Policies



PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. Purpose

This Personal Data Processing and Protection Policy (“Policy”) sets forth the principles adopted by our Foundation to ensure compliance with the applicable legislation regarding the processing of personal data and the conduct of personal data processing activities.

2. Definitions

  • Explicit Consent: It refers to the consent given for a specific subject, based on information and expressed with free will.
  • Anonymization: It refers to rendering personal data unrelatable to an identified or identifiable natural person under any circumstances, even when matched with other data.
  • Secondary Legislation: It refers to any regulation, communiqué, notice, principle decision, or similar administrative decision or general opinion issued or adopted by the Personal Data Protection Authority under the Law.
  • Relevant Users: It refers to individuals within the data controller organization, or those processing personal data on behalf of the data controller under the authority and instructions received, excluding those responsible for the technical storage, protection, and backup of the data.
  • Law: It refers to the Personal Data Protection Law No. 6698.
  • Personal Data: It refers to any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: It refers to any operation performed on personal data, including the collection, recording, storage, preservation, modification, rearrangement, disclosure, transmission, acquisition, making available, classification, or restriction of use, whether carried out fully or partially by automated means or non-automated means as part of any data filing system.
  • Board: It refers to the Personal Data Protection Board.
  • Authority: It refers to the Personal Data Protection Authority.
  • Special Categories of Personal Data: It refers to data regarding a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • Registry: It refers to the Data Controllers' Registry, which is a registration system where data controllers are required to register and provide information about their data processing activities.
  • Deletion: It refers to making personal data completely inaccessible and unusable for the relevant users.
  • Deletion and Destruction Policy: It refers to the policy prepared by the Foundation, which regulates the procedures and principles related to deletion, destruction, or anonymization of personal data, in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
  • Foundation: It refers to Suna and İnan Kıraç Foundation.
  • VERBİS: Data Controllers Registry System
  • Data Processor: It refers to the natural or legal person who processes personal data on behalf of the Data Controller, based on the authorization granted by the Data Controller.
  • Data Protection Commission: It refers to the Personal Data Protection Commission of the Foundation.
  • Data Subject: The Data Subject, defined as the "Relevant Person" in the Law, refers to the natural person whose personal data is processed. Data Subjects include customers, internet users, individuals on communication, email, and marketing database lists, employees, contract parties, and suppliers.
  • Data Controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
  • Destruction: It refers to the process of making personal data completely inaccessible, irretrievable, and unusable by anyone under any circumstances.

3. Scope

Personal data within the Foundation is under the protection of the Foundation, which is the Data Controller. In accordance with the Law, the Foundation takes necessary technical and administrative measures by utilizing its technological and infrastructural capabilities to ensure the lawful processing and secure storage of Personal Data. The Foundation has adopted this Policy to establish the principles of understanding, policies, and procedures regarding the protection and processing of Personal Data.

4. Principles

4.1. Principles to be Followed in the Processing of Personal Data

  • Personal data is processed only in compliance with the law and the principles of honesty.

    The Foundation acts in compliance with the law and the principle of honesty in the processing of personal data. In this context, the Foundation processes personal data in accordance with the rules established by the Law. Additionally, the Foundation follows and ensures compliance with the regulations and decisions related to data processing activities that may be issued by the Board through Secondary Legislation from time to time.

  • Personal data must be accurate and, when necessary, kept up to date.

    The Foundation takes necessary measures to ensure that the personal data it processes is accurate and, when necessary, kept up to date. To ensure that personal data remains accurate and up to date, the Foundation identifies the sources from which the personal data is obtained, tests the accuracy of the data collected, considers requests related to the inaccuracy of personal data, and takes reasonable measures in this regard.

  • Personal data must be processed for specified, explicit, and legitimate purposes.

    The Foundation clearly and definitively defines the purpose of data processing and processes personal data solely for legitimate purposes. The personal data processed by the Foundation is related to and necessary for the activities it carries out.

  • Personal data should be retained for no longer than the period required by the relevant legislation or the purpose for which they were processed.

    The Foundation retains personal data only for the period required by the relevant legislation or for as long as necessary for the purpose for which they were processed. In this context, if a retention period for personal data is specified in the relevant legislation, the Foundation stores the personal data only for the duration of that period.

    However, considering the retention periods required under different legislation, including statute of limitations periods for lawsuits, the Foundation adopts maximum retention periods for the storage of data to prevent any loss of rights for its employees and customers. If no retention period is specified in the legislation or if there is no legal reason requiring the data to be retained for a longer period, the Foundation retains personal data only for the duration necessary for the purpose for which it was processed.

    In addition to this, the Foundation also complies with the rules and procedures regarding data retention outlined in the Destruction Policy.

4.2. Conditions for Processing

4.2.1 Processing of Personal Data

Personal data is processed based on one or more of the legal grounds for processing personal data specified in the Law, and in compliance with the regulations introduced by the Law.

In this context:

  • Personal data may be processed with the explicit consent of the Data Subject.
  • Personal data may also be processed without the explicit consent of the Data Subject, provided that one of the following conditions exists:
    • a. It is explicitly required by law;
    • b. It is necessary to protect the life or physical integrity of the Data Subject or another person, where the Data Subject is unable to give consent due to physical impossibility or where consent is not legally valid;
    • c. It is necessary for the performance of a contract, provided that the personal data of the parties to the contract is directly related to the establishment or performance of the contract;
    • d. It is mandatory for the Data Controller to fulfill a legal obligation;
    • e. It has been made public by the Data Subject themselves;
    • f. It is necessary for the establishment, exercise, or defense of a legal claim;
    • g. It is necessary for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

For all data groups processed by the Foundation, legal grounds for processing have been defined, and explicit consent texts have been prepared for business processes where legal grounds are not available.

