KUZEY BORU A.Ş.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

The protection of personal data is among the most important priorities of Kuzey Boru Anonim Şirketi ("Kuzeyboru"). The most significant aspect of this issue is the protection and processing of personal data belonging to our job applicants, shareholders, company executives, visitors, employees of institutions we cooperate with, shareholders and executives of those institutions, and third parties, which is governed by this "Policy."

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. In accordance with this constitutionally guaranteed right, Kuzeyboru demonstrates the necessary diligence in protecting and processing the personal data of job applicants, shareholders, company executives, visitors, employees, shareholders, and executives of cooperating institutions, and third parties, governed by this Policy. This is institutionalized as a company policy.

In this context, necessary administrative and technical measures are taken by the company to protect personal data processed within the framework of the legal regulations.

The fundamental principles that Kuzeyboru adheres to in the processing of personal data are as follows:

Processing personal data in compliance with the law and fairness principles,Keeping personal data accurate and, when necessary, up to date,Processing personal data for specific, explicit, and legitimate purposes,Processing personal data in a manner that is related, limited, and proportional to the purpose for which they are processed,Retaining personal data for the duration prescribed by relevant laws or for as long as necessary for the purpose for which they were processed,Informing and enlightening the data subjects,Establishing a system that enables data subjects to exercise their rights,Taking necessary measures to protect personal data,Ensuring that the transfer of personal data to third parties, in accordance with the purpose for which they are processed, complies with relevant legislation and the regulations of the Personal Data Protection Board (KVK Board),Showing necessary sensitivity in the processing and protection of sensitive personal data.

ARTICLE 1: PURPOSE OF THE POLICY

The primary purpose of this Policy is to inform individuals whose personal data is processed by Kuzeyboru and to ensure transparency and trust in the lawful processing of personal data by Kuzeyboru, including customers, employees, job applicants, shareholders, company executives, visitors, employees, shareholders, and executives of institutions we cooperate with, and third parties whose personal data are processed by Kuzeyboru.

ARTICLE 2: CONTENT AND DEFINITIONS

This Policy applies to all personal data of our employees, job applicants, company shareholders, company executives, visitors, employees, shareholders, and executives of institutions we cooperate with, and third parties, processed either automatically or non-automatically as part of a data recording system.

The scope of this Policy's application to the groups of personal data subjects mentioned above may include the entire Policy or only parts of it.

The definitions of the terms used in this Policy are as follows:

Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller.Explicit consent: Consent that is informed, based on information, and given freely for a specific matter.Anonymization: The process of making personal data impossible to associate with any identified or identifiable individual, even when combined with other data.Employee: A staff member of Kuzeyboru.Electronic environment: Environments where personal data can be created, read, modified, and written using electronic devices.Non-electronic environment: Any environment other than electronic environments, such as written, printed, visual, or other media.Service provider: A natural or legal person providing services to the company under a specific contract.Data subject: A natural person whose personal data is being processed.Relevant user: A person or unit within the organization of the data controller, or someone authorized and instructed by the data controller to process personal data, excluding those technically responsible for storing, protecting, and backing up the data.Destruction: The process of deleting, destroying, or anonymizing personal data.KVKK/Law: The Law on the Protection of Personal Data No. 6698.Data storage environment: Any environment where personal data processed automatically or non-automatically as part of a data recording system is stored, whether partially or entirely.Personal data: Any information relating to an identified or identifiable natural person.Personal data processing inventory: A detailed inventory created by data controllers, linking personal data processing activities to their purposes and legal grounds, data categories, recipient groups, and retention periods, along with measures for data security and data transfers to foreign countries.Personal data processing: Any operation performed on personal data, including but not limited to obtaining, recording, storing, maintaining, changing, reordering, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether through automated or non-automated means.Board: The Personal Data Protection Board.Sensitive Personal Data: Data regarding a person's race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.Periodic Destruction: The process of deleting, destroying, or anonymizing personal data automatically or at regular intervals as per the data retention and destruction policy, in cases where all conditions for processing personal data outlined in the law are no longer applicable.Policy: Personal Data Retention and Destruction Policy.Kuzeyboru/Company: Kuzey Boru Anonim Şirketi.Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.Data Recording System: A system in which personal data is processed according to specific criteria.Data Controller: The natural or legal person who determines the purposes and means of personal data processing and is responsible for the establishment and management of the data recording system.Data Controllers Registry Information System: An online information system established and managed by the Authority, used by data controllers for applications and other related operations regarding registration to the Registry.VERBIS: Data Controllers' Registry Information System.Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette of the Republic of Turkey on October 28, 2017.

ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION

The applicable legal regulations on the processing and protection of personal data shall primarily be implemented. In the case of any inconsistency between the current legislation and the Policy, Kuzeyboru acknowledges that the applicable legislation shall take precedence.

This Policy is created by concretizing the rules set forth by the relevant legislation within the framework of Kuzeyboru’s practices.

ARTICLE 4: EFFECTIVENESS OF THE POLICY

This Policy, prepared by Kuzeyboru, will come into effect on the day it is published on our website. If there are any updates or changes to the Policy, the effective date will be updated accordingly.

The Policy is published on Kuzeyboru's website and will be made available to individuals upon request.

ARTICLE 5: PERSONAL DATA PROTECTION MATTER

In accordance with Article 12 of the KVKK, Kuzeyboru takes all necessary administrative, technical, and legal measures to prevent the unlawful processing of personal data, to prevent unauthorized access to data, and to ensure the protection of personal data, including necessary audits within this scope.

ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA

6.1 Technical and Administrative Measures to Ensure the Lawful Processing of Personal Data

Kuzeyboru takes technical and administrative measures to ensure the lawful processing of personal data, considering technological capabilities and implementation costs.

