Clarification Text Regarding the Processing of Personal Data
Personal Data Protection and Processing Policy
Personal Data Retention and Destruction Policy
LPPD DATA SUBJECT APPLICATION FORM

Personal Data Protection and Processing Policy

CCN INVESTMENTS HOLDING INC.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

Table of Contents

1. INTRODUCTION 2
2. PURPOSE OF THE POLICY 2

3. SCOPE OF THE POLICY 2

4. DEFINITIONS 2

5. PROCESSING AND TRANSFER OF PERSONAL DATA 3

6. General Principles for Processing Personal Data 4

7. Conditions for Processing Personal Data of a General Nature 5

8. Conditions for Processing Sensitive Personal Data 6

9. Conditions for Transfer of Personal Data 7.

4.1. Domestic Transfer of General Categories of Personal Data 7

4.2. Conditions for Domestic Transfer of Sensitive Personal Data 8

  1. DISCLOSURE IN TERMS OF THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT UNDER THE LAW 10
  2. Informing the Relevant Person 10
  3. Rights of the Relevant Person under the Law 11
  4. CASES WHERE THE POLICY AND THE LAW DO NOT APPLY IN WHOLE OR IN PART 13

 

1. INTRODUCTION

Protection of personal data is of great importance for CCN Hastane Hizmetleri Ve İşletme Anonim Şirketi (hereinafter referred to as the "Company"). Great sensitivity is shown in protecting the personal data of our partners, customers, employees, employee candidates, Company officials, employees of subsidiary companies, employees of the companies we work with, shareholders, officials, visitors and third parties.

As recognized in Article 20 of the Turkish Constitution, everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person.

It has been adopted as a corporate policy to protect and develop the right to "Protection of Personal Data", which is a constitutional right, of our Partners, customers, employees, employee candidates, Company officials, employees of affiliate companies, employees of the companies we work with, shareholders, officials, visitors and third parties, whose personal data we process in line with Company activities or requirements. This Policy sets forth the principles adopted by the Company regarding the processing and protection of personal data.

2. PURPOSE OF THE POLICY

This Policy has been prepared in order to ensure that the activities within the scope of the entire Company are carried out in compliance with the Personal Data Protection Law No. 6698 (hereinafter referred to as " LPPD"), the decisions of the Personal Data Protection Board and secondary legislation on the processing and protection of personal data.

In addition, it is aimed to inform the relevant persons whose personal data are processed in the most transparent manner about the activities carried out by the Company for the processing and security of personal data, the measures taken and the Company principles.

3. SCOPE OF THE POLICY

This policy relates to all kinds of processing carried out on data such as obtaining, recording, storing, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data belonging to data subjects by fully or partially automated or non-automated means, provided that it is part of any data recording system, and the administrative and technical measures taken for the security of personal data.

4. DEFINITIONS

Where;
a. Explicit consent: Consent related to a specific subject, based on information and expressed with free will,
b. Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,
c. Relevant person: The natural person whose personal data is processed,
d. Relevant user: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
e. Destruction: Deletion, destruction or anonymization of personal data,
f. Law: Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698,
g. Personal data: Any information relating to an identified or identifiable natural person,
h. Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
i. Personal data processing inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of personal data processing, data category, transferred recipient group and data subject group, and detailing the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
j. Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymization,
k. Board: Personal Data Protection Board
l. Authority: Personal Data Protection Authority,
m. Periodic destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear,
n. Registry: The register of data controllers kept by the Personal Data Protection Authority,
o. Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
p. Data recording system: The recording system where personal data is structured and processed according to certain criteria,
q. Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

1. PROCESSING AND TRANSFER OF PERSONAL DATA

2. General Principles for Processing Personal Data
Personal data are processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. While processing personal data, our Company acts in accordance with the following principles regulated by Article 4 of the Law.

3. Compliance with the Law and Rules of Good Faith
Our Company processes personal data in accordance with the relevant legislation and the requirements of the rule of good faith and uses it within these limits. In this context, our Company takes into account the interests and a reasonable expectation of the person concerned when processing personal data and takes care to ensure that the data processing activity in question is transparent for the person concerned.

