KVK COMMITTEE INTERNAL DIRECTIVE
This Personal Data Protection Committee Internal Directive (“Internal Directive”) has been prepared in accordance with the Law No. 6698 on the Protection of Personal Data (“KVKK”) published in the Official Gazette dated 7 April 2016 and numbered 29677; the provisions of the Constitution and the Turkish Penal Code regarding the protection of personal data; the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”); WEBTURES Personal Data Protection Policy; WEBTURES Information Security, Personal Data Security and Communication Instruction; and WEBTURES Personal Data Retention and Disposal Policy (hereinafter collectively referred to as the “Policies”), based on the decision of WEBTURES DİJİTAL BİLİŞİM ANONİM ŞİRKETİ (“WEBTURES”), with Mersis No. 0800053943700021, residing at Esentepe Mahallesi Milangaz Cad. Kartal Vizyon St. A-2 Bl. No: 77/219 Kartal/Istanbul, dated 01.01.2022 to establish a Personal Data Protection Board within WEBTURES for the purpose of taking necessary administrative and technical measures for the protection of personal data, determining authorized persons and responsible parties, and carefully performing task allocation and workflow. In this context, a Personal Data Protection Committee (“Committee”) has been established at WEBTURES (“WEBTURES/Company”), acting as the data controller, to conduct personal data retention and disposal processes and take necessary actions pursuant to the KVKK and the Regulation.
1. PURPOSE, SCOPE, AND LEGAL BASIS
Purpose:
Article 1- This Internal Directive has been prepared to determine matters regarding the Committee’s taking necessary administrative and technical measures for the protection of personal data within WEBTURES; carrying out compliance efforts with KVKK provisions and decisions of the Personal Data Protection Board (“Board”); determining authorized persons and responsible parties in personal data protection; carrying out task allocation and workflow; and fulfilling procedures to be applied based on the Policies.
Scope:
Article 2- This Internal Directive covers the responsibilities, work, and activities of the Committee and its members regarding personal data.
Legal Basis:
Article 3- This internal directive has been prepared in accordance with the legislation listed below.
Law:
Turkish Penal Code No. 5237 dated 26/09/2004
Law No. 6698 on the Protection of Personal Data dated 24/03/2016
Regulations:
Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28/10/2017 and numbered 30224
Regulation on the Working Procedures and Principles of the Personal Data Protection Board, published in the Official Gazette dated 16/11/2017 and numbered 30242
Regulation on the Data Controllers Registry, published in the Official Gazette dated 30/12/2017 and numbered 30286
Regulation Amending the Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28/04/2019 and numbered 30758
Regulation Amending the Regulation on the Data Controllers Registry, published in the Official Gazette dated 28/04/2019 and numbered 30758
Regulation on Personal Health Data, published in the Official Gazette dated 21/06/2019 and numbered 30808
Communiqués:
Communiqué on the Procedures and Principles to be Followed in Fulfillment of the Obligation to Inform, published in the Official Gazette dated 10/03/2018 and numbered 30356
Communiqué on the Procedures and Principles of Application to the Data Controller, published in the Official Gazette dated 10/03/2018 and numbered 30356
2. DEFINITIONS
Article 4- Definitions included in the Internal Directive are listed below.
Explicit Consent: Refers to consent expressed with free will, based on being informed, regarding a specific matter.
Anonymization: Refers to rendering personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Application Form: Refers to the application form prepared in accordance with the Law No. 6698 on the Protection of Personal Data and the Communiqué on the Procedures and Principles of Application to the Data Controller, to be submitted by the data subject (Personal Data Owner) to the data controller in order to exercise their rights.
Internal Directive: Refers to the Personal Data Protection Committee Internal Directive.
Data Subject / Personal Data Owner: Refers to the natural person whose personal data is processed by WEBTURES or on behalf of WEBTURES.
Personal Data: Refers to any data relating to an identified or identifiable natural person.
Processing of Personal Data: Refers to any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partially by automated means, or by non-automated means provided that it is part of any data recording system.
Board: Refers to the Personal Data Protection Board.
Authority: Refers to the Personal Data Protection Authority.
KVKK: Refers to the Law No. 6698 on the Protection of Personal Data.
KVK Regulations: Refers to the Law No. 6698 on the Protection of Personal Data and regulations, communiqués and related legislation regarding personal data protection, decisions of the Personal Data Protection Board, court decisions, applicable international agreements, and any other legislation regarding data protection.
Special Category Personal Data: Refers to data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association/foundation/union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: Refers to the data recording system (“VERBIS”) in which personal data is processed by structuring according to certain criteria.
Data Controller: Refers to the person who determines the purposes and means of processing personal data and manages the place where data is kept systematically (data recording system/VERBIS).
