Personal Data Protection Law

1. Entry
20 Of the Constitution of the Republic of Turkey. according to the article, everyone has the right to request the protection of personal data about himself / herself. This right also includes being informed about the personal data about the person, accessing this data, requesting their correction or deletion, and learning whether they are being used for their purposes.
The Personal Data Protection Law No. 6698 (“KVK Law”) regulates the procedures and principles to be followed by natural and legal persons who process personal data and the obligations to protect the fundamental rights and freedoms of persons in the processing of personal data. The purpose of this Policy prepared in this direction is to ensure compliance with the obligations related to the KVK Law regulations.
The purpose of this Policy is to protect the personal data of the guarantor, customer, visitor, supplier and third parties managed by the Policy. The protection of the personal data of our employees is written in parallel with the principles in this Policy by Elsan Elektrik Gerecleri Sanayi Ve Ticaret A.Sh. It is managed under the Policy regarding the Processing of Personal Data of its Employees.
Elsan Electrical Equipment Industry and Trade with the KVK Law and other relevant legislation A.Sh. If there is a contradiction between the Personal Data Protection and Processing Policy, the legislation in force will find an area of application. Dec.

2. Purpose
In order to protect the fundamental rights and freedoms of persons, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons processing personal data, as well as the procedures and principles they will comply with, Elsan Elektrik Gerecleri Sanayi Ve Ticaret A.Sh. (“Company“) The Personal Data Protection and Processing Policy (”Policy") has been prepared.
With the policy, it has been adopted to maintain and develop the activities carried out by the Company in accordance with the principles set out in the KVK Law.

3. Scope
Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:
It Has Been:
Customers: Natural persons whose personal data are obtained due to business relationships within the scope of the activities carried out by the Company, regardless of whether there is any contractual relationship or not
Dec Jul Third Parties: Natural persons of third parties who are associated with these persons to ensure the security of commercial transactions between our Company and the above-mentioned parties or to protect the rights and interests of the mentioned persons (e.g., natural persons of the above-mentioned parties). guarantor, companion, family members and relatives) or all natural persons whose personal data our Company is in a position to process for a specific purpose, although it is not explicitly stated in the Policy (e.g. former employees)
Employee Candidate / Trainee Candidate: Real people who have applied for a job in our company by any means or have submitted their resume and related information to the review of our Company
Employees, Shareholders, Officials of the Institutions with which we Cooperate: In the institutions with which our company has any kind of business relationship (business partner, supplier, etc. but not limited to) employees, real persons, including shareholders and officials of these institutions
Visitor: To the physical facilities owned by our company or where an organization is carried out (offices, etc.) real persons who have entered or visited our websites for various purposes

4. Definitions
The definitions used in this Policy are listed below:
Explicit consent: Consent related to a specific subject, based on information and explained by free will
Anonymization: Making personal data that cannot be associated with an identified or identifiable real person in any way, even by matching it with other data
Supplier: Natural persons who provide products or services to the Company
Personal health data: All kinds of information about the physical and mental health of an identified or identifiable natural person, as well as information about the health service provided to the person
Processing of personal data: by means of means that are fully or partially automatic of personal data or that are not automatic provided that they are part of any data recording system
acquisition, recording, storage, preservation,
changing, rearranging, explaining, transferring,
all kinds of operations performed on the data such as acquisition, making it available, classification or preventing its use
KVK Law: Personal Data Protection Law No. 6698
KVK Board: Personal Data Protection Board
KVK Institution: Personal Data Protection Institution
Special categories of personal data: Race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs of persons, disguise and clothing, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures related data, as well as biometric and genetic data
TCK: Turkish Penal Code No. 5237
Data processor: A natural or legal person who processes personal data on behalf of the data controller on the basis of the authority granted by the data controller
Personal data owner: a real person whose personal data are processed, who is considered a “related person” in the KVK Law
Personal Data Owner Application Form: 11 of the KVK Law for personal data owners whose personal data are processed within the company. the application form that they will use when using their applications for the rights described in the article
Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Register of Data Controllers: Register of data controllers maintained by the Presidency under the supervision of the Personal Data Protection Board
Data Inventory: The inventory that the Company creates and details by relating the personal data processing activities that it performs depending on the business processes to the personal data processing purposes, the recipient group to which the personal data is transferred and the relevant personal data owner group

