SUNSEEKER TURKEY YATÇILIK HİZMETLERİ LİMİTED ŞİRKETİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION

1.1. Generally

Ensuring the confidentiality and security of personal data and compliance with relevant legal regulations, is among the most important priorities of Sunseeker Turkey Yatçılık Hizmetleri Limited Şirketi (‘‘Company’‘) and maximum care is taken in this regard. In this context, this Personal Data Protection and Processing Policy regarding the processing and protection of personal data (‘‘Policy’‘) and the process managed by other written policies within the Company and the targeted purpose is informing our employees, employee candidates, visitors, guests and other third parties (‘‘Related Persons‘‘) about processing, storing and protecting their personal data in accordance with the law and reflecting our corporate culture.

In the preparation of this Policy; we see the Constitution of Turkey and especially the regulations in the Law on Personal Data Protection No. 6698  (‘‘KVKK‘‘), the provisions of the relevant legal norms regarding the protection and processing of personal data and the decisions of the Personal Data Protection Board, as a guide to our company. 

In this Policy, explanations regarding the following basic principles adopted by our Company for the processing of personal data will be made:

• Processing of personal data in accordance with the law and good faith,
• Keeping personal data accurate and up-to-date when necessary,
• Processing personal data for specific, clear and legitimate purposes,
• Being linked, limited and measured for the purposes for which personal data are processed,
• Retaining Personal Data for the Period Required for the Purpose stipulated in the Legislation or for the Purpose for which they were processed,
• Enlightening the relevant persons,
• Establishing the necessary processes for the relevant persons to exercise their rights,
• Taking necessary measures in the processing and preservation of personal data,
• Transfer of personal data to third parties in line with the requirements of the processing purpose,
• Showing the necessary sensitivity in the processing and protection of special quality personal data,
• Deletion, destruction or anonymization of personal data whose purpose of processing is lost.

1.2. Purpose of the Policy

The main purpose of this Policy is, to make explanations about the personal data processing activities carried out by our Company in accordance with the law and the procedures adopted for the protection of personal data and the procedures adopted for the protection of personal data, and within this scope to provide transparency by informing Related Persons. In addition, this KVK Policy and other written policies aim to make our principle of compliance with KVKK and other relevant legal regulations regarding personal data security sustainable.

1.3. Scope of the Policy

The scope of this policy, Our Company It is aimed at natural persons whose personal data are processed by automatic means or by non-automatic means provided that they are part of any data recording system, and an Internal Directive on the Protection of Personal Data has been created within the scope of this Policy.

1.4 Implementation of the Policy and Relevant Legislation

This Policy has been concretized and arranged within the principles set forth by the relevant legislation. Our Companyundertakes and accepts that in the event of inconsistency between the current legislation and this Policy, the current legislation will find its application.

1.5. Enforcement of the Policy

This policy, enters into force after being approved by the board of directors of our Company, and it is published on the website (sunseekerturkey.com.) and in this way are made available to Related Persons. 

2. DEFINITIONS AND ABBREVIATIONS

3. PRINCIPLES OF PROCESSING PERSONAL DATA

3.1. Processing of Personal Data According To The Principles Provided In The Legislation

3.1.1. Processing in Compliance with Law and Good Faith Rules

Our Company has adopted the basic principle to comply with the law and the rules of honesty in all kinds of transactions to be carried out on personal data. In this context, by adopting the principle of transparency, it provides information through this Policy and other texts about the purpose of use of the personal data collected to the persons related.

3.1.2. Ensuring Personal Data is Accurate and Updated When Required

Our Company has a system and process to ensure the accuracy and up-to-dateness of the personal data it processes while conducting its personal data processing activity. In this context Related Persons can make it possible to keep their personal data accurate and up to date by making an application to our Company

3.1.3. Processing for Specific, Clear, and Legitimate Purposes

Our Company determines the purpose of personal data processing within legitimate and legal limits, and it provides the information of the Related Persons through this Policy and other texts before the personal data processing activity begins.

