Bilkom IT Services Joint Stock Company
Personal Data Protection and Processing Policy

SECTION 1 – INTRODUCTION

    1. INTRODUCTION

      Protection of personal data is among the most important priorities of Bilkom Bilişim Hizmetleri Anonim Şirketi (“Bilkom” or “Company”). The principles adopted in the conduct of personal data processing activities carried out by our Company as part of this Bilkom Bilişim Hizmetleri Anonim Şirketi Personal Data Protection and Processing Policy (“Policy”) and the basic principles adopted to ensure the compliance of our Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law”) are set forth in this Policy and our Company ensures the required transparency by informing the owners of personal data.

      Your personal data is processed and protected within the scope of this Policy with full awareness of our responsibility in this regard.

      The activities carried out by our Company regarding the protection of personal data of our employees are managed under the Bilkom Bilişim Hizmetleri Anonim Şirketi Employees Personal Data Protection and Processing Policy, which sets out guidelines parallel to the principles in this Policy.

    2. SCOPE
      This Policy relates to all personal data of persons other than our Company’s employees that is processed automatically or manually, provided that it is part of any data recording system. Detailed information about the personal data owners in question can be viewed in ANNEX 2 (“Annex 2- Personal Data Owners”) to this Policy.
    3. IMPLEMENTATION OF THE POLICY AND APPLICABLE LEGISLATION
      Applicable legal regulations in force on the processing and protection of personal data will be upheld at all times. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will be complied with. The Policy regulates the rules set forth by the applicable legislation by embodying them in the Company’s practices.
    4. ENFORCEMENT OF THE POLICY

      This Policy, issued by our company, is dated 01.Nov.2019. The previous versions issued by the Company have been superseded as of the effective date of this Policy. In case all or certain articles of the Policy are amended, the effective date of the Policy will be updated. The policy is published on our Company’s website (www.bilkom.com.tr/) and made available to the respective persons upon the request of personal data owners.

SECTION 2 – ISSUES RELATING TO THE PROTECTION OF PERSONAL DATA

    1. ENSURING THE SECURITY OF PERSONAL DATA
      In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access or transfer of personal data, or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures to ensure the required level of security in accordance with the guidelines published by the Personal Data Protection Board (“Board”), and carries out inspections or has such inspections conducted.
    2. PROTECTION OF PRIVATE PERSONAL DATA
      Special importance is attached to sensitive personal data under the Law due to the risk of causing victimization or discrimination when processed unlawfully. Such “special” personal data includes data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The technical and administrative measures taken by our Company for the protection of personal data are carefully implemented for sensitive personal data, and the necessary audits are carried out within our Company as detailed in Section 3.3 of this Policy.
    3. RAISING AWARENESS OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND AUDITS

      Our company provides necessary trainings to business units in order to prevent illegal processing of personal data, illegal access to data, and to raise awareness about data protection. Our company establishes necessary systems to raise awareness of current employees and newly recruited employees on the protection of personal data, and works with consultants, as needed. In line with this, our Company evaluates the participation in the applicable trainings, seminars and information sessions, and organizes new trainings in parallel with the changes in the applicable legislation.

SECTION 3 – ISSUES RELATING TO THE PROCESSING OF PERSONAL DATA

    1. PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE GUIDELINES SET FORTH IN THE LEGISLATION
      1. Processing In Accordance With The Law and Integrity
        Personal data is processed in accordance with the general rule of trust and honesty, without compromising the fundamental rights and freedoms of individuals. In this sense, personal data is processed to the extent required by, and limited to, the business activities of our Company.
      2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

