PDPL General Policy

POLICY FOR STORAGE,

PROCESS AND DESTRUCTION OF PERSONAL DATA

1. Purpose and Scope

Protection of personal data as a constitutional right and their legal assurance is a very delicate matter for Özak Geçiş Teknolojileri Sanayi ve Ticaret Anonim Şirketi (“Özak” or “Company”) and is among the top priorities of our Company. In Özak, we are well aware of our responsibilities in this respect and we place much importance in safe process of your personal data.

This Policy for the Storage, Process and Destruction of Personal Data (“Policy”) is intended to define such methods and principles with the goal to protect fundamental rights and freedoms of individuals, including their private lives, in order to assure the process, transfer and protection by Özak of personal data in line with the Personal Data Protection Law no. 6698 as published in the Official Gazette issued on 7 April 2016 on 29677 (the “PDPL”) and applicable secondary legislation in force, and in addition, to clarify the rights of Relevant Persons in general in line with both the PDPL and the applicable secondary legislation.

This Policy is applicable to the activities whereby all personal data administered by Özak are processed, transferred, stored, destructed and protected.

In this respect, Özak takes all administrative and technical measures in order to protect personal data processed in line with the applicable legislation. Accordingly, the Company reserves its right to change this Policy.

1. Definitions

For definitions and terms used herein, such meanings as defined in the PDPL and the secondary legislation adopted shall be used. Accordingly;

• Express consent: means a consent that is explained by free will on an informed basis about a specific matter;
• Relevant Person: means such real person whose personal data are processed;
• Personal Data: means any information that belongs to an identified or verifiable person;
• Process of Personal Data: means any and all processes on data such as capture, recording, storage, modification, editing, clarification, transfer, taking over, materialization, classification or prevention of use of personal data by fully or partly automated means or, provided to be a part of any data recording system, non-automated means;
• Committee: means Personal Data Protection Committee;
• Agency: means Personal Data Protection Committee,
• Personal Data Inventory: means an inventory where a data controller creates by associating personal data process activities executed by them depending on business processes with personal data process purposes, legal grounds, data category, transferee recipient group and group of persons subject to data and where it details such maximum storage time necessary for the purpose of personal data process, personal data contemplated to be transferred to foreign countries and measures adopted for data security;
• Recording Environment: means any and all environments where there are personal data processed by fully or partly automated means or, provided to be a part of any data recording system, non-automated means;
• PDPL: means the Personal Data Protection Law no. 6698;
• Destruction: means the erasure, destruction or anonymization of personal data;
• Periodic Destruction: means such erasure, destruction or anonymization of personal data,  ex officio, at such repeated intervals set out in the storage and destruction policy in case all conditions for processing personal data as required under the Law are no longer applicable;
• Policy: means Özak’s policy for the Storage, Process and Destruction of Personal Data;
• Special Personal Data: means such biometric and genetic data of persons as well as their data about their race, ethnic origins, political beliefs, philosophical beliefs, religion, sects or other beliefs, clothing and attire, memberships to trade union, foundation or associations, sexual life, criminal conviction or security measures;
• Data Controller: means an individual or entity that determines the purposes and means for the process of personal data is responsible for setting up and managing the data recording system;
• VERBIS: means the Data Controllers Registration Data System;
• Data Processor: means such individual or entity that processes personal data in accordance with the authority given by, and on behalf of, the data controller;
• Regulation: means the Regulation on the Erasure, Destruction or Anonymization of Personal Data as published in the Official Gazette issued on 28 October 2017.

 

1. Related Persons and Processed Personal Data

Özak may gather and process personal data from:

1. customers, subcontractors, suppliers, business connections and potential customers (and/ or individuals related to them) and other business partners;
2. individuals whose personal data are obtained due to professional services provided to customers;
3. Özak employees, their family members and job applicants and their references;
4. Website visitors and social media followers and
5. Third parties.

Personal data collected by Özak may vary pursuant to business and legal relations between the relevant person and Özak. Notwithstanding the foregoing, personal data such as ID details, contact details, financial details, special personal data, education and visual data, data about family members shall be processed in line with the purpose necessary for Özak to process them and in line with conditions set out in Articles 5 and 6 of the PDPL in connection with such purpose and in a limited and proportionate manner, and where necessary, current form.

