Personal Data Protection Clarification Text

General Clarification Statement on the Processing of Personal Data

1. Purpose and Scope of the Statement
In line with the importance attached by Akvizyon Grup Hizmetleri Org. ve Dış Tic. Ltd. Şti. (……………………/COMPANY) to personal data, this statement sets forth the COMPANY’s approach, internal regulations and measures regarding the protection and processing of the personal data of our customers, potential customers, employees, job candidates, company shareholders, company officials, visitors, employees, shareholders and officials of institutions with which we cooperate, and third parties. It has been prepared primarily to inform these persons and the relevant third parties.

This Statement relates to all personal data of the relevant persons that are processed either automatically or non-automatically, provided that such processing is part of any data recording system.

This General Clarification Statement on the Processing of Personal Data (“Statement”) issued by the COMPANY is dated 01.04.2018. If the whole Statement or certain articles thereof are renewed, the effective date and version of the Statement will be updated. The Statement is published on our company’s website (……………..) and made available to the relevant persons upon the request of personal data owners.

2. Data Subject Categories of the Company

  • Company Personnel: Refers to personnel working within the Company, even under various dealership structures.
  • Customer: Refers to persons or institutions that apply to the Company in person and/or via the internet to purchase products and services.
  • Customer Employee/Authorized Person: Refers to the employees and/or authorized persons of corporate customers who are in communication with the Company.
  • Potential Customer: Refers to persons or institutions that may apply to the Company in person and/or via the internet to purchase products and services.
  • Potential Customer Employee/Authorized Person: Refers to the employees and/or authorized persons of corporate potential customers who are in communication with the Company.
  • Visitor: Refers to persons who physically visit the Company’s premises or visit via the internet.
  • Third Party: Refers to natural persons related to the persons mentioned above, in order to ensure the commercial transaction security between the Company and such parties or to protect the rights and provide benefits for the persons mentioned.
  • Job Candidate: Refers to persons who have applied for a job with the Company through any means or have made their résumé available for the Company’s review.
  • Company Shareholder: Refers to natural persons who are shareholders of the Company.
  • Company Official: Refers to the chairman of the board, board members and other authorized natural persons of the Company.
  • Companies, Legal Entities, Officials and Employees in Cooperation: Refers to all legal entities with which the Company is in cooperation and their officials and employees.

3. Company Personal Data Categories

  • Identity Information
  • Contact Information
  • Customer Information
  • Customer Transaction and Request Information
  • Physical Space and/or Security Information
  • Transaction Security Information
  • Risk Management Information
  • Financial Information
  • Job Candidate Information
  • Legal Transaction and Compliance Information
  • Special Categories of Personal Data
  • Marketing Information
  • Product and Service Request Information

4. Principles Regarding Personal Data
a. Processing of Personal Data
The Company processes personal data in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law (KVKK) as follows:

  • In compliance with the law and the principles of honesty,
  • Accurately and, where necessary, up to date,
  • For specific, explicit and legitimate purposes,
  • In a manner that is relevant, limited and proportionate to the purpose,
  • By retaining them for the period stipulated by the legislation or required by the purpose of processing personal data,
  • Based on one or more of the conditions specified in Article 5 of the KVKK.

In accordance with Article 20 of the Constitution and Article 10 of the KVKK, during the acquisition of such personal data, the Company informs the data subjects about:

  • The title Akvizyon Grup Hizmetleri Org. ve Dış Tic. Ltd. Şti.,
  • For what purpose the personal data will be processed,
  • To whom and for what purpose the processed personal data may be transferred,
  • The method and legal basis of collecting personal data,
  • The rights of the personal data owner.

b. Purpose of Processing Personal Data
Personal data are processed by the COMPANY within the scope of the purposes stated in Article 5 of the KVKK and listed below:

  • Where processing of personal data is mandatory for the Company to fulfill its legal obligations,
  • Where processing of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company, data subjects or third parties,
  • Where processing is mandatory for the protection of the life or physical integrity of the personal data owner or another person, and where the personal data owner is unable to express consent due to actual impossibility or legal invalidity,
  • Where the Company’s relevant activity regarding the processing of personal data is explicitly stipulated by laws,
  • Where processing of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
  • Where personal data are processed by the Company in a limited manner in line with the purpose of being made public, provided that the personal data have been made public,
  • Where processing of personal data is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

Special Categories of Data:
Article 6 of the KVKK defines certain personal data as “special categories” because, if processed unlawfully, they may cause victimization or discrimination. These include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Special categories of personal data are processed by the Company, provided that adequate measures determined by the Personal Data Protection Board are taken, in the following cases:

  • Special categories of personal data other than those relating to health and sexual life, in cases stipulated by law,
  • Special categories of personal data relating to health and sexual life only by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

Where the data processing conditions specified above are not present, explicit consent is obtained from the data subject by the Company.

