Law on the Protection of Personal Data

SERAPOOL PORCELAIN INDUSTRY AND TRADE INC. PERSONAL DATA PROTECTION AND PROCESSING POLICY

The protection of personal data is among the highest priorities of Serapool Porselen San. ve Tic. A.Ş. (“Company”). The most crucial aspect of this issue is the protection and processing of the personal data of our employees, employee candidates, customers, company shareholders, company officials, visitors, employees of institutions with which we cooperate, their shareholders and officials, and third parties, all of which are managed under this Policy.

With regard to the protection of personal data, which is a right guaranteed by the Constitution, the Company, as governed by this Policy, pays due attention to the protection of the personal data of its employees, employee candidates, customers, company shareholders, company officials, visitors, employees of institutions with which it cooperates, their shareholders and officials, and third parties, and establishes this as a Company policy.

In this context, the Company takes the necessary administrative and technical measures to protect personal data processed within the framework of legal regulations. The fundamental principles adopted by the Company in the processing of personal data, as set forth in this Policy, are as follows:

  • Processing personal data in compliance with the law and the principles of honesty,

  • Ensuring that personal data is accurate and kept up-to-date when necessary,

  • Processing personal data for specific, explicit, and legitimate purposes,

  • Processing personal data in a manner relevant, limited, and proportionate to the purpose for which they are processed,

  • Retaining personal data for the period stipulated in the relevant legislation or as required for the purpose for which they are processed,

  • Informing and enlightening data subjects,

  • Establishing the necessary system to enable data subjects to exercise their rights,

  • Taking necessary measures to protect personal data,

  • Acting in compliance with the relevant legislation and the regulations of the Personal Data Protection Board when transferring personal data to third parties as required by the processing purpose,

  • Paying due diligence to the processing and protection of special categories of personal data.

ARTICLE 1: PURPOSE OF THE POLICY
The main purpose of the Policy is to ensure transparency and trust by informing individuals whose personal data are processed by our Company, primarily our customers, employees, employee candidates, company shareholders, company officials, visitors, employees of institutions with which we cooperate, their shareholders and officials, and third parties, regarding the personal data processing activities carried out by the Company in accordance with the law.

ARTICLE 2: SCOPE AND DEFINITIONS
This Policy covers all personal data of our employees, employee candidates, company shareholders, company officials, visitors, employees of institutions with which we cooperate, their shareholders and officials, and third parties, whether processed automatically or non-automatically as part of any data recording system.

The scope of this Policy may encompass all or only part of the personal data subject groups mentioned above.

The definitions of the concepts in this Policy are as follows:

  • Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller.

  • Explicit consent: Consent based on information and expressed with free will, given in relation to a specific subject.

  • Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

  • Employee: Company personnel.

  • Electronic environment: Environments where personal data can be created, read, modified, and written using electronic devices.

  • Non-electronic environment: All written, printed, visual, etc., environments other than electronic environments.

  • Service provider: A natural or legal person providing services to the institution under a specific contract.

  • Data subject: The real person whose personal data is processed.

  • Relevant user: Persons who process personal data within the organization of the data controller or in line with the authority and instructions received from the data controller, except for those responsible for the technical storage, protection, and backup of data.

  • Destruction: Deletion, destruction, or anonymization of personal data.

  • Law: Law on the Protection of Personal Data No. 6698.

  • Recording environment: Any environment in which personal data processed fully or partially automatically or non-automatically, provided that they are part of any data recording system, are kept.

  • Personal data: Any information relating to an identified or identifiable real person.

  • Personal data processing inventory: An inventory detailing the personal data processing activities carried out depending on the business processes of the data controllers, the purposes and legal grounds for processing personal data, the data category, the recipient group to whom data is transferred, and the group of data subjects, the maximum period required for processing, personal data foreseen to be transferred abroad, and measures taken regarding data security.

  • Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of data, fully or partially automated or non-automated provided that it is part of any data recording system.

  • Board: Personal Data Protection Board.

  • Special categories of personal data: Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation, or trade union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

  • Periodic destruction: Deletion, destruction, or anonymization of personal data at recurring intervals as specified in the personal data retention and destruction policy, in the event that all conditions for processing personal data have ceased as per the Law.

