Güven ve Uyum

Standard	Standard Name	File
ISO/IEC 27001	Information Security Management System	View
ISO 9001	Quality Management System	View
ISO 10002	Customer Satisfaction Management System	View
ISO 27701	Privacy Information Management System	View
PCI DSS 4.0.1	PCI DSS Card Payment Industry Data Security Standard	View

1. Objective

Our policy of storing and destroying personal data, in accordance with the Law on the Protection of Personal Data No. 6698 and in force in the Official Gazette No. 30224, in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the “Regulation”); Determination of procedures and principles for the operation of storage and destruction activities carried out within our company It has been prepared for the purpose of informing our parties as well. In this context, this Policy constitutes automatic or any data recording within the scope of the Personal Data Protection Act and other legislation of our Clients, Officials and Employees of the Organizations with which we cooperate, Supplier Authorities and Employees, Partners Officials and Employees, Visitors, Website Users, Candidates of Employees and other Third Constitutions processing of personal data collected by our Company in non-automated ways, provided that they are part of the system; and Prepared for the purpose of informing the public about its protection.

2. Scope

Our policy of storing and destroying personal data, in accordance with the Law on the Protection of Personal Data No. 6698 and in force in the Official Gazette No. 30224, in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the “Regulation”); Determination of procedures and principles for the operation of storage and destruction activities carried out within our company It has been prepared for the purpose of informing our parties as well. In this context, this Policy constitutes automatic or any data recording within the scope of the Personal Data Protection Act and other legislation of our Clients, Officials and Employees of the Organizations with which we cooperate, Supplier Authorities and Employees, Partners Officials and Employees, Visitors, Website Users, Candidates of Employees and other Third Constitutions processing of personal data collected by our Company in non-automated ways, provided that they are part of the system; and Prepared for the purpose of informing the public about its protection.

3. Abbreviations and Definitions

Company: Our Company

Personal Data: Any information relating to a specific or identifiable natural person. Therefore, the processing of information related to legal entities is not covered by the Law.

Specially Qualified Personal Data: It is biometric and genetic data and data relating to race, ethnicity, political opinion, philosophical belief, religion, denomination or other beliefs, disguise, association or union membership, health, sexual life, criminal convictions and security measures. Processing of Personal Data is any operation carried out on data, such as obtaining, recording, storing, retaining, changing, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing its use by any data recording system, such as obtaining, recording, storing, storing, changing, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing its use. Personal Data Owner/Contact Person Company Officials, Business Partners/Suppliers, Employee, Employee Candidates, Visitors, Company and Group Company Clients, Potential Clients are third parties and Third Parties that are shared with the Company and/or obtained by the Company on behalf of these institutions/companies with which the Company cooperates. Data Registration System refers to the registration request in which personal data are processed by configuring according to certain criteria. Data Controller is a natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system Data Processor is a natural and legal person who processes personal data on his behalf based on the authority of the Data Processor

Explicit consent: It is consent with respect to a specific subject, based on being informed and expressed in free will.

Anonymization: This means that personal data cannot in any way be associated with a specific or identifiable natural person, even if it is matched with other data.

Electronic media: Call server/IT software/Project software/Barrier system server/File sharing common area (NAS), Our company computers and telephones Non-electronic media Lockers defined by Numbering/Archive

Service Provider: A natural or legal person providing services under a specific contract with the Internet Service provider/Customer-based call service provider

Destruction: It is the deletion, destruction or anonymization of personal data. Law: Refers to the Law on the Protection of Personal Data No. 6698 Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette of 28.10.2017 and published in the Official Gazette No. 30224 Registration environment: Any environment in which personal data is processed by non-automatic means, provided that they are part of any data recording system, which is fully or partially automated, or processed by non-automatic means, provided that they are part of any data recording system. Category of natural or legal person to whom personal data is transferred by the person in charge Employee Staff of our company Contact person Natural person processing personal data Related User Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller Personal Data Processing Inventory Personal Data Processing Inventory The personal data processing activities carried out by the data controllers depending on the work processes of the data controllers; the purposes of processing personal data and by legal reason, data category, transferred recipient group and data subject contact group Storage of personal data in case of disappearance of all the processing conditions of personal data contained in the Periodic Destruction Law of the Board Personal Data Protection Board on Periodic Destruction of the Inventory, which they have created by associating and describing the maximum retention period necessary for the purposes for which personal data are processed, personal data are transferred to foreign countries and the measures taken regarding data security and the deletion, destruction or anonymization process to be performed at the intervals specified and repeated in the destruction policy Policy Personal Data Retention and Destruction Policy Data Controllers Registry Information System The information system created and managed by the Presidency, which can be accessed via the Internet, created and managed by the Presidency of the Data Controllers Data Controllers Register Information System

