Information

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA OF ZORLU TESİS YÖNETİM A.Ş.

ABOUT THE POLICY

The Law on Protection of Personal Data numbered 6698 (“Law”) entered into force on April 7, 2016, and includes the regulations regarding the processing of all kinds of information associated with “identified or identifiable natural persons”.

This Policy on the Protection and Processing of Personal Data drafted by Zorlu Tesis Yönetim A.Ş. (“Policy”) contains the statements and explanations made by Zorlu Tesis (“Zorlu Tesis”) regarding the processing of personal data of real persons falling in the scope of the categories listed hereinbelow in accordance with the Law. In this context, the field of application of the Policy is the processing of personal data of the following data subjects:

  • Real Customers
  • Shareholders, Officials, and Employees of Corporate Customers
  • Potential Customers
  • Company officials
  • Shareholders
  • Former Employees / Retirees
  • Shareholders, Officials, and Employees of Business Partners
  • Shareholders, Officials, and Employees of Suppliers
  • Candidate Employees and Interns
  • Candidate Business Partners
  • Candidate Suppliers
  • Visitors
  • Press members
  • Third Parties

This Policy may be updated from time to time in order to comply with changing conditions and legislation.

  1. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

Zorlu Tesis, which acts as the data controller within the meaning of Article 4 of the Law, shall act in accordance with the following principles with respect to the processing of personal data:

  • Compliance with the law and rules of honesty:
    Personal data shall be processed in accordance with the law and the rules of honesty. In this respect, Zorlu Tesis shall act in accordance with the legislation in force and abide by the rules of honesty with respect to all personal data processing processes.
  • Accuracy and being up to date:
    A data controller must establish the necessary processes to ensure that the personal data it processes is kept accurate and up-to-date. Accordingly, Zorlu Tesis shall provide the data subjects with an opportunity to update their data, and take the necessary measures to ensure that the data is transferred to databases correctly.
  • Being processed for specific, explicit and legitimate purposes:
    A data controller is obliged to inform the data subjects about the purposes of processing their personal data in line with the disclosure obligations set out in the Law. In this respect, Zorlu Tesis shall limit its data processing activities to specific and legitimate purposes and shall clearly inform the data subjects about these purposes by means of disclosures.
  • Being relevant with, limited to and proportionate to the purposes for which they are processed:
    Zorlu Tesis shall process personal data to the extent necessary for the purposes declared to the data subjects at the time they were obtained, in connection with this purpose and in a limited manner.
  • Retention for the periods of time stipulated in the relevant legislation or required for the relevant purposes:
    If a certain period of time is set out in the legislation in force, the personal data shall be retained for such period of time. If no such period is specified in the legislation, then a reasonable period of retention shall be fixed by taking into account the purposes of use and the company’s procedures, and the personal data shall be retained for such period of time. Following the expiry of the aforementioned periods, the personal data shall be deleted, destroyed, or anonymized in line with the company’s procedures.

  2. PURPOSES OF PROCESSING PERSONAL DATA BY ZORLU TESİS

Articles 5 and 6 of the Law set out the terms and conditions for the processing of personal data and sensitive personal data. Sensitive personal data are listed in a non-exhaustive manner in the Law and relate to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade-unions, health, sexual life, criminal conviction, and security measures as well as biometric and genetic data. Article 5 of the Law specifies the terms and conditions for the processing of non-sensitive personal data, and Article 6 of the Law specifies the terms and conditions for the processing of sensitive personal data.

