KVKK

WITH YOUR HEART.COM

INFORMATION TEXT WITHIN THE SCOPE OF THE PERSONAL DATA PROTECTION LAW NO. 6698

KALBİNLE ORGANIZATION ( KALBİNLE.COM or the Company) respects your privacy and attaches importance to your data security. In this context, this information text has been prepared in order to inform and enlighten you within the scope of the Personal Data Protection Law No. 6698 (“Law”, “KVKK”) and other relevant legislation.

To inform

The Personal Data Protection Law No. 6698 was accepted on March 24, 2016 and entered into force upon publication in the Official Gazette on April 7, 2016. However, according to Article 32 of the Law titled Entry into Force, Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 of this Law entered into force as of October 7, 2016.

The Law was adopted to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of real and legal persons who process personal data and the procedures and principles they will comply with. With this text, visitors are informed and enlightened by XXX.

KALBİNLE.COM will process your name, e-mail address, work and home address, telephone number and other personal data provided by visitors through the forms on this site, only for the purpose of processing and within the limits specified in the information text and, if approval is given, in the explicit consent text.

DEFINITIONS

Explicit Consent	It refers to consent regarding a specific subject, based on information and expressed with free will.
Company	Refers to Kalbinle Organizasyon company located at Plevne Mahallesi, Fırat Cd. 83 A, 06930 Sincan/ Ankara.
Cookies	They are small files saved on users' computers or mobile devices that help store preferences and other information about the web pages they visit.
Related User	Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
Destruction	Deletion, destruction or anonymization of personal data.
Contact Person	The natural person notified by the data controller during registration in the Registry for communication with the Authority regarding the obligations of the data controller representatives of legal entities resident in Turkey and legal entities not resident in Turkey within the scope of the Law and secondary regulations to be issued based on this Law. (The contact person is not authorized to represent the Data Controller. As the name suggests, he/she is the person assigned to only “liaise” with the data controller and the relevant persons and the Institution.)
Law/KVKK	Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.
Recording Environment	Any environment in which personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Processing of Personal Data	Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Anonymization of Personal Data	Making personal data in such a way that it cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data.
Personal Data Deletion	Deletion of personal data; rendering personal data inaccessible and reusable for the Relevant Users in any way.
Personal Data Destroying	The process of making personal data inaccessible, irreversible and reusable by anyone.
The Board	Personal Data Protection Board.
Special Qualified Personal Data	Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction	In case all the conditions required for the processing of personal data are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy will be carried out ex officio at recurring intervals.
Policy	Personal data protection policy established by the company.
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.
Data Recording System	A recording system in which personal data is structured and processed according to certain criteria.
Data Owner/Relevant Person	The natural person whose personal data is processed.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Source:	Law No. 6698 on the Protection of Personal Data - Regulation on the Deletion, Destruction or Anonymization of Personal Data - Regulation on the Registry of Data Controllers - Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Disclose - Communiqué on the Application to the Data Controller and the Procedural Principles Communiqué on the Procedures and Principles of Application to the Data Controller

DATA CONTROLLER AND CONTACT PERSON

As stated in this Information Text, the COMPANY is the data controller in accordance with the KVKK.

Data Controller Information

Full Name: ORGANIZATION WITH YOUR HEART

Short Name: COMPANY

Address: Plevne District, Fırat St. 83 A, 06930 Sincan/ Ankara

I. Website: https://www.kalbinle.com/

Contact Person

Name: : Furkan

Surname: Boztas

Title: Contact Person

E-mail: support@kalbinle.com

Phone: +905458825897

Reasons We Process Your Data

Your personal data is processed in accordance with Articles 5 and 6 of the Law for the purposes of carrying out the necessary activities within the company to ensure that the products and services provided by our company can be offered to you, carrying out the necessary studies with the relevant business unit and business partners to be able to recommend products and services that are suitable for your consumption and purchasing motivation, ensuring the rights of real persons by ensuring the management of human resources by our Company, taking the necessary steps for the making, implementation and execution of commercial decisions by our Company, ensuring the legal security of real persons with whom we have established business relations and our Company arising from these relations, and for similar purposes, including but not limited to these.

