KVKK Information Text

PERSONAL DATA PROCESSING, PROTECTION, STORAGE, AND DESTRUCTION POLICY

I. INTRODUCTION

1.1. Purpose of the Policy

In accordance with Article 20 of the Constitution titled "Privacy of Private Life," the Personal Data Protection Law No. 6698 ("Law"), and the provisions of the regulations and communiqués in force, the purpose of this Policy is to determine the principles regarding the processing of personal data obtained by Reptur Gayrimenkul İnşaat Turizm ve Ticaret A.Ş. ("Company" or "Reptur"), the protection of the fundamental rights and freedoms of data subjects (employees, employee candidates, suppliers, shareholders/partners, company officials, visitors, and other third parties), primarily the privacy of private life, the performance of data processing activities by the data controller in compliance with the law, and the protection, processing, storage, and, when necessary, destruction of the obtained personal data.

1.2. Scope of the Policy

Based on the fact that any operation performed on personal data—defined as any information relating to an identified or identifiable natural person—such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transferring, taking over, making available, classification, or preventing the use thereof by Reptur in its capacity as data controller, whether by fully or partially automated means or by non-automated means provided that it is part of a data filing system, is considered a data processing activity; the determination of the procedures and principles of the data processing activities carried out by Reptur defines the scope of this Policy.

1.3. Application of the Policy and Related Legislation

This Policy has been prepared in accordance with the relevant legislation, primarily the Turkish Commercial Code No. 6102, the Turkish Code of Obligations No. 6098, the Personal Data Protection Law No. 6698, the Regulation on the Data Controllers Registry No. 30286, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data No. 30224, and the Regulation on the Processing and Privacy of Personal Health Data, as well as the rules set forth in the regulations, communiqués, decisions, and guides published by the Board.

In the event of changes to the Law or other relevant legislation after the publication date of the Policy by Reptur, and if the Policy becomes inconsistent with said changes, the amended provisions and rules shall apply. All communiqués, decisions, and guides published by the Board are monitored by Reptur, and the rules stipulated by the Policy are kept up to date.

1.4. Enforcement of the Policy

The Policy has been published on Reptur's websites www.reptur.ru, www.reptur.com, www.reptur.de, and www.reptur.com.tr, and entered into force on the date of its publication.

II. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

According to Article 12 of Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to provide the appropriate level of security for the purposes of:

Preventing the unlawful processing of personal data,
Preventing unlawful access to personal data,
Ensuring the preservation of personal data.

For the reasons explained, Reptur implements security measures to prevent the unlawful processing, transfer, and disclosure of personal data to third parties, as well as unauthorized access and security deficiencies arising through other means. Explanations regarding the administrative and technical measures taken are located in the section VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA.

2.2. Protection of Special Categories of Personal Data

Data that is sensitive by nature and which, if obtained by third parties, may cause victimization or discrimination of the data subjects, is considered special category personal data under the Law. Special categories of personal data consist of data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Special categories of personal data cannot be processed without the explicit consent of the data subject. Among the special categories of personal data, health data of the individuals concerned may be processed without seeking explicit consent only by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, performing preventive medicine and care services, and the planning and management of health services and financing. Furthermore, regardless of the type, all special categories of personal data can only be processed if the adequate measures determined by the KVKK (Personal Data Protection Authority) are taken as per the law.

All necessary measures for the protection of special categories of personal data are taken by Reptur, and the principle is to avoid obtaining and processing such data as much as possible.

III. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Accordance with the Principles Prescribed in the Legislation

Pursuant to Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:

Compliance with the law and the rules of honesty,
Being accurate and, where necessary, up to date,
Processing for specific, explicit, and legitimate purposes,
Being relevant, limited, and proportionate to the purposes for which they are processed,
Retention for the period prescribed in the relevant legislation or required for the purpose for which they are processed.