According to the aforementioned articles, non-sensitive personal data may be processed in the following cases:

  • Explicit consent of the data subject is available.
  • Data processing is expressly prescribed by law.
  • It is necessary to process the relevant data in order to protect the life or bodily integrity of the person or someone else, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the execution or performance of a contract.
  • Data processing is mandatory in order for the data controller to fulfill its legal obligations.
  • The personal data has been made public by the person concerned.
  • Data processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Sensitive personal data may be processed subject to the following conditions:

  • Explicit consent of the data subject is available.
  • The processing of any sensitive personal data other than health and sexual life data (e.g. race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade-unions, criminal convictions, and security measures, and biometric and genetic data) is envisaged in legislation.
  • Processing of any sensitive personal data related to health and sexual life by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In this context, Zorlu Tesis shall process personal data of real persons set out in the categories specified in Annex 1 hereto for the following purposes:

  • planning, audit and execution of information security processes
  • establishment and management of information technologies infrastructure
  • planning and execution of benefits for employees
  • planning and execution of employees' authorization to access information
  • event management
  • follow-up of finance and/or accounting affairs
  • planning of human resources processes
  • planning and execution of business activities
  • planning and execution of authorizations of business partners and/or suppliers to access information
  • management of relationships with business partners and/or suppliers
  • planning and/or execution of occupational health and/or safety processes
  • planning and/or execution of business continuity activities
  • establishment and tracking of the credit disbursement processes
  • planning and execution of corporate communication activities
  • planning and execution of corporate governance activities
  • planning and execution of customer relationship management processes
  • planning and/or execution of customer satisfaction activities
  • follow-up of customer requests and/or complaints
  • execution of personnel hiring processes
  • planning and/or execution of after sales support services activities
  • fulfillment of employment contracts and/or legislative obligations for company employees
  • ensuring the security of company’s fixtures and/or resources
  • planning and execution of the operational activities required for ensuring that the company’s activities are carried out in accordance with the company’s procedures and/or related legislation
  • ensuring the security of the company’s operations
  • planning and/or execution of the company's financial risk processes
  • planning and/or execution of the processes for establishing and/or increasing loyalty to the products and/or services offered by the company
  • planning and/or execution of the company's production and/or operational risk processes
  • execution of formalities under the companies and partnership law
  • follow-up of contract processes and/or legal requests
  • planning and execution of supply chain management processes
  • planning and execution of production and/or operation processes
  • planning and execution of market research activities for sales and marketing of products and services
  • planning and execution of marketing processes of products and/or services
  • planning and execution of sales processes of products and/or services
  • ensuring data is accurate and up-to-date
  • providing information to authorities pursuant to legislation

  3. TRANSFER OF PERSONAL DATA BY ZORLU TESİS

General Terms of Transfer

Article 8 of the Law has made a distinction regarding the transfer of personal data according to whether the data in question is sensitive personal data or not.

According to the aforementioned article, non-sensitive personal data may be transferred to third parties in the presence of one of the processing conditions specified in Section 2 above. In this regard, personal data may be shared by Zorlu Tesis with persons other than its legal entities in the following events:

  • Explicit consent of the data subject is available.
  • Data processing is expressly prescribed by law.
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the execution or performance of a contract.
  • Data processing is mandatory in order for the data controller to fulfill its legal obligations.
  • The personal data has been made public by the person concerned.
  • Data processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Article 8 also refers to the terms and conditions of processing specified in Section 2 in terms of sensitive personal data, but stipulates that adequate measures must also be taken for the transfer. Accordingly, Zorlu Tesis may, after adequate precautions are taken, share personal data with any third parties in the following events:

  • The processing of any sensitive personal data other than health and sexual life data (e.g. race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade-unions, criminal convictions, and security measures, and biometric and genetic data) is envisaged in legislation.
  • Processing of any sensitive personal data related to health and sexual life by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

Transfer Abroad

Zorlu Tesis may transfer personal data abroad in the following events:

  • Explicit consent of the data subject is available, or
  • In cases where no explicit consent of the data subject is available, but one or more of the other conditions mentioned above are met, provided that:
    • There is adequate protection in the country to which the data is transferred, and
    • Zorlu Tesis undertakes an adequate level of protection in writing together with the data controller in the relevant foreign country and obtains prior consent of the Personal Data Protection Board, if there is no adequate protection in the country where the data is transferred.

