İ Z B A Ş

MENU

Vision

Developing as a world-class free zone.

Mission

To prepare the approprıate envıronment ın whıch domestıc and foreıgn ınvestors wıll operate effıcıently, to attract ınvestors to the regıon and to serve the development of the regıon by provıdıng corporate development ın an envıronment where requırements and expectatıons are met.

Policies

PURPOSE, SCOPE AND ADOPTION OF INFORMATION SECURITY BY MANAGEMENT

İZBAŞ accepts corporate information as an extremely valuable asset. Information is critical to the sustainability of our business activities and must be properly protected. İZBAŞ aims to minimize the risks that may arise regarding the Confidentiality, Integrity and Usability of corporate information and the effects of these risks by applying the Information Security Management System (ISMS) ISO 27001 standard.

This policy has been approved by İZBAŞ General Manager.

İZBAŞ has adopted the following issues in particular:

  • To ensure the confidentiality, integrity and availability of İZBAŞ information and information systems
  • To identify the risks to information assets and to manage the risks systematically,
  • To fulfill the requirements of Information Security Standards,
  • To comply with all legal legislation related to Information Security,
  • To evaluate and carry out the works of continuous improvement opportunities in order to maintain the Information Security Management System,
  • To carry out trainings in a way to improve technical and behavioral competencies in order to increase information security awareness,
  • Preparation and publication of other sub-procedures connected to this policy by the IT Supervisor.

İZBAŞ's Information Security Policies are valid and mandatory for all İZBAŞ personnel using İZBAŞ information or business systems, regardless of geographical location or business unit, whether full-time or part-time, permanent or contracted. All persons, such as third party service providers and their affiliated support personnel, who do not fall under these classifications and need access to İZBAŞ information, must adhere to the general principles of this policy and other security responsibilities and obligations they have to comply with.

 

RESPONSIBILITIES OF ALL EMPLOYEES

The purpose of Information Security and this policy is to protect, maintain and manage the confidentiality, integrity and availability of information and all support business systems, processes and applications. This means keeping the information of İZBAŞ in the authorized hands; ensuring that the information is complete, accurate and usable; and ensuring that the information and systems are ready for use when necessary. For this reason, all İZBAŞ and its employees are responsible for performing their work in a way that ensures that the information is protected within İZBAŞ, regardless of their position or duties.

In addition to ensuring that the information of İZBAŞ is complete, accurate and ready to use, all İZBAŞ personnel must also comply with the principles of protection of confidential information and İZBAŞ Business Ethics.

İZBAŞ undertakes to take the measures specified in the Personal Data Protection Law and to work in full compliance with the Personal Data Protection Law.


POLICY OWNERSHIP AND PROVIDING GUIDANCE IN INFORMATION SECURITY

The functional ownership of this policy and all standards and other supporting documents and training activities will be carried out by the IT Officer and will also be a source of advice and guidance regarding the implementation of the policy throughout İZBAŞ.

The IT Officer will ensure that all employees receive appropriate training to ensure an appropriate level of awareness of Information Security issues and will guide them in handling information security incidents in general. Where necessary, it will ensure that this policy is supported by detailed standards, procedures and processes and is ready for use as needed. It will also be responsible for ensuring that these policy requirements are passed on to all employees (permanent or periodic) and all contractor personnel.

The Information Processing Supervisor shall be responsible for the establishment and continuity of the general management framework related to Information Security and for the continuous review of this policy in such a way as to ensure that it lives up to date and continues to reflect the changes in the risk environment or threats faced by İZBAŞ's business-related requirements or information and information systems.

Information Security policies are reviewed at least once a year in parallel with the asset and risk updates made to reflect the current risks faced by İZBAŞ information assets. Information Security Policies are updated by making new necessary additions to keep new risks and changes in risks under control. In addition, any İZBAŞ employee may request the IT Officer to change the policies in order to improve the Information Security Policies and better reflect the controls required by İZBAŞ. Requests are handled and evaluated by the IT Officer.

The principles of Information Security Policy should be applied in parallel with the Rules of the Personnel Regulation of İZBAŞ Human Resources. Employees are also responsible for being aware of and complying with the Information Security Policy.

SUPERVISION AND COMPLIANCE WITH POLICIES AND RESOLUTION OF NON-COMPLIANCE

Each unit manager is primarily responsible for taking the necessary measures to ensure compliance with the Information Security Policy and monitoring the system.

The IT Officer is responsible for the periodic inspection and reporting of compliance with all published policies and procedures and related standards, especially the Information Security Policy.

Violations of the Information Security Policy may cause İZBAŞ to be harmed as a result of the failure to implement the necessary controls against the risks, as well as to incur criminal liability according to the new Turkish Penal Code and to compensate for material damages. Therefore, such violation may also be a violation of İZBAŞ Disciplinary Procedure and may result in disciplinary action. Violations of the Information Security Policy determined as a result of both surveillance, inspection and notification may result in internal disciplinary penalties that may be applied until the termination of employment or even the initiation of judicial and criminal legal proceedings.

Working together on the implementation of this policy will help to continuously protect our knowledge and reputation and ensure the continuity of the success of our business.


OBJECTIVES

İZBAŞ Information Security aims to protect İZBAŞ's reputation, reliability and information assets, and to ensure that basic and supportive business activities continue with the least possible interruption:

  • To ensure the continuity of information systems,
  • To maximize the level of compliance of employees with awareness, awareness and security requirements,
  • To ensure that the compliance with the contracts made with third parties is fully established,
  • Minimizing information security breaches and turning them into learning opportunities,
    • Production, access and storage of information in full compliance with the law,
    • Implement the most up-to-date and effective technical security controls.

Each İZBAŞ employee is responsible for contributing to these goals.

IT IS TO LEAVE A LIVABLE ENVIRONMENT TO FUTURE GENERATIONS BY ACTING WITH THE AWARENESS OF SUSTAINABLE DEVELOPMENT.

  • We accept all segments of society and our suppliers who are active in the environment and will help realize our environmental policies as "partners".
  • We identify the negative environmental effects (temporary and permanent disturbances we give to the environment, etc.) arising from our activities, develop new criteria, methods to minimize them and share practices and information with the relevant parties for their implementation.
  • By sharing our knowledge and experience with our employees and partners, we ensure the development of environmental awareness, the protection of the environment on the basis of human, plant presence(flora) and animal presence(fauna), and the efficient use of energy and natural resources.
  • We take and implement measures to minimize environmental damage in case of any accident or emergency that may occur during our activities.
  • We adopt the principle of complying with these requirements by following all legal legislation, scientific research and technological developments, and continuously improving environmental performance, and we constantly monitor and try to improve our environmental management performance.
  • We reduce negative environmental impacts on the environment and society and contribute to the development of healthier generations in a healthy environment, prevention of pollution, separation and disposal of waste.
  • We disclose our environmental policy to third parties.

