Personal Data Protection Policy

1. Legal Basis: Based on Article 20 of the Constitution, which stipulates that everyone has the right to request the protection of their personal data, and this right includes being informed about personal data concerning themselves, accessing this data, requesting its correction or deletion, and learning whether it is being used for its intended purposes. Personal data can only be processed in cases prescribed by law or with the explicit consent of the person concerned. In accordance with the Personal Data Protection Law No. 6698, we attach utmost importance to the lawful protection and processing of personal data and act with this diligence in all our planning and activities. As a company, we take all administrative and technical measures for the protection and processing of personal data, which is fundamental to the privacy of personal life, and we inform our staff about the legal sanctions regulated under Articles 135 and following of the Turkish Penal Code (TCK).

2. Purpose: The purpose of our policy, prepared considering the applicable Personal Data Protection Law No. 6698, is to ensure compliance with obligations regarding the protection of personal data, and to evaluate issues related to the processing, transfer, and confidentiality of information obtained within the scope of the Company’s activities using a risk-based approach. It involves determining strategies, internal controls and measures, operational rules, and responsibilities, and raising awareness among the employees on these matters. Additionally, it aims to ensure transparency by informing individuals whose personal data is processed by the Company, including our customers, potential customers, employees, job applicants, shareholders, company officials, visitors, employees, shareholders, and officials of cooperating institutions/organizations, as well as third parties.

3. Scope: This policy covers all personal data processed through automatic or non-automatic means, as part of any data recording system, concerning our customers, potential customers, employees, job applicants, shareholders, company officials, visitors, employees, shareholders, and officials of cooperating institutions, and third parties.

4. Definitions

4.1. Explicit Consent: Consent expressed freely and based on being informed about a specific issue.

4.2. Anonymization: The process of modifying personal data so that it can no longer be associated with a specific individual in a way that cannot be reversed. Examples include masking, aggregation, data obfuscation, etc.

4.3. Employee: Individuals working at the Company under an employment contract.

4.4. Job Applicant: Individuals who have applied for a job at the Company through any means or have opened their resumes and relevant information for the Company’s review.

4.5. Natural Persons and Private Law Legal Entities: Natural persons are those who are alive and fully born according to the Turkish Civil Code. Private law legal entities refer to commercial companies defined in the Turkish Commercial Code and associations and foundations defined in the Turkish Civil Code.

4.6. Public: Refers to the group of individuals that includes everyone, without any specific distinguishing characteristics.

4.7. Shareholders: Individuals or entities that own shares in the Company.

4.8. Business Partner: Parties with whom the data controller conducts commercial activities and has commercial relationships.

4.9. Employees, Shareholders, and Officials of Partner Institutions: Individuals who are employees, shareholders, or officials of institutions with which the Company has any kind of business relationship (e.g., partners, suppliers, but not limited to these).

4.10. Affiliates and Subsidiaries: An affiliate is a company in which the data controller holds shares of another company’s capital. If the company has more than 50% of the voting rights in the associated company, it constitutes a subsidiary; otherwise, it is simply an affiliate relationship.

4.11. Processing of Personal Data: All kinds of operations performed on personal data, whether by automated means or as part of any data recording system, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transmitting, receiving, making available, classifying, or preventing the use of data.

4.12. Data Subject: The natural person whose personal data is being processed. For example, customers and employees.

4.13. Personal Data: Any information relating to an identified or identifiable natural person. Processing of information related to legal entities is not covered by the law. Examples include name, surname, ID number, email, address, date of birth, credit card number, etc.

4.14. Customer: Individuals who use or have used the products and services offered by the Company, regardless of whether they have a contractual relationship with the Company.

4.15. Sensitive Personal Data: Data related to race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, membership in associations, foundations, or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

4.16. Potential Customer: Individuals who have shown interest or requested to use our products and services, evaluated according to commercial practices and principles of honesty.

4.17. Intern: Individuals who have applied for an internship at the Company with the aim of applying their theoretical knowledge in practice.

4.18. Company Shareholder: Individuals who are shareholders of the Company.

4.19. Company Official: Members of the board of directors and other authorized individuals of the Company.

4.20. Supplier: Parties that have a business relationship with the data controller based on a service contract and/or power of attorney, for the purpose of service procurement.

