PERSONAL DATA PROTECTION POLICY
1. Introduction
As Başterziler Mobilya Pazarlama San. Tic. A.Ş. (“Başterziler”), we attach great importance to the security of personal data, and processing, storing, and protecting all personal data belonging to all individuals associated with our Company in accordance with the Law No. 6698 on the Protection of Personal Data (“KVKK” and “the Law”) is one of our priorities.
This “Personal Data Protection and Processing Policy” (“Policy”) sets out the fundamental principles and guidelines adopted by Başterziler in the protection and processing of personal data, and is implemented and made sustainable as a company policy.
1.2 Objective
The purpose of this Policy is to define the procedures and principles regarding the processing, protection, and storage of personal data carried out by Başterziler in accordance with the legal regulations on which this Policy is based, and to inform the natural persons whose data is processed by Başterziler about this matter.
1.3 Scope
This Policy relates to all personal data of our customers, employees, job applicants, interns, supplier employees, company officials, visitors, business partners (authorized representatives, shareholders and employees of suppliers, designers, manufacturers and similar institutions with whom we have business relationships), and third parties, processed automatically or non-automatically as part of any data recording system.
In this context, the entirety of this Policy, or only certain provisions thereof, may apply to the relevant groups of individuals mentioned above.
1.4 Definitions
The definitions used in the application of this Policy are listed below:
| Explicit Consent | Informed and freely given consent regarding a specific matter. |
| Anonymization | Personal data must be rendered in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. |
| Employee(s) | Tailors and workers employed under the Labor Law, as well as students/graduates undergoing internships (mandatory/optional) |
| Electronic Environment |
Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Environment |
All written, printed, visual, and other media outside of electronic media. |
| Service Provider |
A natural or legal person who provides services to tailors under a specific contract. |
| Contact Person | The natural person whose personal data is processed |
| Destruction | The irreversible deletion, destruction, or anonymization of personal data. |
| Law / GDPR | Law No. 6698 on the Protection of Personal Data |
| Recording Medium | Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system. |
| Processing of Personal Data | Personal data is subject to any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system. |
| Personal Data Inventory |
Data controllers create an inventory detailing their personal data processing activities based on their business processes, associating these activities with the purposes of personal data processing, data category, recipient group to whom the data is transferred, and data subject group. This inventory also specifies the maximum period for which the personal data is processed for the intended purposes, the personal data intended for transfer to foreign countries, and the measures taken regarding data security. |
| Personal Data Protection Committee |
A committee formed by Başterziler with the authority to make decisions and present them to senior management for the purpose of ensuring, maintaining, managing, and improving compliance with personal data protection legislation, and which provides the necessary coordination within Başterziler for this purpose, and includes officials from different units. |
| Board | Personal Data Protection Board |
| Organisation | Personal Data Protection Authority |
| Special Qualifications Personal Data |
Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Policy |
This “Personal Data Protection and Processing Policy” sets out the principles adopted by Başterziler in the processing and protection of personal data. |
| Data Processor | Natural and legal persons who process personal data on behalf of the data controller, based on the authority granted by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Recording The system |
A data recording system in which personal data is processed by structuring it according to specific criteria. |
| Data Those responsible Registry Information The system |
The register of data controllers maintained by the Presidency of the Personal Data Protection Authority and available to the public. |
| VERBIS | Data Controllers Registry Information System |
For definitions not included in this Policy, the definitions in the Law shall apply.
2. GENERAL PROVISIONS REGARDING THE PROCESSING OF PERSONAL DATA
Başterziler, while carrying out personal data processing activities
- General principles
- Conditions for processing personal data
- It complies with the conditions for processing special categories of personal data.
2.1 Processing Personal Data in Accordance with General Principles
2.1.1 Lawful and Fair Operation
Başterziler acts in accordance with the principles established by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this scope, our company conducts its personal data processing activities in a lawful, honest, and transparent manner.
2.1.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Başterziler makes every effort to ensure that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. In this regard, it takes the necessary administrative and technical measures and provides personal data owners with the means to correct and verify the accuracy of their personal data.
2.1.3 Processing Personal Data for Specific, Explicit and Legitimate Purposes
Başterziler clearly and precisely defines the purpose of personal data processing and conducts its data processing activities within the scope of explicit, legitimate, and lawful purposes.