3.2. Conditions for Processing Personal Data

Personal data obtained by Reptur cannot be processed without the explicit consent of the data subject, except for the exceptions provided for in the Law. Your personal data may be processed without explicit consent in the following cases:

If it is expressly provided for in the laws,
If it is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent is not legally recognized,
If it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
If it is mandatory for the data controller to fulfill its legal obligation,
If it has been made public by the data subject themselves,
If data processing is mandatory for the establishment, exercise, or protection of a right,
If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to the Obligation to Obtain Explicit Consent

a) Being expressly provided for in the laws

One of the data processing conditions is that it is expressly provided for in the laws. Provisions in the laws stating that personal data may be processed can constitute a data processing condition. In such a case, obtaining the explicit consent of the data subject is not required.

b) Actual impossibility

In cases where it is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent is not legally recognized, the personal data of the data subject may be processed without obtaining explicit consent.

c) Direct relevance to the establishment or performance of a contract

In the event that data processing is mandatory during the establishment or performance of a contract to which the data subject is a party, the processing of personal data without obtaining explicit consent may come into question.

d) Fulfillment of the Company's legal obligation

Personal data may be processed without obtaining explicit consent for the purpose of fulfilling the legal obligations that Reptur must perform in its capacity as data controller.

e) Being made public by the data subject

Personal data that has been made public by the data subject, in other words, personal data that has been disclosed to the public in any way, can be processed without obtaining explicit consent. Even in this case, the personal data made public cannot be subject to use outside its purpose.

HTML etiketlerini ve stil özelliklerini tam olarak koruyarak hazırladığım İngilizce çeviri aşağıdadır:

f) If it is mandatory for the establishment, exercise, and protection of a right

In cases where it is mandatory for the establishment, exercise, or protection of a right, it is possible to process the personal data of the data subject even without their explicit consent.

g) If it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

If the processing of personal data is mandatory for the data controller and the data processing activity will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.

The legitimate interest of the data controller refers to the interest and benefit to be obtained as a result of the processing to be performed. The benefit to be obtained by the data controller must relate to an interest that is legitimate, sufficiently effective to compete with the fundamental rights and freedoms of the data subject, specific, and currently existing. It must be an operation related to the current activities of the data controller and one that will provide a benefit in the near future.

3.4. Processing of Special Categories of Personal Data

The processing of special categories of personal data is subject to Article 6 of the Law, and processing without the explicit consent of the data subject is prohibited.

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are special categories of personal data. The types of data included in this scope are limited in number and cannot be expanded through interpretation.

By their nature, special categories of personal data are data that, if learned, could cause the data subject to suffer discrimination or victimization. Therefore, they must be protected much more strictly compared to other personal data.

a) Special categories of personal data other than health and sexual life

Special categories of personal data other than personal data relating to health and sexual life may be processed without seeking the explicit consent of the data subject in cases prescribed by law.

b) Special categories of personal data relating to health and sexual life

Special categories of personal data relating to health and sexual life may only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

3.5. Informing and Notifying the Personal Data Subject

During the collection of personal data, information is provided to data subjects by Reptur in its capacity as data controller or by persons authorized by it. The procedures and principles regarding the information provided are specified in the relevant Clarification Texts on the Processing of Personal Data published by Reptur, and the information summary includes the following elements:

The identity of the data controller and its representative, if any,
The purpose for which the personal data will be processed,
To whom and for what purpose the personal data may be transferred,
The method and legal grounds for personal data collection,
The rights of the data subject as set out in Article 11 of the Law.

a) Identity of the data controller and its representative

According to Article 10 of the Law, personal data obtained from data subjects (employees, candidate employees, suppliers, shareholders/partners, company officials, visitors, and other third parties) are processed by Reptur Gayrimenkul İnşaat Turizm ve Ticaret A.Ş. in its capacity as data controller and can be reached through the communication channels available at www.reptur.ru, www.reptur.com, www.reptur.de, and www.reptur.com.tr.

b) Purposes of processing personal data

The processing of personal data is carried out for specific, explicit, and legitimate purposes and is based on the principle of informing data subjects. The purposes for which your obtained data are processed are included in section V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY of the Policy.

c) Persons to whom personal data is transferred and the purposes of transfer

The persons to whom personal data is transferred and the purposes of the transfer must be clearly stated within the framework of the data controller's obligation to inform the data subject. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The recipient groups to whom personal data is transferred by Reptur and the purposes of the transfer are shown in section IV. TRANSFER OF PERSONAL DATA.