Your Personal Data may be processed by KALBİNLE.COM , as the Data Controller, without your express consent in the following cases:

a) It is clearly stated in the laws;
b) If it is necessary for the protection of the life or physical integrity of the person or someone else who is unable to give his consent due to a physical impossibility or whose consent is not legally valid.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the performance of the contract.

d) It is mandatory to fulfill our legal obligations as the data controller;

d) It has been made public by the relevant person himself.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person, and may be used for the purposes specified below, based on any of the conditions.

Your personal data may be processed for the following purposes;

Communicating with you and others as part of the job.
To send you important information about changes to our terms of service, changes to our electronic services, and other administrative information.
To provide quality, training and security improvement (for example, regarding recorded or monitored phone calls to our contact numbers)
Resolve complaints and process data access or correction requests.
Prevent, detect and investigate crime, including fraud and money laundering, and analyse and manage other business risks.
To comply with applicable laws and regulatory obligations (including those outside your country of residence), including anti-money laundering and anti-terrorism laws; to comply with legal process and to respond to requests from public and government authorities (including those outside your country of residence).
To manage our infrastructure and business operations and comply with internal policies and procedures, including those related to auditing, finance and accounting; billing and collections; IT systems; data and website hosting; business continuity; and records, document and print management.
To establish and defend legal rights; to protect our operations or the operations of our business partners, our rights, privacy, safety or property and/or yours or others; and to enforce available remedies or limit our damages.
Conducting market research and analysis, including satisfaction surveys.
To enable you to participate in contests, prize draws and similar promotions and to administer these activities.
Facilitate social media sharing functionality.
To personalize your experience with electronic services by providing you with tailored information and advertisements.

Your Personal Data We Process

Identity Information : Your name, surname and other information provided to the Company with your express consent.

Contact Information : Your residence address, workplace address, telephone number and e-mail address, KEP address, and if available, your mobile phone number, fax number or other communication channels that you have provided with your consent so that we can reach you, which you have notified the Company of your preference for communication.

To Whom and For What Purposes Can Processed Personal Data Be Transferred?

Your collected personal data may be transferred to our business partners, suppliers, shareholders, legally authorized public institutions and private persons within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK for the purposes of ensuring the legal and commercial security of our Company and the persons who have a business relationship with our Company; ensuring that the necessary work is carried out by our business units to enable you to benefit from the products and services offered by our Company; customizing the products and services offered by our Company according to your tastes, usage habits and needs and recommending them to you; determining and implementing our Company's commercial and business strategies; and ensuring that our Company's human resources policies are carried out.

Method and Legal Reason for Collecting Personal Data

Your personal data is collected by our Company through different channels and based on different legal reasons in order to carry out our commercial activities.

Your personal data is collected through the member registration form or business partner registration form, registration/application forms filled out online, receipt and expenditure documents, image and audio recording devices used in events, security camera recordings and in case of sending personal data to the COMPANY official e-mail address destek@kalbinle or the contact address +905458825897, through the relevant communication channels.

Personal data is also collected by physically sending a document, physically filling out a document provided by the Company, filling out a library membership form with a wet signature in order to provide library services, or calling +905458825897 or other extension numbers belonging to the Company.

Your personal data is also collected automatically through cookies used on https://www.kalbinle.com and its extensions. These cookies are only necessary for the visitor to use the site at full efficiency and are used to remember the visitor's preferences and do not provide any other personal data. You can access our cookie policy at ww.kalbinle.com/cerezler.

The Company does not engage in any personal data processing activities that do not fall within the scope of personal data processing conditions.

The personal data processing conditions included in the KVKK are as follows;

The explicit consent of the relevant person is available,
It is clearly stated in the laws ,
If it is necessary for the protection of the life or physical integrity of a person or someone else who is unable to give his consent due to a physical impossibility or whose consent is not legally valid,
It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract ,
It is mandatory for the data controller to fulfill its legal obligations ,
The data has been made public by the data owner himself,
Data processing is mandatory for the establishment, exercise or protection of a right ,
Data processing is necessary for the legitimate interests of the data controller , provided that it does not harm the fundamental rights and freedoms of the data owner.

The basic processing condition for special personal data is explicit consent, and the Company does not fundamentally aim to process special personal data.

One or more personal data processing conditions that make a personal data processing activity lawful may exist at the same time.

