Purpose
The purpose of this policy is to:
Define the methods adopted by POLEN TURİZM YATIRIMLARI A.Ş. (the Company) to ensure compliance with the Personal Data Protection Law No. 6698 (KVKK) in all activities carried out by the Company, particularly regarding personal data processing activities and personal data protection,
Provide transparency by informing all individuals whose personal data is processed by the Company, including but not limited to the Company’s administrative authorities, personnel, customers, job applicants, suppliers, visitors, employees of affiliated institutions and third parties, about the principles and systems established by the Company for personal data protection.
Scope
All personal data processed by the Company, automatically or through non-automatic means as part of any data recording system in the Company’s processes, including but not limited to the Company’s administrative authorities, personnel, customers, job applicants, suppliers, visitors, employees of affiliated institutions and third parties.
Authority and Responsibilities
All employees, external service providers and any other parties storing and processing personal data within the Company are responsible for fulfilling the requirements stipulated by the Law, Regulations and this Policy concerning data destruction.
Each department is responsible for keeping and protecting the data it generates within its business processes.
Decisions related to data destruction that may affect business processes, compromise data integrity, cause data loss or result in non-compliance with legal regulations will be made by the relevant manager and their designated team, taking into account the type of personal data, the systems involved and the department responsible for processing the data.
The responsibility for receiving and responding to notifications or correspondence with the Personal Data Protection Authority on behalf of the data controller, including registry-related processes, lies with the designated contact person for the data controller.
Definitions and Abbreviations
Company: POLEN TURİZM YATIRIMLARI A.Ş.
Explicit Consent: Consent given freely, based on information, and concerning a specific matter.
Relevant/Authorised User: Individuals who process personal data within the organisation of the data controller or under its authority and instructions, excluding those responsible for the technical storage, protection, and backup of the data.
Destruction: The deletion, destruction, or anonymization of personal data.
Law: The Personal Data Protection Law No. 6698.
Recording Medium: Any medium where personal data is processed, either fully or partially automatically or non-automatically as part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, whether fully or partially automated or non-automated as part of a data recording system.
Anonymization of Personal Data: Rendering personal data incapable of being associated with an identified or identifiable natural person, even when combined with other data.
Deletion of Personal Data: Rendering personal data inaccessible and unusable for authorised users.
Destruction of Personal Data: Rendering personal data inaccessible, irretrievable and unusable by anyone.
Board: The Personal Data Protection Board.
Special Categories of Personal Data: Data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs; appearance, clothing; association, foundation, or union membership; health; sexual life; criminal convictions and security measures; as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization of personal data carried out at recurring intervals as specified in the data retention and destruction policy, in cases where all conditions for processing personal data stipulated by the Law no longer apply.
Data Owner/Relevant Person: The natural person whose personal data is processed.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by it.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
Personal Data Protection and Processing Policy
The Company clearly defines the measures and processes implemented for the protection and processing of personal data through this policy. In cases where this policy conflicts with applicable laws and regulations or becomes outdated due to updated legislation, the Company commits to adhering to the current laws and regulations. This policy is updated in accordance with changes in laws, regulations and legal frameworks.
5.1.1. Ensuring the Security of Personal Data
The Company takes all necessary technical and administrative measures to ensure an appropriate level of security for the protection of personal data.
These measures align with the requirements of Article 12, Paragraph 1 of the Personal Data Protection Law (KVKK), which include:
Preventing the unlawful processing of personal data,
Preventing unlawful access to personal data,
Ensuring the preservation of personal data.
The measures implemented by the Company to ensure the security of personal data are detailed below.
5.1.2. Administrative Measures
The Company employs knowledgeable and experienced personnel to ensure data security and provides training to employees on information security awareness and the protection of personal data.
To protect personal data, the Company implements administrative measures and monitors employee compliance with them. Access and authorisation levels are defined in line with the legal compliance requirements established for each business unit, without disrupting business processes. Rules and access rights governing access to personal data are established for employees working in information technology departments.

Employees are informed that, in accordance with the KVKK, personal data they learn of during their duties may not be disclosed to others or used for purposes outside their job functions. This obligation continues after employment ends, and employees are required to sign the necessary commitments to this effect.

For the sharing of personal data with third parties, the Company ensures data security either by signing framework agreements with those parties or by including provisions in contracts requiring compliance with data security measures. Third parties with whom personal data is shared must commit to taking the necessary security measures to protect personal data and to ensuring compliance with those measures within their own organisations.

If it is determined that personal data has been obtained unlawfully by others despite the precautions taken, the contact person for the data controller informs the relevant parties and the Personal Data Protection Board (KVK Board). The method by which the data was unlawfully accessed is investigated, and the Company applies the necessary administrative measures to address the identified vulnerabilities and, where required, technical measures as well.