4. Recording Environments

The table below shows in which environments the personal data stored by OUR COMPANY is recorded. The personal data stored by our company is stored in the most appropriate recording environment according to its nature and legal situation. Data Recording Environment Description Electronic Environments • Servers (Backup, File Sharing, Local Server, Domestic Cloud System, etc.) • Our Company Computers (Desktop, Laptop, etc.) Non-Electronic Media • Paper, File, Folder, Notebook

5. Distribution of Responsibilities and Duties

In accordance with Article 6 (f) of the Regulation, it is regulated that the names, duties and units of persons involved in the storage and destruction of personal data must be indicated. In this scope, the titles, duties and units belonging to the persons within our Company are specified in terms of data security, management of storage and destruction processes, taking technical and administrative measures in order to prevent unlawful processing and access of personal data, to ensure the proper storage of personal data in order to prevent processing and access to personal data in accordance with the law. Each department supervisor directs all types of planning, analysis, research, risk determination in projects carried out within the scope of the compliance process within the scope of his department; to manage the processes to be carried out in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data and other regulated policies and procedures, and to decide and respond to requests received by interested persons from conducting an audit of the storage and destruction processes and reporting these audits to the Personal Data Manager; storage and destruction responsible for the execution of their processes and the implementation of retention and disposal policies. Business and operations involving multiple departments will be coordinated by the Computing department. The Quality Manager and the Information Processing Department is the Personal Data Manager.

6. Processing of Personal Data

Our company is engaged in processing personal data in accordance with Article 20 of the Constitution, Privacy of Private Life, and Article 4 and Article 6 of the Law; in accordance with the law and the rules of honesty, accurate and, if necessary, up to date; with specific, clear and legitimate purposes; in a limited and measured form in connection with the purpose. Our company retains personal data for as long as stipulated by law or required by the purpose of personal data processing and/or recognized on a sectoral basis and in the light of the following principles. a) In accordance with the law and the rules of honesty, b) Keeping accurate and as necessary up to date, c) To be processed for specific, clear and legitimate purposes, c) For the purpose for which they are processed linked, as necessary, limited and in moderation (d) maintained for as long as is necessary for the purpose for which they are processed or provided for in the relevant legislation.

7. Terms of Processing of Personal Data Personal

the data is not processed without the express consent of the person concerned. However, in the presence of one of the following conditions specified by law, it is possible to process personal data without the express consent of the person concerned. That is; a) It is expressly provided for in the laws. b) The obligation of the person whose consent cannot be disclosed by reason of actual impossibility or whose consent is not legally valid is required for the protection of the life or bodily integrity of the person or of another. c) Provided that the contract is directly related to the establishment or performance of a contract, the need for the processing of personal data belonging to the parties. ç) that the data controller is obliged to fulfill his legal obligation. d) that it has been made public by the data subject himself. e) Compulsory processing of data for the establishment, exercise or protection of a right. f) Compulsory processing of data for the legitimate interests of the data controller, so as not to prejudice the fundamental rights and freedoms of the data subject.

8. Terms of Processing of Personal Data of Special Qualification

As a Company operating in the technology sector, due to the nature of the work we do, due to the nature of our work, we are sensitive and treated accordingly to the regulations stipulated in the Law. In Article 6 of the Law, a number of personal data that, when processed unlawfully, have a risk of causing victimization or discrimination against persons is designated as “special nature”. These data include biometric and genetic data as well as data on race, ethnicity, political thought, philosophical belief, religion, denomination or other beliefs, dress and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures. Our company does not process personal data of a special nature without the express consent of the interested party. If the person has his consent or personal data relating to health and sexual life can only be processed without seeking the express consent of the persons or authorized bodies and organizations concerned for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing the financing of health services and health services. In these cases, when processing personal data of a special nature, it is also necessary to take adequate measures determined by our KVK Board.

9. Transfer of Personal Data/Transfer of Personal Data Abroad

Personal data cannot be transferred without the express consent of the person concerned. Only if one of the conditions specified in articles 5 and 6 is found, it can be transferred without the express consent of the person concerned. The necessary confidentiality conditions and security measures in the transfer process may be transferred by the data controller to third parties. Personal Data by our company; to foreign countries declared to have adequate protection by the KVK Board, or in case of lack of adequate protection, data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing, provided that personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject can be transferred to foreign countries. If the person has consent or personal data relating to health and sexual life can only be processed without the express consent of the persons or authorized bodies and organizations who are under a duty to keep secrets for the protection of public health, the implementation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. In these cases, when processing personal data of a special nature, it is also necessary to take adequate measures determined by our KVK Board.

10. Legal Reasons Requiring Retention

Personal data processed within the framework of our company's activities are kept for as long as stipulated in the relevant legislation. In this scope, personal data; Labor Law No. 4857. Turkish Trade Law No. 6102. Turkish Debt Law No. 6098. Law on Consumer Protection No. 6502. Occupational Health and Safety Law No. 6331. Tax Procedure Law No. 213. Social Insurance and General Health Insurance Law No. 5510 and other related provisions of legislation is kept in. If the person has his consent or personal data relating to health and sexual life can only be processed without seeking the express consent of the persons or competent bodies and organizations concerned for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing the financing of health services and health services. In these cases, when processing personal data of a special nature, it is also necessary to take adequate measures determined by our KVK Board.