3.1.4. Being Related, Limited, and Proportional to The Purposes for Which They are Processed

Our Company processes personal data for the purposes required for the execution of the activity in relation to and proportionate to the field of activity. In this context, while carrying out data processing activities, it carefully avoids processing personal data that are not related to the realization of the purpose and are not needed now / in the future. 

3.1.5. Retaining Personal Data for the Period Required for the Purpose Stipulated in the Legislation or for the Purpose for Which They are Processed

Our company preserves personal data only for the period specified in the relevant legislation or for the purpose for which they are processed. In this context, first of all, it is determined whether a period is determined in the relevant legislation for the storage of personal data, if a period is determined, the appropriate action is taken, and if a period is not specified, the time required for the purpose of processing each personal data is determined and kept for this period.

In this context Our Company prepares and implements a policy and directive for the deletion, destruction or anonymization of personal data.

3.2. 5. Processing Personal Data in accordance with the in the Article 5th of the Personal Data Processing Conditions Specified and Limited to These Conditions

Our Company processes personal data on the basis of explicit consent of the Related Person or in cases where explicit consent is not sought in the KVKK, and is limited to these conditions and conditions without express consent.

3.2.1. Explicit Consent

Explicit consent is the statement made by the Related Person with free will on a specific subject and based on information. Pursuant to Article 5/1 of KVKK, our Company respects and abides by the explicit consent of the Related Person, if required in personal data processing.

3.2.2. Cases Where Explicit Consent is Not Required

article 5/2 of KVKK, regulated the processing of personal data where some cases without the explicit consent of the Related Person. Obtaining explicit consent from the person concerned in the existence of any of the specified conditions,since obtaining explicit consent from the relevant person will be considered as misleading the Related Person, our Company does not apply for explicit consent in cases where data processing conditions exist.

3.3. Processing of Personal Data of Special Nature

Our Company shows maximum sensitivity in the processing and protection processes of personal data determined as ‘‘special quality’‘ by the KVKK due to the risk of causing greater victimization or discrimination when processed, and the principles accepted for special quality personal data are is also discussed hereby in politics. 

If the person concerned does not have explicit consent Personal data of special nature can only be processed by our Company in the following cases, provided that adequate precautions to be determined by the Board are taken.

1. Special quality personal data other than the health and sexual life of the relevant person, in cases stipulated by the law,
2. Special quality personal data regarding the health and sexual life of the related person can only be collected by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. It can be processed without the explicit consent of the related person.

Our Company has set additional measures and processes regarding the processing of special quality data and accessing these data. In this context, the environments where private personal data are stored are protected by secondary lock and secondary passwords, and only processed by authorized persons within the framework of the authorization matrix.

3.4. Transfer of Personal Data

Personal data, can be transferred in order to fulfill the purposes stated in this Policy, to supervisory institutions within the framework of audit activities, to our shareholders, legally authorized public institutions and organizations, domestic and / or abroad suppliers and to our business partners, to real persons to whom service is provided or to third persons to whom service is provided within the framework of the personal data processing conditions and purposes specified in Article 8 and Article 9 of KVKK.

4. PRINCIPLES ON THE PROTECTION OF PERSONAL DATA

4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data

4.1.1. Technical Measures

The main technical measures taken by Our Company to ensure the legal processing of personal data and to prevent unlawful access to personal data are as follows:

• Personal data processing activities carried out within our company are audited by established technical systems.
• Personnel with technical knowledge are employed.
• Departments related to technical issues have been established.
• The technical measures taken are periodically reported to the authorized unit / person as required by the internal audit mechanism.
• In order to ensure the safe storage of personal data, a backup program is used in accordance with the law.
• New technological developments are followed and technical measures are taken on systems, especially in the field of cyber security, the measures taken are periodically updated and renewed.
• Specific to each department within our Company Access and authorization technical measures are used within the framework of legal compliance requirements
• Access authorizations are restricted, authorities are regularly reviewed, and former employees’ accounts are closed. 
• Software and hardware including virus protection systems and firewalls are installed.
• The use of counterfeit software and hardware is strongly avoided. All of our products we use are original and licensed.