2.1.4 Personal Data Must Be Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
Başterziler processes personal data only to the extent that it is relevant to and required by the purposes of data processing. It avoids processing personal data that is not related to or needed for the purpose of data processing.
2.1.5 For the duration stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Preservation
Başterziler retains personal data only for the period specified in the relevant legislation or for the period necessary for the purpose for which it is processed. In this context, we first determine whether a retention period for personal data is stipulated in the relevant legislation; if a period is specified, we comply with that period; if no period is specified, we retain personal data for the period necessary for the purpose for which it is processed. Upon the expiration of this period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized by us. Detailed information on this matter can be found in the Başterziler Technology Services and Trade Inc. Personal Data Retention and Destruction Policy.
2.2 Processing Personal Data in Accordance with the Conditions for Processing Personal Data
Başterziler Mobilya Pazarlama San. Tic. A.Ş. conducts its personal data processing activities in accordance with the data processing conditions set forth in personal data protection legislation. In this context, personal data processing activities only take place if the following data processing conditions are met:
2.2.1 Obtaining Explicit Consent
According to the law, personal data cannot be processed without the explicit consent of the data subject. Başterziler Mobilya Pazarlama San. Tic. A.Ş. requires that the data subject explicitly consent to the processing of their data "freely, with sufficient knowledge of the subject, without any doubt, and limited to the purpose of data processing" in order to carry out personal data processing activities.
2.2.2 Exceptional Cases Where Explicit Consent is Not Required for the Processing of Personal Data
Başterziler may process personal data without explicit consent if any of the following conditions stipulated in the Law exist:
- i. Explicitly Provided for in the Laws
Personal data of the data subject may be processed lawfully, only if explicitly provided for in the laws and within the limits of the relevant legal provisions.
- ii. Inability to Obtain the Explicit Consent of the Data Subject Due to Factual Impossibility and the Necessity of Processing Personal Data
Personal data may be processed without explicit consent if it is necessary to protect the life or physical integrity of the person or another person, or if the person is unable to express their consent due to factual impossibility or if their consent is not legally valid. For example, if explicit consent cannot be obtained due to the person being unconscious, their personal data may be processed during a medical intervention to protect their life or physical integrity.
- iii. Personal Data Processing Activity Directly Related to the Establishment or Performance of the Contract
Being Related to the Truth
Personal data may be processed if it is necessary for the establishment or performance of a contract, provided that the processing of personal data belonging to the parties of the contract is directly related to that contract.
- iv. The Processing of Personal Data is Necessary for Başterziler to Fulfill its Legal Obligations
Başterziler may process the personal data of the relevant person if it is necessary to fulfill its legal obligations.
- v. Public Disclosure of Personal Data by the Data Subject
Personal data that has been made public by the data subject themselves, in other words, that has been disclosed to the public in any way, may be processed without explicit consent.
- vi. The Necessity of Data Processing for the Establishment, Exercise, or Protection of a Right
Personal data may be processed without explicit consent if the processing of data is necessary for the establishment, exercise, or protection of a right.
- vii. The Necessity of Processing Personal Data for the Legitimate Interests of Başterziler
Personal data may be processed without explicit consent if it is necessary for Başterziler's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.
2.3 Processing Special Categories of Personal Data in Accordance with the Processing Conditions
Special categories of personal data can only be processed with the explicit consent of the data subject. However, special categories of personal data, excluding data on sexual life and personal health, may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life may only be processed without explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing. Therefore, in accordance with the law, unless otherwise stipulated, personal health data can only be processed by the company physician under the scope of explicit consent or under the obligation of confidentiality. Başterziler takes the measures determined by the Board regarding the processing and protection of special categories of personal data. Başterziler shows utmost sensitivity to the protection and security of special categories of personal data, and the technical and administrative measures taken regarding the protection of special categories of personal data are carefully implemented, and the necessary audits are carried out within Başterziler.
2.4 Processing Personal Data in Accordance with Transfer Conditions
Başterziler may transfer the personal and sensitive personal data of the data subject to third parties in accordance with the purposes of personal data processing and, if applicable, with explicit consent, or otherwise for legal reasons, by taking the necessary security measures. In this context, Başterziler acts in accordance with the personal data transfer conditions stipulated in Articles 8 and 9 of the Law.