6.1.1 Technical Measures Taken to Ensure the Lawful Processing of Personal Data

The main technical measures taken by Kuzeyboru to ensure the lawful processing of personal data are as follows:

Personal data processing activities carried out within Kuzeyboru are monitored using technical systems.The technical measures taken are periodically reported to the relevant parties through the internal audit mechanism.Personnel with expertise in technical matters are employed.

6.1.2 Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

The main administrative measures taken by Kuzeyboru to ensure the lawful processing of personal data are as follows:

Employees are informed and trained regarding personal data protection law and the lawful processing of personal data.All activities conducted by Kuzeyboru are analyzed in detail for each business unit, and based on this analysis, personal data processing activities related to commercial activities are outlined.Personal data processing activities carried out by Kuzeyboru’s business units are specified, along with the necessary requirements for ensuring compliance with the personal data processing conditions prescribed by Law No. 6698, for each business unit and specific activity.Awareness is raised within the business units, and implementation rules are established; necessary administrative measures to ensure monitoring and continuity of implementation are carried out through internal policies and training.Contracts and documents regulating the legal relationship between Kuzeyboru and its employees include clauses that obligate employees not to process, disclose, or use personal data, except as directed by Kuzeyboru’s instructions or legal exceptions. Employees are made aware of this obligation, and audits are conducted.

6.2 Technical and Administrative Measures to Prevent Unauthorized Access to Personal Data

Kuzeyboru takes technical and administrative measures to prevent the unauthorized disclosure, access, transfer, or any other unlawful access to protected data, based on the nature of the data, technological capabilities, and implementation costs

6.2.1. Technical Measures Taken to Prevent Unauthorized Access to Personal Data

The main technical measures taken by Kuzeyboru to prevent unauthorized access to personal data are as follows:

Technical measures are implemented in accordance with technological advancements and are periodically updated and renewed.Business unit-based access and authorization technical solutions are deployed.The technical measures taken are periodically reported to the relevant parties through the internal audit mechanism, and any risk-related issues are reassessed and addressed with necessary technological solutions.Antivirus systems and security firewalls are installed.Personnel with expertise in technical matters are employed.

6.2.2 Administrative Measures Taken to Prevent Unauthorized Access to Personal Data

The main administrative measures taken by Kuzeyboru to prevent unauthorized access to personal data are as follows:

Employees are trained on the technical measures to be taken to prevent unauthorized access to personal data.Access and authorization processes for personal data are designed and implemented within Kuzeyboru on a business unit basis.Employees are informed that they are prohibited from disclosing personal data they have learned in violation of the KVKK and from using it for purposes other than the intended purpose. Employees are required to provide necessary assurances regarding this obligation, which continues even after their employment ends.Contracts with individuals to whom personal data is transferred by Kuzeyboru include provisions that the recipients of personal data will take necessary security measures to protect the data and ensure that these measures are followed within their organizations.

6.3 Storage of Personal Data in Secure Environments

Kuzeyboru takes necessary technical and administrative measures, based on technological capabilities and the cost of implementation, to ensure that personal data is stored in secure environments and to prevent unlawful destruction, loss, or alteration of personal data.

6.3.1 Technical Measures Taken for Storing Personal Data in Secure Environments

The main technical measures taken by Kuzeyboru to ensure the secure storage of personal data are listed below:

Systems suitable for technological developments are used to store personal data in secure environments.
Personnel specialized in technical matters are employed.

 

Technical security systems are established for storage areas. The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism. Risk factors are reassessed and necessary technological solutions are implemented.
Backup programs are used in compliance with the law to ensure the secure storage of personal data.

 

6.3.2 Administrative Measures Taken for Storing Personal Data in Secure Environments

The main administrative measures taken by Kuzeyboru to ensure the secure storage of personal data are listed below:

Employees are trained to ensure the secure storage of personal data.In cases where external services are obtained for the storage of personal data due to technical requirements, contracts with the relevant companies to which personal data is transferred include provisions ensuring that these companies will take necessary security measures for the protection of personal data and will ensure compliance with these measures in their organizations.

6.4. Audit of Measures Taken for the Protection of Personal Data

Kuzeyboru conducts or commissions audits in accordance with Article 12 of the Personal Data Protection Law (KVKK). The results of these audits are reported to the relevant unit within Kuzeyboru's internal workflow, and necessary activities are carried out to improve the measures taken.

6.5. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the KVKK, if personal data is obtained by others unlawfully, Kuzeyboru will ensure that the relevant data subject and the Personal Data Protection Authority (KVK) are notified as soon as possible.
If deemed necessary by the KVK, this situation may be announced on the KVK's website or through another method.

ARTICLE 7: OBSERVATION OF DATA SUBJECTS’ RIGHTS; CREATION OF CHANNELS TO COMMUNICATE THESE RIGHTS TO KUZEYBORU AND EVALUATION OF DATA SUBJECTS’ REQUESTS

Kuzeyboru carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners. Data subjects can submit their requests in writing to Kuzeyboru, and Kuzeyboru will respond to the request in the shortest possible time and at the latest within thirty days, free of charge. However, if the process requires a fee, Kuzeyboru will charge the fee determined by the Personal Data Protection Authority (KVK). Data subjects have the following rights:

To learn whether their personal data is being processed,To request information regarding their processed personal data,
To learn the purpose of processing their personal data and whether it is being used in accordance with its purpose,
To know the third parties to whom their personal data is transferred, either within the country or abroad,
To request the correction of any incomplete or inaccurate personal data and to request that this correction be communicated to third parties to whom their personal data has been transferred,
To request the deletion or destruction of personal data, in cases where the processing no longer serves a lawful purpose, and to request that this deletion or destruction be communicated to third parties to whom their personal data has been transferred,
To object to the processing of personal data based solely on automated systems, which results in an outcome unfavourable to the data subject,
To request compensation for damages arising from the unlawful processing of personal data.