5. General Principles regarding the Processing of Personal Data
3 Of the KVK Law. according to the article, all kinds of transactions performed on the data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, inheriting, making available, classifying or preventing the use of personal data by means that are fully or partially automatic or non-automatic, provided that they are part of any data recording system, are covered by the processing of personal data.
It is mandatory to comply with the following principles in the processing of personal data:
a) Compliance with the rules of law and honesty
Our Company carries out its personal data processing activities in accordance with the law and the rules of honesty in accordance with the KVK Law and relevant legislation, especially the Constitution.
b) Be accurate and up-to-date when necessary
While the processing of personal data by our company is being carried out, the processing of personal data
all kinds of administrative and technical measures are taken to ensure its accuracy and timeliness.
c) Processing for specific, clear and legitimate purposes
Our company, before starting the activity of processing personal data, has determined the purpose of processing personal data
he clearly and definitively determines.
d) Being connected, limited and restrained for the purposes for which they are processed
Personal data are processed by our company to the extent necessary for the realization of the determined purposes. Data processing activities are not carried out on the assumption that they can be used later.
e) To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed
Our Company stores personal data for a limited period of time as required by the KVK Law and the relevant legislation or for the purposes related to the data processing activity.

6. Conditions of Processing of Personal Data
Our company, with the explicit consent of the personal data owner or 5 of the KVK Law. and 6. stipulated in the articles
in cases where it can process personal data and personal data of a special nature without explicit consent.
6.1. Processing of Personal Data
5 Of the KVK Law on the personal data processing activities of our company. data processing as set out in the article
conducts it in accordance with its conditions:
a. To be clearly stipulated in the laws.
b. The fact that a person who is unable to disclose his consent due to actual impossibility or whose consent is not granted legal validity is mandatory for the protection of the vital or bodily integrity of himself or someone else.
c. It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
d. It is mandatory for our company to fulfill its legal obligations.
e. The fact that the personal data has been made public by the owner himself.
f. The necessity of data processing for the establishment, use or protection of a right.
g. It is mandatory to process data for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
Your personal data of a special nature are collected, stored and processed based on the following reasons of compliance with the law:
a) Having the explicit consent of the person concerned,
b) It is clearly stipulated in the laws,
c) A person who is unable to disclose his consent due to actual impossibility, or whose consent is not legally valid, must be for the protection of the life or body integrity of himself or someone else,
ç) Regarding the personal data made public by the relevant person and in accordance with the will of making it public,
d) It is mandatory for the establishment, use or protection of a right,
e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and maintenance services, as well as the planning, management and financing of health services by persons or authorized institutions and organizations under the obligation to keep secrets, for the purpose of conducting preventive medicine, medical diagnosis, treatment and care services,
f) It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
6.2. Processing of Personal Data of a Special Nature
Our Company, 6 of the KVK Law on the processing of personal data specified as of a special nature, which carries the risk of creating discrimination if they are processed illegally. it conducts it in accordance with the data processing conditions set out in the article.
Processing of personal data of a special nature;
a) Having the explicit consent of the person concerned,
b) It is clearly stipulated in the laws,
c) A person who is unable to disclose his consent due to actual impossibility, or whose consent is not legally valid, must be for the protection of the life or body integrity of himself or someone else,
ç) Regarding the personal data made public by the relevant person and in accordance with the will of making it public,
d) It is mandatory for the establishment, use or protection of a right,
e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and maintenance services, as well as the planning, management and financing of health services by persons or authorized institutions and organizations under the obligation to keep secrets, for the purpose of conducting preventive medicine, medical diagnosis, treatment and care services,
f) It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
g) Foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes are intended for their current or former members and members, or people who are in regular contact with these organizations and formations, provided that they comply with the legislation and purposes to which they are subject, are limited to their areas of activity and are not disclosed to third parties,
in this case, it is possible.”
6.3 The Legal Reason for the Processing of Your Personal Data
Your personal data is subject to the Turkish Commercial Code numbered 6102, Turkish Code of Obligations numbered 6098, Tax Procedure Code numbered 213, electronic commerce legislation and KVKK. we process within the framework of the following legal reasons regulated in 5:
o We process based on your consent in cases where we need to obtain your explicit consent in accordance with the KVKK and other legislation (We would like to remind you that you can withdraw your consent at any time in this case)
o In any case permitted by the applicable legislation
When there is an obligation to protect the vital interests of any person
o In cases where we need to establish a contract with you, perform the contract and fulfill our obligations under a contract
o Fulfilling our legal obligations,
o In the event that your personal data has been made public by you
o The necessity of our data processing for the establishment or protection of a right, exercising our legal rights and defending against legal claims filed against us
o In cases where our legitimate interests require, provided that we do not harm your fundamental rights and freedoms

