Data Policy

MANGODO BİLİŞİM A.Ş. DATA POLICY

PURPOSE

The protection of personal data and respect for the fundamental rights and freedoms of the natural persons whose personal data are collected are among the highest priorities of Mangodo Bilişim A.Ş. ("Mangodo" or "Company"). For this reason, we conduct all our activities that involve the processing of personal data with due regard to the privacy of private life, the confidentiality of communications, freedom of thought and belief, and the right to seek effective legal remedies.

To protect personal data in line with current legislation and technology, we apply all administrative and technical safeguards that the nature of the data requires, and we keep those safeguards up to date. This Data Policy ("Policy") explains the methods we follow in processing the personal data collected during our activities (such as their retention, transfer, deletion, or anonymization) in line with the principles of the PDPL.

(1) The Personal Data Retention and Destruction Policy is prepared to set out the procedures and principles of the retention and destruction activities carried out by our Company under the applicable Law No. 6698 on the Protection of Personal Data and the secondary regulations issued under that Law (regulations, communiqués, principle/board decisions, etc.).

(2) As part of its legal and social responsibility, our Company has set as a priority the processing — in compliance with the Constitution of the Republic of Türkiye, Law No. 6698, and other relevant legislation — of the personal data belonging to the categories of employee, shareholder/partner, prospective product or service buyer, supplier employee, supplier representative, product or service buyer (customer), and parent/guardian/representative, and the effective exercise of the rights of those data subjects.

(3) The work and processes related to the retention and destruction of personal data are carried out in line with this Policy, which has been prepared for that purpose.

SCOPE

(1) This Policy applies to data belonging to our Company's customers (product and service buyers), potential customers, employees, employee candidates, supplier employees, supplier representatives, and parents/guardians/representatives.

(2) Within the categories of data subjects listed above, our Company processes personal data in the following categories: identity, contact, personnel, legal action, customer transaction, physical premises security, transaction security, risk management, finance, professional experience, marketing, visual and audio recordings, religion information, health information, criminal conviction and security measures, and biometric data.

(3) Personal data of employees or of third parties — even if those parties are customers of our Company — that are processed on the employees' own phones, computers, or other electronic devices not allocated by the Company and that do not constitute a data registry system under Law No. 6698 and its secondary regulations are outside the scope of this Policy.

(4) Employees may not store or otherwise process the personal data covered by this Policy in their own personal electronic — or even non-electronic — environments that bear the characteristics of a data registry system. The Company reserves its right of recourse against the relevant personnel for any damage, loss, or administrative sanction it may face as a result of conduct contrary to this provision.

Our Policy applies to all processing activities involving personal data within the Company. It has been prepared with due regard to the PDPL and other personal-data legislation, as well as international standards in this area.

