1. Chapter 1-Introduction

1.1. Introduction

Protection of personal data is among the top priorities of our company. The most important pillar of this issue is, by governing this policy, the protection and processing of the personal data of our customers, potential customers, candidate employees, company shareholders, company officials, visitors, as well as employees, shareholders and authorities of the institutions we cooperate, and third parties.

This policy sets out the principles to be adopted and considered in terms of implementation by Özak Yenigün Ziylan Adi Ortaklığı. regarding the processing and protection of personal data. This policy determines the functions to be fulfilled by Özak Yenigün Ziylan Adi Ortaklığı and sets out the basic principles on how to comply with the regulations stipulated in the Law on the Protection of Personal Data No. 6698 (KVKK). In this sense, the administrative and technical measures to be taken by Özak Yenigün Ziylan Adi Ortaklığı are examined in order to protect personal data processed in compliance with the relevant legislation.

1.2. Purpose of the Policy

The main purpose of this policy is to provide information on the personal data processing activities conducted in accordance with the law by Özak Yenigün Ziylan Adi Ortaklığı and on the systems adopted for the protection of personal data. In this context, our aim is to ensure transparency by informing people, notably our customers, potential customers, candidate employees, company shareholders, company officials, visitors, as well as employees, shareholders and authorities of the institutions we cooperate, and third parties, whose personal data are processed by Özak Yenigün Ziylan Adi Ortaklığı.

1.3. Scope of the Policy

This policy relates to all personal data of our customers, potential customers, candidate employees, Company shareholders, Company officials, visitors, as well as employees, shareholders and authorities of the institutions we cooperate, and third parties, processed through automated means or provided that they are part of any data registry system through non-automated means.

This Policy may be amended from time to time by the approval of the Board of Directors, if stipulated by the KVK Regulations or when deemed necessary by the Company's Data Controller.

1.4. Entry into Force of The Policy

The Policy, developed by our company, will be updated the event of a renewal of the entire or certain provisions.

The policy is published on our Company's website and made available to the relevant persons upon request of the personal data subjects.

1.5. Definitions

Explicit Consent: Consent about a specific subject based on the information and expressed in free will.

Anonymization: The modification of personal data in such a way that they lose their personal data feature and that this condition cannot be recovered. For instance, making personal data unassociated with a real person with techniques of masking, consolidation, data destruction, etc.

Candidate Employee: Real persons who have applied for a job in any way to our Company or have opened their personal background and related information for inspection by our Company.

Employees, Shareholders, and Authorities of the Institutions we Cooperate: Real persons, including shareholders and authorities of the institutions, who work in these institutions (including, but not limited to as a business partner, supplier, etc.) with which we have developed any kind of business relation.

Personal Data Subject: A Real person whose data are processed. For example; Customers and employees.

Personal Data: Any information related to the identified or identifiable real person. The processing of data relating to legal persons is hereby not within the scope of the Law. For instance; name-surname, TR identity number, e-mail, address, date of birth, credit card number, etc.

Customer: Real persons who used or have been using the products and services offered by our company.

Data of Special Nature:Personal data relating to the race, ethnic origin, political opinion,philosophical belief, religion, sect or other belief, clothing, membership to associations,foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.

Potential Customer: Real persons who have the potential to do business with our company, who might want to work, who have purchasing power but we have not reached yet, and who we have not sold anything even if reached.

Company Shareholders: Real persons who are shareholders of our company.

Company Authority: Executive board members of our company and other authorized real persons.

Data Processor: A real and legal person who processes personal data on his behalf on the basis of the authority conferred by the data controller. For example; Digital marketing companies working with our company, etc.

Visitor: Real persons who have entered our physical premises with various purposes or visited our websites. 

2. Chapter 2 - Protection of Personal Data

Our Company, in accordance with Article 12 of the Law on KVK, takes the necessary technical and administrative measures to ensure that the appropriate level of security is maintained so as to prevent illegal processing of personal data, to prevent illegal access to data, as well as to ensure data retention; within this scope, it performs required inspections or has these inspections done.

2.1. Ensuring Security of Personal Data

2.1.1. Technical and Administrative Measures for Legal Processing and Protection of Personal Data

Our Company takes technical and administrative measures considering technological facilities and application cost so as to ensure that personal data is processed in accordance with the law; to prevent indiscreet or unauthorized disclosure, access, transfer, or other unlawful access of personal data; to prevent them from being stored in unsecure environment and being illegally destroyed, lost or altered.