7. Ensuring the Security and Confidentiality of Personal Data
Our company is subject to Article 12 of the KVK Law. in accordance with the article, Jul takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes and unlawful access to personal data, to ensure the preservation of personal data.
7.1. Technical Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
The Company has taken all kinds of technical and technological security measures to protect your personal data and has protected your personal data against possible risks. The measures in question are listed below:
- Taking technical measures to the extent possible by technology
- Employment of people who are experts in technical issues
- Conducting an audit on the implementation of measures taken at regular intervals December
- Creation of the necessary software and infrastructure to ensure security
- Restriction of access to the data being processed within the company
- Using a backup program in accordance with the law to ensure that personal data is stored securely
- Use of software containing virus protection systems
7.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
- Training and raising awareness of the company's employees regarding the KVK Law,
- In cases of personal data transfer, ensuring that a record is added to the contracts concluded with the persons to whom the personal data is transferred that the party to whom the personal data is transferred will fulfill the data security,
- Determination of the requirements to be fulfilled for compliance with the KVK Law and preparation of internal policies for their implementation,
7.3. Precautions to be Taken in Case of Disclosure of Personal Data by Unlawful Means If the processed personal data is obtained by others by unlawful means, our Company will notify the relevant data owner and the Board as soon as possible of this situation.

8. Purposes of Processing of Personal Data and Storage Periods
8.1. Purposes of Processing of Personal Data
Personal Data, Elsan Electrical Equipment Industry and Trade A.Sh. it can be processed by the company within the scope of the following purposes and stored for as long as these purposes and the relevant legal periods are stipulated.
Purposes of Personal Data Processing;
* Carrying out electricity generation, distribution and retail sales activities
* Performing the activities that the Company is responsible for carrying out within the scope of legal and administrative obligations,
* Informing the data owner about the changes in the legislation or the rules and policies accepted by the Company,
* Investigation, detection, notification and prevention of illegal transactions, as well as management and execution of activities subject to the legal process,
* Protection of legitimate interests,
* Negotiation, creation and execution of contracts,
· Performing due diligence within the scope of requests and questions and providing feedback to the relevant person,
· Along with conducting promotional activities, obtaining the opinion of data owners through surveys and votes and ensuring customer/ employee satisfaction,
* Increasing efficiency by ensuring the workflow and coordination Decoupling between the units,
· Examination of the suitability of candidates for the relevant position in the job application, candidate evaluation and recruitment processes, as well as contacting these candidates and people connected with the application,
* Registration of the visit and tracking of the cargo,
· Ensuring the security of the digital systems and physical environments owned by the Company or used by the Company and taking the necessary measures by making relevant evaluations,
* Carrying out the necessary works by business units in order to benefit customers from the products and services offered,
* Planning and execution of corporate sustainability activities,
* Execution of company law transactions,
* Ensuring the legal and commercial security of the persons who are in a business relationship,
* Conducting commercial activities for the purpose of determining and implementing commercial and business strategies.
8.2. Duration of Storage of Personal Data
We store your personal data only for the period necessary to fulfill the purpose for which they were collected. We determine these periods separately for each business process and at the end of the relevant periods, if there is no other reason why we should keep your personal data, we dispose of your personal data in accordance with the KVKK.
When determining the periods of destruction of your personal data, we take into account the following criteria:
• The period of time accepted in accordance with general practice in the sector where the data controller operates within the scope of the purpose of processing the relevant data category,
• The period of time that makes it necessary to process the personal data included in the relevant data category and during which the legal relationship established with the relevant person will continue,
• The period during which the legitimate interest to be obtained by the data controller, depending on the purpose of processing the relevant data category, will be valid in accordance with the law and the rules of honesty,
• The period during which the risks, costs and responsibilities caused by the storage of the relevant data category depending on the purpose of processing will continue legally,
• Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up-to-date when necessary,
• The period during which the data controller is obliged to store the personal data included in the relevant data category due to his/her legal obligation,
• The statute of limitations set by the data controller for asserting a right related to the personal data contained in the relevant data category.