PERSONAL DATA CATEGORY	PERSONAL DATA CATEGORIZATION CLARIFICATION	RELEVANT DATA SUBJECT
ID DATA	Turkish ID no,  passport no, ID serial no, name-surname, photograph, birth place, birth date, age, birth registration details, certificate of identity registration copy	Customers, visitors, subcontractors, suppliers, natural or legal person subcontractors, real person representative of suppliers,  officers and employees of entities with which Özak is in collaboration, employee candidates and third parties;
CONTACT DATA	E-mail address, telephone number, mobile number, address, etc.	Customers, subcontractors, suppliers, natural or legal person subcontractors, real person representative of suppliers, business connections, potential customers (and/ or their related persons), business partners. officers and employees of entities with which Özak is in collaboration, employee candidates and third parties;
LOCATION DATA	Location data that can be captured during the use of Company cars	Authorized officers, officers and employees of entities with which Özak is in collaboration and third parties;
DATA FOR FAMILY MEMBERS AND CLOSE RELATIVES	ID data about children and spouse of personal data holder, contact details	Children and spouse of personal data holder;
PHYSICAL LOCATION SECURITY DATA	Workplace access and exit details, negotiation records, visitor data, camera records etc.	Customers, visitors, subcontractors, suppliers, natural or legal person subcontractors, real person representative of suppliers, officers and employees of entities with which Özak is in collaboration, employee candidates and third parties;
FINANCIAL DATA	Data showing financial consequences of transactions executed by data subject, bank account details,	Özak employees,
PERSONNEL DATA	Any information and documentation that should be available in the personnel data statutorily (for instance, wage maounts, Social Security Agency (SSA) premiums, payrolls etc.)	Özak employees, employee candidates and third parties
SPECIAL PERSONAL DATA	Healthcare data and criminal record data	Özak employees
LEGAL ACT AND COMPLIANCE DATA	Court or administrative authority orders and data available in execution office documentation and documents and records that should be stored pursuant to legal obligations	Özak employees
APPLICATION/ COMPLAINT MANAGEMENT DATA	Demands and personal data disclosed to Özak in connection with applications and/ or complaints to Özak, and relevant records and reports in relation thereto;	Suppliers, business connections, customers and/ or their related persons, potential customers, officers and employees of entities with which Özak is in collaboration, employee candidates and third parties;
AUDIO-VISUAL DATA	Photographs, camera recordings	Suppliers, business connections, customers and/ or their related real persons, potential customers, visitors, officers and employees of entities with which Özak is in collaboration, Özak employees, employee candidates and third parties;
MOTOR VEHICLE DATA	License plate data	Suppliers, business connections, customers and/ or their related real persons, potential customers, visitors, officers and employees of entities with which Özak is in collaboration, Özak employees, employee candidates and third parties;
ELECTRONIC DATA	Membership records, Internet password and code data, IP address, transaction security data, log-in records etc.	Customers, officers and employees of entities with which Özak is in collaboration, Özak employees, employee candidates and third parties (website visitors, those who make use of Özak’s internet access etc.)
PROFESSIONAL AND EDUCATION DATA	Data about the individual’s employer, professional chamber data, registration number, diploma grade, diploma photocopy, etc.	Suppliers, business contacts, customers and/ or their related real persons, potential customers, officers and employees of entities with which Özak is in collaboration, Özak employees, employee candidates and third parties
TRAVEL DATA	Flight data, tour route, accommodation data, etc.	Officers and employees of entities with which Özak is in collaboration, Özak employees

 

1. Data Controller

Acting as a data controller, Özak may process, store, keep, edit or transfer your personal data in Turkey or abroad to the extent permitted by the PDPL and under our commercial or business relations and by seeking the express consent of the Relevant Person in case an express consent is required.

In line with Article 12 of the PDPL, Özak adopts such technical and administrative measures, and necessary audits are done by or on behalf of Özak, to assure the data protection and to prevent unlawful access to data and their unlawful process by it as the data controller.