In this context, our Company conducts continuous and sustainable studies regarding the following technical measures determined by the Board:

• Authorization Matrix
• Authority Control 
• Access Logs 
• User account management 
• Network Security 
• Application security 
• Encryption 
• Penetration Test 
• Intrusion detection and prevention systems 
• Log Records 
• Data Masking 
• Data loss prevention software
• Back-up
• Firewalls 
• Up-to-date anti-virus systems 
• Deletion, Destruction or Anonymization 
• Key Management

4.1.2. Administrative Measures

The main administrative measures taken by our Company to ensure the legal processing of personal data and to prevent unlawful access to personal data are as follows:

• Our personnel are informed and trained on the protection of personal data and the processing of personal data in accordance with the law.
• Personal data processing activities carried out by Our company’s business units are examined in order to ensure that these activities comply with the data processing conditions specified in the KVKK, the requirements to be fulfilled for each business unit and the activity carried out.
• With the agreements and documents that govern the legal relationship between the employees and Our Company, records imposing the obligation not to process, disclose or use personal data, except for the Company’s instructions and exceptions imposed by law, are placed and the awareness of employees on this issue is increased.
• In order to meet the legal compliance requirements determined on the basis of our business units, awareness is created and implemented in the relevant business units. Necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of the implementation.
• In accordance with the activity-based legal compliance requirements Access and authorization processes for personal data are designed and implemented in our Company.
• It is followed by the Personal Data Protection Committee, which has been established for convenience and compliance in the follow-up of work and transactions related to KVKK and other related regulations.
• In the contracts established with Our Company and the third parties to whom personal data are transferred in accordance with the law, provisions regarding that necessary security measures will be taken in order to protect the transferred personal data and that these measures will be followed in their own organizations are added.

In this context, regarding the following administrative measures determined by the Board, Our Company conducts continuous and sustainable studies:

• Preparation of Personal Data Processing Inventory 
• Corporate Policies (Access, Information Security, Use, Storage and Destruction etc.) 
• Contracts (Between Data Controller - Data Controller, Data Controller - Data Processor) 
• Confidentiality Commitments 
• Internal Periodic and / or Random Audits 
• Risk analysis 
• Employment Contract, Discipline Regulation (Addition of Provisions According to Law) 
• Corporate Communication (Crisis Management, Informing Processes of the Board and Related Person, Reputation Management etc.) 
• Education and Awareness Activities (Information Security and Law) 
• Notification to Data Controllers Registry Information System (VERBİS)

4.2. Raising Awareness of Our Employees in the Field of Personal Data Protection and Control

Our Company provides necessary trainings and meetings to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data, and to secure data preservation.

In order to increase the awareness of the current employees of Our Company in the field of protection of personal data, we work with professional people in case of need.

4.3. Protection of sensitive personal data

Personal data determined as special by KVKK and processed in accordance with the law are protected with precision by our Company. In this context the technical and administrative measures taken by our Company was determined on the basis of the relevant legal regulation and the decision of “Adequate Precautions to be Taken by Data Controllers in the Processing of Special Qualified Personal Data” published by the Personal Data Protection Authority and it is applied with care in terms of the protection of special quality personal data.

4.4. The Process to be Followed In Case Of Unauthorized Disclosure Of Personal Data

In the event that the personal data it processes are illegally obtained by others, Our Company will notify the relevant person and the Board within 72 hours. 

If deemed necessary by the Board, this may be announced on the Board’s website or by any other method. 

4.5. Personal Data Inventory

Each unit of our Company creates an up-to-date personal data processing inventory. Unit manager is responsible for the accuracy, timeliness and submission of this inventory to the contact person when necessary. Up-to-date developments in keeping the inventories correctly, applying the current Company policy on the protection of personal data and and current developments in the protection of personal data are always followed.

5. APPLICATION OF RELATED PERSONS TO THE DATA CONTROLLER, OUR COMMUNICATION CHANNELS AND EVALUATION PROCESSES OF THE APPLICATION

5.1. Application Subject

Our Company gives great importance and value to Related Persons’ rights and provides them with the opportunity to exercise these rights. An ‘‘Application Form for Data Supervisor’‘ was prepared by our Company and published on our website, by which the relevant persons can easily submit their requests. But It is not mandatory to use this form by Related Persons. Every application made in accordance with the Communiqué on Application Procedures and Principles to the Data Controller will be evaluated.