  • Policy: Personal Data Retention and Destruction Policy.

  • Company: Serapool Porselen San ve Tic. A.Ş.

  • Data processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

  • Data recording system: A recording system in which personal data are structured according to specific criteria.

  • Data controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

  • Data Controllers Registry Information System: The information system created and managed by the Presidency, accessible via the internet, which data controllers use for registry applications and other related operations.

  • VERBIS: Data Controllers Registry Information System.

  • Regulation: Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
In matters related to the processing and protection of personal data, the relevant legal regulations in force will primarily apply. In case of any incompatibility between the legislation in force and the Policy, the Company acknowledges that the provisions of the legislation in force shall apply.

The Policy has been drafted by concretizing the rules introduced by the relevant legislation within the scope of Company practices.

ARTICLE 4: ENTRY INTO FORCE OF THE POLICY
This Policy, as prepared by our Company, enters into force on the day it is published on our website. In case of any updates or changes, the effective date will be updated accordingly.

The Policy is published on our Company’s website and made accessible to relevant individuals upon request.

ARTICLE 5: ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
Pursuant to Article 12 of the Law on the Protection of Personal Data, our Company takes all necessary administrative, technical, and legal measures to ensure adequate security in order to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the retention of data. All necessary audits are carried out within this context.

The main administrative, technical, and legal measures taken by our Company to ensure the lawful processing of personal data are listed below:

  • Personal data processing activities carried out within our Company are monitored through established technical systems.

  • The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism.

  • Personnel knowledgeable in technical matters are employed.

  • Employees are informed and trained on personal data protection law and the lawful processing of personal data.

  • All activities carried out by our Company are analyzed in detail for each business unit, and as a result of this analysis, personal data processing activities specific to the commercial activities of the relevant business units are determined.

  • Technical and administrative measures are taken in line with the nature of the data to be protected, technological possibilities, and implementation costs in order to prevent the disclosure, access, transfer, or any other forms of unlawful access to personal data due to negligence or unauthorized access.

  • Technical measures compatible with technological developments are taken, and these measures are updated and renewed periodically.

  • Technical solutions for access and authorization are implemented in accordance with the legal compliance requirements determined on a business unit basis.

  • Software and hardware including virus protection systems and firewalls are established.

  • Personnel with technical expertise are employed.

  • Employees are trained regarding technical measures to prevent unlawful access to personal data.

  • Employees are informed that personal data they learn may not be disclosed to others or used for purposes other than processing, in violation of the Law on the Protection of Personal Data, and this obligation will continue after their departure from duty. Necessary commitments are obtained accordingly.

  • Provisions are added to the contracts concluded with persons to whom personal data is lawfully transferred by our Company stating that such persons shall take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations, or a separate agreement is made to this effect.

  • Our Company takes the necessary technical and administrative measures, considering technological possibilities and implementation costs, to ensure the secure storage of personal data and to prevent their unlawful destruction, loss, or alteration.

  • Systems compatible with technological developments are used for the secure storage of personal data.

  • Personnel with technical expertise are employed.

  • Backup programs compliant with legal requirements are used to ensure the secure storage of personal data.

  • Employees are trained on ensuring the secure storage of personal data.

  • If an external service is used for technical requirements regarding the storage of personal data, provisions are included in the contracts with the relevant firms stating that such persons shall take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations, or a separate agreement is made to this effect.

Audit of Measures Taken for the Protection of Personal Data
Our Company conducts or commissions necessary audits within its own structure in accordance with Article 12 of the Law on the Protection of Personal Data. The results of these audits are reported to the relevant unit within the framework of the Company's internal operations, and necessary activities are carried out to improve the measures taken.

Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
In the event that personal data processed in accordance with Article 12 of the Law on the Protection of Personal Data is obtained by others through unlawful means, our Company will ensure that the relevant data subject and the Personal Data Protection Board are notified as soon as possible.

If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Board’s website or by other means.

