Goal / Objective

This directive has been prepared by Albayrak Holding AŞ and its Group Companies, which have adopted the principle of working under the legal order and all legal/administrative regulations. Its purpose, especially regarding the personal data processed by the Company under the Law on the Protection of Personal Data No. 6698 and the relevant legislation, is to protect the fundamental rights and freedoms of individuals, including the privacy of private life, and to regulate the obligations of employees who process personal data and the procedures and principles to be followed.


This directive aims to ensure the continuity of the Company’s compliance with the Personal Data Protection Law and other legal regulations on the protection of personal data and to standardize the corporate culture.


The provisions of this directive are applied to the manager and other personnel who perform services to the Company with a service contract, and all persons who have a consultancy/procurement/subcontractor relationship with a contract, and those mentioned are obliged and responsible to act under the provisions of this directive.


Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Constitution: The Constitution of the Republic of Turkey (T.C.) dated 1982.
Anonymization (Rendering Anonymous): Making personal data incapable of being related to an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee Candidate: Real persons who have applied for a job to our Company in any way or who have submitted their CV and related information to our Company for review.
Relevant Person: The natural person whose personal data is processed.
Personal Data: Any information pertaining to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of the data.
Committee: Personal Data Protection Committee.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
KVKK: Personal Data Protection Law No. 6698.
Special Qualified Personal Data: Data on race or ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress, association or trade union membership, health, sexual life, criminal convictions and security measures, and genetic and biometric data.
Periodic Disposal Process: If the conditions for processing personal data contained in the law are eliminated, the deletion, destruction, or anonymization process that is performed at the intervals specified in the policy of storing and destroying personal data.
Policy: KVK policy.
Potential Customer: Persons who have requested to use our services or have been assessed in accordance with the commercial practices and integrity rules to which they will be found.
Company: Albayrak Holding and Group Companies.
Data Owner Application Form: The application form that data owners will use when preparing their application for their rights contained in Article 11 of the KVK Law.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Record System: The registry system where personal data are structured and processed according to certain criteria.
Data Supervisor (Data Controller): A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Deleting Data: Making personal data inaccessible and unavailable in any way for the relevant users.
Data Destruction: Making personal data inaccessible, unrecoverable, and not reusable by anyone.



Company managers and employees are obliged to take care and act in accordance with the KVKK and related legislation. In this context, it is mandatory to comply with the following principles in the processing of personal data:

– Compliance with the law and the rules of honesty.

– Being accurate and, when necessary, up to date.

– Processing for specific, explicit, and legitimate purposes.

– Being relevant, limited, and proportionate to the purpose for which they are processed.

– Being kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.


  1. Conditions of Processing Personal Data

Personal data at the company are processed following the express consent of the person concerned or following the personal data processing requirements.

However, it is possible to process personal data without the explicit consent of the person concerned if one of the following conditions is met:

– If it is stipulated in the laws.

– If it is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.

– If it is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of that contract.

– If the data controller must fulfill his legal obligation.

– If it is made public by the person concerned.

– If the data processing is mandatory for the establishment, use, or protection of a right.

– If it is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.


  2. Conditions for Processing Special Quality Personal Data

– Individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special quality personal data.

– Special quality personal data can be processed with the express consent of the person concerned.

– Personal data other than those relating to health and sexual life can be processed without the explicit consent of the person concerned only in cases stipulated by the law.

– Personal data related to health and sexual life can be processed by persons under the obligation of confidentiality, without seeking the express consent of the person concerned, for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

– Health-related personal data can be processed by the workplace doctor or, in the absence of a workplace doctor, the HR officer assigned for this issue, and the relevant unit manager or chief.

– Personal data of special nature are kept, as a minimum security measure, using a second lock/encryption system in physical environments and a second password system in digital environments, and can only be accessed by authorized personnel.


  3. Deletion, Destruction or Anonymization of Personal Data

– Even though personal data have been processed in accordance with the KVKK and the relevant legislation, if the reasons for their processing disappear, they will be deleted, destroyed, or anonymized by our Company or upon a justified request of the person concerned.

– The provisions in the legislation regarding the deletion, destruction, or anonymization of personal data are reserved, and in case there is a legal obligation that requires the data not to be deleted, deletion, destruction, or anonymization is applied after this obligation is removed.

– The company prepares a destruction policy regarding deletion, destruction, and anonymization, and action is taken under this policy.

– The company periodically examines the personal data inventories in January and July every year and takes the necessary actions regarding the personal data that need to be anonymized, deleted, or destroyed.

– The relevant department officer is responsible for the processes regarding the deletion, destruction, and anonymization of personal data. The department officer cooperates with the Personal Data Protection Committee on this issue.


