سياسة حماية البيانات الشخصية ومعالجتها

DEFINITIONS

Explicit consent: Consent on a specific issue, based on information and expressed with free will.

Constitution: Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709; published in the Official Gazette dated November 9, 1982 and numbered 17863.

Anonymization: Changing personal data in such a way that it loses its personal data nature and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. techniques to make personal data unassociable with a natural person. 

Application Form: "Application Form Regarding the Applications to be made to the Data Controller by the Relevant Person (Personal Data Owner) in accordance with the Law No. 6698 on the Protection of Personal Data", which includes the application to be made by personal data owners to exercise their rights.

Employee Candidate: Natural persons who have applied for a job to the Company by any means or who have opened their resume and related information to the Company's review.

Relevant Person: The natural person whose personal data is processed

Company Akyacht Yatçılık Sanayi ve Ticaret Anonim Şirketi

Intercity Company(ies): Other company(ies) in which real and/or legal persons who are shareholders of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders

Employees, Shareholders and Authorities of the Institutions We Cooperate with: Real persons, including, but not limited to, employees, shareholders and officials of the organizations (such as business partners, suppliers) with which the Company has any kind of business relationship.

Business Partner: Parties with whom the Company has established a business partnership for purposes such as carrying out various projects and receiving services, either personally or together with Intercity Companies while carrying out its commercial activities. 

Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data Processing Inventory:  Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security

Personal data subject: The natural person whose personal data is processed. For example; employee candidates.

Personal data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information on legal entities is not covered by the Law. For example; name-surname, TRKN, e-mail, address, date of birth, credit card number, etc.

KVKK Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677

Board: Personal Data Protection Board

Institution Personal Data Protection Authority

Sensitive personal data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. 

Policy This Personal Data Processing and Protection Policy

Company Shareholder Real persons who are shareholders of the Company

Company Authorized Person: Company board members and other authorized real persons.

Supplier Parties that provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while conducting the Company's commercial activities.

Turkish Penal Code: Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611.

Third Person: Natural persons whose personal data are processed within the scope of the Policy, who are not defined differently within the scope of the Policy (e.g. guarantor, companion, family members and relatives, former employees). 

Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Data Controllers Registry (VERBIS): The registry of data controllers kept by the Presidency under the supervision of the Personal Data Protection Board

Visitor Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites.   

TABLE OF CONTENTS

DEFINITIONS. 2

TABLE OF CONTENTS. 3

PART ONE. 6

1. INTRODUCTION. 6

1.2. PURPOSE. 6

1.3. SCOPE. 6

1.4. PRIORITY IN THE IMPLEMENTATION OF POLICY AND RELATED LEGISLATION. 6

1.5. EFFECTIVE DATE. 6

PART TWO. 6

2. PROTECTION OF PERSONAL DATA. 6

2.1. OBSERVANCE OF DATA SUBJECT RIGHTS AND EVALUATION OF DATA SUBJECTS' REQUESTS. 6

2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA. 7

2.3. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA  7

2.4. ENSURING THE SECURITY OF PERSONAL DATA. 7

2.4.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data. 7

2.4.1.1.Technical Measures. 7

2.4.1.2 Administrative Measures. 8

2.4.2. Supervision of Measures Taken for the Protection of Personal Data. 9

2.4.3. Measures to be taken in case of unauthorized disclosure of personal data. 9

PART THREE. 9

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA. 10

3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION  10

3.1.1. Processing in accordance with the Law and Good Faith. 10

3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary. 10

3.1.3. Processing for Specific, Explicit and Legitimate Purposes. 10

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed. 10

3.1.5. Storage for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed. 10

3.2. PROCESSING PERSONAL DATA BASED ON AND LIMITED TO ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE KVKK. 10

3.3. PROCESSING OF DATA PROCESSED BY INTERCITY COMPANIES BY THE COMPANY. 10

3.4. ENLIGHTENING AND INFORMING THE PERSONAL DATA SUBJECT. 11

3.5. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE. 11

SECTION FOUR. 11

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY. 11

4.1. CATEGORIZATION OF PERSONAL DATA. 11

4.2. PURPOSES OF PROCESSING PERSONAL DATA. 13

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE COMPANY  15

SECTION SIX. 17

6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE COMPANY AND THE PURPOSES OF TRANSFER. 17

6.1 TRANSFER OF PERSONAL DATA. 17

6.1.1 Transfer of Personal Data. 18

6.1.2. Transfer of Sensitive Personal Data. 18

6.2. TRANSFER OF PERSONAL DATA ABROAD. 18

6.2.1. Transfer of Personal Data Abroad. 18

6.2.2. Transfer of Sensitive Personal Data Abroad. 19

6.3       Persons Transferred and Purpose of Data Transfer 19

CHAPTER SEVENTH. 20

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW   20

7.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA. 20

7.1.1. Processing of Personal Data. 20

7.1.2. Processing of Special Categories of Personal Data. 21

CHAPTER EIGHT. 21

8. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING AND FACILITY AND INTERNET SITE VISITORS. 21

8.1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT BUILDING AND FACILITY ENTRANCES AND INSIDE  21

8.1.1. Legal Basis for Camera Surveillance Activity. 21

8.1.2. Execution of Monitoring Activities with Security Cameras in accordance with KVKK. 21

8.1.3. Announcement of Camera Surveillance Activity. 22

8.1.4. Purpose of Camera Surveillance and Limitation to the Purpose. 22

8.1.5. Ensuring the Security of the Data Obtained. 22

8.1.6. Storage Period of Personal Data Obtained through Camera Surveillance Activities. 22

8.1.7. Who has access to the information obtained as a result of monitoring and to whom this information is transferred. 22

8.2. MONITORING OF GUEST ENTRANCES AND EXITS CARRIED OUT AT THE ENTRANCES OF COMPANY BUILDINGS AND FACILITIES AND INSIDE THEM.. 22

8.3. STORAGE OF RECORDS RELATED TO INTERNET ACCESS PROVIDED TO OUR VISITORS IN COMPANY BUILDINGS AND FACILITIES. 22

8.4. WEBSITE VISITORS. 23

CHAPTER NINE. 23

9. THE COMPANY'S METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA, THE OBLIGATION TO DELETE, DESTROY AND ANONYMIZE PERSONAL DATA AND THE STORAGE PERIOD. 23