2.4.1 Transfer of Personal Data Within the Country
In accordance with Article 8 of the Law, Başterziler conducts its domestic data transfer activities in compliance with the data processing conditions.
2.4.2 Transfer of Personal Data Abroad
In accordance with Article 9 of the Law, Başterziler conducts its data transfer activities abroad in compliance with the data processing conditions (See Başterziler Personal Data Protection and Processing Policy - Section Two, articles 2.1, 2.2 and 2.3). In cases where personal data is transferred without obtaining explicit consent in accordance with the Law, one of the following conditions must also be met with respect to the foreign country to which the data will be transferred:
- The foreign country to which the personal data is transferred must be classified by the Board as a country where adequate protection exists.
- If adequate protection is not in place, data controllers in Türkiye and the relevant foreign country must provide a written commitment to adequate protection and obtain permission from the Board.
2.4.3 Recipient Groups to Whom Personal Data is Transferred
In accordance with Articles 8 and 9 of the Law, Başterziler may transfer the personal data of data subjects to its business partners, suppliers, banks and financial institutions, consulting and auditing firms providing support in legal, tax and similar areas, company officials, shareholders, legally authorized public institutions and private individuals, and domestic and/or foreign service providers providing storage, archiving, and information technology support (server, hosting, software, cloud computing, etc.) services on behalf of the Company, for the purpose of continuing its commercial activities and business processes. The classification of the recipient groups to whom personal data is transferred is given in Section 3 of this Policy. In case of personal data transfer, Başterziler ensures that the third parties to whom personal data is transferred also comply with this Policy. In this context, necessary protective arrangements are added to the contracts concluded with third parties and technical measures are taken.
3. CATEGORIES OF PERSONAL DATA PROCESSED BY THE CHIEF TAUGHTERS, PURPOSES OF PROCESSING AND TRANSFER, AND RECIPIENT GROUPS TO WHOM IT IS TRANSFERRED.
3.1 Categories of Personal Data
The categories and descriptions of personal data processed within the scope of personal data processing activities carried out by Başterziler are listed below:
| Categories of Personal Data | Explanation |
| Identity Data |
Personal data includes information about a person's identity: name and surname, Turkish Republic identity number, marital status, gender, nationality, parents' names and surnames, place and date of birth, and other identification information, as well as documents containing this information such as driver's license, national identity card, passport, birth certificate, tax number, social security number, and other relevant details. |
| Contact Information | These include contact information such as phone number, address, and email address, as well as documents containing this information, such as proof of address. |
| Personal Data | Personal data processed within the scope of an employment relationship with our company consists of obtaining information that forms the basis of the personal rights of individuals. |
| Legal Transaction Data |
Personal data processed due to a legal relationship with our Company includes information from correspondence with judicial authorities and information from case files. |
| Customer Transactions Information |
Customer data includes all call center records, transaction history, order information, and personal data obtained during the processes of receiving and evaluating any requests or complaints. |
| Physical Space Security Data |
Entry and exit records for visits to workplaces and showrooms, as well as personal data obtained during the camera recording process, are examples of personal data. |
| Vocational Experience Data |
Personal data of our employees and supplier employees includes information such as diploma details, courses attended, professional development training information, and certifications. |
| Marketing Data |
Personal data processed by our company, such as shopping history, surveys, and cookie records, is used to improve the services we offer. |
| Visual and Auditory Records |
Personal data processed includes recording telephone conversations with our customers, supplier representatives, and other third parties, as well as visual recordings of activities in which our employees participate within the company. |
| Financial Data | Personal data refers to information, documents, and records showing all financial outcomes arising from the legal relationship established between our company and the data subject. Examples: Credit card information, income information, IBAN number, etc. |
| Special Qualifications Personal Data |
These are personal data that are limited in scope by law and whose processing carries a risk of discrimination against data subjects. Examples: Health data, including blood type, biometric data, criminal convictions and security measures, etc. |
| Transaction Security Data |
Personal data is processed to ensure the technical, administrative, legal, and commercial security of both the data subject and our Company. |
3.2 Categories of Relevant Persons
Below are the identities and descriptions of our employees, job applicants, customers, business partners (authorized representatives, shareholders, and employees of suppliers and similar business partners), and third parties covered by this Policy.