 

More detailed information on the rights of data subjects is provided in this Policy.

 

ARTICLE 8: PROTECTION OF SENSITIVE PERSONAL DATA

Under the Personal Data Protection Law (KVKK), certain personal data are given special importance due to the risk of causing harm or discrimination to individuals if processed unlawfully.

 

These data include race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Kuzeyboru takes great care in protecting sensitive personal data, which are designated as "special categories" under the KVKK, and processed in compliance with the law. In this regard, the technical and administrative measures taken by Kuzeyboru for the protection of personal data are applied with particular attention to sensitive personal data, and necessary inspections are carried out within the company.

Detailed information regarding the processing of sensitive personal data is provided in this Policy.

 

ARTICLE 9: INCREASING AWARENESS AND SUPERVISION OF BUSINESS UNITS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Kuzeyboru ensures that necessary training is organized for business units to raise awareness and prevent unlawful processing of personal data, unlawful access to data, and to ensure data retention.

Systems are established to ensure that current employees and new employees of business units are aware of the protection of personal data, and if needed, professional assistance is sought for the training.

 

ARTICLE 10: INCREASING AWARENESS AND SUPERVISION OF BUSINESS PARTNERS AND SUPPLIERS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Kuzeyboru organizes training sessions and seminars for business partners to increase awareness regarding the prevention of unlawful processing of personal data, unlawful access to data, and data retention.

These training sessions for business partners are repeated periodically, and systems are set up to ensure that current employees and new employees in the business partner units are aware of personal data protection. If necessary, professional assistance is also provided.

The results of the training aimed at raising awareness about the protection and processing of personal data are reported to the holding company. Kuzeyboru evaluates participation in these trainings, seminars, and information sessions, and conducts or arranges necessary audits. Kuzeyboru updates and renews its training in line with updates to the relevant legislation.

 

ARTICLE 11: ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 4 of the KVKK, Kuzeyboru processes personal data in compliance with the principles of lawfulness and fairness, ensuring accuracy and, where necessary, keeping it up to date; for specific, explicit, and legitimate purposes; and in a way that is relevant, limited, and proportionate to the purpose. Kuzeyboru retains personal data for the period prescribed by law or as required by the purpose for processing the data.

In accordance with Articles 20 of the Constitution of the Republic of Turkey and Article 5 of the KVKK, Kuzeyboru processes personal data based on one or more of the conditions specified in Article 5 of the KVKK.

In line with Articles 20 of the Constitution of the Republic of Turkey and 10 of the KVKK, Kuzeyboru informs the data subjects and provides necessary information upon their request.

Kuzeyboru acts in accordance with the provisions for processing sensitive personal data as stipulated in Article 6 of the KVKK.

Kuzeyboru complies with the regulations regarding the transfer of personal data as outlined in Articles 8 and 9 of the KVKK and follows the guidelines set by the Personal Data Protection Authority.

 

ARTICLE 12: PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET OUT IN THE RELEVANT LEGISLATION

 

12.1 Lawfulness and Fairness in Processing

Kuzeyboru ensures that the processing of personal data complies with the principles outlined in legal regulations and the general principles of trust and fairness. In this context, Kuzeyboru takes proportionality requirements into consideration when processing personal data and does not use personal data for purposes beyond those required for the specific purpose.

 

12.2 Ensuring Accuracy and Timeliness of Personal Data
Kuzeyboru ensures that the personal data it processes is accurate and, where necessary, kept up to date, taking into account the fundamental rights of data subjects and its own legitimate interests. Necessary measures are taken in this regard.

 

12.3 Processing for Specific, Explicit, and Legitimate Purposes

Kuzeyboru explicitly and definitively defines the legitimate and lawful purpose for processing personal data. Kuzeyboru processes personal data only to the extent necessary for the services it provides and for the specific purposes related to those services.

 

12.4 Adequacy, Relevance, and Proportionality to the Purpose

Kuzeyboru processes personal data in a manner conducive to achieving the specified purposes and avoids processing personal data that is irrelevant or unnecessary for the purpose at hand. For instance, personal data is not processed for potential future needs.

 

12.5 Retention for the Period Necessary for Legal or Purposeful Requirements

Kuzeyboru retains personal data only for the duration specified in the relevant legislation or for as long as necessary for the purpose for which the data was processed. In this regard, Kuzeyboru first determines whether the legislation stipulates a retention period for personal data; if such a period is specified, it adheres to this period. If no retention period is specified, Kuzeyboru retains personal data for the period necessary to fulfill the purpose for which the data was processed. Upon the expiration of the retention period or the cessation of the reasons for processing, personal data is deleted, destroyed, or anonymized by Kuzeyboru. Kuzeyboru does not retain personal data for potential future use. Detailed information on this matter is provided in this Policy.

 

ARTICLE 13: PROCESSING PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE KVKK AND LIMITED TO THESE CONDITIONS

 

The protection of personal data is a constitutional right. Fundamental rights and freedoms can only be restricted by law, and such restrictions must not touch the essence of the rights. In accordance with the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases foreseen by law or with the explicit consent of the individual. In this regard, and in accordance with the Constitution, Kuzeyboru processes personal data only in the cases specified by law or with the explicit consent of the data subject. Detailed information on this matter is provided in this Policy.

 

ARTICLE 14: INFORMING AND NOTIFYING THE PERSONAL DATA SUBJECT

In accordance with Article 10 of the KVKK, Kuzeyboru informs personal data subjects during the collection of their personal data. In this context, Kuzeyboru provides information about the purpose of processing personal data, who the data may be transferred to and for what purposes, the method and legal basis for data collection, and the rights of the data subject. Detailed information on this subject is provided in this Policy.
Article 20 of the Constitution of the Republic of Turkey states that everyone has the right to be informed about their personal data. In line with this, Article 11 of the KVKK lists "the right to request information" as one of the rights of personal data subjects. In this regard, Kuzeyboru, in accordance with Articles 20 of the Constitution of the Republic of Turkey and 11 of the KVKK, provides the necessary information if the personal data subject requests information. Detailed information on this matter is provided in this Policy.

