1. INTRODUCTION AND PURPOSE OF PREPARING THE POLICY
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by SADA UZMANLIK FUARLARI TİC. A.Ş. in order to fulfill our obligations pursuant to the Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) published in the Official Gazette dated October 28, 2017, which constitutes the secondary regulation of the Law, and to inform data subjects about the principles for determining the maximum retention period necessary for the purpose for which your personal data is processed, as well as the deletion, destruction and anonymization processes.
2. DEFINITIONS
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: KVKK Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any environment containing personal data processed by fully or partially automated means or by non-automated means provided that they are part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, explaining, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automated means or by non-automated means provided that they are part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable for relevant users in any way.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Board: Personal Data Protection Board.
Special Categories of Personal Data: Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at repetitive intervals specified in the personal data retention and destruction policy in the event that all the conditions for processing personal data set forth in the Law disappear.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.
3. PRINCIPLES
SADA UZMANLIK FUARLARI TİC. A.Ş. acts within the framework of the following principles regarding the retention and destruction of personal data:
- In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law, the technical and administrative measures to be taken within the scope of Articles 1 to 12 and specified in Article 6.2 of this Policy, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
- All transactions regarding the deletion, destruction and anonymization of personal data are recorded by SADA UZMANLIK FUARLARI TİC. A.Ş. and such records are kept for at least 3 years, excluding other legal obligations.
- Unless a contrary decision is taken by the Board, the appropriate method from among the methods of ex officio deletion, destruction or anonymization of personal data is selected by us. However, upon the request of the Relevant Person, the appropriate method will be selected by explaining the justification.
- In the event that all the conditions for processing personal data set forth in Articles 5 and 6 of the Law disappear, personal data are deleted, destroyed or anonymized by SADA UZMANLIK FUARLARI TİC. A.Ş. ex officio or upon the request of the relevant person. In this regard, if the Relevant Person applies to SADA UZMANLIK FUARLARI TİC. A.Ş.;
- Submitted requests are finalized within 30 (thirty) days at the latest and the relevant person is informed,
- In the event that the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data was transferred and it is ensured that the necessary transactions are carried out before the third parties.
CLARIFICATION AND INFORMING OF THE PERSONAL DATA SUBJECT
Our Company, in accordance with Article 10 of the KVK Law, informs the personal data subjects during the acquisition of personal data. In this context, it provides clarification on the identity of SADA UZMANLIK FUARLARI TİC. A.Ş. and its representative, if any, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data subject.
4. EXPLANATIONS ON REASONS REQUIRING RETENTION AND DESTRUCTION
Personal data belonging to data subjects are safely stored by SADA UZMANLIK FUARLARI TİC. A.Ş. in the physical or electronic environments listed above within the framework of the limits specified in the KVKK and other relevant legislation, particularly for the purposes of maintaining commercial activities, fulfilling legal obligations, planning and executing employee rights and fringe benefits, and managing customer relations. The reasons requiring retention are as follows.
- Retention of personal data because it is directly related to the establishment and performance of contracts,
- Retention of personal data for the purpose of establishing, exercising or protecting a right,
- Retention of personal data being mandatory for the legitimate interests of SADA UZMANLIK FUARLARI TİC. A.Ş., provided that it does not harm the fundamental rights and freedoms of individuals,
- Retention of personal data for the purpose of SADA UZMANLIK FUARLARI TİC. A.Ş. fulfilling any of its legal obligations,
- The retention of personal data is explicitly provided for in the legislation,
- The presence of explicit consent of the data subjects in terms of retention activities that require obtaining explicit consent of the data subjects.