4.2.2. Processing of Sensitive Personal Data

The Law has established different conditions for the processing of Sensitive Personal Data compared to Regular Personal Data.

In this context:

  • Sensitive Personal Data may be processed with the explicit consent of the Data Subject.
  • Sensitive Personal Data of the Data Subject, excluding health and sexual life data (such as race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or unions, criminal convictions, security measures, biometric and genetic data), may be processed without the explicit consent of the Data Subject in cases specified by law.
  • Personal data related to health and sexual life may only be processed without the explicit consent of the Data Subject by individuals or authorized institutions and organizations who are subject to the obligation of confidentiality, for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

4.3 Consent

  • To be valid, consent must be based on information, be clear, and be given freely.
  • The Data Subject must be provided with clear and understandable information regarding all matters related to processing. The information provided must be in a language that an average person can understand and should be easily accessible.
  • Explicit consent must be given clearly, leaving no room for doubt, and it must be limited to that specific processing activity.
  • Explicit consent may be obtained in writing or electronically.
  • Consent can be withdrawn by the Data Subject at any time.
  • The situations where explicit consent is required are determined by the Foundation. The Data Protection Commission ensures that explicit consent texts are regularly obtained and archived by the relevant departments.

4.4 Transfer of Personal Data

4.4.1 Transfer of Personal Data to Third Parties

Personal Data may be transferred in the following cases, if any of the conditions listed below apply:

  • a) The Data Subject has given explicit consent for the transfer;
  • b) The transfer is explicitly required by law;
  • c) The transfer is necessary to protect the life or physical integrity of the Data Subject or another person, where the Data Subject is unable to give consent due to physical impossibility or where consent is not legally valid;
  • d) The transfer is directly related to the establishment or performance of a contract, and the processing of Personal Data of the parties to the contract is necessary;
  • e) The transfer is necessary for the Data Controller to fulfill a legal obligation;
  • f) Personal Data that has been made public by the Data Subject may be transferred;
  • g) The transfer is necessary for the establishment, exercise, or defense of a legal claim;
  • h) The transfer is necessary for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
  • i) With the necessary precautions in place, personal data, other than health and sexual life data, may be transferred without the explicit consent of the Data Subject in cases specified by law. Personal data related to health and sexual life, however, may only be processed without the explicit consent of the Data Subject by individuals or authorized institutions and organizations subject to a confidentiality obligation, to protect public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning and management of health services and their financing.

4.4.2 Transfer of Personal Data Abroad

Our Foundation may transfer the Personal Data it processes to third parties located abroad, subject to the conditions specified in Article 4.4.1 above. However, in accordance with the Law, except in cases where the Data Subject has given Explicit Consent for the transfer, Personal Data may only be transferred to foreign countries that are declared by the Board to have adequate protection, or — in cases where adequate protection is not available — to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to provide adequate protection and where the Board has granted permission. Within this scope, a Standard Contract is signed between our Foundation and the third parties residing abroad, and these Contracts are submitted to the Board.

Transfers abroad also include cases where the servers of the programs and applications we use (such as Google Drive, Microsoft Outlook, Office, etc.) are located outside the country.

4.5. Monitoring of In-House Activities of the Foundation

For the purpose of ensuring security, the Foundation processes the personal data of individuals such as employees, customers, and visitors through closed-circuit camera monitoring activities conducted in the Foundation’s premises and museum entrances. The Foundation duly informs the relevant individuals about the purposes it has identified within this scope. In addition to general disclosures, the Foundation also provides notice regarding the closed-circuit camera monitoring activity through alternative methods it deems appropriate. Personal data processed within the scope of the closed-circuit camera monitoring activity is retained for a maximum period of 3 months.

In addition, for security purposes, identity checks are conducted at the entrances of the Foundation’s headquarters and museum, and a visitor log is maintained. Necessary measures are taken regarding the processing and security of personal data within this scope. When obtaining the names and surnames and vehicle plate numbers of individuals visiting the Foundation premises as guests, these data subjects are informed through texts displayed or otherwise made available to them by the Foundation. The data collected for the purpose of tracking visitor entry and exit is processed solely for this purpose and recorded in a physical data recording system.

The Foundation may provide internet access to visiting guests during their stay within the Foundation’s premises. In such cases, internet access logs are recorded in accordance with Law No. 5651 and the relevant provisions of the legislation issued under this Law. These records may only be processed if requested by authorized public institutions and organizations or for the purpose of fulfilling legal obligations during audit processes conducted within the Foundation.

Access to the log records obtained within this framework is limited to a restricted number of Foundation employees. Employees of the Foundation who have access to these records may only access them for the purpose of responding to requests from authorized public institutions and organizations or for audit processes, and may share them only with legally authorized persons. Access authorization is granted by the Data Protection Commission.

4.6. Enlightenment During the Acquisition of Personal Data

Enlightenment regarding the data processing activity is provided to the Data Subject at the moment their Personal Data is processed or at the earliest opportunity following that moment. In this context, the Data Subject will be informed about the following, including but not limited to:

  • The name/title and address of the Data Controller, and if applicable, the name and address of the representative of the Data Controller
  • The purpose(s) of data processing
  • The purpose of data transfer and the recipients to whom data will be transferred
  • The method of data collection and its legal basis
  • The rights of the Data Subject as stated in the Law, such as the right to access data, obtain a copy of the data, delete or correct the data, and the methods of exercising these rights
  • The type of processed data

The information can be provided electronically, orally, or in writing. In cases where the information is provided orally, the person providing the explanation must use an appropriate written text or form that has been previously approved by the Foundation or the Data Protection Commission. A receipt or form must be kept with a simultaneous record that specifies the method, content, date, and event of the explanation.