4.21. Group Companies: According to the definition in the Turkish Commercial Code, “companies directly or indirectly affiliated with the controlling company form a group of companies together with it.”

4.22. Third Party: Natural persons (e.g., family members and close relations) associated with the aforementioned parties, who ensure the security of commercial transactions or protect the rights and interests of these individuals.

4.23. Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on authorization. For example, firms or companies holding the Company’s data.

4.24. Data Controller: The person or entity who determines the purposes and means of processing personal data, manages the place where data is systematically stored (data recording system), and provides necessary information and guidance to the data subject in response to their requests.

4.25. Authorized Public Institutions and Organizations: Public institutions and organizations authorized by relevant legislation to request information and documents from the data controller and to which the data controller must transfer data to fulfill legal obligations.

4.26. Visitor: Individuals who enter the Company’s physical premises for various purposes or visit our websites.

5. Abbreviations

5.1. KVKK: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette No. 29677 dated April 7, 2016, and enacted on March 24, 2016.

5.2. Constitution: The Constitution of the Republic of Turkey, published in the Official Gazette No. 17863 dated November 9, 1982, and enacted on November 7, 1982.

5.3. Personal Data Protection Board (KVK Kurulu): The authority responsible for overseeing the implementation of personal data protection laws.

5.4. Personal Data Protection Authority (KVK Kurumu): The institution responsible for ensuring compliance with personal data protection regulations.

5.5. Policy: Company’s Personal Data Protection and Processing Policy.

5.6. Turkish Code of Obligations (TBK): Law No. 6098 on the Turkish Code of Obligations, published in the Official Gazette No. 27836 dated February 4, 2011, and enacted on January 11, 2011.

5.7. Turkish Penal Code (TCK): Law No. 5237 on the Turkish Penal Code, published in the Official Gazette No. 25611 dated October 12, 2004, and enacted on September 26, 2004.

5.8. Turkish Commercial Code (TTK): Law No. 6102 on the Turkish Commercial Code, published in the Official Gazette No. 27846 dated February 14, 2011, and enacted on January 13, 2011.

6. Data Categories: The Company may record, process, or transfer data related to the following categories:

6.1. Identity: (e.g., name and surname, date of birth, marital status, ID number)

6.2. Contact: (e.g., address, email address, contact address, registered electronic mail (KEP), phone number)

6.3. Personal: (e.g., payroll information, disciplinary investigations, employment records, resume information)

6.4. Legal Process: (e.g., information in correspondence with judicial authorities, information in legal case files)

6.5. Customer Transactions: (e.g., invoice, order details, request information)

6.6. Transaction Security: (e.g., IP address information, website login/logout details, password and security credentials)

6.7. Risk Management: (e.g., information processed for managing commercial, technical, and administrative risks)

6.8. Finance: (e.g., balance sheet information)

6.9. Professional Experience: (e.g., diploma information, courses attended, in-service training information, certifications, transcripts)

6.10. Marketing: (e.g., shopping history, surveys, cookie records)

6.11. Visual and Auditory Records: (e.g., visual and auditory recordings)

7. Purposes of Personal Data Processing: The Company may record, process, or transfer personal data for the following purposes:

7.1. Emergency Management Processes: Managing processes related to emergency situations.

7.2. Information Security Processes: Implementing measures for information security.

7.3. Selection and Placement Processes for Job Applicants / Interns / Students: Managing processes related to recruiting and placing job applicants, interns, and students.

7.4. Application Processes for Job Applicants: Managing the application process for job candidates.

7.5. Employee Satisfaction and Engagement Processes: Managing processes to enhance employee satisfaction and engagement.

7.6. Compliance with Employment Contracts and Legal Obligations for Employees: Fulfilling obligations arising from employment contracts and legislation.

7.7. Employee Benefits and Entitlements Processes: Managing processes related to employee benefits and entitlements.

7.8. Audit / Ethical Activities: Conducting audits and ethical reviews.

7.9. Training Activities: Managing training activities.

7.10. Access Rights Management: Managing access permissions and rights.

7.11. Compliance with Regulations: Ensuring activities are conducted in compliance with relevant regulations.

7.12. Finance and Accounting Operations: Managing financial and accounting tasks.

7.13. Company / Product / Service Loyalty Processes: Managing processes related to customer loyalty towards the company, products, or services.