ARTICLE 6: ENSURING THE EXERCISE OF THE DATA SUBJECT’S RIGHTS, CREATING CHANNELS TO COMMUNICATE THESE RIGHTS TO THE COMPANY, AND EVALUATION OF DATA SUBJECT REQUESTS
Our Company implements the necessary channels, internal operations, administrative, and technical arrangements in accordance with the Law on the Protection of Personal Data to evaluate the rights of personal data subjects and provide the necessary information to them.

If data subjects submit their requests regarding their rights listed below in writing to our Company, our Company will conclude the request free of charge as soon as possible and within a maximum of thirty days depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged as determined by the Personal Data Protection Board. Data subjects have the right to:

  • Learn whether personal data is being processed,

  • Request information if personal data has been processed,

  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,

  • Know the third parties to whom personal data is transferred at home or abroad,

  • Request the correction of personal data if it is incomplete or incorrectly processed and to request notification of such correction to third parties to whom personal data has been transferred,

  • Request the deletion or destruction of personal data in case the reasons requiring its processing cease to exist, even though it has been processed in accordance with the provisions of the Law on the Protection of Personal Data and other relevant laws, and to request notification of such deletion or destruction to third parties to whom personal data has been transferred,

  • Object to the occurrence of a result against the data subject by analyzing the processed data exclusively through automated systems,

  • Demand compensation in case of damage due to unlawful processing of personal data.

ARTICLE 7: PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Certain personal data is attributed special importance under the Law on the Protection of Personal Data due to the risk of causing victimization or discrimination if processed unlawfully.

These data include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation, or trade union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our Company acts with due care in protecting special categories of personal data that are identified as “special categories” by the Law on the Protection of Personal Data and processed lawfully. Within this scope, technical and administrative measures taken for the protection of personal data are meticulously implemented for special categories of personal data, and necessary audits are carried out within the Company.

ARTICLE 8: PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Our Company meticulously complies with the regulations stipulated by the Law on the Protection of Personal Data regarding the processing of personal data identified as “special categories.”

In accordance with Article 6 of the Law on the Protection of Personal Data, certain personal data that may cause victimization or discrimination if processed unlawfully are classified as “special categories.” These data include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation, or trade union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In compliance with the Law on the Protection of Personal Data, our Company processes special categories of personal data in the following cases, provided that adequate precautions as determined by the Personal Data Protection Board are taken:

  • If the explicit consent of the data subject exists, or

  • If the explicit consent of the data subject does not exist:

    • Special categories of personal data other than those relating to health and sexual life may be processed in cases stipulated by law,

    • Special categories of personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

ARTICLE 9: TRANSFER OF PERSONAL DATA
Our Company may transfer the personal data and special categories of personal data of data subjects to third parties (third-party companies, business partners, third natural persons) in line with lawful personal data processing purposes and by taking necessary security measures. In this regard, our Company acts in accordance with Article 8 of the Law on the Protection of Personal Data.

9.1 Transfer of Personal Data
Our Company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law, limited to the relevant purposes, in the following cases:

  • If the explicit consent of the data subject exists,

  • If there is an explicit regulation in the law regarding the transfer of personal data,

  • If it is mandatory for the protection of the life or physical integrity of the data subject or another person and the data subject is unable to express consent due to actual impossibility or his/her consent is not legally valid,

  • If it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,

  • If it is necessary for our Company to fulfill its legal obligation,

  • If the personal data has been made public by the data subject,

  • If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,

  • If it is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

9.2 Transfer of Special Categories of Personal Data
Our Company may transfer special categories of personal data of data subjects to third parties, provided that necessary precautions are taken and adequate security measures as determined by the Personal Data Protection Board are implemented, in the following cases in line with legitimate and lawful personal data processing purposes:

  • If the explicit consent of the data subject exists, or

  • If the explicit consent of the data subject does not exist:

    • Special categories of personal data other than those relating to health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation, or trade union, criminal conviction and security measures, and biometric and genetic data) may be processed in cases stipulated by law,

    • Special categories of personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

ARTICLE 10: TRANSFER OF PERSONAL DATA ABROAD

Our Company may transfer the personal data and special categories of personal data of data subjects to third parties abroad in line with lawful personal data processing purposes and by taking necessary security measures. Personal data may be transferred to foreign countries declared by the Personal Data Protection Board to have adequate protection (“Foreign Country with Adequate Protection”), or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and have the permission of the Personal Data Protection Board (“Foreign Country Where Data Controller Undertakes Adequate Protection”). Our Company acts in accordance with Article 9 of the Law on the Protection of Personal Data in this regard.