In the services carried out by our organization within the scope of its content;

  • We accept our users, all segments of the society and suppliers as our "partners" who will help in the implementation of our occupational health and safety policies.
  • We determine and take precautions against OHS risks arising from the works carried out within the scope of Free Zone Establishment and operation.
  • We undertake to identify the legal conditions,  hazards and risks arising from our activities and to define, implement, maintain and periodically review their suitability within the OHS management system.
  • We follow the developing technology and develop new occupational health and safety criteria and procedures, and exhibit an effective information and participatory approach with relevant parties and all our employees for its implementation.
  • We meet the training needs of our employees and ensure their active participation in the decisions to be taken by communicating their responsibilities related to occupational health and safety.
  • We continuously monitor and improve our Occupational Health and Safety performance.
  • We review and renew existing working procedures and eliminate risks that may threaten occupational health and safety. For this reason, our main principle is "HUMAN FIRST".
  • We make every effort to prevent accidents and occupational diseases and to protect the health of our employees.
  • We take and implement measures to minimize the damages that may occur in case of any accident or emergency that may occur during our activities.
  • We ensure a safe and healthy work environment for all employees and related parties in our field by complying with OHS Rules at a high level, reducing risks and taking protective and preventive measures.
  • We disclose our occupational health and safety policy to all relevant parties.
  • We disclose our environmental policy to third parties.

In the products and services carried out by our organization within the scope of activity of Free Zone founder and operator (Regional founder and operator "BMI", Workplace rental and Warehouse);

As İzmir Serbest Bölge Kurucu ve İşleticisi A.Ş., while providing infrastructure and services to all its employees and users in a healthy and safe environment within the framework of the Free Zones Law and other relevant legislation;

  • We accept all segments of society that will benefit from our services and help to realize our policies as our "partner" and consider customer satisfaction as the main purpose of all our activities.
  • We take these criteria as a basis by complying with national/international standards, legal and technical legislation.
  • In line with developing needs and demands, we share our services for their implementation by improving them.
  • We meet the training needs of our employees and contribute to total development by sharing our knowledge and experience with our employees and partners.
  • In our activities, we prioritize all kinds of national and human values, business ethics and economic sustainability.
  • We aim to be a brand in our field of activity and thus gain the trust of our parties.
  • We review and renew all our activities and practices and ensure continuous improvement.

İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Approved by the Directors Board.

ABBREVIATIONS AND CONCEPTS

KVKK/Law

Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677

GDPR

EU (European Union) General Data Protection Regulation

Constitution

The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863

Data Processor

Except for the person or unit responsible for technical storage, protection and backup of the data, the person who processes personal data outside the organization of the data controller and in line with the authorization and instruction received from the data controller.

Data Owner/Data Subject

Natural persons whose personal data are processed, such as employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of the institutions with which the Company is affiliated, and third parties and other persons, including but not limited to those listed herein.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. For the purposes of this Policy, İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi will hereinafter be referred to as the Data Controller.

Open Consent

Consent on a specific issue, based on information and freely given.

Disposal

Deletion, disposal or anonymization of personal data.

Storage/Recording Environment

Any environment in which personal data processed by fully or partially automated or non-automated means, provided that it is part of any data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Sensitive Personal Data

Personal data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data

Any operation performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Anonymization of Personal Data

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data

The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.

Disposal of Personal Data

The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.

Periodic Disposal

Deletion, destruction or anonymization to be carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data specified in the Law are eliminated.

Regulation

Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 and numbered 30224 and entered into force as of January 1, 2018.

PDP Board / Board

Personal Data Protection Board

PDP Authority

Personal Data Protection Authority

Policy

Data Controller Personal Data Protection and Processing Policy

Turkish Penal Code

Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611.

Obligation to Inform

The data controller shall inform the relevant persons about the identity of the Data Controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the data subject listed in Article 11 of the KVKK.

Data Controllers Registry Information System (VERBIS)

It is a data registry system created by the Board Presidency under the supervision of the Board, where data controllers register and declare information about their data processing activities.

1. INTRODUCTION

1.1. Objective

As the Data Controller, we are aware of our responsibility for the protection of personal data, which is regulated as a constitutional right, and taking it under legal guarantee, and we give importance to the safe use of your personal data.

The purpose of this policy is to regulate the methods and principles to be followed by İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi to ensure that it processes and protects personal data in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated April 7, 2016 and numbered 29677.

In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by the Data Controller and to protect all rights of personal data owners arising from the legislation on personal data.

1.2. Scope

This policy applies to the activities carried out by İzbaş İzmir Serbest Bölgesi Kurucu ve İşleticisi Anonim Şirketi for the processing and protection of all personal data.

This policy covers natural persons whose personal data are processed by the Data Controller through automatic or non-automatic means, provided that they are part of any data recording system. This Policy does not apply to legal entities and legal entity data in any way.

Groups of Persons Whose Data are Processed under the Policy

Employee

Product or Service Recipient

Supplier Officer

Shareholder/Partner

Visitor

Supplier Employee

Potential Product or Service Buyer

Parent / Guardian / Representative

Subject of the news

Employee Candidate

Intern

Public Official

Rapporteur

Occupational Health and Safety Specialist

Doctor

Workplace Physician

Website Visitors

The entire scope of application of this Policy will cover all of the personal data owners in the above-mentioned categories of the relevant group of persons; some of its provisions may only be directed to certain groups of relevant persons.

This policy is implemented by the Data Controller in the activities carried out for the processing and protection of all personal data, together with the relevant detailed data procedures.

1.3. Implementation of the Policy and Related Legislation

Within the scope of this Policy, the relevant legal regulations and data security principles in force in the national legislation on the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, the Data Controller agrees that the legislation in force will be applied.

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVKK, the Data Controller takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

Subject to the confidentiality of personal data, the Data Controller takes technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure the appropriate level of security in order to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent its loss and destruction, to ensure its storage and preservation in secure environments.

2.1.1.1. Technical Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

The main technical measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure storage and preservation in secure environments are listed below:

Technical Measures

Network security and application security are ensured

Access logs are kept regularly

Corporate policies on access, information security, use, storage and disposal have been prepared and implemented

Up-to-date anti-virus systems are used

Firewalls are used

Personal data is backed up and the security of the backed up personal data is also ensured

User account management and authorization control system is implemented and monitored

Data loss prevention software is used

Log records are kept without user intervention

If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account

Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units

Intrusion detection and prevention systems are used

2.1.1.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

The main administrative measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure that it is stored and stored in secure environments are listed below:

Administrative Measures

Disciplinary arrangements are in place for employees that include data security provisions

Training and awareness activities on data security for employees are carried out at regular intervals

Authorization matrix has been created for employees

Confidentiality commitments are made

Employees who change their position or leave their job are de-authorized in this area

The signed contracts contain data security provisions

Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format

Personal data security policies and procedures have been determined

Personal data security issues are quickly reported

Personal data security is monitored

Necessary security measures are taken for entering and exiting physical environments containing personal data

Physical environments containing personal data are secured against external risks (fire, flood, etc.)