Data Controller Representative / Contact Person: Refers to the natural person appointed to fulfill the duties of the Data Controller within the scope of relevant provisions of the KVKK.
Visitor: Refers to natural persons who enter WEBTURES’s physical premises for various purposes or visit our websites.
3. COMPOSITION OF THE COMMITTEE
Personal Data Protection Committee:
Article 5- The Committee is appointed by the WEBTURES Board of Directors to fulfill its obligations under the KVK Regulations, ensure and audit the implementation of the Policies, and make recommendations regarding their functioning. The Committee is tasked with ensuring audit, compliance, and sustainable effectiveness of WEBTURES within the scope of KVK legislation. The assignment of duties among Committee Members and the removal or addition of members to the Committee are carried out by the Committee Chair with the authority granted by the data controller.
Data Controller Representative:
Article 6- The Data Controller Representative is selected from within the Committee and manages WEBTURES’s relations with the Authority and WEBTURES’s compliance process with the KVK legislation, including conveying requests directed by the Authority to WEBTURES, transmitting WEBTURES’s response to the Authority, receiving applications to WEBTURES on behalf of WEBTURES and transmitting them to WEBTURES, and conveying WEBTURES’s responses to Data Subjects.
Members:
Article 7-
MEMBER
DUTY IN THE COMMITTEE
Committee Chair – responsible for governance and communication
Responsible for Information Technologies and data security
Responsible for KVKK Risk Management, Policies and Procedures
Responsible for KVKK compliance and audit
Responsible for business process planning – reporting
Responsible for KVKK compliance and audit
4. DUTIES AND RESPONSIBILITIES
Article 8- The Committee is responsible for operating the processes for the protection, storage, processing, and deletion/destruction/anonymization of personal data. If there is a change in the KVK legislation or Board decisions, it ensures that internal actions are taken for WEBTURES to comply with new regulations.
8.2. Prepares the personal data inventory. (KVKK Art. 16/3)
Periodically updates the personal data inventory. (KVKK Art. 16/4)
Ensures that the personal data inventory is notified to the registry and kept up to date. (KVKK Art. 16/4)
Carries out correspondence with the Registry and stores such correspondence. (KVKK Art. 16)
8.3. If there are third parties processing personal data, reviews the agreements to be made with such parties and confirms compliance within the scope of KVKK. Ensures that third parties are audited. (KVKK Art. 8)
8.4. Identifies and authorizes natural and legal persons processing personal data (e.g., call center, e-commerce, quality personnel recording customer complaints, personnel directorate following payroll and personnel affairs, door security personnel receiving visitor information, assistants, etc.).
Article 9- The Committee is obliged to take technical and administrative measures to protect all personal data within WEBTURES, to continuously follow developments and administrative activities, to prepare necessary procedures, announce them within WEBTURES, ensure compliance, and audit. The Committee ensures that audits are carried out by the Internal Audit Directorate at certain intervals within the scope of personal data protection. It gathers senior management periodically regarding KVKK to discuss both the current situation and risks. It documents meeting resolutions with wet signatures. It informs the relevant units regarding KVKK periodically via the portal/email/announcements.
Article 10- The Committee is obliged to ensure that the Obligation to Inform is fulfilled for all personal data processing processes, and to ensure and preserve explicit consent where necessary.
During the acquisition of personal data, the Committee ensures:
- Announcement of the identity of the data controller. (KVKK Art. 10)
- That the purposes of processing personal data are specific, legitimate, and explicit; audits this and ensures that it is announced to both employees and customers. (KVKK Art. 4/2(c))
- Disclosure of to whom and for what purpose the processed data will be transferred. (KVKK Art. 10/1(c))
- Disclosure of the data collection method and legal basis. (KVKK Art. 10/1(ç))
10.1. The Committee determines and implements the methods of obtaining explicit consent for the processing of personal data and audits these. (KVKK Art. 5/1)
10.2. In case special category personal data is recorded, it ensures that explicit consent is obtained without fail. (KVKK Art. 6)
10.3. If personal data will be stored in cloud systems or abroad, it ensures that explicit consent of the data subject is obtained and confirms that the foreign country to which personal data will be transferred has been announced by the Board. (KVKK Art. 9/2 and 9/3)
Article 11- If personal data is transferred to third parties, the Committee determines whether explicit consent will be obtained from the data subject according to the status of the recipient authority/institution. The cases where explicit consent will not be obtained are listed below. In any case, it records which data is shared with the institutions below and documents that third parties meeting the status below are compliant with the applicable basis. (KVKK Art. 5/2)
- Inability to obtain explicit consent due to actual impossibility
- Where the life or physical integrity of the person or another person is at stake
- Being directly related to the establishment or performance of a contract
- Processing of personal data belonging to the parties of the contract is necessary
- Processing is mandatory for the establishment, exercise, or protection of a right
- Processing is mandatory for the data controller to fulfill its legal obligation
- Where the person has made their own data public
- Processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
- Processing of data relating to their own members and affiliates by non-profit organizations such as political parties, foundations, associations, or unions, provided that it is in accordance with their legislation and purposes, limited to their field of activity, and not disclosed to third parties
- Processing by persons under confidentiality obligation or authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services
11.2. If personal data will be transferred abroad and explicit consent has not been obtained; it coordinates the transfer in cases where there is sufficient protection in the country of transfer or, if there is no sufficient protection, where data controllers in Türkiye and the relevant foreign country commit in writing to provide sufficient protection and where the Board’s permission is obtained. (KVKK Art. 9/4)
11.3. It ensures that the party sharing the data documents, in writing and with approval, the recipient and the purpose of sharing. It verifies and documents whether consent has been obtained. After receiving approval of the legal department and the data controller, it ensures the sharing.