DEFINITIONS AND ABBREVIATIONS

DEFINITIONS

• Company: Mangodo Bilişim A.Ş.
• Senior Management: The Board of Directors or the General Manager.
• Law: Law No. 6698 on the Protection of Personal Data.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Personal Data Subject: The natural person whose personal data is processed, referred to in the Law as the "data subject."
• Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, retaining, altering, restructuring, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, either wholly or partially by automated means, or by non-automated means provided that the data are part of a data registry system.
• Data Controller: The legal entity responsible for taking the necessary security measures to prevent unlawful processing of, and unlawful access to, personal data, and to ensure the protection of those data.
• Contact Person: The natural person appointed to act as the point of contact with the Personal Data Protection Authority, responsible for entering and updating the data inventory in VERBIS.
• Data Controllers' Registry Information System (VERBIS): The information system created and managed by the Personal Data Protection Authority, accessible online, which data controllers use to make registry applications and conduct other registry-related operations.
• Explicit Consent: Consent that relates to a specific subject, is based on prior information, and is given freely.
• Deletion of Personal Data: The process of rendering personal data inaccessible and unusable by any means for the relevant users.
• Destruction of Personal Data: The process of rendering personal data inaccessible, irretrievable, and unusable in any way by anyone.
• Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person, even when combined with other data.
• Personal Data Processing Inventory: The inventory in which the Company describes its data-processing activities according to its business processes, associating them with processing purposes, data category, recipient group, and the group of data subjects; and which states the processing purposes, legal basis, maximum retention period necessary for those purposes, and the security measures taken.
• Destruction: The deletion, destruction, or anonymization of personal data.
• Periodic Destruction: The deletion, destruction, or anonymization carried out ex officio at recurring intervals set out in the policy when the conditions for processing personal data no longer apply.
• Board: The Personal Data Protection Board.
• Authority: The Personal Data Protection Authority.
• Data Categories: The classification of personal data based on common features, into the group(s) of data subjects.
• Application Form: The form titled "Form on Applications by the Data Subject (Personal Data Owner) to the Data Controller under Law No. 6698 on the Protection of Personal Data," used by data subjects to exercise their rights.
• Employee Candidate: A natural person who has applied for a job in any way or who has shared their CV and related information for review.
• Employees, Shareholders, and Officials of Institutions with Which We Collaborate: Natural persons working at institutions with which our Company has any business relationship (business partner, supplier, and the like, by whatever name), including those institutions' shareholders and officials.
• Business Partner: Parties with which the Company forms business partnerships to carry out various projects, provide or receive services, etc., directly or together with potential future group companies.
• Special Categories of Personal Data: Data concerning a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, dress and clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, together with biometric and genetic data.
• Customer: All persons contacted regarding any of the Company's services within the scope of its field of activity for purposes such as the provision of services, use in marketing activities, service offerings, modelling, reporting, scoring, risk monitoring, intelligence, existing or new reporting studies, and identification of potential customers.
• Company Shareholder: A natural-person shareholder of our Company.
• Company Official: A member of the Company's board of directors or other authorized natural person.
• Supplier / Technical Service / Dealer: Parties that provide services on a contractual basis to our Company and our customers, in line with our Company's instructions, while we carry out our commercial activities.
• Third Party: Natural persons whose personal data are processed under this Policy and who are not otherwise defined (e.g., former employees).
• Data Processor: The natural or legal person who processes personal data on behalf of the data controller under the controller's authorization — for example, the cloud-computing provider that holds/stores our Company's data, or third parties providing outsourced support services.
• Visitor: Natural persons who enter our Company's physical premises for various purposes, or who visit our Company's websites, mobile and digital applications.

ABBREVIATIONS

• PDPL: Law No. 6698 on the Protection of Personal Data, dated 24 March 2016, published in Official Gazette No. 29677 dated 7 April 2016.
• PDP Board: Personal Data Protection Board.
• PDP Authority: Personal Data Protection Authority.
• Policy: The Company's Personal Data Processing, Protection, and Destruction Policy.
• Turkish Criminal Code ("TCK"): Turkish Criminal Code No. 5237 dated 26 September 2004, published in Official Gazette No. 25611 dated 12 October 2004.

ROLES AND RESPONSIBILITIES

A Personal Data Protection Officer ("Officer") has been appointed within the Company to monitor and manage the actions required for compliance with the Law. The principal duties of this Officer are:

• To prepare the Company's policies and procedures concerning Data, revise them where necessary, and take the actions required to put them into force.
• To distribute the necessary roles within the Company for the implementation of policies and procedures and to follow up on the actions taken.
• To monitor the audits to be conducted under Article 12 of the Law.
• To determine the actions to be taken to increase awareness within the Company regarding the application of the Law, and to distribute the corresponding roles.
• To ensure that actions are taken to address any questions or issues that may arise concerning the application of the Law and/or policies and procedures.
• To take the necessary actions, where required, to resolve data-subject applications.
• To conduct relations with the Personal Data Protection Authority.

LEGAL OBLIGATIONS

As a data controller, our legal obligations within the scope of Data are listed below.

Our Obligation to Inform

As a data controller, when we collect personal data, we have a duty to inform the data subject about:

● the purposes for which the personal data will be processed,
● information regarding our trade name,
● the persons to whom, and the purposes for which, the personal data may be transferred,
● the method and legal basis for collecting the data, and
● their rights under the PDPL.

As a Company, we make every effort to ensure that this Policy, which is open to the public, is understandable and easily accessible. We meet our duty to inform via our website, through information panels at our physical locations, or through information notices addressed to the relevant groups of data subjects.

Our Obligation to Ensure Data Security

As data controller, we take the administrative and technical measures required by legislation to ensure the security of the personal data we process. The obligations and the measures taken with respect to data security are detailed in this Policy.

PROCESSING, RETENTION, TRANSFER, AND SECURITY OF PERSONAL DATA

RECORDING ENVIRONMENTS

(1) Personal data are held within the Company in two fundamental types of environment: electronic and non-electronic.