3.2.1. Description of Relevant Person Categories
Employees: Natural persons who have an employment relationship with our company. Job Applicants: Natural persons who have applied for a job with our company through any means and submitted their resumes and/or job application forms for our company's review. Interns: Natural persons who are undertaking voluntary or mandatory internships within our company. Customers: Natural persons who use or have used the products and services offered by our company. Company Officials: Natural persons who are in the senior management of Başterziler and/or authorized to represent Başterziler, as well as the natural person representatives of legal entities. Board members and shareholders are considered within this scope. Supplier Representatives and Employees: Natural persons and legal entity suppliers with whom our company has a service relationship in carrying out its activities, and the natural person representatives of these suppliers, and all natural persons working within these suppliers. Other Third Parties: Other natural persons who do not fall into any related person category.
3.3 Classification of Personal Data Processed by Head Tailors According to Data Subjects
The table below details the data subject categories and the categories of personal data processed within the scope of the processing activity, as mentioned above:
| Categories of Personal Data | Explanation |
| Identity Data |
Employees, Job Applicants, Potential Products or Services Buyer, Intern, Supplier Employee, Supplier Representative, Our customers |
| Contact Information |
Employees, Job Applicants, Potential Products or Services Buyer, Intern, Supplier Employee, Supplier Representative, Our customers |
| Personal Data | Employees, Job Applicants, Interns, Supplier Employees |
| Legal Transaction Data | Employees, Customers |
| Customer Transaction Information | Customers, Potential Customers |
| Physical Space Security Data | Employees, Customers, Potential Customers, Visitors |
| Professional Experience Data | Employees, Interns, Supplier Employees, Suppliers Official |
| Marketing Data | Customers, Potential Customers |
| Financial Data | Employees, Interns, Supplier Representatives |
| Visual and Auditory Recordings | Employee, Potential Product or Service Buyer, Supplier Employees, Customers |
| Special Categories of Personal Data / Health Information |
Employee, Intern, Supplier Employee |
| Special Categories of Personal Data / Criminal Conviction and Security Measures |
Employee, Supplier Employee |
| Biometric Data | Employees |
| Transaction Security Data | Customers, Employees, Supplier Employees |
3.4 Purposes of Processing Personal Data
Başterziler processes personal data for the purposes listed below. The purposes of personal data processing, their relationship to business processes and personal data categories, are clearly and detailedly defined for each business unit and process and recorded in the Başterziler Personal Data Inventory.
• Implementation of Information Security Processes
• Conducting the Selection and Placement Processes for Job Applicants / Interns / Students
• Managing the application processes for job applicants.
• Implementing Employee Satisfaction and Engagement Processes
• Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
• Managing Employee Benefits and Advantage Processes
• Conducting Audit / Ethics Activities
• Conducting Training Activities
• Enforcement of Access Permissions
• Ensuring that activities are carried out in accordance with the legislation.
• Handling Finance and Accounting Operations
• Implementing Company/Product/Service Loyalty Processes
• Ensuring Physical Security of the Space
• Execution of Assignment Processes
• Monitoring and Managing Legal Affairs
• Conducting Internal Audit/Investigation/Intelligence Activities
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting/Supervising Business Activities
• Implementation of Occupational Health and Safety Activities
• Receiving and evaluating suggestions for improving business processes.
• Implementing Business Continuity Activities
• Execution of Goods/Services Procurement Processes
• Providing After-Sales Support Services for Goods/Services
• Execution of Goods/Services Sales Processes
• Execution of Goods/Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Conducting activities aimed at customer satisfaction.
• Organization and Event Management
• Conducting Marketing Analysis Studies
• Conducting Performance Appraisal Processes
• Execution of Advertising / Campaign / Promotion Processes
• Conducting Storage and Archiving Activities
• Execution of Contract Processes
• Implementation of Strategic Planning Activities
• Tracking Requests/Complaints
• Ensuring the Security of Movable Property and Resources
• Execution of Supply Chain Management Processes
• Implementation of Wage Policy
• Execution of Marketing Processes for Products/Services
• Ensuring the Security of Data Controller Operations
• Execution of Investment Processes
• Providing Information to Authorized Persons, Institutions and Organizations
3.5. Methods and Reasons for Collecting Personal Data
Başterziler collects personal data belonging to the relevant individuals.