Everyone, has right by applying to our company about themselves;

a) Becoming aware of whether his/her personal data has been processed or not, 

b) To request information if his personal data are processed, 

c) Learning the purpose of processing the personal data and whether they are used for the purpose or not, 

ç) To know the third parties to whom his personal data is transferred at home or abroad, 

d) To request the rectification of the incomplete or inaccurate data, if any, 

e) to request the erasure or destruction of his personal data under the conditions specified in Article 7 of the KVK Law, 

f) to request notification of the operations carried out to third parties to whom his personal data has been transferred in compliance with subparagraphs (d) and (e), 

g) To object to consequences to her/his detriment, arising from the analysis of the processed data exclusively via automatic systems,

  ğ) To claim compensation in case of suffering loss due to illegal processing of the personal data.

5.2. Application Method and Address

5.3. Post-Application Process

Applications submitted to us, depending on the nature of the request, are answered within 30 (thirty) days at the latest from the date it reaches our Company. Our responses are sent to the Data Supervisor based on the form of notification specified by the applicant in the Application Form. 

Related Persons; can make a complaint to the Board within thirty days from the date they learn our Company's answer, and in any case, within sixty days from the date of application in cases where the application is rejected, the response is found to be insufficient or the application is not responded in due time in accordance with Article 14 of the KVKK.

5. Application Fee

Applications are made free of charge as a rule. However, if the transaction requested by the relevant persons requires an additional cost, will be charged the fee in the tariff determined by the Board of our Company.

6. ENLIGHTENING AND INFORMING RELATED PERSONS

Our Company enlighten the relevant persons about the process of obtaining personal data through this Policy and the Clarification Text and other texts that are easily accessible on our website in accordance with the regulation in Article 10 of the KVKK. In this context Our Company informs the relevant persons about the identity of the data controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights of the data subject.

An Application Form for Data Supervisor has been created and published on the website of our Company in order for the relevant Person to use his / her rights stated in the KVKK more easily. The relevant section is explained in detail under the title number 5.

7. PURPOSE OF PROCESSING PERSONAL DATA AND RETENTION PERIODS

7.1 Purposes of Processing of Personal Data

Our company, processes personal data limited to the purposes and conditions within the personal data processing conditions specified in Articles 5 and 6 of the KVKK. These terms and conditions are as follows:

• Processing of personal data Our company’s the relevant activity is clearly stipulated in the laws,
• The processing of personal data by our Company is directly related and necessary with the establishment or performance of a contract. |
• Processing of personal data is compulsory for our Company to fulfill its legal obligation,
• Provided that the personal data are made public by the person concerned; processing by the Company in a limited way for publicizing purposes,
• Personal data processing by Company is mandatory for the establishment, use or protection of a right of the Company,
• Provided that it does not harm the fundamental rights and freedoms of the relevant persons It is mandatory to perform personal data processing for the legitimate interests of the Company,
• It is compulsory for our company to process personal data for the protection of the life or body integrity of the person concerned or someone else, and in this case, the persons concerned are unable to disclose their consent due to actual impossibility or legal invalidity,
• Special quality personal data other than the health and sexual life of the relevant persons, in cases stipulated by the law, 
• Personal data of special nature of data subject relating to health and sexual life are processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. 

7.2. Retention Times for Personal Data

As Company, we keep personal data for the period specified in this legislation, in case it is stipulated in the relevant legislation. In addition, our obligations arising from the relevant contracts, our administrative and legal responsibilities / liabilities are also taken into account in determining the retention periods.

When the purpose of processing personal data has expired and the retention period determined by the relevant legislation and the company has reached the end, these personal data are deleted and backed up only to provide evidence in possible legal disputes or to assert the relevant right related to personal data. In this case, access to personal data is not provided for any other purpose. Personal data, is destroyed or anonymized after the periods specified in our Company’s Personal Data Storage and Destruction Policy expire.

The processed personal data and personal data inventories are reviewed in 6-month periods and the personal data that need to be deleted / destroyed are deleted / destroyed within these 6-month periodic destruction periods and the transaction is recorded.

