IFAS ISTANBUL INC.
POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA
- Introduction
IFAS ISTANBUL INC. (IFAS or Company) strives to achieve full compliance with the “Law on the
Protection of Personal Data” (KVKK or Law), which came into force with all its provisions as of
October 7, 2016, as published in the Official Gazette on April 7, 2016. In this context, IFAS prioritizes
the lawful processing and protection of personal data and has prepared the “Policy on Processing
and Protection of Personal Data” (Policy) to transparently inform you about its activities related to
the processing and protection of personal data. - Purpose and Scope of the Policy
This Policy is prepared to inform the individuals whose personal data is processed by IFAS, listed in
Annex-1, about the processing and protection of personal data. It includes information on what
personal data is processed by IFAS, the purposes of processing, to whom and for what purposes this
data may be transferred, the administrative and technical measures taken for the protection of
personal data, the rights of individuals over their personal data, and the application methods for
these rights. For the processing and protection of personal data of IFAS employees, interns, and
shareholders/partners, specific information is provided in the “Policy on Processing and Protection of
Employee Personal Data.” - Definitions
The definitions in this Policy are as follows:
- Explicit Consent: Consent based on information about a specific subject, expressed freely and with
free will. - Recipient Group: The category of real or legal persons to whom personal data is transferred by the
data controller. - Anonymization: Making personal data unidentifiable or non-associable with a specific individual in
any way, even when matched with other data. - Data Subject: The real person whose personal data is processed.
- Personal Data: Any information about an identified or identifiable real person.
- Special Categories of Personal Data: Data related to individuals’ race, ethnic origin, political
opinions, philosophical beliefs, religion, sect, or other beliefs, clothing and attire, membership in
associations, foundations or unions, health, sexual life, criminal convictions, and security measures,
as well as biometric and genetic data. - Processing of Personal Data: Any operation performed on personal data, whether fully or partially
automatic or not, including obtaining, recording, storing, preserving, altering, rearranging, disclosing,
transferring, taking over, making obtainable, classifying, or using the data. - Board: Personal Data Protection Board.
- Institution: Personal Data Protection Authority.
- Data Recording System: The system in which personal data is processed according to specific
criteria. - Data Controller: Real or legal person determining the purposes and means of processing personal
data.
For definitions not included in this Policy, the definitions in the Law and secondary regulations are
applicable.
- General Principles for Processing Personal Data
The general principles to be followed in the processing of personal data are regulated in Article 4 of
the Law. IFAS primarily adheres to these general principles in its personal data processing activities.
- Compliance with the law and fairness: IFAS acts in accordance with the current legislation and
ethical standards in all personal data processing processes. - Accuracy and necessity: IFAS takes necessary measures to ensure that your personal data is
accurate and up-to-date. - Specific, explicit, and legitimate purposes: IFAS limits personal data processing activities to specific
and legitimate purposes, informing you clearly through disclosure texts. - Connection with the purpose of processing, limited, and proportionate: IFAS processes personal
data in connection with and limited to the purposes notified to you, in a proportionate manner. - Retention for the period prescribed by relevant legislation or for the purpose of processing: IFAS
retains your personal data for the period specified by the current legislation or, if no specific period is
prescribed, for reasonable periods determined considering the purpose of data processing and
company procedures. After the expiration of these periods, the data is deleted, destroyed, or
anonymized in accordance with the “IFAS ISTANBUL INC. Personal Data Storage and Destruction
Policy.”
- Conditions for Processing Personal Data
The conditions for processing personal data are regulated in Article 5 of the Law, and the conditions
for processing special categories of personal data are regulated in Article 6. The Law allows the
processing of personal data without the explicit consent of the data subject in certain cases specified
in these articles. The conditions for processing personal data may vary depending on whether the
personal data is special categories of personal data and whether it relates to health and sexual life. - Conditions for Transferring Personal Data to Domestic and Foreign Countries
Article 8 of the Law regulates the transfer of personal data to third parties in Turkey, and Article 9
regulates the transfer of personal data to third parties abroad.