9. Deletion, Destruction and Anonymization of Personal Data
7 Of the KVK Law. in accordance with the article, although the personal data has been processed in accordance with the relevant legislation, if the reasons requiring its processing disappear, the personal data will be deleted, destroyed or anonymized by our Company on your own or at the request of the personal data owner.
The procedures and principles related to this issue will be fulfilled in accordance with the KVK Law and the secondary legislation to be established by taking this Law as a basis.
9.1. Methods of Erasure and Destruction of Personal Data
Although our Company has been processed in accordance with the provisions of the relevant law, if the reasons requiring processing disappear, it may delete or destroy personal data based on its own decision or upon the request of the personal data owner. The most commonly used deletion or destruction techniques by our company are listed below:
a. Physically Destroying
Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When deleting / destroying such data, a system of physical destruction of personal data is applied in such a way that it cannot be used later.
b. Secure Deletion from Software
When deleting/ destroying data processed by fully or partially automatic means and stored in digital media, methods related to deleting data from the relevant software are used in such a way that it cannot be recovered again.
c. Safe Deletion by an Expert
In some cases, our company may agree with a specialist to delete personal data on its behalf. In this case, the personal data is securely deleted/destroyed by the person who is an expert in this field in such a way that it cannot be recovered again.
9.2. Methods of Anonymization of Personal Data
Even by matching personal data with other data, under no circumstances is an identifiable or identifiable
it means that it is made in a way that cannot be associated with a real person.
a. Masking
It is a method of anonymizing personal data by removing the basic determining information of personal data from the data set with data masking.
Example: The name that allows the identification of the personal data owner, TC ID Number, etc. converting the personal data into a data set in which it becomes impossible to identify the owner by extracting the information.
b. Aggregating
With the data aggregation method, many data are aggregated and personal data are made to be unable to be associated with any person.
Example: Revealing that there are customers as old as y at the age of x, without showing the ages of the customers individually.
c. Data Derivation
With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person.
Example: Specifying ages instead of dates of birth; specifying the region of residence instead of the open address.
d. Data Hashing
By mixing the values in the personal data set with the data hash method, the Decoupling of the connection between values and persons is ensured.
Example: Changing the nature of voice recordings so that the data owner cannot be associated with the sounds.