4. Being Accurate and Up-to-Date When Necessary
Our Company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. In this context, it carefully considers issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated. Our Company keeps the channels open to ensure that the relevant person's information is accurate and up-to-date.

5. Processing for Specific, Explicit and Legitimate Purposes
Our Company processes personal data for legitimate purposes and shares the clearly and precisely determined purpose of data processing with the relevant persons. The legitimate purpose means that the personal data processed by our Company is related to and necessary for the work it has done or the services it provides. The purposes for which the data received from the relevant persons are processed are clearly and clearly stated in the clarifications made to the relevant persons and in the explicit consents obtained.

6. Being Relevant, Limited and Proportionate to the Purpose for which they are Processed
Our Company ensures that the personal data processed are suitable for the realization of the specified purposes and that personal data that are not related to the realization of the purpose in question or that are not needed are not processed. In this context, our Company does not process data to meet the needs that may arise later.

7. Retention for the Period Stipulated in the Relevant Legislation, or Required for the Purpose for which they are Processed

If there is a period stipulated in the relevant legislation for the storage of data, our Company complies with these periods; otherwise, it retains personal data only for the period required for the purpose for which they are processed. The retention period of personal data varies according to the nature of the business or service carried out by our Company or the data obtained. In the event that all of the conditions for the processing of personal data by our Company disappear, such data shall be destroyed in the first 6-month periodic destruction period following the date on which the obligation to destroy the data in question arises.

8. Terms of Processing of Personal Data of General Nature
As a rule, our Company does not process personal data without the explicit consent of the data subject. However, in the presence of one of the following conditions stipulated in Article 5/2 of the Law, personal data may be processed without the explicit consent of the data subject.

9. Explicitly Stipulated by Laws
Our Company may process the personal data of personal data owners even without their explicit consent in cases expressly stipulated by law. For example, the processing of personal data of our employees in accordance with the Labor Law legislation will be evaluated within this scope.

10. It is Mandatory for the Protection of the Life or Physical Integrity of the Person Himself or of Another Person Who is in a Situation of Not Being Able to Explain His Consent Due to Actual Impossibility or Whose Consent is Not Recognized as Legally Valid

Our Company may process personal data without explicit consent in order to protect the life or physical integrity of persons in cases where the person concerned is unable to disclose his/her consent due to the actual impossibility of the person concerned or where the consent disclosed is not valid. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the personal data of the person concerned may be processed during medical intervention in order to protect his/her life or physical integrity. In this context, the processing of personal data of a person whose liberty is restricted through a telephone, computer or other technical device carried by the person in order to determine the location of the person whose liberty is restricted is not subject to the explicit consent of the person concerned.

  1. Processing of Personal Data of the Parties to a Contract is Necessary Provided that it is Directly Related to the Establishment or Execution of a Contract

Personal data may be processed by our Company in relation to the establishment or performance of a contract. For example, the account number of the creditor party may be obtained for the payment of money pursuant to a contract.

  1. It is Mandatory for Our Company to fulfill its Legal Obligations

If the processing of personal data is mandatory for our Company to fulfill its legal obligations, the necessary personal data may be processed by our Company without the explicit consent of the persons concerned. For example, during a tax audit by our Company, information belonging to our Employees or Customers may be submitted to the examination of the relevant public officials.

  1. Being publicized by the Data Subject Him/herself

Personal data made public by the person concerned by our Company, in other words, personal data that have been disclosed to the public in any way and thus become known to everyone, may be processed by our Company on the assumption that the legal interest to be protected has disappeared in the processing of such data.

  1. Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right

In cases where data processing is mandatory for the exercise or protection of a legitimate legal right, our Company may process the personal data of the relevant persons without seeking explicit consent.

  1. Data processing is Mandatory for the Legitimate Interests of Our Company, provided that it does not harm the Fundamental Rights and Freedoms of the Data Subject

Our Company may process the personal data of the relevant persons in cases where the processing of personal data is mandatory for the provision of legitimate interests, provided that it does not harm the fundamental rights and freedoms of the relevant persons protected under the Law and Policy. Our Company shows the necessary sensitivity to comply with the basic principles regarding the protection of personal data and to observe the balance of interests of our Company and the relevant persons.