In order to achieve our purposes, it is necessary to process your data as stated above. While identity information is being transferred to our company, data that is not actually within the scope of our processing purposes may also be transferred to us. Within the scope of administrative and technical measures, we delete and/or anonymize the data in question at the end of the periods stipulated in the legislation, but it is not possible to ensure this situation under all circumstances. In this case, it is necessary to seek your explicit consent for the processing of the data in question.

Rights of the Data Subject Listed in Article 11 of the KVKK

As personal data owners, if you submit your requests regarding your rights to our Company using the methods set out below in this Information Text, our Company will finalize the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if a fee is foreseen by the Personal Data Protection Board, the fee in the tariff determined by our Company will be charged. In this context, personal data owners;

Learning whether personal data is being processed,
To request information regarding the processing of personal data,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data is transferred, either domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly and to request notification of the action taken to third parties to whom personal data is transferred,
To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the KVKK and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
In case of damages due to unlawful processing of personal data, the person has the right to demand compensation for the damages.

How to Exercise Your Rights?

You can download the “application form” from the link www.kalbinle.com/basvuru and fill it out according to your request/complaint, and send it to us via destek@kalbinle.com or you can fill out the form physically and send it to the address “ Plevne Mahallesi, Fırat Cd. 83 A, 06930 Sincan/ Ankara” via cargo/mail.

If you submit your request to us using one of the methods shown above, your request will be evaluated within 30 days at the latest in accordance with Article 13/2 of the KVKK and you will be informed about the subject. If your request is accepted, the necessary procedures will be carried out immediately by the COMPANY, the data controller.

As a rule, requests are met free of charge, however, if fulfilling the request requires a fee, the COMPANY may request a fee in accordance with the provision in Article 7 of the “Communiqué on the Procedures and Principles of Application to the Data Controller”; “If the application of the relevant person is to be answered in writing, no fee will be charged for up to 10 pages. A processing fee of 1 TL may be charged for each page over 10 pages. If the answer to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.”

CHANGE

Change 1: No changes have been made to the document yet.

Change Details:

WITH YOUR HEART.COM

PERSONAL DATA PROCESSING AND PROTECTION POLICY

ENTRANCE

1.1 Introduction

1.2 Scope

1.3 Implementation of Policy and KVKK Legislation

1.4 Enforcement of the Policy

ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

2.2. Protection of Special Personal Data

2.3. Increasing Awareness and Supervision of Business Units Regarding the Protection and Processing of Personal Data

ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

3.2. Conditions for Processing Personal Data

3.3. Processing of Special Personal Data

3.4. Information to the Personal Data Owner

3.5. Processing of Data Processed by KALBİNLE.COM Companies by KALBİNLE.COM

3.6. Transfer of Personal Data

CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING

STORAGE AND DESTRUCTION OF PERSONAL DATA

RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

6.1. Rights of the Data Subject

SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

7.1. Personal Data Processing Activities Conducted at Building and Facility Entrances and Within the Building and Facility and Website Visitors

7.2. KALBİNLE.COM Camera Monitoring Activities Conducted at Building and Facility Entrances and Inside

7.3. Monitoring of Guest Entrances and Exits at KALBİNLE.COM Building and Facility Entrances

MEASURES REGARDING THE SECURITY OF PERSONAL DATA

1. INTRODUCTION

1.1 Introduction

Since the protection of personal data is a fundamental human right, it is among the most important priorities of Kalbinle Organization Company (“ KALBİNLE.COM ” or the “ Company ”). In order to ensure the right to protection of personal data, the Company makes every effort to act in accordance with all applicable legislation in this regard. Within the framework of this Kalbinle Organization Company Personal Data Protection and Processing Policy (“ Policy ”), the principles adopted by our Company in the execution of personal data processing activities and the basic principles adopted in terms of the compliance of our Company’s data processing activities with the regulations in the Law No. 6698 on the Protection of Personal Data (“ Law ”) are explained, and thus our Company ensures the necessary transparency by informing the relevant persons. With full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.

1.2 Scope

Kalbinle Organizasyon (“COMPANY”) Personal Data Processing and Protection Policy (“Policy”) has been prepared with the aim of disciplining the processing of personal data within the framework of the legislation on personal data and protecting the fundamental rights and freedoms, especially the privacy of private life, as stipulated in the Constitution.