9.1. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA. 23

9.2. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA. 23

9.2.1. Conditions for Deletion, Destruction and Anonymization of Personal Data. 23

9.2.2. Techniques for Deletion, Destruction and Anonymization of Personal Data. 24

9.2.2.1. Techniques for Deletion and Destruction of Personal Data. 24

9.2.2.2.2. Techniques for Anonymizing Personal Data. 24

9.3. Retention Period of Personal Data. 24

SECTION TEN. 25

10. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR EXERCISING AND EVALUATING THESE RIGHTS  25

10.1 RIGHTS OF THE DATA OWNER AND EXERCISING THESE RIGHTS. 25

10.1.1. Rights of the Personal Data Owner 25

10.1.2. Cases where the Personal Data Owner cannot assert his/her rights. 25

10.1.3. Exercising the Rights of the Personal Data Owner 26

10.1.4. Personal Data Subject's Right to File a Complaint to the Board. 26

10.2. APPLICATIONS FOR INTERCITY COMPANIES. 26

10.3. THE COMPANY'S RESPONSE TO APPLICATIONS. 26

10.3.1. Procedure and Duration of the Company's Response to Applications. 26

10.3.2. Information that the Company may request from the Applicant Personal Data Subject 26

10.3.3. The Company's Right to Refuse the Personal Data Subject's Application. 26

CHAPTER ELEVEN. 27

11. MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE COMPANY'S POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA. 27

CHAPTER TWELVE. 27

12. UPDATES, HARMONIZATION AND AMENDMENTS. 27

PERSONAL DATA PROCESSING POLICY

PART ONE

1. INTRODUCTION

According to Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. The Company pays utmost attention to the protection of personal data, which is a constitutional right; in this context, the Company determines a company policy in accordance with the Law No. 6698 on the Protection of Personal Data ("KVKK"), which regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations of those who process personal data and the procedures and principles to be complied with in order to protect the personal data of real persons whose data it processes. 

Information regarding the identity of the data controller for all kinds of personal data processing activities covered by this Policy is provided below.

Data Controller: Akyacht Yatçılık Sanayi ve Ticaret Anonim Şirketi ("Company")

Address: Sepetlipinar SB Mahallesi, 104. Cad., No:8/2 Başiskele - KOCAELİ

1.2. BUT Ç

The main purpose of this Policy is to make explanations about the personal data processing activity carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and in this context, to ensure transparency by informing all relevant natural persons whose data are processed by the Company mentioned below.

1.3. SCOPE

This Policy is related to all personal data of natural persons detailed in Section 5 below, which are processed automatically or non-automatically provided that they are part of any data recording system. Our Company informs the Personal Data Owners about the Law by publishing this Policy on its website.

1.4. PRIORITY IN THE IMPLEMENTATION OF POLICY AND RELEVANT LEGISLATION

In case of any incompatibility between the legislation in force and the Policy, the Company accepts that the legislation in force will be applied.

1.5. EFFECTIVE DATE

This Policy was issued by the Company and entered into force on December 2023. This Policy is updated in cases where it is necessary to update it and/or when necessary, such as changes in legislation, Board decisions or developments in the sector and in the field of informatics. Changes made within this scope are immediately entered into the text and explanations regarding the changes are entered into the Change Table at the end of the policy.

This Policy and the amendments made to the Policy within the scope of the update shall be deemed to have entered into force upon its publication on the Company's website.

PART TWO

2. PROTECTION OF PERSONAL DATA

The Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.

2.1. OBSERVANCE OF DATA SUBJECT'S RIGHTS AND EVALUATION OF DATA SUBJECTS' REQUESTS

The Company carries out the necessary channels, internal functioning, administrative and technical arrangements to evaluate the rights of personal data owners and to provide the necessary information to personal data owners. 

The requests of personal data owners submitted to the Company are evaluated in accordance with Article 10 of this Policy.

2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data, which are of special importance due to the risk of causing victimization or discrimination when processed unlawfully, are personal data of special nature.

The Company acts sensitively in the protection of sensitive personal data. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided within the Company.

2.3. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

The Company ensures that necessary trainings are organized for business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.

Necessary systems are established to ensure that the current employees of the Company's business units and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired in this regard.

The results of the trainings conducted to raise the awareness of the Company's business units on the protection and processing of personal data are reported to the Company. In this direction, the Company evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. The Company updates and renews its trainings in parallel with the updating of the relevant legislation.

2.4. ENSURING THE SECURITY OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways. In this context, our Company takes technical and administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Board, and conducts or has audits carried out.

2.4.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The Company takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and implementation cost.

2.4.1.1.Technical Measures

Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of personal data are listed below:

    Personal data processing activities carried out within the Company are audited through technical systems established. In this context, ISO 27001 Information Security Management System has been complied with and all environments where personal data are created, processed, stored, displayed and transmitted are subject to technical measures.

    The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism.

    In order to maintain technical competence, the Company's information security infrastructure is audited every year by a third party organization.

    Technically knowledgeable personnel are employed. An Information Security Team was formed and necessary appointments were made.

Technical Measures to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to personal data are listed below:

    Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

    Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis. 

    Access authorizations are limited, and authorizations are regularly reviewed.

    The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and necessary technological solutions are produced.

    Software and hardware including virus protection systems and firewalls are installed.

    Technically knowledgeable personnel are employed.

    Intrusion detection and prevention systems are used and regular vulnerability and penetration tests are conducted.

    Security scans are regularly performed to identify security vulnerabilities in applications where personal data is collected. The vulnerabilities found are closed.

Technical Measures Taken for Storing Personal Data in Secure Environments

The main technical measures taken by the Company to store personal data in secure environments are listed below:

    Systems in line with technological developments are used to store personal data in secure environments.

    Personnel specialized in technical issues are employed.

    Technical security systems are installed for storage areas, the technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism, the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

    Backup programs are used in accordance with the law to ensure that personal data is stored securely.

    Access to data storage areas containing personal data is logged and inappropriate access or access attempts are instantly communicated to the relevant persons.

2.4.1.2 Administrative Measures

Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by the Company to ensure the lawful processing of personal data are listed below:

    Employees are informed and trained on the law on the protection of personal data and the processing of personal data in accordance with the law.

    All activities carried out by the Company are analyzed in detail specific to all business units, and as a result of this analysis, personal data processing activities are revealed specific to the commercial activities carried out by the relevant business units.

    The personal data processing activities carried out by the business units of the Company are determined specifically for each business unit and the activity it carries out.

    In order to ensure the legal compliance requirements determined on a business unit basis, awareness is raised and implementation rules are determined for the relevant business units; the necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of the implementation. 