(2) Electronic environments:
a. Servers (domain, backup, e-mail, database, web, file sharing, etc.) and software (office software, customer-tracking software, portals).
b. Information-security devices (firewalls, intrusion detection and prevention systems, log files, antivirus, etc.).
c. Personal computers (desktops, laptops).
d. Mobile devices (phones, tablets, etc.).
e. Optical discs (CD, DVD, etc.).
f. Removable storage (USB drives, memory cards, etc.).
g. Printers, scanners, photocopiers.

(3) Non-electronic environments:
a. Paper.
b. Manual data registry systems (survey forms).
c. Written, printed, and visual materials.

PROCESSING AND DESTRUCTION OF YOUR PERSONAL DATA

Personal data of the Company's employees, shareholders/partners, prospective product or service buyers, supplier employees, supplier representatives, product or service buyers (customers), and parents/guardians/representatives are stored and destroyed in accordance with the law.

Processing Activities

(1) Personal data are processed by the Company within the framework of the criteria of lawfulness, fairness, purpose limitation, and proportionality, and on the legal grounds set out in the Law.

(2) Personal data processed are connected with, limited to, and proportionate with the purposes of processing and the result intended to be achieved.

(3) Where a retention period is set in the relevant legislation, processing continues for that period; if no period is specified, processing continues for as long as is necessary for the purpose of processing.

(4) In this context, personal data will be processed/retained only for the mandatory periods set by the following laws, the regulations, communiqués, principle decisions, or other secondary regulations issued under them, and any other legal regulations the Company is required to comply with during its activities:

• Law No. 6698 on the Protection of Personal Data
• Labour Law No. 4857
• Occupational Health and Safety Law No. 6361
• Turkish Code of Obligations No. 6098
• Social Security and General Health Insurance Law No. 5510
• Law No. 6502 on the Protection of the Consumer
• Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications
• Law No. 6563 on the Regulation of Electronic Commerce
• Right to Information Act No. 4982
• Law No. 3071 on the Exercise of the Right of Petition
• Tax Procedure Law No. 213
• Corporate Tax Law No. 5520

Principles of Processing Personal Data

We process personal data in line with the following principles.

• Processing in compliance with the law and the rules of good faith
We process personal data in line with the rules of good faith, using transparent methods, and by fulfilling our duty to inform. When fulfilling that duty, wherever possible we briefly explain the processing purpose at the time the data is obtained from you, and we provide the data subject with access to non-detailed information about the processing.

• Ensuring accuracy and, where necessary, currency of personal data
We take the necessary administrative and technical measures in our data-processing procedures to keep processed data accurate and current. However, because a significant part of the data is processed on the basis of declarations by data subjects, we reflect those declarations as accurately as possible and offer data subjects the opportunity to apply to update their data and to correct any errors.

• Processing for specified, explicit, and legitimate purposes
We process personal data within the legitimate purposes we have determined to conduct our activities in line with the legislation and the requirements of the ordinary course of life, with their scope and content clearly determined.

• Connected with the purposes of processing, limited and proportionate
We process personal data in a manner connected with, limited to, and proportionate with the purposes we have set. We avoid processing irrelevant personal data or data not needed for processing. For this reason, we do not process special categories of personal data unless legally required, and where processing is necessary we obtain explicit consent.

• Retention for the periods set in the legislation or required by our legitimate interests
Many provisions of the legislation require personal data to be retained for specific periods. For this reason, we retain the personal data we process for the period set in the relevant legislation, or for the period necessary for the processing purposes. When the retention period set in the legislation ends, or when the processing purpose ceases, we delete, destroy, or anonymize the personal data.

Processing Purposes

The Company processes personal data for the purposes of using identity, address, tax number, and other information in all kinds of products and services offered under the legislation on investment services and activities; identifying the owner and counterparty of any business or transaction; preparing the information and documents that will support business and transactions carried out on paper or electronically; complying with the storage, reporting, and notification obligations imposed by all judicial and administrative authorities under the relevant legislation; and meeting the burden of proof in any future legal disputes.

Legal Basis of Processing

(1) The legal basis for processing is, in principle, the consent of the data subject. Such consent must be given with full knowledge of all aspects of the processing activity and its consequences, free from any influence capable of vitiating the data subject's will.