        Our Company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing, and establishes the necessary mechanisms to keep personal data accurate and up-to-date at certain periods.
      3. Processing for Specific, Clear, and Legitimate Purposes
        Our company clearly reveals the purposes of processing personal data and processes it within the scope of purposes related to these activities, in line with its business activities.
      4. Relating to the Purpose for which they are Processed, Limited and Proportionate Processing
        Our company collects personal data only in the quality and extent required by business activities and processes the data limited to the specified purposes.
      5. Retention for as Long as Required for the Purpose of Processing or as Stipulated in the Applicable Legislation
        Our company keeps personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. In this sense, our Company first determines whether a period is stipulated for maintaining personal data in the applicable legislation, and if a period is determined, the Company acts in accordance with this requirement. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is disposed of in accordance with the periodic destruction periods or by the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).
    2. CONDITIONS FOR PROCESSING PERSONAL DATA
      Except for the express consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions stated below, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is sensitive personal data, the conditions under heading 3.3 of this Policy (“Processing of Sensitive Personal Data”) will be applied.
      1. Explicit Consent of the Personal Data Owner
        One of the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner must be given on a specific subject, on an informed basis and of free will. In the presence of the personal data processing conditions listed below, personal data can be processed without the need for the explicit consent of the data owner.
      2. Explicitly Provided in Laws
        If the processing of the personal data of the data owner is expressly stipulated in the law, in other words, if there is a clear provision in the applicable law regarding the processing of personal data, this data processing condition will be deemed to have been fulfilled.
      3. Failure to Obtain the Explicit Consent of the Respective Person Due to Actual Impossibility
        The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, in order to protect the life or physical integrity of the respective person or another person.
      4. Direct Concern with the Establishment or Performance of the Contract
        Provided that it is directly related to the conclusion or performance of a contract to which the data owner is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
      5. Fulfilling the Legal Obligations of the Company
        The personal data of the data owner may be processed if the processing is necessary for our company to fulfill its legal obligations.
      6. Publicizing the Personal Data of the Personal Data Owner
        If the data owner has made his personal data public, the applicable personal data may be processed for the purpose of making it public.
      7. Requirement of Data Processing for the Establishment or Protection of a Right
        If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
      8. Obligatory Data Processing for the Legitimate Interest of Our Company
        Provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.
    3. PROCESSING OF SENSITIVE PERSONAL DATA
      Sensitive personal data is processed by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, in the presence of the following conditions:
      1. Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, if there is a clear provision in the applicable law regarding the processing of such personal data. Otherwise, the explicit consent of the data owner will be obtained.
      2. Special categories of personal data regarding health and sexual life may be processed without consent by persons or authorized agencies and organizations under the requirement of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing. Otherwise, the explicit consent of the data owner will be obtained.
    4. DISCLOSURE TO THE PERSONAL DATA OWNER
      In accordance with Article 10 of the Law and the additional legislation, our Company informs personal data owners about who processes their personal data as the data controller, for what purposes it is processed, with whom and for what purposes it is shared, by what methods it is collected, the legal reason, and the rights of the data owners as part of the processing of their personal data.
    5. TRANSFER OF PERSONAL DATA
      Our Company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes as stipulated by the law. Accordingly, our Company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in ANNEX 4 of this Policy (“ANNEX 4- Third Parties to which Personal Data Transferred by Our Company and Purposes of Transfer”).
      1. Transfer of Personal Data
        Even without the explicit consent of the personal data owner, in case one or more of the conditions stated below are present, personal data may be transferred to third parties with due diligence by our Company, by taking all necessary security measures, including the methods prescribed by the Board.
        • The activities regarding the transfer of personal data are clearly stipulated in the laws,
        • The transfer of personal data by the Company is directly related to and necessary for the execution or performance of a contract,
        • The transfer of personal data is mandatory for our Company to fulfill its legal obligations,
        • Transfer of personal data by our Company in a limited manner for the purpose of making it public, provided that the personal data has already been made public by the data owner,
        • The transfer of personal data by the Company is mandatory for the execution, exercise or protection of the rights of the Company or the data owner or third parties,
        • It is obligatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
        • Being obligatory for the protection of life or bodily integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not legally recognized.

        In addition to the above, personal data can be transferred to foreign countries that are declared to have sufficient protection by the Board (“Foreign Country Ensuring Sufficient Protection”) in the presence of any of the above conditions. In the absence of sufficient protection, it can be transferred to foreign countries where the data controllers in Turkey and the applicable foreign country undertake adequate protection in writing, in line with the data transfer conditions stipulated in the legislation, and where the Board’s permission is obtained (“Foreign Country Where the Data Controller Warrants Sufficient Protection”).
      2. Transfer of Private Personal Data
        Sensitive personal data may be transferred by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
        1. Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, if there is a clear provision in the applicable law regarding the processing of personal data. Otherwise, the explicit consent of the data owner will be obtained.
        2. Special categories of personal data regarding health and sexual life may be processed without consent by persons or authorized agencies and organizations under the requirement of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing. Otherwise, the explicit consent of the data owner will be obtained.

        In addition to the above, personal data may be transferred to a Foreign Country with Sufficient Protection in case of any of the above conditions. In the absence of sufficient protection, it can be transferred to Foreign Countries where the Data Controller Warrants Adequate Protection, in line with the data transfer conditions stipulated in the legislation.