In accordance with the Regulation, personal data belonging to data subjects are deleted, destroyed or anonymized by SADA UZMANLIK FUARLARI TİC. A.Ş. ex officio or upon request in the following cases:
- Amendment or abolition of the relevant legislation provisions that constitute the basis for the processing or retention of personal data,
- Disappearance of the purpose requiring the processing or retention of personal data,
- Disappearance of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
- In cases where the processing of personal data occurs only based on the explicit consent condition, the relevant person withdraws his/her consent,
- Acceptance by the data controller of the application made by the relevant person regarding the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights in subparagraphs (e) and (f) of Article 11 of the Law,
- In cases where the data controller rejects the application made to him/her by the relevant person with the request for deletion, destruction or anonymization of his/her personal data, the response provided is found insufficient or no response is given within the period provided for in the Law; filing a complaint with the Board and this request being found appropriate by the Board,
- Despite the passage of the maximum period requiring the retention of personal data, the absence of any condition that would justify the retention of personal data for a longer period.
5. RETENTION AND DESTRUCTION PERIODS
The following criteria are used respectively in determining the retention and destruction periods of your personal data obtained by SADA UZMANLIK FUARLARI TİC. A.Ş. in accordance with the KVKK and other relevant legislation provisions:
- If a period is provided for in the legislation regarding the retention of the personal data in question, this period shall be complied with. Following the expiration of the said period, the data is processed within the scope of the 2nd paragraph.
- In the event that the period provided for in the legislation regarding the retention of the personal data in question expires or no period is provided for in the relevant legislation regarding the retention of the said data, respectively;
- Personal data are subject to classification as personal data and special categories of personal data, based on the definition in Article 6 of the KVKK. All personal data determined to be of a special nature are destroyed. The method to be applied in the destruction of said data is determined according to the nature of the data and its degree of importance in terms of its retention by SADA UZMANLIK FUARLARI TİC. A.Ş.
- The compliance of the retention of the data with the principles specified in Article 4 of the KVKK is examined; for example, whether SADA UZMANLIK FUARLARI TİC. A.Ş. has a legitimate purpose in retaining the data. Data whose retention is determined to violate the principles set forth in Article 4 of the KVKK are deleted, destroyed or anonymized.
- It is determined which exception(s) provided for in Articles 5 and 6 of the KVKK the retention of the data can be evaluated within. Reasonable periods for the retention of data are determined within the framework of the identified exceptions. In the event of the expiration of said periods, the data are deleted, destroyed or anonymized. Personal data whose retention period has expired are destroyed in 6-month periods in accordance with the procedures set forth in this Policy. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least three years, excluding other legal obligations.
- If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the company have also come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or for the assertion of the relevant right connected to the personal data or for the establishment of a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the mentioned right and the examples in the requests previously directed to our Company on the same issues despite the passage of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is necessary to use it in the relevant legal dispute. Here too, after the expiration of the mentioned period, personal data are deleted, destroyed or anonymized.
6. PROCEDURES FOR RETENTION AND DESTRUCTION OF PERSONAL DATA BY SADA UZMANLIK FUARLARI TİC. A.Ş.
I. RECORDING MEDIA
SADA UZMANLIK FUARLARI TİC. A.Ş. keeps your personal data in two ways:
- In an electronic environment, through a computer program within the Company that is closed and has no external access. This program was developed by SADA UZMANLIK FUARLARI TİC. A.Ş.; its password is held only by the necessary personnel, and these personnel can perform operations in this program.
- In a physical environment, filed in paper form. These physical files are stored in secure cabinets and access is provided only by authorized personnel.
II. TECHNICAL AND ADMINISTRATIVE MEASURES
All administrative and technical measures taken by SADA UZMANLIK FUARLARI TİC. A.Ş. within the framework of the principles in Article 12 of the KVKK for the purpose of ensuring the secure storage of your personal data, preventing unlawful processing and access, and ensuring the lawful destruction of data are listed below:
Administrative Measures:
Within the scope of administrative measures, SADA UZMANLIK FUARLARI TİC. A.Ş.;
- Limits internal access to stored personal data to personnel who need access due to their job descriptions. Whether the data is of a special nature and its degree of importance are also taken into account in limiting access.
- In the event that processed personal data is obtained by others through unlawful means, it notifies the relevant person and the Board as soon as possible.