If the initial explanation is insufficient, further clarifications can be made, and the event, date, content, and method of these additional explanations will be recorded.

4.7. Avoidance of New Activities that are Incompatible with the Law

As a rule, the Foundation will not engage in new or expanded activities for obtaining or processing Personal and/or Special Categories of Personal Data without the approval of the Data Protection Commission. All relevant departments and managers will strive to work in harmony with the Data Protection Commission and other departments, and will avoid new activities that are incompatible with the Law.

4.8 Rights of the Data Subject

The Foundation will establish a system in line with its policies and practices to ensure that the Data Subject can exercise their rights listed in Article 11 of the Law through the Data Protection Commission, facilitate this process, and provide information to the relevant parties in case of improper disclosure of Personal Data.

The Data Subject, with a request made following the policies and procedures set by the Foundation and the Data Protection Commission, can:

  • Learn whether the Foundation processes Personal Data about the Data Subject, and if so, request information regarding this
  • Learn the purpose of processing the Personal Data and whether they are being used under that purpose
  • Learn whether the Personal Data has been transferred domestically or internationally, and to whom it has been transferred

The Data Subject also has the right to request the Foundation to correct any inaccurate or incomplete Personal Data and to inform the recipients to whom the data has been or may have been transferred.

The Data Subject, following Article 7 of the Law, may request the Foundation to delete and destroy their Data if the reasons for processing the data no longer exist.

All requests made to the Foundation by the Data Subject to exercise the above rights must be submitted in writing by filling out the application form available on the Foundation's website.

All departments receiving a request from the Data Subject for access to Personal Data will report these requests to the Data Protection Commission.

The Foundation will establish a system to record the requests mentioned here and determine the dates on which responses are provided.

Unless otherwise required by applicable laws and regulations, the Foundation will respond to an information request made as described above within 30 days from the date the written request is received from the Data Subject and the identity of the Data Subject or their authorized legal representative is appropriately verified. Incomplete, unclear, or unreadable requests will not be considered by the Foundation. In such cases, the Foundation will inform the applicant within 30 days that the application will not be processed.

Even if the Foundation cannot fully respond to the request within the specified time, the Data Protection Department must, in any case, provide the Data Subject with the following information within the 30 days:

  • A confirmation that the Data Subject’s request has been received,
  • An explanation of all the information collected so far that is related to the request made,
  • An explanation regarding the information or changes requested by the Data Subject that the Foundation cannot provide or implement, the reason(s) for rejecting the Data Subject's request, and, if applicable, an explanation of the objection procedure within the Foundation,
  • If applicable, notification of the fee to be paid by the Data Subject, or an estimate of the fee, provided that it does not prevent the Data Subject’s obligation under applicable laws and regulations.

4.9 Storage, Deletion, Destruction, and Anonymization of Personal Data ("Storage and Disposal of Personal Data")

The procedures and principles regarding the storage and disposal of Personal Data, along with the retention periods of personal data, are outlined in the Foundation's Storage and Disposal Policy.

Our Foundation stores the Personal Data it processes in accordance with the principles outlined in the Law for the duration specified in the regulations. If no specific retention period is prescribed for the relevant categories of Personal Data in the legislation, the Personal Data is kept until the purpose for which it was processed is fulfilled.

In the absence of a specific retention period prescribed for the relevant categories of Personal Data in the legislation, retention periods are determined for each data processing purpose. In this context, retention periods are determined considering the practices of our Foundation and the requirements of its commercial activities.

Personal Data may be stored to serve as evidence in potential legal disputes beyond the processing purpose, for asserting a right that can be proven with Personal Data, for establishing a defense, and for responding to information requests from competent public authorities. In determining the retention periods, the statutes of limitations for asserting the mentioned right, the retention obligations arising from the legislation applicable to the Foundation’s activities, the contracts it is a party to, and the international regulations it is subject to are taken into account.

The Foundation carries out the necessary procedures to destroy the relevant Personal Data reasonably and appropriately once the specified retention periods have expired. Additionally, the Foundation may, either on its own initiative or upon the Data Subject’s request, delete, destroy, or anonymize the Personal Data. Through the Data Protection Commission, the Foundation will decide which of these methods is reasonable and will apply that method. The Data Subject may request information regarding the reason for the selection of this method by exercising their rights as outlined in Article 4.8.

In accordance with Article 28 of the Law, Personal Data that has been anonymized may be processed for purposes such as research, planning, and statistics.

5. Registration of the Foundation’s Processing Activities in the Registry

In accordance with the Board's decision dated 22/04/2020 and numbered 2020/315, which amended the decision dated 02/04/2018 and numbered 2018/32, an exception has been made to the obligation of registration in the Registry for "associations, foundations, and unions based in Turkey that process personal data only in accordance with the relevant legislation and purposes, and limited to their areas of activity."

However, as a result of the evaluation regarding the criteria for the exception to the obligation of registration in the Registry for associations, foundations, and unions, it has been deemed inappropriate to apply the mentioned exception to the economic enterprises of associations, foundations, and unions due to the commercial activities they carry out for the purpose of generating income.

In this regard, it is important that the personal data processed in the activities carried out within the economic enterprises of associations, foundations, and unions be reflected as information entries in the Data Controllers' Registry Information System (VERBİS).

Considering the number of people it employs and its annual turnover, the Foundation is obligated to register in VERBİS. The Foundation fulfills its registration obligation through the contact person selected by the Data Protection Commission. If any updates need to be made regarding the notifications made by the Foundation, it will carry out the necessary updates without delay.