(2) The data may, however, be processed without the data subject's consent in the following cases:

a. Where it is expressly provided for in the law.
b. Where it is necessary for the protection of the life or physical integrity of the person himself/herself or of another person who is incapable of giving consent due to actual impossibility, or whose consent is not given legal validity.
c. Where it is necessary for the processing of the personal data of the parties to a contract, provided that the processing is directly related to the establishment or performance of a contract.
d. Where it is necessary for the Company to fulfil its legal obligations.
e. Where it has been made public by the data subject.
f. Where it is necessary for the establishment, exercise, or protection of a right.
g. Where it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Your personal data may be processed by our Company in line with the fundamental principles of the Law and the conditions for processing personal data, for the purposes set out below:

1) Processing your personal data in connection with your purchases of our products and services
• Identity Data (first name, surname, T.R. ID number),
• Contact Data (e-mail, phone number, address),
• Customer Transaction Data (purchased product, invoice and payment information),

processed for the purposes of: realising the sale of products and services offered by our Company; providing after-sales delivery and installation; fulfilling the obligations under the sales contract; and supplying after-sales services, with the latter falling within our legal obligations.

2) Processing your personal data through the contact form used on our website
• Identity Data (first name, surname),
• Contact Data (e-mail, phone number, address),

processed for the purposes of: carrying out information-update operations and conveying responses to complaints, suggestions, questions, and requests sent to MANGODO; necessary for our legitimate interest in establishing contact with the data subject at their request.

3) Processing your personal data in connection with customer-relations management and our electronic-environment software and call-centre services
• Identity Data (first name, surname, T.R. ID number),
• Contact Data (e-mail, phone number, address),
• Customer Transaction Data (purchased product, customer requests and complaints),

processed for the purposes of: receiving and evaluating customer requests and complaints submitted via our website or messaging applications; customer-relations management; internal reporting and improvement of business processes — based on the existence of a legitimate interest of the data controller (PDPL Art. 5), provided that this does not harm the fundamental rights and freedoms of the data subjects.

4) Processing your personal data in connection with our legal obligations and commercial activities
• Identity Data (first name, surname, T.R. ID number),
• Contact Data (e-mail, phone number, address),
• Customer Transaction Data (purchased product, order completion, customer requests and complaints),
• Biometric data taken from employees for entry/exit and security purposes,
• Information on business partners and their employees: full name, T.R. ID number, social-security data, registry records, ID copy, education documents, tax certificate, residence information, photograph, CV,

processed for the purposes of: fulfilling obligations under the legislation; providing information to public authorities, including documents requested; running accounting and finance processes; running information-security processes; performing sales-validation operations; ensuring physical-premises security and employee safety; conducting security, communication, and service processes for service-providing employees and business partners — based on (i) explicit provision in the law (e.g., invoice contents under the Tax Procedure Law), (ii) legal obligation (e.g., data-security obligations), (iii) necessity for the establishment, exercise, or protection of a right (e.g., as evidence in legal disputes), and (iv) the legitimate interest of the data controller, provided that it does not harm fundamental rights and freedoms.

SHARING OF PERSONAL DATA

Your personal data may be transferred to or shared with the following parties for the purposes set out, in compliance with the article of the Law on transfers:

• Parties to whom data is transferred so that you can benefit from the sale and after-sales delivery of our products and services;
• Our suppliers providing services in the field of information technology, including software, maintenance, security, and personal-data hosting;
• Our suppliers providing cargo and logistics services;
• Our business partners from whom we obtain legal support;
• Consulting business partners engaged for business development and project execution;
• Our business partners engaged solely for the resolution of customer complaints, the organization of customer visits within the scope of customer satisfaction, or the conduct of our commercial and operational activities;
• Our business partners, for identity verification where customers benefit from campaigns or offers provided by those partners;
• Our business partners engaged solely to organize visits within the scope of customer satisfaction;
• Public authorities and authorized private institutions, within the scope of our legal obligations.

PROCESSING AND SHARING SUBJECT TO YOUR EXPLICIT CONSENT

Some processing operations under the Law require the data subject's explicit consent. In line with the conditions for processing personal data set out in the Law, our Company may, only with your consent, process your personal data for the following purposes and share them with the third-party suppliers we engage:

• Personalizing our products and services to your preferences, usage habits, and needs, and offering them to you; conducting analysis, segmentation, or targeting activities; presenting special product or service offers, new product announcements, campaigns, promotions, and other marketing activities; conducting surveys and customer-satisfaction measurements; contacting you electronically in connection with such activities; accessing data retained in line with statutory periods; receiving backup and archiving services in physical and digital environments. In addition, data will be shared with our international partners and branches for reporting, valuation, service and product satisfaction, supply, development, and follow-up purposes.