7.14. Physical Security of Premises: Ensuring the physical security of company premises.

7.15. Assignment Processes: Managing processes related to employee assignments.

7.16. Legal Affairs Tracking and Management: Managing and monitoring legal matters and processes.

7.17. Internal Audit / Investigation / Intelligence Activities: Conducting internal audits, investigations, and intelligence activities.

7.18. Communication Activities: Managing communication-related activities.

7.19. Human Resources Planning: Planning human resources processes.

7.20. Business Operations / Oversight: Managing and overseeing business operations.

7.21. Occupational Health and Safety Activities: Managing activities related to occupational health and safety.

7.22. Improvement Suggestions for Business Processes: Collecting and evaluating suggestions for improving business processes.

7.23. Business Continuity Management: Ensuring business continuity through appropriate measures.

7.24. Logistics Activities: Managing logistics processes.

7.25. Procurement of Goods / Services: Managing processes related to the purchase of goods and services.

7.26. Post-Sales Support Services: Providing support services after the sale of goods or services.

7.27. Sales Processes for Goods / Services: Managing processes related to the sale of goods or services.

7.28. Production and Operational Processes for Goods / Services: Managing the production and operational processes of goods and services.

7.29. Customer Relationship Management: Managing customer relationship processes.

7.30. Customer Satisfaction Activities: Conducting activities to enhance customer satisfaction.

7.31. Organization and Event Management: Managing organizational activities and events.

7.32. Marketing Analysis: Conducting marketing analysis studies.

7.33. Performance Evaluation Processes: Managing performance evaluation processes.

7.34. Advertising / Campaign / Promotion Processes: Managing processes related to advertising, campaigns, and promotions.

7.35. Risk Management Processes: Managing risk management activities.

7.36. Storage and Archiving Activities: Managing storage and archiving of records.

7.37. Social Responsibility and Civil Society Activities: Managing social responsibility and civil society activities.

7.38. Contract Management Processes: Managing contract-related processes.

7.39. Sponsorship Activities: Managing sponsorship activities.

7.40. Strategic Planning Activities: Conducting strategic planning activities.

7.41. Request / Complaint Tracking: Tracking and managing requests and complaints.

7.42. Security of Movable Assets and Resources: Ensuring the security of movable assets and resources.

7.43. Supply Chain Management Processes: Managing processes related to supply chain management.

7.44. Salary Policy Management: Managing the company’s salary policies.

7.45. Marketing Processes for Products / Services: Managing processes for marketing products and services.

7.46. Ensuring Security of Data Controller Operations: Ensuring the security of operations carried out by the data controller.

7.47. Work and Residence Permit Procedures for Foreign Personnel: Managing work and residence permit processes for foreign employees.

7.48. Investment Processes: Managing investment-related processes.

7.49. Talent / Career Development Activities: Conducting activities related to talent and career development.

7.50. Providing Information to Authorized Persons, Institutions, and Organizations: Providing information to authorized entities as required.

7.51. Management Activities: Managing company administrative and operational activities.

7.52. Visitor Registration and Tracking: Creating and tracking visitor records.

8. Legal Grounds for Processing Personal Data: The legal grounds for processing personal data are regulated under Article 5 of the KVKK (Personal Data Protection Law). Personal data cannot be processed without the explicit consent of the data subject. However, processing personal data without the explicit consent of the data subject is possible under the following conditions:

8.1. Explicit Provision in Laws: When explicitly provided by laws.

8.2. Inability to Give Consent Due to Physical Impossibility: When the data subject is incapable of expressing consent due to physical impossibility or when the consent is not legally valid, and processing is necessary to protect the life or physical integrity of the data subject or another person.

8.3. Necessity for Contract Formation or Execution: When processing personal data is necessary for the establishment or performance of a contract directly related to the data subject.

8.4. Legal Obligation of the Data Controller: When processing is mandatory for the data controller to fulfill a legal obligation.

8.5. Made Public by the Data Subject: When the data has been made public by the data subject.

8.6. Establishment, Use, or Protection of a Right: When processing is necessary for the establishment, exercise, or protection of a legal right.