DATA CONTROLLER’S ID DETAILS
Trade Name:	Özak Geçiş Teknolojileri Sanayi ve Ticaret Anonim Şirketi
Address:	Köseköy Çuhane Cad. No:130 Kartepe/Kocaeli
Central Registration No:	0662080445600012
Trade Registry Office:	2673-Kocaeli
Official Website:	https://ozak-t.com/
Electronic Mail Address:	ozak@ozak-t.com
Telephone Number:	+90 262 373 48 48

 

1. Application of the Policy and Relevant Legislation

Provisions of applicable legislation shall take precedence in the protection and process of personal data. Özak acknowledges that in case of a conflict with the legislation and the provisions hereof, the current legislation in force shall prevail.

The Policy comprises rules applicable to Ozak practices set under the applicable legislation; Özat undertakes necessary system operations and preparations in order to observe time limits set out in the PDPL.

1. Principles applicable to Personal Data Process

Özak processes personal data in line with such terms and conditions set out in the PDPL and other applicable Laws.

Pursuant to Article 4 of the PDPL, Özak, acting as the data controller, acts in line with the following principles for the process of personal data:

1. Processing in line with the Law and Rules of Integrity: Personal data are processed in line with the law and rules of integrity. In line with this principle, Özak, in its capacity as the data controller, complies and acts in line with the applicable law in the process of all personal data.
2. Current and True Personal Data: A data controller must configure necessary processes to assure that personal data processed by it shall be current and correct. In this respect, Özak provides the means for the update of relevant personal data and takes necessary measures to ensure that they are transferred to data bases in a correct manner.
3. Processing for Specific, Open and Legitimate Purposes: A data controller is under the obligation to inform data subjects about purposes underlying the process of their personal data in line with disclosure obligations as set out in the PDPL. In this line, Özak, in its capacity as the data controller, expressly discloses the data subjects about said purposes in line with the disclosure texts provided that data process operations shall be limited and for legitimate purposes.
4. Related to Purpose of Process, Limited and Proportionate Process: Özak processes personal data in a limited way and related to the purpose reported to the data subject at the time of access to such data and to the extent required for such purpose.
5. Storage for such period necessary for the Purpose of Process or as defined in the applicable law. Özak stores such personal data only for such duration defined in the applicable laws or necessary for the purpose of process. In this respect, Özak first determines if a period is set in the relevant legislation for the storage of personal data, and unless such a period is set, stores them for such time necessary for the purpose of process. In case such reasons that require process are no longer applicable or the term expires, personal data are erased, destroyed or anonymized by Özak.

Pursuant to Article 5 of the PDPL, personal data may not be processed without the express consent of the relevant person and pursuant to the second paragraph thereof, personal data may be processed without the need for the express consent of the relevant person. In situations below, Özak may carry out data process and transfer activities without seeking the express consent of the relevant person pursuant to second paragraph of Article 5 of the PDPL:

1. If explicitly prescribed in the laws;
2. In case it is necessary to protect the life or bodily integrity of a person who shall not be able to make known his consent due to actual impossibility or whose consent is not legally valid, or of a third party;
3. Provided to be directly related to the execution or performance of a contract, if processing the personal data of the contract parties is necessary;
4. If it is mandatory for data controller to perform its legal obligations;
5. If the data are publicized by the relevant person himself;
6. Where data processing is mandatory to vest in, use or protect a right;
7. Provided not to cause harm to fundamental rights and freedoms of relevant person, where data process is required for legitimate interests of the data controller.

 

1. Process of Special Personal Data

The PDPL places a special importance on the unlawful process of certain personal data as it may lead to a discrimination or grievance of the affected person. Such special data include biometric and genetic data of persons as well as their data about their race, ethnic origins, political beliefs, philosophical beliefs, religion, sects or other beliefs, clothing and attire, memberships to trade union, foundation or associations, sexual life, criminal conviction or security measures.

Özak’s approach to such data is very delicate as their unlawful process may result in the grief of the people and it may process this kind of data pursuant to the third paragraph of Article 6 of the PDPL without seeking the express consent of the relevant person (or where necessary, by asking his consent) provided that it shall take necessary measures as set out by the Committee.

In this respect, technical and administrative measures taken by Özak to protect personal data are diligently applied to special personal data and necessary audits are carried out in Özak.