11. Processing Purposes That Require Storage

Our company stores the personal data it processes within the framework of its activities for certain purposes. In this context, the objectives are listed as follows: To carry out human resources processes. Ensuring corporate communication. To ensure the safety of the institution, to be able to carry out statistical studies. To be able to perform work and operations as a result of signed contracts and protocols. Within the scope of VERBIS, to identify the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, organize the services provided accordingly and update them if necessary. To ensure the fulfillment of legal obligations, as required or required by legal regulations. To liaise with natural/legal persons who have a business relationship with the institution. Manage call center processes. Obligation to prove as evidence in future legal disputes Execution of Emergency Management Processes Execution of Information Security Processes Execution of Employee Candidate/Trainer/Student Selection and Placement Processes Execution of Application Processes of Employee Candidates Execution of Application Processes for Employees Fulfillment of Obligations arising from the Employment Contract and Legislation Execution of Benefits and Benefits Processes for Employees Conducting Training Activities Execution of Activities in Compliance with Legislation Execution of Financial and Accounting Business Physical Execution of Assignment Processes of Provision of Space Security Monitoring and Execution of Legal Affairs Internal Auditing/Investigation/Execution of Intelligence Activities Execution of Communication Activities Planning of Human Resources Processes Execution of Work Activities/ Audit Execution of Occupational Health/Safety Activities Ensuring Business Continuity Execution of Activities Carrying out Goods/Services Purchasing Processes Care/Service After-sales Support Services Execution of Goods/Services Sales Processes Customer Relations Execution of Management Processes Execution of Performance Evaluation Processes Execution of Risk Management Processes Execution of Storage and Archive Activities Execution of Contract Processes Execution of Security of Movable Goods and Resources Execution of Fee Policy Providing Information to Authorized Persons, Institutions and Organizations

12. Reasons Required Destruction

Personal data; Modification or amendment of the relevant provisions of the legislation that constitutes the basis for its processing, the disappearance of the purpose requiring its processing or storage, where the processing of personal data takes place only on the basis of explicit consent, the withdrawal of the express consent of the person concerned, the application for the erasure and destruction of his personal data within the framework of the rights of the person concerned in accordance with Article 11 of the Law Acceptance by our company, deletion, destruction or anonymization of personal data of our company by the person concerned If he refuses the application made to him with the request to be brought, considers the answer he gave insufficient or does not respond within the time prescribed by the Law; if he complains to the Personal Data Protection Agency and this request is found to be appropriate by the Authority, the maximum period requiring the storage of personal data has passed and there are no conditions that justify storing personal data for a longer period of time In the case of expiration of the retention periods provided for in the relevant legislation, they are deleted by our Company at the request of the person concerned, destroyed or re's will be deleted, destroyed, or anonymized.

13. Technical Measures

Network security and application security are provided. A closed system network is used for personal data transfers through the network. Key management is implemented. Security measures are taken in the scope of procurement, development and maintenance of information technology systems. The security of personal data stored in the cloud is ensured. Training and awareness work on data security for employees is carried out at regular intervals. Access logs are kept on a regular basis. Data masking measures are applied when necessary. The powers of employees who have had a change of duties or leave work in this area are removed. Up-to-date anti-virus systems are used. Firewalls are used. Personal data is reduced as much as possible. Personal data is backed up and the security of the personal data backed up is also ensured. User account management and authorization control system are implemented and they are also monitored. Periodic and/or random audits are carried out and carried out in-house. Log records are kept in such a way that there is no user interference. Existing risks and threats have been identified. Protocols and procedures for the security of personal data of a special nature have been established and implemented. If personal data of a special nature is to be sent by electronic mail, it is necessarily sent in encrypted form and using a KEP or corporate mail account. Secure encryption/cryptographic keys are used for private personal data and managed by different units. Intrusion detection and prevention systems are used. Encryption is carried out. Specially qualified contacts transferred on portable memory, CD, DVD media are transferred by encrypting data. The personal data processing activities that take place are periodically tested and audited with the established technical systems. The test and audit results are again periodically reported to the relevant party and the Risk Board. The provision of technical controls is carried out with the employment of competent personnel. It is periodically updated, taking technical measures in accordance with technological developments. Users are given the minimum authority needed. Access and authorization technical solutions are implemented within the framework of legal requirements on the basis of our units. Access permissions are limited and reviewed regularly. Access to the data storage areas where personal data is located is logged and inappropriate accesses or access attempts are detected and reported to senior management. Software and hardware that includes virus protection and firewall systems are used. Technical and administrative measures are taken according to the cost of technological facilities and applications to prevent the storage of personal data in secure environments and to prevent its destruction or alteration for unlawful purposes. Technical security systems for hiding areas are installed, security tests and investigations are carried out for the detection of security vulnerabilities on information systems, and existing or potential risks identified as a result of tests and investigations are eliminated. The technical measures taken are periodically reported to the interested party and senior management in accordance with the internal audit mechanism. Legal backup programs are used to ensure the safe storage of Personal Data.