Within the scope of the conditions specified above, personal data are processed by the Company for the purposes stated below.

  • For ensuring the implementation of the Company’s human resources policies; carrying out HR operations in accordance with the Company’s HR policies, supplying personnel suitable for open positions, fulfilling obligations within the framework of occupational health and safety and taking the necessary measures,
  • For ensuring the fulfillment of the Company’s legal and commercial obligations and those of persons in business relations with the Company; administrative communication operations carried out by the Company, service-related operations, ensuring the physical security and supervision of the Company’s locations, business partner/customer/supplier (authorized persons, employees or shareholders) evaluation processes, legal and commercial risk analyses, legal compliance processes, and the conduct of financial affairs,
  • For carrying out the necessary studies to recommend the products and services offered by the Company to customers by customizing them according to customers’ tastes, usage habits and needs; one-to-one and/or integrated marketing activities, sales and after-sales operations carried out by the Company,
  • For determining and implementing the Company’s commercial and business strategies; financial operations, communication, market research and social responsibility activities, procurement operations (request, quotation, evaluation, order, budgeting, contract) and sales operations (quotation, evaluation, order, contract).

These may also include internal system and application management operations and legal operations management. Personal data processed by the Company within the scope of this Statement and the categories of data subjects whose data are processed are set out categorically.

c. Transfer of Personal Data
Within the scope of the purposes stated in this Statement, the Company may transfer the personal data referred to herein to the persons and institutions stated below for the purposes stated below:

  • To legally authorized public institutions and organizations, limited to the purpose requested within their legal authority,
  • To legally authorized private law persons, limited to the purpose requested within their legal authority,
  • To the Company’s business partners, limited to ensuring the fulfillment of the purposes for which the business partnership was established,
  • To the Company’s suppliers, limited to ensuring the provision of the services necessary for carrying out the Company’s commercial activities,
  • To the Company’s affiliates, in order to ensure the execution of commercial activities requiring the participation of the Company’s affiliates,
  • To affiliates, consultants and service providers for the purposes of designing strategies related to the Company’s commercial activities, risk management, financial consolidation, auditing and compliance with company policies,
  • To the Company’s shareholders for the purposes of designing strategies and auditing regarding the Company’s commercial activities in accordance with the relevant legislation.

Personal data will be transferred by the Company in cases where adequate protection is committed to in writing and the approval of the Board is available.

ç. Method and Legal Basis of Collecting Personal Data
Your personal data are collected by the Company through different channels and based on different legal reasons for the purposes of providing and improving the products and services offered and carrying out commercial activities. Personal data collected in this process are obtained through employees and representatives or through public databases within the scope of the relevant legislation, based on the legal reason of conducting commercial activities. Personal data collected on this legal basis may also be processed and transferred for the purposes specified in this Clarification Text within the scope of the personal data processing conditions and purposes stated in Articles 5 and 6 of Law No. 6698.

d. Retention and Deletion of Data
The Company retains the personal data it processes for the periods determined by legislation. If no period is specifically determined in the legislation, personal data are retained for the period required by the Company’s practices and the customs of commercial life in connection with the services offered while processing such data, and thereafter only for the periods demonstrated as necessary in practice in order to serve as evidence in possible legal disputes. At the end of the specified periods, such personal data are deleted, destroyed or anonymized in such a way that, even if matched with other data, they can in no way be associated with an identified or identifiable natural person.

5. Rights of the Data Subject
Article 20 of the Constitution provides that everyone has the right to be informed about personal data concerning them, and Article 11 of the KVKK regulates the “right to request information” among the rights of the personal data owner. In this context, the Company provides the necessary information where the personal data owner requests information; and through this Statement, informs the data subject about how this right to request information may be exercised and how such requests will be evaluated.

Personal data owners have the right to:
  • Learn whether personal data are processed,
  • Request information if personal data have been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with that purpose,
  • Know the third parties to whom personal data are transferred domestically or abroad,
  • Request correction of personal data if they are incomplete or incorrectly processed, and request notification of such correction to third parties to whom the personal data have been transferred,
  • Request deletion or destruction of personal data where the reasons requiring processing cease to exist, although they have been processed in accordance with the KVKK and other relevant laws, and request notification of such operation to third parties to whom the personal data have been transferred,
  • Object to the emergence of a result against the person through analysis of processed data exclusively by automatic systems,
  • Request compensation for the damage in case personal data are processed unlawfully.