6. Use of Third-Party Data Processors

6.1. Obligations of the Third-Party Data Processor

In cases where the Foundation receives services or other forms of support from others to assist with its processing activities, a Data Processor will be selected in accordance with the Law, Secondary Legislation, and Foundation policies, ensuring adequate security measures are in place and taking reasonable steps to comply with these measures.

6.2 Written Agreements for Third-Party Data Processors

The Foundation will establish a written protocol with each Data Processor that requires compliance with the data privacy and security requirements that the Foundation is obligated to fulfill under the Law and Secondary Legislation.

6.3 Audit of the Third-Party Data Processor

As part of the Foundation’s internal data audit processes, the Foundation will periodically conduct audits of the data processing activities carried out by third-party Data Processors, especially concerning data security and measures. The Foundation will establish the necessary legal infrastructure to carry out these audits.

7. Data Security

7.1 Physical, Technical, and Organizational Security Measures

The Foundation will take physical, technical, and organizational measures to ensure the security of Personal Data, considering the level of technological development, the nature of the data, and the risks it faces from human, physical, or environmental factors, including alterations, loss, damage, unauthorized processing, or access.

The security measures to be taken will be determined and implemented in accordance with the Foundation’s information security policies.

7.2 Employee Confidentiality Agreements

Everyone involved in any stage of the processing of Personal Data is required to explicitly commit to confidentiality, which must continue even after the end of the employment relationship, and sign a confidentiality agreement.

8. Compliance Audit

8.1 Data Protection Commission

As part of the Foundation’s compliance program, it has been decided that the personal data processing activities will be carried out and audited by the Data Protection Commission, consisting of the Foundation’s General Manager, Secretary General, Human Resources Manager, Corporate Communications and Events Executive, IT Specialist, and Deputy General Coordinator of the Suna’s Daughter project. The Data Protection Commission is managed by the General Secretary. The duties of the Data Protection Commission are as follows:

  • a) To establish regular audit mechanisms, procedures, and applicable rules to ensure compliance with this Policy,
  • b) To determine, maintain, and implement the system that ensures quick and appropriate responses to the requests that the Data Subject may direct to the Foundation when exercising their rights under the Law,
  • c) To establish a mechanism to verify the accuracy and currency of the data processed by the Foundation,
  • d) To manage and execute the Foundation’s relationships with the Institution, Board, and Registry,
  • e) To fulfill the obligation of registration in VERBİS and ensure it remains up to date,
  • f) To manage and implement activities aimed at applying the Board’s decisions,
  • g) To check that the clarification and explicit consent texts are regularly obtained by the relevant departments and archived,
  • h) To ensure that transfer protocols have been signed with the relevant parties,
  • i) To regularly check compliance with the destruction policy and destruction periods. To ensure the destruction of data whose retention period has expired and verify that these actions are logged,
  • j) To conduct periodic audits through the data security audit checklist.

8.2 Current Compliance Assessment

The Foundation, through the Data Protection Commission, should establish a program and conduct a data protection compliance audit for all business units. The Foundation, in coordination with the business units, should create a plan and schedule to correct any identified deficiencies within a reasonable period.

8.3 Annual Data Protection Audit

Each business unit should evaluate its data collection, processing, and security practices. This annual assessment should at least cover the following points:

  • Departments will assess the following aspects: which Personal Data is collected by the department, which data is planned to be collected, the purpose of data collection and processing, any permitted additional purposes, the primary use of the data, whether the data subject’s consent exists and the scope of that consent, any legal obligations related to the collection and processing of the data, and the scope, adequacy, and implementation status of security measures.
  • Departments should identify the recipients to whom Personal Data under their control or authority is transferred. The department should determine the locations of the recipients, the purposes of the transfer, and the physical and technical systems and processes in place to maintain at least the current level of data security.

The information obtained from this annual assessment should be reported to the Data Protection Commission for the implementation of appropriate measures, updates to the foundation’s policies and procedures, and the provision of appropriate processes.

A "Clean-up Day" will be designated by the Data Protection Commission each year. On the designated Clean-up Day, all employees are required to review documents containing personal data in both physical and electronic formats, identify any redundant or unnecessary data, and ensure its destruction.

9. Other Provisions

This policy will be presented to employees by the Data Protection Commission.

This Policy will enter into force as soon as it is published.

All departments, in collaboration, will develop a timeline and process for the implementation of this policy. This implementation process will include the resolution of conflicts between this Policy and other existing policies.

Changes may be made to this Policy at any time. Any changes must be communicated to employees by the Data Protection Commission.



PERSONAL DATA STORAGE AND DESTRUCTION POLICY

SUNA & İNAN KIRAÇ FOUNDATION

1. INTRODUCTION

The protection of personal data is of great importance to Suna & İnan Kıraç Foundation (the “Foundation”), and utmost sensitivity is shown in this regard. In line with this, processing personal data in a manner consistent with individuals' expectations and in compliance with applicable laws is one of the core pillars of our Foundation.

In this regard, our Foundation stores and destroys the personal data it obtains in the course of its activities in compliance with the Constitution, the Law on the Protection of Personal Data No. 6698 (the “Law”), the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the “Regulation”), and other relevant regulations, as set out in this Personal Data Storage and Destruction Policy (the “Policy”).

2. PURPOSE AND SCOPE OF THE POLICY

This Policy aims to establish the general principles and guidelines of the Foundation regarding the storage and destruction of personal data processed within the scope of the Law and to fulfill the obligations stipulated by the relevant regulations.

This Policy applies to all personal data processed by our Foundation under the Law. Unless otherwise stated in this Policy, the documents referenced herein include both physical and electronic copies.