Parties to which personal data is transferred by Zorlu Tesis

Zorlu Tesis transfers personal data to the following parties as per the above-mentioned terms and conditions:

  • to Zorlu Holding AŞ in order to ensure the execution of commercial and operational activities that require the involvement of Zorlu Holding AŞ.
  • to suppliers for the purpose of obtaining services for such processes that our company outsources.
  • to business partners to ensure that the objectives of the business partnership are fulfilled.
  • to legally authorized public bodies and legally authorized private persons or entities, limited to the information requested within the framework of their legal authorization.

  4. PERSONAL DATA PROCESSED BY ZORLU TESİS

The categorization of personal data processed by Zorlu Tesis is available in Annex 1 hereto.

  5. PROCEDURE FOR PROCESSING PERSONAL DATA BY ZORLU TESİS

Zorlu Tesis informs the personal data subjects about the purposes for which it processes the personal data as the data controller, to whom and for what purposes the processed personal data may be transferred, the methods of collecting personal data, and the rights of data subjects, as stipulated in the Law, during the acquisition of personal data.

If any process necessitates obtaining explicit consent in accordance with the Law, express consent shall be obtained from data subjects after the above-mentioned notification is made by Zorlu Tesis.

  6. DETERMINATION OF RETENTION PERIODS OF PERSONAL DATA BY ZORLU TESİS

Zorlu Tesis determines the retention periods of personal data by considering the legislation in force and the purposes of processing the personal data in question. In any case, Zorlu Tesis determines the retention periods in the light of its legal obligations and the relevant statute of limitations.

In the event that the purpose of processing personal data disappears, such personal data shall be deleted, destroyed or anonymized unless there is another legal reason or basis that allows the personal data to be retained.

  7. RIGHTS OF DATA SUBJECTS AND THE USE OF THESE RIGHTS

Rights of Data Subjects

According to Article 11 of the Law, personal data subjects have the following rights against the data controller:

  • To know whether his/her personal data is processed;
  • To request information if his/her personal data has been processed;
  • To know the purpose of processing his/her personal data and whether such data have been used appropriately for their purpose;
  • To know the third parties to whom his/her personal data have been transferred domestically or abroad;
  • To request rectification in case his/her personal data have been processed incompletely or inaccurately;
  • To request deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation;
  • To request notification of transactions performed as a result of requests for correction, deletion and destruction of personal data to any third parties to whom personal data has been transferred;
  • To object to the occurrence of any results against himself/herself through analysis of the processed data exclusively through automated systems;
  • To demand the compensation of damages and losses suffered due to the unlawful processing of personal data.

Paragraph 2 of Article 28 of the Law lists the cases where data subjects do not have the right to make such requests, and in this regard the above-mentioned rights may not be exercised for personal data in the following events:

  • The processing of personal data is necessary for the prevention of any crimes or for the conduct of any criminal investigations
  • The processing is carried out on the data which is made public by the data subject himself
  • The processing is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law
  • The processing is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues

According to paragraph 1 of Article 28 of the Law, any requests of data subjects will not be processed in the following events since such personal data will be outside the scope of the Law:

  • Personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security are to be complied with.
  • Personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
  • Personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
  • Personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security.
  • Personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.

Exercise of Rights by Data Subjects

Data subjects may use the "Form for Applications to be Filed by Personal Data Subjects to Data Controllers", available at the link “Application Form regarding Personal Data Protection Law”, to exercise any of the above-mentioned rights.

Applications will be made using one of the following methods, together with documents that will identify the relevant data subject:

  • The form shall be completed and a signed copy thereof shall be delivered by hand, or sent via a notary public or by registered letter with return receipt to the following address: Levazım Mah. Koru Sok. No: 2 Zorlu Center Köprü Katı Zorlu Gayrimenkul 34340 Beşiktaş/İstanbul.
  • The form may be sent via a registered e-mail to zorluyapi@hs03.kep.tr by signing the form with a secure electronic signature issued under the Electronic Signature Law No. 5070.
  • Any of the methods prescribed by the Personal Data Protection Board may be used.