10. Third Parties to whom Personal Data is Transferred and the Purposes of Transfer
Procedures and principles to be applied in personal data transfers 8 of the KVK Law. and 9. It is regulated in the Articles and the personal data and special personal data of the personal data owner can be transferred to third parties at home and abroad. In order to perform the services, your personal data may be shared with third parties, contracted institutions, lawyers for the resolution of legal disputes, real and legal persons with whom we have a proxy relationship, our business partners and other third parties, including, but not limited to, laws and other legislation and other regulations related to laws, regulations of supervisory and regulatory institutions and organizations, as well as cases required by public authorities. However, in any case, personal data cannot be transferred without the explicit consent of the personal data owner, except in exceptional cases.
10.1. Transfer of Personal Data Domestically
8 Of the KVK Law. in accordance with article 6 of this Policy, the domestic transfer of personal data is entitled “Terms of Processing of Personal Data”. it will be possible provided that one of the conditions specified in the section is met.
10.2. Transfer of Personal Data Abroad
9 Of the KVK Law. in accordance with the article, if personal data is transferred abroad, in addition to the fact that the conditions for their domestic transfer have been met, the existence of one of the following issues is sought:
- If there is a qualification decision made by the Board about the country where the transfer will be made, sectors within the country or international organizations, it can be transferred abroad by the data controllers and data processors.
- Providing that the relevant person has the opportunity to exercise his rights and apply for effective legal remedies in the country where the transfer will be made, one of the appropriate guarantees mentioned below is provided by the parties, provided that there is an opportunity to apply for effective legal remedies in the country where the transfer will be made
a) The existence of an agreement between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey or professional organizations of the nature of a public institution, which is not an international contract, and Decertification of the transfer by the Board.
b) The existence of binding company rules that companies within the enterprise group engaged in joint economic activity are obliged to comply with, which contain provisions related to the protection of personal data and are approved by the Board.
c) The existence of a standard contract announced by the Board, which includes such issues as data categories, purposes of data October transfer, recipients and groups of recipients, technical and administrative measures to be taken by the data recipient, additional measures taken for personal data of a special nature.
ç) The existence of a written undertaking containing the provisions that will provide adequate protection and the authorization of the transfer by the Board.
- The standard contract is notified to the Institution by the data controller or the data processor within five working days from the date of its signing.
- Data controllers and data processors may transfer personal data abroad only if one of the following conditions exists, provided that there is no adequacy decision and any of the appropriate guarantees provided for in the fourth paragraph cannot be provided, provided that it is accidental:
a) The person concerned gives explicit consent to the transfer, provided that he/she is informed about the possible risks.
b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject Dec.
c) The transfer is mandatory for the establishment or performance of a contract to be concluded between the data controller and another natural or legal person for the benefit of the data subject. Dec.
ç) The transfer is mandatory for a superior public benefit.
d) It is mandatory to transfer personal data for the establishment, use or protection of a right.
e) It is mandatory to transfer personal data for the protection of the life or body integrity of a person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, himself or someone else.
f) Transfer from a registry that is open to the public or persons with a legitimate interest, provided that the conditions required to access the registry are met in the relevant legislation and that the person with a legitimate interest requests it.
The provisions contained in other laws regarding the transfer of personal data abroad are reserved.
10.3. Contact Groups to Which Personal Data is Transferred by Our Company
Our company is subject to Article 8 of the KVK Law. and 9. in accordance with the articles and within the scope of this Policy, the personal data owners may transfer the personal data to the following groups of persons within the framework of the specified purposes:
DEFINITION OF CONTACT GROUPS PURPOSE OF TRANSFER
Legally Authorized Public Institutions and Organizations: Energy Market Regulatory Authority (EMRA), Energy Markets Enterprise A.Sh. (EPIAS), Turkey Electricity Transmission A.Sh. (TEIAS), Chamber of Energy Engineers (EMO), Capital Markets Board (CMB), Central Registry Agency (MKK), Electricity Distribution Services Association (ELDER), Türkiye Elektrik Dağıtım A.Sh. (TEDAŞ), Turkish Statistical Institute (TURKSTAT), T.C. Ministry of Energy, Turkish Employment Agency, Ministry of Family, Labor and Social Services of the Republic of Turkey, Social Security Institution, District Health Directorate, official, administrative authorities such as municipalities
The relevant public institution and
The authority of their organizations
limited to the purpose requested within the framework of the information, reporting, etc. before these organizations. compliance with obligations and fulfillment of requests.
Legally Authorized Private Legal Persons: In accordance with the provisions of the relevant legislation
as private law persons authorized to receive information and documents from our company, the relevant private law persons
limited to the purpose requested by him within the scope of his legal authority.
Service providers: Companies offering cloud computing services or companies offering database services, servers, functions and services in a limited way for the most efficient and in accordance with current technologies.
Professional Consultants:
* Banks
* Insurance companies
* Auditors
* Lawyers
* Accountants
* Shipping Companies,
* Warehouses
* Cargo Companies
* Service Companies
* Travel Agencies
In order to maintain business activities, limited to the purposes of conducting tender processes, conducting mediation and arbitration transactions, and conducting our relations with our suppliers.

11. The Obligation of Our Company to Inform
Our company is subject to Article 10 of the KVK Law. in accordance with the article, it should inform the personal data owners during the collection of personal data. In this context, our Company fulfills its obligation to inform on the following issues:
a. The title of our company in the capacity of data controller
b. For what purpose the personal data will be processed
c. To whom and for what purposes the processed personal data may be transferred
d. The method and legal reason of collecting personal data
e. Rights of the personal data owner