• All processes related to data processing activities within Özak Yenigün Ziylan Adi Ortaklığı are analyzed on the basis of business units. In this context, a "personal data processing map" was issued.
• Pursuant to the personal data processing map, the works to be performed in order to ensure compliance with the law are identified on a unit basis.
• The developed personal data processing processes are inspected by the technical systems to be devised and reported to the concerned party.
• Özak Yenigün Ziylan Adi Ortaklığı employees were informed about the legal processing of personal data and sanctions for unlawful data processing.
• Regular inspections are carried out to ensure awareness of the employees. Required administrative measures are implemented through the internal policies and training of Özak Yenigün Ziylan Adi Ortaklığı
• Özak Yenigün Ziylan Adi Ortaklığı makes entries regarding the confidentiality of shared personal data and how they should be processed and stored, in contracts and documents governing the legal relationship among the Company, its employees, subsidiaries, business partners, suppliers, and customers.
• Access to personal data is limited to the employees assigned to data processing. Employees are restricted from accessing personal data that they do not use as a requirement for their tasks.
• Technical personnel are employed for technical matters.
• Technological technical measures have been taken to prevent access to systems and locations where personal data are stored, and these measures are periodically updated.
• Access and authorization technical processes were designed and activated by Özak Yenigün Ziylan Adi Ortaklığı, in accordance with business unit-based legal compliance requirements.
• The technical measures taken are periodically reported to the concerned parties. Technological solutions are developed for security risks.
• Required software and systems, including virus protection systems and firewalls, are installed.
• Özak Yenigün Ziylan Adi Ortaklığı employees are trained in the technical measures taken in this sense, and technical personnel are employed.
• The employees of Özak Yenigün Ziylan Adi Ortaklığı are committed to not disclose the personal data they acquired to others in violation of the provisions of KVK, and not to use them other than for the purpose of data processing. This commitment shall continue to affect even after they have left the job.
• To protect personal data, the provisions for the required security measures were inserted to the contracts which Özak Yenigün Ziylan Adi Ortaklığı concluded with people to whom personal data are transferred.

Technological systems are being used in order to store personal data in a secure environment.

• Technical personnel are employed for technical matters.
• Technical security systems are established for fixed storage, and technical measures taken are periodically reported to the concerned in pursuant to an internal audit mechanism, and the required technological solution is produced by reevaluating the risky issues.
• To ensure the safe storage of personal data, backup programs are used in a lawful manner.
• Employees are trained to ensure the safe storage of personal data.
• In case of getting an external service [outsourcing] due to technical requirements for the storage of personal data, provisions concerning that the persons to whom personal data is transferred will take necessary security measures for data protection, and these measures are followed within their institutions, are inserted to the contracts concluded with the companies which personal data are legally transferred to.

2.1.2. Audit of Measures Taken on Personal Data Protection

Our Company performs the required audits within its own body in accordance with Article 12 of the Law on KVK. The results of these audits are reported to the concerned department in line with the Company's internal operation procedures, and required activities are carried out to improve the measures taken. 

2.1.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In case that personal data processed in accordance with Article 12 of the Law on KVK are obtained by others through illegal means, our company operates a system that allows this situation to be notified to the concerned personal data subject and the KVK Board as soon as possible.

If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other means.

2.2. Observing the Rights of Data Subject and Evaluating the Complaints

Özak Yenigün Ziylan Adi Ortaklığı exploits required channels, internal working procedures, administrative and technical regulations in accordance with Article 13 of the Law on KVK to evaluate the rights [and complaints] of personal data subjects and to provide them with necessary information.

In the event that personal data subjects submit their complaints in writing to our Company regarding their rights stipulated in the Law on KVK, our company concludes the complaint as soon as possible and free of charge within 30 days at the latest depending on the nature of the complaint. However, if the process requires an additional cost, our Company will charge the tariff determined by the KVK Board.

The data controller accepts or rejects the complaint and notifies the concerned in writing or electronically. In case the complaint mentioned in the application is found acceptable, the data controller does the necessary. In the event that the application is made due to a mistake of the data controller, the fee shall be returned to the person concerned.

3. Chapter 3- Processing of Personal Data

Özak Yenigün Ziylan Adi Ortaklığı, in accordance with Article 4 of the Law on KVK, conducts data processing activities in compliance with the law and good faith. Our Company retains personal data as long as required by law or as required for personal data processing purposes.

Özak Yenigün Ziylan Adi Ortaklığı, Özak Yenigün Ziylan Adi Ortaklığı processes personal data on the basis of certain requirements of Article 5 of the Law on KVK about personal data processing.

