PERSONAL DATA PROTECTION LAW (PDPL) INFORMATION NOTICE

This information notice has been prepared in accordance with Law No. 6698 on the Protection of Personal Data (“Law”), in order to inform data subjects about the procedures and principles regarding the processing of personal data by the data controller.

1. Identity of the Data Controller

The organization acting as the data controller fulfills its obligation to inform data subjects regarding the processing of personal data pursuant to Article 10 of the Law. Although no company name is specified in this text, the data controller undertakes to comply with all relevant legal obligations.

2. Categories of Personal Data Processed

The categories of personal data processed may include, but are not limited to, the following:

Identity Information: Name, surname, Turkish ID number, passport number, date of birth, gender, etc.

Contact Information: Telephone number, email address, residential address, communication preferences, etc.

Customer Transaction Information: Product/service purchase details, payment information, order history, etc.

Financial Information: Bank account details, IBAN, invoice information, etc.

Transaction Security Information: IP address, log records, username, password, etc.

Visual and Audio Data: Photographs, video recordings, call center voice recordings, etc.

Location Data: GPS data, city/country location information.

Health Data (where necessary and with explicit consent): Medical history, prescription information, etc.

Special Categories of Personal Data: Health information, biometric data, criminal convictions, and security measures as defined by law.

3. Purposes of Processing Personal Data

Collected personal data may be processed for the following purposes:

Provision of products and services, execution of after-sales support

Management of customer relations processes

Establishment and performance of contractual processes

Execution of financial and accounting transactions

Conduct of communication activities

Performing marketing analysis studies

Planning advertising, campaign, and promotion processes (subject to explicit consent)

Management of requests and complaints

Conduct of internal operational activities

Ensuring occupational and information security

Fulfillment of legal obligations

Providing information to authorized institutions and organizations

Execution of human resources and employment processes (for employee/candidate data)

Management of website and mobile application, improving user experience

Prevention of fraud and abuse, ensuring security

Conduct of risk management and audit processes

Protection of legitimate interests

4. Methods of Collecting Personal Data

Personal data may be collected through the following methods:

Website, mobile application, call center, email, SMS

Electronic forms, physical application forms

Contracts and other commercial documents

Cameras and other security systems

Cookies and other online technologies

Communications via social media accounts

Through third-party business partners and service providers

5. Legal Grounds for Processing Personal Data

Pursuant to Articles 5 and 6 of the Law, personal data is processed based on the following legal grounds:

The explicit consent of the data subject

Being clearly stipulated by law

Being directly related to the establishment or performance of a contract

Necessity for the data controller to fulfill its legal obligations

Being made public by the data subject themselves

Necessity for the establishment, exercise, or protection of a right

Necessity for the legitimate interests of the data controller, provided that it does not harm fundamental rights and freedoms

For health and sexual life data: explicit consent or exceptions for public health, preventive medicine, etc.

6. Transfer of Personal Data

Personal data may be transferred to the following recipient groups in accordance with Articles 8 and 9 of the Law:

Authorized public institutions and organizations

Regulatory and supervisory authorities

Courts and enforcement offices

Business partners

Suppliers and service providers

Banks and financial institutions

Third parties providing support services (such as cloud service providers, call centers, etc.)

Lawyers, financial advisors, consultants

Data processors or transferees located domestically or abroad (subject to the conditions in the Law)

7. Transfer of Personal Data Abroad

Where necessary and in compliance with Article 9 of the Law, personal data may be transferred abroad with the explicit consent of the data subject or to countries deemed to provide adequate protection by the Board. Necessary measures are taken to ensure that third parties to whom data is transferred act in accordance with the Law and data confidentiality requirements.

8. Retention Period of Personal Data

Personal data will be retained:

For the periods prescribed by relevant legislation

For as long as necessary for the purpose of processing

For statutory limitation periods

After the expiration of the relevant period, personal data will be deleted, destroyed, or anonymized as part of periodic destruction processes.

9. Rights of the Data Subject

Pursuant to Article 11 of the Law, data subjects may exercise the following rights by applying to the data controller:

To learn whether their personal data is being processed

If processed, to request information about such processing

To learn the purpose of processing and whether it is used in line with that purpose

To know the third parties to whom their data is transferred domestically or abroad

To request correction of incomplete or inaccurate data

To request deletion or destruction of data within the scope of the Law

To request notification of correction, deletion, or destruction to third parties to whom the data was transferred

To object to outcomes against them resulting from analysis exclusively by automated systems

To demand compensation for damages arising from unlawful processing

10. Methods of Application

Data subjects may exercise the above rights by applying in writing or via other methods determined by the Personal Data Protection Board. Applications will be concluded within 30 days at the latest. If the application incurs a cost, the fee in the tariff determined by the Board may be charged.

Applications must include:

Name and surname, and signature if written

Turkish ID number (for foreigners: nationality, passport number or identification number)

Residential or business address for notifications

Email address, telephone number, or fax number for notification

Subject of the request