    In the contracts, internal regulations and related documents governing the legal relationship between the Company and the employees, records that impose an obligation not to process, disclose and use personal data, except for the Company's instructions and exceptions imposed by law, are included and employee awareness is raised and audits are carried out. 

Administrative Measures to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to personal data are listed below:

    Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.

    Access to personal data and authorization processes are designed and implemented within the company in accordance with the legal compliance requirements for processing personal data on a business unit basis.

    Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the KVKK and cannot use it for purposes other than processing, and that this obligation will continue after they leave their duties, and that sanctions will be imposed on them in case of contrary behavior in accordance with both the relevant legislation and the internal regulations of the personnel, and necessary commitments are taken from them in this direction.

    Provisions are added to the contracts concluded by the Company with the persons to whom personal data are transferred in accordance with the law; that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

    Access to all electronic media where personal data is processed by the Company is controlled, security tightenings are made, and violations are detected and examined with the help of security solutions.

    All data transfer routes are kept under control, permissions related to data transfers are audited, data transfer activities are filtered, trace records are taken and protected.

    Track records are continuously analyzed and reported

    Personal data is encrypted in the environments where it is recorded, stored and transmitted, and key management is applied for cryptographic controls within the organization

    Security measures are taken within the scope of information systems, system procurement, development and maintenance.

    Risks and threats are identified. Risk analysis, residual risk and risk handling processes are defined and operated.

Administrative Measures Taken for Storing Personal Data in Secure Environments

The main administrative measures taken by the Company to store personal data in secure environments are listed below:

    Employees are trained to ensure that personal data is stored securely.

    Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions. In the event that an external service is obtained by the Company due to technical requirements for the storage of personal data, the contracts concluded with the relevant companies to which personal data are transferred in accordance with the law include provisions stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

    Access permissions for all environments are designed according to the need-to-know principle. Personnel access rights are revised in cases such as resignation or change of duty. Permissions can only be granted or changed with the approval of the relevant unit supervisor.

2.4.2. Supervision of Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the KVKK, the Company conducts or has the necessary audits carried out within its own organization. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary activities are carried out to improve the measures taken.

2.4.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In the event that personal data processed in accordance with Article 12 of the KVKK is obtained by others through unlawful means, the Company operates a system that ensures that this situation is notified to the relevant personal data owner and the Board as soon as possible.

If deemed necessary by the Board, this situation may be announced on the Board's website or by any other method.

PART THREE

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

The Company strictly complies with the matters specified in the legislation on the processing of personal data.

3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION

3.1.1. Processing in Compliance with Law and Good Faith

The Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required by the purpose.

3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

The Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes necessary measures in this direction. For example, the Company has established a system for personal data subjects to correct and confirm the accuracy of their personal data.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes

The Company clearly and precisely determines the legitimate and lawful purpose of personal data processing. The Company processes personal data as much as is necessary in connection with and necessary for the commercial activity it carries out. The purpose for which personal data will be processed by the Company is determined before the personal data processing activity begins.

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed

The Company processes personal data in a manner that is conducive to the achievement of the specified purposes and avoids the processing of personal data that is not related to the achievement of the purpose or is not needed, and processes personal data limited to the specified purposes. For example, personal data processing activities are not carried out to meet the needs that may arise later.

3.1.5. Storage for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

The Company retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, the Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it keeps it for the minimum period stipulated in the legal legislation to which the relevant activity is subject, and if no period of time is determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by the Company in the event that the period expires or the reasons requiring their processing disappear. Personal data are not stored by the Company with the possibility of future use.

3.2. PROCESSING PERSONAL DATA BASED ON AND LIMITED TO ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE KVKK

Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution, the Company processes personal data only in cases stipulated in the legislation or with the explicit consent of the person.

3.3. PROCESSING OF DATA PROCESSED BY INTERCITY COMPANIES BY THE COMPANY

The Company may also process the personal data processed by Intercity Companies in order to carry out the activities of Intercity Companies in accordance with the principles, objectives and strategies of the Company and to protect the rights and interests of the Company and its reputation. In the event that the personal data sharing between Intercity Companies and the Company takes place within the scope of personal data transfer from the data controller to the data controller within the scope of KVKK, the relevant Intercity Companies shall inform the person that his/her personal data may be sent to the Company during the personal data collection phase.

3.4. DISCLOSURE AND INFORMATION OF THE PERSONAL DATA SUBJECT

In accordance with Article 10 of the KVKK, the Company enlightens Personal Data Owners during the acquisition of personal data. In this context, the Company informs about the identity of the representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.

"Requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, the Company provides the necessary information in case the Personal Data Owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.

3.5. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

The Company acts in strict compliance with the regulations stipulated in the KVKK in the processing of personal data determined as "special quality" by the KVKK. 

Special categories of personal data are processed by the Company in the following cases, provided that adequate measures to be determined by the Board are taken: 

a.     If the personal data subject has explicit consent or

b.     If the personal data subject does not have explicit consent;

    Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,

    Sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

CHAPTER FOUR

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY

In accordance with Article 10 of the LPPD, the Company informs the personal data owner which personal data of which personal data owner groups are processed within the scope of the disclosure obligation, the purposes of processing the personal data of the personal data owner and the retention periods. 

4.1. CATEGORIZATION OF PERSONAL DATA

The following categories of personal data are processed by informing the data subjects in accordance with Article 10 of the LPPD.

PERSONAL DATA CATEGORIZATION

EXPLANATION

Identity Information

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; containing information about the identity of the person; documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality, mother's name-father's name, place of birth, date of birth, age, gender, and information such as tax number, SSI number, signature information, vehicle license plate, etc.

Contact Information 

Information such as telephone number, address, e-mail address, social media accounts, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system

Family Members and Relatives 

Information about the personal data owner's family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; within the framework of the operations carried out by the Company's business units, related to the products and services offered by the Company's affiliates or in order to protect the legal and other interests of the Company and the personal data owner 

Physical Space Security Information 

Personal data clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; personal data related to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings, CCTV recordings, office entry and exit records and records taken at the security point, etc.

Financial Information

Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data owner, and data such as bank account number and information, IBAN number, credit card number and information, balance sheet account information, account transactions breakdown, financial aids, immovable/portable information allocated to the employee by the employer, financial performance, information on assets, surety status, insurance information, credit rating, debt information (loan, mortgage information, execution proceedings, etc.) financial profile, asset data, income/salary information.) financial profile, asset data, income/salary information

Audio/Visual Information 

Information that clearly belongs to an identified or identifiable natural person; photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data, etc.