  4. Transfer of Personal Data to Third Parties

– Personal data are not transferred to third parties without the express consent of the person concerned.

– Personal data can be transferred without seeking the explicit consent of the person concerned, provided that the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the KVKK, and in articles 1 and 2 of this directive, are fulfilled and sufficient precautions are taken.

– Information is provided about the transfer of all personal data, including special personal data, processed by the Company to the Company’s shareholders, partners, and suppliers.


  5. Transfer of Personal Data Abroad

– Personal data cannot be transferred abroad without the express consent of the person concerned.

– Personal data can be transferred abroad without the explicit consent of the person concerned if one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the KVKK exists and adequate protection is available in the foreign country where the personal data will be transferred.

– In the absence of adequate protection, personal data can be transferred abroad without the explicit consent of the person concerned if the data controllers in Turkey and in the foreign country give a sufficient commitment to adequate protection and the written consent of the Board is present.


6. The Company’s Obligation to Disclose as a Data Officer

Employees or managers authorized by the Company inform the relevant persons, during or before the acquisition of personal data, about:

– Company identity,

– The purpose for which personal data will be processed,

– To whom and for what purpose the processed personal data can be transferred,

– The method and legal reason for collecting personal data,

– The other rights listed in article 7 of this directive.

This information is primarily presented to the relevant persons on the Company’s website, other application channels, and channels where personal data are processed, in a way that everyone can see and read, by directing them to the website in a layered manner when necessary.


7. Rights of the Relevant Person

By applying to the Company, relevant persons can:

– Learn whether personal data is processed

– Request information about it if personal data has been processed

– Learn the purpose of processing personal data and whether they are used appropriately for their purpose,

– Know the third parties in the country or abroad to whom personal data have been transferred

– Request correction of personal data in case of incomplete or incorrect processing

– Request the deletion or destruction of personal data within the framework of the provisions stipulated in the law

– Request notification of the transactions made according to subparagraphs (d) and (e) to third parties to whom personal data have been transferred

– Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems

– Demand the compensation of the damage in case of damage due to illegal processing of personal data

Necessary explanations are made about the methods of application and other procedures in the disclosure text published on the website and the clarification texts written/published in other media regarding the rights of the relevant person listed in this directive.

Within 30 days from the notification of the duly made application of the relevant person, the Company replies to the relevant person about their requests. The Contact Person is responsible for the follow-up and management of the processes related to this subject.


  8. Obligations Regarding Data Security

The personnel who are authorized and responsible for both the processing and the protection of the Company’s personal data are required to:

– Prevent unlawful processing of personal data

– Prevent unlawful access to personal data

– Ensure the protection of personal data

They have to take all necessary technical and administrative measures to ensure the appropriate level of security for these purposes.

In case personal data is processed by another natural or legal person on behalf of the Company, these persons are warned about taking the measures specified in the first paragraph, a written commitment is taken from them and this subject is added to their contracts.

Employees who are authorized and responsible for the processing and protection of personal data carry out the necessary work to ensure that the provisions of this directive are implemented in their fields of duty and authority. In this regard, senior managers have to carry out the necessary inspections or have them carried out.


  9. Confidentiality

Company employees and managers cannot disclose the personal data they have learned to anyone in violation of the provisions of the KVKK and the relevant legislation and this directive and cannot use it for purposes other than processing. This obligation continues even after they leave the job.


  10. Notification

If it is determined that the processed personal data has been obtained by others through illegal means, the Contact Person informed about the subject notifies the relevant person and the senior management as soon as possible. The violation experienced is also notified to the Board by the Contact Person.


  11. Administrative and Technical Measures

The company takes all kinds of administrative and technical measures to ensure data security, and in this process the data processing officer(s), the relevant Contact Person, and the Personal Data Protection Committee take an active role in a coordinated manner. Regarding the administrative and technical measures to be taken, a written report is submitted to the Company’s senior management in February of each year by the information processing officer(s) and the Contact Person and/or the Personal Data Protection Committee.

The data processing officer carries out studies to take the necessary measures in accordance with the Administrative and Technical Measures guide published by the Board. The following are to be carried out by the data processing officer:

– After the current risks and threats are identified and prioritized, control and solution alternatives to reduce or eliminate these risks should be evaluated in line with the principles of cost, applicability, and usefulness, and the necessary technical and administrative measures should be planned and implemented.

– Efforts should be made to educate and raise awareness of employees on information and personal data security.

– Efforts should be made to ensure cybersecurity.

– Efforts should be made to ensure the security of environments containing personal data.

– It should be ensured that the data is backed up for use in cases where personal data is damaged, destroyed, stolen, or lost for any reason.