While preparing the “Policy”, it was determined as a basic principle to first determine which data the work units within the “COMPANY” organization chart collect, why they collect it and why there is a need to transfer this data to third parties and to understand the COMPANY’s personal data processing procedure. While transferring the requirements of the relevant legislation to the “Policy”, it was adopted as a principle to explain in a simple and understandable language which data the “COMPANY” collects and why it processes this data, within the framework of the sensitivity felt within the necessity of protecting personal data. In addition, it is aimed to take the necessary administrative and technical measures to protect data privacy within and outside the “COMPANY” organization and to inform and enlighten the individuals whose data is processed.

All natural persons whose data is processed by the “COMPANY” are included within the scope of the “Policy”.

Within the scope of this “Policy”, it has been attempted to include customized information on the data processed within the scope of the transactions and activities within the “COMPANY” organization, the categorization of data, data recipient groups, legal reason and method of data collection, third party groups to which data is transferred, data processing periods, data deletion periods. However, in the event that data processing is/will be performed by the “COMPANY” outside of the current processing activities, it is possible to carry out processing activities and provide information within the scope of an external information text, provided that the basic principles and principles specified in this policy are complied with. In this case, the information provided will constitute an integral part of this “Policy” and it cannot be claimed that it is not included in this “Policy”. As a matter of fact, within the scope of Article 5 of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Information Obligation, information can be provided verbally, in writing, by using a physical or electronic medium such as voice recording, call center.

1.3 Implementation of Policy and KVKK Legislation

Relevant legal regulations in force will primarily be applied regarding the processing and protection of personal data. In the event of any inconsistency between the current legislation and the Policy, our Company accepts that the current legislation will be applied. The Policy regulates the rules set forth by the relevant legislation within the scope of Company practices by concretizing them.

1.4 Enforcement of the Policy

The effective date of this Policy is 02.04.2022. The updated version, which was edited by KALBİNLE.COM and entered into force on 02.04.2022, has been renewed as of the effective date of this Policy.

This Policy is published on the KALBİNLE.COM website at [ https://www.kalbinle.com/kvkk ].

2. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in personal data. In this context, our Company takes administrative measures and carries out or has audits carried out to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board (“ Board ”).

2.2. Protection of Special Personal Data

The law has given special importance to certain personal data due to the risk of causing victimization or discrimination when processed illegally. These data include data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

KALBİNLE.COM is meticulous in protecting special personal data that is determined as “special” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by KALBİNLE.COM to protect personal data are meticulously implemented in terms of special personal data and the necessary inspections are carried out within KALBİNLE.COM.

Note: Detailed information on the technical and administrative measures taken in the processing of personal data is included in section “8” of this policy.

2.3. Increasing Awareness and Supervision of Business Units Regarding the Protection and Processing of Personal Data

KALBİNLE.COM organizes training at regular intervals to raise awareness on preventing the unlawful processing of personal data, unlawful access to personal data and ensuring the preservation of personal data.

KALBİNLE.COM establishes the necessary systems to raise awareness among its employees on the protection of personal data, and works with consultants when needed. In this regard, our Company participates in relevant trainings, seminars and information sessions, especially those prepared by the Personal Data Protection Authority, through its employees, and renews its trainings in parallel with the updating of the relevant legislation.

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

Processing in Accordance with Law and Fairness

KALBİNLE.COM acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data is processed to the extent and limited to the business activities of our Company.

3.1.2. Ensuring Personal Data is Accurate and Up-to-Date Where Necessary

KALBİNLE.COM takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period it is processed and establishes the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods.

3.1.3. Processing for Specific, Clear and Legitimate Purposes

KALBİNLE.COM clearly states the purposes of processing personal data and processes it in line with its business activities and for purposes related to these activities.

3.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed

KALBİNLE.COM collects personal data only in the nature and to the extent required by its business activities and processes it limited to the specified purposes.

Preservation for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose of Processing KALBİNLE.COM preserves personal data for the period required for the purpose of processing and for the minimum period stipulated in the legal legislation governing the relevant activity. In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period required for the purpose of processing. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the specified destruction methods (deletion and/or destruction and/or anonymization).

3.2. Conditions for Processing Personal Data

Unless the personal data owner gives explicit consent, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity. If the processed data is special personal data, the conditions set out in heading 3.3 (“ Processing of Special Personal Data ”) of this Policy shall apply.

i. Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and expressed with free will.