Personal Information

All kinds of personal data such as payroll information, disciplinary investigation, performance evaluation, employment document records, CV / resume, work permit document, residence permit document, clothing measurements, etc., which are processed partially or completely automatically or non-automatically as part of the data recording system, which clearly belong to an identified or identifiable natural person; processed for obtaining information that will be the basis for the formation of the personal rights of natural persons who have a working relationship with the Company.

Sensitive Personal Data 

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; data specified in Article 6 of the KVKK (e.g. health data including blood type)

Complaints and Suggestions Information

Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data regarding the receipt and evaluation of any request or complaint addressed to the Company

Legal Process Knowledge

Judicial authority correspondence, case file information, etc., which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

Education and Work Information

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; Military Service Status, CV / Resume, Education Status, Past Salary and Premium Information, Reasons for Termination of Previous Employment, Foreign Language Skills, Skills, Education Status, Exam and Training Results, Employment Document (from Former Workplace), SSI Service Transcript, Diploma Sample, Professional Development Certificates, Occupational Information, Job Qualification Status, Career History, etc.

Customer Transaction Information

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; call center records, invoice / check / bill information, order or request information, etc.

Vehicle Information

Vehicle license, license plate etc. information

Employee Performance and Career Development Information

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; the loyalty score, performance evaluation information, work history, professional competencies, interests and hobbies, interview and recruitment evaluations, interview, Education Information, etc. of the real person working for the purpose of conducting recruitment / employment, personnel recruitment processes

Information on Criminal Conviction and Security Measures

Criminal Registry Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system

Transaction Security Information

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; ip address information, website login and exit information, username and password, Password and User Information of the Devices Used by the Employee within the Company, Internal Access and Authorization Information, E-signature, log records, etc.

Transaction Information

Data such as survey information, declaration information, cookie records, which clearly belong to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; processed within the framework of the activities carried out by the Company, related to the services provided or to protect the legal and other interests of the Company and the personal data owner

Health Information

Information on disability status, blood group information, personal health information, information on devices and prostheses used, etc., which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

4.2. PURPOSES OF PROCESSING PERSONAL DATA

The Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVKK. These purposes and conditions;

         It is clearly stipulated in the legislation that the Company is engaged in the relevant activity regarding the processing of your personal data

         The processing of your personal data by the Company is directly related and necessary for the establishment or performance of a contract 

         Processing of your personal data is mandatory for the Company to fulfill its legal obligation

         Provided that your personal data has been made public by you; processing by the Company limited to the purpose of publicization by you 

         Processing of your personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or you or third parties

         It is mandatory to carry out personal data processing activities for the legitimate interests of the Company, provided that it does not harm your fundamental rights and freedoms

         The processing of personal data by the Company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity 

         It is stipulated in the laws for personal data of special nature other than the health and sexual life of the personal data owner 

         In terms of personal data of special nature related to the health and sexual life of the personal data owner, it is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

Terms of Processing

Scope

Example

Law Provision

Tax Legislation, Labor Legislation, Trade Legislation etc.

Employee personal information must be kept in accordance with the legislation.

Performance of the Contract

Contract of Employment, Contract of Sale, Contract of Carriage, Contract of Work, etc.

The processing of your personal data by the Company is directly related and necessary for the establishment or performance of a contract 

Actual Impossibility

A person who is unable to give consent due to actual impossibility or who lacks the power of discernment.

The processing of personal data by the Company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity 

Legal Liability of the Data Controller

Financial Audits, Security Legislation, Compliance with Sector-Focused Regulations.

Processing of your personal data is mandatory for the Company to fulfill its legal obligation

Making Public

Making information about oneself available to the public.

Provided that your personal data has been made public by you; processing by the Company limited to the purpose of publicization by you 

Establishment, Protection and Exercise of Right

Mandatory data to be used for filing lawsuits, registration procedures, all kinds of title deed transactions, etc.

Retention of necessary information about a departing employee during the statute of limitations.

Processing of your personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or you or third parties

Legitimate Interest

Provided that the fundamental rights of the data subject are not harmed, data may be processed if it is mandatory for the legitimate interest of the data controller.

It is mandatory to carry out personal data processing activities for the legitimate interests of the Company, provided that it does not harm your fundamental rights and freedoms

In this context, the Company processes your personal data limited to the following purposes:

         Yacht construction, maintenance, repair and repair works,

         Performance of sales and leasing of marine vessels,

         Execution of after-sales services,

         Planning and execution of corporate sustainability activities,

         Event management,

         Management of relationships with business partners or suppliers

         Providing the necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities,

         Improving service quality and customer satisfaction,

         Follow-up of human resources processes,

         Execution of company personnel recruitment processes

         Supporting the personnel recruitment processes of Intercity Companies

         Execution/follow-up of the Company's financial reporting and risk management processes

         Conducting finance and financial affairs

         Execution/follow-up of company legal affairs

         Planning and execution of corporate communication activities

         Execution of corporate governance activities

         Realization of company and partnership law transactions

         Request and complaint management

         Ensuring the security of company values

         Supporting Intercity Companies in compliance with relevant legislation

         Supporting the planning and execution processes of the fringe benefits and benefits to be provided to the senior executives of the Company and Intercity Companies

         Planning and execution of audit activities to ensure that the activities of Intercity Companies are carried out in accordance with the procedures of Intercity Companies and the relevant legislation

         Supporting Intercity Companies in the realization of corporate and partnership law transactions

         Carrying out activities to protect the reputation of Intercity Companies

         Managing investor relations

         Providing information to authorized institutions due to legislation

         Creation and follow-up of visitor records

         Necessary for the performance of the employment contract

         Fulfillment of legal obligations,

         Labor Law, Occupational Health and Safety Law, Social Security Law and related legislation and other laws and legislation

         Ensuring security within the company

         Performance of customer contracts,

         Management of the company, conduct of business, implementation of company policies

         Ensuring and improving the company's occupational health and safety

         Ensuring the legal and commercial security of the Company and persons in business relations with the Company; determining and implementing human resources policies and business strategies

·         Development and marketing of services in line with our commercial activities

In the event that the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVKK, your explicit consent is obtained by the Company regarding the relevant processing process. 

SECTION FIVE M

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE COMPANY

Personal data owner refers to real persons whose personal data are processed in accordance with Law No. 6698, and although the personal data of the categories of personal data owners listed below are processed by the Company, the scope of application of this Policy is limited to the categories of personal data owners described below.

