POLICY ON PROTECTION OF PERSONAL DATA

This policy explains the principles for the processing of personal data that need to be known by the real persons we process whose personal data, such as Dogus Technology supplier, consultant, internal customer (Dogus Group Affiliates), physical visitor and website (http://www.d-teknoloji.com.tr/) users.

Definitions

Within the scope of this policy;

Dogus Technology: Doğuş Bilgi İşlem ve Teknoloji Hizmetleri A.Ş., which own the site,

Relevant person/real person: Personal data owner (subject),

Recording environment: Any environment which is automatic in whole or in part or where personal data processed with non-automatic means are exist provided that it is a part of any data recording system.

Site: The website on the following address:http://www.d-teknoloji.com.tr/,

Data Processor: Real or legal person processing data according to the authority given by the data processor.

Data Supervisor: Real or legal person determining the processing purposes of the personal data and responsible for the establishment and management of the data recording system,

Law No. 5651: Law on Regulation of Publications on the Internet and Suppression of Crimes Committed by means of such Publications,

Law No. 6698/KVKK: Refers to the Law on Protection of Personal Data.

1. Scope and Purpose of Protection of Personal Data Policy

This present Privacy and Protection of Personal Data Policy explains Dogus Technology’s:

• Methods and legal reasons for collecting personal data,
• personal data of groups of persons being processed (Categorization of Data Subject),
• The categories of personal data processed about these groups of people (Data Categories) and sample data types,
• Business processes in which this personal data is used and the purpose of use,
• Technical and administrative measures taken to ensure the security of personal data,
• To whom and for what purpose can personal data be transferred,
• Retention periods of personal data,
• What are the rights of the Relevant Persons on their own personal data and how these rights can be used by them
• Personal data sharing with official authorities

a. Methods and Legal Reasons for Collecting Personal Data

Dogus Technology collects personal data through the website, the relevant company, the person concerned, cookies, notifications from administrative and judicial authorities and other communication channels, aurally, electronically or in writing, in accordance with the personal data processing conditions specified in the KVK Law and in line with the legal reasons provided in this present Personal Data Protection Policy.

b. Categorization of Data Subject Person Group

Dogus Technology categorizes the groups of people whose personal data are processed in personal data processing processes and activities related to these processes as follows. However, personal data of other groups of persons (consultants, educators) may be processed in accordance with the personal data processing requirements provided in Articles 5 and 6 of the KVK Law and in line with the legal reasons specified in this Privacy/Personal Data Protection Policy.

• Internal customer (Dogus Group Affiliates)
• Online Visitor
• Physical visitor
• Supplier or Supplier’s Employee (Outsourced staff) or Authority
• Consultant

Data Categories and Sample Data Types

1.	Internal customer (Dogus Group Affiliates) • Credentials: First name, surname • Contact Information: mobile phone, email address, landline phone • Risk Management Information: IP address • Process Security Information: Passcode, password information • Legal Transaction and Compliance Information: Start and end time of the service provided, the type of service utilized, the data transferred.
2.	Online Visitor • Process Security Information: Passcode, mobile phone, password information • Legal Transaction Information/Risk Management Information: IP address • Legal Transaction and Compliance Information: Start and end time of the service provided, the type of service utilized, the amount of data transferred.
3.	Physical Visitor • Credentials: First name, surname, T.R. identification number • Transaction Information: License plate number, date and time of visit • Visual Information: Camera Recording (CCTV)
4.	Supplier or Supplier’s Employee (Outsourced staff) or Authority • Credentials: TR Identification number, Name surname • Contact Information: email address, phone, KEP address, address, mobile phone • Financial Information: Account No, Tax Office, Tax Identification Number, Tax plate, IBAN, • Legal Procedure and Compliance Information: Signature circular, certificate of activity, power of attorney • Special Categories of Personal Data/Legal Transaction Information: Signature, Medical Report, Criminal Record • Personal Information: SSI Payroll, OHS documents • Professional Experience and Experience Information: Education Status, Certificate • Visual Information: Photograph • Visual Information: Camera Recording (CCTV)
5.	Consultant • Credentials: First name, surname, T.R. identification number • Contact Information: mobile phone, email address, landline phone • Financial Information: IBAN number • Special Categories of Personal Data/Legal Transaction Information: Signature, Signature circular • Professional Experience and Experience Information: Education Status, Certificate

In Which Business Processes and for What Purposes Personal Data is used?

• Personal data is used to carry out activities related to the following processes by Dogus Technology:
• Processing of online visitor data in accordance with the relevant legislation,
• Ensuring physical space security,
• Improving the services offered through the platforms, developing new services and giving information about it,
• Improving process management
• Resolving problems and complaints of internal customer
• Ensuring internal customer communication and providing support in line with the service provided
• Performing statistical evaluations,
• Determining and implementing Dogus Technology commercial and business strategies,
• Ensuring cooperation with universities, receiving support within the scope of joint projects,
• Ensuring R & D center sustainability,
• Making the necessary notifications for R & D sustainability,
• Following accountant and purchase transactions,
• Compliance with legal processes and legislation,
• Responding to information requests from administrative and judicial authorities,
• Planning in-company reporting and business development activities,
• Ensuring data processing security and preventing malicious use,
• Planning and execution of the necessary operational activities to ensure that Dogus Technology activities are conducted in accordance with the policies that are prepared within the scope of Dogus Technology procedures and KVK Law,
• Making necessary arrangements to ensure that the processed data is up to date and accurate,

e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

Dogus Technology undertakes to take all necessary technical and administrative measures and to show due diligence to ensure confidentiality, integrity and security of your personal data.