3. DEFINITIONS

Unless otherwise required by the context, the following definitions shall apply in this Policy:

  • “Explicit Consent” Consent given on a specific subject based on information and freely expressed will.
  • “Recipient Group” A category of natural or legal persons to whom personal data is transferred by the data controller.
  • “Constitution” The Constitution of the Republic of Turkey.
  • “Authorized User” Except for the person or unit responsible for the technical storage, protection, and backup of data, the individuals who process personal data within the data controller's organization or under the authority and instructions received from the data controller.
  • “Destruction” The erasure, destruction, or anonymization of personal data.
  • “Redaction” Refers to the process of obscuring personal data in a manner that prevents identification of the data subject, including by means such as blacking out, blurring, or masking.
  • “Data Environment” Any environment in which personal data is processed, either wholly or partially by automated means, or by non-automated means that form part of a data recording system.
  • “Personal Data” Any information relating to an identified or identifiable natural person (e.g., name-surname, national identification number, email address, residential address, date of birth, credit card number, bank account number). Accordingly, information relating to legal entities does not fall within the scope of the Law.
  • “Data Subject” The natural person whose personal data is processed.
  • “Processing of Personal Data” Any operation which is performed on personal data wholly or partially by automated means or by non-automated means that form part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, retrieval, classification, or prevention of use.
  • “Anonymization of Personal Data” The process by which personal data is rendered impossible to associate with an identified or identifiable natural person, even when combined with other data.
  • “Deletion of Personal Data” The process of rendering personal data inaccessible and unusable for the authorized users.
  • “Destruction of Personal Data” The process of rendering personal data inaccessible, irretrievable, and unusable by anyone.
  • “Board” The Personal Data Protection Board.
  • “Masking” The deletion, blacking out, redaction, or replacement with asterisks of certain parts of personal data in a way that prevents it from being associated with an identified or identifiable natural person.
  • “Special Categories of Personal Data” (Sensitive Personal Data) Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • “Periodic Destruction” The anonymization, deletion, or destruction of personal data at recurring intervals, as defined under this Policy, in cases where the legal grounds for processing no longer exist as per the Law.
  • “Data Recording System” A system in which personal data is processed by being structured according to specific criteria.
  • “Data Controller” The natural or legal person who determines the purposes and means of the processing of personal data and is responsible for the establishment and management of the data recording system.

4. DATA STORAGE ENVIRONMENTS COVERED BY THIS POLICY

The Foundation stores all personal data that are subject to data processing activities within the scope of the Law, whether processed by fully or partially automated means or through non-automated means that form part of a data recording system, in the environments listed below:

Personal data is stored in the Foundation’s databases, email accounts, file servers, SharePoint sites, physical (paper-based) environments, and computers allocated for end-user access.

Electronic Environments:

Databases, backup areas, and systems such as:

  • Oracle databases, Google Drive, BSD systems
  • Shared network drives and servers
  • Email systems
  • Personal computers (desktops and laptops)
  • Mobile devices (phones, tablets, etc.)
  • Optical media (CDs, DVDs)
  • Removable media (USB drives, memory cards, etc.)
  • Peripheral devices such as printers, scanners, fax machines, and photocopiers
  • CCTV (closed-circuit television) systems
  • Data backup systems

Non-Electronic Environments:

  • Physical folders
  • Locked cabinets

5. REASONS REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

In the course of its personal data processing activities, the Foundation adheres to the following fundamental principles:

  • Compliance with the law and the principles of fairness and good faith,
  • Ensuring that personal data is accurate and, where necessary, kept up to date,
  • Processing for specified, explicit and legitimate purposes,
  • Being relevant, limited, and proportionate to the purposes for which it is processed, and
  • Retention for the period stipulated by the relevant legislation or for the time necessary for the purpose of processing.

The Foundation retains and processes personal data in accordance with the above principles and the lawful processing conditions listed under Articles 5 and 6 of the Law. Where all of these conditions no longer apply, the Foundation shall, ex officio or upon the request of the data subject, destroy the relevant personal data.

  • (a) Explicit Consent of the Data Subject

    One of the lawful bases for processing personal data is the explicit consent of the data subject. Such consent must relate to a specific subject, be based on informed choice, and given freely by the individual.

  • (b) Explicit Provision by Law

    Personal data of the data subject may be processed without their consent if such processing is explicitly provided for by law.

  • (c) Inability to Provide Consent Due to Actual Impossibility

    Where it is not possible to obtain the explicit consent of the data subject due to actual impossibility, and processing is necessary to protect the life or physical integrity of the data subject or another person, the personal data in question may be lawfully processed.

  • (d) Necessity for the Establishment or Performance of a Contract

    Personal data may be processed without consent if it is necessary for the conclusion or performance of a contract to which the data subject is a party.

  • (e) Compliance with a Legal Obligation

    Where data processing is necessary for the Foundation to fulfill its legal obligations, personal data may be processed accordingly.

  • (f) Public Disclosure by the Data Subject

    If the data subject has made their personal data public, the data may be processed to the extent necessary and limited to the purpose of public disclosure.

  • (g) Necessity for the Establishment, Exercise or Protection of a Right

    Where data processing is necessary for the establishment, exercise, or defense of a legal right, the personal data of the data subject may be lawfully processed.

  • (h) Legitimate Interests of the Foundation

    Provided that it does not violate the fundamental rights and freedoms of the data subject, personal data may be processed where necessary for the legitimate interests of the Foundation.

Accordingly, a data processing activity may be based on one or more of the above-mentioned legal grounds.