Article 12- The Committee evaluates applications of Data Subjects and ensures internal coordination within the Company to respond to applications. Where communication with the Board is required, it ensures the necessary coordination and communication.
In case a personal data owner applies, it ensures the fulfillment of the following rights within 30 calendar days at the latest: (KVKK Art. 13/2)
- To know whether their own personal data is processed (KVKK Art. 11/1(a))
- To request information regarding personal data (KVKK Art. 11/1(b))
- To explain the purpose of processing (KVKK Art. 11/1(c))
- To disclose third parties to whom personal data is transferred domestically or abroad (KVKK Art. 11/1(ç) and (f))
- To receive requests for correction of personal data if it is incomplete or incorrectly processed and to provide feedback upon completion (KVKK Art. 11/1(d))
- To receive requests for deletion or destruction of personal data and to provide feedback upon completion (KVKK Art. 11/1(e))
- To receive objections where an adverse result arises from analysis of processed data exclusively through automated systems and to provide feedback upon completion (KVKK Art. 11/1(g))
- To check whether personal data is processed unlawfully and to follow up and finalize requests (KVKK Art. 11/1(ğ), KVKK Art. 12/1(a))
Article 13- If a deficiency or risk is identified regarding compliance of personal data protection, retention, processing, and disposal processes with the KVKK and the Policies, the Committee takes necessary measures to remedy it. In this scope, the Committee audits each new processing process reported to it.
Article 14- Determines the period required by relevant legislation or for the purposes for which personal data is processed. (KVKK Art. 4/2(d))
14.2. Pursuant to Article 11/2 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, it audits processed personal data at intervals not exceeding six months and ensures deletion, destruction, or anonymization of personal data that must be disposed of.
14.3. Ensures that all operations performed regarding deletion, destruction, and anonymization of personal data are recorded and that such records are stored for at least three years, excluding other legal obligations.
14.4. When any of the reasons below exists, it ensures deletion, destruction, or anonymization of personal data within the framework of the procedures and principles set out in the regulations: (KVKK Art. 7)
- When the reasons requiring processing cease to exist
- When the retention period expires
- Upon the request of the data owner
Article 15- The Committee creates an action plan in accordance with the KVK Regulations and Policies for violations related to acts, transactions, or actions that it deems contrary to the KVK Regulations and the procedures and principles specified in the Policies, as reported to it by WEBTURES employees. Taking into account the applicable legislation, the Committee prepares the notification to be made to the Data Subject or the Authority regarding the violation and manages correspondence and communication with the Authority.
Article 16- Sends documents and information requested by the Board within 15 calendar days and ensures that on-site inspection can be carried out when necessary. (KVKK Art. 15/3)
16.2. In case of a complaint or for any reason, it follows the Board’s notifications and ensures fulfillment within 30 calendar days. (KVKK Art. 15/5)
Article 17- The Committee ensures that WEBTURES employees are informed to ensure lawful processing and disposal of personal data and to prevent unlawful access. Necessary procedures are established to allow employees who need access to personal data within the company to access such personal data, and the Data Controller Representative and the Committee are jointly and severally responsible for establishing and implementing these procedures. The Committee tracks the list of limited employees granted access authority to special category personal data.
5. MISCELLANEOUS PROVISIONS
Adoption of the Internal Directive and Amendments
Article 18- This Internal Directive is put into effect by WEBTURES. Amendments and revisions to the internal directive are subject to the same procedure.
Effective Date
Article 19- This Internal Directive consisting of 19 (nineteen) articles, dated 01.01.2022 and numbered 1, of the WEBTURES Personal Data Protection Committee enters into force on 01.01.2022.