SECTION 4 – CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSE OF PROCESSING

At our Company, personal data is processed by informing the respective persons in accordance with Article 10 of the Law and the additional legislation, in line with the personal data processing purposes of our Company, limited to and based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, and in accordance with the general principles set forth in the Law for processing personal data, primarily the principles set forth in Article 4 of the Law.
Personal data categories processed for the purposes and conditions specified in this Policy and detailed information about the categories can be accessed from ANNEX 3 of the Policy (“ANNEX 3- Personal Data Categories”). 1 (“Annex 1- Personal Data Processing Purposes”).

SECTION 5 – STORAGE AND DISPOSAL OF PERSONAL DATA

    Our company keeps personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the applicable legislation. In this sense, our Company first determines whether a period is stipulated for maintaining personal data in the applicable legislation, and if a period is determined, the Company acts in accordance with this requirement. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is disposed of in accordance with the periodic destruction periods or by the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).

SECTION 6 – RIGHTS OF PERSONAL DATA OWNERS AND THE EXERCISE OF THESE RIGHTS

    1. RIGHTS OF PERSONAL DATA OWNER
      Personal data owners have the following rights:
      1. Requiring information as to whether personal data is processed or not,
      2. Requiring information about the processing, if personal data has been processed,
      3. Requiring information on the purpose of processing personal data and whether they are used in accordance with its purpose,
      4. Requiring information on the third parties to whom personal data is transferred at home or abroad,
      5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
      6. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the provisions of the law and other applicable laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
      7. Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
      8. Requesting compensation for the damage in case of loss due to unlawful processing of personal data.
    2. EXERCISE OF THE RIGHTS OF PERSONAL DATA OWNER
      Personal data owners may submit their requests regarding their rights listed in section 6.1 (“Personal Data Owner’s Rights”) to our Company using the methods determined by the Board. Accordingly, they will be able to benefit from the “Data Owner Application Form”, which can be accessed at http://www.bilkom.com.tr/kisisel-verilerin-korunmasi/.
    3. OUR COMPANY’S RESPONSE TO APPLICATIONS
      Our Company takes the necessary administrative and technical measures to finalize the applications to be made by the personal data owner in accordance with the Law and additional legislation. In the event of a request, our Company will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

ANNEX 1 – Purposes of Personal Data Processing
MAIN OBJECTIVES (PRIMARY)
SUB-OBJECTIVES (SECONDARY)
Enabling the necessary works to be carried out by our respective business units and the related business processes to be conducted in order to carry out the commercial activities of the company.
Planning and execution of logistics activities
Planning and execution of supply chain management processes
Planning and execution of production and operation processes
Planning and execution of corporate governance activities
Planning, auditing and execution of information security processes
Planning and execution of business activities
Event management
Planning and execution of corporate communication activities
Creation and management of information technology infrastructure
Planning and execution of the company’s commercial and business strategies
Management of relations with business partners and suppliers
Planning and execution of the Company’s human resources policies and processes
Planning of human resources processes
Execution of recruitment processes
Planning and execution of intern and student recruitment, placement and operation processes
Ensuring the legal, technical and commercial-occupational safety of the Company and the persons who have a business relationship with the Company
Planning and execution of necessary operational activities to ensure that company activities are carried out in accordance with company procedures and applicable legislation
Planning and execution of the company’s financial risk processes
Planning and execution of company audit activities
Giving information to authorized agencies for legal requirements
Creating and tracking visitor records
Planning and executing the activities required to recommend and promote the products and services offered by the company to the applicable persons by customizing them according to the preferences, usage habits and needs of the persons concerned.
Planning and execution of the processes of creating and increasing loyalty to the products and services offered by the company
Planning and execution of marketing processes of products and services
Planning and execution of customer satisfaction activities
Carrying out the necessary work by our business units and executing the applicable business processes in order to benefit the applicable people from the products and services offered by the company.
Planning and execution of sales processes of products and services
Follow-up of contract processes and legal requests
ANNEX 2 – Owners of Personal Data
CATEGORIES OF PERSONAL DATA OWNERS: DESCRIPTION

• Customer: Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.
• Visitors: Real persons who have entered the physical campuses owned by our Company or visited our websites for various purposes.
• Other Users: All real persons who have entered the physical premises of our Company for various purposes or who visit/use our websites and who are not in the definition of customer/visitor defined above.
• Participant: Natural persons participating in activities organized by our Company, such as meetings, events, etc.
• Employee Candidate: Natural persons (including trainee candidates) who have applied for a job in our Company by any means or have submitted their resume and related information for our Company’s review.
• Company Executive: Members of our Company’s board of directors and other authorized natural persons.
• Employees, shareholders and officials of organizations with which our Company has business relations: Natural persons, including the employees, shareholders and officials of organizations with which our Company has any sort of business relations (including but not limited to business partners, dealers, suppliers, etc.).