Dogus Technology takes the necessary measures to prevent unauthorized access to personal data, misuse, unlawful processing, disclosure, alteration or destruction of personal data. Dogus Technology uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption when personal data is processed.

In order to prevent unlawful access to the personal data processed by Dogus Technology, to prevent unlawful processing of these data and to ensure the protection of personal data, Dogus Technology:

• protects the website where personal data are taken with SSL.
• establishes access authorization and control matrices and implements them for its employees in order to prevent unlawful procession of personal data,
• periodically performs penetration tests and tests the resistance of the system against unauthorized access in order to ensure unlawful access to personal data,
• takes hash, encryption, transaction recording, access management and physical security measures to ensure that information systems containing personal data are protected against unauthorized access and unlawful data processing.
• Web site and network on which all systems containing personal data exist are protected with firewall.
• ensures that personal data in printed form is kept in lockers at all the times and can only be accessed by authorized persons.

Although Dogus Technology takes the necessary information security measures, in the event that personal data is damaged or seized by unauthorized third parties as a result of attacks on the platforms operated by Dogus Technology or on Dogus Technology system, Dogus Technology immediately notifies you and the Personal Data Protection Board and takes the necessary measures.

f. To Whom and for What Purpose can the Personal Data be Transferred?

Dogus Technology transfers personal data to third parties only for the purposes specified in this Privacy and Protection of Personal Data Policy and in accordance with Articles 8 and 9 of the Law.

Dogus Technology stores personal data about online and physical visitors in accordance with the legislation and can share it with the relevant public institutions and organizations upon request. Personal data regarding suppliers may be shared with the companies and subsidiaries within the structure of Dogus Group in relation to the goods, products or services procured, as well as with the relevant public institutions. You can get information for the companies and subsidiaries within the structure of Dogus Group at http://www.dogusgrubu.com.tr/tr/sektorler.aspx.

It is shared with TUBITAK (Scientific and Technological Research Council of Turkey) and the Ministry of Science, Industry and Technology in order to ensure R&D sustainability and to make the necessary notifications in line with the legislations.

Dogus Technology shares data with Dogus Holding A.S. (Inc.) in accordance with KVKK (Law on the Protection of Personal Data) within the scope of reporting and statistical studies.

In addition to the technical measures to ensure the security of personal data subject to national and international transfer that we have mentioned above; it is considered that the counter party of the legal relationship is a data controller or data processor, and it is also legally protected by means of the KVKK Law compliant provisions included in our contracts.

g. Retention Periods of Personal Data

Dogus Technology keeps the personal data it processes in accordance with the KVKK Law for the periods stipulated in the relevant legislation or required by the purpose of processing.

You can examine our Cookie Policy regarding the retention periods of personal data obtained through cookies.

h. What Are The Rights Of The Relevant Persons On Their Personal Data And How They Can Use These Rights

The rights of the Person concerned in accordance with article 11 of the KVK Law on the personal data processed by Dogus Technology are listed below:

• To learn whether personal data is processed or not,
• To request information about personal data if it has been processed,
• To learn the purpose of processing personal data and whether they are used appropriately for their purpose,
• To know the third parties in Turkey or abroad which personal data are transferred,
• To request correction of personal data in case of incomplete or incorrect processing,
• To request deletion or destruction of personal data within the framework of the conditions foreseen under Article 7 of the KVKK Law,
• (d) and (e) to notify the third parties to whom the personal data has been transferred,
• To object to the occurrence of a result against the person through analysing the processed data exclusively through automated systems,
• To demand the damage be compensated in the event of a damage due to the processing of personal data unlawfully

In order to execute these rights, you can always contact us using the “Application Form” on our website and the methods specified in this form.

The relevant person groups whose personal data is processed by us accept and declare that they are aware that the fact that personal data collected due to contractual relationship and shared by them through the Web Site and/or given by them are accurate and up-to-date is important for other relevant legislation and in order to use the rights they have on the personal data pursuant to KVKK Law, and that the responsibility to arise from giving misinformation solely belongs to them. You may make any changes and/or updates to your personal data by accessing at kisiselverilerim@d-teknoloji.com.tr.

i. Personal Data Sharing with Official Authorities

Dogus Technology may share this information for the purpose of fulfilling its obligations in the laws with public institutions and organizations that are legally authorized to request this information (in cases where Dogus Technology is obliged to legally and administratively make notification or give information including but not limited to fight against the crime, threat against national and public security and such other reasons).

2. Deletion, Destruction and Anonymization Conditions for Personal Data

Your personal data processed for the purposes specified in this Personal Data Protection Policy will continue to be anonymized and used by us when the purpose required the processing according to Article 7 / f.1 of Law No. 6698 is no longer valid, and when the periods specified by the Laws are expired according to Article 17 and Article 138 of the Turkish Penal Code.

Dogus Technology anoymizes the personal data it has processed by using one or more techniques, which is/are the most appropriate for business processes and activities, from the anonymization methods specified in the Guidelines on Deletion, Destruction and Anonymization of Personal Data published by Data Protection Board, when the retention periods stipulated in the relevant legislation or required by the purpose of processing are expired, and within the 6-month period provided for periodic destruction, and then continues to use this anonymized data.

3. Amendments to Privacy/Personal Data Protection Policy

Dogus Technology can make amendments to this “Personal Data Protection Policy” at any time. These revisions take effect immediately upon the publication of the revised new Protection of Personal Data Policy.

Application Form

Pursuant to Article 13 (1) of the Law, you are required to submit your request regarding the use of the your rights to our Company in writing or by other means determined by the Personal Data Protection Board.

Within this framework, the channels and procedures through which you will submit your application in writing to our company within the scope of Article 11 of the KVK Law are explained on our Dogus Technology application methods page.