Zorlu Tesis shall respond to data subjects who wish to exercise such rights within the limits set forth in the Law, within a maximum of thirty days, as stipulated in the Law. In order for any third parties to apply on behalf of personal data subjects, a special power of attorney issued by the data subject through a notary public on behalf of the applicant person must be present.

As a rule, applications of data subjects are processed free of charge, but if a fee tariff is indicated by the Personal Data Protection Board, a fee may be charged based on such tariff.

Zorlu Tesis may request information from a data subject in order to determine whether the applicant is the owner of personal data, and may ask questions about the application to the personal data subject in order to clarify the issues stated in the application.

  8. PROTECTION OF PERSONAL DATA BY ZORLU TESİS

Zorlu Tesis shall take reasonable technical and administrative measures to prevent any risks of unauthorized access, accidental data loss, deliberate deletion or damage to personal data in order to ensure the security of personal data.

In this context, Zorlu Tesis shall:

  • record access to personal data
  • ensure data security by using software and hardware including virus protection systems and firewalls
  • keep track of personal data processing activities on a business unit basis
  • ensure that the necessary inspections are carried out in order to ensure the implementation of the provisions of the Law in accordance with Article 12 of the Law
  • ensure the compliance of internal policies and procedures and data processing activities with the Law
  • make authorizations in accordance with the nature of the data accessed across the company
  • subject access to sensitive personal data to more stringent measures
  • perform additional security checks for persons who have access to sensitive personal data
  • obtain commitments from the external service providers to ensure compliance with the Law in case of any external access to personal data due to reasons such as outsourcing
  • take the necessary actions to inform all its employees, especially those who have access to personal data, about their duties and responsibilities under the Law.

  9. INTER-COMPANY GOVERNANCE STRUCTURE OF ZORLU TESİS REGARDING THE PROTECTION OF PERSONAL DATA

A Personal Data Protection Committee (“Committee”) has been established within Zorlu Tesis to monitor and manage the actions required to comply with the Law. The main duties of this Committee are as follows:

  • To take the necessary actions for the protection and processing of personal data, as well as to prepare policies and procedures within Zorlu Tesis, and to put them into effect
  • To allocate the necessary tasks within Zorlu Tesis for the implementation of the policies and procedures and to follow up that the relevant actions are taken
  • To follow up the audits to be conducted in accordance with Article 12 of the Law
  • To determine the actions to be taken to raise awareness across Zorlu Tesis regarding the implementation of the Law, and to allocate the necessary tasks regarding such actions
  • To ensure that necessary actions are taken to resolve all questions and problems that may arise regarding the implementation of the law and/or the policies and procedures
  • To take necessary actions for the resolution of applications filed by data subjects when necessary
  • To maintain relationships with the Personal Data Protection Authority.