- Regarding the sharing of personal data, it signs a framework agreement regarding the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with provisions added to its existing contract.
- Employs knowledgeable and experienced personnel regarding the processing of personal data and provides its personnel with necessary training within the scope of personal data protection legislation and data security.
- Conducts, or has conducted, the audits necessary to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates privacy and security vulnerabilities that are identified as a result of audits.
Technical Measures:
Within the scope of technical measures, SADA UZMANLIK FUARLARI TİC. A.Ş.;
- Performs necessary internal controls within the scope of the established systems.
- Carries out information technology risk assessment and business impact analysis processes within the scope of the established systems.
- Ensures the provision of technical infrastructure to prevent or observe the leakage of data out of the institution and the creation of relevant matrices.
- Ensures the control of system vulnerabilities by receiving penetration testing services regularly and when needed.
- Ensures that the access authorizations of employees in information technology units to personal data are kept under control.
- Ensures that personal data is destroyed in such a way that it cannot be recovered and will not leave an audit trail.
- In accordance with Article 12 of the Law, all kinds of digital environments where personal data are stored are protected by encrypted or cryptographic methods in a way that meets information security requirements.
III. PERSONNEL
You can access the titles, units, and job descriptions of the personnel involved in the personal data storage and destruction process from the list in ANNEX-1 of this Policy.
IV. DESTRUCTION METHODS OF PERSONAL DATA
In the event that the personal data processing purposes listed in the Law and the Regulation disappear, the personal data obtained by SADA UZMANLIK FUARLARI TİC. A.Ş. in accordance with the KVKK and other relevant legislation will be destroyed by SADA UZMANLIK FUARLARI TİC. A.Ş. ex officio or upon the application of the Relevant Person, again in accordance with the provisions of the Law and relevant legislation, with the techniques specified below.
Techniques for Deletion and Destruction of Personal Data: The procedures and principles regarding the techniques for deletion and destruction of personal data by SADA UZMANLIK FUARLARI TİC. A.Ş. are listed below:
Deletion of Personal Data:
Secure Deletion from Software: While deleting data processed by fully or partially automated means and maintained in digital environments; methods regarding the deletion of data from the relevant software are used in a way that will make it inaccessible and unusable for Relevant Users in any way. If electronic systems are to be used, we will explain how the deletion process is done and its stages here. However, if the process of deleting personal data will result in the inability to access other data within the system and the inability to use this data, personal data will also be deemed deleted if personal data is archived by making it unassociable with the relevant person, provided that the following conditions are met.
- Being closed to the access of any other institution, organization or person,
- Taking all necessary technical and administrative measures to ensure that personal data can only be accessed by authorized persons.
Secure Deletion by an Expert: In some cases, SADA UZMANLIK FUARLARI TİC. A.Ş. may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted by the person who is an expert in this field in a way that will make it inaccessible and unusable for Relevant Users in any way.
Blacking Out Personal Data in Paper Environment: It is the method of physically cutting out the relevant personal data from the document or making it invisible by using permanent ink in a way that cannot be reversed and cannot be read with technological solutions, in order to prevent unintended use of personal data or to delete the data requested to be deleted.
Destruction of Personal Data:
De-magnetizing: It is the method of corrupting the data on the magnetic media in an unreadable way by passing it through special devices where it will be exposed to high magnetic fields. It should be noted that if destruction with this method is not successful, the destruction process can only be completed with the physical destruction of the media.
Physical Destruction: Personal data can also be processed by non-automated means, provided that they are part of any data recording system. While destroying such data, a system of physical destruction of personal data is applied in a way that it cannot be used later. The destruction of data in paper and microfiche environments must also be carried out in this way, as it is not possible to destroy them in any other way.
Overwriting: The overwriting method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.
During the occurrence of the situations listed above, SADA UZMANLIK FUARLARI TİC. A.Ş. fully complies with the KVKK, Regulation and other relevant legislation provisions for the purpose of ensuring data security and takes all necessary administrative and technical measures.