14. Administrative Measures

Our employees are periodically provided with information and awareness training. All personal data activities carried out in our company are analyzed specifically by the processing unit and other interacting units, revealing the processing activities. In these activities, activities are determined by the entities that process and interact with the requirements sought by the law. To ensure legal compliance requirements, awareness is raised by the units, rules of practice are established and implemented through documents and trainings such as policies, procedures, instructions, tables, etc., to ensure the control of these aspects. Contract/s and approved instructions are implemented to manage the legal relationship with our employees and customers.

15. Supervision of Personal Data Protection Activities

In accordance with Article 12 of the Law with internal audits, application processes such as processing, storage, storage and destruction of personal data are checked and reported to senior management, necessary technological and administrative solutions are urgently taken to the elements that contain risks. Improvements are identified and their investments are planned in the long term.

16. Measures to Be Taken in Case of Protection of Legal Rights of Personal Data Subjects and Disclosure of Personal Data

With this policy and activities, law enforcement and all personal data of personal data holders, we take the necessary measures to protect rights by respecting all legal rights, especially for data of a Special nature. If the Personal Data processed in accordance with Article 12 of the Law are obtained by others through unlawful means, the system is implemented that ensures that this situation is reported as soon as possible to the relevant Personal Data Holder and the KVK Board. If deemed necessary by the KVK Board, this situation can be announced on the KVK Board's website or by other means.

17. Classification of Personal Data Credentiality

Documents such as first name, T.C. identification number, nationality information, maternal name-surname, paternal name-surname, place of birth, date of birth, date of birth, gender, and other documents containing this information, as well as other documents containing such information, tax number, SSR number, signature information, vehicle license plate, etc. Contact Information Telephone number, address Special Qualified Personal Data, such as Prescription information, doctor's report, test and radiology results, health report, blood type, genetic data, etc., with all kinds of health data, such as electronic mail (e-mail) address, fax number, IP address, etc. religion, member association data, etc. Physical Space Security Information Personal data relating to records and documents received during the stay in the physical space where our company is or is a tenant: camera recordings, records taken at the security point, etc. Financial Information Providers, Business Partners and other 3rd parties or other personal data holders created according to the type of financial relationship it has established with financial information suppliers, business partners and other third parties or other personal data holders information indicating the result, documents and records processed as well as bank account number, IBAN number, credit card information, financial profile, asset data, income information data, etc. Claid/Complaint Management Information Data on receiving and evaluating all kinds of requests or complaints addressed to our Company. Transaction Security Information Personal data processed to ensure the technical, administrative, legal and commercial security of both the data subject and our Company while carrying out the business activities of our Company Legal Transaction Compliance Information will receive legal recognition to our Company and the determination, determination, monitoring and performance of its debts and legal obligations and our Company Personal data processed within the scope of compliance with our policies.

18. Data Controller's Disclosure Obligation

Our company informs the owners of personal data of our interested parties with the “Information text (TA.KY.02) in accordance with the protection of personal data”. This text provides information on the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and the legal reason for collecting personal data, as well as other rights enumerated in Article 11. In the event that the application submitted by the personal data subject to our Company is rejected by our Company, the answer given is insufficient or the application is not responded to in due time, the data subject has the right to complain to the KVK Board within thirty and in any case sixty days from the date of application.

19. Update and Implementation of Changes

Our company reserves the right to make changes to this policy and other related policies in accordance with the decisions of the KVK Board or in line with developments in the sector or in the field of IT, due to changes in the Law. Actions are initiated to revise the changes in the resulting legal updates as soon as possible.

20. Transaction Security

All necessary technical and administrative measures are taken to protect the personal data collected by OUR COMPANY and not to fall into the hands of unauthorized persons and that our customers and prospects are not victims. In this framework, it is ensured that the software complies with the standards, the careful selection of third parties and the observance of the data protection policy within our Company. Safety measures are constantly being renewed and improved.