If the personal data processing conditions listed below are met, personal data may be processed without the need for the explicit consent of the data owner.

ii. Explicitly Provided in Laws

If the personal data of the data owner is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition can be mentioned.

iii. Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility

If the processing of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his consent due to a de facto impossibility or whose consent cannot be validated, the personal data of the data owner may be processed.

iv. Direct Interest in the Establishment or Performance of the Contract

This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the data owner is a party.

v. Fulfillment of the Company's Legal Obligations

The personal data of the data owner may be processed if processing is necessary for our company to fulfill its legal obligations.

vi. Personal Data Owner's Making His/Her Personal Data Public

If the data owner has made his/her personal data public, the relevant personal data may be processed limitedly for the purpose of making it public.

vii. Data Processing is Necessary for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the data subject's personal data may be processed.

viii. Data Processing is Necessary for the Legitimate Interest of Our Company

Personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

3.3. Processing of Special Personal Data

Special personal data is not processed by our Company.

3.4. Informing the Relevant Persons

KALBİNLE.COM, in accordance with Article 10 of the Law and secondary legislation, informs personal data owners. In this context, KALBİNLE.COM, as the data controller, informs the relevant persons about who processes personal data, for what purposes, with whom it is shared and for what purposes, by what methods it is collected and its legal basis, and the rights of data owners within the scope of processing their personal data.

3.5. Transfer of Personal Data

Our company may transfer the personal data and special personal data of the personal data owner to third parties (third party companies, official and private authorities, third real persons) by taking the necessary security measures in line with the legal personal data processing purposes. In this regard, our company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in ANNEX 5 of this Policy (“ANNEX 5 - Third Parties to Which Personal Data is Transferred and the Purposes of Transfer”) .

3.6.1 Transfer of Personal Data

Even if there is no explicit consent of the personal data owner, personal data may be transferred to third parties by our Company, provided that one or more of the conditions specified below are met, by taking all necessary security measures, including the methods prescribed by the Board.

The relevant activities regarding the transfer of personal data are clearly prescribed by law,
The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is mandatory for our Company to fulfill its legal obligations,
Transfer of personal data by our Company for the limited purpose of publicity, provided that the data owner has made the data public,
The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the data owner or third parties,
It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner.
If the person is unable to give his consent due to a physical impossibility or if his consent is not legally valid, it is necessary to protect his own life or the physical integrity of another person.

In addition to the above, personal data may be transferred to foreign countries that will be declared by the Board to have sufficient protection (“ Foreign Country with Sufficient Protection ”) if any of the above conditions are met. In the absence of sufficient protection, personal data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have undertaken to provide sufficient protection in writing and where the Board has granted its permission (“ Foreign Country with a Data Controller Undertaking to Provide Sufficient Protection ”) in line with the data transfer conditions stipulated in the legislation.

3.6.2 Transfer of Special Personal Data

Special personal data is not transferred by our Company.

In addition to the above, personal data may be transferred to Foreign Countries with Sufficient Protection if any of the above conditions are met. In the absence of sufficient protection, personal data may be transferred to Foreign Countries with a Data Controller Who Undertakes Sufficient Protection in accordance with the data transfer conditions stipulated in the legislation.

4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING

In accordance with the purposes of processing personal data of our Company, personal data is processed in accordance with the general principles set forth in the Law, primarily the principles set forth in Article 4 of the Law on the processing of personal data, by informing the relevant persons in accordance with Article 10 of the Law and secondary legislation. Within the framework of the purposes and conditions set forth in this Policy, the categories of personal data processed and detailed information about the categories can be accessed in the document ANNEX 4 of the Policy (“ ANNEX 4- Personal Data Categories ”) .

Detailed information on the purposes of processing the personal data in question is included in ANNEX 2 of the Policy (“ ANNEX 2 - Purposes of Processing Personal Data ”) .

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

Our Company stores personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation governing the relevant activity. In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period required for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the specified destruction methods (deletion and/or destruction and/or anonymization).