Pursuant to Article 28/2 of the KVKK, except for the right to request compensation for damage, personal data owners may not assert the rights listed above in the following cases:

  • Where personal data processing is necessary for the prevention of crime or for a criminal investigation.
  • Where personal data that the personal data owner has made public themselves are processed.
  • Where personal data processing is necessary for the execution of supervision or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations authorized by law and professional organizations in the nature of public institutions.
  • Where personal data processing is necessary for the protection of the State’s economic and financial interests in matters related to budget, tax and financial issues.

Personal data owners may submit their requests regarding the rights specified above to the Company’s Human Resources department by means of a wet-signed petition. If a person other than the personal data owner will make the request, a special power of attorney issued by the personal data owner in the name of the applicant must be available.
Requests duly submitted to the Company will be concluded within fifteen days at the latest. If the fulfillment of such requests additionally requires a cost, the relevant fee will be charged to the applicant by the Company.

The Company may request information from the applicant to determine whether the applicant is the personal data owner and may ask questions to the personal data owner in order to clarify the matters stated in the application.

The Company may reject the application of the applicant by explaining the reason in the following cases:

  • Where personal data are processed for purposes such as research, planning and statistics by anonymizing them through official statistics.
  • Where personal data are processed for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy or personal rights are not violated and no crime is committed.
  • Where personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law for ensuring national defense, national security, public security, public order or economic security.
  • Where personal data are processed by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
  • Where personal data processing is necessary for the prevention of crime or for a criminal investigation.
  • Where personal data that the personal data owner has made public themselves are processed.
  • Where personal data processing is necessary for the execution of supervision or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations authorized by law and professional organizations in the nature of public institutions.
  • Where personal data processing is necessary for the protection of the State’s economic and financial interests in matters related to budget, tax and financial issues.
  • Where the request of the personal data owner is likely to prevent the rights and freedoms of other persons.
  • Where the requests require disproportionate effort.
  • Where the information requested is publicly available.

Pursuant to Article 14 of the KVKK, in cases where the application is rejected, the response is found insufficient, or the application is not responded to in due time, the personal data owner may file a complaint with the Board within fifteen days from the date of learning the Company’s response and in any case within thirty days from the date of application.

6. Security of Personal Data
a. Security Measures
In accordance with Article 12 of the KVKK, the Company takes the necessary measures and controls to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to data and ensure the preservation of data, and carries out or has carried out the necessary audits in this context. The measures and controls taken by the Company in this regard are listed below:

  • Employing personnel who are knowledgeable in establishing and operating systems in compliance with the principles regarding the processing of personal data and the relevant legislation,
  • Providing training to personnel in order to ensure that they are informed about personal data, and including provisions in personnel contracts regarding compliance with personal data protection legislation and the Company’s implementation rules,
  • Using backup programs in compliance with the legislation to ensure secure storage of personal data,
  • In cases where a service covering personal data processing processes is outsourced, including provisions in contracts with outsourced companies stating that they will take the necessary security measures to protect personal data and ensure compliance with such measures within their own organizations,
  • Evaluating personal data processing processes in all activities carried out by the Company within the scope of the data processing conditions regulated by the KVKK and taking the necessary technical and organizational measures to ensure that such processes are carried out in compliance with the provisions of the KVKK,
  • Determining and implementing practice rules regarding the management of personal data processing processes and the compliance structure, including measures and controls,
  • Maintaining and supervising personal data processing processes and the systems related to these processes through management systems having technical and organizational features.

b. Audit
In accordance with Article 12 of the KVKK, the Company carries out or has carried out the necessary audits within its own structure. The results of these audits are reported to the relevant department within the scope of the Company’s internal functioning, and the necessary activities are carried out to improve the measures taken. Necessary systems are established and training is provided to employees in order to create awareness regarding the protection of personal data among current employees of the Company’s business units and employees newly included in such business units.

c. Data Breach Management
In accordance with Article 12 of the KVKK, the Company operates a system that ensures that, in the event the personal data processed are obtained by others through unlawful means, this situation is notified to the relevant personal data owner and the Board as soon as possible. If deemed necessary by the Board, this situation may be announced on the Board’s website or by another method.