EN TR lang
EN TR lang

We use cookies to improve your experience on our website and enhance our services. For more information, please review our Cookie Policy.

Accept

Protection of Personal Data (KVKK) Policy

CCN Holding KVKK Policies

Ccn Yatırım Holding Anonim Şirketi Policy On The Protection And Processing Of Personal Data

Contents

INTRODUCTION
PURPOSE OF THE POLICY
SCOPE OF THE POLICY
DEFINITIONS

I. PROCESSING AND TRANSFER OF PERSONAL DATA

5. General Principles for the Processing of Personal Data
6. Conditions for Processing General Personal Data
7. Conditions for Processing Special Categories of Personal Data
8. Conditions for the Transfer of Personal Data

4.1. Domestic Transfer of General Personal Data
4.2. Conditions for the Domestic Transfer of Special Categories of Personal Data;

II. INFORMATION OBLIGATION REGARDING THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT UNDER THE LAW

9. Informing the Data Subject
10. Rights of the Data Subject Under the Law

III. CONDITIONS IN WHICH THE POLICY AND THE LAW ARE NOT FULLY OR PARTIALLY APPLICABLE


1. INTRODUCTION

For CCN Hastane Hizmetleri ve İşletme Anonim Şirketi (hereinafter referred to as the “Company”), the protection of personal data is of great importance.

Utmost care and diligence is exercised in protecting the personal data of our partners, customers, employees, employee candidates, Company officials, employees of our subsidiaries and affiliates, employees of other companies we work with, shareholders, authorized persons, visitors, and third parties.

As recognized under Article 20 of the Turkish Constitution, every individual is entitled to request the protection of their personal data.

This right also encompasses being informed about one’s personal data, accessing such data, requesting their rectification or deletion, and learning whether they are used in line with their intended purposes.

Personal data may be processed only in cases prescribed by law or with the explicit consent of the data subject.

It is adopted as a corporate policy to protect and promote the constitutional right to the “Protection of Personal Data” for all parties whose personal data we process in line with the Company’s activities or operational requirements.

This Policy sets out the principles adopted by the Company regarding the processing and protection of personal data.

 
2. PURPOSE OF THE POLICY

This Policy has been prepared to ensure that all Company activities concerning the processing and protection of personal data are carried out in compliance with Law No. 6698 on the Protection of Personal Data (hereinafter referred to as “KVKK” or the “Law”), the decisions of the Personal Data Protection Board, and the relevant secondary legislation.

The Company also aims to inform data subjects, in the most transparent manner, about the activities carried out and the measures taken to ensure the processing and security of personal data, as well as the Company’s principles in this regard.

 
3. SCOPE OF THE POLICY

This Policy covers all forms of processing carried out on the personal data of data subjects—such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use—whether by fully or partially automated means or by non-automated means provided that they form part of any data recording system, as well as the administrative and technical measures taken to ensure the security of personal data.

 
4. DEFINITIONS

The following terms used in this Policy refer to:

a. Explicit consent: Refers to consent that is specific to a particular matter, informed, and freely given;
b. Anonymization: Refers to rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data;
c. Data subject: Refers to the natural person whose personal data is processed;
d. Relevant user: Refers to persons who process personal data within the data controller’s organization or in line with the authorization and instructions received from the data controller, excluding those who are technically responsible for storing, protecting, and backing up the data;
e. Destruction: Refers to the deletion, destruction, or anonymization of personal data;
f. The Law: Refers to the Law on the Protection of Personal Data No. 6698, dated March 24, 2016;
g. Personal data: Refers to any information relating to an identified or identifiable natural person;
h. Processing of personal data: Refers to all forms of processing carried out on personal data—such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use—whether by fully or partially automated means or by non-automated means provided that they form part of any data recording system;
i. Personal data processing inventory: Refers to the inventory created by data controllers by associating their personal data processing activities carried out in connection with their business processes with the purposes of processing, data categories, recipient groups to whom the data is transferred, and categories of data subjects, and which details the maximum retention periods required for the purposes for which the personal data is processed, the personal data envisaged to be transferred abroad, and the measures taken regarding data security;
j. Personal data retention and destruction policy: Refers to the policy that data controllers rely on when determining the maximum retention period required for the purposes for which personal data is processed, as well as for carrying out deletion, destruction, and anonymization processes;
k. Board: Refers to the Personal Data Protection Board;
l. Authority: Refers to the Personal Data Protection Authority;
m. Periodic destruction: Refers to the ex officio deletion, destruction, or anonymization of personal data, carried out at recurring intervals specified in the personal data retention and destruction policy, when all conditions for processing personal data under the Law no longer exist;
n. Registry: Refers to the data controllers’ registry maintained by the Personal Data Protection Authority;
o. Data processor: Refers to the natural or legal person that processes personal data on behalf of the data controller based on the authority granted by the data controller;
p. Data recording system: Refers to the recording system in which personal data is processed by being structured according to specific criteria;
q. Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system;
r. Expression.