Özak Yenigün Ziylan Adi Ortaklığı, Elucidates personal data subjects and informs them when requested information in accordance with Article 10 of the Law on KVK.

Özak Yenigün Ziylan Adi Ortaklığı complies with the regulations envisaged for the processing of data of special nature, pursuant to the provisions of Article 6 of the Law on KVK.

Özak Yenigün Ziylan Adi Ortaklığı, in accordance with the Articles 8 and 9 of the Law on KVK, complies with the regulations stipulated by the Law and set forth by the KVK Board on the transfer of personal data.

3.1. Processing of Personal Data Pursuant to the Principles Prescribed in Legislation

3.1.1. Processing compliance with the Rule of Law and Good Faith

Özak Yenigün Ziylan Adi Ortaklığı acts in accordance with the principles set out by legal regulations and general trust and good faith in the processing of personal data. In this context, our company takes into consideration the proportionality requirements in the processing of personal data and does not use personal data other than for its intended purpose.

3.1.2. Ensuring Personal Data Accuracy, and Up-to-Dateness When Necessary

Özak Yenigün Ziylan Adi Ortaklığı ensures that personal data it has processed are accurate and up to date, taking into account the fundamental rights of personal data subjects and their legitimate interests. In this respect, our company takes the necessary measures.

3.1.3. Processing with Specific, Explicit and Legitimate Purposes 

Özak Yenigün Ziylan Adi Ortaklığı processes personal data for specific, explicit, and legal reasons. In this context, Özak Yenigün Ziylan Adi Ortaklığı Companies should identify the purpose for which personal data will be processed, and should provide data subjects with this purpose before their personal data is processed. Personal data should not be processed for purposes other than those specified. The purposes of data processing identified by Özak Yenigün Ziylan Adi Ortaklığı shall be legitimate and lawful.

3.1.4. Being Limited, Proportional and Expedient to Purpose of Data Processing

Özak Yenigün Ziylan Adi Ortaklığı processes personal data in a way to achieve the identified purposes and avoids the processing of personal data that is not required or not related to the realization of the purpose. For example, our company is not conducting personal data processing to meet probable needs.

3.1.5. Retaining Personal Data for the Period Required for the Purpose stipulated in the Legislation or for the Purpose for Which They were Processed

Özak Yenigün Ziylan Adi Ortaklığı retains personal data only for the period specified in the relevant legislation or for the purpose for which they were processed. In this context, our company determines whether a period has been stipulated for the storage of personal data in the relevant legislation; if this is the case, it takes into account this period; otherwise, it retains personal data for the time period required for the purpose for which they were processed.

3.2. Personal Data Processed by Our Company

3.2.1. Which Personal Data Do We Process

Should you share with us, or if required, your personal data and the data of special nature which may be subject to our processing are as follows:

Name, Surname, Place of birth, Date of birth, Gender, Marital status, Photo, Home Phone Number, Cell Phone Number, Personal e-mail address, Personal Identifying Information, Address, Surveys, Photos conveyed for Form filling and contests, Video recordings, any other personal data you share with us in any way through the channels above, information about your usage of the goods and services we offer, personal data collected automatically by automatic search engines, image and sound recording devices, cookies or other means, social media tools, updated information that our business partners, suppliers, and other third parties share with us based on your prior consent, page display information; information such as search term and search results, and other personal data such as paid listings and sponsored links.

3.2.2. How Your Personal Data Can Be Processed

Pursuant to the Law No. 6698 on the Protection of Personal Data, in Data Controller's capacity, we will be able to process any kind of personal data and data of special nature that you share with our company, by conducting any kinds operation on them, such as retrieving in whole or in part through automated means or provided that they are part of any data registry system, through non-automated means, and registering, storing as long as they required for the processing purpose, preserving, modifying, reorganizing, disclosing, transferring, making acquisition, making retrievable, classifying or preventing of use.

3.3. Elucidating and Informing Personal Data Subject

Our Company elucidates personal data subjects during the retrieving of personal data in accordance with Article 10 of the Law on KVK. In this sense, we provide information on for what purpose personal data will be processed, to whom and for which purpose personal data can be transferred, personal data retrieving method and legal rights of the personal data subject.

Article 11 of the Law on KVK mentions "request information" as one of the rights of the personal data subject. Our company, pursuant to this provision, provides the necessary information should the personal data subject requests information.