 

ARTICLE 15: PROCESSING OF SENSITIVE PERSONAL DATA

Kuzeyboru processes sensitive personal data, which is designated as "special categories" under the KVKK, in strict compliance with the regulations set out in the KVKK.

Article 6 of the KVKK identifies certain personal data as "special categories" due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

In accordance with the KVKK, Kuzeyboru processes sensitive personal data under the following conditions, provided that sufficient measures, as determined by the Personal Data Protection Authority, are implemented:

 

If the data subject gives explicit consent, orIf the data subject does not give explicit consent:

 

Sensitive personal data, other than health and sexual life, may be processed in cases specified by law,Sensitive personal data related to the health and sexual life of the data subject can only be processed by individuals or authorized institutions and organizations that are subject to confidentiality obligations, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

 

ARTICLE 16: TRANSFER OF PERSONAL DATA

Kuzeyboru may transfer the personal data and sensitive personal data of the data subject to third parties (third-party companies, business partners, third parties) in accordance with lawful personal data processing purposes, by taking necessary security measures. Kuzeyboru acts in compliance with the provisions set out in Article 8 of the Personal Data Protection Law (KVKK). Detailed information on this matter is provided in this Policy.

 

16.1 Transfer of Personal Data

Kuzeyboru may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the KVKK and for lawful and legitimate purposes, subject to certain limitations, as follows:

If the data subject has given explicit consent;If there is a clear provision in the law allowing the transfer of personal dataIf necessary for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to physical impossibility, or if their consent is not legally valid;If the transfer of personal data is necessary for the establishment or performance of a contract, directly related to the contract parties;If the personal data transfer is required for Kuzeyboru to fulfill its legal obligations;If the personal data has been made public by the data subject;If the personal data transfer is necessary for the establishment, exercise, or protection of a legal right;If the transfer of personal data is necessary for Kuzeyboru's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

16.2 Transfer of Sensitive Personal Data

Kuzeyboru may transfer sensitive personal data to third parties in accordance with lawful personal data processing purposes, with due diligence and by taking necessary security measures, and by ensuring compliance with the sufficient precautions determined by the Personal Data Protection Board (KVK).

Sensitive personal data may only be transferred under the following conditions:

If the data subject has given explicit consent, orIf the data subject has not given explicit consent:Personal data other than health and sexual life (such as race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations, or unions, criminal convictions, security measures, biometric and genetic data) may be transferred in situations provided by law

 

Health and sexual life data of the data subject may be transferred only for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, and only by individuals or authorized institutions and organizations who are bound by confidentiality obligations.

 

ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD

 

Kuzeyboru may transfer the personal data and sensitive personal data of the data subject to third parties abroad, in accordance with lawful personal data processing purposes, by taking necessary security measures.

 

Personal data is transferred by Kuzeyboru to countries that the Personal Data Protection Board (KVK) has declared to offer adequate protection ("Adequately Protected Foreign Countries") or to foreign countries where there is no adequate protection, but where the data controllers in Turkey and the relevant foreign country have committed in writing to provide adequate protection and the KVK’s permission has been obtained ("Foreign Countries with Data Controllers Offering Adequate Protection"). The transfer is also carried out via standard contractual clauses or binding corporate rules. Kuzeyboru acts in compliance with the provisions of Article 9 of the KVKK and the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad. Detailed information regarding this matter is provided in this Policy.

 

17.1 Transfer of Personal Data Abroad

Kuzeyboru may transfer personal data to "Adequately Protected Foreign Countries" or "Foreign Countries with Data Controllers Offering Adequate Protection" as well as through standard contractual clauses or binding corporate rules, in the following cases:

If there is a clear provision in the law allowing the transfer of personal data;

If the transfer of personal data is necessary for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to physical impossibility, or if their consent is not legally valid;

If the transfer of personal data is necessary for the establishment or performance of

a contract, directly related to the contract parties;

If the personal data transfer is necessary for Kuzeyboru to fulfill its legal obligations;

If the personal data has been made public by the data subject;

If the personal data transfer is necessary for the establishment, exercise, or protection of a legal right;

If the transfer of personal data is necessary for Kuzeyboru’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

17.2 Transfer of Sensitive Personal Data Abroad

 

Kuzeyboru may transfer sensitive personal data to "Adequately Protected Foreign Countries" or "Foreign Countries with Data Controllers Offering Adequate Protection" as well as through standard contractual clauses or binding corporate rules, in accordance with lawful personal data processing purposes, by taking the necessary security measures and complying with the sufficient precautions determined by the Personal Data Protection Board (KVK).
Sensitive personal data may only be transferred abroad under the following conditions:

 

If the data subject has given explicit consent, orIf the data subject has not given explicit consent:

 

Personal data other than health and sexual life (such as race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations, or unions, criminal convictions, security measures, biometric and genetic data) may be transferred in situations provided by law.

 

Health and sexual life data of the data subject may only be transferred by persons or authorized institutions and organizations that are subject to confidentiality obligations and only for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing.

 

ARTICLE 18: CATEGORIZATION, PROCESSING PURPOSES, AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY KUZEYBORU

 

Kuzeyboru, in accordance with Article 10 of the Personal Data Protection Law (KVKK), informs the data subject about which personal data groups it processes, the purposes of processing the data subject’s personal data, and the storage periods of those data.