Techniques for Anonymization of Personal Data: The procedures and principles regarding the techniques for anonymization of personal data by SADA UZMANLIK FUARLARI TİC. A.Ş. are listed below:
Anonymization Methods That Do Not Provide Value Disorder: Anonymization methods that do not provide value disorder are methods applied by generalization, replacing with each other, or removing a specific data or sub-data group from the group, without making any changes or additions/deletions in the stored personal data.
Variable Extraction: With the method of extracting descriptive data, the existing data set is anonymized by removing those that are “high-degree descriptive” from the variables in the data set created after the collected data are brought together.
Extracting Records: In the record extraction method, the stored data is anonymized by removing the data row containing singularity among the data from the records. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data of this person from the records where the seniority, salary and gender data of the employees at the same level are kept.
Regional Masking: In the regional masking method, if a single data item has an identifying quality because it forms a rarely seen combination, hiding the relevant data ensures anonymization.
Lower and Upper Limit Coding: With the lower and upper limit coding method, values in a data group containing predefined categories are anonymized by merging them by determining a specific criterion.
Generalization: With the data aggregation method, many data are aggregated and personal data is made unassociable with any person. For example; revealing that there are Z number of employees at age X, without showing the ages of the employees one by one.
Global Coding: With the data derivation method, a more general content than the content of the personal data is created and personal data is ensured to be unassociable with any person.
Anonymization Methods That Provide Value Disorder: In anonymization methods that provide value disorder, unlike those that do not provide value disorder, it creates corruption by changing some data in personal data groups. While using these methods, deviations will need to be applied carefully in line with the benefit expected/desired to be obtained. By ensuring that total statistics are not distorted, the expected benefit from the data can continue to be provided.
Adding Noise: In the method of adding noise to the data, the data is anonymized by adding some deviations in the positive or negative direction at a determined rate to the existing data, especially in a data set where numerical data is predominant. For example, in a data group with weight values, the display of real values is prevented and the data is anonymized by using a (+/−) 3 kg deviation. The deviation is applied equally to each value.
Micro-Aggregation: In the micro-aggregation method, all data will first be arranged in a meaningful order (such as from largest to smallest), divided into groups, and anonymization will be provided by taking the average of the groups and writing the obtained value in place of the relevant data in the existing group. For example, for salary information; if two groups are made as below and above 10,000 TL, the sum of the salaries of the people receiving 10,000 TL and less is divided by the number of people and this value obtained is written in the salary set of everyone receiving a salary below 10,000 TL.
Data Swapping: In the data swapping method, the values of a variable are swapped with each other between pairs selected from the stored data. In this method, which is generally used for data that can be categorized, the aim is to transform the database by swapping the data belonging to the data owners with each other.
In accordance with Article 28 of the KVKK, in the event that personal data is processed for purposes such as research, planning and statistics by being made anonymous with official statistics, this situation will remain outside the scope of the Law and explicit consent will not be required.
7. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS
Rights of the Personal Data Subject
Personal data subjects have the following rights:
- Learning whether personal data is processed or not,
- If personal data has been processed, requesting information regarding this,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- In case personal data is processed incompletely or incorrectly, requesting their correction and requesting notification of the transaction made within this scope to the third parties to whom personal data is transferred,
- Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the KVK Law and other relevant law provisions, and requesting notification of the transaction made within this scope to the third parties to whom personal data is transferred,
- Objecting to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
- Requesting compensation for the damage in case of suffering damage due to unlawful processing of personal data.
- For the purpose of ensuring security by our Company, personal data processing activities are carried out for monitoring with security cameras in the buildings and facilities of our Company and for tracking guest entries and exits.
- Personal data processing activity is carried out by our Company through the use of security cameras and recording guest entries and exits.
- In this context, our Company acts in accordance with the Constitution, the KVK Law and other relevant legislation.