HTML etiketlerini ve stil özelliklerini tam olarak koruyarak hazırladığım İngilizce çeviri aşağıdadır:

d) Method and legal grounds for personal data collection

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which of the personal data processing conditions the processing is based. The method and mediation of data collection are determined by the data controller. The conditions for processing personal data, i.e., the cases of compliance with the law, are listed exhaustively in the Law (Art. 5-6), and these conditions cannot be expanded.

Reptur, as the data controller, primarily evaluates whether the purpose of the personal data processing activity is based on one of the processing conditions other than explicit consent; if this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, then the explicit consent of the person is sought for the continuation of the data processing activity.

IV. TRANSFER OF PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the data subject. However, they may be transferred without seeking the explicit consent of the data subject if one of the conditions specified in:

The second paragraph of Article 5,
The third paragraph of Article 6, provided that adequate measures are taken,

is present.

Accordingly, personal data of the data subject may be transferred to third parties without obtaining explicit consent if: it is expressly provided for in the laws (1), it is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent is not legally recognized (2), it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract (3), it is mandatory for the data controller to fulfill its legal obligation (4), it has been made public by the data subject themselves (5), data processing is mandatory for the establishment, exercise, or protection of a right (6), or if data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

At the same time, among the special categories of personal data belonging to data subjects, personal data other than health and sexual life may be transferred in cases provided for by law; whereas personal data relating to health and sexual life may only be transferred to third parties without seeking the explicit consent of the data subject by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning and management of health services and financing.

Information regarding the recipient groups to whom your personal data processed by Reptur is transferred is included in the section ANNEX 4 – Third Parties to Whom Personal Data is Transferred and Purposes of Transfer of this Policy.

4.2. International Transfer

Personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without seeking the explicit consent of the data subject if one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law is present, and in the foreign country where the personal data will be transferred:

There is adequate protection,
In the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and the Board's permission is obtained,

HTML etiketlerini ve stil özelliklerini bozmadan hazırladığım İngilizce çeviri aşağıdadır:

personal data may be transferred abroad without seeking the explicit consent of the data subject.

V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

The categorization of data obtained by Reptur from the relevant data subjects and the purposes pursued in the processing of personal data are shown in the relevant sections of the clarification texts available on our website for each category of data subject.

VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

Administrative and technical measures are taken by Reptur for the secure storage of personal data, the prevention of unlawful processing, and the prevention of unauthorized access to personal data.

In order to ensure personal data security, Reptur identifies all personal data processed and determines the probability of risks that may arise regarding the protection of this data; while identifying these risks, it is taken into account whether the personal data is special category personal data (1), the degree of confidentiality required by its nature (2), and the nature and quantity of the damage that may arise for the data subject in case of a security breach (3).

After defining these risks and determining their priority, control and solution alternatives aimed at reducing or eliminating said risks are evaluated in line with the principles of cost, applicability, and utility; necessary technical and administrative measures are planned and put into practice.

6.1. Administrative Measures

It is of great importance for ensuring personal data security that employees perform the first response to attacks that would damage personal data security and regarding cybersecurity, even if they have limited information. For this reason, awareness and information activities are carried out within our internal organization in our capacity as data controller.

It is ensured that employees are provided with the necessary training on issues such as the non-disclosure and non-sharing of personal data unlawfully, awareness activities are carried out for employees, and an environment where security risks can be identified is created; the roles and responsibilities regarding personal data security for everyone working under the data controller, regardless of their position, are determined in their job descriptions, and employees are made aware of their roles and responsibilities in this regard.

On the other hand, confidentiality agreements are signed as part of the recruitment processes of employees, and a disciplinary process is maintained that will be activated in case employees do not comply with security policies and procedures.

In the event of any changes in the policies and procedures implemented regarding personal data security, information about data security and security threats is kept up to date by conducting trainings to notify and explain the change to employees.

In accordance with sub-paragraphs (b) and (d) of Article 4 of the Law, personal data must be accurate and up-to-date when necessary, and must be retained for the period prescribed in the relevant legislation or required for the purpose for which they are processed. In this context, processed data are processed in accordance with the principles and rules that must be observed in the data processing activity and are retained for the period required for the purpose for which they are processed. Information regarding the storage and destruction procedures and storage periods of personal data processed by Reptur is shown in sections VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA and ANNEX-4: Personal Data Retention Periods of this Policy.