21. Personal Data Destruction Techniques

Personal Data is stored on the basis of one or more of the personal data processing conditions specified in articles 5 and 6 of the Law, and within this scope, personal data is stored for the duration of the validity of the specified conditions for the processing of personal data, when the said processing conditions expire or upon the application of the person concerned to our Company, (check other legal obligations that our Company must comply with after processing) the personal data stored on request are deleted, destroyed or anonymized. The deletion, destruction and anonymization techniques used are listed below a.Deletion Methods Personal data is deleted by the methods given in the table below. Deletion Methods for Personal Data Retained in Physical Environment Dimming Personal data contained in the physical environment is deleted using the dimming method. Blackening is done in the form of cutting off the personal data on the relevant document where possible and making it invisible using fixed ink, which cannot be returned and cannot be read by technological solutions, in cases where it is not possible. Deletion Methods for Personal Data Retained in Cloud and Local Digital Environment/Software Secure deletion from the software At the end of the period requiring storage of personal data held in the cloud or in local digital media, it is deleted by digital command and rendered inaccessible to any other relevant employee except the database administrator and made unavailable again. Deletion of Personal Data on Servers by removing access authorization for those who have expired from the personal data contained on the servers, the access authorization of the relevant users is removed by the system administrator and the deletion is carried out. b.Destruction/Destruction Methods Personal data is destroyed by the methods given in the table below. Methods of Destruction for Personal Data Held in Physical/Printed Media Physical Destruction Documents held in this medium are destroyed in such a way that they cannot be reassembled by paper shredders. If there is no machine, it is torn by hand and wetted so that it is not put back together into a dough. Methods of Destruction for Personal Data Held in the Local Digital Environment and on Servers Physical destruction is the process of physical destruction of optical and magnetic media containing personal data, such as melting, burning or pulverizing it. Data is made inaccessible by processes such as melting optical or magnetic media, burning it, pulverizing it or passing it through a metal grinder. De-magnetization (degauss) is the process of unreadable distortion of data on magnetic media by exposure to a high magnetic field. Overwriting Random data consisting of 0's and 1's at least seven times on magnetic media and rewritable optical media prevents reading and recovering old data. Destruction by removing access authorization For those that require storage of personal data contained on servers, access to the users concerned is removed by the system administrator and the destruction is carried out in a way that is no longer reachable Destruction Methods for Personal Data Held in the Cloud Secure deletion from the software Personal data held in the cloud is deleted by digital command so that it can no longer be recovered and the cloud Encryption required to make personal data usable when the IT service relationship ends All copies of their keys are destroyed. Data deleted in this way cannot be accessed again. c. Anonymization Methods Our company makes personal data unrelatable to a specific or identifiable natural person, even through the use of appropriate techniques. It anonymizes personal data by the methods given in the table below. Anonymization Methods for Personal Data Retained in Physical/Printed Media Subtraction of variables is the extraction of one or more of the direct identifiers contained in the personal data of the data of the person concerned that will be used to identify the person concerned in any way. This method can be used for anonymization of personal data, and can also be used for the purpose of deleting such information if personal data is found in personal data that does not correspond to the purpose of data processing. Regional concealment is the process of deleting information that may be distinctive in relation to data that may be of an exceptional nature in the data table in which the personal data is located in an anonymous aggregate form. Generalization is the process of combining personal data belonging to many individuals and turning them into statistical data by removing their distinctive information. Lower and upper bound encoding/Global encoding is categorized by defining the ranges for that variable for a given variable. If the variable does not contain a numeric value, then the closely related data within the variable are categorized. The remaining values within the same category are combined. With this method of microaggregation, all records in a dataset are first arranged in a meaningful order, and then the whole set is divided into a certain number of subsets. Then the value of each subset of the specified variable is averaged and the value of that variable is replaced by the mean value of the subset. In this way, the indirect identifiers contained in the data will be corrupted, making it difficult to associate the data with the person concerned. Mixing and distorting data, direct or indirect identifiers in personal data are confused or corrupted with other values, and their relationship with the person concerned is severed and they lose their identifying qualities. Methods of Anonymization of Personal Data Retained in Digital Media/Servers/Cloud Environment Masking (Encryption, use of icons, blurring, mixing, invalidation) Data masking is the incomprehensible purpose of preventing access to personal data by unauthorized persons. This method is used to prevent confidential and sensitive information contained in the institution from leaking inside and outside the institution and from being intercepted by malicious persons. In data masking, the data format is not changed, only the values are changed, but this change is made in such a way that it is not detected and returned in any way. In addition, it is determined who can access which data, so that only those with authority can see the information they need to see, and other information is masked.

22. Retention and Destruction Periods of Personal Data

In relation to personal data processed by OUR COMPANY within the scope of its activities; Identity Data; data processed under employment contracts are stored for 15 years from the end of the employment contract, otherwise 10 years from the end of the employment contract, if it is related to occupational health and safety. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year. Communication Data; If the data processed under employment contracts are related to occupational health and safety, it is stored for 15 years from the end of the employment contract, otherwise for a period of 10 years from the end of the employment contract. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year.

Location Data: stored for 5 years Specificity Data: Data processed under employment contracts are stored for 15 years from the end of the employment contract if it concerns occupational health and safety, otherwise 15 years from the end of the employment contract. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year.

Legal Transaction Data: data processed under employment contracts are stored for a period of 10 years from the end of the employment contract.