3.4. Purposes of Personal Data Processing

Our company processes personal data in accordance with the terms and conditions  specified in the 2nd  subclause of article 5 and 3rd subclause of article 6 of the Law on the Protection of Personal Data numbered 6698. These terms and conditions are as follows:

• The relevant activities of our Company regarding the processing of your personal data should be clearly provided by laws.
• The processing of your personal data by our Company should be directly relevant and necessary for the conclusion or fulfillment of a contract.
• The processing of your personal data should be mandatory for our Company to be able to perform his legal obligations.
• Provided that your personal data is made available to the public by you; the data concerned should be processed in a limited way to this publicization.
• The processing of your personal data by our Company should be mandatory to establish, exercise, or protect the rights of our Company or you or third parties.
• Personal data processing should be mandatory for the legitimate interests of our Company, provided that this processing shall not violate your fundamental rights and freedoms.
• Personal data processing by our company should be mandatory for the protection of life or physical integrity of the personal data subject or of any other person, and in this case, the personal data subject should be bodily incapable of giving his consent or whose consent is not deemed legally valid.
• The processing of personal data of special nature, excluding those relating to health and sexual life, is provided for by laws.
• Personal data of special nature of data subject relating to health and sexual life are processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

• In line with conducting necessary undertakings by our respective business units and performing related business processes in order to carry out commercial activities by the Company;
• Planning and execution of business activities and of ensuring business continuity,
• Planning and execution of customs operations, production and/or its operations processes,
• Business follow-up of finance and/or accounting,
• Activity method,
• Providing information with the competent authorities about legislation,
• Planning and executing corporate communication activities,
• Planning and execution of supply chain management and logistics activities,
• Planning and execution of production and/or its operation processes
• Planning and execution of information access authorities for business partners and/or suppliers
• In line with conducting necessary undertakings by our respective business units and performing related business processes in order to benefit people from products and services offered by the Company;
• Planning and execution of customer relationship management processes,
• Following customer requests and/or complaints,
• Planning and execution of marketing processes of products and/or services,
• Planning and/or execution of after-sales support services activities,
• Business follow-up of contract processes and/or legal requests, performing and following the customer's insurance process,
• In line with the aim of carrying out necessary activities in order to offer products and services of our Company to personal data subjects by customizing these products and services according to the subject's taste, usage habits, and needs;
• Planning and execution of market research activities for the sales and marketing of products and services,
• Sales and after-sales operations and procurement operations,
• Planning and/or execution the processes of creating and/or increasing loyalty to the products and/or services offered by the Company,
• In line with the purpose of ensuring the execution of our Company's human resources policies;
• Fulfilling the obligations and taking necessary measures within the framework of occupational health and safety,
• Evaluation of job applications in accordance with our Company's Human Resources Policies,
• Fulfilling the obligations arising from the employment contract and/or legislation for the employees of the Company,
• Personnel recruitment and layoff procedures,
• Evaluating of pay for performance process,
• Managing of wages and payrolls,
• Planning and/or execution of internal training activities,
• Conducting other human resources operations,
• In line with the purpose of ensuring the legal and commercial security of our Company and business contacts;
• Business follow-up of the company's legal affairs,
• Planning and execution of the operational activities required to ensure that the Company's activities are carried out in compliance with the Company procedures and/or relevant legislation,
• Creating and tracking visitor records
• Ensuring the security of company premises and/or facilities,
• Ensuring the security of company inventory stocks and/or resources,
• Ensuring the security of company operations,
• Planning and execution of emergency management processes,
• Planning and/or execution of financial risk processes of the Company,
• In line with the purpose of determining and implementing our company's commercial and business strategies;
• Financial operations performing by our company, communication, market research and social responsibility activities, procurement operations, product/project/manufacturing/investment quality processes and operations,
• Company internal system and application management operations,
• Planning and/or execution of external training activities,
• Managing of relations with business partners and/or suppliers.

In the case that personal data subject does not give his/her explicit consent, it should be understand that our business units may carry out personal data processing for purposes that do not require explicit consent of the personal data subject, as specified in the first paragraph, and may carry out data processing which remains outside the scope of the same purpose for data processing; rather than that not to carry out any data processing.

3.5. Processing Data of Special Nature

In processing personal data designated as "data of special nature" by the Law on KVK, our Company strictly adheres to the regulations stipulated in the Law.