PERSONAL DATA SUBJECT CATEGORIZATION

EXPLANATION

Employee/Candidate Employee

Real persons who have applied for a job to the Company by any means or who have opened their CV and related information to the Company's review.

Former Employee

Real persons who have applied for a job to the Company by any means or who have opened their resume and related information to the Company's review, but whose employment contract relationship with the Company has ended.

Trainee/Intern Candidate

Real persons who have applied for a job to do their internship at the Company or who have opened their resume and related information to the Company's review.

Real Person Customer/Customer Candidate

Natural persons whose personal data are obtained through the Company's business relations within the scope of the operations carried out by the Company and its business units

Natural Person Supplier/Business Partner/Solution Partner/Stakeholder/Authority/Employee

Real persons who provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while carrying out the Company's commercial activities, real persons with whom the Company has any kind of business relationship, real persons who are its employees' officers or shareholders.

Shareholder

Real persons who are shareholders of the Company

Company Official / Business Partner / Solution Partner

Members of the Company's board of directors and other authorized real persons

Intercity Companies

Other companies in which real and/or legal persons who are shareholders of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders

Contracting Party

Real persons with whom the Company has concluded an employment contract within the scope of the operations carried out by the Company and its business units.

Third natural person

Other natural persons not covered by this Policy and the Company Employees Personal Data Protection and Processing Policy (e.g. guarantors, companions, former employees)

Visitor

Real persons who have entered the physical premises owned by the Company for various purposes

Website Visitor

Real persons who visit the website owned by the Company

Although the categories of persons whose personal data are processed by the Company are within the scope of the above-mentioned scope, persons outside of these categories may also direct their requests to the Company within the scope of KVKK; the requests of these persons will also be evaluated within the scope of this Policy.  

The table below details the categories of personal data subjects mentioned above and the types of personal data processed by the persons within these categories. 

PERSONAL DATA CATEGORIZATION

PERSONAL DATA CATEGORIZATION DESCRIPTION

CATEGORY OF DATA SUBJECT TO WHICH THE RELEVANT PERSONAL DATA RELATES  

Identity Information

Data containing information about the identity of the person; name-surname, Turkish ID number, nationality, place of birth, date of birth, gender, workplace information, registration number, tax number, title, biography, etc. and documents such as driver's license, professional ID, identity card

Company and/or Intercity Companies Customer, Customer Candidate, Employee, Employee Candidate, Former Employee, Intern, Intern Candidate, Company Shareholder, Company Official, Visitor, Intrnet Visitor, Supplier, Employees and Authorities of the Institutions (Business Partner) with which we cooperate, Third Party

Contact Information 

Telephone number, address, e-mail address, fax number, etc.

Company and/or Intercity companies Customer, Customer Candidate, Employee, Employee Candidate, Former Employee, Trainee, Trainee Candidate, Company Shareholder, Company Official, Supplier, Employees, Shareholders and Authorities of the Institutions (Business Partner) with which we are in cooperation, Third Party

Family Members and Relatives 

Family members of the personal data owner processed within the framework of the activities carried out by the Company, related to the services provided or in order to protect the legal and other interests of the Company and the personal data owner

(e.g. spouse, mother, father, child), information about relatives and other persons who can be contacted in case of emergency)

Company and/or Intercity companies Employee, Employee Candidate, Intern, Intern Candidate 

Physical Space Security Information 

Personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, vehicle information records and records taken at the security point, etc.

Company and/or Intercity companies Customers, Customer Candidates, Visitors, Former Employees, Employees, Employee, Employee Candidates, Interns, Intern Candidates, Company Shareholders, Company Authorities, Suppliers, Employees, Shareholders and Authorities of the Institutions (Business Partners) with which we cooperate, Third Parties

Financial Information

Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company and/or Intercity Companies with the personal data subject, and data such as bank account number, IBAN number, income information, debt/credit information

Customer of the Company and/or Intercity companies, Former Employee, Employee, Employee, Employee Candidate, Intern, Intern Candidate, Company Shareholder, Company Official, Supplier, Employees, Shareholders and Authorities of the Institutions (Business Partner) with which we are in cooperation, Third Party

Audio/Visual Information

Photographs and camera recordings (excluding recordings within the scope of Physical Space Security Information) and audio recordings

Company and/or Intercity companies Customer, Customer Candidate, Employee, Employee Candidate, Former Employee, Intern, Intern Candidate, Company Shareholder, Company Official, Visitor, Supplier, Employees and Authorities of the Institutions (Business Partner) with which we are in cooperation, Third Party

Personal Information 

Data such as payroll information, performance evaluation, employment document records, CV/resume, work permit document

Company and/or Intercity companies Employee Candidate, Employee, Former Employee, Intern, Intern Candidate

Sensitive Personal Data 

Data specified in Article 6 of the KVKK,

Prospective Employee, Employee, Former Employee, Intern, Company Shareholder, Company Official

Complaints and Suggestions Information

Personal data relating to the receipt and evaluation of any request or complaint addressed to the Company

Company and/or Intercity companies Customer, Customer Candidate, Employee Candidate, Former Employee, Intern, Intern Candidate, Company Shareholder, Company Official, Visitor, Internet Visitor, Supplier, Employees and Authorities of the Institutions We Cooperate with, Third Party

Legal Procedure and Compliance Knowledge

Personal data processed within the scope of determination and follow-up of our legal receivables and rights and performance of our debts and compliance with our legal obligations and the Company's policies

Company and/or Intercity Customer, Employee, Former Employee, Intern, Company Shareholder, Company Official, Supplier, Relator, Employees and Authorities of the Institutions (Business Partner) with which we are in cooperation, Third Party

Education and Work Information

Educational Background, Past Salary and Bonus Information, Reasons for Termination of Previous Employment, Foreign Language Skills, Skills, Educational Background, Certificate of Employment (from former employer), Diploma Sample, Professional Development Certificates, Occupational Information, Job Qualifications, Career History, etc.

Company and/or Intercity companies Employee, Employee Candidate, Former Employee, Intern, Intern Candidate

Customer Transaction Information

Invoice information, order or request information, etc.

Customers, Prospective Customers, Employees, Suppliers, Suppliers, Employees and Authorities of the Institutions (Business Partners) with which we cooperate with the Company and/or Intercity companies

Vehicle Information

License plate and registration information of the vehicle

Company and/or Intercity companies' Customers, Employees, Former Employees, Interns, Visitors, Suppliers, Employees and Authorities of the Institutions (Business Partners) with which we cooperate, Third Parties

Employee Performance and Career Development Information

Recruitment / employment, performance evaluation information, work history, professional competencies, interview and induction assessments, etc.

