PERSONAL DATA PROCESSING INVENTORY AND PERSONAL DATA PROTECTION POLICY
INTRODUCTION
Kadıköy Terminal Real Estate Services Trade Joint Stock Company (“Company”) is headquartered at Kazım Özalp Neighborhood, Koza Street No: 22, Çankaya, Ankara.
Within the scope of the Law No. 6698 on the Protection of Personal Data (“KVKK Law” or “Law”), the Company acts as the data controller.
Personal data subjects are real persons whose personal data is collected, processed, and transferred by the Company in accordance with the purposes stated below and pursuant to the KVKK Law and other applicable legislation. The Company attaches utmost importance to the security of personal data. With this awareness, personal data is processed and stored in compliance with the Law and secondary legislation.
A. PURPOSE AND SCOPE OF THE POLICY
This Policy aims to ensure the effective implementation of regulations introduced for compliance with the KVKK Law within the Company by shareholders, authorized persons, employees, subsidiaries, affiliates, and business partners.
In line with the fundamental principles set forth in this Policy, the Company aims to take all necessary administrative and technical measures for the processing and protection of personal data, establish internal procedures and regulations, increase awareness through trainings, and implement effective audit mechanisms.
This Policy regulates the fundamental principles to be observed in these processes, the Company’s obligations under the KVKK Law, and compliance activities to be carried out for the protection of personal data.
All employees are obliged to act in compliance with this Policy and the KVKK Law while performing their duties. In case of non-compliance, administrative, legal, and disciplinary sanctions may be applied, including termination of employment for just cause.
B. DEFINITIONS AND ABBREVIATIONS
Explicit Consent: Consent given freely, based on information, and related to a specific matter
Relevant User: Persons processing personal data within the organization, excluding those responsible for technical storage
Destruction: Deletion, destruction, or anonymization of personal data
Law / KVKK: Law No. 6698 on the Protection of Personal Data
Recording Medium: Any environment where personal data is stored
Personal Data: Any information relating to an identified or identifiable natural person
Processing of Personal Data: Any operation performed on personal data
Anonymization: Rendering personal data unidentifiable
Deletion: Making data inaccessible
Destruction: Making data irreversibly inaccessible
Board: Personal Data Protection Board
Special Categories of Personal Data: Data relating to health, criminal records, biometric data, etc.
Periodic Destruction: Recurrent destruction processes
Data Subject: Natural person whose data is processed
Data Controller: Person determining purposes and means of processing
Regulation: Regulation on the Data Controllers Registry
The Company acts as the Data Controller. Department managers are responsible for monitoring compliance and reporting to the Board of Directors.
C. GENERAL PRINCIPLES OF PROCESSING PERSONAL DATA
Personal data is processed in accordance with the following principles:
Lawfulness and fairness
Accuracy and up-to-dateness
Processing for specific, explicit, and legitimate purposes
Being relevant, limited, and proportionate
Retention for the period required by legislation or processing purposes
D. CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data is processed with explicit consent unless one of the exceptions under the Law applies, including:
Explicit legal provision
Protection of life or physical integrity
Necessity for contract performance
Legal obligation
Public disclosure by the data subject
Establishment, exercise, or protection of a right
Legitimate interest without harming fundamental rights
Special categories of personal data are processed with explicit consent unless otherwise permitted by law, subject to adequate safeguards.
E. METHODS OF COLLECTION AND PROCESSING
Personal data is processed based on the Personal Data Processing Inventory and may be collected verbally, in writing, physically, or electronically through applications, CVs, interviews, HR platforms, contracts, correspondence, security systems, websites, Wi-Fi systems, and similar channels.
Data Subject Groups include job applicants, employees, interns, customers, suppliers, consultants, visitors, shareholders, company executives, and group company employees.
Personal data categories include identity, contact, employment, professional experience, finance, legal transaction, transaction security, visual/audio records, physical space security, health data, and criminal records.
F. TRANSFER OF PERSONAL DATA
Personal data may be transferred in accordance with Articles 8 and 9 of the Law to authorized public institutions, shareholders, business partners, group companies, suppliers, and service providers, limited to processing purposes.
G. TRANSFER ABROAD
Personal data may be transferred abroad only if legal conditions are met and adequacy decisions exist. Special categories of personal data are not transferred abroad.
H. RETENTION OF PERSONAL DATA
Personal data is stored securely in physical or electronic environments for the required period. Upon expiration of the retention period or cessation of processing purposes, data is deleted, destroyed, or anonymized. Data may be retained for statute of limitations periods where legitimate interest exists.
I. MEASURES FOR THE PROTECTION OF PERSONAL DATA
The Company implements administrative and technical measures including network security, access control, encryption, logging, training, audits, firewalls, antivirus systems, confidentiality agreements, backup systems, penetration testing, and physical security measures.
J. OBLIGATION TO INFORM
The Company fulfills its obligation to inform data subjects in accordance with Article 10 of the Law and provides guidance on exercising their rights. Information notices and explicit consent statements are prepared where required.
K. RESPONDING TO APPLICATIONS
Requests are finalized within thirty days free of charge unless a fee is determined by the Board. The Company may request additional information to verify identity and clarify requests.
L. REVISION AND REPEAL
In case of revision or repeal, the updated Policy shall be announced through appropriate channels.
M. EFFECTIVE DATE
This Policy enters into force on the date of publication.
N. ENFORCEMENT
The Board of Directors and department managers are responsible for the enforcement of this Policy.