1. Recording Media

Electronic Media

Non-electronic Media

Servers (Sphere of impact, backing up, e-mail, data base, data base, web, file sharing. etc.) Software (office software, portal, EBYS, VERBİS.) Information security devices (firewall, attack identification and interception, daily logs, anti-virus etc) Personal computers (desktop, notebook) Mobile devices (telephones, tablet PCs etc.) Optic discs (CD, DVD etc.) Removable memory devices (USB, Memory Card etc.) Printer, scanner, photocopy machine

Paper Manual data recording systems (survey forms, visitor access books) Printed, written and visual media

 

1. Methods for Collecting Personal Data and Legal Basis

Özak may collect or acquire such personal data provided by third parties to the Company; or may gather or capture a public data or via social media accounts or its website while a person is connected by using Özak’s Wi-Fi network.

Personal data held by Özak are processed pursuant to, and stored for such storage times set out, in the PDPL and Regulation on Erasure, Destruction or Anonymization of Personal Data (“Regulation”) as well as Turkish Code of Commerce no. 6102 and Code of Obligations no. 6096 and the Labour Code no 4857 and the Social Security and General Healthcare Insurance Law no. 5510 and the Law no. 5651 on the Arrangement of Online Broadcasts and Fight against Crimes committed through these Broadcasts, Tax Procedures Law no. 213 and the Regulation no. 4982 on Healthcare and Security Measures to be adopted in Offices, Buildings and their Outbuildings, the Right to Information Act no. 4982 and the secondary legislation adopted.

Personal data that Özak may require from relevant persons or relevant persons may directly give to Özak may be collected by means of automated and non-automated methods and resources and may store them for such legal time in order to perform legal requirements as well as obligations arising from the contract and to reach such other purposes and reasons detailed below.

1. Negotiations between all Özak service units and relevant persons;
2. Verbal, written or electronic applications to Özak;
3. Subsidiaries, affiliates, third party persons and agencies in close relation with Özak;
4. Meetings and congresses;
5. Public agencies
6. Online applications, SMS channels, social media platforms;
7. Other outsourcing companies;
8. Real and/ or legal persons with whom Özak executes deals under any legislation or contracts;
9. Public data.

 

1. Storage and Destruction of Personal data

Personal data of employees, employee candidates, visitors and such employees of third party service providers (suppliers, subcontractors etc and their representatives), customers and relevant agencies shall be stored and destroyed by Özak in line with the Law.

In this respect, detailed information about storage and destruction is given below in the following order:

 

1. Information about storage

Article 3 of the PDPL defines the concept of process of personal data while Article 4 prescribes that processed personal data should be stored for such necessary time related to the purpose of process or as set out in the relevant legislation provided that processing should be related to the purpose, limited and proportionate whereas Articles 5 and 6 lists conditions to process personal data.

Accordingly, personal data shall be stored for such duration as set out in the applicable legislation and/ or in line with our process purposes under Özak’s business operations.

The Company shall store personal data processed by it under its operations for the purposes below:

1. To run human resources processes;
2. To ensure corporate communication;
3. To ensure the Company’s security;
4. To do statistical studies;
5. To perform such works and transactions in line with executed business contracts and protocols etc.;
6. To ensure that legal obligations shall be performed as required or mandated by legal regulations;
7. To maintain contact with natural/ legal persons with whom Özak has business deals;
8. To make legal reporting; and
9. Burden of proof for use as evidence in any future legal dispute.

 

1. Information about destruction

Personal data shall be erased, destroyed and anonymized by Özak upon the request by the relevant person, or ex officio, in the following circumstances:

1. Where applicable legislation governing such process is amended or abolished;
2. Purpose to process or store data is no longer applicable;
3. Where personal data process is only subject to express consent, if the relevant person withdraws his consent;
4. If the Agency accepts the application by the relevant person pursuant to Article 11 of the PDPL with the demand for erasure or destruction of his personal data in line with its rights;
5. Where Özak refuses the application by the relevant person for the erasure, destruction or anonymization of personal data, or the answer given is found to be insufficient or no answer is given within such time periods set out in the PDPL or a complaint is filed with, and accepted by, the Agency;
6. Where maximum time period required for the storage of personal data is over and there is not any condition that would justify the storage of them for longer periods.