5.1.3. Technical Measures
The Company conducts internal controls for the systems it establishes. These controls include processes such as risk analysis, data classification, information security risk assessment and business impact analysis. Based on these processes, technical measures are implemented in line with advancements in technology and infrastructure investments are made accordingly.
The Company installs security software and hardware, such as antivirus systems and firewalls, and keeps them updated so that they address known vulnerabilities. The access rights of information technology staff to personal data are monitored and kept under control.
Physical areas where personal data is stored are secured against theft and loss. Similarly, environments containing personal data are protected against external risks (e.g., fire, flood, earthquake) using appropriate measures. Entry and exit to these environments are recorded and monitored. Servers containing personal data are stored in the Company’s system room, where physical security measures have been implemented.
Passwords used to access systems, applications, databases, and other areas containing personal data must meet complexity requirements, and the systems enforce the use of such passwords.
Access and authorisation definitions are made in accordance with the legal compliance requirements established for each business unit. The suitability of access rights with authorisations is regularly monitored. Information obtained through system security checks is reported to relevant parties.
Points that pose a risk are identified and the necessary technical measures are implemented. The Company fosters awareness so that technical measures for personal data security remain continuously operational and become part of the organisational culture. The sustainability of the measures is maintained through ongoing checks and controls.
5.1.4. Audits for the Sustainability of Personal Data Protection
In compliance with Article 12 of the Personal Data Protection Law (KVKK), the Company conducts and commissions necessary audits.
Penetration tests are regularly performed on systems to identify potential technical vulnerabilities. Systems are routinely monitored by the IT department, and log records are reviewed to ensure protection against cyberattacks. Findings identified through management system audits, alerts generated by monitoring systems, and system observations are addressed with appropriate technical and administrative measures.
5.1.5. Measures Taken in Case of Unauthorised Disclosure of Personal Data
In compliance with Article 12 of the Personal Data Protection Law (KVKK), the Company informs the data owner and the Personal Data Protection Board (KVK Board) if personal data is disclosed without authorisation.
If deemed necessary by the KVK Board, this incident may be announced on the KVK Board’s website or through another method.
5.1.6. Measures to Ensure Third Parties Protect Personal Data
The Company includes provisions in contracts with third parties to prevent the unlawful processing, unauthorised access and improper retention of personal data. Before sharing information with third parties, confidentiality agreements are signed. The Company also provides necessary information to third parties to raise awareness about data protection.
5.1.7. Measures to Protect Special Categories of Personal Data
Special categories of personal data require heightened protection because their unlawful processing can cause victimisation or discrimination; Article 6 of the Personal Data Protection Law identifies these categories for this reason.
These data categories include information about race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs; appearance, clothing; association, foundation, or union membership; health; sexual life; criminal convictions and security measures; and biometric and genetic data.
The Company takes the necessary precautions to protect special categories of personal data in compliance with the KVKK. Additional care is exercised in technical and administrative measures for these data categories.
The Company processes special categories of personal data in accordance with the adequate precautions determined by the KVK Board. Before processing such data, the explicit consent of the data owner is obtained. In the absence of explicit consent, special categories of personal data may only be processed under the following conditions permitted by law:
Special categories of personal data other than health and sexual life may be processed in cases explicitly stipulated by law.
Special categories of personal data related to health and sexual life may only be processed for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing, and only by persons under a confidentiality obligation or by authorised institutions and organisations.
5.1.8. Raising Awareness for the Protection of Personal Data
To prevent the unlawful processing and access of personal data and ensure its preservation, the Company provides necessary information to business units, organises training sessions, and evaluates their effectiveness. The “Personal Data Protection and Processing Policy” is published on the Company’s website, and employees are informed about the policy.
In the event of changes to relevant laws, regulations or legislation, policies are revised and re-communicated to employees.
5.2. Principles for the Processing of Personal Data
Article 4, Paragraph 2 of the Personal Data Protection Law (KVKK) sets forth the principles for processing personal data. The Company processes personal data in accordance with these principles:
Processing must comply with the law and rules of good faith.
Personal data must be accurate and, when necessary, kept up-to-date.
Processing must be for specified, explicit, and lawful purposes.
Processing must be relevant, limited, and proportionate to the purposes for which the data is processed.
Personal data must be retained for the duration required by relevant legislation or for the purpose for which it was processed.
5.3. Conditions for Processing Personal Data
The Company processes a significant portion of its personal data in order to fulfil legal obligations. According to Article 5/2 of the Personal Data Protection Law, personal data may be processed without explicit consent under the following conditions:
If the processing is clearly provided for by the law.
If the data owner cannot express consent due to physical impossibility, or consent lacks legal validity, and the processing is necessary to protect their life or physical integrity or that of another person.
If processing is necessary for the establishment or performance of a contract to which the data owner is a party.