6. METHODS APPLIED IN THE DESTRUCTION OF PERSONAL DATA AND TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LAWFUL DESTRUCTION OF PERSONAL DATA

In cases where all conditions for the lawful processing of personal data as set forth under Articles 5 and 6 of the Law cease to exist, the Foundation deletes, destroys, or anonymizes personal data using the methods described below. The Foundation exercises the utmost care and diligence in the destruction of personal data. In this regard, and in accordance with Article 12 of the Law, the provisions of the Regulation, the general principles stated above, this Policy, and the decisions of the Personal Data Protection Board, the Foundation takes all necessary technical and administrative measures with due consideration to available technological capabilities and the cost of implementation. All actions taken within the scope of data destruction are duly recorded by the Foundation and, unless otherwise required by applicable legal obligations, such records are retained for a minimum period of five (5) years.

Unless otherwise decided by the Board, the Foundation selects the most appropriate method of deletion, destruction, or anonymization, taking into account technological means and the cost of implementation. Upon the request of the data subject, the Foundation shall provide justification for the chosen method.

  • (a) Methods of Deletion of Personal Data

    Deletion of personal data refers to the process by which personal data is rendered inaccessible and non-reusable for authorized users. The Foundation ensures, through necessary technical and administrative measures, that deleted personal data cannot be accessed or reused by authorized users, in line with technological capabilities and cost considerations.

  • (b) Methods of Destruction of Personal Data

    Destruction of personal data refers to the process by which personal data is rendered inaccessible, irretrievable, and non-reusable by anyone, under any circumstances. The Foundation takes all necessary technical and administrative measures in accordance with technological means and implementation costs to ensure complete destruction.

  • (c) Methods of Anonymization of Personal Data

    Anonymization of personal data refers to the process of rendering personal data unidentifiable and non-attributable to an identified or identifiable natural person, even if matched with other data. In order for data to be considered anonymized, it must be ensured that the data cannot be associated with an identified or identifiable person, even through the use of appropriate techniques for data matching and re-identification within the context of the data environment and relevant field of activity. The Foundation takes all necessary technical and administrative measures to anonymize personal data in a manner that is irreversible and compliant with applicable legislation, taking into account the available technological capabilities and cost of implementation.

7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURE STORAGE OF PERSONAL DATA AND TO PREVENT UNLAWFUL PROCESSING AND ACCESS

The Foundation exercises the utmost care and diligence in ensuring the secure storage of personal data and in preventing unlawful processing and unauthorized access. In accordance with Article 12 of the Law, the provisions of the Regulation, the general principles stated above, this Policy, and the decisions of the Data Protection Authority, the Foundation takes the necessary technical and administrative measures, taking into account technological capabilities and implementation costs, including but not limited to the following:

  • Personal data security policies and procedures have been established.
  • Institutional policies on access control, information security, and usage have been implemented.
  • Policies regarding data retention and destruction have been developed and enforced.
  • The collection of personal data is minimized to the extent possible.
  • Encryption mechanisms are employed.
  • Data is anonymized before being shared.
  • Personal data is stored in physically secured, locked cabinets.
  • Personal data is regularly backed up, and the security of backups is ensured.
  • Physical security measures have been implemented for environments containing personal data.
  • Measures have been taken to protect physical storage environments against external risks (e.g., floods, fires).
  • Employees receive regular training and awareness programs on data security.
  • Disciplinary procedures include provisions related to personal data protection and security.
  • Upon reassignment or termination, employees’ access rights to personal data are promptly revoked.
  • Access to documents containing personal data is restricted and granted only to individuals who have signed a confidentiality agreement.
  • Contracts entered into by the Foundation include provisions on data protection and security.
  • Internal audits, both periodic and random, are conducted or commissioned to ensure compliance.
  • Additional security measures are taken for personal data transmitted in physical (paper-based) form.

8. TITLES, DEPARTMENTS, AND DESCRIPTIONS OF DUTIES OF PERSONS INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES

The Foundation provides information and training to individuals involved in the retention and destruction of personal data regarding personal data protection law and the lawful processing of personal data. In this context, Foundation employees and/or individuals who, by virtue of their duties, become aware of personal data, are obliged to retain and destroy such data in accordance with the provisions of the Law and other applicable legislation. This obligation shall continue even after the termination of their duties or employment.

Within this framework, the details concerning the individuals involved in the Foundation’s data retention and destruction processes are set out below:

9. RETENTION AND DESTRUCTION PERIODS

The Foundation retains and destroys personal data only for the duration specified in the applicable legislation to which it is subject, or for the period necessary for the purposes for which such data are processed. In this context, the Foundation retains and destroys personal data for no longer than the maximum periods set forth in Annex-1: Retention and Destruction Periods Schedule.

In the event that the data subject submits a request to the Foundation for the destruction of their personal data, the Foundation shall:

  • (a) If all conditions for processing personal data have ceased to exist:
    • (i) Conclude the data subject’s request within thirty (30) days at the latest and inform the data subject accordingly, and
    • (ii) If the personal data subject to the request has been transferred to third parties, notify the relevant third party of this situation and ensure that necessary actions are taken by such third party.
  • (b) If the conditions for processing personal data have not ceased to exist, the Foundation may reject the request by providing justification, in accordance with Article 13(3) of the Law, and shall notify the data subject of its response in writing or via electronic means within thirty (30) days at the latest.

10. PERIODIC DESTRUCTION PERIODS

Our Foundation destroys personal data during the first periodic destruction process following the date on which the obligation to erase, destroy, or anonymize personal data arises. In this context, our Foundation applies the following periodic destruction intervals:

  • Personal data stored in electronic media, for which the retention period has expired and for which the obligation to destroy arises under Article 6 of this Policy, is subjected to anonymization at intervals of three (3) months.
  • Personal data stored in a physical environment, for which the retention period has expired and for which the obligation to destroy arises under Article 6 of this Policy, is subjected to destruction at intervals of three (3) months.