 

1. Measures on Protection of Personal Data

The Company shall adopt technical and administrative measures to store personal data safely, to prevent its unlawful process or unlawful access to it and to destroy it in line with the law.

1. About technical measures

Özak regularly audits such personal data processed by it by means of an internal technical system set up by it. Relevant departments address technical issues and expert staff member is deployed in these departments. Besides, technological developments are tracked and in particular, an eye is kept on technical developments in cyber-security areas, and systems are updated accordingly. Diligence is paid to access and authorization matters and authorities of existing personnel are reviewed and arranged and an access restriction is applied to former employees and their accounts are closed. Software with anti-virus systems and fire walls are used. Pursuant to the results of audit works, any detected weakness is corrected.

1. About administrative measures

Özak meets such requirements set out in the PDPL and the secondary legislation by means of all personal data documentation kept by it, including this policy and [personal data inventory]. In this respect, Özak creates corporate procedures and drafts, its contracts by applying data security provisions based on its capacity as the data controller and it gets confidentiality obligations and enhances its data security. Before it starts to process personal data, Özak performs its disclosure obligation towards relevant person. It applies internal audits regularly or randomly and proceeds with risk analyses. It creates an internal discipline for the protection of personal data and provides all employees with information security training for all management personnel with access to personal data and it organizes awareness events. Moreover, it has drafted a discipline procedure applicable to such staff members who fail to comply with security policies and procedures.

1. About measures applicable to special data

Özak pays a diligent approach to the protection of special personal data as described in the first paragraph of Article 6 of the PDPL. In this respect, Özak applies such technical and administrative measures adopted for the protection of personal data by taking into account minimum measures defined by the Committee in respect to special personal data.

1. Erasure, Destruction and Anonymization of Personal Data by Özak

Where, in line with Article 138 of Turkish Criminal Code and Article 7 of the PPL, in case reasons for processing personal data are no longer applicable although such process has been in compliance with applicable legislation such personal data shall be erased, destroyed or anonymized by Özak at its discretion or upon a request by the personal data owner in this respect.

Özak reserves its right to refuse the data subject’s request in case it is entitled and/ or obligated to store personal data pursuant to the applicable legislation.

When personal data are processed by a non-automated means which should be a part of data recording system, a system is applied where data are physically and irretrievably erased/ destroyed without any subsequent possible use. Whenever Özak reaches agreement with an individual or entity for the process of personal data for it, personal data shall be safely erased by such person or entity in an irretrievable way,

Özak may anonymize personal data when those reasons that require for the lawful process of personal data are no longer applicable,

Methods of anonymization that are most frequently used by Özak are as follows:

Removal of variables	:	To remove one or several direct identifiers within the personal data of the relevant person and that shall help identify him in any way; This method may be used for the anonymization of the personal data or in case there are data in the personal data that do not suit the purpose of process, such data may also be erased by this method.
Regional concealing	:	Within a data table where personal data are aggregately in anonymized form, any information that may help distinguish any data standing out as exception may be deleted.
Generalization	:	A process whereby personal data of many people are brought together and distinctive details are removed and data are turned into statistical data.
Data mixing and contamination	:	Direct or indirect identifier in personal data are mixed or contaminated with other values and they are cut off from the relevant person and they lose their “identifier” nature.

1. Storage and Destruction Times

The following table shows the time periods by which Özak is responsible to store personal data that it processes now or in future and time limits within which it shall destroy them.