Security of environments containing personal data is ensured

Personal data is minimized as much as possible

Existing risks and threats have been identified

Protocols and procedures for the security of sensitive personal data have been determined and implemented

Awareness of data processing service providers on data security is ensured

2.1.2. Supervision of Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the KVK Law, the Data Controller conducts or has the necessary audits carried out within its own organization. The results of the measure audit carried out within the scope of the audit activities required to fulfill the obligations of the legal regulations that constitute the personal data protection planning are reported to the relevant department within the scope of the internal functioning of the Data Controller and necessary activities are carried out to improve the measures taken.

2.1.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

The Data Controller has the obligation to protect the personal data it processes against unauthorized access, illegal processing, disclosure, loss and alteration. In the event that the personal data processed in accordance with Article 12 of the KVKK is obtained and used by unauthorized others through unlawful means, it carries out the system that ensures that this situation is notified to the relevant personal data owner and the PDP Board as soon as possible.

2.2. Observing the Rights of the Data Subject; Creating Channels to Communicate These Rights to the Data Controller and Evaluating the Requests of Data Subjects

The Data Controller carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

If personal data owners submit their requests regarding their rights listed below in writing to us, the Data Controller, will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the rate schedule determined by the PDP Board will be charged to the applicant data owner.

Personal data owners;

  • Learn whether personal data is being processed,

  • Request information if their personal data has been processed,

  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose

  • To know the third parties to whom personal data are transferred domestically or abroad,

  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

  • Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or disposal of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

  • In case of damage due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

2.3. Protection of Sensitive Personal Data

KVKK shows great importance to certain sensitive personal data due to the risk of causing victimization or discrimination in case of unlawful processing.

These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Data Controller acts sensitively in the protection of special categories of personal data, which are determined as "special categories" by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within the Data Controller and a Policy on Processing and Protection of Special Categories of Personal Data is also established.

2.4. Awareness Raising and Audit of Business Units on Protection and Processing of Personal Data

The Data Controller ensures that the necessary trainings are organized for the business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.

Necessary systems are established to ensure that the existing employees of the business units of the Data Controller and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired.

The results of the trainings conducted to increase the awareness of the business units of the Data Controller on the protection and processing of personal data are reported to the Data Controller. In this direction, the Data Controller evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. As the Data Controller, the trainings carried out by us are updated and renewed in parallel with the updating of the relevant legislation.

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

The Data Controller, in accordance with Article 20 of the Constitution and Article 4 of the KVKK, in the processing of personal data; in accordance with the law and good faith; accurate and up-to-date when necessary; pursuing specific, clear and legitimate purposes; personal data processing activities in a purpose-related, limited and measured manner.

The Data Controller retains personal data for the period stipulated by law or required by the purpose of personal data processing.

Pursuant to Article 20 of the Constitution and Article 5 of the KVKK, the Data Controller processes personal data based on one or more of the conditions in Article 5 of the KVKK regarding the processing of personal data.

In accordance with Article 20 of the Constitution and Article 10 of the KVKK, the Data Controller informs the personal data subjects and provides the necessary information in case the personal data subjects request information.

In accordance with Article 6 of the KVKK, the Data Controller acts in accordance with the regulations stipulated for the processing of special categories of personal data.

In accordance with Articles 8 and 9 of the KVKK, the Data Controller acts in accordance with the regulations stipulated in the law and set forth by the PDP Board regarding the transfer of personal data.

3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation

3.1.1. Processing in accordance with the Law and Good Faith

The Data Controller acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the Data Controller takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than its purpose.

3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Data Controller; It ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes necessary measures in this direction.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes

The Data Controller clearly and precisely determines the legitimate and lawful purpose of personal data processing. The Data Controller processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by the Data Controller is determined before the personal data processing activity begins.

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed

The Data Controller processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.

3.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

The Data Controller retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, the Data Controller first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if a period of time is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, disposed of or anonymized by the Data Controller at the end of the period or in the event that the reasons requiring their processing disappear. Personal data are not stored by the Data Controller with the possibility of future use.

3.2. Processing of Personal Data Based on and Limited to One or More of the Personal Data Processing Conditions Stated in Article 5 of the KVKK

Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; the Data Controller processes personal data only in cases stipulated by law or with the explicit consent of the person.

3.3. Informing the Personal Data Owner

In accordance with Article 10 of the Data Controller and KVKK, we inform personal data owners during the acquisition of personal data. In this context, we inform about the identity of the Data Controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.

Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.

While fulfilling the disclosure obligation, the Data Controller acts in accordance with the Law No. 6698, the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, the Board decisions published on the website of the Authority and the Guide to the Fulfillment of the Disclosure Obligation prepared by the Authority.

3.4. Processing of Special Categories of Personal Data

In the processing of personal data determined as "special quality" by the KVKK, the Data Controller acts in strict compliance with the regulations stipulated in the KVKK.

In Article 6 of the KVKK, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as "special categories". These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In accordance with the KVKK, special categories of personal data are processed by the Data Controller in the following cases, provided that adequate measures to be determined by the PDP Board are taken:

  • If the personal data subject has explicit consent

or

  • If the personal data subject does not have explicit consent;

Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,

Sensitive personal data relating to the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

A separate policy for the processing of special categories of personal data is established by the Data Controller.

3.5. Transfer of Personal Data

The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 8 of the KVKK.

3.5.1. Conditions for Transfer of Personal Data

In line with legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:

  • If there is explicit consent of the personal data owner.

  • If there is a clear regulation in the laws regarding the transfer of personal data.

  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid.

  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

  • If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation.

  • If the personal data has been made public by the personal data subject.

  • If personal data transfer is mandatory for the establishment, exercise or protection of a right.

  • If personal data transfer is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

3.5.2. Transfer of Sensitive Personal Data

The Data Controller may transfer the personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes by taking the necessary care, taking the necessary security measures and adequate measures stipulated by the PDP Board.

  • If the personal data subject has explicit consent

or

  • If the personal data subject does not have explicit consent

Sensitive personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and apparel, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data) other than the health and sexual life of the personal data owner, in cases stipulated by law,

Sensitive personal data relating to the health and sexual life of the personal data owner are transferred only to persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.6. Transfer of Personal Data Abroad

The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties abroad by taking the necessary security measures in line with the lawful personal data processing purposes.

As a result of the widespread use of company applications that provide information services today, communication through instant messaging or online communication channels is established through platforms and applications of foreign origin. Therefore, it is possible to transfer data abroad through these platforms.

Personal data are transferred by the Data Controller to foreign countries declared to have adequate protection by the PDP Board or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection"). In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 9 of the KVKK.

3.6.1. Conditions for Transferring Personal Data Abroad

In line with the legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the presence of one of the following cases if the personal data owner has explicit consent or if the personal data owner does not have explicit consent:

  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation

3.6.2. Transfer of Sensitive Personal Data Abroad

  • If the personal data subject has explicit consent

or

  • If the personal data subject does not have explicit consent;

Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,

Sensitive personal data relating to the health and sexual life of the personal data owner can only be transferred within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner of which personal data owner groups' personal data are processed, the purposes of processing the personal data of the personal data owner and the retention periods within the scope of the disclosure obligation.