6. RIGHTS OF THE RELATED PERSON

6.1. Rights of the Data Subject

Within the scope of KVKK

i. Learning whether your Personal Data is being processed,

ii. Request information regarding your Personal Data if it has been processed,

iii. To learn the purpose of processing your Personal Data and whether they are used in accordance with their purpose,

iv. To know the third parties to whom your Personal Data is transferred, either domestically or abroad,

v. Request correction of your Personal Data if it is processed incompletely or incorrectly,

vi. Request the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation,

vii. Request that the transactions made within the scope of articles v and vi be notified to third parties to whom your Personal Data has been transferred,

viii. To object to the emergence of a result to your detriment as a result of the analysis of processed data exclusively through automatic systems,

ix. To request compensation for damages in case you suffer damages due to the unlawful processing of your Personal Data.

You have the rights.

How to Exercise Your Rights?

You can download the “application form” from the link https://www.kalbinle.com/bilgiformu and fill it out according to your request/complaint, and send it to us via destek@kalbinle.com or you can fill out the form physically and send it to the address “ Plevne Mahallesi, Fırat Cd. 83 A, 06930 Sincan/ Ankara ” via cargo/mail.

If you submit your request to us using one of the methods shown above, your request will be evaluated within 30 days at the latest in accordance with Article 13/2 of the KVKK and you will be informed about the subject. If your request is accepted, the necessary procedures will be carried out immediately by the COMPANY, the data controller.

As a rule, requests are met free of charge, however, if fulfilling the request requires a fee, the COMPANY may request a fee in accordance with the provision in Article 7 of the “Communiqué on the Procedures and Principles of Application to the Data Controller”; “If the application of the relevant person is to be answered in writing, no fee will be charged for up to 10 pages. A processing fee of 1 TL may be charged for each page over 10 pages. If the answer to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.”

7. SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

7.1. Personal Data Processing Activities Conducted at Building and Facility Entrances and Within the Building and Facility and Website Visitors

In order to ensure security, KALBİNLE.COM carries out personal data processing activities in KALBİNLE.COM buildings and facilities, by using security cameras to monitor guest entries and exits.

7.2. KALBİNLE.COM Camera Monitoring Activities Conducted at Building and Facility Entrances and Inside

In order to ensure security in its buildings and facilities, KALBİNLE.COM carries out camera monitoring activities in accordance with the Law on Private Security Services and relevant legislation. In order to ensure security in its buildings and facilities, KALBİNLE.COM carries out security camera monitoring activities in accordance with the purposes stipulated in the relevant legislation in force and the personal data processing conditions listed in the Law.

In accordance with Article 10 of the Law, KALBİNLE.COM informs the personal data owner with more than one method regarding camera monitoring activity. In addition, in accordance with Article 4 of the Law, KALBİNLE.COM processes personal data in a limited and proportionate manner in connection with the purpose for which they are processed.

The purpose of KALBİNLE.COM in carrying out video camera monitoring is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, numbers and times of surveillance of security cameras are implemented in a way that is sufficient and limited to achieve the security purpose. The privacy of the person is not monitored in areas that may result in interventions that exceed security purposes (for example, toilets).

Only a limited number of KALBİNLE.COM employees have access to the records recorded and stored digitally with live camera images. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality commitment.

7.3. Monitoring of Guest Entrances and Exits at KALBİNLE.COM Building and Facility Entrances

KALBİNLE.COM carries out personal data processing activities to monitor guest entries and exits in KALBİNLE.COM buildings and facilities, to ensure security and for the purposes specified in this Policy.

While obtaining the names and surnames of the persons coming to KALBİNLE.COM buildings as guests or through texts hung on KALBİNLE.COM or made accessible to the guests in other ways, the personal data owners in question are informed within this scope. The data obtained for the purpose of monitoring guest entries and exits is processed only for this purpose and the relevant personal data is recorded in the data recording system in a physical environment.

MEASURES REGARDING THE SECURITY OF PERSONAL DATA

The “COMPANY”, with the awareness of the responsibility of being an important Company, provides all necessary reasonable care and attention regarding the confidentiality and security of the personal data it processes. In addition to the requirements of the relevant legislation, the “COMPANY” takes the necessary technical and administrative measures at a reasonable level to ensure data confidentiality and security within the framework of Article 12 of the KVKK. The aim of the said administrative and technical security measures is to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to preserve personal data at an appropriate security level.

In case personal data is processed on its behalf by another natural or legal person (data processor), the “COMPANY” will take the necessary measures to ensure that the above-mentioned measures are also taken by the relevant data processors.