In Article 6 of the Law on KVK, a set of personal data, when illegally processed, which have the risk of causing unjust suffering or discrimination, are identified as "data of special nature." These data are the personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

3.7.1. Transfer of Personal Data

Our company may transfer personal data, in line with legitimate and legal personal data processing purposes, to third parties on the basis of one or more of the personal data processing conditions specified in Article 5 of the Law listed below:

• Should personal data subject express his/her explicit consent,
• Should there is a clear regulation about the transfer of personal data by law,
• Should the transfer be mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid.
• Should the transferring of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.
• Should personal data transfer is mandatory for our Company to fulfill its legal obligation,
• Should personal data are made available to the public by the data subject himself,
• Should personal data transfer be mandatory for the establishment, exercise, or protection of any right.
• Should it is mandatory for the legitimate interests of our Company, provided that the transfer shall not violate the fundamental rights and freedoms of the data subject.

3.7.2. Transfer of Personal Data of Special Nature

Our company may transfer personal data of special nature of the personal data subject to third parties in the following cases in line with legitimate and legal personal data processing purposes, by showing due diligence, taking required security measures and adequate measures stipulated by the KVK Board.

• Should personal data subject express his/her explicit consent, or
• Should personal data subject does not express his/her explicit consent;
• In the cases prescribed by the law, the personal data of special nature of the subject (related to race, ethnic origin, political opinion,philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data), other than his/her health and sexual life,
• Personal data of special nature of data subject relating to health and sexual life are only processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

3.7.3. Use of Website Cookies

Özak Yenigün Ziylan Adi Ortaklığı websites are the sites that use cookies. Cookies; is a file consisting mostly of letters and numbers, being stored in the internet browser or on the hard disk of the device in use by allowing the device to be recognized.

Özak Yenigün Ziylan Adi Ortaklığı websites store information collected through cookies, log files, blank gif files, and/or third-party resources to form a summary of your preferences.

We use two types of cookies on our websites; session cookies and persistent cookies. Session cookies are temporary cookies which are valid only until you close your browser. Persistent cookies remain on your hard disk until you delete them or they expire (in this option, how long cookies remain on the device will depend on the lifetime of the cookies).

Websites use cookies to remember your preferences and customize your website/mobile application. This includes cookies that save your user password and allow you to stay your website/mobile application constantly logged in, thus saving you the trouble of entering passwords more than once for each visit, and includes the cookies that remember and recognize you on your next visit to the website/mobile app.

These cookies are used to determine how you use the website/mobile application, and to measure the parameters such as the duration of your visit, including where you connect to the web site, what content you view on the website/mobile app, and how you use the website/mobile app.

The website may also use cookies to activate advertising technology to provide you with ads that may be of interest to you when you visit the search engines, website, mobile app, and / or websites that the website advertises. To offer you specific ads, advertising technology uses information about your previous visits to the website/mobile app and to the websites/mobile applications that the website advertises. In the course of offering these advertisements, a unique third-party cookie may be stored on your browser so that the website can recognize you.

Özak Yenigün Ziylan Adi Ortaklığı also uses Google Analytics, a web analysis service provided by Google Inc. Google Analytics uses cookies to analyze how users use the website, mobile app, and/or mobile site, by statistical information/reports.

You can use the following methods to allow and deny cookies:

To have information about cookies and cookie management, in addition to the above options, you can visit https://www.allaboutcookies.org, and https://www.youronlinechoices.eu/, or use the "Privacy Badger" application (https://www.eff.org/tr/privacybadger).

If you deny persistent cookies or session cookies, you may continue to use the website, mobile app, and mobile site, but you may not be able to access all their functions, or you may have limited access.

Information about cookies on our website is listed in the following table:

Remembering your preferences of functional and analytical cookies contain data on the effective use of the website, optimizing the site to meet user requests, and how visitors use the site. By their nature, such cookies may contain personal information, such as the user name.

3.8. Retention Time Periods for Personal Data

Our Company stores personal data, where stipulated in the relevant laws and regulations, for the period stated in these legislations.

In cases where the legislation does not regulate the period of retention for how long personal data should be stored, personal data is processed for a period, which requires the processing of our data in accordance with the requirements of our Company's practices and precedents of commercial activities, depending on the services offered by our Company, and they shall be then erased, destroyed or anonymized.

If the purpose of processing the personal data expires, and the relevant legislation becomes obsolete, and the retention periods determined by the Company also comes to close, personal data can only be stored for the purposes of potential legal disputes, or claims on related rights linked to personal data, or preparations of statement of defense. In setting the time spans, retention periods are determined based on prescription periods for claiming the mentioned right, and even though the prescription periods expire, the examples of requests previously directed to our company on the same issues. In this case, retained personal data are not accessible for any other reason except for the requirements of legal disputes. Personal data is erased, destroyed, or anonymized once the mentioned period has expired.