The table below provides a summary of the administrative measures being taken to ensure data security:

Tablo yapısını, renk kodlarını (background colors) ve hücre genişliklerini tamamen koruyarak hazırladığım İngilizce çeviri aşağıdadır:

Administrative Measures

Risk Analyses are being conducted.

Corporate Communication (Crisis Management, Board and Data Subject Notification Processes, Reputation Management, etc.) is being ensured.

Monitoring of Personal Data Security is being performed.

Personal Data is being minimized as much as possible.

Personal Data Security Policies and Procedures have been established.

Corporate Policies regarding Access, Information Security, Usage, Storage, and Destruction have been prepared and are being implemented.

Existing Risks and Threats have been identified.

Personal Data Security Issues are reported promptly.

In-house Periodic and/or Random Audits are being conducted and/or commissioned.

Security measures within the scope of Information Technology Systems Procurement, Development, and Maintenance are being taken.

Protocols and Procedures for Special Categories of Personal Data Security have been established and are being implemented.

Disciplinary Regulations containing Data Security Provisions for employees are being implemented.

Periodic Training and Awareness Activities on Data Security are being conducted for employees.

Access privileges in this field are revoked for employees who undergo a change of duty or leave the job.

Periodic Audits of Data Processor service providers regarding Data Security are ensured.

6.2. Technical Measures

Firewalls and gateways are used among the measures taken to protect my information technology systems containing personal data against unauthorized access and threats from third parties over the internet. The firewall used ensures the blocking of breaches into the information network, while the gateway restricts employees' access to websites or online platforms that pose a threat to personal data security.

Furthermore, regular checks are conducted to ensure the proper functioning of software and hardware and to determine whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted; in this context, employees are granted access authorization only to the extent necessary for their tasks, duties, powers, and responsibilities, and access to the relevant systems is provided by using usernames and passwords. While creating these passwords, sequences of numbers or letters that are related to personal information or easy to guess are avoided as much as possible.

Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect threats, are used to protect against malicious software.

To ensure data security, necessary measures are taken to keep physical documents containing personal data, as well as servers, backup devices, CDs, DVDs, USBs, and other similar storage devices, open only to the access of authorized personnel and to increase physical security in this regard.

The table below provides a summary of the technical measures being taken to ensure data security:

Technical Measures

Authority Matrix

Authority Control System

Regular Maintenance of Access Logs

User Account Management

Network Security

Application Security

Encryption

Intrusion Detection and Prevention Systems

Logging (Maintenance of Log Records)

Maintenance of Log Records Without User Intervention

Data Loss Prevention Software

Continuous Monitoring of Cybersecurity Measures and Implementation

Backup and Ensuring Security of Backed-up Personal Data

Ensuring the Security of Personal Data Stored in the Cloud

Firewalls

Up-to-date Anti-Virus Systems

Deletion, Destruction, or Anonymization

Taking Necessary Security Measures for Entry and Exit to Physical Environments Containing Personal Data

Ensuring the Security of Environments Containing Personal Data

VII. PERSONAL DATA PROCESSING ACTIVITIES AT BUILDING ENTRANCES AND WITHIN THE BUILDING

Video Surveillance Activities at Building Entrances and Within the Building

Within the scope of the Law on Private Security Services, video surveillance activities are carried out at the Company entrance, workspaces, common areas, and surroundings for the purpose of ensuring security and protecting the interests related to the security of Reptur and other persons. Video surveillance activities are conducted in compliance with the Law and within the framework of the data processing conditions specified both in the Law and in this Policy.

VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA

8.1. In accordance with subparagraphs (b) and (d) of Article 4 of the Law, personal data must be accurate and up-to-date when necessary, and must be retained for the period prescribed in the relevant legislation or required for the purpose for which they are processed. Your personal data held by Reptur is retained for as long as the data processing activity is necessary; in the event that the obligation to delete, destroy, or anonymize personal data arises, they are deleted, destroyed, or anonymized within the first periodic destruction period following the date this obligation arises. In the deletion, destruction, or anonymization of your personal data, the Company acts in accordance with the general principles set forth in Article 4 of the Law and the technical and administrative measures set forth in Article 12.