10. REASONS REQUIRING DESTRUCTION

(1) Personal data are deleted, destroyed, or anonymized — either at the request of the data subject or ex officio by the Company — in the following cases:

a. Amendment or repeal of the provisions of the legislation that justify the processing;
b. Cessation of the purpose requiring processing or retention;
c. Withdrawal of explicit consent, in cases where processing was based solely on consent;
d. Acceptance by the Authority of an application by the data subject for deletion or destruction under Article 11 of the Law;
e. Where the Company rejects, gives an inadequate response to, or fails to respond within the time set by the Law to the data subject's application for deletion, destruction, or anonymization, and the data subject files a complaint with the Board, which finds the request appropriate;
f. Expiry of the maximum retention period required for the personal data, in the absence of any condition justifying a longer period.

11. SPECIAL PROVISIONS ON SPECIAL CATEGORIES OF PERSONAL DATA

(1) Personal data concerning a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, dress and clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, together with biometric and genetic data, constitute special categories of personal data.

(2) The fundamental ground for processing and transferring special categories of personal data is the consent of the data subject. Personal data other than those concerning health and sexual life may, however, be processed without the data subject's explicit consent in the cases provided for in the laws. Personal data concerning health and sexual life may be processed without explicit consent only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and finance, by persons under a duty of confidentiality, or authorized institutions and organizations.

(3) The Company holds religion information, health data, criminal convictions and security measures, and biometric data within its data registry systems as special categories of personal data. Health, criminal convictions and security measures, and biometric data are held only with respect to employees. The processing purposes are based on legal requirements (for health, criminal convictions, and security-measures categories) and on the Company's legitimate interest (for biometric data).

(4) The relevant articles of this Policy also apply to the processing purposes, processing periods, and deletion/destruction/anonymization periods for special categories of data. In our Company, photographs of employees, suppliers, and business partners, security camera images in physical environments, and biometric data taken at building entry/exit are held for security purposes as special categories of data. Special categories of data of service-consuming customers are not held in our Company.

(5) In processing special categories of personal data, the Company:
a. Regularly trains employees involved in processes handling special categories of personal data on the Law, secondary regulations, decisions and guidance published by the Board, and the security of such data.
b. Has concluded confidentiality agreements with employees who have access to special categories of personal data.
c. Clearly defines the scope and duration of authority of users with access rights to such data.
d. Periodically reviews access rights.
e. Immediately revokes the access rights of employees who change roles or leave the Company, and recovers any inventory allocated to them.

(6) For special categories of personal data held in electronic form:
a. Data are stored physically in secure and segregated environments.
b. Audit trails are kept for all activities performed on the data, and the security of those audit trails is ensured.
c. Data from areas accessed via employee biometric data are not transferred to any other location, are not held in an accessible environment outside the hardware disk, and are not archived.
d. Digital records are not accessible by Company personnel at large; access is provided in a separate environment, only under specific permission and request. Access restrictions are enforced, and access is granted only when legally required, through an authority matrix.
e. When remote access is required — particularly by external service providers — defined areas within the system are designated, logs of accessing IP addresses are kept, and remote operations are visually monitored.

(7) For special categories of personal data held physically in employee personnel files, the necessary security measures have been taken to prevent unauthorized access; files are kept in locked cabinets under the control of the human-resources manager. The keys to these cabinets are controlled by the human-resources unit manager. Records, entries, and exits are also held digitally on a single computer under the human-resources manager's control. The relevant building services (including the archive area) have been protected against electrical leaks, fire, flood, theft, etc.

12. TRANSFER OF PERSONAL DATA

Domestic transfer

As a Company, we act in line with the rules set out in the PDPL and the decisions of the PDP Board regarding the transfer of personal data.

Without prejudice to the lawful bases set out in the legislation, personal data and special categories of personal data are not transferred to third parties without the data subject's explicit consent.

International transfer

As a rule, personal data may not be transferred abroad without the data subject's explicit consent.