OUR COMPANY’S METHOD AND PERIOD OF RESPONDING TO APPLICATIONS
In the event that the personal data subject submits his/her request to our Company in accordance with the procedure in this section, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, our Company will charge the applicant the fee in the tariff determined by the KVK Board.
Information That Our Company May Request from the Personal Data Subject Making an Application
- Our Company may request information from the relevant person in order to determine whether the person making the application is the personal data subject.
- Our Company may ask questions to the personal data subject regarding his/her application in order to clarify the issues included in the application of the personal data subject.
Our Company’s Right to Reject the Application of the Personal Data Subject
Our Company may reject the application of the person making the application by explaining the justification in the following cases:
- Processing of personal data for purposes such as research, planning and statistics by being made anonymous with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
- The processing of personal data is necessary for the prevention of crime or for crime investigation.
- Processing of personal data made public by the personal data subject himself/herself.
- The processing of personal data is necessary for the execution of inspection or regulation duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.
- The possibility that the request of the personal data subject prevents the rights and freedoms of other persons.
- Requests requiring disproportionate effort have been made.
- The requested information is public information.
Right of the Personal Data Subject to File a Complaint with the KVK Board
In accordance with Article 14 of the KVK Law, the personal data subject may file a complaint with the KVK Board within thirty days from the date he/she learns the response of our Company and in any case within sixty days from the date of application, in cases where the application is rejected, the response given is found insufficient or the application is not responded to in time.
Exercise of Rights by the Personal Data Subject
- Personal data subjects will be able to submit their requests regarding their rights listed above to the Company by filling out the form at the KVK APPLICATION FORM address with a wet signature or secure electronic signature.
- It is not possible for third parties to make requests on behalf of personal data subjects.
- In order for a person other than the personal data subject himself/herself to make a request, there must be a special power of attorney issued by the personal data subject on behalf of the person who will make the application regarding the subject.
- In the application they will make to exercise their rights, personal data subjects will fill out the “Application Form Regarding Applications to be Made to the Data Controller by the Relevant Person (Personal Data Subject) Pursuant to the Personal Data Protection Law No. 6698” linked above. The method of the application to be made is also explained in detail in this form. The application form for personal data can be downloaded from www.sada.com.tr.
Cases Where the Personal Data Subject Cannot Assert His/Her Rights
Since the following cases are kept outside the scope of the KVK Law pursuant to Article 28 of the KVK Law, personal data subjects cannot assert their rights mentioned above in these matters:
- Processing of personal data for purposes such as research, planning and statistics by being made anonymous with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to Article 28/2 of the KVK Law; personal data subjects cannot assert their other rights listed above, except for the right to request compensation for the damage, in the following cases:
- The processing of personal data is necessary for the prevention of crime or for crime investigation.
- Processing of personal data made public by the personal data subject himself/herself.
- The processing of personal data is necessary for the execution of inspection or regulation duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.
8. PERSONS TO WHOM DATA SHARING CAN BE MADE
SADA UZMANLIK FUARLARI TİC. A.Ş. may, in cases it deems necessary and within the framework of the laws, share personal data with and transfer data to the natural or legal persons specified below.
Persons to Whom Data Transfer Can Be Made
Business Partner
- Definition: The parties with whom our Company has established a business partnership for purposes such as the sale, promotion and marketing of our Company’s products and services, after-sales support, and the execution of joint customer loyalty programs while conducting our Company’s commercial activities.
- Data Transfer Purpose: Limited to ensuring the fulfillment of the purposes for establishing the business partnership.
Supplier
- Definition: The parties that provide services to our Company on a contract basis in accordance with the orders and instructions of our Company while conducting our Company’s commercial activities.
- Data Transfer Purpose: Limited to ensuring that the outsourced services which our Company procures from the supplier, and which are necessary to fulfill the commercial activities of our Company, are provided to our Company.
Legally Authorized Public Institutions and Organizations
- Definition: Public institutions and organizations authorized to receive information and documents from our Company according to the relevant legislation provisions.