- According to Article 8 of the Law, personal data may be transferred to third parties in Turkey
without your explicit consent, provided that one of the conditions specified in Article 5/2 or Article
6/3 of the Law is met, taking into account other provisions in other laws. - According to Article 9 of the Law, personal data may be transferred to third parties abroad without
your explicit consent, provided that one of the conditions specified in Article 5/2 or Article 6/3 of the
Law is met, and if there is adequate protection in the country where the personal data will be
transferred, or if there is no adequate protection, the data controllers in Turkey and the relevant
foreign country undertake adequate protection in writing, and the permission of the Board is
obtained.
- Methods of Collection and Your Collected Personal Data
Your personal data is collected by IFAS through various methods, including verbal communication
during meetings, in-person or via email or social media, or through information/documents you
provide/share electronically. The data may also be obtained from your employer, our suppliers,
customers, public areas, press organizations of your employer, and our network provider, as well as
from your family members/close associates who are employees of IFAS. The data is collected through
various automatic and non-automatic means, such as electronic registration screens for internet
access, wireless internet channels, and image recording devices. The collected personal data varies
depending on the product or service requested, the activities to be carried out by IFAS, and legal
obligations. - Purposes of Processing Your Personal Data
Your personal data obtained by IFAS is processed in accordance with the general principles specified
in Articles 5 and 6 of the Law. The specific purposes for processing your personal data are listed in
Annex-3. - Transfer of Your Personal Data
IFAS shares your personal data with third parties in compliance with the conditions specified in the
Law, without obtaining your explicit consent, and within the framework of other laws, if applicable.
The recipients of your personal data and the conditions for processing are listed in Annex-4.
In cases where your personal data is shared, IFAS ensures that the party receiving the data complies
with the rules in this Policy and the provisions in the legislation. - Storage of Your Personal Data
Although your personal data has been processed in accordance with the Law and other legal
regulations, if the reasons requiring processing cease to exist, your personal data will be deleted,
destroyed, or anonymized by the decision of our Company or upon your request. When determining
the storage periods of your personal data, our Company takes into account the current legislation
and the processing purposes of your personal data. If there are statutory limitation periods related to
personal data processing, the storage periods may be extended until these periods expire. - Measures Taken for the Protection of Your Personal Data
IFAS takes all necessary technical and administrative measures to ensure the security of your
personal data and prevent unauthorized access, unauthorized disclosure, alteration, or destruction.
In this context, within the framework of the Law and secondary regulations, measures such as
pseudonymization, anonymization, ensuring physical security, access authorization, information
classification, employee training, and audits are taken. - Your Rights as a Data Subject
As a data subject, you have the following rights:
- Learning whether your personal data is processed,
- If your personal data has been processed, requesting information about it,
- Learning the purpose of processing personal data and whether they are used in accordance with
this purpose, - Knowing the third parties in the country or abroad to whom your personal data is transferred,
- If your personal data is incomplete or incorrectly processed, requesting correction, and requesting
notification of the transaction made within this scope to third parties to whom your personal data
has been transferred, - Although it has been processed in accordance with the provisions of the Law and other relevant
laws, requesting the deletion or destruction of personal data in the event that the reasons requiring
processing cease to exist, and requesting notification of the transaction made within this scope to
third parties to whom your personal data has been transferred, - Objecting to the occurrence of a result against you by analyzing your processed data exclusively
through automated systems, - In the event of damage due to unlawful processing of your personal data, requesting the
compensation of the damage.
- Application Methods for Your Rights
You can submit your requests regarding your rights mentioned in Article 12 of this Policy to our
Company in writing or by other methods determined by the Board. To exercise your rights, you can
use the application form provided by the Board on our official website, or you can prepare a written
application including your identification information and your explanations about your request, and
deliver it to our Company through the methods specified in the Policy on Processing and Protection
of Personal Data. - Amendments to the Policy
IFAS reserves the right to make amendments to this Policy in accordance with the developments in
the field of personal data processing and protection, changes in legislation, and technological
developments. The updated version of the Policy is published on our official website, and if there are
significant changes, you will be informed through the communication channels specified by IFAS. - Enforcement of the Policy
This Policy is put into effect on [Effective Date] and will be valid until it is updated or revoked. If any
provision of this Policy becomes invalid, this will not affect the validity of the other provisions.