Physical Space Safety Data: Camera recordings are stored for 20 days. However; the records that must be submitted to the judicial administrative authorities and the records that are essential for disciplinary proceedings are kept for 10 years from the end of the employee's employment contract.

Financial Data: the data processed under employment contracts are stored for a period of 10 years from the end of the employment contract. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years.

Professional Experience Data: Retained for a period of 10 years. However, if the data processed under employment contracts are related to occupational health and safety, it is stored for 15 years from the end of the employment contract, otherwise for 10 years from the end of the employment contract. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year.

Visual and Auditory Records: data processed under employment contracts are stored for a period of 10 years from the end of the employment contract. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year.

Health Information: It is stored for a period of 15 years from the date of termination of the employment contract.

Criminal Conviction Data: It is stored for a period of 10 years from the date of termination of the employment contract. Digital Trace Data: It is stored for a period of 10 years. Training Data, Military Data: If the data processed under employment contracts are related to occupational health and safety, it is stored for 15 years from the end of the employment contract, otherwise for 10 years from the end of the employment contract. Data of candidates for workers who are not accepted for employment are stored for a period of 1 year.

Service-Product Information: Stored for 10 years. The work is stored for 20 years if it arises from the contract.

Business Information: Room registration and billing information is stored for 10 years. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years.

Vehicle Information: It is maintained for 10 years. However, data processed under employment contracts are stored for a period of 10 years from the end of the employment contract. In addition, the data and contracts resulting from the works contract are stored for a period of 20 years.

Immovable Information: STORED FOR 20 YEARS. The data, the storage periods specified above, are destroyed in the first period of destruction following the expiration of the period.

23. Periodic Destruction Period

In the event of the disappearance of all the terms of processing of personal data contained in the law; OUR COMPANY will delete, destroy or anonymize the personal data whose processing conditions have disappeared at intervals specified in this Personal Data Retention and Destruction Policy and will be performed by you at repeated intervals.

CEyBer's MAIN GOAL is to manage all risks to our information assets in accordance with international criteria, applicable legislation, specifications and standards, without disregarding quality, environmentally friendly, occupational health and safety requirements in the prescribed period, without ignoring the requirements of quality, environmentally friendly, occupational health and safety; by meeting customer satisfaction at the highest level and profitably.

The purpose of CEYber MANAGEMENT SYSTEM is to follow the sectoral developments and innovations closely and ensure sustainability by following the quality human resources and customer satisfaction oriented service concept.

CEyBer SENIOR MANAGEMENT; To accomplish this purpose;

To make documentation, continuous improvement of our management systems within the scope of Quality, Environment, Occupational Health and Safety, Customer Satisfaction and Information Security, and to make employees aware;

Planning and delivery of training needs, Compliance with all legal legislation and contracts, Quality, Environment, Occupational Health and Safety, Systematic management of risks to Customer Satisfaction and Information assets, Seeing our customers and suppliers as part of our quality system and ensuring their development, Uninterrupted execution of the Information security management system and only authorized persons Ensuring that it is accessible by, performing our services at the quality desired by our customers and providing timely feedback the implementation of, the establishment of systems for the appropriate working environment by following technological developments, ensuring the selection of quality materials and equipment suitable for human and environmental health, maintaining the optimal level of natural resource use in its activities and supporting recycling, ensuring and maintaining working conditions that respect society, the environment and our employees, our employees are willing create a participatory and positive company culture, in which they work with high motivation, review of these policies by senior management, CEYBER EMPLOYEES are committed to preventing injuries and health deterioration, eliminating hazards, employee participation and solidarity, and taking actions to prevent environmental pollution; CEYBER EMPLOYEES will achieve outstanding and continuous achievements with the spirit of teamwork and trust, love and respect for each other. Creating and maintaining a healthy, safe and environmentally responsible working culture at CEYBER is the desire and responsibility of all employees, especially senior management.

introduction
This document is a Stakeholder Engagement Plan (PKP) prepared for the institution, which aims to determine the actions to be reasonably implemented by CEYBER EĞİTİTİM TEKNOLOJİ TİC.A.Ş to provide adequate public information and appropriate measures for the collection and response of local stakeholder complaints.

The PKP takes into account international best practice regarding information disclosure and outlines the general principles of engagement recommended for the sponsor to adopt.

The methods, procedures, policies and actions undertaken by the Sponsor in order to inform stakeholders in a timely manner about the possible effects of the project are the main subject of this document.

The document has the following structure:

Project Description;
Identification of stakeholders and other affected parties;
Legal and Institutional Framework;
Stakeholder participation program and participation methods and resources;
Complaint mechanism;
Monitoring and Reporting
Project Description

CEYBER A.S. was established in 2016 in Izmir province. In the period from its establishment until today, the Call Center provides services. Ceyber, with a capacity of over 3000 seats in Izmir location, in different sectors from Telecommunications to Energy

It is known for providing services. It has been involved in the Employment Creation Project because it has acquired the mission of providing the service that can bring the highest benefit to all stakeholders with the established strategic direction and constantly developing human resources.