4.1. Categorization of Personal Data

The following categories of personal data are processed by the Data Controller by informing the relevant persons in accordance with Article 10 of the KVKK, in line with the legitimate and lawful personal data processing purposes of the Data Controller, based on one or more of the personal data processing conditions specified in Article 5 of the KVKK and limited to the subjects within the scope of this Policy by complying with the general principles specified in the KVKK, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVKK.

Category of Personal Data

Description

Identity Data

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person; (documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, Social Security number, signature information, vehicle license plate, etc.)

Communication Data

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (information such as telephone number, address, e-mail address, fax number, IP address)

Financial Data

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Data Controller with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information)

Professional Experience Data

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; data containing information about the identity of the person; (Data processed according to the type of legal relationship established by the Data Controller with the Personal Data Owner; data such as diploma information, courses attended, vocational training information, certificates, candidate application forms, reference interview information, job interview information, transcript information).

Criminal Conviction and Security Measures Data

Data belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, (data such as the criminal record of the Personal Data Owner obtained within the framework of the operations carried out by the business units of the Data Controller or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner)

Location Data

Information that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (information that determines the location of the personal data owner within the framework of the operations carried out by the business units, during the use of products and services or while using the vehicles of the employees, GPS location, travel data, etc.).

Audio/Visual Data

Data that clearly belongs to an identified or identifiable natural person (photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data)

Personnel Information

All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed to obtain information that will be the basis for the formation of the employee’s rights of natural persons who are in a working relationship with the Data Controller

Health Data

Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (health data such as health report, disability tax exemption certificates, insurance certificates, military service status certificates of the Personal Data Owner and / or family members obtained within the framework of the operations carried out by the business units of the Data Controller, in relation to the products and services offered or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner)

Legal Process Data

Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed within the scope of the Data Controller's legal processes, determination of receivables and rights, follow-up and fulfillment of debts and legal obligations, information in correspondence with judicial authorities, incoming and outgoing documents, information such as case files.

Venue Security Data

Personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space, camera recordings, records taken at the security point, etc., which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.

Risk Management Data

Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed for the management of all kinds of commercial, technical, administrative risks created according to the type of legal relationship established by the Data Controller with the Personal Data Owner.

Customer Transaction Data

Information such as call center records, invoice, promissory note check information, order information, request information, request information, offer, service number obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.

Marketing Data

Data obtained through shopping history information, surveys, cookie records, campaigns, which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units.

Process Security Information

Personal data such as IP Address information, Website login and exit information, password and password information, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Data Controller while carrying out the activities of the Data Controller.

Vehicle Information

Data such as Vehicle License Plate, Vehicle License Plate, Embezzled Vehicle Information, Vehicle License Plate, Vehicle License Plate, Vehicle License Plate, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.

Family Member and Relative Data

Information on family members who clearly belong to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system

4.2. Purposes of Processing Personal Data

The Data Controller processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVKK. These purposes and conditions are listed below:

  • It is clearly stipulated in the Laws that the Data Controller is engaged in the relevant activity regarding the processing of your personal data

  • The processing of your personal data by the Data Controller is directly related and necessary for the establishment or performance of a contract

  • Processing of your personal data is mandatory for the Data Controller to fulfill its legal obligation

  • Provided that your personal data has been made public by you; processing by the Data Controller in a limited manner for the purpose of publicization by you

  • Processing of your personal data by the Data Controller is mandatory for the establishment, use or protection of the rights of the Data Controller or you or third parties

  • It is mandatory to carry out personal data processing activities for the legitimate interests of the Data Controller, provided that it does not harm your fundamental rights and freedoms

  • Processing of personal data by the Data Controller is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity

  • It is stipulated in the laws for personal data of special nature other than the health and sexual life of the personal data owner

  • In terms of personal data of special nature related to the health and sexual life of the personal data owner, it is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In this context, the Data Controller processes your personal data for the following purposes:

Purposes of Processing

Monitoring and Execution of Legal Affairs

Execution of Storage and Archive Activities

Execution of Contract Processes

Providing Information to Authorized Persons, Institutions and Organizations

Execution of Management Activities

Execution of Activities in Compliance with the Legislation

Execution of Assignment Processes

Execution / Supervision of Business Activities

Execution of Emergency Management Processes

Ensuring Physical Space Security

Ensuring the Security of Movable Property and Resources

Execution of Activities for Customer Satisfaction

Execution of Communication Activities

Execution of Supply Chain Management Processes

Execution of Risk Management Processes

Execution of Finance and Accounting Affairs

Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees

Execution of Fringe Benefits and Benefits Processes for Employees

Creating and Tracking Visitor Records

Execution of Business Continuity Ensuring Activities

Planning Human Resources Processes

Execution of Occupational Health / Safety Activities

Execution of Logistics Activities

Execution of Customer Relationship Management Processes

Conducting Audit / Ethics Activities

Receiving and Evaluating Suggestions for Improvement of Business Processes

Tracking Requests / Complaints

Execution of Goods / Service Procurement Processes

Execution of Goods / Services Production and Operation Processes

Conducting Internal Audit / Investigation / Intelligence Activities

Execution of Goods / Service Sales Processes

Execution of Wage Policy

Execution of Goods / Services After Sales Support Services

Conducting Training Activities

Execution of Employee Satisfaction and Loyalty Processes

Execution of Employee Candidate Application Processes

Execution of Employee Candidate / Intern / Student Selection and Placement Processes

Execution of Termination Procedures

Execution of Performance Evaluation Processes

Execution of Human Resources Processes

Ensuring the Security of Data Controller Operations

Execution of Access Authorizations

Organization and Event Management

Foreign Personnel Work and Residence Permit Procedures

Execution of Information Security Processes

Execution of Company / Product / Service Loyalty Processes

Conducting Marketing Analysis Studies

If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVKK, your explicit consent is obtained by the Data Controller regarding the relevant processing process.

4.3. Retention of Personal Data

4.3.1. Retention Periods of Personal Data

If stipulated in the relevant laws and regulations, the Data Controller retains personal data for the period specified in these regulations. The retention periods determined by the Data Controller are stated below:

Categories of Personal Data

Retention Period

Identification Data

10 years from the end of the purpose of data processing

1 year from the end of the purpose of data processing

15 years from the termination of the employment contract

10 years from the termination of the legal relationship

Storage capacity up to

10 Years from the end of the activity

2 years from the end of the processing purpose

10 Years from the Termination of the Legal Relationship

10 Years from the Expiry of the Purpose of Processing

15 Years from the Termination of the Employment Relationship

10 Years from the Termination of Operations

15 Years from the Termination of Employment

10 Years After Termination of the Purpose of Processing

1 year from the end of the processing purpose

6 months from the end of the pandemic

10 years from the end of the processing purpose

5 years from the end of the processing purpose

2 Years

Communication Data

10 years from the end of the purpose of data processing

10 years from the termination of the legal relationship

15 years from the termination of the employment contract

10 Years from the end of the activity

10 Years from the Expiry of the Purpose of Processing

15 Years from the Termination of the Employment Relationship

10 Years from the Termination of the Legal Relationship

10 Years from the Termination of Operations

1 year from the end of the processing purpose

15 Years from the Termination of Employment

10 years from the end of the processing purpose

5 years from the end of the processing purpose

2 years from the end of the processing purpose

1 Year

Vehicle Data

10 years from the end of the purpose of data processing

10 Years from the end of the activity

15 years from the termination of the employment contract

15 Years from the Termination of Employment

Financial Data

10 years from the end of the purpose of data processing

10 years from the termination of the legal relationship

15 years from the termination of the employment contract

10 Years from the end of the activity

10 Years from the Termination of the Legal Relationship

10 Years from the Termination of Operations

15 Years from the Termination of Employment

Professional Experience Data

10 years from the end of the purpose of data processing

15 years from the termination of the employment contract

10 Years from the end of the activity

1 year from the end of the processing purpose

1 Year

Criminal Conviction and Security Measure Data

10 years from the end of the purpose of data processing

10 years from the termination of the legal relationship

1 year from the end of the processing purpose

15 years from the termination of the employment contract

Location Data

10 years from the end of the purpose of data processing

15 years from the termination of the employment contract

15 Years from the Termination of Employment

5 years from the end of the processing purpose

Audio and Visual Recording Data

10 years from the end of the purpose of data processing

15 years from the termination of the employment contract

Storage capacity up to

10 Years from the Expiry of the Processing Purpose

10 Years from the end of the activity

Personnel Data

10 years from the end of the purpose of data processing

15 years from the termination of the employment contract

10 years from the termination of the legal relationship

15 Years from the Termination of Employment

10 Years from the Termination of the Legal Relationship

1 year from the end of the processing purpose

1 Year

Health Data

10 years from the end of the purpose of data processing

10 Years from the end of the activity

15 years from the termination of the employment contract

1 year from the end of the processing purpose

6 months from the end of the pandemic

15 Years from the Termination of the Employment Relationship

Legal Process Data

15 years from the termination of the employment contract

10 years from the termination of the legal relationship

Venue Security Data

Storage capacity up to

45 days

15 years from the termination of the employment contract

Risk Management

15 years from the termination of the employment contract

10 years from the termination of the legal relationship

10 Years from the Termination of Operations

10 years from the end of the purpose of data processing

Customer Transaction Data

15 years from the termination of the employment contract

10 years from the termination of the legal relationship

10 Years from the Termination of Operations

10 Years from the Termination of the Legal Relationship

10 years from the end of the processing purpose

2 years from the end of the processing purpose

10 years from the end of the purpose of data processing

Employee Relatives Data

15 years from the termination of the employment contract

Marketing

10 years from the end of the processing purpose

5 years from the end of the processing purpose

2 years from the end of the processing purpose

10 years from the end of the purpose of data processing

Process Security

2 years from the end of the processing purpose

5 years from the end of the processing purpose

10 years from the end of the purpose of data processing

2 Years

If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the commercial life of the Data Controller, depending on the activity carried out by the Data Controller while processing that data, and then deleted, destroyed or anonymized. You can find detailed information on this subject in the Policy on Deletion, Destruction or Anonymization of Personal Data of the Data Controller.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Data Controller have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to the Data Controller on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

4.3.2. Responsibility and Distribution of Duties in the Storage of Personal Data

All units and employees of the Data Controller actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous supervision.

4.3.3. Storage Environments

Personal data belonging to data subjects are securely stored by the Data Controller in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of the KVKK:

Storage Environments

Computer

Locked Archive Cabinet

Company Server

Locked Cabinet

Hard Disk

Archive Cabinet

Domestic Email Server

Server

Archive Room

Excel Program

Software Program - Domestic

Paper

Notebook

Flash Memory

Domestic Server

Encrypted File

Access Restricted File

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

The table below details the categories of personal data subjects mentioned above and the types of personal data processed by the persons within these categories.

Personal Data Owner Category and Description

Categories of Processed Personal Data of the Data Subject

Employee

(Real persons who have an employment contract with the Data Controller)

Identity

Communication

Location

Personel

Legal Process

Venue Security

Audio and Visual Recordings

Criminal Conviction and Security Measures

Vehicle Information

Health Information

Risk Management

Finance

Professional Experience

Employee's Family Member and Relative Information

Process Security

Marketing

Product or Service Recipient

(Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller, regardless of whether they have any contractual relationship with the Data Controller)

Identity

Communication

Vehicle Information

Finance

Legal Process

Venue Security

Customer Transaction

Risk Management

Supplier Employee

Supplier Employee

(Real persons authorized to represent the Data Controller who are bound to the Data Controller by a supply contract)

Identity

Communication

Finance

Professional Experience

Criminal Conviction and Security Measures

Personel

Health

Legal Process

Risk Management

Visual/Audio Records

Customer Transaction

Venue Security

Shareholder/Partner

(Real persons who are shareholders of the Data Controller)

Identity

Visual/Audio Records

Communication

Venue Security

Legal Process

Risk Management

Finance

Professional Experience

Visitor

(Real persons who have entered the physical premises owned by the Data Controller for various purposes or who visit our websites)

Identity

Venue Security

Visual/Audio Records

Health

Process Security

Supplier Employee

(Natural persons who are bound to the Data Controller by a supply contract and have an employment contract with the Data Controller)

Venue Security

Identity

Communication

Professional Experience

Health

Visual/Audio Records

Finance

Location

Process Security

Marketing

Potential Product or Service Buyer

(Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller as a basis for the future legal relationship with the Data Controller)

Venue Security

Identity

Communication

Visual/Audio Records

Health

Customer Transaction

Marketing

Location

Process Security

Parent / Guardian / Representative

(Person(s) authorized to act on behalf of the natural or legal person who has a legal relationship with the Data Controller)

Identity

Communication

Finance

Legal Process

Subject of the news

(The person about whom the news was reported)

Identity

Communication

Visual/Audio Records

Employee Candidate

(Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller)

Identity

Communication

Personel

Professional Experience

Criminal Conviction and Security Measures

Legal Process

Visual/Audio Records

Health

Venue Security

Intern

(Real persons who are in an internship relationship with the Data Controller)

Identity

Communication

Personel

Professional Experience

Health

Public Official

(Other groups of people)

Identity

Communication

Rapporteur

(Other groups of people)

Identity

Visual/Audio Records

Occupational Health and Safety Specialist

(Other groups of people)

Identity

Communication

Professional Experience

Doctor

(Other groups of people)

Identity

Professional Experience

Workplace Physician

(Other groups of people)

Identity

Professional Experience

Website Visitors

(Other groups of people)

Process Security

Marketing

6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE DATA CONTROLLER AND THE PURPOSES OF TRANSFER

In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner about the groups of persons to whom personal data are transferred.