 

ARTICLE 19: CATEGORIZATION OF PERSONAL DATA

In accordance with Article 10 of KVKK, and with the necessary information provided to the relevant individuals, Kuzeyboru processes personal data under the categories listed below, based on one or more of the data processing conditions stated in Article 5 of KVKK, for legitimate and legal purposes, in compliance with the principles specified in Article 4 of KVKK, as well as all obligations stipulated under the Law. The data categories processed under this Policy are limited to the individuals specified in this Policy.

IDENTITY INFORMATION: Data that is processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, such as information found in documents like Driver’s License, Identity Card, Residence Permit, Passport, Attorney's ID, Marriage Certificate, etc.

CONTACT INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, such as phone number, address, and email.

CUSTOMER INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, obtained and produced through commercial activities or operations conducted by relevant business units.

PHYSICAL FACILITY SECURITY INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to records and documents taken during physical entry and presence in a facility.

OPERATIONAL SECURITY INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, to ensure technical, administrative, legal, and commercial security during business activities.

RISK MANAGEMENT INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, used and processed in accordance with generally accepted legal, commercial customs, and rules of integrity for managing commercial, technical, and administrative risks.

FINANCIAL INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the financial outcomes of the legal relationship established between Kuzeyboru and the data subject.

EMPLOYEE INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the personal rights of employees or individuals in working relationships with Kuzeyboru.

CANDIDATE INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to individuals who have applied to become employees of Kuzeyboru or who have been considered for employment based on Kuzeyboru’s human resources needs.

EMPLOYEE OPERATION INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the work performed by employees or individuals in working relationships with Kuzeyboru.

PERFORMANCE AND CAREER DEVELOPMENT INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the measurement of employee performance and career development planning and implementation under Kuzeyboru’s human resources policies.

FRINGE BENEFITS AND ADVANTAGES INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the planning of fringe benefits and advantages provided to employees or individuals in working relationships with Kuzeyboru.

LEGAL TRANSACTION INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the identification, monitoring, and enforcement of legal claims and obligations in accordance with legal requirements and Kuzeyboru’s policies.

AUDIT AND INSPECTION INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the monitoring and auditing of compliance with Kuzeyboru’s legal obligations and policies.

SPECIAL CATEGORIES OF PERSONAL DATA: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, as defined under Article 6 of the Law No. 6698.

REQUEST/COMPLAINT MANAGEMENT INFORMATION: Information processed automatically or non-automatically as part of the data recording system, clearly identifying or identifiable to a specific person, related to the receipt and evaluation of any requests or complaints directed to Kuzeyboru.

ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA

The general purposes for processing personal data, as prepared by Kuzeyboru, are shared below:

Conducting necessary work by relevant business units to implement the commercial activities carried out by Kuzeyboru and managing related business processes,Planning and executing Kuzeyboru’s commercial and/or business strategies,Carrying out necessary activities by relevant business units to benefit relevant individuals from products and services offered by Kuzeyboru and executing related processes,Planning and implementing Kuzeyboru’s human resources policies and processes,Ensuring the legal, technical, and commercial security of the individuals in business relations with Kuzeyboru.

The specific purposes of data processing under the aforementioned general objectives include:

Event ManagementPlanning and Execution of Research and Development ActivitiesPlanning and Execution of Business ActivitiesCorporate Communication ActivitiesPlanning and Execution of Information Security ProcessesEstablishing and Managing IT InfrastructurePlanning and Execution of Access Rights for Business Partners and/or SuppliersPlanning and Execution of Fringe Benefits for Employees and/or Business PartnersMonitoring Finance and/or Accounting ActivitiesPlanning and Execution of Logistics ActivitiesManaging Relationships with Business Partners and/or SuppliersDetecting Financial Risks for CustomersManaging Customer RelationsMonitoring Contract Processes and/or Legal ClaimsMonitoring Customer Requests and/or ComplaintsPlanning Human Resources ProcessesManaging Recruitment ProcessesMonitoring Legal AffairsExecuting Operational Activities to Ensure Kuzeyboru’s Activities are in Compliance with Kuzeyboru Procedures and Relevant LegislationCollecting Entry and Exit Records of Business Partner/Supplier EmployeesCreating and Monitoring Visitor RecordsPlanning and Executing Kuzeyboru Audit ActivitiesPlanning and Executing Occupational Health and/or Safety ProcessesEnsuring Data Accuracy and CurrencyManaging and/or Auditing Relations with AffiliatesEnsuring the Security of Kuzeyboru Premises and/or FacilitiesEnsuring the Security of Kuzeyboru’s Assets and/or ResourcesPlanning and/or Executing Kuzeyboru’s Financial Risk Processes

In addition to the above-mentioned data processing purposes, Kuzeyboru seeks the explicit consent of data subjects for processing personal data under the following circumstances:

Planning and Executing Access Rights for Business Partners and/or SuppliersPlanning and Executing Logistics Activities

III. Managing Relationships with Business Partners and/or Suppliers

Monitoring Contract Processes and/or Legal ClaimsPlanning Human Resources ProcessesManaging Recruitment Processes

VII. Planning and/or Executing Customer Satisfaction Activities

VIII. Executing Operational Activities to Ensure Kuzeyboru’s Activities are in Compliance with Kuzeyboru Procedures and Relevant Legislation

Collecting Entry and Exit Records of Business Partner/Supplier EmployeesPlanning and Executing Kuzeyboru Audit ActivitiesPlanning and/or Executing Occupational Health and/or Safety Processes

XII. Ensuring the Security of Kuzeyboru’s Premises and/or Facilities

ARTICLE 21: RETENTION PERIODS OF PERSONAL DATA

Kuzeyboru retains personal data for the period specified in the relevant laws and regulations, if such retention period is prescribed in those regulations.

If no retention period is specified in the legislation regarding how long personal data should be stored, personal data is processed for the period necessary based on Kuzeyboru’s services related to the processing of that data, as per the company's practices and commercial customs, and is then deleted, destroyed, or anonymized. Detailed information regarding this matter is provided in this Policy.