  1. Explicit Consent of the Personal Data Owner

Obtaining explicit consent to the processing of personal data is a Company priority. For this reason, necessary methods have been developed to obtain the explicit consent of the data subjects whose personal data we process physically and electronically.

Before obtaining the consent of the relevant persons regarding the processing of their personal data, the obligation to inform is fulfilled in accordance with Article 10 of the LPPD, and it is ensured that their explicit consent is obtained on a specific subject, based on information and with free will.

  1. Conditions for Processing Sensitive Personal Data

The LPPD gives special importance to some personal data, considering that they have the potential to discriminate and may cause victimization of persons when processed unlawfully, and these data are called "special categories of personal data".

Article 6 of the Law defines which data are special categories of personal data. Accordingly, race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are personal data of special nature.

The Company shows special sensitivity in the processing of such "special categories of personal data" to which the LPPD attaches special importance. Employees involved in the processing of special categories of personal data are trained on the Law and related regulations and special categories of personal data security, confidentiality agreements are signed, access authorization to data is restricted, and the authorization of employees who change their duties or leave their jobs is immediately removed.

Transaction records of all transactions carried out in electronic media where sensitive personal data are stored are securely logged, security updates for the media where the data are stored are continuously monitored and necessary security tests are regularly performed and test results are recorded. Adequate security measures are taken in physical environments where special categories of personal data are stored, and unauthorized entry and exit to such environments are prevented.

The explicit consent of the relevant persons for the processing of such data is the priority of our Cooperative. The Cooperative may process special categories of personal data without the explicit consent of the data subject only in the following exceptional cases specified in the LPPD;

  • Personal data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law.
    § Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the person concerned.
  1. Conditions for Transmission of Personal Data

4.1. Domestic Transfer of General Categories of Personal Data
Our Company may transfer personal data and special categories of personal data to third parties in accordance with the Law by establishing the necessary confidentiality conditions and taking security measures in line with the purposes of processing personal data. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of personal data. In this context, in line with the legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties based on and limited to one or more of the following personal data processing conditions specified in Article 5 of the Law;
- If the data subject has explicit consent,
- Explicitly stipulated in the law.
- If there is a clear regulation in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the person concerned or another person and the person concerned is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
- If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- If personal data transfer is mandatory for our company to fulfill its legal obligation,
- If the personal data has been made public by the data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- Provided that it does not harm the fundamental rights and freedoms of the data subject, if personal data transfer is mandatory for the legitimate interests of our Company, it may transfer.

4.2. Conditions for Domestic Transmission of Special Categories of Personal Data

Our Company may transmit the special categories of personal data of the data subjects to third parties in accordance with the principles adopted in the processing of personal data.
In the transmission of special categories of personal data to third parties, sensitivity is shown to obtaining the consent of the data subject and special categories of personal data are transmitted domestically by taking adequate technical and administrative measures. However, in the event of the following circumstances, it may be possible to transmit sensitive personal data without the explicit consent of the data subject by taking adequate technical and administrative measures;

- Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data, in cases stipulated by law,
- Personal data relating to health and sexual life can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

Conditions for the Transmission of Personal Data of General Nature Abroad:

- Our Company may transmit the personal data and special categories of personal data of the data subjects to third parties abroad by taking the necessary security measures in line with the purposes of personal data processing. If personal data transmission is mandatory for our company to fulfill its legal obligation,
- If the personal data has been made public by the data subject,
- Personal data transmission is the establishment of a right,
Personal data may be transmitted by the Board to foreign countries declared to have adequate protection by the Board in light of Article 9 of the Law or, in the absence of adequate protection, to foreign countries where the data controllers in Türkiye and the relevant foreign country undertake in writing to provide adequate protection and where the Board's permission is granted.
Our Company may transmit the personal data of the data subjects abroad in accordance with the principles adopted in the processing of personal data.
In the absence of the explicit consent of the data subject, it is possible to transfer personal data abroad in the presence of one of the following conditions, provided that there is adequate protection in the country where the data will be transferred or the data controller to whom the personal data will be transferred undertakes adequate protection in writing and the Personal Data Protection Board has permission:
- Explicitly stipulated in the law.
- In cases where it is compulsory for protecting the life or bodily integrity of someone itself or someone else, who is not capable of declaring his/her consent due to physical impossibility, or whose consent has legal validity,
- Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- It has been made public by the data subject himself/herself.
- When it is necessary to process data in order for establishing, using, or protecting a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for Transferring Special Categories of Personal Data Abroad
Our Company may transfer the personal data of the data subjects abroad in accordance with the principles adopted in the processing of personal data.
Provided that there is adequate protection in the country where the data will be transmitted or that the data controller to whom the personal data will be transmitted undertakes adequate protection in writing and the Personal Data Protection Board has the permission of the Personal Data Protection Board, it is possible to transmit personal data abroad without the need for the explicit consent of the data subject in the presence of one of the following conditions:
- Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data, in cases stipulated by law,
- Personal data relating to health and sexual life can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

