POLICY ON PROTECTION OF PERSONAL DATA

This policy sets down, outlines and describes the principles applied by Doğuş Holding, as the Data Supervisor, on processing of personal data, and required to be known by all natural persons whose personal data is processed thereby, such as suppliers, visitors and users of its website at the address of (http://www.dogusgrubu.com.tr/).

I. Definitions:

For the purposes and in the context of this Policy:

“Doğuş Holding” refers to Doğuş Holding A.Ş., owner of the Website; and

“Related Person/Natural Person” refers to owner of personal data; and

“Recording Medium” refers to all kinds of media, which are fully or partially automatic or where personal data processed by non-automatic ways and means is kept, providing that it is a part of any data recording system; and

“Website” refers to a specific website located at the address of (http://www.dogusgrubu.com.tr/); and

“Data Processor” refers to a natural person or a legal entity processing personal data in the name of and in reliance upon an authorization given by the Data Supervisor; and

“Data Supervisor” refers to a natural person or a legal entity who determines the purposes and means of processing of personal data and is responsible for establishment and management of data recording system; and

“Law no. 5651” refers to and stands for the Law on Regulation of Publications via Internet Environment and on Fight Against Crimes Committed by Means of Such Publications.

“Law no. 6698” or “KVKK” refers to and stands for the Personal Data Protection Law.

II. Acquisition and Processing of Your Personal Data:

1. Processing of Personal Data of Website Users (Online Visitors) and WIFI Service Users:

1.1. Processing of Personal Data of Website Users (Online Visitors):

Users using the Website may, with a view to expressing their requests and suggestions, transmit and disclose their personal data such as name and surname, email address, message, sector and subject matter of form, by filling in the form given at https://www.dogusgrubu.com.tr/tr/iletisim link.

The Users hereby acknowledge and accept in advance that they share their personal data as above with the Website with their full and own will and volition. Such personal data will be processed only for the purpose of assessment of and responding to the requests and suggestions expressed by the Users.

In addition, “traffic data” composed of IP address of the Users visiting the Website, starting and ending times of service given thereat, type of service used, quantity of data transferred, and if any, subscriber identity data are also processed pursuant to the Law no. 5651.

1.2. Processing of Personal Data of WIFI Service Users:

Visitors visiting the physical campus of Doğuş Holding and wishing to make use of wifi thereat are required to know that their mobile phone number and traffic data are processed by Doğuş Holding for the sake of provision of such service and in order to comply with the Law no. 5651 and the relevant secondary legislative instruments associated thereto.

2. Processing of Personal Data of Suppliers:

Doğuş Holding also processes the personal data of natural person suppliers, supplier’s employees and/or supplier’s duly authorized officers in order to conduct, manage and monitor the processes of supply of products, services or goods thereat.

2.1. Personal Data Processed During the Processes of Supply:

Doğuş Holding processes the following personal data in the course of the processes of supply:

  • For natural person suppliers, such identity information as name and surname, and T.R. identity number, as well as such financial information as bank account data, and such communication data as address, email address and mobile phone number; and

  • For supplier’s duly authorized officers, such identity information as name and surname, and specific personal data such as photograph and specimen signature put on such documents as power of attorney / signature circular; and such communication data as address, email address and mobile phone number; and

  • For supplier’s employees, such identity information as name and surname, and such personnel information as Social Security Agency payroll and Occupational Health and Safety documents, and specific personal data such as health report and criminal conviction certificate, and education/professional experience information such as educational background and certificates, as well as such financial information as bank account data, and such communication data as address, email address and mobile phone number.

2.2. Purpose of Processing of Personal Data During the Processes of Supply:

  • Performance of legal obligations and duties arising out of such laws as the Occupational Health and Safety Law, the Social Security Law, the Labor Act, the Turkish Commercial Code and the Tax Procedures Code; and

  • To conduct, manage and follow up the contracting processes regarding supply of goods, products or services; and

  • To ensure compliance with the corporate rules.

2.3. Methods of Collection and Processing of Personal Data of Suppliers:

Personal Data is collected and processed by:

  • Supplier’s duly authorized officers, supplier’s employees or natural person suppliers themselves; or

  • Such documents as Signature Circular / Power of Attorney; or

  • Such communication channels as email, telephone and website; or

  • Contracts; or

  • Reference Control Form.