If the purpose of processing personal data has ended, and the retention periods specified by the relevant legislation and Kuzeyboru have expired, personal data can only be retained to serve as evidence in potential legal disputes or to assert a related right or establish a defense. In determining these retention periods, the limitation periods for asserting the relevant right, as well as examples from previous requests made to Kuzeyboru regarding similar matters, are taken into account. In such cases, personal data is not accessed for any other purpose and is only accessible when it is needed in the relevant legal dispute. Once the period has expired, personal data is deleted, destroyed, or anonymized.

 

ARTICLE 22: CATEGORIZATION OF PERSONAL DATA OWNERS PROCESSED BY KUZEYBORU

Kuzeyboru processes the personal data of individuals in the categories listed below, but the scope of this Policy is limited to our customers, potential customers, job applicants, company shareholders, company officials, visitors, employees of the institutions we cooperate with, shareholders and officials of those institutions, and third parties.

While the categories of individuals whose personal data are processed by Kuzeyboru are outlined above, individuals outside these categories may also submit requests to Kuzeyboru under the KVKK; such requests will be evaluated in accordance with this Policy.
The terms for customer, potential customer, visitor, job applicant, shareholder, board member, individuals at cooperating institutions, and related third parties under this Policy are clarified below.

 

ARTICLE 23: CATEGORIES AND EXPLANATIONS

Visitor: A real person who has entered the physical premises owned by Kuzeyboru for various purposes or visited our websites.

Third Parties: Real persons or employees of third-party entities involved with Kuzeyboru in ensuring the security of commercial transactions or protecting the rights and interests of these individuals, who are not covered under the scope of this policy regarding personal data protection and processing.

Job Applicant: A real person who has applied for a job at Kuzeyboru through any method or submitted their resume-related information to Kuzeyboru.

Company Shareholder: A real person who holds shares in Kuzeyboru.

Company Officer: A real person who is a board member or other authorized person at Kuzeyboru.

Employees, Shareholders, and Officers of Entities with Which We Collaborate: Real persons who are shareholders or officers of institutions with which Kuzeyboru is in any business relationship (including, but not limited to, business partners, offices, suppliers, etc.).

 

ARTICLE 24: THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY KUZEYBORU AND PURPOSES OF TRANSFER

 

Kuzeyboru informs the data subject about the categories of persons to whom personal data is transferred in accordance with Article 10 of the Personal Data Protection Law (KVKK).

Kuzeyboru may transfer personal data in accordance with Articles 8 and 9 of KVKK to the following categories of persons:

a.Kuzeyboru’s business partners,

Kuzeyboru’s suppliers,
Kuzeyboru’s affiliates,
Kuzeyboru’s shareholders,
Public institutions and organizations authorized by law,
Private legal persons authorized by law.

 

The scope of these third parties and the purposes of data transfer are as follows:

 

To ensure that the objectives of the business partnership are fulfilled,To ensure that the services provided by external suppliers necessary for the commercial activities of Kuzeyboru are delivered to Kuzeyboru,To ensure the continuation of commercial activities that require the participation of Kuzeyboru’s affiliates,To design and audit strategies and operations related to Kuzeyboru’s commercial activities according to legal requirements,If legally authorized public institutions or organizations request information and documents from Kuzeyboru within the framework of legal regulations, only to the extent necessary for the requested purpose,If legally authorized private legal persons request information and documents from Kuzeyboru within the framework of legal regulations, only to the extent necessary for the requested purpose.

 

The transfers conducted by Kuzeyboru are carried out in compliance with the provisions regulated in this policy.

 

In accordance with Article 10 of KVKK, Kuzeyboru informs the data subject about the personal data it processes.

 

Although the legal bases for processing personal data may differ, Kuzeyboru ensures that all personal data processing activities comply with the general principles set forth in Article 4 of KVKK No. 6698.

 

Personal data will be processed based on the explicit consent of the data subject, and explicit consent is obtained from visitors and third parties.

 

Personal data may be processed legally if expressly prescribed by law.

 

In the event that a person is unable to provide consent due to physical impossibility or when consent cannot be deemed valid, personal data may be processed when necessary to protect the life or physical integrity of the data subject or another person.

 

Personal data may also be processed if necessary for the formation or performance of a contract directly related to the parties.

 

If it is necessary for Kuzeyboru to fulfill its legal obligations as the data controller, personal data may be processed.

 

If the data subject has made their personal data public, such data may be processed.

Personal data may be processed when necessary for the establishment, exercise, or defense of a legal claim (e.g., for invoices).

 

Kuzeyboru may process personal data for its legitimate interests, provided that it does not infringe on the fundamental rights and freedoms of the data subject (e.g., for internal company calculations).

 

Personal data processing activities conducted by Kuzeyboru at building entrances and within facilities are carried out in accordance with the Constitution of the Republic of Turkey, KVKK, and other applicable regulations.

 

For security purposes, Kuzeyboru monitors with security cameras and tracks the entry and exit of visitors within its buildings and facilities.

 

The use of security cameras and the recording of visitor entries and exits by Kuzeyboru constitute personal data processing activities.

 

In this context, Kuzeyboru complies with the Constitution of the Republic of Turkey, KVKK, and other relevant legislation. The purpose of security camera monitoring is to enhance service quality, ensure reliability, safeguard the security of Kuzeyboru, its employees, and others, and protect the interests of third parties receiving services. These activities are conducted in accordance with the Private Security Services Law and relevant regulations.

Kuzeyboru ensures compliance with the provisions of KVKK in its security-related monitoring activities.

 

Kuzeyboru conducts security camera monitoring for the purposes set forth in the laws and in accordance with the conditions of personal data processing specified in KVKK.

 

The announcement of monitoring activities is made in accordance with Article 10 of KVKK.