DATA ON INTERNET ACCESS PROVIDED IN BUILDINGS AND FACILITIES
Internet access is provided to employees and guests in the Company's buildings and facilities. The name, surname, telephone number, Turkish ID number, websites accessed by the employee and guest who wish to use the internet access, and the time of access are stored as a legal obligation in accordance with the Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications and the Regulation on Internet Mass Use Providers issued on the basis of this Law.
Stored records may be shared with legally authorized institutions and organizations in order to fulfill legal obligations if requested by authorized institutions and organizations.
Monitoring of Buildings and Facilities with Security Cameras
Camera surveillance activities are carried out by the Company in accordance with the Law on Private Security Services and the relevant legal legislation. Personal data recorded through security cameras are processed only for security purposes and the personal data processing principles and conditions stipulated in the LPPD are complied with.
The necessary sensitivity is shown in order not to violate the fundamental rights and freedoms of individuals and the privacy of private life, and a balance is established between the protection of the rights of the relevant persons with the aim of ensuring the security of the Company and protecting its legitimate interests.
Accordingly, when determining the positioning, number and recording time of security cameras, planning is made to be sufficient to ensure security. Security camera surveillance activities are not carried out in areas that may constitute the privacy of private life.
The Company ensures that the relevant persons are informed about the data processing process by posting a notification in visible areas in the Company's buildings and facilities that monitoring is carried out 24 hours a day, 7 days a week with security cameras and that the images are recorded.
The Company takes the necessary administrative and technical security measures to ensure the security of personal data recorded by security cameras. The recorded images can only be accessed by a limited number of Company employees.
Visitor Entrances to Company Buildings and Facilities
In order to ensure security, the Company carries out data processing activities in order to monitor visitor entrances and exits at entrances to company buildings and facilities. In this context, personal data such as name-surname information, vehicle license plate information, etc. of visitors can be stored for a certain period of time in order to ensure building and facility security and can only be used for this purpose.
Pursuant to Article 10 of the LPPD, the Company fulfills its obligation of disclosure in its capacity as the data controller and informs the relevant persons in this regard. For security purposes, notices regarding the processing of personal data of visitors are posted in visible areas in buildings and facilities, and the relevant persons are informed about the data processing process.
PERSONAL DATA OF WEBSITE VISITORS
On some of the Company's websites, the information of the visitors to these websites may be recorded by technical means (such as cookies) or by being shared by the visitor during the membership phase.
"Clarification Text on the Protection and Processing of Personal Data" has been published on the Company's websites within the scope of Article 10 of the LPPD on how and for what purpose personal data are obtained and visitors have been informed about this issue.

1. DISCLOSURE IN TERMS OF THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT UNDER THE LAW

2. Informing the Relevant Person
In accordance with Article 10 of the Law and the provisions of the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Obligation to Inform published in the Official Gazette dated 10.03.2018, our Company informs personal data owners - interested persons during the acquisition of personal data. For detailed information on the processing of personal data, you can review the Clarification Text at "www.ccnholding.com". In this context, as stated above, if any, the identity of the Company representative, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the person concerned.