3.9. Deleting, Destroying and Anonymizing Personal Data

As set out in Article 7 of the Law on KVK, personal data is erased, destroyed or made anonymous upon the Company's own decision or at the request of the personal data subjects, in case the reasons that require processing are eliminated in spite of the fact that it has been processed in accordance with the relevant legal provisions. In this context, our Company fulfills its obligation with the methods described in this Chapter.

Although our company has processed personal data in accordance with the provisions of the relevant law, should the reasons for the processing disappear, it may erase or destroy the data on the basis of its own decision or at the request of the personal data subject. The data controller and the committee monitor the conditions requiring erasure and destruction of personal data.

Anonymization of personal data refers to making personal data unlikely to be associated with any real, identifiable person in any way, even when personal data are paired with other data. Our company may anonymize personal data when the reasons for processing the personal data processed in accordance with the law are disappeared.

4. Chapter 4 - Third Parties to Which Personal Data are Transferred by our Company, and Their Purposes

In accordance with Article 10 of the Law on KVK, our Company informs the personal data subject of the groups to whom personal data are transferred.

In line with Articles 8 and 9 of the Law on KVK, our Company may transfer customers' personal data to the following categories:

• Özak Gayrimenkul Yatırım Ortaklığı A.Ş.
• Özak Global Holding
• Özak Yenigün Ziylan Adi Ortaklığı
• Aktay Otel İşletmeleri A.Ş.
• Akyön Tesis Yönetim Hizmetleri A.Ş..
• Kamer İnşaat Ticaret ve Sanayii A.Ş., including;
• Our main shareholders,
• Our affiliated companies,
• Our group companies,
• Direct/indirect domestic/international subsidiaries;
• Program partner organizations and domestic/international organizations we get service and cooperate for conducting our activities,
• Our business partners,
• Our suppliers,
• Organizations we get service,
• Domestic and overseas servers we use,
• Domestic/foreign institutions where we get cloud service,
• Persons and organizations processing data on behalf of the data controller, and supporting measurement, targeting, and profiling
• Audit Companies,
• Advertising and promotion agencies,
• Due to the legal obligation, state institutions and organizations, and other third parties,

5. Chapter 5- Personal Data Processing Activities in Buildings-Premises and Entrance Locations

Personal data processing activities conducted by our Company at the entrance locations and in the buildings and premises are carried out in accordance with the Constitution, the Law on KVK, and other relevant legislation.

In order to ensure security, our company conducts monitoring activities with security cameras in the buildings and premises, and data processing for tracking guest entrance and exits.

Our Company carries out personal data processing through the use of security cameras and recording of guest entrance and exits.

In this context, our Company acts in line with the Constitution, the Law on KVK, and other relevant legislation.

5.1.  5.1. Surveillance with Camera at Entrance Locations, and in Building and Premises

In this Chapter, we will explain the camera-surveillance system of our Company, and give information on how to protect personal data, privacy, and fundamental human rights.

The objectives of our company in surveilling with security cameras are to improve the quality of the service provided, to ensure the reliability of the company, to deliver the security of the customers, the company and other people, to protect the security of benefits of customers about the service they receive.

5.1.1.  Legal Basis of Camera Surveillance

Our company conducts camera surveillance activities in accordance with the Law on Private Security Services and related legislation.

5.1.2. Surveillance with Security Cameras According to the Law on KVK

Our Company complies with the regulations of the Law on KVK Law in conducting surveillance activities with security cameras.

In order to ensure the security in the buildings and premises, our company carries out surveillance activities in line with the purposes stated in the laws and in accordance with the personal data processing requirements set forth in the Law on KVK.

5.1.3. Announcement of Camera Surveillance Activity

Our Company elucidates the personal data subjects in pursuant to Article 10 of the Law on KVK.

In this way, it is aimed to prevent the damage to the fundamental rights and freedoms of the personal data subject, to ensure transparency, and to elucidate the data subject.

5.1.4. The Purpose of Surveillance with Cameras and Limitation of Purpose

In accordance with Article 4 of the Law on KVK, our Company processes personal data in a limited and restrained manner in connection with the purpose for which it was processed.

The purpose of video surveillance by our Company is limited to the purposes set out in this Policy. In this respect, security camera coverage, the number of them and when to conduct surveillance are determined in a way that is sufficient enough to achieve the security purpose and limited for this purpose. In areas where personal privacy takes precedence of the security goals (e.g., toilets), no surveillance is carried out.

5.1.5. Ensuring Security of Obtained Data

In accordance with Article 12 of the Law on KVK, technical and administrative measures are taken in order to ensure the security of the personal data obtained by the surveillance activities.