Nevertheless, where one of the lawful bases set out in this Policy exists and the third party to which the data is to be transferred abroad either (i) is located in one of the countries deemed safe by the PDP Board, or (ii) is not located in such a country but the Company and the data controller in the unsafe country have provided written undertakings of adequate protection and the PDP Board has authorized the international transfer, personal data may be transferred abroad without the need for explicit consent.

Third Parties to Whom Personal Data Are Transferred by the Company

Personal data may be transferred — within the rules set out in this Policy — to the categories of recipients listed below:

1. Authorized public institutions and organizations
2. Natural persons or private-law legal entities
3. The public

Authorized public institutions and organizations refer to public bodies entitled to obtain information and documents from the Company under the relevant legislation. Transfers may be made to them for: conducting activities in compliance with the legislation; following up and conducting legal matters; informing authorized persons, institutions, and organizations; fulfilling the obligations arising from employees' employment contracts and the legislation; conducting/auditing business activities; and conducting occupational health and safety activities.

Natural persons or private-law legal entities refer to private parties entitled to obtain information and documents from the Company in the context of our activities and services. Transfers may be made to them for: conducting business activities; ensuring business and/or service continuity; running the supply chain; planning and managing goods/service production, delivery, and maintenance processes; and ensuring customer satisfaction.

The public refers to the views, attitudes, and beliefs adopted by a significant portion of a community regarding a particular issue. Transfers to the public may be made for the purpose of informing the public within the scope provided by the legislation.

13. TECHNICAL AND ADMINISTRATIVE MEASURES

To ensure the secure storage of personal data, to prevent unlawful processing and access, and to ensure the lawful destruction of personal data, the Company takes the technical and administrative measures required by Article 12 of the Law, within the adequate framework determined and published by the Board for special categories of personal data.

13.1. Technical measures

We take various measures to protect personal data, including but not limited to:

1. Ensuring network security and application security.
2. Using a closed-system network for transfers of personal data over the network.
3. Taking security measures within the scope of supply, development, and maintenance of information-technology systems.
4. Maintaining access logs in a regular and tamper-resistant manner.
5. Using up-to-date antivirus systems.
6. Using firewalls.
7. Minimizing personal data as far as possible.
8. Backing up personal data and securing those backups, and conducting necessary internal warnings and notifications on a regular basis.
9. Using user-account and authorization-control systems, including their monitoring, encryption, code retrieval, and password-renewal systems.
10. Using intrusion-detection and -prevention systems.
11. Taking cybersecurity measures and continuously monitoring their implementation.

13.2. Administrative measures

We take various measures to protect personal data, including but not limited to:

1. Maintaining an authority matrix for employees.
2. Revoking the authorities of employees who change roles or leave the Company.
3. Taking the necessary security measures for entry to and exit from physical environments containing personal data.
4. Entry into the Company's physical premises is granted following an identity check without recording the visitor's name. Visitor entry-exit records that contain names are kept in physical form for 5 years.

DATA SECURITY UNDER THESE MEASURES

Our obligations regarding personal-data security

As a Company, we take administrative and technical measures, in line with technological possibilities and implementation costs, to:
● prevent unlawful processing of personal data,
● prevent unlawful access to personal data, and
● ensure lawful retention of personal data.

A. Measures we take to prevent unlawful processing of personal data

● Conducting and commissioning the necessary internal audits.
● Training and informing employees on lawful processing of personal data.
● Including provisions on appropriate security measures in our contracts with third parties when processing is carried out together with them.
● Notifying the data subject and the PDP Board in the event of unlawful disclosure or data leakage, conducting the legally required investigations, and taking the related measures.

B. Technical and administrative measures to prevent unlawful access to personal data

● Receiving remote or physical support from the technically expert main shareholder group and employing dedicated staff.
● Updating and renewing technical measures at regular intervals.
● Establishing internal access-authorization procedures.
● Defining the procedures for reporting on technical measures and audit processes.
● Conducting periodic audits to ensure that the Company's data-registry systems are used in line with legislation.
● Establishing emergency plans against potential risks and developing systems for their implementation.
● Training and informing employees on access to personal data and authorization.
● Including provisions on security measures in contracts with third parties who access personal data through processing or retention.
● Establishing security systems in line with technological developments to prevent unlawful access to personal data.

C. Measures taken in the event of unlawful disclosure of personal data

We take administrative and technical measures to prevent unlawful disclosure of personal data, and update them in line with our procedures. We have the necessary systems and infrastructure to notify the data subject and the PDP Board if we detect unauthorized disclosure of personal data. Notwithstanding all measures taken, if unlawful disclosure occurs, the PDP Board may, if it deems necessary, announce the matter on its website or by other means.