– In particular, the necessary studies should be carried out to take technical measures advised by the Board, such as:

– Authorization Matrix

– Authority Control

– Access Logs

– User Account Management

– Network Security

– Application Security

– Encryption

– Penetration Test

– Attack Detection and Prevention Systems

– Log Records

– Data Masking

– Data Loss Prevention Software

– Backup

– Firewalls

– Current Anti-Virus

– Deleting, Destroying, or Anonymizing Systems

– Key Management


12. Personal Data Protection Committee

– A Personal Data Protection Committee is established by Albayrak Holding A.Ş. The Committee consists of at least three people under the chairmanship of Albayrak Holding AŞ and Group Companies. One or more persons may be assigned for the obligations to be fulfilled by the committee.

In addition, each company establishes a Personal Data Protection committee consisting of at least three people under the chairmanship of a senior manager. All references to the committee in this directive are valid for both the company and the personal data protection committees of the Group Companies.

– The Committee is responsible for: Preparation of the Personal Data Processing Inventory; Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.); Agreements (Between Data Supervisor – Data Supervisor, Data Controller – Data Processor); Confidentiality Undertakings; Periodic and/or Random Audits within the Institution; Risk Analysis; Employment Contract and Discipline Regulation (Addition of Provisions Appropriate to Law); Corporate Communication (Crisis Management, Information Process for the Board and Related Person, Reputation Management, etc.); Training and Awareness Activities (Information Security); Notification to the Data Controllers Registry Information System (VERBİS); and taking and implementing the administrative and technical measures that are notified in writing by the Information Technologies Directorate. If the Board of Directors is authorized to fulfill these obligations, the situation is notified to the Board of Directors, and if the General Manager is authorized, the situation is notified to the General Manager in writing. Within the financial and technical possibilities of the company, action is taken under the Committee’s requests.

– The Committee follows the periodic review and destruction processes of the personal data inventories together with the relevant department heads.

– The Committee can distribute tasks among its members.


  13. Contact Person, Duties, Authorities and Responsibilities

– Based on the authority given by the Board of Directors, a Contact Person is appointed by the General Manager from among the members of the Personal Data Protection Committee.

– The Contact Person is primarily responsible for conducting VERBIS registration procedures and relations with the Board on behalf of the company.

– The Contact Person is obliged to evaluate the legal requests of the relevant person with the Committee and to provide the necessary answers on behalf of the Company in line with the Committee’s instructions.

– The Contact Person ensures the creation of the personal data inventory of the Company, monitors the relevant units and identifies the work to be done under the inventory with the Committee and shares it with the relevant units and senior management.

– The Contact Person cooperates with the IT department and the committee in taking administrative and technical measures regarding the protection of personal data.

– The Contact Person plans awareness training for Company employees regarding KVKK and related legislation together with the Committee.

– The Contact Person works with the Committee to prepare and publish clarification texts, to add special clauses on the protection of personal data to contracts, to realize confidentiality agreements and regulations.

– The Contact Person works with the Committee to ensure data minimization.


  14. Awareness Training

The Company provides regular awareness training to employees who come into contact with personal data in the light of Personal Data Protection legislation and new developments and ensures that both new personnel and existing personnel are competent in this regard.


  15. Personal Data Inventory

The company prepares a personal data inventory regarding the personal data it has processed. If deemed necessary, a personal data inventory preparation directive is created.

Prepared personal data inventories are reviewed every year in January and July, and additions and deletions are made.


  16. Data Controllers Registry Information System

a) The company has to be registered in the Registry since it has the title of data controller. (For companies whose last annual financial balance is 25 million Turkish Liras and the number of employees is less than 50, the Company can register with VERBIS if it wishes to be considered as a data controller.)

b) The registration application to the Registry is made with a notification including the following matters:

– Identity and address information of the data controller and, if any, its representative.

– The purpose for which personal data will be processed.

– Explanations about the group and groups of data subject persons and the data categories belonging to these persons.

– Recipient or recipient groups to which personal data can be transferred.

– Personal data intended to be transferred to foreign countries.

– Measures taken regarding personal data security.

– The maximum period required for the purpose for which personal data are processed.

– Changes in the information provided are immediately notified to the Board.

c) All kinds of transactions related to registration in the Registry are carried out by the Contact Person.


  17. Measures to be Taken Against Unauthorized Disclosure of Personal Data

Our company will notify the relevant person and the Board within 72 hours if the personal data it processes is illegally obtained by others.

If deemed necessary by the Board, this may be announced on the Board’s website or by any other method.


  18. Enforcement

This directive is executed by the general managers of the relevant companies, with the approval of the management bodies of Albayrak Holding AŞ and Group Companies.