8.7. Legitimate Interests of the Data Controller: When processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

9. Legal Grounds for Processing Sensitive Personal Data: The legal grounds for processing sensitive personal data are regulated under Article 6 of the KVKK (Personal Data Protection Law). Sensitive personal data can only be processed in accordance with the conditions set out in Article 6/2. Specifically

10. Personal Data Transfer Recipients: The Company may transfer personal data to the following recipient groups:

10.1. Suppliers

10.2. Authorized Public Institutions and Organizations

11. Personal Data Subjects: The Company may record, process, or transfer personal data for the following types of individuals:

11.1. Job Applicants

11.2. Employees

11.3. Potential Buyers of Products and Services

11.4. Interns

11.5. Supplier Employees

11.6. Supplier Representatives

11.7. Persons Receiving Products or Services

12. Personal Data Retention Periods: The retention periods for personal data are detailed in the Personal Data Retention and Disposal Policy.

13. Deletion, Destruction, or Anonymization of Personal Data:

13.1. Personal data, even if processed in accordance with the law, must be deleted, destroyed, or anonymized by the data controller when the reasons for processing no longer exist, either ex officio or upon the request of the data subject.

13.2. The data controller will delete, destroy, or anonymize personal data during the first periodic destruction process following the date when the obligation to delete, destroy, or anonymize personal data arises.

13.3. The procedures related to these actions are detailed in the Personal Data Retention and Destruction Policy.

14. Transfer of Personal Data:

Personal data obtained for processing in accordance with the general principles specified in the Law can be transferred to third parties with the explicit consent of the data subject.

14.1. Domestic Transfer: Details regarding the transfer of personal and sensitive personal data within the country are regulated in the Personal Data Transfer Procedure.

14.2. International Transfer: Personal data can be transferred to countries with adequate protection, provided that the data subject’s explicit consent is obtained and the conditions specified in the Law are met. For countries without adequate protection, data transfer can occur if the conditions specified in the Law are met, explicit consent is obtained, written commitments of adequate protection are provided, and approval from the Board is received. Details are regulated in the Personal Data Transfer Procedure.

15. General (Fundamental) Principles for Processing Personal Data: Personal data will be processed in accordance with the following fundamental principles as specified in the Personal Data Processing Procedure and regulated under Article 4 of the Personal Data Protection Law:

15.1. Compliance with Law and Fairness: Personal data processing must adhere to the principles set by laws and other legal regulations, and should be conducted in a manner expected of a reasonable person, maintaining trust and fairness.

15.2. Accuracy and Up-to-date: Personal data must be kept accurate and up-to-date to protect the fundamental rights and freedoms of individuals. This principle safeguards the rights of the data subject and the interests of the data controller.

15.3. Processing for Specific, Explicit, and Legitimate Purposes: Data controllers must clearly define the purpose of data processing, and the purpose must be legitimate, meaning that the data is necessary and related to the work or service provided.

15.4. Relevant, Limited, and Proportional: The data processed should be relevant and suitable for achieving the specified purposes. Data that is not related or unnecessary for the purpose should not be processed. The principle of proportionality means maintaining a reasonable balance between the data processing and the intended purpose.

15.5. Retention for the Duration Necessary: Personal data should be retained only for the duration required to fulfill its purpose. The data controller must delete, destroy, or anonymize personal data if it exceeds the timeframes specified by relevant legislation or their own defined retention periods.

16. Explicit Consent:

Explicit consent is defined as consent that is given freely, based on being informed, and specifically related to a particular issue. As outlined in the explicit consent procedure, explicit consent must meet the following criteria:

17. Disclosure Obligation: During the collection of personal data, the company is required to inform the individuals concerned. As detailed in the Disclosure Procedure, this information must, at a minimum, cover the following points:

18. Identity of the Data Controller

18.1. The identity of the data controller and, if applicable, their representative.

18.2. The purposes for which personal data will be processed.

18.3. To whom and for what purposes personal data may be transferred.

18.4. The method of data collection and the legal basis for processing.

18.5. The rights of the individual as specified in Article 11 of the Law.

19. Methods for the Data Subject to Seek Rights: Data subjects, by applying to the Company, have the right to inquire whether their personal data has been processed, to request such data if it has been processed, to request the correction of the data if it is incomplete or incorrect, to request the deletion or destruction of the data if it has been processed unlawfully, to request that the necessary actions be communicated to third parties to whom the data has been disclosed, and to request compensation for damages incurred due to the unlawful processing of the data. The details of the data subject are provided in the Data Subject Rights Procedure, as per which the data subjects can exercise their rights to apply and complain.