In addition to general disclosures, Kuzeyboru also provides multiple notifications in line with EU regulations on camera surveillance to ensure transparency and protect the fundamental rights and freedoms of data subjects.

 

Kuzeyboru processes personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed, as outlined in Article 4 of KVKK.

 

The purpose of video surveillance is limited to the objectives outlined in this policy. Accordingly, the areas of surveillance, the number of cameras, and the times of monitoring are set in a way that is sufficient to achieve the security goal and are implemented strictly within these boundaries. Surveillance will not occur in areas that could infringe on personal privacy (e.g., restrooms).

Kuzeyboru takes the necessary technical and administrative measures to ensure the security of personal data obtained through surveillance in accordance with Article 12 of KVKK.

 

Recorded data stored in digital form is only accessible to a limited number of authorized Kuzeyboru employees. Live camera footage may be accessed by external security personnel. Individuals with access to the records are required to sign confidentiality agreements to ensure the protection of the data they access.

 

Kuzeyboru also processes personal data for tracking guest entry and exit at its buildings and facilities for security purposes, as described in this policy.

 

The names and surnames of guests coming to the company buildings are collected, and the data subjects are informed about this process through notices posted at the entrances or other means. The data obtained for tracking guest entries and exits is processed solely for this purpose and is recorded in physical data systems.

 

Kuzeyboru publishes this policy on its website (online policy) and provides onsite notifications by posting signs in areas where surveillance takes place (on-site notification).

 

On Kuzeyboru’s websites, visitors' internet activities are recorded using technical means for the purpose of ensuring that visits to the site are carried out in accordance with the intended purposes and to show customized content.

 

Detailed explanations regarding personal data protection and processing activities are available in the "Privacy Policy" texts on Kuzeyboru’s websites.

 

In accordance with Article 138 of the Turkish Penal Code and Article 7 of KVKK, Kuzeyboru deletes, destroys, or anonymizes personal data when the reasons for processing no longer exist, based on its own decision or upon the data subject’s request, even if the data has been processed in compliance with the law. Kuzeyboru fulfills this legal obligation through lawful methods.

 

ARTICLE 25: TECHNIQUES FOR DELETING, DESTROYING, AND ANONYMIZING PERSONAL DATA

25.1 Techniques for Deleting and Destroying Personal Data

Kuzeyboru, in accordance with the relevant legal provisions, may delete or destroy personal data when the reasons for its processing no longer exist, either by its own decision or upon the request of the data subject. The most frequently used techniques for deleting or destroying personal data are:

25.1.1 Physical Destruction

When personal data is part of a non-automated data system, it can be processed through manual means. In such cases, physical destruction ensures that the data cannot be used again.

25.1.2 Secure Deletion from Software

 

When deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software so that it cannot be recovered again.

25.1.3 Expert Secure Deletion

In some cases, Kuzeyboru may contract an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field in a way that cannot be recovered again.

 

25.2 Techniques for Anonymizing Personal Data

Anonymization means ensuring that personal data can no longer be associated with an identified or identifiable individual, even by matching it with other data. Kuzeyboru may anonymize personal data when the reasons for processing no longer exist.
In accordance with Article 28 of KVKK, anonymized personal data may be processed for research, planning, or statistical purposes without the need for consent from the data subject. Anonymized data is outside the scope of KVKK, and the rights provided in this policy do not apply to such data.

The most commonly used anonymization techniques by Kuzeyboru include:

a. Masking

Masking removes key identifying information from a data set, making the data anonymous.

Aggregation

Aggregation combines multiple pieces of data, making it impossible to associate them with an individual.

Data Derivation

Data derivation involves generating broader data from specific personal data, making it impossible to link it to an individual.

Data Shuffling

Data shuffling involves mixing up the values within a dataset to sever the connection between the data and the individual.

 

Kuzeyboru, in accordance with Article 10 of KVKK, informs the data subject about their rights and provides guidance on how to exercise those rights, ensuring compliance with Article 13 of KVKK.

 

ARTICLE 26: RIGHTS OF THE DATA SUBJECT AND HOW TO EXERCISE THESE RIGHTS

 

26.1 Rights of the Data Subject

Data subjects have the following rights:

To learn whether personal data is being processed.
If personal data has been processed, to request information regarding it.
To learn the purpose of processing personal data and whether it is being used in accordance with that purpose.
To know the third parties to whom personal data has been transferred, whether within the country or abroad.
In case personal data is processed incompletely or incorrectly, to request its correction and to request that the correction be communicated to the third parties to whom the personal data has been transferred.
Even if the personal data has been processed in compliance with the KVKK (Personal Data Protection Law) and other relevant laws, to request the deletion or destruction of personal data if the reasons for its processing no longer exist, and to request that this process be communicated to the third parties to whom the personal data has been transferred.
To object to a decision made solely on the basis of automated processing of personal data, which results in an adverse outcome for the data subject.
To request compensation for the damage caused by the unlawful processing of personal data.

 

26.2 Situations in Which the Data Subject’s Rights Cannot Be Asserted

 

Under Article 28 of the Personal Data Protection Law (KVKK), the following situations are excluded from the scope of KVKK, and data subjects cannot assert their rights in the situations listed below:

The processing of personal data for purposes such as research, planning, and statistics, by anonymizing the data for official statistics purposes.The processing of personal data for purposes such as art, history, literature, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, and does not constitute a crime.The processing of personal data by public institutions and organizations authorized by law for the purpose of national defense, national security, public safety, public order, or economic security as part of preventive, protective, and intelligence activities.The processing of personal data by judicial authorities or enforcement agencies in relation to investigations, prosecutions, trials, or execution procedures.