The time interval for periodic destruction is limited to a maximum of 1 year.

The personal data specialist personnel assigned by Reptur regarding the storage and destruction of data is the person responsible for the implementation and supervision of the personal data storage and destruction policy.

All operations regarding the deletion, destruction, or anonymization of personal data by Reptur are recorded and, pursuant to legal obligations, are kept for at least 3 years.

The retention periods of personal data processed by Reptur are shown in ANNEX-4.

8.2. Obligation to Delete, Destroy, and Anonymize Personal Data

Personal data processed by Reptur is deleted, destroyed, or anonymized ex officio or upon the request of the relevant data subject in the event that the reasons requiring processing cease to exist, in accordance with Article 7 of the Law and the provisions of the "Regulation on the Deletion, Destruction, or Anonymization of Personal Data" prepared by the Personal Data Protection Board and published in the Official Gazette dated October 28, 2017, and numbered 30224.

a) Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant employees in any way.

All necessary technical and administrative measures are taken to ensure that deleted personal data is inaccessible and unusable for the relevant employees.

b) Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.

The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data, and every technical and administrative measure is taken to ensure that personal data is inaccessible, irretrievable, and unusable by anyone in any way.

c) Anonymization of personal data

Anonymization of personal data is the process of rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even if it is matched with other data.

While all necessary technical and administrative measures are taken by Reptur for the anonymization of your personal data, it is anonymized by applying methods consistent with our personal data storage and destruction policy.

7.3. Personal Data Recording Environments

Personal data recording environment refers to any environment containing personal data processed by fully or partially automated means or by non-automated means provided that it is part of a data filing system.

Personal data regarding the relevant data subjects are stored securely by Reptur in the data recording environments specified below, in accordance with the relevant legislation, primarily the provisions of LPPD No. 6698, and within the framework of international data security principles:

a) Technical recording environments: Computer environment, central servers, removable memories (USB, Memory Card, etc.), information security devices, and software.

b) Non-technical data recording environments: Papers, manual data recording systems, written, printed, and visual media.

7.4. Reasons Requiring the Destruction of Personal Data

Personal data regarding the relevant data subjects are destroyed by Reptur for purposes and reasons such as, but not limited to:

General principles set forth in Article 4 of the Law,
Amendment of the relevant legislative provisions that form the basis of the processing,
Withdrawal of the explicit consent by the data subject in cases where processing is based solely on explicit consent,
Request by the data subject for the destruction of their personal data,
Expiration of the legal obligations regarding the storage of personal data,
Disappearance of the purpose requiring the processing or storage of personal data,
Expiration of the maximum period requiring the storage of personal data and the absence of any justified reason to continue storage.

7.5. Techniques for Deletion, Destruction, and Anonymization of Personal Data

Techniques for deletion, destruction, or anonymization of processed personal data by Reptur are shown below, and which technique will be applied may vary depending on the nature of the processed personal data.

During the performance of deletion, destruction, or anonymization of personal data, necessary administrative and technical measures are taken, such as informing employees about information security and destruction processes, choosing the most appropriate method according to the nature of the data recording environment where personal data is kept, conducting regular and periodic maintenance and monitoring work regarding data security, using the most up-to-date destruction systems technologically and technically, issuing automatic deletion commands, and revoking the authorization to access, reuse, or retrieve deleted data.

To this end, it is first necessary to identify the personal data subject to deletion, destruction, or anonymization (1), identify the relevant employees for each personal data using an access authorization and control matrix or a similar system (2), determine the access, retrieval, and reuse authorizations and methods of the relevant employees (3), and close and eliminate the access, retrieval, and reuse authorizations and methods of the relevant employees within the scope of personal data (4).

The procedure followed for the deletion of personal data is as follows:

Issuing a deletion command in cloud or application-type solutions,
Blacking out, cutting, or making invisible for data located in paper media,
Deletion using appropriate software for data located on portable media.