19.1. Application: In order for data subjects to exercise their rights, they must first apply to the data controller. The route of complaint to the Board cannot be pursued without first exhausting this option.

19.2. Complaint: In order for the data subject to file a complaint, the Company must have rejected the application, provided an insufficient response, or failed to respond within 30 days. It is not possible for the data subject to directly approach the Board without first applying to the Company.

20. Obligation to Implement Board Decisions: If the Board determines the existence of a violation as a result of its investigation into matters within its jurisdiction, either upon a complaint or upon learning of an alleged violation, it will issue a decision requiring the Company to remedy the unlawful act, and will notify the relevant parties of the decision. As detailed in the Procedure for Implementing Board Decisions, the Company must implement this decision without delay and within no later than thirty days from the date of notification.

21. Obligation to Register with the Data Controllers’ Registry (VERBİS): The Company registers with the Data Controllers’ Registry (VERBİS), which is the registration system where data controllers are required to register and declare information regarding their data processing activities, in accordance with the procedure specified in the Data Controllers’ Registry (VERBİS) registration procedure, and updates these records.

22. Personal Data Breach: In the event that personal data processed by the Company is obtained by others through unlawful means, the Company shall notify the data subject and the Board as soon as possible in accordance with the Personal Data Breach Procedure. The Board may announce this breach on its website or by another method it deems appropriate, if necessary.

23. Personal Data Security Measures: The Company takes the following technical and administrative measures at an appropriate level for its structure to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the safe retention of personal data:

23.1. Network security and application security are ensured.

23.2. A closed network system is used for the transfer of personal data via the network.

23.3. Key management is applied.

23.4. Security measures related to the supply, development, and maintenance of information technology systems are taken.

23.5. Disciplinary regulations that include provisions on data security are in place for employees.

23.6. Regular training and awareness activities on data security are conducted for employees.

23.7. Access logs are regularly maintained.

23.8. Data masking measures are applied when necessary.

23.9. Confidentiality agreements are made.

23.10. The authorities of employees who change positions or leave the job are revoked in this area.

23.11. Up-to-date antivirus systems are used.

23.12. Firewalls are used.

23.13. Signed contracts include data security provisions.

23.14. Additional security measures are taken for personal data transmitted in paper form, and related documents are sent in a confidential document format.

23.15. Personal data security policies and procedures are established.

23.16. Personal data security issues are reported promptly.

23.17. Personal data security is monitored.

23.18. Necessary security measures are taken for the entry and exit of physical environments containing personal data.

23.19. Security of physical environments containing personal data is ensured against external risks (e.g., fire, flood).

23.20. Security of environments containing personal data is ensured.

23.21. Personal data is minimized as much as possible.

23.22. Personal data is backed up, and the security of the backed-up data is also ensured.

23.23. User account management and authorization control systems are implemented, and they are monitored.

23.24. Internal periodic and/or random audits are conducted.

23.25. Log records are maintained without user intervention.

23.26. Existing risks and threats have been identified.

23.27. Protocols and procedures for the security of special categories of personal data are established and implemented.

23.28. Attack detection and prevention systems are used.

23.29. Penetration testing is conducted.

23.30. Cybersecurity measures are taken, and their implementation is continuously monitored.

23.31. Data processors’ service providers are regularly audited for data security.

23.32. Data loss prevention software is used.

Data Controller Information
Title of Data Controller:
Wise Bilişim Teknolojileri A.Ş.
MERSIS Number: 0814058908200001
Email Address: info@wiseback.com
KEP Address: wisebilisim@hs01.kep.tr
Address: Reşitpaşa Mah. Katar Cad. İTÜ Arı Teknokent 4 Binası No: 2/50 İç Kapı No: 6 Sarıyer / İstanbul