5.1.6. Time Period for Retention of Personal Data Obtained by Surveillance with Cameras

The detailed information about the retention period of personal data obtained by camera surveillance activities of the Company is presented in the article of this Policy, titled as "Retention Period of Personal Data."

5.1.7. Who can Access to Information Obtained as a Result of Surveillance and Who Is this Information Transferred to

Only a limited number of Özak Yenigün Ziylan Adi Ortaklığı employees have access to the records saved and stored in digital media. Live footages can only be observed security guards whom our Company gets service. A limited number of people having access to the records declare, through the confidentiality commitment, that they will maintain the confidentiality of the data they access.

5.2.  Tracking of Guest Entrance-Exits in Buildings and Premises and at Entrance

For the purpose of ensuring company security and in line with the purposes of this Policy, Özak Yenigün Ziylan Adi Ortaklığı conducts personal data processing to track guest entrance and exits in their buildings and premises.

When the names and surname of the people who come to the premises of Özak Yenigün Ziylan Adi Ortaklığı as a guest are obtained, those personal data subjects are informed through the texts that are posted before the Company or otherwise made available by the Company. The data obtained for tracking guest entrance and exits are processed for this purpose only, and the personal data are recorded in the data recording system in physical domains.

5.3.  The storing of records for Internet Access Provided to Our Guests in the Buildings and Premises of Özak Yenigün Ziylan Adi Ortaklığı

For the purpose of ensuring company security and in line with the purposes of this Policy, our company provides Internet access with guests who request during their stay in our buildings and premises. In this case, log records of your internet access are saved in accordance with the Law No. 5651 and the imperative provisions of the legislation regulated by this Law; and these records are processed only if requested by authorized state institutions and organizations, or required for the audit process within the company in order to fulfill its legal obligation.

Only a limited number of Özak Yenigün Ziylan Adi Ortaklığı employees have access to the log records obtained in this sense. Company employees having access to the mentioned records have access to these records only for use in the demand from the authorized state institutions and organizations, or for use in the audit processes, and they share the records with legally authorized persons. A limited number of people having access to the records declare, through the confidentiality commitment, that they will maintain the confidentiality of the data they access.

6.         Chapter 6 - Rights of Personal Data Subjects; Exercise and Evaluation of these Rights

Our Company informs the personal data subject of his/her rights in accordance with Article 10 of the Law on KVK and guides the personal data subject about how to exercise these rights. Our Company exploits required channels, internal working procedures, administrative and technical regulations in accordance with Article 13 of the Law on KVK to evaluate the rights [and complaints] of personal data subjects and to provide them with necessary information.

6.7. Rights of Data Subject and Exercise of the Rights

6.7.1. Rights of Personal Data Subject

Article 11 of Law No. 6698 on the Protection of Personal Data entered into force on October 7, 2016, and your rights under this article as of this date are as follows. Everyone has the right to apply to the Data Controller and;

• To learn whether his/her personal data are processed or not,
• To request information if his personal data are processed,
• To learn the purpose of his data processing and whether this data is used for intended purposes,
• To know the third parties to whom his personal data is transferred at home or abroad,
• To request the rectification of the incomplete or inaccurate data, if any,
• To request his personal data to be erased or destroyed under the conditions laid down in Article 7,
• To request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred,
• To object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for the data subject,
• To claim compensation in case of suffering loss due to illegal processing of the personal data.

6.7.2. Exceptions in the Rights of Personal Data Subject

Personal data subjects, pursuant to Article 28 of the Law on KVK, may not claim the foregoing rights, as the followings are excluded from the scope of the Law:

• Processing the personal data for the purposes of investigation, planning, and statistics by anonymizing with official statistics.
• Processing personal data within the context of artistic, historical, literary or scientific purposes or freedom of speech provided that the personal data does not breach the natural defense, national security, public security, public order, economic security and confidentiality of private life or personal rights, and does not constitute a crime.
• Processing the personal data within the scope of preventive, protective and intelligence operations executed by state institutions and organizations so authorized by the law to ensure national defense, national security, public safety, public order or economic security.
• Processing the personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation, or execution procedures.

Personal data subjects, pursuant to Article 28/2 of the Law on KVK, may not claim their other rights, except the right to claim damage, in the following cases:

• Processing personal data required for prevention of committing an illegal act or criminal investigation.
• Processing of personal data publicized by the data subject.
• Processing personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized state institutions and organizations and professional public organizations by the power granted by the law.
• Processing personal data required for protecting the economic and financial interest of the State with regard to the budgetary, tax-related, and financial issues.