 
I. PROCESSING AND TRANSFER OF PERSONAL DATA

1. General Principles for the Processing of Personal Data
Personal data is processed by the Company in accordance with the procedures and principles set out in the Law and in this Policy. The Company acts in compliance with the following principles set out in Article 4 of the Law in processing personal data.

a. Compliance With Applicable Law and Good Faith Principles
The Company processes personal data in compliance with the applicable legislation and the requirements of the principle of good faith and uses such data within these limits. In this regard, the Company takes into account the data subject’s interests and reasonable expectations when processing personal data and ensures that such processing is carried out transparently for the data subject.

b. Accuracy and, Where Necessary, Keeping Personal Data Up to Date
The Company ensures that the personal data it processes is accurate and up to date, taking into consideration the fundamental rights and legitimate interests of the personal data subjects.

In this context, it carefully considers matters such as ensuring that the sources from which the data is obtained are identifiable, verifying the accuracy of the data, and assessing whether updates are necessary. The Company keeps channels open to ensure that the data subject’s information remains accurate and up to date.

c. Processing for Specific, Explicit, and Legitimate Purposes
The Company processes personal data for legitimate purposes and shares the clearly and explicitly defined purpose of processing with the data subjects. A legitimate purpose means that the personal data processed by the Company must be connected with and necessary for the work it performs or the services it provides. In the notices provided to data subjects and in the explicit consents obtained, the purposes for which the data collected from data subjects will be processed are clearly and explicitly stated.

d. Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
The Company ensures that the personal data it processes is suitable for achieving the identified purposes and that personal data which is not related to or not needed for the fulfillment of such purposes is not processed. In this context, the Company does not engage in data processing to meet potential future needs that may arise later.

e. Retention for the Period Prescribed in the Applicable Legislation or Required for the Purpose for Which They Are Processed
If a retention period is prescribed in the relevant applicable legislation, the Company complies with such period; otherwise, personal data is retained only for the duration necessary for the purpose for which it is processed. The retention period of personal data varies depending on the work or service carried out by the Company and the nature of the data collected. If all conditions for processing certain personal data cease to exist, the relevant data is destroyed by the Company during the first six-month periodic destruction cycle following the date on which the obligation to destroy the data arises.

 
2. Conditions for Processing General Personal Data

As a rule, the Company does not process personal data without the explicit consent of the data subject. However, where any of the conditions set out in Article 5/2 of the Law is met, personal data may be processed without the explicit consent of the data subject.

a. Explicitly Provided for under Applicable Laws
The Company may process the personal data of data subjects without their explicit consent in cases expressly provided for under applicable laws. For example, the processing of our employees’ personal data pursuant to the Labor Law and the applicable legislation falls within this scope.

b. Absolutely Required to Protect the Life or Physical Integrity of the Data Subject or Another Person, Where the Data Subject Is Unable to Express Their Consent Due to Actual Impossibility or Their Consent Is Not Deemed Legally Valid
In cases where the data subject is unable to express their consent due to actual impossibility or where the expressed consent is not legally valid, personal data may be processed without explicit consent for the protection of the life or physical integrity of the data subject or another person.