Company and/or Intercity companies Employee, Former Employee, Intern

Information on Criminal Conviction and Security Measures

Criminal Record Information,

Company and/or Intercity companies Employee, Employee Candidate, Former Employee, Intern, Intern Candidate

Transaction Security Information

Your personal data processed to ensure our technical, administrative, legal and commercial security during the execution of our activities (e.g. log records, IP information, authentication information)

Customers of the Company and/or Intercity companies, Employees, Former Employees, Interns, Company Shareholders, Company Officials, Visitors, Internet Visitors, Suppliers, Employees and Authorities of the Institutions (Business Partners) with which we cooperate, Third Parties

Transaction Information

Data such as survey information, declaration information, call center records, membership information, cookie records, which are processed within the framework of the activities carried out by the Company, related to the services provided or to protect the legal and other interests of the Company and the personal data owner

Customers of the Company and/or Intercity companies, Customer Candidate, Employee, Former Employee, Intern, Company Shareholder, Company Official, Visitor, Employees and Authorities of the Institutions (Business Partner) with which we cooperate, Third Parties

Health Information

Information on disability status, blood type information, personal health information, etc.

Company and/or Intercity companies Employee, Former Employee, Employee Candidate, Intern, Company Shareholder, Company Official

 

SECTION SIX

6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE COMPANY AND THE PURPOSES OF TRANSFER

6.1 TRANSFER OF PERSONAL DATA

The Company may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, the Company acts in accordance with the regulations stipulated in Article 8 of the KVKK.

6.1.1 Transfer of Personal Data

The Company may transfer personal data to third parties based on and limited to one or more of the following personal data processing conditions in line with legitimate and lawful personal data processing purposes:

         If there is explicit consent of the personal data subject,

If there is a clear regulation in the laws regarding the transfer of personal data,

·         If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid;

         If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

         If personal data transfer is mandatory for the Company to fulfill its legal obligation,

         If the personal data has been made public by the personal data subject,

         If personal data transfer is mandatory for the establishment, exercise or protection of a right, 

         If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

6.1.2. Transfer of Sensitive Personal Data

By taking due care, taking the necessary security measures and taking adequate measures stipulated by the Board; In line with legitimate and lawful personal data processing purposes, the Company may transfer the personal data owner's sensitive personal data to third parties in the following cases. 

a.     If the personal data subject has explicit consent or,

b.     If the personal data subject does not have explicit consent;

    Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law, 

    Personal data of special nature relating to the health and sexual life of the personal data subject can only be accessed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

6.2. TRANSFER OF PERSONAL DATA ABROAD

The Company may transfer personal data and sensitive personal data of the personal data owner to third parties by taking necessary security measures in line with the lawful personal data processing purposes. 

The Company may transfer personal data to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Board has permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection").

6.2.1. Transfer of Personal Data Abroad

In line with the legitimate and lawful personal data processing purposes, the Company may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the presence of one of the following cases if the personal data owner has explicit consent or if the personal data owner does not have explicit consent:

         If there is a clear regulation in the laws regarding the transfer of personal data,

         If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid;

         If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, 

         If personal data transfer is mandatory for the Company to fulfill its legal obligation,

         If the personal data has been made public by the personal data subject,

         If personal data transfer is mandatory for the establishment, exercise or protection of a right, 

         If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

6.2.2. Transfer of Sensitive Personal Data Abroad

By taking due care, taking the necessary security measures and taking adequate measures stipulated by the Board; In line with legitimate and lawful personal data processing purposes, the Company may transfer the personal data of the personal data owner to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the following cases.

a.         If the personal data subject has explicit consent or

b.         If the personal data subject does not have explicit consent;

    Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law, 

    Personal data of special nature related to the health and sexual life of the personal data owner can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

6.3Transferred       Persons and Purpose of Data Transfer

The Company informs the personal data owner of the groups of persons to whom personal data are transferred in accordance with Article 10 of the KVKK.

The Company may transfer the personal data of the data subjects governed by the Policy to the categories of persons listed below:

         Company partners,

         Company suppliers,

         Intercity Companies,

         Company shareholders,

         Company officials,

         Legally authorized public institutions and organizations

         To legally authorized private law persons 

The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are stated below. 

Persons to whom data can be transferred

Definition

Data Transfer Purpose

Business Partner

It defines the parties with whom the Company has established business partnerships for purposes such as carrying out various projects and receiving services, either personally or together with Intercity companies while conducting its commercial activities. 

Limited to ensure the fulfillment of the purposes for which the joint venture was established 

Supplier 

Defines the parties that provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while carrying out the Company's commercial activities. 

Limited to the purpose of providing the Company with the services outsourced by the Company from the supplier and necessary to fulfill the Company's commercial activities. 

Shareholders 

Real persons who are shareholders of the Company

Limited to the purposes of the activities carried out by the Company within the scope of corporate law, event management and corporate communication processes in accordance with the provisions of the relevant legislation

Company Authorities/Company Business and Solution Partners

Company board members and other authorized natural persons

In accordance with the provisions of the relevant legislation, limited to the purposes of designing strategies for the Company's commercial activities, ensuring their management at the highest level and auditing

Legally Authorized Public Institutions and Organizations 

Public institutions and organizations authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation 

Limited to the purpose requested by the relevant public institutions and organizations within the legal authority

Legally Authorized Private Law Persons 

Private law persons authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation

Limited to the purpose requested by the relevant private law persons within their legal authority

Intercity Companies

Other companies in which real and/or legal persons who are shareholders of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders

Limited to the purpose of ensuring that the services necessary to fulfill the Company's commercial activities are provided to the Company. 

CHAPTER SEVENTH

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

The Company informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVKK.

7.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

7.1.1. Processing of Personal Data

The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity.

Although the legal grounds for the processing of personal data by the Company may differ, the Company acts in accordance with the general principles specified in Article 4 of the KVKK in all kinds of personal data processing activities.

         Explicit Consent of the Personal Data Owner: One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.

For personal data processing activities other than the purpose of processing for the reasons for obtaining personal data, at least one of the conditions under this heading is sought; If one of these conditions is not present, these personal data processing activities are carried out by the Company based on the explicit consent of the personal data owner for these processing activities.

For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.

         Explicitly Stipulated in Laws: The personal data of the data subject may be processed in accordance with the law if it is explicitly stipulated in the law. 