Registered Employment Creation Project Grant Program, funded by the EU grant provided under the EU grant provided under the EU's Support for Refugees and Host Communities (FRIT-II) under the EU's Support for Refugees and Host Communities (FRIT-II) project, which is one of the components of the Registered Employment Creation Project, which is conducted by the World Bank of Turkey Development and Investment Bank with the World Bank and which is one of the components of the Registered Employment Creation Project to increase registered employment It was announced through the web page https://kayist.org/ and provided the necessary facilities as a company and submitted an application and received a grant.

The Grant Program has been implemented in 24 Project provinces determined according to the requirement to create registered employment in 24 Project provinces in order to increase the operational capacity of the enterprises already in operation, and contributed to the creation of new registered employment for Turkish citizens and refugees in these provinces.

CeyBer; Providing financial and spiritual support to refugees and Turkish women in particular, the formation of individuals who contribute to the economy, earn a living and have been raised to earn a profession, to set an example in society on this occasion, to use call center services in addition to Turkish as well as their native languages and, if any, as a second foreign language, and to create diversity in the volume of work, thereby restricting does not remain, but ensures that they are employed according to their qualifications if they are determined.

Stakeholder Identification

In general, stakeholders are people and organizations that may be directly or indirectly affected by the Project, wishing to express their views.

The following definitions have been applied:

Stakeholders: any person, group or organisation with an interest gained as a result of a work; and
Key stakeholder: Any stakeholder who has a significant impact on the work or is significantly affected by the study, and where those interests and effects must be recognized for the study to be successful.

Stakeholders can be divided into the following categories:

National financial institutions: TKYB;
Central government authority: Government of the Republic of Turkey;
Local government (including provinces and districts): İzmir Governorate, Bornova District Municipality, İzmir Metropolitan Municipality, District Municipalities and Mukhtaras.
Institutions (Universities, think tanks, etc.); Aydın Adnan Menderes University, Gaziantep University, İzmir Chamber of Industry, Other Professional Chambers and Professional Organizations and All Non-Governmental Organizations.
Internal stakeholders (employees, trade unions); CEYBER Employees and Managers
Public groups — nearby residents, hospitals, local schools; Local, Regional and Institutions and organizations established throughout our country.
Local NGOs; and
Media. Press, Broadcasting, Television, Social Media

Legal and Institutional Framework

National laws and regulations governing R&D risk mitigation, in addition to World Bank EQS to the Project

It will be applied in a proper manner. The requirements of Turkish laws and regulations regarding stakeholder participation and information are described in the following headings. The basic principles of effective participation can be summarized as follows:

a) Constitution of the Republic of Turkey (1982)

Article 10 - Everyone, for reasons of language, race, color, gender, political thought, philosophical belief, religion, sect, and so on

the distinction is equal before the law without regard to separation. Women and men have equal rights. The state is obliged to ensure that this equality passes into life. Measures taken for this purpose cannot be construed as contrary to the principle of equality.

Article 25 - Everyone has the right to freedom of thought and opinion. No matter what the cause and purpose,

He cannot be forced to explain his thoughts and opinions; he cannot be condemned and blamed for his beliefs.

Article 26 - Everyone has the right to express and disseminate his thoughts and opinions, individually or collectively, by word, writing, painting or other means. This freedom also includes the freedom to receive or give news or opinions without interference from the official authorities. This paragraph shall not prevent broadcasts made by radio, television, cinema or similar means from being linked to the permit system.

Article 74 - Citizens and foreigners residing in Turkey, provided that the principle of reciprocity is respected, have the right to apply to the competent authorities and the Grand National Assembly of Turkey in writing about their wishes and complaints concerning themselves or the public. Without delay, the result of the applications relating to them is notified to the petitioners in writing. Everyone has the right to obtain information and apply to the public auditor. The Public Audit Institution established under the Presidency of the Grand National Assembly of Turkey examines complaints about the functioning of the administration.b) Law No. 4982, the Law on the Right to Information, Number of Official Gazettes 25269 (24.10.2003) The purpose of this Law is to apply to individuals in accordance with the principles of equality, impartiality and transparency, which is a requirement of democratic and transparent administration to regulate the principles and procedures for their exercise of the right to information. Everyone has the right to information about the activities of public institutions and organizations.