For example, where the data subject is unconscious or where their consent is not legally valid due to a mental illness, their personal data may be processed during a medical intervention aimed at protecting their life or physical integrity. In this context, the processing of personal data through a phone, computer, or other technical device carried by an individual whose liberty has been restricted for the purpose of determining their location is not subject to the data subject’s explicit consent.

c. Processing of the Personal Data of the Contractual Parties Is Required, Provided That Such Processing Is Directly Related to the Establishment or Performance of a Contract
The Company may process personal data in connection with the establishment or performance of a contract. For example, the creditor’s account number may be obtained for the payment to be made under a concluded contract.

d. Required for the Company to Fulfill Its Legal Obligations
Where the processing of personal data is necessary for the Company to fulfill its legal obligations, the required personal data may be processed by the Company without the explicit consent of the data subjects. For example, during a tax audit, information relating to our employees or customers may be made available for review by the relevant public officials.

e. Personal Data Made Public by the Data Subject
Personal data that has been made public by the data subject—meaning disclosed to the public in any manner and thereby rendered accessible to everyone—may be processed by the Company on the basis that the legal interest requiring protection for such personal data has ceased to exist.

f. Processing of Personal Data Is Required for the Establishment, Exercise, or Protection of a Right
Where the processing of personal data is required for the exercise or protection of a lawfully legitimate right, the Company may process the personal data of data subjects without seeking explicit consent.

g. Processing of Personal Data Is Required for the Legitimate Interests of the Company, Provided That Such Processing Does Not Harm the Fundamental Rights and Freedoms of the Data Subject
The Company may process the personal data of data subjects where it is necessary for the Company’s legitimate interests, provided that such processing does not harm the fundamental rights and freedoms of the data subjects protected under the Law and this Policy. The Company exercises due care to comply with the fundamental principles of personal data protection and to maintain the balance of interests between the Company and the data subjects.

h. Explicit Consent of the Data Subject Has Been Obtained
Obtaining explicit consent of the data subject for the processing of personal data is a priority for the Company. Accordingly, the necessary methods have been developed to obtain the explicit consent of data subjects whose personal data we process, both in physical and electronic form.

Before obtaining data subjects’ consent for the processing of their personal data, the obligation to inform the data subject under Article 10 of the Law is fulfilled, and explicit consent—specific to a particular matter, informed, and freely given—is obtained from the data subjects.

 
3. Conditions for Processing Special Categories of Personal Data

Certain categories of personal data have been given special importance under the Law, as they carry a potential risk of discrimination and may cause harm to individuals if processed unlawfully; these data are referred to as “special categories of personal data.”

The types of data considered special categories of personal data are specified in Article 6 of the Law. Accordingly, data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are defined as special categories of personal data.

The Company exercises particular care in processing these “special categories of personal data,” to which the Law attributes particular importance. Employees involved in the processing of special categories of personal data receive training on the Law, the relevant regulations, and the security of such data; they are required to sign confidentiality agreements; access authorizations are restricted; and the permissions of employees who change roles or leave the Company are promptly revoked.

All actions performed in electronic media where special categories of personal data are stored are securely logged, security updates for such media are continuously monitored, and the necessary security tests are conducted regularly, with the test results recorded. Adequate security measures are taken in the physical environments where special categories of personal data are stored, and unauthorized access to such environments is prevented.

Obtaining the explicit consent of data subjects for the processing of such data is a priority for our Cooperative. In the absence of the data subject’s explicit consent, special categories of personal data may be processed by the Cooperative only in the exceptional circumstances set out in the Law:

Personal data other than those relating to health and sexual life may be processed without the explicit consent of the data subject in cases prescribed by applicable laws.

Personal data concerning health and sexual life may be processed without the explicit consent of the data subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of healthcare services and their financing, and only by persons under a duty of confidentiality or by authorized institutions and organizations.

 
4. Conditions for the Transfer of Personal Data

4.1. Domestic Transfer of General Personal Data

The Company may transfer personal data and Special Categories of Personal Data to third parties in accordance with the Law by establishing the necessary confidentiality conditions and taking the required security measures in line with its purposes for processing personal data. The Company complies with the regulations set forth in the Law during the transfer of personal data.