The Data Controller may transfer the personal data of the data owners managed by the Policy in accordance with Articles 8 and 9 of the KVKK to domestic and foreign recipient groups within the scope of the transfer reasons based on the data category listed below:

Category of Data

Reason of Transfer

Recipient

Domestic

Abroad

Domestic

Abroad

Identity

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

Natural Persons or Private Law Legal Entities

Suppliers

Natural Persons or Private Law Legal Entities

Communication

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

Natural Persons or Private Law Legal Entities

Suppliers

Natural Persons or Private Law Legal Entities

Vehicle Data

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

 

Finance

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Suppliers

Natural Persons or Private Law Legal Entities

Suppliers

Professional Experience

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Suppliers

Natural Persons or Private Law Legal Entities

 

Criminal Records

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Suppliers

 

Location

Legal Obligation

 

Authorized Public Institutions and Organizations

 

Visual/Audio Records

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

 

Personel

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

 

Health

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

 

Legal Process

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

 

Venue Security

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

 

Risk Management

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

Natural Persons or Private Law Legal Entities

 

Customer Transaction

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

Supplier

Natural Persons or Private Law Legal Entities

Suppliers

Employee Relative Info

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

 

Marketing

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

 

Process Security

Legal Obligation

Court Order

 

Authorized Public Institutions and Organizations

 

The definition and scope of the recipient groups to which the above-mentioned transfers are made are set out in the table below.

Persons to whom data can be transferred

Definition of Persons to Whom Data Can Be Transferred

Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation.

(All ministries, judicial, administrative institutions and organizations under the Presidency, especially the Ministry of Justice, the Constitutional Court, the Court of Cassation, the Council of State, the Regional Courts of Appeal, Local Courts and other courts of the Republic of Turkey, all departments and levels of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Courts, all departments and degrees of the departments and institutions of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Affairs Directorates, Tax Offices, all central and provincial organizations and units of the Ministry of Finance, Customs Directorates and Chief Directorates, SSI, General Directorate of Free Zones of the Undersecretariat of Foreign Trade, Free Zones, All Public Banks and all other authorized public institutions and organizations)

Suppliers

Defines the parties that provide services to the Data Controller on a contractual basis in accordance with the orders and instructions of the Data Controller while carrying out the commercial activities of the Data Controller

Real Persons or Private Law Legal Entities

Private law persons or real persons authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

The Data Controller informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVKK.

7.1. Processing of Personal Data and Sensitive Personal Data

7.1.1. Processing of Personal Data

The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature; the conditions stated below under the heading 7.1.2. under this section are applied.

Although the legal grounds for the processing of personal data by the Data Controller may vary, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the KVKK.

7.1.1.1.1. Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.

For personal data processing activities  other than the purpose of processing for the reasons for obtaining personal data, at least one of the conditions in 7.1.1.1.2 - 7.1.1.8 of this title is sought; If one of these conditions is not present, these personal data processing activities are carried out by the Data Controller based on the explicit consent of the personal data owner for these processing activities.

For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.

7.1.1.2. Explicitly Stipulated in Laws

The personal data of the data subject may be processed in accordance with the law if it is clearly stipulated in the law.

7.1.1.3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.

7.1.1.4. Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.

7.1.1.5. Fulfillment of the Legal Obligation by the Data Controller

The personal data of the data subject may be processed if the processing is mandatory for the Data Controller to fulfill its legal obligations as a data controller.

7.1.1.6. Publicization of Personal Data by the Personal Data Owner

In the event that the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.

7.1.1.7. Data Processing is Mandatory for the Establishment or Protection of a Right

Personal data of the personal data owner may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

7.1.1.8. Data Processing is Mandatory for the Legitimate Interest of the Data Controller

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, data may be processed if it is mandatory for the legitimate interests of the Data Controller.

7.1.2. Processing of Special Categories of Personal Data

if the personal data owner does not have explicit consent, provided that adequate measures to be determined by the PDP Board are taken, special categories of personal data are processed by the Data Controller in the following cases:

  • Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,

  • Sensitive personal data relating to the health and sexual life of the personal data subject can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

7.2. Building, Facility Entrances and Personal Data Processing Activities Conducted within the Building Facility

Personal data processing activities carried out by the Data Controller at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, the KVKK and other relevant legislation.

In order to ensure security by the Data Controller, personal data processing activities are carried out for the monitoring of guest entrances and exits with security cameras in the buildings and facilities of the Data Controller.

Personal data processing activity is carried out by the Data Controller through the use of security cameras and recording of guest entrances and exits.

Cameras are divided into two as indoor and outdoor cameras. Indoor cameras are positioned at an angle that will not directly attract our employees or visitors, except for sinks, rooms, changing cabins and room interiors. The locations of the cameras have been carefully determined to ensure that the monitoring activity is kept to a minimum and limited to the purpose of monitoring.

7.2.1. Data Controller Camera Surveillance Activities Carried Out at Building, Facility Entrances and Inside

In this section, explanations will be made regarding the camera surveillance system of the Data Controller and information will be provided on how personal data, confidentiality and fundamental rights of the person are protected.

Within the scope of security camera surveillance activity, the Data Controller aims to protect the interests of the Data Controller and other persons to ensure the security of the Data Controller and other persons.

7.2.2. Execution of Monitoring Activities with Security Cameras in accordance with KVK Law

The Data Controller acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. In order to ensure security in its buildings and facilities, the Data Controller carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.

7.2.3. Announcement of Camera Monitoring Activity

The personal data owner is informed by the Data Controller in accordance with Article 10 of the KVKK. The Data Controller notifies with more than one method regarding the camera surveillance activity of the clarification made regarding general issues. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner and to ensure transparency and enlightenment of the personal data owner.

For the camera surveillance activity by the Data Controller; this Policy is published on the Data Controller's website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out (on-site disclosure).

7.2.4. Purpose of and Limitation to the Purpose of Camera Surveillance

In accordance with Article 4 of the KVK Law, the Data Controller processes personal data in a limited and measured manner in connection with the purpose for which they are processed.

The purpose of video camera surveillance by the Data Controller is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and time of monitoring of security cameras are sufficient to achieve the security purpose and are limited to this purpose. Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.

7.2.5. Ensuring the Security of the Data Obtained

Necessary technical and administrative measures are taken by the Data Controller to ensure the security of personal data obtained as a result of camera surveillance activity in accordance with Article 12 of the KVKK.

7.2.6. Retention Period of Personal Data Obtained through Camera Surveillance Activity

Detailed information on the Data Controller's retention period for personal data obtained through camera surveillance is provided in Article 4.3 of this Policy titled Retention Periods of Personal Data.

If it is understood that the video recordings obtained from the security camera constitute evidence in a criminal investigation before the deletion period, if it constitutes evidence in a criminal investigation, it is kept until it is submitted to the judicial authority.

Video recordings obtained from security cameras are kept for 10 years if it is understood that they constitute evidence in a legal dispute before the deletion period.

7.2.7. Who has access to the information obtained as a result of monitoring and to whom this information is transferred

Only a limited number of Data Controller employees have access to the records recorded and stored in digital media with live camera images. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.

8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although the Data Controller has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized upon the Data Controller's own decision or upon the request of the personal data owner, if the reasons requiring its processing disappear.

In this context:

  • Expiration or nullity of the contract on the basis of processing,

  • Withdrawal of consent in processing activities based on explicit consent,

  • Data Subject's application for deletion-destruction-anonymization and acceptance of this application,

  • The decision that the request to be made by the Personal Data Protection Board should be met as a result of the Data Owner's application and the rejection of this application,

  • Expiration of the retention period,

  • Periodic destruction operations carried out within the Data Controller,

As a result, the Data Controller deletes, destroys or anonymizes the Personal Data collected.