Pursuant to the Obligation to Provide Information set out in Article 5, Institutions and organizations are obliged to provide all kinds of information or documents for the benefit of applicants, other than the exceptions provided for in this Law, and to take the necessary administrative and technical measures in order to effectively, promptly and accurately conclude their application for information. According to the Information and Document Access Periods set out in Article 11, Institutions and organizations shall provide access to the information or document requested upon application within fifteen working days. However, if the requested information or document is provided from another entity within the requested institution and organization, access to the information or documents shall be provided within thirty working days if it is necessary to obtain the opinion of another institution or organization in relation to the application, or the content of the application concerns more than one institution and organization. In this case, the extension of the period and the grounds for it are notified to the applicant in writing and before the expiration of the fifteen business day period.

c) Law Number 3071, Law on the Exercise of the Right to Petition, Official Gazette Number 18571 (10.11.1984)

The purpose of this Law is to regulate the exercise of the right of Turkish citizens and foreigners residing in Turkey to apply in writing to the Grand National Assembly of Turkey and to the competent authorities about their wishes and complaints about them or the public.

According to Article 3 of the Law, about the wishes and complaints of Turkish citizens concerning themselves or the public,

They have the right to apply to the Grand National Assembly of Turkey and the competent authorities by writing. Foreigners residing in Turkey may benefit from this right provided that the principle of reciprocity is observed and their petitions are written in Turkish.

d) Regulation on Environmental Impact Assessment, Official Gazette No. 31907 (29.07.2022)

Article 9 - Meeting on public information and participation in the process:

In order to inform the public about the investment and to receive their opinions and suggestions on the project; With the participation of the institutions/organizations qualified by the Ministry and the project owner, a central meeting will be held on the date determined by the Ministry to inform the public and participate in the process at a central place and time determined by the provincial administration, which is easily accessible to the interested public who is expected to be most affected by the project.
Institutions/organizations qualified by the Ministry shall publish an announcement indicating the date, time, place and subject of the meeting; together with the local periodical published in the region where the project will be carried out, publish a notice in a newspaper defined as a common periodical at least 10 calendar days before the meeting date.
The meeting for informing the public and participation in the process is held under the chairmanship of the provincial director or an official to whom he will appoint. The meeting ensures that the public is informed about the project, receiving opinions, suggestions and questions. Opinions, suggestions and objections expressed by the public are indicated in the minutes to be held about the meeting. The meeting chair may ask participants to give their views in writing. The minutes of the meeting are sent to the Ministry, one copy of which will remain in the provincial directorate.
Before specifying the specific format, the members of the commission may examine the area where the project is planned, participate in the meeting on public information and participation in the process, which will be held on the announced date.
To inform the public about the project and its effects, to receive the public's opinions and suggestions on the project,

A stakeholder participation plan (PKP) is prepared by the institutions/organizations that have been qualified by the Ministry. The prepared stakeholder participation plan is presented in the EIA application file appendix. If deemed necessary, the Ministry may also ask qualified institutions/organizations to carry out additional work during the EIA process, such as distributing informational brochures, conducting studies such as surveys, seminars, or preparing a website related to the project and sharing information by preparing a website about the project. In addition, if requested by the Ministry, this plan is updated within the EIA process.

Stakeholder Engagement Program

The purposes of external communication are to maintain constant interaction with targeted audiences to inform about company performance, company development and investment plans, and their implementation, including company activities.

Stakeholder engagement is an ongoing process that begins before the development of this PKP and will continue throughout the life of the Project. KOSGEB will be in active contact with the designated stakeholders throughout the life of the Project. To meet the most effective implementation approaches, the Project will apply the following stakeholder engagement principles:

Openness and lifecycle approach: Public consultations for the project will be held throughout the entire life cycle, carried out in a clear way, without external manipulation, interference, coercion or intimidation;
Informed participation and feedback: Information will be provided and widely distributed among all stakeholders in an appropriate format. Opportunities are provided to communicate stakeholders' feedback, analyze and address comments and concerns;
Inclusiveness and sensitivity: Stakeholder identification is carried out to promote better communication and build effective relationships.

Information Security and Regulatory Compliance

Our Certificates

Our Policies

Newsletter

Menu

Solutions

Follow Us

ŞİRKET TÜRÜ:	TÜZEL
MERSIS:	0207054072000018
TİCARET SİCİL MEMURLUĞU:	İzmir Ticaret Sicil Müdürlüğü
TİCARET SİCİL NUMARASI:	194575
TİCARET ÜNVANI:	CEYBER EĞİTİM TEKNOLOJİLERİ TİCARET A.Ş.
ADRES:	Kazımdirik, Üniversite Cd. No:120, 35110 Bornova/İzmir
TAAHHÜT EDİLEN SERMAYE MİKTARI:	10.000.000 TL
ÖDENEN SERMAYE MİKTARI:	10.000.000 TL
ŞİRKET TESCİL TARİHİ:	18.05.2016
VERGİ DAİRESİ:	Gaziemir
VERGİ NUMARASI:	2070540720
SEKTÖR:	Çağrı Merkezi Hizmetleri, BİLİŞİM
TELEFON:	02322150106
E-POSTA:	info@ceyber.com
İNTERNET ADRESİ:	www.ceyber.com
YÖNETİM KURULU:	Ergun CİVELEK