Within this scope, the Company may transfer personal data to third parties, based on one or more of the personal data processing conditions set out in Article 5 of the Law, limited to and in line with its legitimate and lawful personal data processing purposes:

• If the explicit consent of the data subject is obtained;
• Explicitly provided for under applicable laws;
• If there is an explicit provision in the laws regarding the transfer of personal data;
• If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to express their consent due to actual impossibility or their consent is not deemed legally valid;
• If the transfer of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
• If the transfer of personal data is required for the establishment, exercise, or protection of a right; and
• If the transfer of personal data is required for the legitimate interests of the Company, provided that such transfer does not harm the fundamental rights and freedoms of the data subject.

4.2. Conditions for the Domestic Transfer of Special Categories of Personal Data

The Company may transfer special categories of personal data of data subjects to third parties in line with the principles adopted for the processing of personal data.

For the transfer of special categories of personal data to third parties, due care is exercised to obtain the explicit consent of the data subject, and such data is transferred domestically with adequate technical and organizational measures in place. However, in the presence of the circumstances set out below, special categories of personal data may also be transferred without the explicit consent of the data subject, provided that adequate technical and organizational measures are taken:

• Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or trade union membership, criminal convictions and security measures, as well as biometric and genetic data, may be transferred in cases prescribed by law;
• Personal data concerning health and sexual life may be transferred only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of healthcare services and their financing, and only to/by persons under a duty of confidentiality or by authorized institutions and organizations.

 
Conditions for the Transfer of General Personal Data Abroad

• The Company may transfer personal data and special categories of personal data of data subjects to third parties abroad by taking the necessary security measures in line with its personal data processing purposes. If the transfer of personal data is required for the Company to fulfill its legal obligations;
• If the personal data have been made public by the data subject;
• If the transfer of personal data is required for the establishment, exercise, or protection of a right;

Personal data may be transferred by the Company to foreign countries that are declared by the Board, in accordance with Article 9 of the Law, to provide adequate protection, or—where adequate protection is lacking—to foreign countries where the data controllers in Türkiye and the relevant foreign country provide a written undertaking of adequate protection and obtain the Board’s authorization thereof.

The Company may transfer the personal data of data subjects abroad in line with the principles adopted for the processing of personal data.

Where the country to which the personal data will be transferred provides adequate protection, or where the data controller receiving the data provides a written undertaking of sufficient protection and authorization is obtained from the Personal Data Protection Board, personal data may be transferred abroad without the explicit consent of the data subject, provided that one of the following conditions is met:

• Explicitly provided for under applicable laws;
• Absolutely required to protect the life or physical integrity of the data subject or another person, where the data subject is unable to express their consent due to actual impossibility or their consent is not deemed legally valid;
• Processing of the personal data of the contractual parties is required, provided that such processing is directly related to the establishment or performance of a contract;
• Required for the data controller to fulfill its legal obligations;
• Personal data has been made public by the data subject;
• Processing of personal data is required for the establishment, exercise, or protection of a right;
• Processing of personal data is required for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject.

 
Conditions for the Transfer of Special Categories of Personal Data Abroad

The Company may transfer the personal data of data subjects abroad in line with the principles adopted for the processing of personal data.

Where the country to which the personal data will be transferred provides adequate protection, or where the data controller receiving the data provides a written undertaking of sufficient protection and authorization is obtained from the Personal Data Protection Board, personal data may be transferred abroad without the explicit consent of the data subject, provided that one of the following conditions is met:

• Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or trade union membership, criminal convictions and security measures, as well as biometric and genetic data, may be transferred in cases prescribed by law;
• Personal data concerning health and sexual life may be transferred only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of healthcare services and their financing, and only to/by persons under a duty of confidentiality or by authorized institutions and organizations.

 
DATA RELATING TO INTERNET ACCESS PROVIDED IN BUILDINGS AND FACILITIES

Internet access is provided to employees and guests within the Company’s buildings and facilities. The first name, last name, phone number, Republic of Türkiye identification number, and the websites and access timestamps of employees and guests who wish to use the internet are retained as a legal obligation pursuant to Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications, and the Regulation on Internet Collective Use Providers issued under this Law.

The retained records may be shared with legally authorized institutions and organizations, where requested, for the fulfillment of statutory obligations.