DATA OWNER	DATA CATEGORY	DATA STORAGE TIME
Employee	Recruitment documents and personnel data underlying length of service and wage statements for Social Security Agency as well as other personnel data	During the term of employment contract and 10 (ten) years following its expiry
Employee	Data within the Workplace Personal Healthcare File	During the term of employment contract and 10 (ten) years following its expiry
Business Partner/ Solution Partner/ Consultant	ID data, contact data and financial data for the conduct of business relation between ÖZAK and Business Partner/ Solution Partner/ Consultant, and data of Business Partner/ Solution Partner/ Consultant’s employee	During the term of  business/ commercial relation with Business Partner/ Solution Partner/ Consultant, and for 10 years from its termination pursuant to Article 146 of Turkish Code of Obligations and Article 82 of Turkish Code of Commerce
Visitors	Visitor’s name, surname, Turkish ID no, license plate and camera records taken during the Visitor’s access to Özak’s physical premises	For two years
Personnel Candidate	CV of the candidate and data on his job application form	2 years from the application date
Trainee (Student)	Data in the trainee’s trainee file	During the term of trainee relation and for 10 (ten) years from the termination of that relation
Customer	Customer’s name, surname, Turkish ID no, contact details, bank details, e-mail, address, tax ID no, tax office, product/ service preferences, transaction history, special day data and similar details.	For 10 years from each purchase of a product/ a service by the Customer pursuant to Article 146 of Turkish Code of Obligations and Article 82 of Turkish Code of Commerce
Customer	Camera videos, license plate data	For two years
Where Subcontractors, Suppliers etc. with whom Özak collaborates are real persons, their personal data;  or in case they are legal persons, personal data of their representatives	ID data, contact data, financial data, telephone data and similar personal data for the conduct of business relation between Özak and Subcontractors, Suppliers etc. with whom Özak collaborates	For 10 years from the termination of the business/ commercial relation with Subcontractors, Suppliers etc. with whom Özak collaborates pursuant to Article 146 of Turkish Code of Obligations and Article 82 of Turkish Code of Commerce

Periodic Destruction Time is defined as 6 months pursuant to Article 11 of the Regulation. In this respect, Özak shall destroy personal data within 6 months following the expiry of the storage time set out in the Personal Data Inventory,

1. People involved in Personal Data Storage and Destruction Processes and Their Duties

Özak personnel involved in the personal data storage and destruction processes and their duties are given below.

Title		Duty Description
Personal Data Manager: Serap DÖNMEZ General Manager Assistant for Administrative and Financial Affairs.	:	To direct any planning, analysis, research, risk identification works in projects during the harmonization with the Law, to manage processes that should be undertaken pursuant to the Law, the Policy for the Protection and Process of Personal Data and Destruction Policy  and to decide on requests from relevant persons
Personal Data Officer: Mine ÖZÇELİK DENİZ Human Resources Manager	:	To report requests from relevant persons to Personal Data Committee Manager for review and evaluation, to perform requests from such persons evaluated and decided by the Personal Data Committee Manager pursuant to such decision, to audit storage and destruction processes, to report these audits to the Personal Data Committee Manager and to conduct storage and destruction processes.

 

1. Personal Data Transfer
2. Personal Data Transfer in Turkey

Özak is under the responsibility to act in line with such decisions and applicable regulations adopted by the Committee and set out in the PDPL as applicable to the personal data transfer.

Personal data and special personal data of an individual may not be transferred by Özak to other real or legal persons without the express consent of the relevant person., provided that in case this transfer is strictly required by the PDPL and other Laws and there are circumstances listed in 2^nd Paragraph of Article 5 of the PDPL and 3^rd Paragraph of Article 6 thereof exist, such transfer may be made to authorized administrative or judicial authority subject to such limits and in such manner set out in the applicable legislation without such express consent.

Moreover, provided to comply with the PDPL and other applicable legislation, the Company may adopt such security measures listed in the regulations and unless otherwise is stated in the laws and applicable regulations, or where there is a contract made with the Data Controller, in that contract, the Company may transfer personal data to third parties and Group Companies in Turkey upon the consent by the relevant person.

1. Personal Data Transfer to abroad

Özak may transfer personal data to third parties in Turkey and it may transfer them to abroad upon process in Turkey or upon process and storage outside Turkey as described above, including outsourcing, in compliance with the PDPL and other applicable legislation, the Company may adopt such security measures listed in the regulations unless otherwise is stated in the laws and applicable regulations, or where there is a contract made with the Data Controller, in that contract.

Personal data may be transferred to a country under the PDPL only if there is an adequate protection there pursuant to the decision of Personal Data Protection Committee. In cases where there is not adequate protection, the transfer may take place on the condition data our Company shall commit to provide adequate protection in writing together with the Data Controller in the relevant foreign country and it shall obtain the permission of the Committee in this respect.

1. Individuals and entities receiving data

Data required by public entities under their applicable legislation shall be shared pursuant to Article 8 of the PDPL.