• Our websites and platforms belonging to Başterziler, various social media channels, and emails, short messages (“SMS”) or multimedia messages (“MMS”) used within the scope of Başterziler's sales and marketing activities,
• Through other communication methods, including printed and electronic forms,
• Head tailors communicate their business activities through contracts, policies, commercial offers, printed and electronic forms, documents, and correspondence.
• Through business cards and other documents obtained during job interviews,
• Başterziler collects data through third parties, such as business partners or companies supplying services/products, via verbal, written, or electronic means, using various methods that are wholly or partially automated, or non-automated as part of any data recording system.
Personal data collected through these methods are stored in accordance with the data processing conditions set forth in Section 2 of this Policy and for the personal data processing purposes listed above, while complying with the periods mandated by the KVKK (Personal Data Protection Law) and other legislation, and by taking all necessary administrative and technical measures.
4. MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, Başterziler takes the necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to data, and to ensure the preservation of data, within its capabilities and according to the nature of the data to be protected, and conducts or has conducted the necessary audits within this scope.
4.1 Ensuring the Security of Personal Data
4.1.1 Technical Measures
The main technical measures taken to prevent the unlawful processing of personal data, to prevent unlawful access to data, and to ensure the preservation of data are listed below:
• Network security and application security are ensured.
• Closed-system networks are used for the transfer of personal data over the network.
• Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
• Access logs are maintained regularly.
• Data masking measures are applied when necessary.
• Up-to-date antivirus systems are used.
• Firewalls are used.
• The signed agreements include data security provisions.
• Extra security measures are taken for personal data transmitted via paper, and the relevant documents are sent in a classified document format.
• Personal data security issues are reported promptly.
• Personal data security is monitored.
• Necessary security measures regarding entry and exit to physical environments containing personal data.
is being received.
• Physical environments containing personal data are secured against external risks (fire, flood, etc.).
• The security of environments containing personal data is ensured.
• Personal data is backed up, and the security of the backed-up personal data is also ensured.
• User account management and authorization control systems are implemented and monitored.
• Log records are stored in a way that does not require user intervention.
• Existing risks and threats have been identified.
• If sensitive personal data is to be sent via email, it must be sent encrypted and using a registered electronic mail (KEP) or corporate email account.
• For sensitive personal data, secure encryption/cryptographic keys are used and managed by different units.
• Intrusion detection and prevention systems are used.
• A penetration test is performed.
• Cybersecurity measures have been put in place and their implementation is continuously monitored.
• Encryption is being used.
• Personal data transferred via portable memory, CD, or DVD is encrypted.
• Data loss prevention software is used.
4.1.2 Administrative Measures
The main administrative measures taken to prevent the unlawful processing of personal data, to prevent unlawful access to data, and to ensure the preservation of data are listed below:
• Training is provided to improve the qualifications of employees, including training on preventing the unlawful processing of personal data, preventing unlawful access to personal data, ensuring the preservation of personal data, communication techniques, technical knowledge and skills, and awareness of relevant legislation.
• Additional protocols have been prepared and implemented for cases requiring data transfer related to activities carried out by the head tailors.
• Başterziler fulfills its obligation to inform data subjects before commencing personal data processing.
• Başterziler fulfills its obligation to inform data subjects before commencing personal data processing.
• A personal data processing inventory has been prepared.
• Compliance efforts have been made with the principle of data minimization during the GDPR compliance process.
• In order to ensure compliance with the law and its continuity, a Personal Data Protection Committee has been established and its members have been trained.
• Internal company policies and procedures regarding the storage and destruction of personal data, and the protection of special categories of personal data, have been prepared and implemented.
• Data processing service providers are made aware of data security issues.
• Confidentiality agreements are in place.
• An authorization matrix has been created for employees. The authorizations of employees who change roles or leave the company are revoked in this area.
4.1.3 Auditing of Measures Taken Regarding the Protection of Personal Data
In accordance with the law, Başterziler conducts or commissions the necessary audits within its own organization. The results of these audits are reported to the Personal Data Protection Committee, senior management, and the relevant department within the scope of the company's internal operations. Actions are planned, and the follow-up of the planned actions to improve the measures taken is carried out by the relevant process owners and the Personal Data Protection Committee.
4.1.4 Measures to be Taken in Case of Unlawful Disclosure of Personal Data
If personal data is obtained or disclosed by others through unlawful means, Başterziler will notify the relevant data owner as soon as possible and the Board within 72 hours of the date of detection.