 
Monitoring of Buildings and Facilities by Security Cameras

The Company conducts camera monitoring activities in compliance with the Law on Private Security Services and the applicable legislation. Personal data recorded through security cameras are processed solely for security purposes, in compliance with the personal data processing principles and conditions set forth in the Law.

Due care is taken not to violate fundamental rights and freedoms or the privacy of individuals, ensuring a balance between safeguarding Company security and legitimate interests and protecting the rights of the data subjects.

Accordingly, the placement, number, and retention period of security cameras are planned to be sufficient to ensure security. No camera monitoring is conducted in areas that may constitute a violation of the right to privacy.

In visible areas within the Company’s buildings and facilities, notices are posted stating that 24/7 camera monitoring is conducted and images are recorded, thereby informing data subjects about the data processing activity.

The Company implements the necessary organizational and technical measures to ensure the security of personal data recorded by security cameras. Access to the recorded footage is limited to a restricted number of Company employees.

 
Visitor Entry to the Company’s Buildings and Facilities

For security purposes, the Company processes data to monitor visitor entry and exit at its buildings and facilities. Within this scope, visitors’ personal data—such as their first and last name and vehicle license plate information—may be retained for a limited period to ensure building and facility security and may be used solely for this purpose.

Pursuant to Article 10 of the Law, the Company, in its capacity as data controller, fulfills its information obligation and informs data subjects accordingly. In visible areas within the buildings and facilities, notices are posted stating that visitors’ personal data are processed for security purposes, thereby informing data subjects about the data processing activity.

 
PERSONAL DATA OF WEBSITE VISITORS

On some of the Company’s websites, information on visitors may be recorded through technical means (such as cookies) or through data shared by the visitor during the registration process.

On the Company’s websites, a “Privacy Notice on the Protection and Processing of Personal Data” has been published pursuant to Article 10 of the Law, informing visitors of how and for what purpose their personal data are obtained.

 
II. INFORMATION OBLIGATION REGARDING THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT UNDER THE LAW

1. Informing the Data Subject

The Company duly informs data subjects—the relevant individuals whose personal data are processed—at the time of collection, in accordance with Article 10 of the Law and the provisions of the Communiqué on the Procedures and Principles for the Fulfillment of the Obligation to Inform, published in the Official Gazette on March 10, 2018.

For detailed information on the processing of personal data, you may review the Privacy Notice available at “www.ccnholding.com”.

Within this scope, as noted above, the Company provides information—where applicable—on the identity of the Company representative, the purposes for which personal data will be processed, the recipients and purposes of any data transfers, the method and legal basis for collecting personal data, and the rights of the data subject.

2. Rights of the Data Subject Under the Law

The Company informs you of your rights under Article 11 of the Law and the provisions of the Communiqué on the Procedures and Principles of Application to the Data Controller, published in the Official Gazette on March 10, 2018; provides guidance on how to exercise these rights; and takes the necessary internal, administrative/organizational, and technical measures in this regard.

Pursuant to Article 11 of the Law, the Company informs data subjects that they are entitled to:

• learn whether their personal data is being processed;
• request information if their personal data has been processed;
• learn the purpose for which their personal data is processed and whether it is used in accordance with that purpose;
• know the third parties to whom your personal data is transferred, whether domestically or abroad;
• request the rectification of their personal data if it is incomplete or inaccurately processed;
• request the deletion or destruction of their personal data within the framework of the conditions set out in Article 7 of the Law;
• request the notification of the actions taken pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data have been transferred;
• object to any outcome to their detriment arising from the analysis of their processed data exclusively through automated systems; and
• request compensation for damages in the event they suffer harm due to the unlawful processing of their personal data.

Data subjects may submit their requests under the Law by using the Personal Data Protection Law Data Subject Application Form available at www.ccnholding.com, through the methods specified in the application form.

Pursuant to Article 13/2 of the Law, the Company finalizes requests submitted to it, free of charge, as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the relevant process requires an additional cost, a fee may be charged in accordance with the tariff set by the Board.

The Company may accept or reject your request by providing its reasoning, and will notify its response in writing or electronically. If your application is rejected, if you find the response inadequate, or if no response is provided within the prescribed period, you have the right to file a complaint with the Board within thirty (30) days from the date you become aware of the response, and in any case within sixty (60) days from the date of your application.