In case of unlawful acquisition of personal data by third parties, it will notify the data owners, the Board and other relevant public institutions and organizations in accordance with the relevant legislation.

While taking measures regarding the security of personal data, the Personal Data Security Guide (Technical and Administrative Measures) published by the Board is taken into consideration.

Administrative Measures

Establishing and operating the information security management system within the company,
Signing commitments and confidentiality agreements with company personnel and relevant parties,
Creation of personal data inventories,
Operation of information security policies and procedures,
Organizing and evaluating training on information security and personal data processing activities,
In order to prevent unauthorized access to working computers, etc., only authorized persons should use the tools and equipment in question.
Creating records that will produce objective evidence for the transactions performed,

Technical Measures

As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
Access to information systems and authorization of users are done through security policies via the access and authorization matrix and the corporate active directory.
When software changes and/or updates are to be made on the systems, trials are carried out in a test environment, security vulnerabilities, if any, are detected and necessary precautions are taken, and the final form of the change to be made is given after these processes.
Necessary measures are taken for the physical security of the company's IT systems equipment, software and data.
In order to ensure the security of information systems against environmental threats, hardware (access control system that ensures only authorized personnel enter the system room, ensuring the physical security of the edge switches that form the area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, systems that block malware, etc.) measures are taken.
Risks to prevent unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical controls are carried out regarding the measures taken.
Access procedures are established within the company and reporting and analysis studies are carried out regarding access to personal data.
The Company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
In the event that personal data is obtained unlawfully by others, the Company has made appropriate preparations to notify the relevant person and the Board.
Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.
Strong passwords are used in electronic environments where personal data is processed.
Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
Data backup programs are used to ensure the safe storage of personal data.
Access to personal data stored in electronic or non-electronic media is limited according to access principles.
Access to the company's website is encrypted with the SHA 256 Bit RSA algorithm using the secure protocol (HTTPS).
If transfer is made between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or by using the sFTP method.
If it is necessary to transfer via paper, necessary precautions are taken against risks such as theft, loss or viewing by unauthorized persons, and the document is sent in a "confidential" format.

APPENDIX 1 – Definitions

Explicit Consent	It refers to consent regarding a specific subject, based on information and expressed with free will.
Company	KALBİNLE.COM located at Plevne Mahallesi, Fırat Cd. 83 A, 06930 Sincan/ Ankara.
Cookies	They are small files saved on users' computers or mobile devices that help store preferences and other information about the web pages they visit.
Related User	Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
Destruction	Deletion, destruction or anonymization of personal data.
Contact Person	The natural person notified by the data controller during registration in the Registry for communication with the Authority regarding the obligations of the data controller representatives of legal entities resident in Turkey and legal entities not resident in Turkey within the scope of the Law and secondary regulations to be issued based on this Law. (The contact person is not authorized to represent the Data Controller. As the name suggests, he/she is the person assigned to only “liaise” with the data controller and the relevant persons and the Institution.)
Law/KVKK	Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.
Recording Environment	Any environment in which personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Processing of Personal Data	Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Anonymization of Personal Data	Making personal data in such a way that it cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data.
Personal Data Deletion	Deletion of personal data; rendering personal data inaccessible and reusable for the Relevant Users in any way.
Personal Data Destroying	The process of making personal data inaccessible, irreversible and reusable by anyone.
The Board	Personal Data Protection Board.
Special Qualified Personal Data	Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, company, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction	In case all the conditions required for the processing of personal data are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy will be carried out ex officio at recurring intervals.
Policy	Personal data protection policy established by the company.
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.
Data Recording System	A recording system in which personal data is structured and processed according to certain criteria.
Data Owner/Relevant Person	The natural person whose personal data is processed.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulations	Regulation on the Erasure, Destruction or Anonymization of Personal Data.
Source:	Law No. 6698 on the Protection of Personal Data - Regulation on the Deletion, Destruction or Anonymization of Personal Data - Regulation on the Registry of Data Controllers - Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Disclose - Communiqué on the Application to the Data Controller and the Procedural Principles Communiqué on the Procedures and Principles of Application to the Data Controller