Annex 1: Data Categorization

| Data Category | Description of Personal Data Categorization | Types of Personal Data Covered by the Related Personal Data Categorization |
| --- | --- | --- |
| Identity Details | Information contained in documents such as driver's license, identity card, certificate of residence, passport, attorney ID, marriage certificate, which clearly belong to an identified or identifiable real person and are included in the data registry system | Turkish ID number, passport number, identity card serial number, name and surname, photo, place of birth, date of birth, age, place of registration, sample of detailed identity card |
| Contact Details | Information that clearly belongs to an identified or identifiable natural person and that is available in the data registry system and that is used for the purpose of communicating with the person concerned | E-mail address, telephone number, mobile phone number, address etc. |
| Location Details | Data that clearly belongs to an identified or identifiable natural person and that is available in the data registry system, and that is used to identify the location of the data subject | Location data obtained during the use of company vehicles |
| Details of Family Members and Relatives | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, which is processed in order to protect the legal interests of the relevant company and the data subject, and which is about the family members and relatives of the personal data subject | Information such as identity details, contact details, and professional and educational details about children and spouse of the personal data subject |
| Customer Details | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which is about customers who benefit from our products and services | Customer number, professional information, etc. |
| Customer Transaction Details | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which is about all kinds of deals performed by the customers who benefit from our products and services | Requests and instructions, order and basket information, etc. |
| Information on Security of Physical Space | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which is about the records and documents taken at the entrance to the physical space and during the stay in the physical space | Entry-exit logs, visit information, camera recordings, etc. |
| Information on Transaction Security | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which is processed in order to ensure the technical, administrative, legal and commercial security of Zorlu Tesis and related parties | Information that is used to match any transaction associated with the personal data subject with that person, and that shows that the person is authorized to do such transaction (e.g. website password and password information) |
| Information on Risk Management | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which is processed in order to ensure the commercial, technical, and administrative risks of Zorlu Tesis | Records such as IP address, Mac ID, etc. |
| Financial Information | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents personal data within the scope of information, documentation and records showing the personal data owner and any financial results generated based on the type of legal relationship | Information showing the financial results of the transactions performed by the data subject; credit card debts, loan amounts, loan payments, amounts and rate of interest payable, debt balances, credit balances, etc. |
| Personnel Information | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data that is the basis for the formation of personal rights of employees | All kinds of information and documentation that are legally required to be available in the personnel file (e.g. salary amounts, SSI premiums, payrolls, etc.) |
| Information on Employee Candidates | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data of data subjects who shared their information to make a job application to Zorlu Tesis and which is used in the application evaluation process | CV, interview notes, personality test results, etc. |
| Information on Employee Transactions | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data relating to employees or any work-related transactions performed by employees | Work entry-exit records, business travels, information about meetings attended, security inquiries, information on tracking of mail traffic, information on vehicle usage, information on spendings via company credit cards, etc. |
| Information on Performance and Career Development of Employees | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data processed for the purpose of measuring the performance of employees and planning and executing their career development within the scope of human resources policies | Performance evaluation reports, interview results, career development training etc. |
| Information on Benefits | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data processed for the planning of benefits offered to employees and for employees to benefit from them | Private health insurance, vehicle allocation, etc. |
| Marketing Details | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the data to be used by Zorlu Tesis for marketing activities | Reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, cookie records, data enrichment activities, etc. |
| Information on Legal Transaction and Compliance | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data processed for the purpose of determination and follow-up of legal receivables and rights and performance of debts and legal obligations | Data contained in documents such as court and administrative body decisions |
| Information on Audits and Inspections | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data processed within the scope of compliance with the legal obligations and corporate policies of Zorlu Tesis | Audit and inspection reports, related interview records and similar records |
| Sensitive Personal Data | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data of individuals | Data on race, ethnicity, political thought, philosophical belief, religion, sect or other belief, dressing, memberships in associations, foundations or unions, data on health and sexual life, data on criminal convictions and security measures, biometric data, genetic data |
| Information on Request/Complaint Management | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data regarding the receipt and evaluation of any requests or complaints directed to Zorlu Tesis | All kinds of requests and complaints against companies, as well as related records and reports |
| Information on Reputation Management | Information which clearly belongs to an identified or identifiable natural person and is available in the data registry system, and which represents the personal data that may affect the reputation of Zorlu Tesis, its shareholders, employees, business partners or customers | Personal data present in negative news about the company on social media |
| Audio-Visual Data | Audiovisual recordings which clearly belong to an identified or identifiable natural person and are available in the data registry system, and which can be linked to the personal data subject | Photos, camera recordings and audio recordings |

Annex 2. Definitions

| Expression | As defined in the law |
| --- | --- |
| Explicit consent | Consent that relates to a specified issue, declared by free will and based on information |
| Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. |
| Relevant person | An individual whose personal data is processed (referred to as "data subject" in the Policy) |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Processing of personal data | Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means |
| Data registry system | The registry system which the personal data is registered into through being structured according to certain criteria |
| Data Controller | Any natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system. |