Personal Data Protection and Processing Policy

Personal Data Protection and Processing Policy

INTRODUCTION

1.1. General Overview

Ensuring the confidentiality and security of personal data, and complying with relevant legal regulations, are among the top priorities of BİLETİNİAL BİLET BASIM VE DAĞITIM ANONİM ŞİRKETİ ("Data Controller"). Maximum care is taken in this regard.

This Personal Data Protection and Processing Policy ("Policy") aims to ensure the lawful processing, storage, and protection of personal data of our employees, job candidates, visitors, persons we serve, guests, and other third parties whose personal data is processed ("Data Subjects"), as well as compliance with the Law No. 6698 on the Protection of Personal Data ("KVKK").

In preparing this Policy, the Data Controller has used the Turkish Constitution and relevant provisions of KVKK, as well as the relevant legal norms related to the protection and processing of personal data and decisions of the Personal Data Protection Board as guidance.

The Policy will include explanations and instructions regarding the following fundamental principles adopted by the Data Controller for the processing of personal data:

Processing personal data in accordance with the law and integrity principles,

Keeping personal data accurate and, where necessary, up-to-date,

Processing personal data for specific, explicit, and legitimate purposes,

Ensuring that personal data is related to, limited to, and necessary for the purposes for which it is processed,

Storing personal data for the period required by the relevant legislation or for the purpose for which it is processed,

Deleting, destroying, or anonymizing personal data when the processing purpose ceases to exist,

Informing data subjects,

Establishing necessary processes for data subjects to exercise their rights,

Taking necessary measures for the processing and storage of personal data,

Transferring personal data to third parties in accordance with the requirements of the processing purpose,

Showing necessary sensitivity in the processing and protection of special categories of personal data,

Determining the policies, procedures, etc. documents used for KVKK compliance purposes.

1.2. Purpose and Scope of the Policy

The primary purpose of the Policy is to ensure full compliance with KVKK in the personal data processing activities conducted by the Data Controller.

Additionally, the Policy and other written policies aim to sustain our principle of compliance with KVKK and other relevant legal regulations regarding personal data security.

The scope of the Policy covers all personal data processed automatically or manually as part of any data recording system.

1.3. Implementation of the Policy and Relevant Legislation

The Policy has been structured and regulated in accordance with the principles set forth by the relevant legislation. In case of any inconsistency between the current legislation and the Policy, the provisions of the current legislation shall prevail.

2. DEFINITIONS AND ABBREVIATIONS

3. PRINCIPLES OF PROCESSING PERSONAL DATA

3.1. Processing of Personal Data in Compliance with Legal Principles

3.1.1. Compliance with Law and Integrity

All operations performed on personal data shall be in compliance with the law and principles of integrity. In this context, transparency is embraced, and data subjects are informed about the purpose of data collection.

3.1.2. Ensuring Accuracy and, When Necessary, Currency of Personal Data

Systems and processes are established to ensure the accuracy and currency of personal data being processed. Data subjects may request that their personal data be kept accurate and up-to-date by applying to the Data Controller. Such applications are made in accordance with the Notification on Application Procedures and Principles to the Data Controller.

3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

The purpose of processing personal data is determined explicitly and within legal limits, and is communicated to data subjects through information texts before the processing begins.

3.1.4. Data Minimization

Personal data is processed in a manner that is relevant, limited, and proportional to the purposes for which it is processed. During data processing activities, care is taken to avoid processing personal data that is unrelated to or not currently or potentially needed for the purpose.

3.1.5. Retention for Legal or Necessary Period

Personal data is retained only for the duration specified by the relevant legislation or necessary for the purpose for which it was processed. This involves determining whether there is a specified retention period in the relevant legislation. If specified, the data is retained accordingly; if not, data is retained for the period necessary for the purpose it was processed.

When determining retention and destruction periods, considerations include: the duration of the legal relationship with the data subject, the period during which the data controller’s legitimate interests are valid, risks, costs, and liabilities associated with data retention, whether the maximum retention period is adequate for maintaining data accuracy and currency, legal obligations, and statute of limitations for rights associated with the data.

A policy for the retention and destruction of data is prepared and implemented.

3.2. Processing of Personal Data in Compliance with Article 5 of KVKK

Personal data is processed only with the explicit consent of the data subjects or, in cases where explicit consent is not required under KVKK, within the limits specified by the relevant conditions.

3.2.1. Explicit Consent

Explicit consent is the declaration made by data subjects based on information and freedom of choice on a specific issue.

Under KVKK Articles 5/1 and 6/2, explicit consent is obtained when necessary for data processing activities. The most reasonable method is preferred in obtaining explicit consent.

3.2.2. Cases Where Explicit Consent is Not Required

Article 5/2 of KVKK regulates cases where personal data can be processed without explicit consent from data subjects. If conditions for processing data are met, explicit consent is not sought to avoid misleading data subjects.

3.3. Processing of Special Categories of Personal Data

Special categories of personal data, as defined by KVKK due to their potential for greater harm or discrimination, are handled with maximum sensitivity.

Principles for processing special categories of personal data are also addressed in the Policy.