12. The Rights of Personal Data Owners and the Exercise of These Rights
13 Of the KVK Law. in accordance with the article, the evaluation of the rights of the personal data owners and the information that should be made to the personal data owners in addition to this Policy Elsan Elektrik Gerecleri Sanayi Ve Ticaret A.Sh. The Personal Data is carried out by the Owner through the Application Form. Personal data owners may submit complaints or requests related to the processing activities of their personal data to us within the framework of the principles specified in the relevant form.
12.1. Right of Application
11 Of the KVK Law. in accordance with the article, everyone whose personal data is processed can apply to our Company and make requests related to the following issues related to him/her:
a. To learn whether his/her personal data is processed or not,
b. If your personal data has been processed, do not request information about it,
c. To learn the purpose of the processing of their personal data and whether they are used in accordance with their purpose,
d. To learn about the third parties to whom their personal data are transferred domestically or abroad,
e. To request that their personal data be corrected in case of incomplete or incorrect processing and to request that the transaction made in this context be notified to the third parties to whom the personal data are transferred,
f. If the reasons requiring the processing of personal data disappear, request that they be deleted, destroyed or anonymized, and request that the transaction made in this context be notified to the third parties to whom the personal data are transferred,
g. Objecting to the occurrence of a result against the data owner by analyzing the processed personal data exclusively through automated systems,
h. Do not request compensation for the damage if they suffer damage due to the unlawful processing of their personal data.
12.2. Cases That are Outside the Scope of the Right of Application
28 Of the KVK Law. according to the article, it will not be possible for the personal data owners to assert their rights in the following cases:
a. The processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same housing, provided that they are not given to third parties and the obligations related to data security are complied with,
b. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
c. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or do not constitute a crime,
d. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations assigned duties and authority by law in order to ensure national defense, national security, public security, public order or economic security,

e. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.
28 Of the KVK Law. 2 of the article. in accordance with the paragraph, it will not be possible for the personal data owners to assert their rights (except for the right to request compensation for damage).:
a. The fact that the processing of personal data is necessary for the prevention of the commission of a crime or for the investigation of a crime.
b. Processing of personal data made public by the data subject himself.
c. Supervision or regulation of personal data processing by authorized and authorized public institutions and organizations, as well as professional organizations that are public institutions, based on the authority granted by law
to be necessary for the execution of their duties and for disciplinary investigation or prosecution.
d. The fact that the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial issues.12.3. The Way to Respond
13 Of the KVK Law. in accordance with the article, our Company will finalize the application requests made by the personal data owner free of charge as soon as possible and no later than 30 (thirty) days, depending on the nature of the request.
The application of the personal data owner may be rejected in the following cases:
a. Preventing the rights and freedoms of other persons
b. Requires disproportionate effort
c. The fact that the information is a public information
d. Endangering the privacy of others
e. The existence of one of the cases that are excluded from the scope in accordance with the KVK Law

13. Personal Data Processing Activities Carried Out Within the Company and Data Processing Activities Carried Out on the Website
13.1. Monitoring with a Camera Inside the Company
In order to protect the interests of our company and other people related to ensuring their safety, camera monitoring is carried out within our Company.
In accordance with the regulations contained in the KVK Law, this Policy is published by our Company on our website regarding camera monitoring activities, and a notification letter about monitoring is posted at the entrances to the areas where monitoring is performed.
There is no monitoring in areas that may lead to interference with a person's privacy. Only a limited number of our Company employees and security company employees who are suppliers can access the security camera recordings, if necessary. These persons who have access to the records declare that they will protect the confidentiality of the data they access with the confidentiality commitment they have signed.
13.2. Customer Entrances and Exits Visiting the Company
Personal data processing activities are carried out for tracking the entry and exit of our guests who visit our company. While obtaining the first and last name information of the persons who come to our company, the data in question are processed only for this purpose and the relevant personal data are recorded in the registration system in a physical environment.
13.3. Records of Internet Access Provided to Visitors of the Company
Storage
Internet access is provided by our company to our visitors who request it during your stay in our buildings and facilities. In this case, log records related to your internet access are recorded in accordance with the Law No. 5651 and the supervisory provisions of the legislation regulated in accordance with this Law; these records are processed only for the purpose of fulfilling our relevant legal obligations upon request by authorized public institutions and organizations or during the audit processes to be carried out within our Company. Within this framework, only a limited number of our employees who are under the obligation of confidentiality have access to the log records obtained. Our employees who have access to these records access these records only for use in requests or audit processes from authorized public institutions and organizations and are shared with legally authorized persons.
13.4. Website Visitors
Internet movements within the site are recorded so that people visiting the website of our company can perform their visits in an appropriate way for the purposes of visiting, so that customized content can be shown to them and online advertising activities can be carried out (for example, cookies by technical means). Detailed explanations about these activities of our company are included in the texts of the Privacy Policies on our website.
This Policy may be revised by the Company if deemed necessary. In cases where revision is in question, the most up-to-date version of the Policy will be included on the Company's website.