PERSONAL DATA PROTECTION AND PROCESSING POLICY

SECTION 1: INTRODUCTION

I. THE IMPORTANCE OF PERSONAL DATA PROTECTION

The protection of personal data is a constitutional right and is among the priorities of our Company. Accordingly, the establishment of a continuously updated system within our Company has been envisaged for this purpose, and this Policy has been prepared. Within the scope of the Law No. 6698 on the Protection of Personal Data (“KVKK”), acting in the capacity of Data Controller, Istanbul Ekspres Nakliyat ve Ticaret A.Ş., located at Inonu Mahallesi, Bati Bulvari No:83, 06370 Yenimahalle, Ankara, Turkiye and its branches, has prepared this Policy in order to fulfill its general obligation to inform and to determine the fundamental principles governing the processing of personal data by our Company.

Within this framework, the basic principles regarding the protection of personal data belonging to our customers, potential customers, employees, employee candidates, interns and students, employees and representatives of suppliers/subcontractors, company shareholders and partners, visitors, and other third parties whose personal data we process are regulated.

In order to ensure the implementation of the matters set forth in this Policy, the necessary procedures are established within the Company; clarification texts compatible with the Personal Data Processing Inventory specific to data subject categories are prepared; personal data protection and confidentiality agreements are executed with Company employees and third parties who have access to personal data; job descriptions are revised; and the necessary administrative and technical measures for the protection of personal data are taken by Istanbul Ekspres Nakliyat ve Ticaret A.Ş., with audits being conducted or commissioned accordingly. The protection of personal data is also embraced by senior management, and personal data protection processes are managed through the establishment of a dedicated committee (Istanbul Ekspres Nakliyat Committee).

II. PURPOSE OF THE POLICY

The primary purpose of this Policy is to set forth the principles regarding personal data processing activities carried out by Istanbul Ekspres Nakliyat ve Ticaret A.Ş. in a lawful manner and the protection of personal data, and to ensure transparency by informing and enlightening individuals whose personal data are processed by our Company.

III. SCOPE

This Policy covers all personal data processed, whether fully or partially by automated means or by non-automated means provided that they form part of a data recording system, belonging to individuals categorized as “customers, potential customers, employees, employee candidates, interns and students, employees and representatives of suppliers/subcontractors, company shareholders and partners, visitors, and other third parties whose data are processed.”

IV. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

In matters relating to the processing and protection of personal data, applicable legal regulations in force shall primarily apply. In the event of any inconsistency between the applicable legislation and this Policy, our Company acknowledges that the provisions of the legislation in force shall prevail.

V. ACCESS AND UPDATES

This Policy is published on our Company’s website at www.istanbulekspres.com.tr and is made available to the access of personal data owners upon request. It is updated when necessary.

SECTION 2: PROCESSING OF PERSONAL DATA

1. In accordance with Article 20 of the Constitution and Article 4 of the KVKK, our Company may process personal data in a lawful and fair manner; accurately and, where necessary, up to date; for specific, explicit, and legitimate purposes; and in a manner that is relevant, limited, and proportionate to the purpose. Personal data are retained for the period stipulated by law or required by the purpose of processing.

2. Pursuant to Articles 20 of the Constitution and 5 of the KVKK, personal data are processed based on one or more of the conditions set forth in Article 5 of the KVKK.

3. In accordance with Article 419 of the Turkish Code of Obligations, without prejudice to Law No. 6698, personal data of employees and employee candidates are processed based on suitability for employment and the performance of the employment contract.

4. In compliance with Articles 20 of the Constitution and 10 of the KVKK, our Company informs personal data subjects and responds to applications made for information requests and the exercise of statutory rights within the legal timeframe.

5. Our Company acts in accordance with Article 6 of the KVKK regarding the processing of special categories of personal data.

6. Our Company complies with Articles 8 and 9 of the KVKK regarding the transfer of personal data and conducts its practices in line with decisions and communiqués issued by the Personal Data Protection Board and safe country lists.

I. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH PRINCIPLES SET FORTH IN LEGISLATION

A. Principles of Personal Data Processing

1. Lawfulness and Fairness

Our Company acts in accordance with legal regulations and the principle of good faith in the processing of personal data. Legal grounds are identified, proportionality is observed, data are not processed beyond the required purpose, and no processing is carried out without the knowledge of the data subject.

2. Accuracy and Keeping Data Up to Date

Personal data are kept accurate and up to date, taking into account the fundamental rights of data subjects and the legitimate interests of the Company. In particular, customer and potential customer data are carefully updated, and no marketing communications are sent without consent.

3. Processing for Specific, Explicit, and Legitimate Purposes

The purpose of personal data processing is clearly and explicitly determined prior to processing and recorded in the Personal Data Inventory.

4. Relevance, Limitation, and Proportionality

Personal data are processed in a manner suitable for achieving the intended purpose, and unnecessary data processing is avoided. The principle of data minimization is actively implemented.

5. Retention for the Required Period

Personal data are retained only for the period stipulated in the relevant legislation or required for the processing purpose. Upon expiration of such period or elimination of processing grounds, data are deleted, destroyed, or anonymized in accordance with the Company’s ISMS “Disposal” procedures.

B. Rules on Processing of General Personal Data

Personal data may be processed without explicit consent where one or more of the legal grounds specified in Article 5 of the KVKK apply, including statutory requirements, contractual necessity, legal obligations, public disclosure by the data subject, protection of rights, or legitimate interests, provided that fundamental rights are not harmed.

Where such conditions do not exist, explicit, informed, and freely given consent is obtained.

C. Processing of Special Categories of Personal Data

Special categories of personal data are processed in compliance with Article 6 of the KVKK and with heightened care. These include data relating to race, ethnicity, political opinion, religion, health, biometric and genetic data, among others.

Such data are processed only where legally permitted or with explicit consent, and appropriate safeguards are applied.

D. Informing and Notifying Data Subjects

In accordance with Article 10 of the KVKK, data subjects are informed regarding the purposes of processing, recipients, legal grounds, and their rights. Information requests are handled via the application form available on our website at https://www.istanbulekspres.com.tr.

II. TRANSFER OF PERSONAL DATA

Personal data may be transferred to third parties in accordance with Articles 8 and 9 of the KVKK, provided that necessary security measures are taken.

A. Principles of Transfer

Transfers are conducted based on legal grounds such as explicit consent, statutory obligation, contractual necessity, legal compliance, legitimate interest, or protection of rights.

B. Transfer of Special Categories of Personal Data

Special categories of personal data are transferred only with explicit consent or under conditions prescribed by law and with adequate safeguards.

C. Transfer Abroad

Personal data may be transferred abroad to countries providing adequate protection or to countries where adequate protection is contractually guaranteed and approved by the Personal Data Protection Board, in compliance with Article 9 of the KVKK and GDPR-aligned requirements.

D. Purposes of Transfer and Recipient Categories

Purposes of Transfer

To fulfill the Company’s activities and objectives, manage human resources, ensure occupational health and safety, and obtain outsourced services necessary for commercial operations.

Recipients

Personal data may be transferred to relevant parties in accordance with Articles 8 and 9 of the KVKK:

In the transfers made by our Company, the principles and rules set forth in this Policy are followed.

III. PERSONAL DATA CATEGORIZATIONS

The individuals whose data is processed in our company and the data processed within this scope are categorized as follows;

PERSON CATEGORIZATION

DATA CATEGORIZATION

SECTION 3: LEGAL GROUNDS AND PURPOSES OF PROCESSING PERSONAL DATA

I. LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA

1. General Principles

Although the legal grounds for the processing of personal data by our Company may vary, all personal data processing activities are carried out in accordance with the general principles set forth in Article 4 of Law No. 6698. Accordingly, in all data processing activities, the following principles are taken into consideration:

Compliance with the law and the principles of honesty,
Accuracy and, where necessary, being kept up to date,
Processing for specific, explicit, and legitimate purposes,
Being relevant, limited, and proportionate to the purposes for which they are processed,
Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

2. Grounds for Lawful Processing

Existence of the Explicit Consent of the Data Subject

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given for a specific subject, based on adequate information, and expressed freely.