In terms of Deletion, Destruction or Anonymization of Personal Data, the Data Controller creates a separate policy in detail within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data.

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS

9.1. Rights of the Data Subject and Exercising These Rights

9.1.1. Rights of the Personal Data Subject

Personal data subjects have the following rights:

  • Learn whether personal data is being processed

  • Request information if their personal data has been processed,

  • To learn the purpose of processing personal data and whether they are used for their intended purpose,

  • To know the third parties to whom personal data are transferred domestically or abroad,

  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

  • Although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

9.1.2. Cases Where the Personal Data Owner Cannot Assert His/Her Rights

Pursuant to Article 28 of the KVK Law, personal data owners cannot assert the rights of personal data owners listed in 9.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law:

  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.

Pursuant to Article 28/2 of the KVKK; In the cases listed below, personal data owners cannot assert their other rights listed in 9.1.1. except for the right to demand compensation for the damage:

  • Processing of personal data is necessary for the prevention of crime or criminal investigation.

  • Processing of personal data made public by the personal data owner himself/herself.

  • Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.

  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.

9.1.3. Exercising the Rights of the Personal Data Owner

Personal Data Owners may submit their requests regarding their rights listed under Title 9.1.1. of this section to the Data Controller free of charge by filling out and signing the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board:

  • www.izbas.net a copy of which is available at or İzmir Serbest Bölgesi Panaz Mevkii Maltepe Köyü Menemen/İZMİR After filling out the form, which you can obtain from the address of the Data Controller, you can send a wet signed copy to the same address of the Data Controller personally or through a notary public.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

9.1.4. Personal Data Owner's Right to File a Complaint to the PDP Board

Pursuant to Article 14 of the KVK Law, the personal data owner may file a complaint to the KVK Board within thirty days from the date of learning the response of the Data Controller and in any case within sixty days from the date of application in case the application is rejected, the response is found insufficient or the application is not responded in due time.

9.2. Response of the Data Controller to the Applications

9.2.1. Procedure and Duration of the Data Controller's Response to Applications

In the event that the personal data owner submits his/her request to the Data Controller in accordance with the procedure in section 9.1.3. of this section, the Data Controller will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the PDP Board, the fee in the tariff determined by the PDP Board will be charged by the Data Controller from the applicant.

9.2.2. Information that the Data Controller may request from the Applicant Personal Data Subject

The Data Controller may request information from the relevant person in order to determine whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, the Data Controller may ask questions to the personal data owner about the application.

9.2.3 Data Controller's Right to Reject the Personal Data Subject's Application

The Data Controller may reject the application of the applicant in the following cases by explaining the reason:

  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.

  • Processing of personal data is necessary for the prevention of crime or criminal investigation.

  • Processing of personal data made public by the personal data owner himself/herself.

  • Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.

  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.

  • The request of the personal data owner is likely to prevent the rights and freedoms of other persons

  • Requests have been made that require disproportionate effort.

  • The requested information is publicly available.

10. THE RELATIONSHIP OF THE DATA CONTROLLER'S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES

The Data Controller may also establish sub-policies for internal use regarding the protection and processing of personal data related to the principles set forth in this Policy, as well as other policies for certain groups of persons, especially employees.

The principles of the Data Controller's sub-policies for internal use are reflected in publicly available policies to the extent relevant, and it is aimed to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Data Controller.

Thank you for reviewing our PDP Policy

İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi

İzmir Serbest Bölgesi Panaz Mevkii Maltepe Köyü Menemen/İZMİR

+90 (232) 842 63 11

info@izbas.net

www.izbas.net

Quality Certificates

Integrated Management System is implemented in İZBAŞ; ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 and ISO 27001:2013 Certificates are available.

İzbaş - Quality Certificates - ISO 9001

İzbaş - Quality Certificates - ISO 14001

İzbaş - Quality Certificates - ISO / IEC 27001

İzbaş - Quality Certificates - ISO 45001

Social Responsibility

Our Social Responsibility Policy and Principles

As İzbaş, we believe that our own employees and employees of all companies operating in the region have the right to work in a healthy and safe environment in working conditions suitable for human dignity. Our employees are our most valuable asset and our primary goal is to ensure and protect the safety of our employees.

In accordance with our understanding of business ethics; we aim to ensure the highest level of integrity in all business activities and relationships within our region. In this context, all behaviors such as corruption, bribery, blackmail, etc. are strictly prohibited and are guaranteed by our employee handbooks and disciplinary procedures.

In accordance with our principle of respect for the environment, which is within the framework of our values, we manage environmental impacts at a level appropriate to all our fields of activity within the region with our Waste Water Treatment, Solar Drying facilities, Waste Collection and Landfill Sites, as well as the projects we plan to implement, and we carry out improvement works to minimize these impacts. The sustainability of our environmental policies is also protected by the ISO 14001 Environmental Management System.

In accordance with our principle of respect for people, we believe in the importance of social and community activities not only for our employees, but also for the spread of social benefit throughout the country. We encourage the participation of our employees in our activities and publish them in our annual reports.

Kars Arpaçay Okul Yardımı

KVKK Clarification Text

İZBAŞ İZMİR SERBEST BÖLGESİ KURUCU VE İŞLETİCİSİ A.Ş.

PRIVACY NOTICE ON PROTECTION AND PROCESSING OF PERSONAL DATA

1. General Description

Within the scope of the law, personal data includes all kinds of data relating to an identified or identifiable natural person. Sensitive personal data, which is a special type of personal data, is based on race, ethnicity, political thought, philosophical belief, religion, sect, other beliefs, association, foundation or union membership, health, sexual life, criminal conviction and security measures. refers to biometric and genetic data.

Processing personal data, obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, of personal data fully or partially automatically or by non-automatic means provided that it is a part of any data recording system, It refers to all kinds of operations performed on data such as classification or prevention of use.

2. Data Controller

Your personal data may be processed by İzbaş İzmir Serbest Bölgesi Kurucu ve İşleticisi A.Ş.  (“Data Controller”) in the capacity of data controller, in accordance with the Personal Data Protection Law No. 6698 (“Law”) within the scope described below.

3. Collection of Personal Data, Legal Basis and Purposes of Processing

Your personal data, in accordance with the Law, may vary depending on the service provided by the Data Controller and the commercial activities of the Data Controller, and collected verbally, in writing or electronically, automatically or non-automatically.

Your collected personal data, in accordance with the basic principles stipulated in the Law and within the personal data processing conditions (legal reasons) specified in Articles 5 and 6 of the Law and shown below; It can be processed by the İzbaş İzmir Serbest Bölgesi Kurucu ve İşleticisi A.Ş. for the purposes stated below. You can examine what your personal data is, how they are collected, what personal data may be subject to processing by us, and the details of the purposes of processing this data from the tables below.