The procedure followed for the destruction of personal data is as follows:

Physical destruction processes in paper or electronic media.

The procedure followed for the anonymization of personal data is as follows:

Removing variables from data that can be associated with the data subject,
Regional masking to make the data set more secure and reduce the risk of predictability,
Generalization process aimed at converting the relevant personal data from a specific value to a more general value.

IX. RIGHTS OF THE PERSONAL DATA SUBJECT AND THE EXERCISE OF RIGHTS

9.1. Rights of the Personal Data Subject

In accordance with Law No. 6698, in your capacity as a data subject, you have the right to:

Learn whether your personal data is being processed,
Request information if your personal data has been processed,
Learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
Know the third parties to whom personal data is transferred domestically or abroad,
Request rectification if the personal data is processed incompletely or inaccurately,
Request deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7,
Request notification of the operations performed regarding rectification, deletion, or destruction to third parties to whom the personal data has been transferred,
Object to the occurrence of a result against you by analyzing your processed data exclusively through automated systems,
Claim compensation for damages in case you incur loss due to the unlawful processing of your personal data.

9.2. Exercise of Rights by the Personal Data Subject

As personal data subjects, you may submit your requests regarding your rights by filling out the Application Form published on the website using the methods regulated in the data subject application procedure, or by using the methods specified in the Communiqué on the Procedures and Principles of Application to the Data Controller, including name, surname, and signature if the application is in writing, T.C. identity number for citizens of the Republic of Turkey, nationality for foreigners, passport number or identity number if any, residential or workplace address for notification, e-mail address for notification if any, telephone and fax number, the subject of the request in writing or by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified to Reptur by the data subject and registered in Reptur's system, in a manner that your identity can be confirmed, to Reptur's address at OTTO business center, Barbaros, Mimar Sinan Cd. No:165 floor:5 office:36, 34746 Ataşehir/İstanbul or to the contact address [email protected]. In such case, Reptur will conclude the request free of charge as soon as possible and within thirty days at the latest from the date of notification, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by Reptur.

9.3. Response of Our Company to Applications

Reptur concludes the application as soon as possible according to the nature of the request. This period cannot exceed 30 days from the notification of your application to Reptur. In the event that additional information is requested due to deficiencies or unclear statements in your application, the response period does not start until the relevant additional information and documents are notified to us. If the transaction requires any cost, a fee may be requested according to the tariff determined by the Personal Data Protection Board.

ANNEX – 1: Definitions

Explicit consent: Consent regarding a specific subject, based on information and expressed with free will.

Anonymization: Rendering personal data impossible to be associated with an identified or identifiable natural person in any way, even by matching it with other data.

Recipient group: The category of natural or legal person to whom personal data is transferred by the data controller.

Direct identifiers: Identifiers that, on their own, directly reveal, disclose, and distinguish the person they are associated with.

Indirect identifiers: Identifiers that, by coming together with other identifiers, reveal, disclose, and distinguish the person they are associated with.

Data subject (Relevant person): The natural person whose personal data is processed.

Relevant user: Natural or legal persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Destruction: Deletion, destruction, or anonymization of personal data.

Law: The Law on the Protection of Personal Data No. 6698, dated 24/3/2016.

Blacking out: Processes such as crossing out, painting, and blurring the whole of the personal data in such a way that it cannot be associated with an identified or identifiable natural person.

Recording medium: Any environment where personal data is processed by fully or partially automated means or by non-automated means, provided that it is part of a data filing system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of personal data: Any operation performed on data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automated means or by non-automated means provided that it is part of a data filing system.

Law on the Protection of Personal Data (“LPPD”): The Personal Data Protection Law No. 6698, which entered into force after being published in the Official Gazette on April 7, 2016.

Board: The Personal Data Protection Board.

