
c. To learn the purpose of processing personal data and whether it is being used appropriately for that purpose,
d. Knowing the third parties to whom personal data is transferred, whether domestically or internationally,
e. The right to request the correction of personal data if it has been processed incompletely or incorrectly, and to request that this correction be notified to third parties to whom the personal data has been transferred,
f. Even if personal data has been processed in accordance with the law and other relevant legal provisions, the right to request its deletion or destruction if the reasons requiring its processing have ceased to exist,
g. Requesting that the actions taken in accordance with items "e" and "f" be notified to third parties to whom personal data has been transferred,
h. The right to object to a result that is detrimental to the individual, arising solely from the analysis of processed data by automated systems,
i. The right to claim compensation for damages incurred as a result of an act committed in violation of the law.
To exercise your rights specified in Article 11 of the Law, you can submit your request by filling out the “Personal Data Subject Application Form” and sending it to adopen@hs02.kep.tr. Your request will be processed as soon as possible (in any case within a maximum of thirty days), depending on its nature. If the process incurs additional costs for ADOPEN, the fee specified in the “Notification on the Procedures and Principles for Applications to the Data Controller” will be charged. If the request is rejected, the reasons for rejection will be notified to the data subject in writing or electronically.
6. Processing Procedure
Your personal data will be recorded, processed, stored, and transferred for the legally mandated retention periods determined within the framework of legal regulations. Upon expiration of the legal retention period, your personal data will be deleted, destroyed, or anonymized in accordance with the Law and related subordinate legal regulations.