ANNEX 2 – Purposes of Processing Personal Data


PERSONAL DATA CATEGORY	CATEGORIZATION DESCRIPTION
Identity Data	Personal data regarding the identity information of real persons will be evaluated under this category. (name and surname, mother-father's name, mother's maiden name, date of birth, place of birth, marital status, Turkish identity number)
Contact Data	Any personal data that can be used for communication purposes with individuals will be evaluated under this category. (address number, e-mail address, contact address, registered electronic mail address (KEP), telephone number)
Data on Family Status	Information regarding the family and relatives of individuals will be included in this category. It does not matter whether the relevant person is a customer, employee or another data subject category.
Data on Education, Business and Professional Life	All kinds of data regarding the education and working life of individuals will be included under this category. (Education - Diploma - Certificate, Transcript, In-Service Training Information)
Financial Data	Account, bank and bill information of individuals
Audiovisual Recordings	Records made with organizations and events and visual/audio records kept for security purposes.
Digital Media Usage Data	Any personal data obtained as a result of monitoring users' activities in the digital environment will be classified under this category.
Special Personal Data	Race-Ethnicity, Health, Biometric Data, Criminal Conviction-Security Measures, Religion-Sect, Philosophical Belief, Union, Foundation, Association Memberships, Dress Code

ANNEX 4 – Personal Data Categories


PERSONAL DATA OWNER CATEGORY	CATEGORIZATION DESCRIPTION
Company Personnel	Administrative staff.
Board of Directors, Senate Members	Data of members involved in the company's bodies and activities
Third Parties Participating in Company Activities	Third parties involved in company commissions, working groups and organizations
Company Activities Invitees	Natural persons invited to the company's organizations
Participants in Company Activities	People who attend company events
Payment Addressee/Service Receiver	Third parties to whom payments must be made in Company Activities
Relatives of Company Employees	Company Employee Relatives, People living in the same residence and dependents
Potential Employees	Potential employees applying to work for the company
Supplier	Persons, organizations or persons associated with them that provide goods or services to the “COMPANY”.
Project Partner	Persons involved in projects carried out by the “COMPANY”
Advisor	Individuals, organizations or persons associated with them that provide external consultancy services to the “COMPANY”.
Other	Apart from the above, persons, organizations or persons related to them who have established a permanent or incidental, direct or indirect relationship with the "COMPANY".

ANNEX 5 – Third Parties to Which Personal Data is Transferred by Our Company and the Purposes of Transfer

KALBİNLE.COM may transfer the personal data of data owners governed by this Policy in accordance with Articles 8 and 9 of the Personal Data Protection Law to the following categories of persons:

To KALBİNLE.COM business partners,
To KALBİNLE.COM suppliers,
KALBİNLE.COM Community companies,
Legally Authorized public institutions and organizations
To legally authorized private law persons

The scope of the above-mentioned persons to whom the data is transferred and the purposes of data transfer are stated below.

Data Transfer Possible

People

Definition

Purpose of Data Transfer

Business Partner

While conducting the commercial activities of KALBİNLE.COM, personally or through KALBİNLE.COM

To carry out various projects together with their companies and to receive services for business purposes.

the parties to the partnership

Banks define,

KALBİNLE.COM Retirement and Assistance Fund Foundation

Establishment of business partnership

limited to ensure the fulfilment of its objectives

Supplier

Commercial of KALBİNLE.COM

While carrying out its activities, KALBİNLE.COM's orders and

providing services to KALBİNLE.COM on a contractual basis in accordance with its instructions

defines the parties.

KALBİNLE.COM outsources its services to suppliers and to carry out KALBİNLE.COM's commercial activities.

To ensure that the necessary services are provided to KALBİNLE.COM

for limited purposes.

Community Companies

KALBİNLE.COM Community companies

Carrying out commercial activities that require the participation of KALBİNLE.COM Community Companies

limited to providing

Legally Authorized Public Institutions and Organizations

According to the relevant legislation, public authorities are authorized to receive information and documents from KALBİNLE.COM.

institutions and organizations

Relevant public institutions and

limited to the purpose requested by the organizations within their legal authority

Legally Authorized Private Law Persons

According to the relevant legislation, a special person authorized to receive information and documents from KALBİNLE.COM

legal persons

Limited to the purpose requested by the relevant private legal persons within their legal authority.

ANNEX – 6 Data Controller Identity

Data Controller: KALBİNLE.COM

Address: Bosna Cad 54, 06930 Sincan/ Ankara

Phone :+905458825897

Website: www.kalbinle.com

Country/region

Language