10.1 Transfer of Personal Data Abroad
Our Company may transfer personal data to Foreign Countries with Adequate Protection or Foreign Countries Where Data Controller Undertakes Adequate Protection in the following cases if the explicit consent of the data subject exists or if one of the following conditions is met in the absence of explicit consent:

  • If there is an explicit regulation in the law regarding the transfer of personal data,

  • If it is mandatory for the protection of the life or physical integrity of the data subject or another person and the data subject is unable to express consent due to actual impossibility or his/her consent is not legally valid,

  • If it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,

  • If it is necessary for our Company to fulfill its legal obligation,

  • If the personal data has been made public by the data subject,

  • If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,

  • If it is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

10.2 Transfer of Special Categories of Personal Data Abroad
Our Company may transfer special categories of personal data of data subjects to Foreign Countries with Adequate Protection or Foreign Countries Where Data Controller Undertakes Adequate Protection, provided that necessary precautions are taken and adequate security measures as determined by the Personal Data Protection Board are implemented, in the

following cases in line with legitimate and lawful personal data processing purposes:

  • If the explicit consent of the data subject exists, or

  • If the explicit consent of the data subject does not exist:

    • Special categories of personal data other than those relating to health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation, or trade union, criminal conviction and security measures, and biometric and genetic data) may be processed in cases stipulated by law,

    • Special categories of personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

ARTICLE 11: CATEGORIZATION OF PERSONAL DATA

Within our Company, the following categories of personal data are processed in accordance with the obligations set forth in the Law on the Protection of Personal Data and limited to the periods specified under this Policy. The association of the personal data processed within these categories with the relevant data subjects is also indicated in this Policy.

  • Identity Information: All information found in documents such as driver's license, identity card, residence permit, passport, attorney's card, marriage certificate, processed automatically or non-automatically as part of any data recording system.

  • Contact Information: Information such as phone number, address, and e-mail, processed automatically or non-automatically as part of any data recording system.

  • Customer Information: Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units.

  • Physical Space Security Information: Records and documents regarding entries to and stays in physical spaces, as well as other security-related personal data.

  • Transaction Security Information: Personal data processed to ensure the technical, administrative, legal, and commercial security of our activities.

  • Risk Management Information: Personal data processed to manage our commercial, technical, and administrative risks in line with generally accepted legal and commercial practices.

  • Financial Information: Personal data relating to all types of financial outcomes created depending on the legal relationship established between our Company and the data subject.

  • Personnel Information: Personal data processed for the acquisition of rights regarding employees or real persons with a working relationship with our Company.

  • Employee Candidate Information: Personal data processed regarding individuals who have applied to be an employee of our Company or have been evaluated as employee candidates.

  • Employee Transaction Information: Personal data processed regarding any work-related transactions carried out by our employees or real persons with a working relationship with our Company.

  • Employment Performance and Career Development Information: Personal data processed for the measurement of the performance and career planning of employees or real persons with a working relationship with our Company.

  • Benefits and Interests Information: Personal data processed for the planning and tracking of side benefits and interests offered to employees or real persons with a working relationship with our Company.

  • Legal Transaction and Compliance Information: Personal data processed for the determination and pursuit of our legal receivables and rights, and for compliance with legal obligations and Company policies.

  • Audit and Inspection Information: Personal data processed for compliance with legal obligations and Company policies.

  • Special Categories of Personal Data: Data specified in Article 6 of the Law on the Protection of Personal Data.

  • Request/Complaint Management Information: Personal data processed regarding any request or complaint submitted to our Company.