 
SECURITY OF PERSONAL DATA

The Company takes all necessary technical and organizational measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure their preservation.

Within this scope, the Company conducted an initial review to identify the personal data it processes, taking into account whether special categories of personal data are involved; the potential risks to the protection of such data were identified, and the necessary technical and organizational measures were implemented to mitigate or eliminate those risks.

To ensure the security of personal data, and to prevent their unlawful disclosure, sharing, or transfer while raising awareness of the Law, regular trainings are provided to employees and managers.

In addition, employees involved in personal data processing activities are required to sign confidentiality agreements as part of their job processes, and where employees are found to act in breach of security/privacy policies and procedures, the necessary disciplinary process is carried out.

Access to personal data involved in processing activities has been restricted on a personnel basis, and only a limited number of employees have been granted access authorization to personal data relevant to their job processes. Data processing activities carried out by personnel are logged. Throughout the Company, careful adherence is paid to the principle of “Everything is Prohibited Unless Explicitly Authorized” with respect to access to personal data.

To prevent the unlawful processing of personal data and unlawful access to such data, technical systems have been established to monitor and audit personal data processing activities. Regular internal audits are conducted to prevent the unlawful processing of personal data and unlawful access to such data.

To prevent unlawful access to personal data and ensure their storage in secure media, technical methods with an appropriate level of security are employed, and such methods are updated in line with state-of-the-art developments.

In the event of an internal or external attack on the Company’s data recording system, the IT network is regularly monitored to detect early signs and enable timely intervention by checking which software and services are running and whether there is any intrusion or anomalous activity, and all user activity logs are maintained on a regular basis.

 
DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Pursuant to Article 7 of the Law, the Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject when the reasons requiring their processing cease to exist or when the period prescribed under the applicable legislation expires, even if the data have been processed in compliance with the applicable laws.

Personal data maintained in physical media are deleted, destroyed, or anonymized ex officio or upon the request of the data subject when the purpose of processing is fulfilled or when the period prescribed under the applicable legislation expires.

Personal data recorded in digital data systems are deleted, destroyed, or anonymized ex officio or upon the request of the data subject when the purpose of processing is fulfilled or when the period prescribed under the applicable legislation expires.

For personal data that have been anonymized pursuant to the Law, the provisions of the Law shall not be applicable. Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any manner whatsoever, even when matched with other data.

Personal data may be anonymized ex officio or upon the request of the data subject when the reasons requiring their processing cease to exist or when the period prescribed under the applicable legislation expires.

Anonymized personal data may be used for purposes such as research, statistics, and planning, may be retained indefinitely, and may be transferred domestically or abroad.

A “Personal Data Retention and Destruction Policy” has been prepared regarding the disposal of personal data and published on the Company’s website.

 
III. CONDITIONS IN WHICH THE POLICY AND THE LAW ARE NOT FULLY OR PARTIALLY APPLICABLE

Pursuant to Article 28/1 of the Law, this Policy and the provisions of the Law shall not apply in the following cases:

• The processing of personal data by natural persons within the scope of activities related solely to themselves or their family members living in the same household, provided that such data are not disclosed to third parties and the obligations regarding data security are complied with.
• The processing of personal data for official statistics or, by anonymizing them, for purposes such as research, planning, and statistics.
• The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, and does not constitute a criminal offense.
• The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations that are authorized under the applicable laws to ensure national defense, national security, public security, public order, or economic security.
• The processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution procedures.

Provided that it is consistent with the purpose and fundamental principles of this Policy and the Law and remains proportionate, Articles 10 on the information obligation of the data controller, 11 on the rights of the data subject (except for the right to claim compensation), and 16 on the obligation to register with the Data Controllers’ Registry shall not apply in the following cases pursuant to Article 28/2 of the Law:

• Where the processing of personal data is necessary for the prevention of crime or for criminal investigation.
• The processing of personal data that have been made public by the data subject.
• Where the processing of personal data is necessary for the performance of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organizations, or professional bodies having the status of public institutions, based on the authority granted by applicable law.
• Where the processing of personal data is necessary to safeguard the State’s economic and financial interests in matters relating to budget, taxation, and financial affairs.