In any case, the aforementioned periods do not exceed the maximum periodic destruction period stipulated in Article 11 of the Regulation.

11. ENTRY INTO FORCE

This Policy entered into force on [●].[●].2025. The Policy may be updated from time to time in order to comply with changing conditions and applicable legislation.



POLICY ON THE PROCESSING AND PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

1. INTRODUCTION

1.1. Purpose

The protection of personal data is among the top priorities of the Suna and İnan Kıraç Foundation (“Foundation”), and the Foundation makes its best efforts to act in full compliance with all applicable legislation in this regard. Law No. 6698 on the Protection of Personal Data (“Law”) classifies certain data — including individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or trade unions, health data, sexual life, criminal convictions and security measures, as well as biometric and genetic data — as Special Categories of Personal Data, assigning them particular importance and imposing stricter obligations on data controllers for their protection under an enhanced security standard.

This Suna and İnan Kıraç Foundation Policy on the Processing and Security of Special Categories of Personal Data (“Policy”) sets forth the principles adopted by the Foundation in conducting activities involving the processing of Special Categories of Personal Data, as well as the minimum data security measures to be implemented by the Foundation throughout such processing activities.

1.2. Scope

This Policy applies to Special Categories of Personal Data, as defined under the Law, which are processed by the Foundation through automated means or by non-automated means provided that they form part of a data recording system, and which relate to identified or identifiable natural persons.

2. PROVISIONS REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

2.1. General Principles to be Observed in the Processing of Special Categories of Personal Data

The Foundation processes Special Categories of Personal Data in compliance with the procedures and principles stipulated in the Law and other applicable legislation. Accordingly, in the course of processing such data, the Foundation adheres to the following principles ("General Principles"):

The Foundation processes Special Categories of Personal Data:

  • (i) Lawfully and in good faith,
  • (ii) Accurately and, where necessary, kept up to date,
  • (iii) For specific, explicit, and legitimate purposes,
  • (iv) In a manner that is relevant, limited, and proportionate to the purposes for which they are processed,
  • (v) For the period required by the applicable legislation or for the purpose for which they are processed.

2.2. Conditions for Processing Special Categories of Personal Data

Special Categories of Personal Data are explicitly and narrowly defined under the Law due to their potential to cause harm or discrimination to individuals if processed unlawfully. For this reason, special protection measures are required.

The Foundation processes Special Categories of Personal Data in accordance with the principles set out in this Policy and by implementing all necessary administrative and technical measures, including the minimum security measures determined or to be determined by the Personal Data Protection Board (“Board”), provided that at least one of the following conditions is met:

  • (i) If the explicit consent of the data subject has been obtained,
  • (ii) In the absence of explicit consent:
    • (a) Special Categories of Personal Data, excluding those relating to health and sexual life, may be processed only in cases expressly permitted by law;
    • (b) Data relating to the health and sexual life of the data subject may be processed without explicit consent, provided that the processing is carried out by persons or authorized institutions and organizations under a confidentiality obligation, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of healthcare services and financing.

3. PROVISIONS REGARDING THE TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

The Foundation may transfer Special Categories of Personal Data to third parties ("Third Parties") in line with its lawful data processing purposes, provided that necessary security measures are implemented. In doing so, the Foundation complies with the provisions stipulated under Articles 8 and 9 of the Law.

In cases where the explicit consent of the data subject has been obtained, the Foundation may transfer Special Categories of Personal Data in accordance with its data processing purposes, the General Principles, and by taking the necessary security measures, including the methods stipulated by the Personal Data Protection Board.

Where one of the following conditions is met, Special Categories of Personal Data may be transferred to Third Parties without obtaining the explicit consent of the data subject:

  • (i) Special Categories of Personal Data, excluding those relating to the data subject's health and sexual life, may be transferred in cases explicitly provided for by law;
  • (ii) Special Categories of Personal Data relating to the data subject’s health and sexual life may be transferred without explicit consent only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and financing, and only by persons or authorized institutions and organizations that are under a legal obligation to maintain confidentiality.

4. FULFILLMENT OF THE OBLIGATION TO INFORM THE DATA SUBJECT DURING THE COLLECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Pursuant to Article 10 of the Law, data controllers or persons authorized by them are obliged to inform data subjects during the collection of their personal data. In this regard, the Foundation fulfills its obligation to inform data subjects by providing them, at a minimum, with the following information:

  • (i) The identity of the data controller and, if any, its representative,
  • (ii) The purposes for which the personal data will be processed,
  • (iii) The recipients to whom the personal data may be disclosed and the purposes of such disclosure,
  • (iv) The method and legal basis for the collection of personal data,
  • (v) The rights given to data subjects under Article 11 of the Law and the procedures for exercising these rights.

Except in cases where alternative methods and procedures are adopted, the Foundation uses written information notices, delivered either physically or electronically, in a manner that allows for subsequent verification, to fulfill its obligation to inform data subjects. Foundation personnel involved in the processing of Special Categories of Personal Data must ensure that data subjects have been provided with the relevant information notice and have been duly informed before the collection of any personal data.

5. RETENTION AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Pursuant to Article 7 of the Law, which regulates the obligation to erase, destroy, or anonymize personal data, all personal data, including Special Categories of Personal Data, shall be erased, destroyed, or anonymized by our Foundation either upon its own decision or upon the request of the relevant data subject, in the event that the reasons requiring the processing of such data no longer exist, even if the data has been processed in accordance with the provisions of the Law and other relevant legislation.

Detailed information regarding the retention and destruction of personal data is provided in the Suna and İnan Kıraç Foundation’s Data Retention and Destruction Policy.