15. YOUR RIGHTS UNDER THE LAW

Under Article 11 of the Law, data subjects have the right to:
• learn whether their personal data are being processed;
• request information if they have been processed;
• learn the purpose of processing and whether the data are used in line with that purpose;
• know the third parties to whom personal data have been transferred domestically or abroad;
• request correction if data have been processed incompletely or incorrectly, and request that any such correction be notified to the third parties to whom data have been transferred;
• request deletion or destruction of personal data when the conditions requiring processing cease, even if the data have been processed in compliance with the Law and other legal provisions, and request that any such deletion or destruction be notified to the third parties to whom data have been transferred;
• object to any outcome that arises against them as a result of the data being analysed solely through automated systems;
• request compensation for damage suffered due to unlawful processing of personal data.

To make an application regarding your personal data, you may submit your request:
• In writing to Kandilli Mah. Rasathane Cad. Kandilli Rasathanesi Deprem Araştırma Enstitüsü No: 104/13 Apartment No: 17 Üsküdar / İstanbul, in person or via notary, with identity verification; or
• Via your registered electronic mail (KEP) address, secure electronic signature, mobile signature, or by using the e-mail address you previously notified to Mangodo and which is registered in Mangodo's system, sent to our Company's e-mail address.

Under the Communiqué on the Procedures and Principles of Application to the Data Controller ("Communiqué"), your application must include your name, surname, signature (if in writing), T.R. ID number (or nationality, passport number, or ID number if you are a foreign national), domicile or work address for service, an e-mail address for notification (if any), phone and fax numbers, and information about the subject of your request.

To exercise the rights listed above, the data subject must clearly and understandably set out the matter requested. Relevant information and documents must be attached to the application.

If the information you provide is inaccurate or outdated, or if the application is made by an unauthorized person using false or misleading information, the application will be rejected, and legal action may be taken against the unauthorized applicant. The subject of the request must concern the applicant in person; if a third party is acting on someone else's behalf, that third party must be specifically authorized and the authorization must be documented (notarized power of attorney or authority document). To prevent unauthorized access through data-subject applications and ensure the security of your personal data, identity-verification documents (copy of ID card or driver's licence, etc.) must be attached.

15.1. Evaluation of the Application

i. Response Time

Under Article 13(1) of the PDPL, applications to the Company in its capacity as data controller must be submitted as set out above. Under Article 6 of the Communiqué, your request will be finalized free of charge as soon as possible — and within thirty days at the latest from the date it reaches us — according to the nature of the request. Where a separate cost arises, a fee may be charged under Article 7 of the Communiqué.

ii. Our Right to Refuse the Application

Applications regarding personal data may be refused in cases including, but not limited to, the following:
● where personal data are processed for purposes such as research, planning, and statistics after being anonymized for official statistics;
● where personal data are processed for art, history, literature, or scientific purposes, or within the scope of freedom of expression, provided that they do not violate the data subject's right to privacy or personality rights, or constitute an offence;
● where personal data are made public by the data subject;
● where the application has no justified ground;
● where the application includes a request contrary to the relevant legislation; and
● where the application procedure is not followed.

15.2. Procedure for Evaluating the Application

For the response period set out in this Policy to begin, applications must be submitted via the Data Subject Application Form, either delivered by hand with an original signature or sent through a notary, sent with electronic signature via KEP, or sent through the e-mail address the data subject has previously notified to the data controller and which is registered in the controller's system.

If the request is accepted, the necessary actions are taken within 30 days and the applicant is notified in writing or electronically. If the request is refused, the applicant is notified — with reasons — within 30 days, in writing or electronically.

15.3. Right of Complaint to the Personal Data Protection Board

If an application is refused, the response is found inadequate, or no response is given within the time limit, the applicant has the right to file a complaint with the PDP Board within 30 days from learning the response and in any event within 60 days from the date of application.

PERIODIC DESTRUCTION PERIOD

The Company has set its periodic destruction period at 2 years. Periodic destruction is carried out in the May-November period of each two-year cycle.

UPDATES TO THE POLICY

The Policy is reviewed as needed, and the necessary sections are updated.

ENTRY INTO FORCE

This Policy enters into force by resolution of the Board of Directors.

Last updated: 2026