Special categories of personal data can be processed without explicit consent only under the following conditions, with adequate measures determined by the Board:

a) Special categories of personal data, except for health and sexual life, as specified by law.

b) Special categories of personal data related to health and sexual life can be processed without explicit consent only for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, and care services, health services planning and management, by individuals or institutions bound by confidentiality.

Additional measures and processes are determined for accessing and processing special categories of personal data.

A separate policy/procedure is created for processing special categories of personal data.

3.4. Transfer of Personal Data

Personal data is transferred in accordance with data processing purposes and conditions. Data may be transferred to regulatory bodies, inspection authorities, authorized public institutions, suppliers and business partners, and other third parties in Turkey and abroad, within the scope of KVKK Articles 8 and 9.

Measures determined by the Board are taken for the international transfer of personal data.

Data transfers are communicated to data subjects through information texts.

4. PRINCIPLES OF PROTECTING PERSONAL DATA

4.1. Technical and Administrative Measures for Data Security

The measures taken are recorded in the Data Controllers Registry Information System under the name "BİLETİNİAL BİLET BASIM VE DAĞITIM ANONİM ŞİRKETİ."

4.2. Raising Awareness Among Employees

Training and meetings are organized to prevent unlawful processing and access to personal data and to ensure its secure storage. If necessary, professional assistance is sought to enhance employees’ awareness about data protection.

4.3. Protection of Special Categories of Personal Data

Special categories of personal data processed in compliance with KVKK are protected with sensitivity. Technical and administrative measures for protection are determined based on the relevant regulations and decisions of the Personal Data Protection Authority.

4.4. Process in Case of Unauthorized Disclosure

If personal data is unlawfully accessed by others, this situation is reported to data subjects and the Board within 72 hours. If deemed necessary, the Board may announce the situation on its website or by other means.

4.5. Personal Data Inventory

A current personal data processing inventory is maintained by the Data Controller. The Committee is responsible for the accuracy, currency, and presentation of this inventory to relevant authorities. Accurate maintenance of inventories and updates on data protection policies and developments are continuously monitored.

5. DATA SUBJECTS’ APPLICATION TO THE DATA CONTROLLER, COMMUNICATION CHANNELS, AND APPLICATION EVALUATION PROCESSES

5.1. Application Subject

Data subjects’ rights are highly valued, and opportunities are provided for their exercise. Use of the application form is not mandatory, and applications made in accordance with the Notification on Application Procedures and Principles to the Data Controller will be evaluated.

Everyone has the right to:

a) Learn whether their personal data is processed.

b) Request information about their processed personal data.

c) Understand the purpose of processing their data and whether it is used accordingly.

d) Know third parties, domestically or internationally, to whom their data is transferred.

e) Request correction of inaccurate or incomplete data.

f) Request deletion or destruction of personal data under the conditions specified in Article 7 of KVKK.

g) Request notification of the corrections, deletions, or destructions to third parties to whom data has been transferred.

h) Object to a result that is solely based on automated processing of their data.

i) Request compensation for damages caused by unlawful processing of their data.

5.2. Application Method and Address

5.3. Post-Application Process

Applications received by us are responded to based on the nature of the request, within 30 (thirty) days from the date the request reaches the Data Controller. Responses are sent according to the notification method specified by the applicant.

In accordance with Article 14 of the KVKK, if the application is rejected, the response is deemed insufficient, or no response is provided within the time frame, the Data Subject may file a complaint with the Board within thirty days of learning the response and in any case, within sixty days from the date of the application.

5.4. Application Fee

Applications are generally free of charge. However, if the requested procedure incurs additional costs, the Data Controller will charge the fee determined by the Board’s tariff.

5.5. Evaluation of the Application

Applications made by Data Subjects will be evaluated using the “Data Subject Application and Response Procedure” that has been prepared and enacted.

6. INFORMING AND NOTIFYING DATA SUBJECTS

In accordance with Article 10 of the KVKK, Data Subjects are informed about the process of obtaining personal data through the Clarification Text and other documents.

The Clarification Text includes at a minimum: the identity of the data controller, the purpose of processing personal data, to whom and for what purpose personal data may be transferred, the method and legal basis of data collection, and the rights of Data Subjects.

The most reasonable method will be applied in fulfilling the obligation to inform.

7. PERSONAL DATA PROTECTION COMMITTEE

A Personal Data Protection Committee is established within the Data Controller’s organization under the framework of personal data protection law. Committee members are appointed from among the Data Controller’s officials and employees.

The Committee makes the necessary efforts to ensure the Data Controller's compliance with personal data protection regulations.

The Committee ensures that applications from Data Subjects are answered within legal timeframes and in accordance with procedures.

The Committee manages the Data Controller’s relations with the Personal Data Protection Authority.

The Committee conducts periodic audits, and records actions required based on audit results. Cost/need analysis is conducted for actions required, and actions are taken based on reasonable analysis results.

8. REVIEW

The policy is reviewed and revised as necessary.

Matters related to the implementation of the Policy within the Data Controller are systematized through internal policies, procedures, and guidelines.

9. EFFECTIVE DATE

The policy comes into effect upon approval by the Committee within the Data Controller and is communicated to all Data Controller employees.