- Data Transfer Purpose: Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Law Persons
- Definition: Private law persons authorized to receive information and documents from our Company according to the relevant legislation provisions.
- Data Transfer Purpose: Limited to the purpose requested by the relevant private law persons within their legal authority.
TRANSFER OF PERSONAL DATA
Our Company may transfer the personal data and special categories of personal data of the personal data subject to third parties (third party companies, group companies, third natural persons) by taking necessary security measures in line with the lawful personal data processing purposes. Accordingly, our Company acts in accordance with the regulations provided for in Article 8 of the KVK Law.
Transfer of Personal Data
Our Company may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below, in line with legitimate and lawful personal data processing purposes:
- If there is explicit consent of the personal data subject,
- If there is an explicit regulation in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to express his/her consent due to actual impossibility or if his/her consent is not recognized as legally valid,
- If it is necessary to transfer the personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,
- If personal data transfer is mandatory for our Company to fulfill its legal obligation,
- If personal data have been made public by the personal data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
Transfer of Special Categories of Personal Data
By showing necessary care, taking necessary security measures and taking adequate precautions provided for by the KVK Board, our Company may transfer the special categories of data of the personal data subject to third parties in the following cases, in line with legitimate and lawful personal data processing purposes:
- If there is explicit consent of the personal data subject, or
- If there is no explicit consent of the personal data subject,
- Special categories of personal data other than the health and sexual life of the personal data subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership to associations, foundations or trade unions, data regarding criminal convictions and security measures, and biometric and genetic data), in cases provided for in the laws,
- Special categories of personal data regarding the health and sexual life of the personal data subject, only by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
TRANSFER OF PERSONAL DATA ABROAD
Our Company may transfer the personal data and special categories of personal data of the personal data subject to third parties by taking necessary security measures in line with lawful personal data processing purposes. Our Company transfers personal data to foreign countries declared by the KVK Board to have adequate protection (“Foreign Country with Adequate Protection”) or, in case of lack of adequate protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the permission of the KVK Board exists (“Foreign Country Where Data Controller Undertaking Adequate Protection is Located”). Accordingly, our Company acts in accordance with the regulations provided for in Article 9 of the KVK Law.
Transfer of Personal Data Abroad
Our Company may transfer personal data to Foreign Countries with Adequate Protection or Foreign Countries Where Data Controller Undertaking Adequate Protection is Located, in line with legitimate and lawful personal data processing purposes, if there is explicit consent of the personal data subject or, where there is no explicit consent of the personal data subject, if one of the following cases exists:
- If there is an explicit regulation in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to express his/her consent due to actual impossibility or if his/her consent is not recognized as legally valid,
- If it is necessary to transfer the personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,
- If personal data transfer is mandatory for our Company to fulfill its legal obligation,
- If personal data have been made public by the personal data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
Transfer of Special Categories of Personal Data Abroad
By showing necessary care, taking necessary security measures and taking adequate precautions provided for by the KVK Board, our Company may transfer the special categories of data of the personal data subject to Foreign Countries with Adequate Protection or Foreign Countries Where Data Controller Undertaking Adequate Protection is Located in the following cases, in line with legitimate and lawful personal data processing purposes:
- If there is explicit consent of the personal data subject, or
- If there is no explicit consent of the personal data subject;
- Special categories of personal data other than the health and sexual life of the personal data subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership to associations, foundations or trade unions, data regarding criminal convictions and security measures, and biometric and genetic data), in cases provided for in the laws,
- Special categories of personal data regarding the health and sexual life of the personal data subject, within the scope of processing by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
9. OTHER MATTERS
In case of inconsistency between the KVKK and other relevant legislation provisions and this Policy, the KVKK and other relevant legislation provisions shall primarily apply. This Policy entered into force on 15/09/2018. In case of changes in the Policy, the effective date of the Policy and the relevant articles will be updated accordingly.