Authority: The Personal Data Protection Authority.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data filing system: The recording system where personal data is processed by being structured according to specific criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

ANNEX – 2: Personal Data Subjects (Relevant Persons)

Data Subject Categories	Description
Employee	Refers to the persons working within Reptur.
Employee Candidate	Refers to natural persons who apply for a job by sending a CV or by other methods to Reptur.
Potential Customer	Refers to natural persons who show interest in using the services offered by Reptur and have the potential to become customers.
Customer	Refers to natural persons receiving services from Reptur.
Supplier	Refers to natural persons and legal person employees from whom services are procured by Reptur.
Shareholders/ Partners	Refers to individuals who hold at least one share in Reptur.
Visitor	Refers to 3rd persons who visit the workplace and Reptur's website.
Business Partners	Refers to natural persons and legal person employees with whom business, operations, and cooperation are carried out by Reptur to conduct service development and all other kinds of commercial activities.
Other Relevant Third Parties	Refers to natural persons other than the defined relevant persons for whom personal data processing activities are carried out by Reptur.

ANNEX – 3: Third Parties to Whom Personal Data is Transferred and Purposes of Transfer

Transferred Person/Unit	Scope	Purpose of Transfer
Business Partners	Parties with whom business partnerships are established within the scope of commercial activities carried out by Reptur	Transfer of personal data limitedly for the purpose of ensuring the performance of the activity carried out with business partners.
Authorized Public Institutions and Organizations	Legal relationships between legally authorized public institutions and organizations and Reptur	Sharing/transfer of information and documents requested by relevant public institutions and organizations from Reptur, limited to the purpose of the request.
Suppliers	Parties from whom services are obtained for the sustainability of Reptur's commercial activities	Transfer of personal data limitedly for the purpose of obtaining services from suppliers.
Legal Consultants	Parties from whom services are obtained for the purpose of legal support for Reptur	Transfer of personal data limitedly for the purpose of obtaining legal support within the scope of establishing, using, and protecting the legal rights of Reptur.
Financial Advisors	Parties from whom services are obtained for the purpose of support in financial matters for Reptur	Transfer of personal data limitedly for the purpose of obtaining professional support within the scope of establishing, using, and protecting the financial rights of Reptur.

ANNEX – 4: Personal Data Retention Periods

Source of Personal Data	Period	Legal Basis
Personal Data Processed in Contracts and Contractual Relationships (e.g., Company Official Name and Surname, Signature Circular, etc.)	10 Years from the Termination of the Contract	Law No. 6102, Law No. 6098, and Law No. 213
Sales and Procurement Processes	During the Business/Commercial Relationship with Reptur and 10 Years from its Termination	Turkish Code of Obligations No. 6098 and Turkish Commercial Code No. 6102
All Records Regarding Accounting and Financial Transactions	10 Years	Law No. 6102, Law No. 213
Personal Data Regarding Tax Records	5 Years	Tax Procedure Law No. 213
Marketing Processes	2 Years	Law No. 6102, Law No. 6098, and Law No. 213
All Records Regarding Human Resources Processes within the Scope of Labor Law, Including Personnel Files	10 Years from the Termination of the Employment Relationship	Labor Law No. 4857 and Related Legislation / Turkish Code of Obligations No. 6098
Data Collected within the Scope of Occupational Health and Safety Legislation (e.g., Pre-employment health tests, health reports, OHS Trainings, records regarding Occupational Health and Safety activities, etc.)	15 Years from the Termination of the Employment Relationship	Occupational Health and Safety Law No. 6331, Regulation on Occupational Health and Safety Services
Data Processed Pursuant to Corporate Communication Activities for Employees	10 Years from the Termination of the Employment Relationship	Sectoral Customs Apply.
Data Regarding Candidate Applications in Case the Job Application is Not Accepted (e.g., Resume, Application Form, etc.)	2 Years	Sectoral Customs Apply.
Personal Data of Physical Visitors	1 Year	Sectoral Customs Apply.
Commercial Electronic E-mail Consent Records	1 Year from the Date Consent is Withdrawn	Law No. 6563, Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015
Personal Data Processed for Security Purposes Pursuant to CCTV Cameras (Camera Records)	3 Months	Sectoral Customs Apply.
Traffic Information Processed During Network Usage, Internet Login, and Remote Connection	2 Years	Law No. 5651
Cookies, Traffic Information, and Log Records Regarding Online Visitors	6 Months – Maximum 2 Years	Internet Law No. 5651
Personal Data Protection Board Operations	10 Years	Law No. 6698