If processing is necessary for the data controller to fulfil a legal obligation.
If the data owner has made their personal data public.
If processing is necessary for the establishment, exercise, or protection of a legal right.
If processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data owner.
For situations outside these conditions, the Company processes personal data only after obtaining the explicit consent of the data owner.
5.4. Destruction of Personal Data
The Company destroys personal data it has obtained when the data is no longer required to be retained due to legal obligations, or upon the request of the data owner. Personal data is destroyed when the need for it, whether for providing services, fulfilling legal obligations, or planning employee rights and benefits, no longer exists, based on a decision by the Company.
5.5. Transfer of Personal Data to Domestic Third Parties
The Company carefully complies with the conditions outlined in the Personal Data Protection Law (KVKK) regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. Accordingly, personal data is not transferred to third parties without the explicit consent of the data owner. However, in the presence of any of the following conditions stipulated in KVKK, personal data may be transferred without obtaining explicit consent from the data owner:
When explicitly provided for by law,
When it is necessary to protect the life or physical integrity of the data owner or another person and the data owner is unable to provide consent due to physical impossibility or legal invalidity,
When processing is directly related to the establishment or performance of a contract to which the data owner is a party,
When it is necessary for the data controller to fulfil its legal obligations,
When the data has been made public by the data owner,
When processing is necessary for the establishment, exercise, or protection of a legal right,
When processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
With sufficient measures in place, the following conditions also apply: For special categories of personal data excluding health and sexual life, personal data may be transferred if explicitly provided for by law. For special categories of personal data related to health and sexual life, personal data may be transferred without explicit consent for purposes such as:
Protection of public health,
Preventive medicine,
Medical diagnosis,
Delivery of treatment and care services,
Planning and management of healthcare services and financing.
The transfer of special categories of personal data is also carried out in compliance with the conditions specified for their processing.
5.6. Transfer of Personal Data Abroad
The Company requires the explicit consent of the data owner for the transfer of personal data abroad in accordance with the Personal Data Protection Law (KVKK). However, in cases where personal data, including special categories of personal data, may be processed without the explicit consent of the data owner, such data may be transferred abroad without explicit consent provided that the foreign country ensures adequate protection. If the country of transfer has not been designated by the Personal Data Protection Board as one with adequate protection, the Company and the data controller or processor in the foreign country must commit in writing to ensuring sufficient protection, and the permission of the Board must be obtained.
The Company does not transfer personal data to foreign countries or store personal data on servers located in foreign countries.
5.7. Rights of the Personal Data Owner
The rights of data owners under the Personal Data Protection Law are outlined in Article 11 and are as follows:
To learn whether personal data is being processed,
To request information if personal data has been processed,
To learn the purpose of personal data processing and whether it is being used in accordance with its purpose,
To know the third parties to whom personal data is transferred domestically or abroad,
To request the correction of incomplete or inaccurate personal data,
To request the deletion or destruction of personal data under the conditions set forth in Article 7,
To request that third parties to whom personal data has been transferred be notified of corrections, deletions, or destruction carried out in accordance with the two preceding items,
To object to a result arising against oneself due to the analysis of processed data exclusively by automated systems,
To claim compensation for damages incurred due to the unlawful processing of personal data.
These rights can be exercised by filling out the “Personal Data Owner Application Form”.
Data Controller and Contact Information:
Data controller: POLEN TURİZM YATIRIMLARI A.Ş.
Data controller contact person: IT Personnel
5.8. Obligation to Inform and Notify
Under Article 10 of the Personal Data Protection Law (KVKK), data owners must be informed before or at the time their personal data is obtained. The information to be provided to data owners within the scope of this obligation includes:
The identity of the data controller and, if applicable, its representative,
The purposes for which personal data will be processed,
The recipients to whom the processed personal data may be transferred and the purposes of such transfers,
The method and legal basis for collecting personal data,
Other rights of the data owner listed in Article 11 of the KVKK.
However, under Article 28(1) of the KVKK, the obligation to inform does not apply in the following circumstances:
When personal data is processed by natural persons solely for activities related to themselves or family members living in the same household, provided the data is not shared with third parties and data security obligations are met,
When personal data is processed for purposes such as research, planning, and statistics after being anonymised,
When personal data is processed for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate national defence, national security, public safety, public order, economic security, privacy, or personality rights, or constitute a crime,
When personal data is processed within the scope of preventive, protective, or intelligence activities conducted by public institutions and organisations authorised by law to ensure national defence, national security, public safety, public order, or economic security,
When personal data is processed by judicial authorities or execution agencies in relation to investigation, prosecution, trial, or enforcement procedures.
5.9. Conditions of Deletion, Destruction and Anonymization of Personal Data
The Company deletes, destroys, or anonymises personal data it has obtained when the data is no longer required to be retained due to legal obligations, or at the request of the data owner.