·         Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility : The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect his/her or another person's life or physical integrity.

         Direct Relevance to the Establishment or Performance of a Contract: Provided that it is directly related to the conclusion or performance of a contract, it is possible to process personal data if it is necessary to process personal data of the parties to the contract. 

         Fulfillment of the Company's Legal Obligation: Personal data of the data subject may be processed if the processing is mandatory for the Company to fulfill its legal obligations as the data controller.

         Publicization of Personal Data by the Data Subject: If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.

         Data Processing is Mandatory for the Establishment or Protection of a Right: If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the personal data owner may be processed.

         Data Processing is Mandatory for the Legitimate Interest of the Company: Provided that it does not harm the fundamental rights and freedoms of the personal data owner, data data may be processed if data processing is mandatory for the legitimate interests of the Company.

7.1.2. Processing of Sensitive Personal Data

Special categories of personal data are processed by the Company in the following cases if the personal data owner does not have explicit consent, provided that adequate measures to be determined by the Board are taken: 

         Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,

         Personal data of special nature relating to the health and sexual life of the personal data subject can only be accessed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

CHAPTER EIGHT

8. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING AND FACILITY AND INTERNET SITE VISITORS

Personal data processing activities carried out by the Company at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, KVKK and other relevant legislation.

In order to ensure security, the Company carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in the Company buildings and facilities.

Personal data processing activity is carried out by the Company through the use of security cameras and recording of guest entrances and exits.

8.1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT BUILDING AND FACILITY ENTRANCES AND INSIDE

In this section, explanations will be made regarding the Company's camera surveillance system and information will be provided on how personal data, confidentiality and fundamental rights of the person are protected. 

Within the scope of security camera surveillance activity; the Company aims to protect the interests of the company and other persons in ensuring the security of the company and other persons.

8.1.1. Legal Basis for Camera Surveillance

Camera surveillance activities carried out by the Company are carried out in accordance with the Law on Private Security Services and the relevant legislation.

8.1.2. Execution of Monitoring Activities with Security Cameras According to KVKK

The Company acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. The Company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK. 

8.1.3. Announcement of Camera Surveillance Activities

The personal data owner is informed by the Company in accordance with Article 10 of the LPPD.  The Company notifies the personal data subject with more than one method regarding the camera surveillance activity of the information it provides regarding general issues. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency and enlightenment of the personal data owner. 

The Company publishes this Policy on the Company's website for camera surveillance and hangs a notification letter regarding the surveillance at the entrances of the areas where surveillance is carried out.

8.1.4. Purpose and Limitation of Camera Surveillance

In accordance with Article 4 of the KVKK, the Company processes personal data in a limited and measured manner in connection with the purpose for which they are processed.

The purpose of the Company's video camera monitoring activities is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, the number and the time of monitoring of the security cameras are sufficient to achieve the security purpose and are limited to this purpose. Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.

8.1.5. Ensuring the Security of the Data Obtained

In accordance with Article 12 of the LPPD, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera surveillance activities.

8.1.6. Storage Period of Personal Data Obtained through Camera Surveillance

Detailed information on the Company's retention period for personal data obtained through camera surveillance activities is provided in Article 9 of this Policy titled Retention Periods of Personal Data.

8.1.7. Who Has Access to the Information Obtained as a Result of Monitoring and to Whom This Information is Transferred

Only a limited number of Company employees have access to the records recorded and stored digitally with live camera footage. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking. 

8.2. MONITORING OF GUEST ENTRANCES AND EXITS CARRIED OUT AT AND INSIDE COMPANY BUILDINGS AND FACILITIES

The Company carries out personal data processing activities to ensure security and to monitor guest entrances and exits in the Company buildings and facilities for the purposes specified in this Policy. 

While the names and surnames of the persons who come to the Company premises as guests are obtained or through the texts posted in the Company or otherwise made available to the guests, the personal data owners in question are enlightened within this scope. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are recorded in the data recording system in a physical environment.

8.3. STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO OUR VISITORS IN COMPANY BUILDINGS AND FACILITIES

For the purposes of ensuring security by the Company and for the purposes specified in this Policy; Internet access can be provided by the Company to our Visitors who request it during your stay in our buildings and facilities. In this case, log records regarding your internet access are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law; These records are processed only upon request by authorized public institutions and organizations or in order to fulfill our legal obligation in the audit processes to be carried out within the Company. 

Only a limited number of Company employees have access to the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations and share them with legally authorized persons. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking. 

8.4. WEBSITE VISITORS

On the websites owned by the Company; In order to ensure that visitors to these sites perform their visits on the sites in accordance with their visit purposes; In order to be able to show them customized content and to engage in online advertising activities, it records internet movements within the site by technical means (e.g. cookies-cookie), provided that users are given the option to change this setting from browsers.

Detailed explanations regarding the protection and processing of personal data regarding these activities are available on the relevant websites. 

 

CHAPTER NINE

9. THE COMPANY'S METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA, THE OBLIGATION TO DELETE, DESTROY AND ANONYMIZE PERSONAL DATA AND THE STORAGE PERIOD

9.1. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA

For the purpose of checking compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, Personal Data is collected in all kinds of verbal, written, electronic media; by technical and other methods, through various means such as call center, Company website, mobile application, in order to fulfill the responsibilities arising from the law within the framework of legislation, contract, request and optional legal reasons in order to fulfill the purposes set out in the Policy, and is processed by the Company or data processors assigned by the Company.

9.2. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, the Company deletes, destroys or anonymizes Personal Data ex officio or upon the request of the data owner in the event that the reasons requiring its processing disappear, although it has processed it in accordance with the provisions of this Law and other laws. With the deletion of Personal Data, this data is destroyed in such a way that it cannot be used and recovered in any way again. Accordingly, Personal Data shall be irreversibly deleted from the documents, files, CDs, diskettes, hard disks, etc. in which they are stored. Destruction of Personal Data, on the other hand, refers to the destruction of materials suitable for storing data such as documents, files, CDs, diskettes, hard disks, etc. in which the data is recorded in such a way that the information cannot be recovered and used again. Anonymization of data means making Personal Data impossible to be associated with an identified or identifiable natural person even if it is matched with other data.

9.2.1. Conditions for Deletion, Destruction and Anonymization of Personal Data

Although the Company has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized upon the Company's own decision or upon the request of the personal data owner if the reasons requiring its processing disappear.