1. Data Security

Özak ensures that pursuant to Article 12 of the PDPL, suitable technological and organizational controls are in place to prevent the loss, misuse, inadvertent destruction of or any modification in personal data.

Özak personnel with access to personal data shall attend such training courses necessary to protect the confidentiality of such data. The employee with permission of access to such personal data is permitted only on a need-to-know basis to perform their tasks properly. People with access to personal data are also subject to strict professional confidentiality obligations.

In order to be effective against the most recent threats, our security defence measures are regularly monitored and tested.

1. Rights of Relevant Person

An individual whose personal data is processed by Özak may apply Özak at ozak@ozak-t.com to use his rights below:

1. To inquire whether his/her personal data are processed or not;
2. Where his/her personal data are processed, to ask for information in this respect;
3. To inquire the purpose of personal data process and if they are used in line with this purpose;
4. To know about third parties in Turkey or abroad to whom his personal data are transferred;
5. In case personal data are incompletely processed or misprocessed, to ask for their correction;
6. In case reasons for the process of his personal data are no longer applicable although they have been processed in line with Article 7 of the PDPL, to ask for the erasure or destruction of personal data;
7. In cases where personal data are corrected, erased, destroyed or anonymized, to ask that such activities should be notified to third parties to whom personal data are transferred;
8. To object to a consequence due to a situation that arises to his disadvantage in case his personal data are analysed and processed by exclusively automated systems;
9. To demand for the compensation of his losses in case he sustains a loss on account of unlawful process of his personal data.

 

Pursuant to Article 28 of the Personal Data Protection Law no. 6698 titled “Exceptions”, the provisions of this Law shall not be applicable in case of circumstances below, and therefore, relevant persons may not assert their rights based on them:

1. Provided not to disclose personal data to third parties and to comply with data security obligations, where such data are processed by individuals  in relation to such activities that are purely related to him or his family members living in the same house;
2. Where personal data are processed for research, planning and statistical studies provided that they are anonymized by way of official statistics;
3. Provided not to violate or abuse national defence, national security, public security, public order, economic security, confidentiality of personal life or personal rights, where personal data are processed for the purposes of art, history, literature or scientific purposes or under the freedom of speech;
4. Where personal data are processed for preventive, protective and intelligence purposes conducted by such authorized public entities and agencies to perform their tasks assigned by the law to secure national defence, national security, public security, public order and economic security;
5. Where personal data are processed by judicial authorities or law enforcement bodies in connection with investigations, prosecution, trial or execution purposes.

 

Similarly, pursuant to second paragraph of Article 28 of the PDPL, a relevant person may not assert his rights listed in Article 11 thereof in circumstances below except for the right to seek a compensation of his damages:

1. Where personal data are required to prevent or investigate a criminal act;
2. Where personal data publicized by the data subject himself/herself are processed by him/her;
3. Where process is required for a disciplinary action or investigation or the conduct of audit or regulation task and such process is asked by public bodies, institutions or other public professional chambers in charge based on  the authorities granted under the laws;
4. Where personal data are processed to safeguard the State’s economic and financial interests in relation to budget, tax and financial matters.

Pursuant to the PDPL or other secondary legislation, a personal data owner may send all his/her requests in relation to his/her above-listed rights to the address of ozak@ozak-t.com under the heading “Personal Data Application Letter”. During this application, personal data owners may use their e-mail addresses registered with Özak systems and previously notified by them, or by affixing an electronic or mobile signature defined pursuant to Electronic Signature Law no. 5070.

Trade Name	Central Registration System No.	Mail address
Özak Geçiş Teknolojileri Sanayi ve Ticaret Anonim Şirketi	0662080445600012	ozak@ozak-t.com

A personal data owner may send their wet-signed application letters to the address of Köseköy Çuhane Cad. No:130 Kartepe/Kocaeli or to ozak@ozak-t.com  under an electronic signature.

Where third parties shall make an application for personal data owner, the data owner shall submit a notarized special power of attorney in the name of the applicant.

1. AMENDMENTS, UPDATES AND REVOCATION

Our Company reserves its right to amend this Personal Data Protection and Process Policy.

In the event that such Policy is amended, without limitation, due to, for instance, legal requirements that are recently adopted, the most current version of the relevant text shall be posted at our website.