2.4. Rights of Supplier’s Duly Authorized Officers, Supplier’s Employees or Natural Person Suppliers as to Their Personal Data:

Supplier’s duly authorized officers, supplier’s employees or natural person suppliers wishing to use their rights originating from the Personal Data Protection Law may file an application to Doğuş Holding in accordance with the procedures and principles described in this policy.

2.5. Security of Personal Data of Supplier’s Duly Authorized Officers, Supplier’s Employees or Natural Person Suppliers:

Section of this document pertaining to security of personal data contains detailed information about security of personal data of supplier’s duly authorized officers, supplier’s employees or natural person suppliers.

3. Processing of Personal Data of Physical Visitors:

3.1. Processed Personal Data of Natural Persons Physically Visiting Doğuş Group Campus:

Doğuş Holding processes such personal data / specific personal data of natural persons visiting Doğuş Group Campus as:

  • Identity information (T.R. identity document, driving license, passport, lawyer’s identity, etc.); and

  • Information on person to be visited; and

  • Visitor arrival and departure times; and

  • Motor vehicle mark and license plate number; and

  • From which company; and

  • Image records.

Doğuş Holding records images via indoors and outdoors cameras for the sake of security of its employees and visitors. Visitors are informed about recording by cameras indoors.

3.2. Purpose of Processing of Personal Data of Visitors:

Doğuş Holding processes personal data of persons visiting Doğuş Group campus for the following purposes:

  • To assure security of locations; and

  • To collect identity information and documents pursuant to the governing laws and regulations; and

  • To give a visitor entry card and assign a visitor number; and

  • To keep records of visit arrival and departure times; and

  • To fill in an arms delivery memorandum for visitors coming with arms to the Campus; and

  • To share the building’s internal and external sketches and the required security information together with the visitor card; and

  • To plan and perform emergency management processes (terrorism and fire); and

  • To handle and manage security scans for persons/products coming to the building; and

  • To report any incidents of crime or breach of laws to the security forces.

3.3. Methods of Collection and Processing of Personal Data of Visitors:

Personal data is processed by and through:

  • Official identity documents (T.R. identity document, driving license, passport, lawyer’s identity document) of the visitor himself; and

  • Image records taken by CCTV.

3.4. Security of Personal Data of Visitors and Sharing of Personal Data:

Both identity information and CCTV records of visitors are kept in the systems open to access only by the authorized persons. Such personal data may, upon demand, be shared only with the public administrations and authorities which are legally authorized to demand this data.

4. Processing of Personal Data of Social Responsibility Project Participants:

4.1. Personal data of project partners and project participants (such as volunteer workers, parents and students) processed in the social responsibility projects organized by Doğuş Holding are as listed below:

  • Identity information

  • Communication data

  • Education information

  • Financial information

4.2. Purpose of Processing of Personal Data of Project Partners and Project Participants:

  • To enhance and increase awareness about the Company; and

  • To create social benefit and social awareness; and

  • To plan and perform corporate communication activities; and

  • Activity (event) management; and

  • To plan and perform social responsibility and/or civil society activities or events; and

  • To plan and perform sponsorship activities.

4.3. Methods of Collection and Processing of Personal Data of Project Partners and Project Participants:

Such personal data are received directly from project partners and/or project participants themselves on ad-hoc (project) basis.

III. Security and Transfer of Your Personal Data, and Use of Rights on Your Personal Data:

Personal data mentioned in the preceding sections are kept and stored in the database of Doğuş Teknoloji in strict confidence and with all security measures taken in accordance with article 12 of the Personal Data Protection Law no. 6698, and shall in no case and in no event be shared with third parties for commercial purposes.

Doğuş Holding at least takes the following measures and actions for the sake of security of personal data processed by it, and in order to prevent unlawful accesses and processing of data by illegal means:

  • All pages into which personal data is taken and obtained via website are protected by SSL certificate.

  • Hash, encryption, transaction records, access management and physical security measures are taken with a view to processing the information systems hosting personal data against unlawful accesses and processing of data by illegal means.

  • Network containing both the website and all information systems hosting personal data is protected by a firewall.

  • Our Website does not use any cookies aiming to monitor and follow-up the site use habits of its online visitors.