Explicitly Stipulated in Laws

Personal data of the data subject may be processed lawfully if it is explicitly stipulated in the law. For example, notifying the identities of our employees to authorized authorities pursuant to identity notification legislation.

Inability to Obtain Explicit Consent Due to Actual Impossibility

If the processing of personal data is mandatory for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to express consent due to actual impossibility or if consent is not legally valid, personal data may be processed. For example, sharing the blood type information of an employee who has fainted with a physician.

Directly Related to the Establishment or Performance of a Contract

Provided that it is directly related to the establishment or performance of a contract, personal data of the parties to the contract may be processed where necessary. For example, obtaining a CV from a candidate to establish an employment contract, or collecting address information to enable official notifications within the scope of the contract.

Fulfillment of the Company’s Legal Obligations

Personal data of the data subject may be processed where processing is mandatory for our Company, as the data controller, to fulfill its legal obligations. For example, processing family information to allow an employee to benefit from tax allowances.

Personal Data Made Public by the Data Subject

If the data subject has made their personal data public, the relevant personal data may be processed. For example, if our customers submit complaints, requests, or suggestions on a publicly accessible platform on the internet, they are deemed to have made their information public. In such cases, our Company may process such data solely for the purpose of responding to the complaint, request, or suggestion.

Processing is Mandatory for the Establishment, Exercise, or Protection of a Right

Personal data may be processed where processing is mandatory for the establishment, exercise, or protection of a right. For example, storing evidentiary data such as sales contracts and invoices and using them when necessary.

Processing is Mandatory for the Legitimate Interests of the Company

Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed where processing is mandatory for the legitimate interests of our Company. For example, monitoring critical areas via security cameras to prevent theft or ensure occupational safety.

Processing of Special Categories of Personal Data and Legal Grounds

Special categories of personal data may only be processed without the explicit consent of the data subject in cases stipulated by law and provided that adequate measures determined by the Personal Data Protection Board are taken. Special categories of personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and financing, by persons under confidentiality obligations or authorized institutions and organizations. Regardless of the legal basis, general data processing principles are always taken into account and complied with during processing activities (Law No. 6698, Article 4).

II. PURPOSES OF PROCESSING PERSONAL DATA

Our Company processes personal data limited to the purposes and conditions specified in Article 5(2) and Article 6(3) of Law No. 6698. During processing activities, the legal grounds stated above are taken into account, and where no other lawful basis exists, explicit consent is obtained from the data subject. In all cases, compliance with the general principles under Article 4 is ensured. The purposes of processing personal data are also specified in our Company’s Personal Data Processing Inventory.

Primary Processing Purposes

Personal data is processed within our Company primarily for the following purposes:

Fulfillment of mutual obligations arising from employment contracts,
Execution of human resources processes, recruitment, personnel management, payroll, performance evaluations, disciplinary procedures, training and career planning,
Ensuring occupational health and safety,
Preventing misuse, theft, and ensuring general security,
Managing supplier and subcontractor relations in line with legal obligations,
Conducting financial, accounting, legal, and audit processes,
Managing customer relations and ensuring customer satisfaction,
Carrying out operational, logistics, marketing, and business continuity activities,
Ensuring physical and information security,
Managing risk, compliance, archiving, and record-keeping activities,
Conducting internal investigations, audits, and legal follow-ups,
Managing visitor records and security camera monitoring activities.

Camera monitoring activities at workplaces are carried out for occupational health and safety, general security, and product safety purposes, provided that they do not violate the fundamental rights and freedoms of employees, visitors, and other data subjects.

SECTION 4: STORAGE, DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

I. STORAGE AND RETENTION PERIODS

Personal data is stored for the periods stipulated in relevant legislation. Where no retention period is specified, personal data is stored for as long as necessary for the purposes of processing, in line with business practices and legal requirements, and may be retained for evidentiary purposes in legal disputes. Once the purpose of processing ceases to exist, personal data is deleted, destroyed, or anonymized.

II. DELETION, DESTRUCTION, AND ANONYMIZATION

A. Deletion of Personal Data

Deletion refers to rendering personal data inaccessible and unusable for relevant users. Necessary technical and administrative measures are taken to ensure this.