A. GROUPS OF PEOPLE

Collection and Processing of Personal Data (Person Groups)

Data Acquisition Method

Purposes of Processing Personal Data

Worker

Product or Service Recipient

Supplier Representative

Shareholder/Partner

Visitor

Supplier Employee

Potential Product or Service Buyer

Parent / Guardian / Representative

Person subject to the news

Employee Candidate

Intern

Information Technologies Data Recording System

Form - Document

Document Original

E -Mail - Abroad

E -Mail - Domestic

Hard Copy

Document Management Software

Accounting program

Excel Program

Web Based Software

Special Integration Program

Hand writing

Software Program - Domestic

Computing environment

Encrypted File

Execution of Legal Affairs

Storage and Archive Activities

Execution of Contract Processes

to Authorized Persons, Institutions and Organizations

Execution of Management Activities

Execution of Activities in Compliance with the Legislation

Execution of Assignment Processes

Execution / Supervision of Business Activities

Execution of Emergency Management Processes

Providing Physical Space Security

Movable Property and Resources

Execution of Activities for Customer Satisfaction

Execution of Communication Activities

Execution of Supply Chain Management Processes

Execution of Risk Management Processes

Execution of Finance and Accounting Affairs

Fulfillment of Employment Contract and Legislative Obligations for Employees

and Benefits Processes for Employees

Conducting Business Continuity Ensuring Activities

Planning of Human Resources Processes

Execution of Logistics Activities

Execution of Customer Relationship Management Processes

Follow-up of Requests / Complaints

Execution of Occupational Health / Safety Activities

Execution of Goods / Services Procurement Processes

of Goods / Services Production and Operation Processes

Conducting Audit / Ethical Activities

Carrying out Internal Audit / Investigation / Intelligence Activities

Execution of Good / Service Sales Processes

Execution of Wage Policy

Execution of Goods / Services After-Sales Support Services

Conducting Educational Activities

Employee Satisfaction and Loyalty Processes

and Evaluating Suggestions for Improvement of Business Processes

Execution of Application Processes of Employee Candidates

of Employee Candidate / Intern / Student Selection and Placement Processes

Other - Execution of Termination Procedures

Execution of Performance Evaluation Processes

Other - Execution of Human Resources Processes

Ensuring the Security of Data Controller Operations

Execution of Access Authorizations

Organization and Event Management

Foreign Personnel Work and Residence Permit Procedures

Execution of Information Security Processes

Execution of Company / Product / Service Loyalty Processes

Conducting Marketing Analysis Studies

Creating and Tracking Visitor Records

Legal reasons

Fulfillment of Legal Obligation

Contract Signing

Legitimate Interests of the Data Controller

Prescribed in Laws

Establishment, Use or Protection of a Right

Obtaining Explicit Consent

The Relevant Person has made it public

Protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, and planning, management and financing of health services

B. OTHER GROUPS OF PEOPLE

Purposes of Collection and Processing of Personal Data (Person Groups)

Data Acquisition Method

Purposes of Processing Personal Data

Public servant

Reporter

Occupational health and Safety specialist

Doctor

Occupational Physician

Website Visitor

Information Technologies Data Recording System

Form - Document

Document Original

Execution of Activities in Compliance with the Legislation

Execution of Assignment Processes

Execution of Communication Activities

Execution / Supervision of Business Activities

to Authorized Persons, Institutions and Organizations

Execution of Management Activities

Fulfillment of Employment Contract and Legislative Obligations for Employees

Execution of Occupational Health / Safety Activities

Execution of Application Processes of Employee Candidates

Conducting Business Continuity Ensuring Activities

Execution of Information Security Processes

Legal reasons

Fulfillment of Legal Obligation

Prescribed in Laws

Establishment, Use or Protection of a Right

Legitimate Interests of the Data Controller

Protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, and planning, management and financing of health services

4. The Parties and Purposes of Transfer of Your Personal Data

Your personal data may be transferred by the Data Controller to the domestic and foreign recipient groups listed below, limited to the above-mentioned purposes, in accordance with the basic principles stipulated in the Law and within the personal data transfer conditions specified in Articles 8 and 9 of the Law.

A. GROUPS OF PEOPLE

Parties to which Personal Data are Transferred and Purposes of Transfer

Transferred Parties

PERSON GROUPS

DOMESTIC

ABROAD

Worker

Product or Service Recipient

Supplier Representative

Shareholder/Partner

Visitor

Supplier Employee

Potential Product or Service Buyer

Parent / Guardian / Representative

person in the news

Employee Candidate

Intern

Authorized Public Institutions and Organizations

suppliers

Other - Financial Advisor - Accounting

Other - Legal Counsel

Natural Persons or Private Law Legal Entities

Other - Company Attorney, Financial Advisor

suppliers

Natural Persons or Private Law Legal Entities

Purpose of Transfer of Personal Data

DOMESTIC

ABROAD

Legal Obligation

Court Order

 

Legal reasons

DOMESTIC

ABROAD

Obligatory for the fulfillment of obligations and commitments

Legal regulation

 

B. OTHER GROUPS OF PEOPLE

Parties to which Personal Data are Transferred and Purposes of Transfer

Transferred Parties

PERSON GROUPS

DOMESTIC

ABROAD

Public servant

Reporter

Doctor

Occupational Physician

Website Visitor

Occupational health and Safety Specialist

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

Other - Company Attorney, Financial Advisor

suppliers

Other - Legal Counsel

Other - Financial Advisor - Accounting

 

Purpose of Transfer of Personal Data

DOMESTIC

ABROAD

Legal Obligation

 

Legal reasons

DOMESTIC

ABROAD

Legal regulation

Obligatory for the fulfillment of obligations and commitments

 

5. Your Rights Enumerated in Article 11 of the Law as Personal Data Owner

In accordance with Article 11 of the Law, we declare that you have the following rights as data owners:

  • Learning whether your personal data is processed,

  • If your personal data has been processed, requesting information about it,

  • To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,

  • Knowing the third parties to whom your personal data is transferred, in the country or abroad,

  • Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,

  • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the Law and other relevant law provisions, and requesting that the transaction carried out within this scope be notified to the third parties to whom your personal data has been transferred,

  • Objecting to this if a result arises against you by analyzing the processed data exclusively through automated systems,

  • To request the compensation of the damage in case you suffer damage due to the unlawful processing of your personal data.

If you submit your requests regarding your rights to us through the methods stated below, the request will be finalized as soon as possible and within thirty days at the latest, free of charge, depending on its nature.

In order to exercise your rights, after filling and signing the relevant person/data owner application/request form, a copy of which is available at www.izbas.net or you can get physically from the Data Controller, this application form or your originally signed petition to use your rights;

It can be hand-delivered to the secretariat of İzmir Serbest Bölgesi Panaz Mevkii Maltepe Köyü Menemen/İZMİR address (Data Controller address) with documents identifying your identity.,

It can be sent to our address above via a notary public or registered mail,

Thank you for reading our privacy notice.

İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi

I Want to Invest in İZBAŞ

İZBAŞ's professional team is ready to give you all the information you need to invest in İzmir Free Zone.

Click here to fill in the form

İZBAŞ İZMİR SERBEST BÖLGE KURUCU VE İŞLETİCİ A. Ş. © 2022 | ALL RIGHTS RESERVED.