6. ENSURING THE SECURITY AND CONFIDENTIALITY OF SPECIAL CATEGORIES OF PERSONAL DATA

In order to prevent the unlawful disclosure, access, transfer, or other potential security deficiencies concerning Special Categories of Personal Data, our Foundation takes all necessary measures, to the extent possible, based on the nature of the data to be protected.

Within this scope, all necessary administrative and technical measures are implemented by our Foundation. These measures are reviewed and updated in accordance with the current decisions of the Board, and in cases of unlawful disclosure of personal data, actions are taken in compliance with the measures stipulated under the Law.

The data security measures set forth in this section constitute the minimum precautions to be taken by the Foundation during the processing of Special Categories of Personal Data. These measures are determined in accordance with the Board’s Decision dated 31 January 2018 and numbered 2018/10 on "Adequate Measures to Be Taken by Data Controllers in the Processing of Special Categories of Personal Data" and shall be updated in the event of new decisions issued by the Board in this regard.

The standard technical and administrative data security measures currently applied by the Foundation in its other processes shall continue to be implemented to the extent that they are deemed appropriate for the processes involving the processing of Special Categories of Personal Data.

6.1. Administrative Measures Taken by Our Foundation to Ensure the Lawful Processing of Special Categories of Personal Data and to Prevent Unlawful Access to Such Data

  • (i) Risks that may arise in relation to Special Categories of Personal Data have been identified by our Foundation, and the necessary precautions to mitigate such risks have been determined.
  • (ii) Our Foundation provides training to its employees regarding the processing and protection of Special Categories of Personal Data, ensures their awareness, and carries out regular awareness-raising activities.
  • (iii) In order to ensure the security of Special Categories of Personal Data, confidentiality undertakings are signed with employees who have access to such data.
  • (iv) The scope and duration of employees' access to Special Categories of Personal Data are limited.
  • (v) Periodic access and authorization checks are conducted.
  • (vi) Access rights of employees who are reassigned or whose employment is terminated are promptly revoked, and any allocated inventory is collected accordingly.

6.2. Technical Measures Taken by Our Foundation to Ensure the Lawful Processing of Special Categories of Personal Data and to Prevent Unlawful Access to Such Data

In cases where Special Categories of Personal Data are processed, stored, and/or accessed in electronic environments:

  • (i) Our Foundation stores Special Categories of Personal Data using cryptographic methods.
  • (ii) Cryptographic keys are stored securely and in separate environments.
  • (iii) All operations performed on Special Categories of Personal Data are securely logged.
  • (iv) Security updates for environments containing Special Categories of Personal Data are continuously monitored; necessary security tests are regularly conducted or commissioned, and the results of such tests are documented.
  • (v) If access to Special Categories of Personal Data is made through a software application, user authorizations for such software are managed; necessary security tests are regularly conducted or commissioned, and the results are documented.
  • (vi) If remote access to Special Categories of Personal Data is required, at least two-factor authentication is implemented.

In cases where Special Categories of Personal Data are processed, stored, and/or accessed in physical environments:

  • (i) Adequate physical security measures are ensured depending on the characteristics of the environment in which the data is kept (e.g., protection against electrical leakage, fire, flooding, theft, etc.).
  • (ii) Physical security of these environments is maintained to prevent unauthorized access.

6.3. Measures Taken by Our Foundation to Ensure the Lawful Transfer of Special Categories of Personal Data

  • (i) In cases where it is necessary to transfer Special Categories of Personal Data via email, our Foundation ensures that such data is transmitted either in encrypted form via a corporate email address or by using a Registered Electronic Mail (KEP) account.
  • (ii) If the data is to be transferred via physical media such as portable drives, CDs, or DVDs, it is encrypted using cryptographic methods, and the cryptographic keys are stored in a separate environment.
  • (iii) In cases of data transfer between servers located in different physical environments, the transfer is carried out through the establishment of a VPN connection or by using the sFTP method.
  • (iv) If Special Categories of Personal Data are to be transferred in paper format, necessary precautions are taken against risks such as theft, loss, or unauthorized access to the documents. In such cases, the documents are sent in a format classified as “confidential documents”.

6.4. Measures to Be Taken in Case of Unlawful Disclosure of Special Categories of Personal Data

Within the scope of the processing of Special Categories of Personal Data carried out by our Foundation, in the event that such data is unlawfully obtained by unauthorized persons, the incident shall be reported to the Board no later than seventy-two (72) hours after it becomes known, in accordance with the Board’s Decision dated 24.01.2019 and numbered 2019/10. Furthermore, data subjects affected by the breach shall be informed as soon as possible.

Annex – 1 – DEFINITIONS

  • Explicit Consent: Consent given on a specific subject based on information and freely expressed will.
  • Data Subject: The natural person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person (e.g., name-surname, national identification number, email address, residential address, date of birth, credit card number, bank account number). Accordingly, information relating to legal entities does not fall within the scope of the Law.
  • Special Categories of Personal Data (Sensitive Personal Data): Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • Processing of Personal Data: Any operation which is performed on personal data wholly or partially by automated means or by non-automated means that form part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, retrieval, classification, or prevention of use.
  • Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data and is responsible for the establishment and management of the data recording system.
  • Registered Electronic Mail Address: The qualified form of electronic mail that provides legal evidence regarding its use, including the sending and delivery of electronic communications.
  • Mobile Signature: An electronic signature that is created using a mobile device.
  • Secure Electronic Signature: An electronic signature that is uniquely linked to the signatory, created using a secure signature creation device that is exclusively under the control of the signatory, and is based on a qualified electronic certificate that allows for the identification of the signatory, and also ensures the detection of any subsequent changes made to the signed electronic data.