ARTICLE 12: PURPOSES OF PROCESSING PERSONAL DATA

The primary purposes for processing personal data as categorized by our Company are as follows:

  • Carrying out necessary work by our business units for the execution of commercial activities conducted by our Company and the management of related business processes,

  • Planning and execution of our Company's commercial and/or business strategies,

  • Ensuring that relevant persons benefit from the products and services offered by our Company by carrying out necessary work by our business units,

  • Planning and execution of our Company's human resources policies and processes,

  • Ensuring the legal, technical, and commercial-business security of relevant persons who are in business relations with our Company.

The purposes of processing personal data within the scope of the aforementioned primary objectives are as follows:

  • Event Management

  • Planning and Execution of Research and Development Activities

  • Planning and Execution of Business Activities

  • Planning and Execution of Corporate Communication Activities

  • Planning and Execution of Information Security Processes

  • Creation and Management of Information Technology Infrastructure

  • Planning and Execution of Information and Facility Access Authorizations for Business Partners and/or Suppliers

  • Planning and Execution of Side Benefits and Interests for Supplier and/or Business Partner Employees

  • Follow-up of Finance and/or Accounting Affairs

  • Planning and Execution of Logistics Activities

  • Management of Relations with Business Partners and/or Suppliers

  • Conducting Activities for the Determination of Customers’ Financial Risks

  • Planning and Execution of Customer Relationship Management Processes

  • Follow-up of Contract Processes and/or Legal Requests

  • Follow-up of Customer Requests and/or Complaints

  • Planning of Human Resources Processes

  • Execution of Personnel Supply Processes

  • Follow-up of Legal Affairs

  • Planning and Execution of Operational Activities for Ensuring that Company Activities are Conducted in Accordance with Company Procedures and/or Relevant Legislation

  • Collection of Entry and Exit Records of Business Partner/Supplier Employees

  • Creation and Follow-up of Visitor Records

  • Planning and Execution of Company Audit Activities

  • Planning and/or Execution of Occupational Health and/or Safety Processes

  • Ensuring Data is Accurate and Up-to-date

  • Management and/or Audit of Relations with Affiliates

  • Ensuring the Security of Company Premises and/or Facilities

  • Ensuring the Security of Company Assets and/or Resources

  • Planning and/or Execution of Company Financial Risk Processes

If the above conditions are not met, our Company seeks the explicit consent of the data subjects for the following purposes of personal data processing:

  • Planning and Execution of Information and Facility Access Authorizations for Business Partners and/or Suppliers

  • Planning and Execution of Logistics Activities

  • Management of Relations with Business Partners and/or Suppliers

  • Follow-up of Contract Processes and/or Legal Requests

  • Planning of Human Resources Processes

  • Execution of Personnel Supply Processes

  • Planning and/or Execution of Customer Satisfaction Activities

  • Planning and Execution of Operational Activities for Ensuring that Company Activities are Conducted in Accordance with Company Procedures and/or Relevant Legislation

  • Collection of Entry and Exit Records of Business Partner/Supplier Employees

  • Planning and Execution of Company Audit Activities

  • Planning and/or Execution of Occupational Health and/or Safety Processes

  • Ensuring the Security of Company Premises and/or Facilities

ARTICLE 13: RETENTION PERIODS OF PERSONAL DATA

Our Company retains personal data for the period specified in the relevant laws and regulations, if provided.

If there is no period specified in the legislation regarding how long personal data should be retained, personal data are processed for the duration required by the services offered by our Company in connection with such data, according to the Company's practices and commercial life, and are then deleted, destroyed, or anonymized. Detailed information on this subject is included in this policy.

If the purpose for processing personal data has ended and the retention periods specified in the relevant legislation and by the Company have also expired, personal data are retained only for the purpose of serving as evidence in possible legal disputes or to assert a relevant right or establish a defense. The retention periods in this regard are determined based on the statute of limitations for asserting the mentioned right and by taking into account previous requests made to our Company on similar matters even after the statute of limitations has expired. In such cases, the stored personal data are not accessed for any other purpose and are only accessed if needed in the relevant legal dispute. After the aforementioned period expires, the personal data are deleted, destroyed, or anonymized.