Detailed regulations regarding the Company's techniques for the storage, deletion, destruction and anonymization of Personal Data are included in the Personal Data Retention and Destruction Policy published on the Company's website.

Although it has been processed in accordance with the provisions of the relevant law, personal data shall be deleted, destroyed or anonymized upon the decision of the Company or upon the request of the personal data owner if the reasons requiring its processing disappear. In this context, the Company fulfills its relevant obligation by the methods described in this section.

9.2.2. Techniques for Deletion, Destruction and Anonymization of Personal Data

9.2.2.1. Techniques for Deletion and Destruction of Personal Data

Although the Company has been processed in accordance with the provisions of the relevant law, it may delete or destroy personal data based on its own decision or upon the request of the personal data owner if the reasons requiring its processing disappear. The most commonly used deletion or destruction techniques used by the Company are listed below:

         Physical Destruction: Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When such data is deleted/destroyed, the system of physically destroying the personal data in a way that cannot be used later is applied.

         Secure Deletion from Software: When deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that cannot be recovered again.

         Secure Erasure by an Expert: In some cases, the Company may hire an expert to erase personal data on its behalf. In this case, personal data is securely deleted/destroyed by the expert in a way that cannot be recovered again.

9.2.2.2.2. Techniques for Anonymizing Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. The Company may anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law disappear.

In accordance with Article 28 of the KVKK; anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of KVKK and the explicit consent of the personal data owner will not be sought. Since personal data processed by anonymization will be outside the scope of KVKK, the rights set out in Section 10 of the Policy will not apply to this data. The most commonly used anonymization techniques used by the Company are listed below.

         Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.  Example: By removing the information such as name, T.R. Identity Number, etc. that enables the identification of the personal data owner, the personal data owner is transformed into a data set where it becomes impossible to identify the personal data owner.

         Aggregation With the data aggregation method, many data are aggregated and personal data cannot be associated with any individual.  Example: Revealing that there are Z number of employees of X age without showing the ages of the employees individually.

         Data Derivation: With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person.  Example: Specifying ages instead of dates of birth; specifying the region of residence instead of the street address.

         Data Hashing: With data hashing method, the values in the personal data set are mixed to break the link between the values and the persons.  Example: Changing the quality of voice recordings to make it impossible to associate the voices with the data subject. 

9.3. Retention Period of Personal Data

The Company stores Personal Data for the period specified in this legislation, if stipulated in the legislation. If a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the Company's practices and commercial life, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymized.

If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and the Company have expired; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples in the requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

SECTION TEN

10. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR EXERCISING AND EVALUATING THESE RIGHTS

The Company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the KVKK and guides the personal data owner on how to exercise these rights, and the Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to inform the personal data owners.

10.1 RIGHTS OF THE DATA SUBJECT AND EXERCISING THESE RIGHTS

10.1.1. Rights of the Personal Data Owner

Personal data subjects have the following rights: 

         Learn whether personal data is being processed,

         Request information if their personal data has been processed,

         To learn the purpose of processing personal data and whether they are used for their intended purpose,

         To know the third parties to whom personal data are transferred domestically or abroad,

         To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

         Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

         To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

         In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

10.1.2. Cases where the Personal Data Owner cannot assert his/her rights

Pursuant to Article 28 of the KVKK, personal data owners cannot assert the rights of personal data owners listed in 10.1.1. in these matters, since the following cases are excluded from the scope of KVKK:

         Processing of Personal Data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and the obligations regarding data security are complied with.

         Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

         Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.

         Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

         Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

Pursuant to Article 28/2 of the KVKK; In the cases listed below, personal data owners cannot assert their other rights listed in 10.1.1. except for the right to demand compensation for the damage: 

         Processing of personal data is necessary for the prevention of crime or criminal investigation.

         Processing of personal data made public by the personal data subject himself/herself.

         Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.

         Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

10.1.3. Exercising the Rights of the Personal Data Owner

Personal Data Owners will be able to submit their requests regarding their rights listed in this section to the Company free of charge by filling out and signing the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board:

·         akyacht.com After filling in the form found at the address of the applicant, a copy of the form with wet signature must be sent to the address "Sepetlipınar SB Mahallesi, 104. Cad., No: 8/2, Başiskele/Kocaeli" by hand, registered mail with return receipt or notary public,

         After filling out the form on

         With mobile signature,

         Submitting the application form to [email protected] by using the e-mail address previously notified to the Company and registered in the Company system.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

10.1.4. Personal Data Owner's Right to File a Complaint to the Board

The personal data owner may file a complaint to the Board within thirty days from the date of learning the Company's response and in any case within sixty days from the date of application in case his/her application is rejected, the response is found insufficient or the application is not responded in due time in accordance with Article 14 of the KVKK.

10.2. APPLICATIONS FOR INTERCITY COMPANIES

If applications regarding the personal data processing activities of Intercity Companies are made to the Company, these applications are also processed and finalized by the Company.

10.3. THE COMPANY'S RESPONSE TO APPLICATIONS

10.3.1. Procedure and Duration of the Company's Response to Applications

In the event that the personal data owner submits his/her request to the Company in accordance with the procedure in the section titled 10.1.3. of this section, the Company will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the Board, the Company will charge the applicant the fee in the tariff determined by the Board.

10.3.2. Information that the Company may request from the Applicant Personal Data Subject

The Company may request information from the relevant person in order to determine whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, the Company may ask the personal data owner questions about the application.

10.3.3. The Company's Right to Reject the Application of the Personal Data Owner

The Company may reject the application of the applicant by explaining its reasoning in the following cases:

         Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

         Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

         Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

         Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

         Processing of personal data is necessary for the prevention of crime or criminal investigation.

         Processing of personal data made public by the personal data subject himself/herself.

         Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.

         Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

         The request of the personal data owner is likely to prevent the rights and freedoms of other persons

         Demands were made that required disproportionate effort.

         The requested information is publicly available.

CHAPTER ELEVEN

11. MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE COMPANY'S POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

A Personal Data Committee has been established within the Company in accordance with the decision of the Company's senior management to manage this Policy and other policies related and related to this Policy.  The Personal Data Committee is authorized and tasked with taking the necessary actions for the storage and processing of Personal Data Owners' data in accordance with the law, this Policy and other policies related and related to this Policy. The Personal Data Retention and Destruction Policy published on the Company's website contains detailed regulations regarding the persons assigned to the Personal Data Committee and their duties.

CHAPTER TWELVE

12. UPDATES, HARMONIZATION AND AMENDMENTS

AMENDMENT TABLE

Amended Article

Amendment Date

Reason for Amendment