B. Destruction of Personal Data

Destruction refers to rendering personal data completely inaccessible, irretrievable, and unusable by anyone.

C. Anonymization of Personal Data

Anonymization refers to processing personal data in such a way that it can no longer be associated with an identifiable individual, even when combined with other data. Anonymized data may be processed for research, planning, and statistical purposes without requiring explicit consent.

SECTION 5: RIGHTS OF DATA SUBJECTS

I. SCOPE AND EXERCISE OF DATA SUBJECT RIGHTS

A. Rights of Data Subjects

Individuals whose personal data is processed have the right to:

Learn whether personal data is processed,
Request information if personal data has been processed,
Learn the purpose of processing and whether it is used in accordance with its purpose,
Know third parties to whom personal data is transferred domestically or abroad,
Request correction of incomplete or inaccurate personal data,
Request deletion or destruction of personal data when processing grounds cease,
Object to results arising against them through automated processing,
Request compensation for damages arising from unlawful processing.

B. Exercise of Rights

Pursuant to Article 13 of Law No. 6698, data subjects may submit their requests regarding the exercise of their rights to our Company through the methods specified below.

In the application:

The following information must be included in the application: name and surname, and signature if the application is submitted in writing; for Turkish citizens, the Turkish Republic Identification Number; for foreign nationals, nationality, passport number, or, if available, an identification number; the residential address or workplace address for service of notice; if available, the e-mail address for notification; telephone and fax numbers; and the subject of the request. Any information and documents related to the matter must also be attached to the application.

Third parties cannot submit requests on behalf of personal data subjects. For a person other than the personal data subject to submit a request, a special power of attorney issued by the personal data subject in favor of the applicant must be provided. In the application you submit as a personal data subject to exercise your rights stated above—containing your explanations regarding the right you wish to exercise—the requested matter must be clear and understandable; the request must relate to you personally, or, if you are acting on behalf of another person, you must be specifically authorized for this purpose and document your authority; the application must include identity and address information; and documents verifying your identity must be attached.

The application form for data subjects is available on our Company’s website.

C. Responding to applications

If the personal data subject submits their request to our Company in accordance with the prescribed procedure, our Company will finalize the request free of charge, depending on the nature of the request, as soon as possible and no later than thirty (30) days. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board will be charged to the applicant.

Our Company may request information from the applicant in order to determine whether the applicant is the personal data subject. Our Company may also direct questions to the personal data subject regarding the application in order to clarify the matters included therein. Applications are managed within our Company in accordance with the Company’s “Data Subject Application Procedure.”

SECTION 6: ENSURING THE SECURITY OF PERSONAL DATA

I. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE LAWFUL PROCESSING OF PERSONAL DATA

Our Company takes all necessary technical and administrative measures to ensure the lawful processing of personal data. In this context:

A Data Inventory compliant with the VERBİS system (Data Mapping) is prepared within our Company, and compliance audits regarding lawfulness and purpose are conducted within this framework.
The “Policy on Information Principles in the Processing of Personal Data” has been put into effect to ensure that the obligation to inform data subjects is fulfilled completely and accurately.
Employees are informed about personal data protection law and the lawful processing of personal data.
All activities carried out by our Company are analyzed in detail for each business unit, and, as a result of this analysis, personal data processing activities are identified based on the specific activities performed by the relevant unit.
For the personal data processing activities carried out by our business units, the requirements necessary to ensure compliance with the processing conditions required by Law No. 6698 are determined specifically for each unit and each detailed activity.
Provisions are included in contracts and documents governing the legal relationship between the Company and employees that impose obligations not to process, disclose, or use personal data—except as instructed by the Company and as permitted by legal exceptions; employee awareness is ensured and audits are conducted.
Similar provisions are included in contracts and documents governing the legal relationship between the Company and third parties processing data for which the Company is responsible—except as instructed by the Company and as permitted by legal exceptions; and a “Supplier Confidentiality Agreement” has been put into effect.

II. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN IN THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Under the Law on the Protection of Personal Data, certain personal data is given special importance due to the risk of harm or discrimination if processed unlawfully. Such data includes: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, health, sexual life, criminal convictions and security measures, biometric data, and genetic data.

Our Company acts with particular care in protecting special categories of personal data determined as such under the Law and processed lawfully. In this scope, the technical and administrative measures taken for the protection of personal data are applied with due care to special categories of personal data, and necessary audits are ensured. Accordingly:

A “Policy on the Protection and Processing of Personal Data” has been prepared regarding the security and processing principles for special categories of personal data.
Employees involved in the processing of special categories of personal data receive regular training on the Law, related regulations, and special-category data security; confidentiality agreements are executed; the scope and duration of authorizations for users with access rights are clearly defined; authorization controls are carried out; and the access rights of employees who change roles or leave employment are immediately revoked, and the inventory allocated to them by the data controller is collected back.
Where special-category data is processed, stored and/or accessed electronically, the data is protected using cryptographic methods; cryptographic keys are kept securely and in separate environments; all actions performed on the data are securely logged; security updates for the environments are monitored; and necessary security tests are conducted and recorded.
Where access is provided through software, user authorizations are applied; security tests for such software are performed regularly and recorded. Where remote access is required, at least two-factor authentication is provided.
Where the relevant environments are physical, sufficient physical security measures are taken against risks (such as electrical leakage, fire, flood, theft, etc.), and physical security is ensured to prevent unauthorized entry and exit.
If special-category data is to be transferred and transfer via e-mail is required, the transfer is ensured by using encrypted corporate e-mail or a Registered Electronic Mail (KEP) account.
If special-category data is transferred through media such as memory devices, CD, DVD, etc., it is encrypted using cryptographic methods and the cryptographic key is kept in a separate environment.
If data is transferred between servers in different physical locations, transfer is performed by establishing a VPN between servers or using the sFTP method. If transfer is required in paper form, necessary measures are taken against risks such as theft, loss, or unauthorized viewing, and documents are sent in the format of “classified/confidential documents.”
In addition to the measures above, technical and administrative measures aimed at ensuring an adequate level of security, as set out in the Personal Data Security Guide published on the website of the Personal Data Protection Authority, are also taken into consideration.

III. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA

Our Company takes technical and administrative measures to prevent the careless or unauthorized disclosure, access, transfer, or any other form of unlawful access to personal data.

A. Technical measures taken to prevent unlawful access

The main technical measures include:

Ensuring Cybersecurity

Cybersecurity products are primarily used, but measures are not limited to these. Measures such as firewalls and network gateways are implemented. Unused software and services are removed from devices.

Software Updates

Patch management and software updates are applied to ensure proper functioning of software and hardware and to regularly verify whether security measures are adequate.

Access Restrictions

Access to systems containing personal data is restricted. Employees are granted access only to the extent necessary for their duties, authorities, and responsibilities. Access is provided via username and password. When creating passwords, combinations of uppercase/lowercase letters, numbers, and symbols are used instead of easily guessable sequences. Accordingly, an access authorization and control matrix is established.

Encryption / Credential Controls

In addition to strong password use, access is limited through measures such as restricting login attempts, ensuring periodic password changes, using administrator accounts only when necessary, and promptly deleting or disabling accounts of employees whose relationship with the data controller has ended.

Antivirus Software

Antivirus and antispam products that regularly scan the network and detect threats are used and kept up to date; relevant files are scanned regularly. Where personal data is obtained from different websites and/or mobile applications, connections are ensured via SSL or a more secure method.

Monitoring Personal Data Security

Security issues are reported as quickly as possible,
All user activity records are maintained regularly (e.g., logs),
Networks are monitored for intrusions or abnormal activity,
Active software and services on networks are checked.

A formal reporting procedure is established for employees to report vulnerabilities or related threats.

In undesirable incidents such as system crashes, malware, denial-of-service attacks, incorrect data entry, breaches affecting confidentiality/integrity, or misuse of IT systems, evidence is collected and stored securely.