8.PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT IN THE WORK AREAS

8 .1. Camera Monitoring Activities Conducted at the Entrances of the Work Areas and Inside

By our company; in order to ensure the security of the relevant Persons and our Company, we perform personal data processing activities for the place where we serve and carry out these services, security camera monitoring activity at the entrance and inside of the work areas, and tracking the entrances / exits and overtime. In this context as Company, we act in accordance with KVKK and other relevant legislation.

8.1.1. Informing about Camera Monitoring Activity

the relevant persons are enlightened by Our Company in accordance with Article 10 of the KVKK; in this way, it is aimed to prevent harm to the fundamental rights and freedoms of the persons concerned and to ensure transparency. For camera surveillance activities, the Company’s website provides illumination with this Policy (online Policy) and a notification letter stating that monitoring will be made at the entrances of the areas where monitoring is performed (on-site lighting / layered lighting).

8.1.2. The Purpose of Surveillance with Cameras and Limitation of Purpose

As Company, we process personal data in connection with the purpose for which they are processed, in a limited and measured manner in accordance with KVKK. The purpose of the company in continuing the video camera recording and monitoring activity is limited to the purposes listed in this Policy. In this respect, security camera coverage, number of them and when to conduct surveillance are determined in a way that is sufficient enough to achieve the security purpose and limited for this purpose.

8.1.3. Ensuring the Security of Data Obtained by Camera Monitoring

All necessary technical and administrative measures are taken by the Company to ensure the security of personal data obtained by camera recording. Detailed information is included in the section on measures regarding data security. 

8.1.4. Who can Access to Information Obtained as a Result of Surveillance and To Whom This Information Is Transmitted

Only authorized persons can access the information obtained as a result of monitoring and the storage environment. On the other hand, the live camera images can be watched by the security guards who are employees of the Company or outsourced. A limited number of people having access to the records declare, through the confidentiality commitment, that they will protect the confidentiality of the data they access.

8.2. Visitor Entry / Exit Tracking at the Entrances of the Work Areas and Inside

By the Company and by the outsourced company; for ensuring security and for the purposes specified in this Policy,Personal data processing is carried out for tracking visitor entry and exit in work areas of the Company. 

While obtaining the names and surnames of the people who come to our work areas as visitors, the relevant persons are enlightened through the texts posted in the relevant areas or made available to the guests in other ways. The data obtained for tracking guest entrance and exits are processed for this purpose only, and the personal data are recorded in the data recording system in physical domains.

8.3. Recording of Information on Electronic Devices at the Entrances of Work Areas

In connection with the care and sensitivity we show as a company to information security and protection of personal data; when our guests use their personal computers or similar electronic devices, we record the MAC addresses of computers or similar electronic devices. The reason for this is to ensure the security of our company and the people whose personal data are within our company. 

9. REVISING

This policy comes into effect after being approved by the Company’s board of directors. Regarding the changes to be made in the policy, the approval of the person (s) to be authorized by the board of directors is obtained. The issues regarding the implementation of this policy within the Company have been systematized with the internal policies, procedures and internal directives. The policy is reviewed every 6 months and, if necessary, revisions are made regarding the approval of the authorized person.

10.PERSONAL DATA PROTECTION COMMITTEE

Company has appointed a contact person within the framework of personal data protection law. A Committee of 4 people was formed among the employees of the units of the Company. The Personal Data Protection Committee (‘‘Committee’‘) is chaired by the Company contact person.

The contact person acts with the views and recommendations of the Committee on administrative and technical measures. With regard to administrative and technical measures, the principles determined by the Committee are taken into account. The Committee, strives to comply with personal data protection legislation of the Company. The contact person supervises the Company units for which she is responsible within the scope of personal data protection law. As a result of these audits, he/she warns the relevant units when necessary and informs the senior management about the situation.

Contact person coordinates the contact person applications made to the company responses of the related person applications within the legal periods and in accordance with the procedure. Contact person, Manages Company’srelations with the Personal Data Protection Authority.

11. ENFORCEMENT:

This Policy comes into force as of the date it is accepted and announced by the cCompany’s board of directors / authorized bodies.