3. Rights of the Data Subject Under the Law
Our Company informs you of your rights in accordance with Article 11 of the Law and the provisions of the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette dated 10.03.2018; provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article 11 of the Law, our Company gives clarifications to the relevant persons regarding to the right;
- To learn whether personal data is processed or not,
- Request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transmitted domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- To request notification of the transactions made pursuant to sub-paragraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data are transmitted,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- To demand the compensation of the damage in case of damage due to unlawful processing of personal data.
You can send your requests regarding the implementation of the Law in the methods as it is described in the application form by using the Law on the Protection of Personal Data Relevant Person Application Form that can be accessed from www.ccnholding.com Pursuant to Article 13/2 of the Law, our Company finalizes the requests submitted to it free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the Board may be charged.
Our Company may either accept your request or reject it by explaining its reasoning and notify its response in writing or electronically. In cases where your application is rejected, you find the answer insufficient or your application is not responded to within the time limit; you have the right to file a complaint to the Board within thirty days from the date of learning our answer and in any case within sixty days from the date of application.
SECURITY OF PERSONAL DATA
The Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the protection of personal data.
In this context, first of all, a study has been carried out to determine the personal data processed by our Company, the risks that may arise regarding the protection of this data have been determined, taking into account whether the personal data processed is personal data of special nature, and the necessary technical and administrative measures have been put into practice to reduce or eliminate the risks.
In order to ensure personal data security, regular trainings are provided to personnel and managers in order to prevent unlawful disclosure and sharing of personal data and to raise awareness of the LPPD.
In addition, employees involved in personal data processing processes are asked to sign confidentiality agreements as part of their business processes, and if it is determined that an employee acts contrary to security policies and procedures, the necessary disciplinary process is carried out.
The Company restricts access to personal data included in data processing processes on a personnel basis, and a limited number of personnel are authorized to access personal data related to the business processes they carry out. Data processing activities carried out by the personnel are recorded. Care is taken to comply with the principle of "Everything is Forbidden Unless Permitted" regarding access to personal data throughout the Company.
In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and audit the processes related to the processing of personal data. Regular internal audits are carried out to prevent unlawful processing of personal data and unlawful access to personal data.
Technical methods with an appropriate level of security are used to prevent unlawful access to personal data and to ensure that it is stored in secure environments, and these methods are updated in accordance with the developing technology.
In the event of an internal or external attack on the Company's data recording system, in order to recognize this situation early and intervene early, it is regularly checked which software and services are running on the information networks and whether there is any infiltration or movement that should not be in the information networks, and the transaction movements of all users are regularly kept.
DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Pursuant to Article 7 of the LPPD, the Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject in the event that the reasons requiring its processing disappear or the period stipulated in the legislation expires, although it has been processed in accordance with the legislation.
Personal data stored in physical media are deleted, destroyed or anonymized ex officio or upon the request of the data subject, if the purpose of data processing is realized or the period stipulated in the legislation expires.
Personal data recorded in digital data recording systems are deleted, destroyed or anonymized ex officio or upon the request of the data subject, if the purpose of data processing is realized or the period stipulated in the legislation expires.
Any personal data anonymized pursuant to the LPPD is not subject to the LPPD. Anonymization of personal data is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching personal data with other data.
In the event that the reasons requiring the processing of personal data disappear or the period stipulated in the legislation expires, personal data may be anonymized ex officio or upon the request of the data subject. Anonymized personal data may be used for purposes such as research, statistics and planning, stored indefinitely and transferred domestically and abroad.
Regarding the destruction of personal data, a "Personal Data Retention and Destruction Policy" has been prepared and announced on the Company's website.

4. CASES WHERE THE POLICY AND THE LAW DO NOT APPLY IN WHOLE OR IN PART

The provisions of this Policy and the Law shall not apply in the following cases in accordance with Article 28/1 of the Law:
- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data is not disclosed to third parties and data security obligations are complied with.
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, and privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.

Provided that it is appropriate and proportionate to the purpose and basic principles of this Policy and the Law, Articles 10 regulating the obligation of the data controller to inform, 11 regulating the rights of the data subject, except the right to claim compensation for the damage, and 16 regulating the obligation to register with the Data Controllers Registry will not be applied in the following cases in accordance with Article 28/2 of the Law:
- Processing of personal data is necessary for the prevention of crime or criminal investigation
- Processing of personal data made public by the data subject himself/herself.
- Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
- Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.