4.2 Protection of Special Categories of Personal Data
The law attaches special importance to certain personal data due to the risk of causing harm and/or discrimination to individuals if processed unlawfully. This data includes: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Başterziler shows utmost sensitivity to the protection of special categories of personal data, which are defined as "special categories" by law and processed lawfully. Başterziler approaches the security of special categories of personal data with the utmost care and has prepared a separate Special Categories of Personal Data Processing and Protection Policy, and ensures the necessary audits within the Company.
4.3 Protection of the Rights of Data Subjects
Başterziler respects all legal rights of personal data owners in accordance with the Policy and the Law, and takes all necessary measures to protect these rights. Detailed information regarding the rights of personal data owners is provided in Section 5 of this Policy.
5. RIGHTS OF THE DATA SUBJECTS, AND THE EXERCISE OF THESE RIGHTS
POINTS
5.1 Rights of the Data Subject
The person concerned may apply to Başterziler in accordance with Article 11 of the Law, requesting information regarding themselves;
• To find out whether your personal data is being processed,
• Requesting information regarding the processing of personal data, if applicable.
• To learn the purpose for which personal data is processed and whether it is being used appropriately for that purpose,
• Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
• Requesting the correction of incomplete or inaccurate personal data and notifying third parties to whom the personal data has been transferred of the correction made.
• To request the deletion or destruction of personal data when the reasons requiring its processing cease to exist, even if it has been processed in accordance with the law and other relevant legislation, and to request that this action be notified to third parties to whom the personal data has been transferred.
• The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
• Individuals have the right to claim compensation for damages incurred as a result of the unlawful processing of their personal data.
5.2 Circumstances in Which the Data Subject Cannot Exercise Their Rights
The relevant persons cannot assert their rights listed in section 5.1 in the following cases, as these are excluded from the scope of the Law pursuant to Article 28 of the Law:
• Personal data may be processed by natural persons solely for activities related to themselves or family members living in the same household, provided that the data is not disclosed to third parties and that obligations regarding data security are complied with.
• Processing personal data for purposes such as research, planning, and statistics through official statistics and by anonymizing it,
• Processing of personal data for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been given duties and powers by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.
According to the second paragraph of Article 28 of the Law, the data subject cannot exercise the rights specified in Article 5.1 of this Policy, except for the right to claim compensation for damages, in the following cases:
• The processing of personal data is necessary for the prevention of crime or for criminal investigation.
• Processing personal data that has been made public by the data subject themselves.
• Personal data processing is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, based on the authority granted by law.
• The processing of personal data is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax, and financial matters.
5.3 Exercise of Rights by the Data Subject
The data subject may exercise the rights specified in Article 5.1 of this Policy by completing the application form available at https://www.vitello.com and submitting it with a wet signature or via registered email address, secure electronic signature, mobile signature, or email address previously notified to Başterziler and registered in the systems.
The method for making an application is explained in detail in the "Application Form under the Personal Data Protection Law" whose address is provided above. If the data subject wishes to exercise this right through their representative, they must submit documents verifying their identity, issued or approved by the competent authorities, and any supporting documents, to Başterziler along with the application form.
5.4 Başterziler's Response to Applications
Başterziler will process requests submitted to it free of charge as soon as possible, and no later than thirty days, depending on the nature of the request. If fulfilling a request incurs a cost, fees may be charged according to the tariff determined by the Board. Başterziler may accept or reject a request, explaining the reason; it will notify the data subject of its response in writing or electronically. If the request is accepted, Başterziler will fulfill the request.
6. PUBLICATION AND SECURITY OF THE POLICY
The policy is published in two different formats: in printed form (with a wet signature) and electronically, and is made public on the website. The printed copy is kept by the Personal Data Protection Committee.
7. POLICY UPDATE PERIOD
The policy is reviewed by the Personal Data Protection Committee as needed, and the necessary sections are updated.
8. ENTRY INTO FORCE, REPEAL AND IMPLEMENTATION OF THE POLICY
This policy shall be deemed to have entered into force upon its publication on Başterziler's website. If a decision is made to revoke it, the original copies of the policy bearing wet signatures shall be cancelled (stamped or marked with a cancellation stamp) and signed by the chairpersons and members of the Personal Data Protection Committee, and shall be kept by the Personal Data Protection Committee for at least 5 years.