ARTICLE 14: USE OF CLOSED-CIRCUIT CAMERA SYSTEMS

Within the premises of our Company, visual and audio data may be obtained via closed-circuit camera systems and stored only for the period necessary for the purposes stated below. The purpose of using closed-circuit camera systems is to prevent and monitor anti-social and criminal behavior, to ensure the security of Company premises and the tools and equipment within, and to protect the health and safety of visitors and employees present at Company premises. All necessary technical and administrative measures to ensure the security of data obtained via closed-circuit camera systems are taken by our Company.

ARTICLE 15: RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS

15.1 Rights of the Data Subject

Personal data subjects have the following rights:

  • To learn whether personal data is being processed,

  • If personal data has been processed, to request information in relation thereto,

  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

  • To know the third parties to whom personal data is transferred at home or abroad,

  • To request the correction of personal data if it is incomplete or incorrectly processed and to request notification of such correction to third parties to whom personal data has been transferred,

  • To request the deletion or destruction of personal data in case the reasons requiring its processing cease to exist, even though it has been processed in accordance with the Law on the Protection of Personal Data and other relevant laws, and to request notification of such deletion or destruction to third parties to whom personal data has been transferred,

  • To object to the occurrence of a result against the data subject by analyzing the processed data exclusively through automated systems,

  • To demand compensation in case of damage due to unlawful processing of personal data.

15.2 Circumstances Where the Data Subject Cannot Exercise Rights

Pursuant to Article 28 of the Law on the Protection of Personal Data, the following circumstances are excluded from the scope of the Law, and data subjects cannot exercise the aforementioned rights in relation to these matters:

  • Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics,

  • Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personality rights or constitute a crime,

  • Processing of personal data for preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security,

  • Processing of personal data by judicial authorities or enforcement agencies in relation to investigations, prosecutions, trials, or execution of sentences.

According to Article 28/2 of the Law on the Protection of Personal Data, except for the right to demand compensation for damages, data subjects cannot exercise the other rights listed above in the following circumstances:

  • If the processing of personal data is necessary for the prevention of a crime or for criminal investigation,

  • If personal data has been made public by the data subject himself/herself,

  • If the processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organizations and professional organizations with public institution status, based on the authority granted by law,

  • If the processing of personal data by judicial authorities or enforcement agencies is related to investigations, prosecutions, trials, or execution of sentences.

15.3 Exercising the Rights of the Data Subject

Data subjects may submit their requests regarding their rights listed above to our Company free of charge using the following methods:

  • By completing the form available at www.serapool.com, signing it with a wet signature, and personally delivering it to Ramazanoğlu Mah. Mahmut Bayram Cad. No: 13 Pendik/İstanbul,

  • By completing the form available at www.serapool.com, signing it with a “secure electronic signature” under Law No. 5070 on Electronic Signatures, and sending the securely signed form to [email protected] by e-mail.

Requests cannot be made by third parties on behalf of data subjects.

For a person other than the data subject to make a request, a special power of attorney issued by the data subject for the applicant must be present.

Data subjects must fill in the “Application Form for Applications to Data Controller by Data Subject in Accordance with the Law on the Protection of Personal Data No. 6698” available via the above link for their requests to exercise their rights. The method for making an application is also explained in detail in this form.

15.4 The Right of the Data Subject to File a Complaint with the Personal Data Protection Board

Pursuant to Article 14 of the Law on the Protection of Personal Data, if the request is rejected, the response is insufficient, or no response is provided within the time limit, the data subject may file a complaint with the Personal Data Protection Board within thirty days from the date of learning the Company’s response and in any event within sixty days from the date of application.

ARTICLE 16: COMPANY'S RESPONSE TO APPLICATIONS

16.1 Procedure and Time for Company’s Response to Applications

If the data subject submits his/her request to our Company in accordance with the procedure specified above, our Company will finalize the request as soon as possible and within no later than thirty days, depending on the nature of the request, free of charge.

However, if the transaction requires an additional cost, a fee may be charged to the applicant as determined by the Personal Data Protection Board.

16.2 Information That May Be Requested from the Data Subject by Our Company

Our Company may request information from the applicant to determine whether the applicant is the personal data subject.

Our Company may ask questions to the data subject regarding his/her application to clarify issues specified in the application.