6.7.3. Exercise of Rights by Personal Data Subject

Pursuant to the first paragraph of Article 13 of the Law on KVK, the data subject shall lodge an application in writing to our Company, the data controller, about his demands concerning the implementation of this Law or via other methods specified by Personal Data Protection Board (the "Board"). In this context, the applications to be made to our Company in "writing" shall be communicated by means of;

• Application in person,
• Notary public,
• Sending the application to the registered e-mail address of the Company by signing a secure electronic signature defined in Electronic Signature Law No. 5070. Our contact information for your exercise this right is as follows.

Title: Özak Yenigün Ziylan Adi Ortaklığı
Mersis no : 0662080921900001
E-mail address: [email protected]
Postal address : İkitelli OSB Mah.10 Cad. 34 Portall Plaza No:7D/8 Başakşehir - İstanbul

6.7.4. Personal Data Subject's Right to Complaint to the KVK Board

Pursuant to Article 14 of the Law on KVK, in case the application is declined, the response is found unsatisfactory or the response is not given in due time, the data subject may file a complaint with the KVK Board within thirty days as of he/she learns about the response of our Company, or within sixty days as of the application date, in any case.

6.8. Özak Yenigün Ziylan Adi Ortaklığı. Response to Applications

6.8.1. Our Company's Procedures and Response Time for Applications

In the event that personal data subject duly communicates his/her request to our Company, we shall conclude the demands involved in the applications within the shortest time possible depending on the nature of the demand and within thirty days at the latest and free of charge.

However, if the process incurs another cost, our Company shall charge the applicant for the tariff set by the KVK Board.

6.8.2. Information that Our Company may Request from Personal Data Subject

Our company may request information from the concerned person to determine whether the applicant has personal data.

In order to clarify the issues in the application of personal data subject, our Company may pose questions about the application.

6.8.3. Our Company's Right to Decline Personal Data Subject's Application

Our Company may decline an application on justified grounds in the following cases:

• Processing the personal data for the purposes of investigation, planning, and statistics by anonymizing with official statistics.
• Processing personal data within the context of artistic, historical, literary or scientific purposes or freedom of speech provided that the personal data does not breach the natural defense, national security, public security, public order, economic security and confidentiality of private life or personal rights, and does not constitute a crime.
• Processing the personal data within the scope of preventive, protective and intelligence operations executed by state institutions and organizations so authorized by the law to ensure national defense, national security, public safety, public order or economic security.
• Processing the personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation, or execution procedures.
• Processing personal data required for prevention of committing an illegal act or criminal investigation.
• Processing of personal data publicized by the data subject.
• Processing personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized state institutions and organizations and professional public organizations by the power granted by the law.
• Processing personal data required for protecting the economic and financial interest of the State with regard to the budgetary, tax-related, and financial issues.
• The possibility of personal data subject to block other people's rights and freedoms.

7. Chapter 7 - Company Personal Data Protection and Processing Governance Principles

Our company has established a governance structure to ensure compliance with the regulations of the Law on KVK, and to secure the implementation of Personal Data Protection and Processing Policy.

A "Personal Data Protection Committee" has been formed before the Company in order to manage this Policy and other policies linked to this Policy. The tasks of this committee are set out below:

• To prepare the basic policies for the protection and processing of personal data, and to submit them to the approval of the senior management to put into force.
• To submit to the approval of the senior management the issues related to the decision on how to implement and audit the policies on the Protection and Processing of Personal Data, and the issues with regard to making intercorporate assignments and ensuring coordination in this context.
• To determine the measures to be taken in order to ensure the compliance with the Law on Personal Data Protection and the relevant legislation, and to submit "things to do" to the approval of the senior management and then to supervise them by ensuring coordination.
• To increase awareness of the protection and processing of personal data within the Company and the institutions with which the company cooperates.
• To ensure that required measures are taken by identifying the risks that may incur in the Company's personal data processing activities, and to submit to the approval of the senior management the rectifying proposals.
• To plan and execute training on the protection of personal data and the implementation of policies.
• To finalize the applications of personal data subjects at the top level.
• To coordinate the execution of information and training activities to ensure that personal data subjects are informed about their personal data processing activities and legal rights.
• To prepare the amendments of basic policies for the protection and processing of personal data, and to submit them to the approval of the senior management to put into force.
• To follow the developments and regulations on the Protection of Personal Data, and to advise the senior management on the necessary actions to be taken within the Company as per these developments and regulations.
• To coordinate the relations with the Personal Data Protection Board and Institution.
• To perform other duties that may be given by the Company's senior management to protect personal data.