According to Article 28/2 of KVKK, data subjects cannot assert their rights listed below, except for the right to request the compensation of damages in the following cases:

The processing of personal data is necessary for the prevention of a crime or for a criminal investigation.The processing of personal data made public by the data subject.The processing of personal data based on the authorization provided by law for public institutions, public professional organizations, or the performance of monitoring, regulatory tasks, or disciplinary investigations or prosecutions.The processing of personal data by judicial authorities or enforcement agencies in relation to investigations, prosecutions, trials, or execution procedures.

26.3 Exercising Data Subject’s Rights

Data subjects may submit requests related to the rights listed above using the methods described below to Kuzeyboru free of charge:

By filling out the form available at www.kuzeyboru.com.tr signing it with a wet signature, and submitting it in person to Kuzeyboru’s address: Kırımlı OSB Mah. Mehmetçik Bul. No:2 İç Kapı No:1 Merkez/Aksaray.
By filling out the form available at www.kuzeyboru.com.tr signing it with a wet signature, and sending it by cargo or post to Kuzeyboru’s address: Kırımlı OSB Mah. Mehmetçik Bul. No:2 İç Kapı No:1 Merkez/Aksaray.
By filling out the form available at www.kuzeyboru.com.tr, signing it with a "secure electronic signature" under the Electronic Signature Law No. 5070, and sending the securely signed form via e-mail to [email protected] (KEP address) or [email protected].

 

Requests by third parties on behalf of data subjects are not permitted.

For a third party to make a request on behalf of the data subject, the data subject must provide a special power of attorney for the individual who will submit the request.

Data subjects must fill out the "Application Form for Data Subjects to Make Applications to the Data Controller under the Personal Data Protection Law No. 6698" for their request to be processed. The application method is also explained in detail in this form.

 

26.4 Right to File a Complaint with the Personal Data Protection Board

According to Article 14 of KVKK, if the data subject’s request is rejected, if the response is found insufficient, or if no response is provided within the specified time, the data subject has the right to file a complaint with the KVK Board. The complaint must be filed within thirty days from the date the data subject is informed of the response from Kuzeyboru, or from the application date if no response is given.

 

ARTICLE 27: KUZEYBORU’S RESPONSE TO APPLICATIONS

 

27.1 Kuzeyboru's Response Procedure and Time for Applications

If a data subject submits a request to Kuzeyboru in accordance with the procedure outlined in the above section, Kuzeyboru will respond to the request as soon as possible and no later than within thirty days, free of charge.

However, if the process requires additional costs, Kuzeyboru will charge the applicant a fee according to the tariff determined by the Personal Data Protection Board (KVK Board).

 

27.2 Information Kuzeyboru May Request from the Data Subject

Kuzeyboru may request information from the applicant to confirm whether they are the data subject.

Kuzeyboru may ask the data subject questions related to their application in order to clarify certain details.

 

27.3 Kuzeyboru’s Right to Reject the Data Subject’s Application

 

Kuzeyboru may reject the application of the data subject in the following cases, providing the reason for the rejection:

The processing of personal data for purposes such as research, planning, and statistics, by anonymizing the data for official statistics purposes.
The processing of personal data for the purposes of national defence, national security, public safety, public order,
Economic security, the privacy of personal life, or personal rights, provided that it does not violate or constitute a crime within the scope of freedom of expression, or for artistic, historical, literary, or scientific purposes.
The processing of personal data by public institutions and organizations authorized by law for the purpose of national defense, national security, public safety, public order, or economic security, in the context of preventive, protective, and intelligence activities.
The processing of personal data by judicial authorities or enforcement agencies related to investigations, prosecutions, trials, or execution procedures.
The processing of personal data necessary for preventing a crime or conducting a criminal investigation.
The processing of personal data that the data subject has made public.
The processing of personal data by public institutions, public professional organizations, or other authorized bodies based on the authorization given by law, for conducting monitoring, regulatory tasks, or for disciplinary investigations or prosecutions.
The processing of personal data necessary for protecting the State’s economic and financial interests, especially related to budgeting, taxes, and financial matters.
The possibility that the data subject’s request might infringe on the rights and freedoms of other individuals.
Requests that require disproportionate effort.
The requested information is publicly available.

 

Article 28: Relationship of Kuzeyboru’s Personal Data Protection and Processing Policy with Other Policies

This policy outlines the basic principles related to personal data protection and processing, in connection with other policies implemented by Kuzeyboru in various domains. These policies ensure harmonization between Kuzeyboru’s various processes, each operating under different policy principles for similar objectives.

 

To manage this policy and related ones, Kuzeyboru has established a "Personal Data Protection Committee" with the approval of the top management. The duties of this committee are outlined below:

 

To prepare and submit the basic policies on personal data protection and processing for approval by the top management.To decide how the policies related to personal data protection and processing will be implemented and monitored, and to present any necessary internal assignments and coordination for approval by top management.To identify what needs to be done to ensure compliance with the Personal Data Protection Law and related regulations and submit them to the top management for approval, ensuring implementation and coordination.To raise awareness regarding personal data protection and processing within Kuzeyboru and the institutions it cooperates with.To identify potential risks in Kuzeyboru’s personal data processing activities and ensure necessary precautions are taken, submitting improvement suggestions for approval by top management.To design and facilitate the execution of training related to personal data protection and processing policies.To resolve applications from data subjects at the highest level.To coordinate the implementation of awareness-raising and training activities for data subjects regarding personal data processing activities and their legal rights.To prepare and submit changes in the personal data protection and processing policies for approval by the top management.To follow developments and regulations related to personal data protection and provide recommendations to top management on what needs to be done in accordance with these developments.To coordinate relations with the Personal Data Protection Board and related institutions.To carry out any other tasks related to personal data protection assigned by the top management.

 

Some of the mentioned policies are for internal use within Kuzeyboru. However, the key principles of these policies are reflected in publicly available policies as appropriate, ensuring that relevant parties are informed, and transparency and accountability regarding Kuzeyboru's personal data processing activities are achieved.