Securing Environments Containing Personal Data

Where personal data is stored on devices located at data controller premises or in paper form, physical security measures are taken against threats such as theft or loss. Physical environments are protected against external risks (fire, flood, etc.), and access is controlled.
If personal data is in electronic environments, access can be restricted between network components and/or components can be segregated to prevent data breaches.

Equivalent measures are applied to paper/electronic environments and devices containing Company personal data located outside Company premises (laptops, mobile phones, USB drives, etc.). Personal data sent via e-mail or post is sent carefully and with sufficient measures. Where employees access the information systems network via personal devices, adequate security measures are also applied.

For risks such as loss or theft of devices, access control authorization and/or encryption methods are used; encryption keys are stored in environments accessible only to authorized persons.

Paper documents containing personal data are stored locked and accessible only to authorized persons.

Cloud Storage

Where necessary, cloud storage may be used. In such cases, the Company evaluates whether the security measures taken by the cloud provider are adequate and appropriate, considering Board guidance and recommendations.

IT Systems Supply, Development and Maintenance

Security requirements are taken into account when determining needs related to procurement, development, or improvement of systems.

Backup of Personal Data

In cases of damage, loss, theft, or disappearance of personal data, the Company ensures continuity by using backed-up data as soon as possible. Backups are accessible only by the system administrator, and dataset backups are kept offline.

B. Administrative measures taken to prevent unlawful access

The main administrative measures include:

Employees are informed and trained on technical measures to prevent unlawful access to personal data.
Employees are informed that they may not disclose personal data they learn in violation of the Law or use it outside the purpose of processing, and that this obligation continues after employment ends; necessary undertakings are obtained.
Personal Data Security Policies and Procedures are established; regular controls are performed and documented; areas for improvement are identified. Risks and breach-management methods for each data category are also clearly defined.
Data minimization: data must be accurate and up to date and retained only as long as necessary; outdated or unnecessary data is evaluated and deleted/destroyed/anonymized under the retention and destruction policy.
Managing relationships with data processors: when services are obtained from processors, the Company ensures that they provide at least an equivalent level of security; protective clauses regarding personal data protection are included in contracts.

IV. STORAGE OF PERSONAL DATA IN SECURE ENVIRONMENTS

Our Company takes necessary technical and administrative measures—considering technological capabilities and implementation cost—to store personal data securely and prevent unlawful destruction, loss, or alteration.

A. Technical measures for secure storage

Systems compatible with technological developments are used for secure storage.
Technical security systems are established for storage areas; measures are audited periodically through the Company’s designated audit mechanism; risks are reassessed and necessary technological solutions are implemented.
All necessary infrastructure is used lawfully to ensure secure storage.

B. Administrative measures for secure storage

Employees are informed regarding the secure storage of personal data.
If external services are used due to technical requirements, contracts with relevant companies to whom data is lawfully transferred include provisions that recipients will take necessary security measures and ensure compliance within their organizations; the Company acts in accordance with the “Principles for the Protection of Personal Data in Relations with Third Parties” policy.

V. TRAINING

Our Company provides employees with necessary training within the scope of policies, procedures, and KVKK regulations regarding the protection of personal data.
Trainings specifically address definitions and protection practices related to special categories of personal data.

If an employee accesses personal data physically or electronically, the Company provides training specific to such access (e.g., the relevant software).

VI. AUDIT

A. Increasing awareness and auditing business units

Our Company ensures that necessary notifications are made to business units to increase awareness for preventing unlawful processing, unlawful access, and ensuring retention.

B. Increasing awareness and auditing business partners and suppliers

Our Company provides necessary information to business partners to increase awareness for preventing unlawful processing, unlawful access, and ensuring retention.

C. Auditing the measures taken for personal data protection

Our Company has the right to audit, at any time and ex officio, without prior notice, whether all employees, departments, and contractors comply with this Policy and KVKK regulations, and conducts or commissions routine audits. Audit results are evaluated within the Company’s internal processes and improvement actions are carried out.

Measures to be taken in case of unauthorized disclosure of personal data:

In accordance with Article 12 of the KVKK, our Company operates a system to ensure that, if personal data processed lawfully is obtained by others through unlawful means, this is notified as soon as possible to the relevant data subject and to the Personal Data Protection Board.