Doğuş Holding keeps and stores all personal data of both online and physical visitors as a requirement of pertinent laws, and may share the same with the relevant public administrations and entities upon demand. Personal data of suppliers may be shared with the Doğuş Holding companies and subsidiaries and also with the relevant public administrations and entities in respect of the goods, products or services supplied by them. Personal data of participants and/or partners of social responsibility projects organized and held by Doğuş Holding may be shared in media and press and social media in reliance upon express consent of the relevant person. About companies and subsidiaries of Doğuş Holding, you may get information from the address of http://www.dogusgrubu.com.tr/tr/sektorler.aspx.

Rights granted to you by article 11 of the Law no. 6698 with respect to your personal data shared with us in reliance upon the methods and purposes of processing of personal data as outlined and described in this Personal Data Protection Policy are as listed below:

(a) To learn whether your personal data is processed or not; and

(b) If your personal data is processed, to request information thereabout; and

(c) To learn the purpose of processing of your personal data, and whether your personal data is used for the intended purposes or not; and

(d) To learn identity of third parties to whom your personal data is transferred, whether resident at home or abroad; and

(e) If your personal data is processed incompletely or inaccurately, to request completion or correction of the same, as the case may be; and

(f) To request deletion or destruction of personal data within the frame of the conditions set forth in Article 7 hereof; and

(g) To request us to notify the actions taken pursuant to subparagraphs (e) and (f) hereinabove to third parties to whom your personal data is transferred; and

(h) To raise objections against probable outcomes against you through analysis of your processed personal data solely by means of automatic systems; and

(i) If you incur or suffer damages due to unlawful or illegal processing of personal data, to claim indemnification of such damages.

In order to use these rights, you may at all times contact us by using the “Application Form” contained in our Website and the methods specified in that Application Form.

IV. Keeping of Your Personal Data Current and Accurate:

All persons and groups of persons whose personal data are processed by us will be deemed to have clearly acknowledged and declared that they are aware and cognizant of the fact that keeping of their personal data shared by them with us via our Website and/or disclosed directly by themselves or collected by us in the course of our contractual relations with them accurate and current is important and essential for them to be able to use their rights on their personal data within the meaning ascribed thereto by the Personal Data Protection Law and for compliance with other applicable laws pertaining thereto, and also that they will be fully and personally responsible for all consequences of provision of inaccurate or untrue information. You may at any time make the required changes and/or updates in your personal data shared with us by accessing to our site at the address of kisiselverilerim@dogusgrubu.com.tr.

V. Personal Data Storage Time:

Period of storage of personal data of online visitors is 2 years pursuant to the pertinent proviso of the Law no. 5651, while period of storage of CCTV records of physical visitors is 90 days. Personal data relating to identity information is stored and kept for the periods of time stipulated in the applicable laws and regulations. Personal data of suppliers is stored for a period of 10 years following the date of termination of legal relations with them pursuant to the applicable laws.

VI. Deletion, Destruction or Anonymization of Your Personal Data:

Your personal data processed for the purposes set forth in this Personal Data Protection Policy will be continued to be used after being anonymized by us when the purpose necessitating processing of them according to article 7/f.1 of the Law no. 6698 is no more valid, or after the end of the periods of time envisaged in the relevant Laws as per Article 17 of the Law no. 6698 and Article 138 of the Turkish Criminal Code.

Upon termination of the periods of storage specified in the applicable laws or necessitated by the underlying purpose of processing, Doğuş Holding anonymizes the processed personal data by using any one or more techniques best fit to the relevant business processes and activities out of the methods of anonymization described and listed in the Guideline on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Board within the period of 6 months stipulated for periodical destruction, and continues to use such data as such.

VII. Categorization of Personal Data:

Relevant Group of Persons

Data Category

Online visitors and WIFI Service Users

Identity Data, Communication Data and Legal Transactions or Proceedings Data

Natural Person Supplier, Supplier’s Duly Authorized Officers, Supplier’s Employees

Identity Data, Communication Data, Legal Transactions or Proceedings Data, Financial Data, Corporate Identity Data, Audio Visual Data, Specific Personal Data and Personnel Data and Information

Physical Visitors

Identity Data and Audio Visual Data

Project Partners, Project Participants

Identity Data, Communication Data,  Audio Visual Data, Financial Data and Educational Data

VIII. Amendments and Updates in Policy:

Doğuş Holding may at any time revise, rearrange, amend or update this Policy in tandem with the relevant laws and its Corporate Policies. In this case, relevant persons shall be kept informed about the new Policy text reflecting all these revisions, rearrangements, amendments or updates when needed.

Last Revision Date: 03/05/2018

1609

15