ANNEX 3 – Categories of Personal Data
PERSONAL DATA CATEGORIES: DESCRIPTION

• Personal Particulars: Data containing information about the identity of the person: information such as name-surname, Republic of Turkey citizen ID, nationality, place of birth, date of birth, gender, workplace information, registration number, tax number, title, biography, etc., and documents such as driver’s license, professional identity, identity card and passport.
• Contact Information: Phone number, address, e-mail, fax number.
• Physical Space Security Information: Personal data regarding the records and documents taken at the entrance to the physical space on the campus of our Company and during the stay in the physical space; camera recordings, recordings taken at the security point, etc.
• Transaction Security Information: Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities (for example, log records).
• Financial Information: Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship our Company has established with the personal data owner, and data such as bank account number, IBAN number, debt/credit information, income information.
• Employee Candidate Information: All kinds of personal data processed to obtain information that will be the basis for the evaluation of the individuals who have applied to be an employee of our Company or who have been evaluated as an employee candidate in line with the human resources needs of our Company in accordance with the commercial practices and honesty rules (military status information, educational status information, marital status information, reference information).
• Sensitive Personal Data: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
• Audio Visual Data: Photographs, video and audio recordings.
• Audit and Inspection Information: Personal data processed during internal or external audit activities within the scope of our Company’s compliance with its legal obligations and company policies.
• Legal Action and Compliance Information: Personal data processed within the scope of determination and follow-up of our legal receivables and rights, performance of our debts and compliance with our legal obligations and our Company’s policies.
• Transaction Information: Data such as survey information, cookie records, entry-exit records, personality inventory, travel information that our Company has obtained as part of the business activities.

ANNEX 4 – Third Parties to which Personal Data is Transferred by Our Company and Purposes of Such Transfers

Our company may transfer the personal data of customers to the following categories of parties in accordance with Articles 8 and 9 of the Law:

• Business/Solution Partners
• Suppliers
• Legally Authorized Public Agencies and Organizations
• Legally Authorized Private Law Persons
• Koç Holding A.Ş.
• Koç Group Companies

The scope of the above-mentioned parties to whom the transfer is made and the data transfer purposes are detailed below.

Parties To Which Data Can Be Transferred, with Definition and Purpose of Data Transfer

Business / Solution Partner
  Definition:
  • Banks, telecommunication companies, organizations that provide services in recruitment processes for purposes such as receiving services within the scope of the execution of business activities,
  • Dealers with business partnerships within the scope of the Company’s commercial activities, limited to ensuring that the purposes of establishment of the business partnership are fulfilled.
  Purpose of Data Transfer: Limited to the extent necessary to fulfill the requirements of execution of the business partnership.

Supplier
  Definition: The parties that provide services to our Company in line with the data processing purposes and instructions of our Company as part of the execution of the commercial activities of the Supplier to our Company.
  Purpose of Data Transfer: Limited to ensuring the provision of services that are outsourced by our Company from the supplier and necessary to carry out the commercial activities of our Company.

Legally Authorized Public Agencies and Organizations
  Definition: Public agencies and organizations authorized to receive information and documents from our Company in accordance with the provisions of the applicable legislation (e.g., ministries, tax offices, the Trade Registry, etc.).
  Purpose of Data Transfer: Limited to the requested purpose and legal authority of the respective public agencies and organizations.

Legally Authorized Private Legal Persons
  Definition: Institutions or organizations established in accordance with certain conditions determined by law pursuant to the provisions of the applicable legislation and conducting their activities within the framework determined by the law (for example, independent auditors, notaries).
  Purpose of Data Transfer: Personal data is shared limited to the subjects within the scope of the activities carried out by the applicable private institutions and organizations.

Koç Holding A.Ş.
  Definition: Koç Holding A.Ş.
  Purpose of Data Transfer: Limited to ensuring the execution of corporate communication, strategic planning, human resources, commercial and audit activities that require the involvement of Koç Group Companies.

Koç Group Companies
  Definition: (You can access Koç Group Companies from the list at www.koc.com.tr)
  Purpose of Data Transfer: Limited to evaluation purposes at other Koç Group Companies during recruitment processes, provided the data owner’s explicit consent is obtained.