
Personal Data Protection and Confidentiality Policy

At Simit Sarayı we attach importance to the privacy and security of your personal data. In this context, we wish to inform you about how we process the personal data obtained from our customers, suppliers, business partners, their employees and officers and all third parties while conducting our business relationships, the purposes for which we use such data, and what we do to protect it.

All the terms and expressions used herein shall have the meanings attributed to them in the Law on the Protection of Personal Data No. 6698 ("LPPD") and other legislation. The term "you" herein mentioned refers to you as a person. The term personal data is used to cover also sensitive personal data. The meanings of the terms and abbreviations mentioned in the policy are given in the ANNEX - Abbreviations section. 

We would like to remind that if you do not accept the Policy you should not provide your personal data to us. If you prefer not to provide your personal data to us, we will not be able to present you the products and services, or respond to your requests in some instances, or we may not ensure complete functionality of our services in some instances.

We would like to remind that it is your responsibility to ensure that the personal data you provide to our company are true, complete and current to the best of your knowledge. Furthermore, if you share data belonging to other persons with us, it shall be your responsibility to collect such data in accordance with the local legal requirements. In this case, this shall mean that we have obtained all the necessary permits in order for us to collect, process, use and disclose the information of such third person, and our Company may not be held liable within that scope.

About SİMİT SARAYI

Simit Sarayı is engaged in the manufacture, purchase, sales, import-export, as well as wholesale and retail trading of all kinds of floury food and beverage products; it establishes the relevant facilities and carries out Research and Development and Production & Development processes. It offers all services from concept management to architectural projecting, and from brand identity to communication studies, within its own organization. The company opened the first simit factory in the world in 2005 with the approval and cooperation of TUBITAK, and commissioned the "Flexible Simit Production Line" in 2015, equipped with state-of-the-art technology and having the highest capacity in the world. It ships the products manufactured in its factory at world standards to different parts of the world via a cold chain. Today, it offers services at home and abroad through the Franchise and subsidiary operation model, and is expanding its activities.

In the policy "we" or "the Company" or "Simit Sarayı" refers to the data processing activities carried out as Data Controller by Simit Sarayı Yatırım ve Ticaret A.Ş. ("Simit Sarayı") with its principal place of business at Büyükdere Cad. No.191, Apa Giz Plaza, No.2/İstanbul, registered with the registration number 545990.

OUR PERSONAL DATA PROCESSING PRINCIPLES

All personal data processed by our Company are processed in accordance with LPPD and the relevant legislation. Pursuant to article 4 of the LPPD the following principles and procedures are complied with in processing your personal data:

  • Processing in compliance with the Law and the Rule of Honesty: Our Company acts in accordance with the principles set forth in legal regulations and the principle of general trust and good faith in the processing of personal data. In this context, our Company takes into account the necessity of proportionality in the processing of personal data, and does not use personal data outside its purpose.
  • Ensuring that Personal Data is Accurate and up-to-date when needed: Our Company ensures that the personal data it processes are accurate and up to date by taking into consideration the fundamental rights of personal data subjects and its legitimate interests.
  • Processing of Data for Certain, Clear and Legitimate Purposes: Our Company determines its purpose of processing personal data which is legitimate and lawful clearly and conclusively. Our Company processes personal data in connection to and to such extent as is necessary for the products and services it offers.
  • Being connected with, limited to and commensurate with the purposes of processing: Our Company processes the personal data in a manner that enables to carry out specified purposes and avoids the processing of personal data that is not relevant or not required for the fulfillment of the purpose.
  • Storage of Data for a period stipulated by the Respective Legislation or required for the Processing Purpose: Our Company stores the personal data only for a period stipulated by the respective legislation that it is obliged to observe or required for the processing purpose. In this context, our Company, first of all, determines whether any time period is set forth in the legislation for the storage of personal data, and if a time frame has been set, then it abides by the stipulated time period, or if not, then it stores the personal data for such time as is necessary for the purpose for which the personal data is processed. If the time period expires or the reasons for processing no longer exist, your personal data are erased, destroyed or anonymized by our Company.

DATA SUBJECT CATEGORIES

The categories of data subjects whose personal data are processed by our Company, except the employees (including interns and subcontractor employees), are described below. A separate policy has been created and put into practice within the company for the processing of the personal data of our employees. People who are not included in the following categories may also submit their requests to our company within the scope of LPPD, and such requests will likewise be considered by our company.

  • Customer: Real persons or legal entities who buy our products or benefit from our services.
  • Potential Customer: Real persons or legal entities who have requested to buy our products and services or are assumed to have such an interest in accordance with the customs and the rules of honesty.
  • Franchisee: Real persons or legal entities who have concessions in relation to the service rendered by Simit Sarayı for a certain period of time and within certain limitations and/or are assumed to have such an interest in accordance with the customs and the rules of honesty.
  • Visitor: Real persons who have entered the physical facilities (Simit Sarayı stores, offices etc.) owned by our company, or in which an organization is carried out by our company, for various purposes, or who are visiting our websites.
  • Third Party: Third party real persons (such as guarantors, companions, family members and relatives) associated with the parties mentioned above, in order to ensure the security of commercial transactions between our Company and such parties or to protect the rights of the said parties and to derive benefits; or all real persons whose personal data our Company is obliged to process for a specific purpose (e.g. former employees).
  • Potential Employees / Potential Interns: Real persons who have applied for a job to our company by any means or who have made their CV and related information available to our Company for review.
  • Simit Sarayı Subsidiary Employee: Employees and representatives of the domestic and international subsidiaries of Simit Sarayı.
  • Employees, Shareholders, Officers of the Entities We Are in Cooperation With: Real persons working at the entities with which our Company has any business relationship (including but not limited to business partners, suppliers, etc.), including the shareholders and officers thereof.

WHEN DO WE COLLECT PERSONAL DATA ABOUT YOU?

We basically collect your personal data when you:

  • Purchase or use our products or services,
  • Sell goods or provide services to us,
  • Subscribe to our newsletters and choose to receive our marketing messages,
  • Contact us to send complaints or feedback via e-mail or telephone,
  • Enter into a Franchise relationship with us
  • Apply for a job to our company,
  • Participate in our company events, seminars, conferences and organizations,
  • Contact us for any purpose as a potential customer / supplier / business partner / subcontractor / franchisee.

We will only process the personal data that we have obtained under the above circumstances in accordance with this Policy.

WHAT KIND OF PERSONAL DATA DO WE PROCESS IN RELATION TO YOU?

The personal data that we process about you varies depending on the type of business relationship between us (e.g. customer, supplier, business partner, franchisee etc.) and the method you use to contact us (e.g. phone, e-mail, printed documents, etc.).


In principle, our personal data processing methods include the situations in which you participate in our business events or surveys by phone or e-mail, or fill out the Franchisee application form on our website or otherwise interact with us. In this context, the personal data we process can be described under the following categories:

  • Identity Details: The data contained in identity documents, such as name, surname, title, date of birth.
  • Contact Details: Email, phone number, address.
  • Photographs and / or videos that help to identify you: Photographs, videos and audio data that are processed for security reasons when you visit our company or when you participate in events organized by our Company.
  • Financial data: Bank account details, billing information.
  • Any other information you voluntarily decide to share with Simit Sarayı: Personal data you share at your own initiative; any feedback, opinions, requests and complaints, evaluations, comments and other assessments that you submit to us; uploaded files; areas of interest; the information provided for our due diligence process before establishing a business relationship with you.
  • Electronic data collected automatically: When you visit or use our website or applications, or subscribe to our newsletters, or otherwise interact with us through other electronic channels, we may collect the electronic data sent to us by your computer, mobile phone, or other access device, in addition to the information you provide directly to us (e.g. device hardware model, IP address, operating system version and settings, hours and duration during which you use our digital channel or product, your actual location, which can be collected when you activate location-based products or features, the links you click, motion sensor data, etc.).
  • Legal transaction and compliance information: Your personal data, audit and inspection data that are processed within the scope of determination and monitoring of our legal receivables and rights, performance of our debts, and compliance with our legal obligations and our Company's policies.
  • Corporate customer / supplier / franchisee data: Information obtained about the data subjects, such as the data subject customer / supplier / franchisee or the employee / signatory of the customer / supplier / franchisee, as a result of the operations carried out by our business units within the scope of our services.
  • Incident management and security information: Information and assessments about incidents that have the potential to affect our company's employees, managers or shareholders, as well as vehicle license plate and vehicle details, transportation and travel details.

Personal data collected from other sources

We may also collect your personal data through publicly available databases, the methods and platforms by which our partners collect personal data on our behalf to the extent permitted by applicable laws and regulations. For instance, we may conduct research from public sources about you before establishing a business relationship with you in order to guarantee the technical, administrative and legal security of our commercial activities and transactions. In addition, there may be instances where you may transfer certain personal data belonging to third parties to us (e.g. personal data of guarantors, companions, family members, etc.). We may process your personal data through methods used in accordance with the legal or commercial practice and the rules of honesty generally accepted in these areas in order to manage our technical and administrative risks.

PROCESSING OF THE PERSONAL DATA OF POTENTIAL EMPLOYEES

Aside from the personal data categories listed above, we also collect personal data such as the school of graduation, previous work experience, disability, etc. in order to understand the experience and qualifications of the candidate and evaluate the suitability of the candidate for the open positions, verify the accuracy of the information provided if necessary, and conduct research about the candidate by contacting the third parties whose contact information the candidate has provided, and to contact the candidate in relation to the job application process, to carry out the recruitment process if the candidate is suitable for open positions, to ensure compliance with legal regulations and to apply our Company's recruitment rules and human resources policies.

The personal data of potential employees are processed through the job application form available in hard and soft copies, the electronic job application platform of our Company, applications sent to our Company either physically or via e-mail, employment and consultancy companies, face-to-face or electronic media interviews, the checks carried out about the candidate by our Company, recruitment tests conducted by the human resources experts to evaluate the suitability of the candidate during the recruitment process.

Candidates are informed in detail in accordance with LPPD in a separate document before submitting their personal data when applying for a job, and their explicit consent is obtained for the required personal data processing activities.

PROCESSING OF PERSONAL DATA OF OUR VISITORS AT OUR OFFICES / FACTORIES

Our company processes personal data for the purposes of ensuring the physical security of our Company, our employees and visitors, and inspecting the workplace rules during the entrance and exit processes of the visitors visiting our building. Within this scope, the name - surname and Turkish identification numbers of our visitors are confirmed with their ID cards, and written down in the guest book for the purpose of monitoring visitor entrance and exit. However, the visitor's ID card is not kept during the time he/she is in the company premises, and is returned back to the visitor after the said registration is made in the guest book.

Before their information is taken, visitors are informed about the processing of personal data via a clarification text which is available in the security entrance. However, since our company has a legitimate interest, the visitor's explicit consent is not taken pursuant to art. 5/2/f of the LPPD. These data are only kept physically in the guest registration book, and are not transferred to any other media unless anything suspicious that threatens the Company security arises. However, these data may be used in circumstances such as ensuring the Company's security.

The medical data of the visitors who arrive at Simit Sarayı factories are processed based on their explicit consent pursuant to art. 6 of the LPPD in order to guarantee food safety. Within this scope, the necessary clarification is made to the factory visitors, and their explicit consents are taken in accordance with LPPD. 

In addition, internet access is provided to our visitors who request it throughout the period of time they spend in the premises of our Company, for ensuring the security of our Company and for the purposes set forth in the Policy. In that case, the log records relating to your internet access are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation enacted on the basis of the said Law, and these records are processed if required by the authorized public institutions and entities, or to fulfill our legal obligation during the inspection processes to be carried out in-house.

In this framework, the log records to be obtained can only be accessed by a limited number of Simit Sarayı employees. The company employees who have access to such records access these in order to use them upon demands from the competent public authorities and entities or during audit processes and share these only with legally authorized persons.

PROCESSING OF PERSONAL DATA THROUGH CLOSED CIRCUIT CAMERA RECORDING

Security cameras are used in order to ensure the security of our Company, facilities and Simit Sarayı stores, and personal data are thereby processed. With the monitoring activity performed via the security cameras, our Company intends to improve the quality of the services rendered, to secure the physical premises of the company and Simit Sarayı stores and the life and property of their occupants, to prevent misuse and to protect the legitimate interests of the data subjects.

The personal data processing activities carried out by our company via security cameras are performed in accordance with the Constitution, the LPPD, the Law on the Private Security Services Numbered 5188 and the relevant legislation.

Our Company processes the personal data in connection with, limited to and commensurate with the purposes of processing pursuant to art. 4 of the LPPD. The security cameras are not used in a manner which might result in intervention in a person's privacy outside the scope of the security purposes. In this context, data subjects are informed by warning signs placed in common areas where CCTV recordings are made. However, explicit consents are not obtained because our Company has a legitimate interest in keeping CCTV records. Also pursuant to Art. 12 of the LPPD, technical and administrative measures are taken by the Company to ensure security of personal data obtained as a result of CCTV monitoring activity.

Furthermore, a procedure has been prepared and put in place in our Company regarding the areas where CCTV cameras are installed, the coverage of cameras and the period of keeping records. The said procedure is taken into account before installing a CCTV camera, and the camera is thereafter installed. The installation of cameras in a manner that exceeds the purpose of security and intrudes on the privacy of individuals is not permitted. The images of CCTV cameras can only be accessed by a limited number of Company employees, and these authorizations are regularly reviewed. The employees who have access to such records are required to sign a letter of undertaking that they shall lawfully protect the personal data.

Image recording is performed for the purpose of securing the premises with a total of 32 security cameras at the company's head office, which are installed at the entrance doors, exterior façade of the building, the dining room, cafeteria, visitor waiting room and service areas of the floor corridors, and a total of 72 security cameras in our factory; the recording process is inspected by our IT department.

FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA

The purposes for which we use your personal data vary depending on the type of business relationship between us (e.g. customer, supplier, business partner, franchisee etc.). Basically, your personal data are processed for the purposes described below. The personal data processing activities related to potential employees are described under the section "Processing of Personal Data of Potential Employees".

  • Assessment of potential suppliers / business partners / franchisees: Execution of the necessary examination and conflict of interest process due to our risk rules; assessment of franchisees in terms of suitability for a franchise relationship.
  • Establishment and management of customer relations, execution and conclusion of the contract process with suppliers / business partners / franchisees: Implementation of the sales operations of the products offered by our company (sales to individual customers are permitted, and wholesale block sales can be made to dealers and customer centers), submission of quotes, supply of goods, invoicing, formation and performance of contracts, ensuring post-contract legal transaction security, service development, evaluation of new technologies and practices, determination and implementation of the commercial and business strategies of our company, managing operations (requests, quotes, evaluation, order, budgeting, contract), management of financial operations and financial affairs, offering alternatives to legal / real persons with commercial relations, improving customer relations with a customer loyalty program, monitoring the personnel expenses of the foreign subsidiaries where Simit Sarayı's subsidiary stores are located, inspecting Simit Sarayı stores, carrying out store rental procedures, executing store establishment processes, carrying out the processes related to supplier employees who will work in Simit Sarayı stores located in shopping malls or private institutions, executing visa processes of supplier employees who will work in Simit Sarayı stores located abroad, creating store designs, benefiting from government incentives, carrying out insurance transactions of products, equipment and materials damaged during logistics operations, establishing a franchise relationship, recognizing the business partner, establishing and executing franchise contracts, renting shops and carrying out leasing for subsidiary stores, planning trips for the establishment of the store installation process, creating registrations with the municipality and other official authorities and completing the licensing procedures, performing business and transactions arising from termination of the franchise relationship, checking the compliance of health and safety processes, performing store repair, maintenance and renovation processes.
  • Executing marketing processes directly: Making marketing notifications about our services by e-mail and phone, conducting satisfaction surveys or evaluation of your opinions, complaints and comments transmitted via social media, online platforms or other channels, informing our customers about the company's innovations and campaigns, conducting campaigns and competition activities, carrying out marketing activities with the participants during the events to be held.
  • Communication and support (upon your request): Answering requests for information about our products, providing support for requests received through our communication channels, updating our records and database.
  • Compliance with legal obligations: Execution of tax and insurance processes; fulfilling our legal obligations arising from relevant legislation, including inter alia Law No. 5651, Law on the Regulation of Electronic Commerce No. 6563, Turkish Criminal Code No. 5237 and Law on the Protection of Personal Data No. 6698 and other legislation; carrying out the necessary processes within the scope of compliance with the laws and regulations that we are subject to, such as the execution of processes before official institutions, the obligations to keep records and provide information, compliance and supervision, audits and inspections of official authorities, following up and finalizing our legal rights and claims, and disclosure of data upon the request of official authorities; ensuring the fulfillment of the legal obligations specified in LPPD as required or mandated by regulatory and supervisory authorities and applicable regulations.
  • Ensuring the protection and security of company interests.
  • Planning and executing the company's commercial activities: Carrying out the commercial and business strategies, communication, market research and social responsibility activities conducted by our company in line with the purpose of determining, planning and implementing the commercial policies of the Company in the short, medium and long term, and carrying out purchase operations.
  • Reporting and auditing: Ensuring communication with Simit Sarayı affiliates, conducting necessary activities, internal audit and reporting processes.
  • Protection of rights and interests: Defense in lawsuits, investigations, claims etc. filed against our company.

HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?

As a rule, we always obtain your consent to process your personal data as part of marketing activities because marketing activities are not considered within the scope of the exceptions regulated under art. 5/2 and art. 6/3 of the LPPD. Our company may send you promotional communications at regular intervals about products, services, events and promotions. Such promotional communications can be sent to you via different channels such as email, phone, SMS text messages, regular mail and third-party social networks. 

In order to provide you with the best personalized experience, these communications may sometimes be adapted to your preferences (for example, according to the results we extract from your website visits or based on the links you click on in our emails as you specify these to us).

Based on your consent, we may carry out processing for the purpose of offering you opportunities for specific products and services, such as internet advertising, targeting, re-targeting, cross-selling, campaigns, opportunity and product/service ads, using cookies for that purpose, making commercial offers taking into account your preferences and recent purchases, tracking your usage habits according to your previous records during your use of Simit Sarayı Mobile Apps, and offering you special products; offering special advertising, campaigns, advantages and other benefits for sales and marketing activities and carrying out other marketing and CRM studies; creating new products and service models; sending electronic commercial messages (campaigns, newsletters, customer satisfaction surveys, product and service advertisements), gifts and promotions; and carrying out marketing activities in order to organize corporate communication and other events and invitations within that context and providing information about them.

When required by applicable legislation, we will ask for your permission before starting the above activities. You will also be given the opportunity to withdraw (stop) your consent at any time. Particularly, you can always stop the sending of marketing notifications by following the unsubscribe instruction contained in every email and SMS message.

If you log into a Simit Sarayı account, you may be given the option to change your communication preferences under the relevant section of our website or application. You can always contact us to stop sending you marketing communications (contact details can be found in the section "What rights do you have regarding your personal data?" below).

ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?

We process your personal data within the legal grounds set forth below, including notably the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, electronic commerce legislation, and art. 5 of the LPPD:

  • Your explicit consent: We process your personal data based on your consent in cases where we need to obtain your explicit consent in accordance with LPPD and other legislation (in this case, we would like to remind you that you can withdraw your consent at any time). For example, we seek your consent to carry out our marketing activities.
  • In any case permitted by applicable legislation: Specifying the name of the data subject on the invoice in accordance with Art. 230 of the Tax Procedure Law.
  • In cases when it is necessary to protect the vital interests of any person: Giving the medical information about a member of the board of directors who faints in a gathering of the board.
  • In cases where we need to establish a contract with you, perform a contract and fulfill our obligations under the contract: Obtaining customer account information within the scope of the contractual relationship with a franchisee.
  • Fulfilling our legal obligations: Fulfilling our tax obligations, submitting the information requested by a court order to the court.
  • In cases when your personal data has been made public by you: Using the personal data you have made public, such as by sending us an e-mail for us to contact you, writing the contact information of a potential employee on the website where job applications are collected, or using social media channels, in accordance with the purposes for which the data has been made public.
  • It being imperative that we process data to create or protect a right, exercising our legal rights and defending against legal claims against us: Storing documents that constitute proof / evidence and using them when necessary.
  • In cases where our legitimate interests require, however without prejudice to your fundamental rights and liberties: Procuring the security of our company's communication networks and information, carrying out our company activities, investigating suspicious transactions and conducting research in order to comply with our risk rules, benefiting from storage, hosting, maintenance and support services in order to provide technical and security IT services, ensuring the efficiency of our company activities and leveraging cloud technology to make use of the opportunities of technology.

In cases where your Personal Data are processed with your explicit consent, we would like to emphasize that if you withdraw your explicit consent, you will be removed from the commercial membership program which requires processing based on an explicit consent, and that you will not any longer be able to take advantage of the benefits offered through such transactions.

WHEN DO WE SHARE YOUR PERSONAL DATA?

Transfer of Personal Data in Turkey

Our company has the responsibility for acting in accordance with the decisions and related regulations set forth in the LPPD, notably article 8 of LPPD and the resolutions taken by the Board in respect of the transfer of personal data. As a rule, the personal data and sensitive data belonging to data subjects cannot be transferred by our Company to other real persons or legal entities without the express consent of the person concerned.

In addition, no transfer is possible without the consent of the person concerned in the cases stipulated in articles 5 and 6 of the LPPD. Our company may transfer personal data to third parties in Turkey and subsidiaries of Simit Sarayı in accordance with the conditions stipulated in LPPD and other relevant legislation and taking the security measures specified in the legislation unless otherwise specified in the Law and other relevant legislation (if there is a contract signed with the data subject, also in the contract in question).

Transfer of Personal Data Abroad

Our company may transfer personal data to third parties in Turkey, or also abroad, provided that the data is processed and maintained in Turkey or outside of Turkey in accordance with the conditions prescribed in the Law and other legislation as mentioned above, including the use of outsourcing, and by taking the security precautions specified in the legislation. We transfer your personal data abroad by taking necessary technical and administrative measures through cloud computing technology in order to carry out our company activities in the most efficient manner and to benefit from the opportunities of technology. Our company may transfer personal data to subsidiaries of Simit Sarayı abroad in accordance with the conditions stipulated in LPPD and other relevant legislation and taking the security measures specified in the legislation.

In accordance with article 9 of the LPPD, we, as a rule, seek the explicit consent of data subjects for the transfer of personal data abroad. However, pursuant to article 9 of the LPPD, where one of the conditions regulated in article 5/2 or article 6/3 of the LPPD exists, personal data may be transferred abroad without the explicit consent of the data subject provided that, in the foreign country to which the data will be transferred,

  a) sufficient protection is available, or
  b) where sufficient protection is not available, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide sufficient protection and the Board permits the transfer.

Accordingly, in the exceptional cases where explicit consent is not sought for the transfer of personal data abroad, in addition to the conditions for processing and transfer without consent, the country to which the data will be transferred must provide sufficient protection within the meaning of the LPPD. Whether sufficient protection exists is determined by the Personal Data Protection Board; where it does not exist, the data controllers in Turkey and in the relevant foreign country must undertake in writing to provide adequate protection, and the Board must permit the transfer.

For the service providers whose head office is abroad and from which we receive support pursuant to this paragraph, please refer to https://azure.microsoft.com/tr-tr/overview/trusted-cloud/.

The Parties to the Transfer in Turkey and Abroad

We do not share your personal data except in the circumstances described herein. Within Simit Sarayı, access to your personal data is limited to those who need the information for the purposes described in this Policy. In order to achieve the purposes for which your data are collected (for details, see "For what purposes do we use your personal data?"), we transfer your personal data to the following individuals and entities:

  1. Simit Sarayı Subsidiaries: We share your personal data with the Simit Sarayı subsidiaries with which we conduct our activities as one organization. Please note, however, that data exchanged with Simit Sarayı subsidiaries for financial reporting on company activities (profitability, efficiency, administrative operations such as operational, legal, technical, marketing and financial affairs, information needed to organize company affairs, management of the daily payment and daily mail processes of Simit Sarayı stores) are handled so as not to include personal data. In some exceptional cases we may share personal data rather than anonymous information with Simit Sarayı subsidiaries (for example, exchanging loss details to initiate an insurance claim, conducting personnel affairs, evaluating supplier companies, or carrying out the contract process with suppliers and subcontractors). A Data Sharing Agreement governing the transfer of your personal data to Simit Sarayı subsidiaries has been signed and the necessary measures are in place.
  2. Service Providers: We identify the parties with which our Company has established a business partnership for purposes such as sales, promotion and marketing in the course of our commercial activities. Like many enterprises, we work with and share data with trusted third parties, such as information and communication technology providers, consulting service providers, cargo companies and travel agencies, in order to perform our functions and services efficiently and currently within the scope of certain data processing activities. Such sharing is limited to what is needed to establish the business partnership and fulfill its purposes. We use cloud computing technologies in order to carry out our activities efficiently and make the most of technology, and in this context we may process your personal data in Turkey and abroad through companies that offer cloud computing services. The marketing services support company with which we share data may be incorporated abroad, in which case data are exchanged with that foreign company in accordance with articles 8 and 9 of the LPPD on the transfer of data.
  3. Public Institutions and Organizations: Where required by law or where we need to defend our rights, we may share your personal data with the relevant official, judicial and administrative authorities (e.g. tax offices, law enforcement authorities, courts and enforcement offices).
  4. Private Persons: Pursuant to the relevant legislation, personal data may be shared, limited to the purposes requested, with private persons who are authorized to receive information and documents from our Company (e.g. an occupational health and safety company).
  5. Professional consultants and others: For the purpose of establishing and managing customer relationships and executing and finalizing the contract process with our suppliers, business partners and franchisees, we share your personal data with other parties, including the professional consultants listed below:
  • Banks
  • Insurance companies
  • Auditors
  • Attorneys
  • Accountants
  • Other external professional consultants
  • Chambers of Commerce
  • Customs Advisor
  • Exporters Union
  • Company Providing Us the Call Center Service
  • Airport Administrations
  • Insurance Appraisers
  • Shopping Center Managements
  • PR Agencies
  6. Other parties connected with corporate transactions: In addition, from time to time we share your personal data with other parties connected with corporate transactions, such as our service providers and consultants in Turkey and abroad, customers, subcontractors, suppliers and business partners, in the course of corporate transactions such as the execution of contracts, the contractual and commercial relations created for the conduct of the Company's business and activities, ensuring the efficiency and security of corporate processes and the fulfillment of commitments made, or during the sale of the company or one of its departments to another company, or where the assets or shares of Simit Sarayı are subject to any other reorganization or restructuring, merger, joint venture or other sale or disposal (including those related to bankruptcy or similar transactions).

FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We store your personal data only for as long as is required to fulfill the purpose for which they were collected. We set these periods separately for each business process, and if there is no other reason to retain your personal data when the relevant period ends, we destroy them in accordance with the LPPD.

When determining the destruction periods for your personal data, we consider the following criteria:

  • The time period recognized as a general practice in the sector in which the data controller operates within the scope of the purpose of processing of the relevant data category;
  • The duration in which the legal relationship which necessitates the processing of personal data in the relevant data category and which is established with the data subject will continue;
  • The duration in which the legitimate interest to be obtained by the data controller will be valid in accordance with the law and the rules of integrity depending on the purpose of processing of the relevant data category,
  • The duration during which the risk, cost, and responsibilities that will occur due to the storage will legally continue depending on the purpose of processing of the relevant data category,
  • Whether the maximum period to be determined is suitable for keeping the relevant data category accurate, and up-to-date when necessary,
  • The duration in which the data controller has to store personal data in the relevant data category due to its legal obligation,
  • The limitation period within which the data controller may assert a right associated with personal data in the relevant data category.

HOW DO WE DESTROY YOUR PERSONAL DATA?

Pursuant to article 138 of the Turkish Criminal Code and article 7 of the LPPD, even though personal data have been processed in accordance with the relevant legal provisions, if the reasons requiring their processing cease to exist, our Company will, on its own initiative or at the request of the data subject, erase, destroy or anonymize the personal data.

A Personal Data Storage and Destruction Policy has been prepared for this purpose. Our Company reserves the right not to fulfill a data subject's request where it has the right and/or obligation to retain the personal data under the relevant legislation. Where personal data are processed by non-automated means as part of a data recording system, they are destroyed physically, so that they are erased/destroyed in a way that prevents any subsequent use. Where our Company engages a person or organization to process personal data on its behalf, the personal data are securely erased by that person or organization so as to prevent subsequent recovery. Our Company may anonymize personal data when the reasons for their lawful processing cease to exist.

DESTRUCTION METHODS OF PERSONAL DATA

Erasure of Personal Data

Even though personal data have been processed in accordance with the relevant legal provisions, if the reasons requiring their processing cease to exist, our Company may, on its own initiative or at the request of the data subject, erase the personal data. Erasure of personal data is the process of making personal data inaccessible and non-reusable for the relevant users. Our Company takes all necessary technical and administrative measures to ensure that erased personal data are inaccessible and non-reusable for the relevant users.

Erasure Process of Personal Data

The process to be followed in the erasure of personal data is as follows:

  • Determining the personal data that will be subject to erasure.
  • Identifying the relevant users for each personal data using an access authorization and control matrix or a similar system.
  • Determining the authorities and methods of the relevant users such as access, retrieval and reuse.
  • Closing and canceling access, retrieval, reuse authorities and methods of the relevant users within the scope of personal data.

Personal Data Erasure Methods

Data Recording Medium: Description

  • Personal Data Stored in Servers: Personal data in servers whose storage period has expired are erased by the system administrator revoking the access authorizations of the relevant users.
  • Personal Data Stored in Electronic Media: Personal data stored in electronic media whose storage period has expired are made inaccessible and unusable for all employees (relevant users) other than the database administrator.
  • Personal Data in Physical Environment: Personal data stored in physical media whose storage period has expired are made inaccessible and unusable for all employees other than the unit manager in charge of the document archive, and are additionally obscured by striking out, painting over or deleting them so that they are illegible.
  • Personal Data Stored in Portable Media: Personal data stored in flash-based storage media whose storage period has expired are kept in secure environments in encrypted form by the system administrator, with access to the encryption keys granted only to the system administrator.

Because personal data can be kept in a variety of recording media, they must be erased by methods suited to each medium. Examples are given below:

Software as a Service Cloud Solutions (e.g. Office 365, Salesforce, Dropbox): Data in the cloud system are erased by issuing a delete command. While doing so, it must be ensured that the relevant user does not have the authority to recover the deleted data through the cloud system (for example, through a recycle bin or version history).

Personal Data Stored in Hard Copy: Personal data stored in hard copy are erased by the blackening method. Blackening is performed, where possible, by cutting the personal data out of the relevant document, or, where that is not possible, by rendering them unreadable with indelible ink so that they cannot be recovered by technological means.

Office Files on the Central Server: The file is deleted with the operating system's delete command, or the relevant user's access rights to the file or the directory containing it are removed. While doing so, it must be ensured that the relevant user is not also the system administrator.

Personal Data Stored in Portable Media: Personal data in flash-based storage media must be stored in encrypted form and erased using appropriate software.

Databases: The rows containing the personal data must be deleted with database commands (DELETE, etc.). While doing so, it must be ensured that the relevant user is not also the database administrator. A DELETE removes the rows from the live database only; copies held in backups, replicas and transaction logs remain until they expire or are destroyed separately.

Destruction of Personal Data

Even though personal data have been processed in accordance with the relevant legal provisions, if the reasons requiring their processing cease to exist, our Company may, on its own initiative or at the request of the data subject, destroy the personal data. Destruction of personal data is the process by which personal data are made inaccessible, non-recoverable and non-reusable for anyone. The data controller is obliged to take all necessary technical and administrative measures for the destruction of personal data.

Data Recording Medium: Description

  • Personal Data in Physical Environment: Personal data stored in hard copy whose period of storage has expired are destroyed with a shredder in an irrecoverable manner.
  • Personal Data Stored in Optical/Magnetic Media: Personal data stored in optical or magnetic media whose period of storage has expired are physically destroyed by melting, burning or pulverization. In addition, magnetic media are passed through a special device and exposed to a strong magnetic field, making the data on them unreadable.

Physical Destruction: Where personal data are processed by non-automated means as part of a data recording system, the data are destroyed physically, so that they are erased/destroyed in a way that prevents any subsequent use.

Secure Erasure from Software: When data processed by fully or partially automated means and stored in digital media are erased/destroyed, methods that remove the data irretrievably from the relevant software are used.

Secure Erasure by a Specialist: In some cases our Company may engage a specialist to erase personal data on its behalf. In that case the personal data are erased/destroyed securely and irretrievably by that specialist.

Blackening: The process by which personal data are rendered physically unreadable.

Methods of Destruction of Personal Data

To destroy personal data, all copies of the data must be identified and each copy disposed of individually using one or more of the following methods, depending on the type of system in which the data are located:

Local Systems: One or more of the following methods can be used to destroy data on these systems:

  i) De-magnetization (degaussing): The magnetic medium is passed through a special device and exposed to a strong magnetic field, which destroys the data and renders the medium unreadable.
  ii) Physical Destruction: Optical and magnetic media are destroyed physically by melting, burning, pulverizing or shredding, so that the data are rendered inaccessible. If overwriting or de-magnetization of a hard disk is not successful, the disk must also be destroyed physically.
  iii) Overwriting: Random data consisting of 0s and 1s are written over the magnetic medium or rewritable optical medium at least seven times, using special software, so that the old data cannot be recovered. Overwriting is a method for magnetic media: on flash-based media, wear levelling means that a logical overwrite does not necessarily reach the physical cells that held the data, which is why flash media are handled under Peripheral Systems below.

Peripheral Systems: The destruction methods that can be used depending on the media type are as follows:

  i) Network devices (switches, routers, etc.): The storage media inside these devices are fixed. Such products usually have a delete command but no destruction function; they must be destroyed using one or more of the suitable methods specified under Local Systems.
  ii) Flash-based media: Flash-based disks with ATA (SATA, PATA, etc.) or SCSI (SCSI Express, etc.) interfaces must be destroyed using the destruction method recommended by the manufacturer where supported, or otherwise using the <block erase> command or one or more of the suitable methods specified under Local Systems.
  iii) Magnetic tape: Media that store data by means of micro-magnetic particles on a flexible tape. They must be destroyed by exposure to a very strong magnetic field (de-magnetization) or by physical destruction methods such as incineration or melting.
  iv) Magnetic disks and similar units: Media that store data by means of micro-magnetic particles on flexible plates or fixed platters. They must be destroyed by de-magnetization or by physical destruction methods such as incineration or melting.
  v) Mobile phones (SIM cards and fixed memory areas): The fixed memory areas of portable smartphones have a delete command but no destruction command; they must be destroyed using one or more of the suitable methods specified under Local Systems.
  vi) Optical disks: Data storage media such as CDs and DVDs. They must be destroyed by physical methods such as incineration, disintegration or melting.
  vii) Peripherals with removable data recording media, such as printers or fingerprint door access systems: All data recording media must be removed, the removal verified, and the media destroyed using one or more of the suitable methods specified under Local Systems.
  viii) Peripherals with fixed data media, such as printers or fingerprint door access systems: Most such systems have a delete command but no destruction command; they must be destroyed using one or more of the suitable methods specified under Local Systems.

Hardcopy and Microfiche Media: The medium itself must be destroyed, since the personal data are permanently and physically written on it. The medium must be cut into small pieces with a paper shredder or trimmer, horizontally and vertically where possible, so that it cannot be read or reassembled. Any personal data transferred from the original hardcopy to an electronic medium by scanning must be destroyed using one or more of the suitable methods specified under Local Systems for the electronic medium in which they are located.

Cloud Environment: Personal data stored and used in these systems must be encrypted with cryptographic methods and, where possible, a separate encryption key must be used for each cloud service that holds personal data. When the cloud service relationship ends, all copies of the encryption keys required to make the personal data usable must be destroyed.

In addition to the media above, the destruction of personal data on devices that fail or are sent for servicing is carried out as follows:

  i) Before a device is delivered to a third party such as the manufacturer, seller or authorized service center for maintenance or repair, the personal data it contains must be destroyed using one or more of the suitable methods specified under Local Systems.
  ii) Where such destruction is not possible or not suitable, the data storage media must be removed and retained, and only the other defective components delivered to third parties such as manufacturers and sellers.
  iii) The necessary measures must be taken to prevent external personnel from copying personal data and taking them out of the organization.
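As an added example (not part of this policy and not Simit Sarayı's tooling), the following Python implements the overwriting method described under Local Systems above at the file level: it writes random bytes over a file seven times, forcing each pass to disk, and then unlinks it. The sample record file is constructed, and the pass count and chunk size are assumptions. The caveat in the docstring is the one a practitioner must keep in mind: a file-level overwrite reaches the old sectors only on a plain, non-journaling filesystem on magnetic storage; on SSDs, copy-on-write filesystems, snapshots or backups the old blocks can survive, which is why the policy treats flash media and cloud storage separately.

```python
import os
import secrets
import tempfile
from pathlib import Path

PASSES = 7  # the policy calls for at least seven overwriting passes (assumption: random data each pass)


def overwrite_file(path, passes=PASSES, chunk_size=64 * 1024, unlink=True):
    """Overwrite a file in place `passes` times with random bytes, forcing each
    pass to disk with fsync, then optionally unlink it.

    Returns the number of bytes overwritten per pass.
    Caveat (assumption about the environment): the old sectors are actually
    overwritten only on a non-journaling, non-copy-on-write filesystem on
    magnetic storage; on SSDs, CoW filesystems, snapshots or backups the old
    blocks may survive elsewhere and need the media-specific methods instead.
    """
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not report success before the pass hit the disk
    if unlink:
        p.unlink()
    return size


def demo(content=b"T.C. ID 12345678901, Ayse Yilmaz, +90 555 000 00 00\n" * 200):
    """Constructed sample: write a record file, overwrite it once without
    unlinking and check that no original bytes remain, then overwrite it the
    full number of passes and unlink it.

    Returns (bytes_per_pass, original_still_present, file_exists_after_unlink).
    """
    fd, name = tempfile.mkstemp(prefix="pd-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    size = overwrite_file(name, passes=1, unlink=False)
    after = Path(name).read_bytes()
    still_present = after == content or content[:64] in after
    overwrite_file(name, unlink=True)
    return size, still_present, Path(name).exists()


if __name__ == "__main__":
    print(demo())
```

GNU coreutils `shred -n 7 -u FILE` performs the same file-level overwrite and its manual page states the same filesystem caveat.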

Anonymization of Personal Data

Anonymization of personal data means rendering the data impossible to link with an identified or identifiable natural person, even by matching them with other data. Our Company may anonymize personal data when the reasons for their lawful processing cease to exist. For personal data to be anonymized, it must be impossible to associate them with a specific or identifiable natural person even through techniques suited to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or the recipient groups and/or matching the data with other data. Our Company takes all technical and administrative measures necessary to anonymize personal data.

Personal data anonymized in accordance with article 28 of the LPPD may be processed for research, planning and statistical purposes. Such operations fall outside the scope of the LPPD and do not require the explicit consent of the data subject.

Methods of Anonymization of Personal Data

Anonymization of personal data is rendering the data impossible to link with an identified or identifiable natural person, even by matching them with other data. For this, it must be impossible to associate the data with a specific or identifiable natural person even through techniques suited to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching the data with other data.

Anonymization means that all direct and/or indirect identifiers in a dataset are removed or replaced so that the relevant person can no longer be identified, distinguished within a group or crowd, or associated with a natural person. Data are deemed anonymized when, as a result of removing or losing these properties, they no longer point to a particular person. In other words, anonymized data are information that identified a natural person before the process but can no longer be associated with that person afterwards. The purpose of anonymizing personal data is to break the link between the data and the person they identify. All such link-breaking operations applied by automated or non-automated methods, such as grouping, masking, derivation, generalization and randomization, to the records in the data recording system where the personal data are stored are called anonymization methods. The data obtained by applying these methods must not make it possible to identify a particular person.

The examples to anonymization methods are described as follows:

Anonymization Methods That Do Not Distort Values (Value Irregularity): In these methods no change, addition or subtraction is applied to the individual values in the dataset; instead, whole rows or columns are changed. The data change overall, but the values that remain in the fields keep their original state.

Removing the Variables

A method of anonymization achieved by completely removing one or more variables from the table, so that the entire column is removed. The method may be used because the variable is highly identifying, because no better solution exists, because the variable is too sensitive to be disclosed to the public, or because it serves no analytical purpose.

Removing the Records

In this method anonymity is reinforced by removing a row that is singular within the dataset, which reduces the possibility of drawing inferences about the dataset. The records removed are generally those that share no common value with other records and can easily be guessed by someone with knowledge of the dataset. For instance, if a dataset of survey results contains only one respondent from a particular sector, it may be preferable to remove that person's record rather than to remove the "sector" variable from all survey results.

Regional Masking

The objective of regional masking (local suppression) is to make the dataset more secure and to reduce the risk of predictability. If the combination of values in a particular record creates a very uncommon condition that is likely to make the individual distinguishable within the relevant community, the value that creates the exception is replaced with "unknown".

Generalization

Generalization converts a specific value of the relevant personal data into a more general value. It is the method most commonly used for generating cumulative reports and performing operations on aggregate figures. The resulting new values represent the totals or statistics of a group, which makes it impossible to reach a natural person. For example, assume that a person with Turkish ID No. 12345678901 buys diapers from the e-commerce platform and then also buys wet wipes. Through generalization, the anonymized result becomes a statement such as "xx% of people who buy diapers from the e-commerce platform also buy wet wipes".

Lower and Upper Limit Coding

Lower and upper limit coding defines a category for a given variable and merges the values that fall into the grouping created by that category. Usually the lowest or highest values of a variable are merged and a new definition is given to these values (for example, all ages of 60 and above become "60+").

Global Coding

Global coding is a grouping method used for datasets whose values cannot be lower- or upper-limit coded, contain no numerical values, or cannot be numerically sorted. It is generally used where clustering certain values makes inferences and estimations easier. A common new group is created for the selected values and all records in the dataset are replaced with this new definition.

Sampling

In the sampling method a subset of the dataset is described or shared rather than the entire dataset. This reduces the risk of making accurate inferences about individuals, since it is not known whether a person known to be in the full dataset is included in the disclosed or shared subset. Simple statistical methods are used to determine the subset to be sampled. For example, if a dataset of demographic information, occupations and health status of women living in Istanbul is disclosed or shared in anonymized form, it would be meaningful to search that dataset for a woman known to live in Istanbul. If, however, only the records of women whose civil registration is in Istanbul are kept in the dataset, those registered in other cities are removed, and the anonymized data are then disclosed or shared, a malicious person who accesses the data and does not know the city of registration of a woman known to live in Istanbul will not be able to make a reliable estimate of whether that person's information is included in the dataset he holds.

Anonymization Methods That Distort Values (Value Irregularity): In these methods, unlike those above, the values in the dataset are distorted by changing the existing values. Because the values of the records change, the benefit expected from the dataset must be calculated correctly. Even when the values in the dataset change, the data can still be useful provided that the aggregate statistics are preserved.

Micro Aggregation (Micro Joining)

In this method all records in the dataset are first arranged in a meaningful order, and the whole set is then divided into a certain number of subsets. For each subset the mean of the selected variable is calculated, and the value of that variable in every record of the subset is replaced with that mean. The mean of that variable over the entire dataset therefore does not change.

Data Exchange (Swapping)

The data exchange method changes records by swapping the values of a subset of variables between pairs of records selected from the dataset. It is mainly used for categorical variables, and the main idea is to transform the database by exchanging the values of variables between the records of individuals.

Adding Noise

In this method additions and subtractions are applied to a selected variable in order to achieve a predetermined degree of distortion. It is generally applied to datasets that contain numerical values, and the same distortion is applied to each value.
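As an added worked example (not part of the policy and not Simit Sarayı code), the following Python applies the three value-distorting methods above, micro aggregation, data exchange and noise addition, to a constructed salary column and checks the property the text relies on: aggregate statistics survive the distortion while individual values do not. The group size, swap window, noise scale and random seeds are illustrative assumptions.

```python
import random
import statistics

# Constructed sample column (monthly salaries of ten survey respondents); not real data.
SALARIES = [3100, 2950, 4800, 5200, 7100, 6900, 12500, 9800, 4100, 3300]


def micro_aggregate(values, group_size=3):
    """Micro aggregation: sort the records, split them into groups of `group_size`
    (a short final group is merged into the previous one) and replace every value
    in a group with the group mean. The column total, and hence the mean, is preserved."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    groups = [order[i:i + group_size] for i in range(0, len(order), group_size)]
    if len(groups) > 1 and len(groups[-1]) < group_size:
        groups[-2].extend(groups.pop())
    out = [None] * len(values)
    for g in groups:
        mean = sum(values[i] for i in g) / len(g)
        for i in g:
            out[i] = mean
    return out


def rank_swap(values, window=2, rng=None):
    """Data exchange (rank swapping): each value is swapped with a not-yet-swapped
    value at most `window` ranks away. The multiset of values is unchanged, so every
    aggregate computed from the column alone is unchanged too."""
    rng = rng or random.Random(0)  # fixed seed only so the demo is reproducible
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = list(values)
    done = set()
    for pos, i in enumerate(order):
        if i in done:
            continue
        lo, hi = max(0, pos - window), min(len(order) - 1, pos + window)
        partners = [order[q] for q in range(lo, hi + 1) if order[q] != i and order[q] not in done]
        if not partners:
            continue
        j = rng.choice(partners)
        out[i], out[j] = values[j], values[i]
        done.update((i, j))
    return out


def add_noise(values, scale=0.05, rng=None):
    """Noise addition: add zero-mean Gaussian noise of the same standard deviation
    (scale * column std) to every value, then re-center so the column mean is exact."""
    rng = rng or random.Random(1)
    sigma = statistics.pstdev(values) * scale
    noisy = [v + rng.gauss(0, sigma) for v in values]
    shift = statistics.mean(values) - statistics.mean(noisy)
    return [v + shift for v in noisy]


def utility_report(values):
    """What an analyst keeps (the mean) and what an attacker loses (distinct values,
    the singular top earner) after each method."""
    def row(v):
        return {"mean": round(statistics.mean(v), 6), "distinct": len(set(v)),
                "max": round(max(v), 2)}
    return {
        "original": row(values),
        "micro_aggregated": row(micro_aggregate(values)),
        "rank_swapped": row(rank_swap(values)),
        "noisy": row(add_noise(values)),
    }


if __name__ == "__main__":
    for name, stats in utility_report(SALARIES).items():
        print(f"{name:18s} {stats}")
```

Micro aggregation is the only one of the three that hides the singular top value (12500 becomes the mean of its group), which is the point of the "Removing the Records" discussion above: a value that is unique in the dataset is what makes a record recognizable.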

Statistical Methods Strengthening Anonymization

In some anonymized datasets the combination of certain values in a record with individual scenarios may make it possible to identify the persons in the records or to infer their personal data.

For this reason anonymity can be strengthened by applying statistical methods that minimize the singularity of records in the anonymized dataset. The main purpose of these methods is to minimize the risk of anonymity being broken while keeping the usefulness of the dataset at a certain level.

K-Anonymity

Confidence in anonymization has been shaken by cases in which the identities of the persons in an anonymized dataset became identifiable, or information about a particular person became easily inferable, once the indirect identifiers were combined in the right way. Datasets anonymized by the various statistical methods therefore had to be made more reliable. K-anonymity was developed to prevent the disclosure of information about individuals who exhibit unique characteristics in certain combinations: each combination of indirect identifiers (quasi-identifiers) that occurs in the dataset must correspond to at least k records. When several records share the same combination of variables, the likelihood of identifying the person corresponding to that combination is reduced.

L- Diversity

The L-diversity method, developed from studies of the deficiencies of K-anonymity, also takes into account the diversity of the sensitive values corresponding to the same combination of variables: if every record in a K-anonymous group shares the same sensitive value, the group reveals that value for everyone in it, so each group must contain at least l distinct sensitive values.

T-Proximity

Although L-diversity provides diversity in the sensitive values, there are cases in which it does not provide adequate protection, because it does not consider the content and sensitivity of the values or their distribution. The T-proximity (t-closeness) method calculates the degree of proximity between the distribution of the sensitive values within each group and their distribution in the dataset as a whole, and anonymizes the dataset by subdividing it so that these distances stay within a threshold t.
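As an added worked example (not part of the policy and not Simit Sarayı code), the following Python applies the generalization and upper-limit coding methods described above to a constructed set of patient records and then measures the three properties just defined: k-anonymity, l-diversity and t-closeness. The records, the quasi-identifier choice, the age bands and the postal-code truncation are all illustrative assumptions; the t-closeness distance is the earth mover's distance, which for a categorical attribute with unit ground distance is half the L1 distance between the two distributions.

```python
from collections import Counter, defaultdict

# Constructed patient records: (age, postal code, gender, diagnosis).
# The first three fields are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (21, "34010", "F", "flu"),
    (25, "34012", "F", "flu"),
    (28, "34015", "F", "asthma"),
    (45, "06100", "M", "diabetes"),
    (48, "06120", "M", "flu"),
    (42, "06130", "M", "diabetes"),
    (63, "35020", "F", "cancer"),
    (67, "35025", "F", "cancer"),
    (61, "35030", "F", "cancer"),
]
QUASI = (0, 1, 2)
SENSITIVE = 3


def generalize(record, age_bucket=10, zip_digits=3, top_code=60):
    """Generalization plus upper-limit coding of one record: age becomes a decade
    band (every age >= top_code becomes "60+") and the postal code is truncated."""
    age, zip_code, gender, diagnosis = record
    if age >= top_code:
        band = f"{top_code}+"
    else:
        lo = (age // age_bucket) * age_bucket
        band = f"{lo}-{lo + age_bucket - 1}"
    masked_zip = zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits)
    return (band, masked_zip, gender, diagnosis)


def equivalence_classes(records):
    """Group records by quasi-identifier combination -> list of sensitive values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[i] for i in QUASI)].append(r[SENSITIVE])
    return classes


def k_anonymity(records):
    """k = size of the smallest equivalence class (0 for an empty dataset)."""
    return min((len(v) for v in equivalence_classes(records).values()), default=0)


def l_diversity(records):
    """l = smallest number of distinct sensitive values in any class."""
    return min((len(set(v)) for v in equivalence_classes(records).values()), default=0)


def t_closeness(records):
    """t = largest distance between a class's sensitive-value distribution and the
    whole dataset's distribution (half the L1 distance for categorical values)."""
    if not records:
        return 0.0
    overall = Counter(r[SENSITIVE] for r in records)
    n = len(records)
    worst = 0.0
    for values in equivalence_classes(records).values():
        local = Counter(values)
        dist = 0.5 * sum(abs(local[v] / len(values) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def assess(records):
    """Report (k, l, t) for the raw records and after generalization."""
    anon = [generalize(r) for r in records]
    return {
        "raw": (k_anonymity(records), l_diversity(records), round(t_closeness(records), 4)),
        "generalized": (k_anonymity(anon), l_diversity(anon), round(t_closeness(anon), 4)),
    }


if __name__ == "__main__":
    print(assess(RECORDS))
```

On the constructed data generalization raises k from 1 to 3, but l stays at 1 because every record in the "60+, 350**, F" class carries the same diagnosis: anyone known to be in that class learns the diagnosis without being singled out, which is exactly the gap l-diversity and t-closeness were introduced to close.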

Choosing the Anonymization Method

Our company decides which of the above methods will be applied by looking at the data in hand and considering the following features of the dataset:

Nature of the data;

Size of the data;

Structure of data in physical media;

Data diversity;

The purpose of benefiting from/processing the data;

Processing frequency of data;

Reliability of the party to which the data will be transferred;

Whether the effort required to anonymize the data is meaningful;

The magnitude of the damage that may arise in case of deterioration of the anonymity of data, and its influence area;

The distribution/centrality ratio of the data;

Control of users' access to relevant data; and

The probability that the effort to be spent on constructing and launching an attack that would disrupt anonymity would make sense.

While anonymizing data, the Company checks, by means of contracts and risk analyses, whether such data could be used to re-identify a person when combined with information that is known to, or publicly available from, the other institutions and organizations to which it transfers personal data.

Anonymity Assurance

When it decides to anonymize personal data instead of erasing or destroying it, our Company takes care that anonymity is not disrupted by combining the anonymized dataset with any other dataset, that no meaningful whole is created where one or more values could make a record unique, and that the values in the dataset cannot be combined to produce an assumption or result. Our Company also re-checks the datasets it has anonymized whenever the properties listed in this article change, and makes sure that anonymity is maintained.

Risks of De-anonymization by Reverse Processing of Anonymous Data

Since anonymization is a process applied to personal data that destroys the distinctive and identifying characteristics of the dataset, there is a risk that these operations can be reversed by various interventions and that the anonymized data becomes re-identifiable and distinctive again. This is referred to as de-anonymization. Anonymization can be carried out by manual or automated processes, or by hybrid processes combining both. What matters is that, after anonymized data is shared or disclosed, measures are taken to prevent anonymity from being compromised by new users who can access or own the data. Actions carried out deliberately to de-anonymize data are called "de-anonymization attacks". In this context, our Company investigates whether there is a risk that anonymized personal data may be reversed by various interventions, so that the data becomes re-identifiable and allows natural persons to be distinguished, and takes action accordingly.
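The three methods described above (K-anonymity, L-diversity and T-proximity, the last of which is generally known as t-closeness in the literature) and the re-identification risk checks described under Anonymity Assurance and De-anonymization can be made concrete with a small assessment script run before a dataset is released. The following is an added example written for this page; it is not code from Simit Sarayı or from the Policy. The records, the generalization rule (ZIP prefix and ten-year age band) and the release thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample records (not data from the Policy or the Company):
# quasi-identifiers "zip", "age", "gender" and the sensitive attribute "diagnosis".
RAW_RECORDS: List[Record] = [
    {"zip": "34394", "age": "23", "gender": "F", "diagnosis": "flu"},
    {"zip": "34398", "age": "27", "gender": "F", "diagnosis": "asthma"},
    {"zip": "34391", "age": "31", "gender": "M", "diagnosis": "flu"},
    {"zip": "34395", "age": "38", "gender": "M", "diagnosis": "diabetes"},
    {"zip": "34210", "age": "45", "gender": "F", "diagnosis": "flu"},
    {"zip": "34212", "age": "49", "gender": "F", "diagnosis": "flu"},
    {"zip": "34390", "age": "25", "gender": "F", "diagnosis": "diabetes"},
    {"zip": "34397", "age": "34", "gender": "M", "diagnosis": "asthma"},
]
QUASI_IDS: Tuple[str, ...] = ("zip", "age", "gender")
SENSITIVE = "diagnosis"


def generalize(records: Sequence[Record]) -> List[Record]:
    """Coarsen the quasi-identifiers: ZIP keeps its first three digits and
    age becomes a ten-year band. This generalization rule is a hypothetical choice."""
    out: List[Record] = []
    for r in records:
        decade = int(r["age"]) // 10 * 10
        out.append({**r, "zip": r["zip"][:3] + "**", "age": f"{decade}-{decade + 9}"})
    return out


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]):
    """Group records that share the same quasi-identifier combination."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def singleton_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> List[tuple]:
    """Quasi-identifier combinations that match exactly one record: these are the
    records that linking with outside information could single out."""
    return [key for key, rs in equivalence_classes(records, quasi_ids).items() if len(rs) == 1]


def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """k is the size of the smallest equivalence class."""
    return min(len(rs) for rs in equivalence_classes(records, quasi_ids).values())


def l_diversity(records: Sequence[Record], quasi_ids: Sequence[str], sensitive: str) -> int:
    """l is the fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[sensitive] for r in rs})
               for rs in equivalence_classes(records, quasi_ids).values())


def t_closeness(records: Sequence[Record], quasi_ids: Sequence[str], sensitive: str) -> float:
    """t is the largest total-variation distance between a class's distribution of
    sensitive values and the distribution over the whole dataset (lower is better)."""
    overall = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for rs in equivalence_classes(records, quasi_ids).values():
        local = Counter(r[sensitive] for r in rs)
        dist = 0.5 * sum(abs(local[v] / len(rs) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def release_check(records: Sequence[Record], quasi_ids: Sequence[str], sensitive: str,
                  k_min: int = 2, l_min: int = 2, t_max: float = 0.3) -> Dict[str, object]:
    """Summarize the three metrics and decide whether the dataset meets the thresholds.
    The default thresholds are assumed for illustration; the Policy does not set any."""
    k = k_anonymity(records, quasi_ids)
    l_val = l_diversity(records, quasi_ids, sensitive)
    t = t_closeness(records, quasi_ids, sensitive)
    return {"k": k, "l": l_val, "t": round(t, 4),
            "singletons": len(singleton_classes(records, quasi_ids)),
            "ok": k >= k_min and l_val >= l_min and t <= t_max}


if __name__ == "__main__":
    print("raw:        ", release_check(RAW_RECORDS, QUASI_IDS, SENSITIVE))
    print("generalized:", release_check(generalize(RAW_RECORDS), QUASI_IDS, SENSITIVE))
```

On the raw records every quasi-identifier combination is a singleton (k = 1), which is exactly the situation K-anonymity is meant to remove. After generalization k rises to 2, but the class of the two 40-49 records contains only one diagnosis, so l = 1 and t = 0.5: the dataset would pass a K-anonymity check and still disclose the sensitive value for that class, which is the gap L-diversity and T-proximity are meant to catch.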

HOW DO WE PROTECT YOUR PERSONAL DATA?

In order to protect your personal data and prevent unlawful access, the Company takes the necessary administrative and technical measures in line with the Personal Data Security Guideline published by the PDP Committee, prepares internal procedures, prepares the clarification and explicit consent texts, conducts any audits necessary to ensure the implementation of the provisions of the LPPD in accordance with article 12/3 of the LPPD, or procures external services for this purpose. The results of these audits are evaluated within the internal operation of the Company and the necessary actions are taken to improve the measures in place.

Your personal data mentioned above will be transferred to physical archives and information systems of our Company and/or our suppliers and kept in both digital and physical media. The technical and administrative measures taken to ensure the security of personal data are described in detail below under two headings:

Technical Measures

We use generally recognized standard technologies and operational security methods, including the standard technology called Secure Sockets Layer (SSL), to protect the personal information collected. However, due to the nature of the Internet, information can be accessed by unauthorized persons over networks that lack the necessary security measures. We take technical and administrative measures to protect your data from risks such as destruction, loss, tampering, unauthorized disclosure or unauthorized access, depending on the current state of technology, the cost of its implementation, and the nature of the data to be protected. Within this scope, we conclude data security agreements with the service providers we work with. You can access detailed information about these service providers at [related link].

  • Ensuring Cyber Security: We use cyber security products to ensure personal data security; however, our technical measures are not limited to this. The first line of defense against attacks from environments such as the Internet is established through measures such as firewalls and gateways. However, almost every piece of software and hardware is subject to a number of installation and configuration operations. Considering that some commonly used software, older versions in particular, may have documented security vulnerabilities, unused software and services are removed from the devices; removing them is preferred over keeping them up to date, because removal is simpler. Through patch management and software upgrades it is checked regularly that the software and hardware work properly and that the security measures taken for the systems are sufficient.
  • Access Restrictions: Access rights to systems containing personal data are restricted and reviewed regularly. Within this scope, employees are granted access rights only to the extent necessary for their functions, duties, powers and responsibilities, and access to the related systems is granted with a user name and password. When creating these passwords, combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of number or letter sequences associated with easy-to-guess personal information. Accordingly, an access authorization and control matrix is created.
  • Encryption: In addition to using strong passwords, the methods used include limiting the number of log-in attempts to protect against common attacks such as brute force attacks (BFA), prompting frequent password changes, opening administrator accounts and admin privileges only for use when needed, and immediately restricting access for employees who have left the Data Controller, for example by deleting the account or closing log-ins.
  • Anti-virus Software: In order to protect against malware, products such as antivirus or antispam software, which regularly scan the information system network and detect hazards, are used and are regularly kept current, and the required files are regularly scanned. If personal data is to be obtained through different websites and/or mobile application channels, it is ensured that connections are established via SSL or a more secure method.
  • Monitoring of Personal Data Security: These activities include checking which software and services are operating in the information networks, determining whether there has been any intrusion into the IT networks, regularly keeping records of all users' transaction activities (such as log records), and reporting security problems as fast as possible. A formal reporting procedure is also created for employees to report security weaknesses in the systems and services and the threats that may exploit such weaknesses. Evidence is collected and stored securely in the event of undesired events such as an information system crash, malicious software, a denial-of-service attack, missing or incorrect data entry, violations of confidentiality and integrity, or abuse of the information system.
  • Ensuring the Security of Media Containing Personal Data: If personal data is stored on devices or in hard copies located on the Data Controller's premises, physical security measures are taken against threats such as theft or loss of such devices and papers. The physical environments containing personal data are protected against external risks (fire, flood, etc.) by suitable methods, and entries to and exits from these environments are controlled.

If personal data is in electronic media, access between network components can be restricted or separated to prevent a breach of personal data security. For example, if the processing of personal data is limited to a specific portion of the network in use, reserved for this purpose, the available resources can be devoted to the security of this limited area rather than of the entire network.

Measures at the same level are also taken for hard copies, electronic media and devices containing personal data belonging to the Company that are located outside the Company premises. Since personal data security breaches frequently result from the theft or loss of devices containing personal data (laptops, mobile phones, flash disks, etc.), personal data transmitted by e-mail or post is likewise sent carefully and with adequate precautions. Sufficient security measures are also taken where employees access the information system network with their personal electronic devices.

Access control, authorization and/or encryption methods are used against the loss or theft of devices containing personal data. In this context, the encryption key is stored only in an environment accessible to authorized persons, and unauthorized access is prevented.

Hard copy documents containing personal data are likewise stored only in a locked environment accessible to authorized persons, and unauthorized access to these documents is prevented.

If any personal data is obtained by others by unlawful means, the Company shall inform the PDP Committee and the data subjects of this fact as soon as possible pursuant to article 12 of the LPPD. If it deems it necessary, the PDP Committee may announce this situation on its website or by any other means.

  • Storage of Personal Data in the Cloud: In the event that personal data is stored in the cloud, the Company assesses whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, the Company knows in detail which personal data is stored in the cloud, backs it up and keeps it synchronized, and applies two-step authentication for remote access when this is necessary. During storage and use of personal data in these systems, the data is encrypted by cryptographic methods and placed in the cloud environment only after encryption, and, where possible, the use of a separate encryption key for each cloud solution serviced is ensured. When the cloud service relationship ends, all copies of the encryption keys that could be used to make the personal data usable again are destroyed. Access to storage areas holding personal data is logged, and improper access or access attempts are instantly communicated to those concerned.
  • Information Technology Systems Procurement, Development and Maintenance: Security requirements are taken into consideration when the Company determines the requirements related to the procurement, development or improvement of new systems.
  • Backing up of Personal Data: In case personal data is damaged, destroyed, stolen or lost for any reason, the Company is able to recover it as soon as possible using the backed-up data. The backed-up personal data is accessible only to the system administrator, and dataset backups are kept outside the network.

Administrative Measures

  • All activities carried out by our company have been analyzed in detail in all business units and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified and necessary legal and technical measures are taken continuously. (E.g. the documents to be prepared within the scope of LPPD have been prepared considering the risks in this inventory)
  • Personal data processing activities carried out by our Company are audited by information security systems, technical systems and legal methods. Policies and procedures regarding personal data security are determined and regular controls are conducted within this scope.
  • From time to time, our Company may procure services from external service providers to meet its information technology needs. In this case, we ensure that these external service providers (Data Processors) meet at least the security measures applied by our Company. A written agreement is signed with the Data Processor, and the agreement includes at least the following points:
    • The Data Processor acts only in accordance with the instructions of the Data Controller, the purpose and scope of the data processing specified in the agreement, the LPPD and other legislation;
    • The Data Processor acts in accordance with the Personal Data Storage and Destruction Policy;
    • The Data Processor is obliged to keep the personal data it processes confidential indefinitely;
    • In the event of any data breach, the Data Processor is obliged to inform the Data Controller of it immediately;
    • Our Company will perform, or have performed, the necessary audits on the Data Processor's systems containing personal data, and may review the reports and the service provider on site;
    • Our Company will take the necessary technical and administrative measures for the security of personal data; and
    • As long as the nature of the relationship between the Data Processor and us permits it, the categories and types of the personal data transferred to the Data Processor are also specified in a separate article.
  • As emphasized in the guidelines and publications of the Authority, personal data is reduced as much as possible within the framework of the data minimization principle; personal data that is not required, is outdated or does not serve a purpose is not collected, and where such data was collected in the period before the LPPD came into force, it is destroyed in accordance with the Personal Data Storage and Destruction Policy.
  • Employees specialized in technical issues are employed.
  • Our Company has included provisions on confidentiality and data security in the Employment Agreements signed during the recruitment of its employees and requires the employees to comply with these provisions. The employees are regularly informed and trained about personal data protection law and about the measures required by that law. The roles and responsibilities of the employees have been revised and their job descriptions updated accordingly.
  • Technical measures are taken in accordance with technological developments, and the measures taken are periodically checked, updated and renewed.
  • The access authorizations are limited and reviewed regularly.
  • The technical measures taken are regularly reported to the authorized person, and the issues that constitute risk are reviewed and efforts are made to produce the necessary technological solutions.
  • Software and hardware including virus protection systems and firewalls are installed.
  • The backup programs are used to ensure the safe storage of personal data.
  • Security systems are used for storage areas; the technical measures taken are periodically reported to the person concerned as a result of internal controls, risk issues are re-evaluated and the necessary technological solutions are produced. The files/printouts stored in the physical environment are stored by the supplier companies and then destroyed in accordance with the established procedures.
  • The protection of personal data is also recognized by top management: a dedicated committee (the PDP Committee) has been established and has started its work. A management policy regulating the working rules of the Company's PDP Committee has been put into effect within the Company, and the duties of the PDP Committee have been explained in detail.

HOW DO WE PROTECT YOUR SENSITIVE PERSONAL DATA?

A separate policy on the processing and protection of sensitive personal data has been prepared and put into force.

Article 6 of the LPPD describes the data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data as sensitive data because they carry the risk of causing victimization or discrimination of the individuals when unlawfully processed, and stipulates a more sensitive protection for the processing of such data.

Pursuant to Article 10 of the LPPD, our Company provides clarification to the Related Persons during the collection of sensitive personal data. Sensitive personal data is processed by taking appropriate measures and performing the necessary audits in accordance with the LPPD. As a rule, one of the conditions for processing sensitive personal data is the explicit consent of the data subject. Our Company offers data subjects the opportunity to give their explicit consent on a specific issue, based on information and free will.

In principle, our Company obtains the explicit consent of the Related Persons in writing for the processing of sensitive personal data. However, pursuant to article 6/3 of the LPPD, where any of the conditions specified in article 5/2 of the LPPD exists, the explicit consent of the Related Persons is not sought. Furthermore, pursuant to article 6/3 of the LPPD, data relating to health and sexual life may be processed by persons under an obligation of confidentiality or by authorized agencies and administrations for purposes such as preserving public health, rendering services such as preventive medicine, medical diagnosis, treatment and care, and planning, managing and financing health services. Regardless of the reason, the general data processing principles are always taken into account and complied with in processing operations.

Our company takes special measures to ensure the security of sensitive personal data. Due to data minimization principle, sensitive personal data is not collected unless it is necessary for the relevant business process and is processed only when necessary. In case of processing of sensitive personal data, technical and administrative measures are taken to comply with the legal obligations and to comply with the measures determined by the PDP Committee.

WHAT RIGHTS DO YOU HAVE RELATED TO YOUR PERSONAL DATA?

Pursuant to article 11 of LPPD, as a data subject, you have the following rights related to your personal data:

  • To find out whether your personal data is processed by our Company;
  • To request information if your personal data has been processed;
  • To find out the purpose of processing your personal data and whether it has been used in accordance with that purpose;
  • To know the third parties to whom personal data has been transferred at home or abroad;
  • To request the correction of your personal data if it is incomplete or incorrectly processed, and to ask that the process carried out in this context be notified to the third parties to whom your personal data has been transmitted;
  • To request the deletion or destruction of your personal data if the reasons for processing it have ceased to exist, even though it has been processed in accordance with the LPPD and other relevant laws, and to ask that the process carried out in this context be notified to the third parties to whom the personal data has been transferred;
  • To object to the occurrence of any result to your detriment arising from the analysis of personal data exclusively through automated systems;
  • To demand compensation if you incur a loss due to unlawful processing of your personal data.

You can forward these requests to our Company free of charge in accordance with the Application Communiqué and using the following methods:

  • After filling in and signing the form found at https://www.simitsarayi.com/kvkk-bilgi-edinme, delivering it in person to the address Simit Sarayı Yatırım ve Ticaret A.Ş. Büyükdere Cad. No.191, Apa Giz Plaza, No.2/İstanbul (please note that your identity card has to be presented).
  • After filling in and signing the form found at https://www.simitsarayi.com/kvkk-bilgi-edinme, sending it to the address Simit Sarayı Yatırım ve Ticaret A.Ş. Büyükdere Cad. No.191, Apa Giz Plaza, No.2/İstanbul via a notary public.

The application should contain the following:

The application must contain the first name, last name, and signature if the application is in writing, Turkish ID Number for the citizens of the Republic of Turkey, nationality for foreigners, passport number or identification number (if any), residence or business address for the service of notices, electronic mail address, telephone and fax number for the delivery of notices if any, and subject of the request. Any relevant information and documents are also attached to the application.

Third parties cannot file a request on behalf of personal data subjects. For a person other than the personal data subject to make a request, a notarized special power of attorney issued by the personal data subject in favour of the applicant and bearing the original signature must be presented. In the application you submit to exercise the above rights as a data subject, the right you wish to exercise and the subject matter of your request must be clear and comprehensible, and the matter you request must relate to you; if you act on behalf of another person, you must be specially authorized to do so and your authorization must be documented. The application must also include identity and address details and be accompanied by documents certifying your identity.

The applications that you will submit within this scope will be finalized within the shortest possible time, however, no later than 30 days. These applications are free of charge. However, if the process requires additional costs, the fee in the tariff determined by the PDP Committee may be charged.

If the personal data subject submits his/her request to our Company in accordance with the prescribed procedure, our Company shall conclude the request free of charge within the shortest time and no later than thirty days, according to the nature of the request. However, if the process requires a separate cost, the fee in the tariff determined by the PDP Committee will be charged by our Company. Our Company may require any information from the relevant person in order to determine whether the applicant is the personal data subject. To clarify the matters set forth in the application, our Company may ask the personal data subject questions about the application.

If our Company rejects your application, or you find our answer inadequate, or we do not respond to the application within the prescribed period, you can submit a complaint to the PDP Committee within thirty days from the date on which you learn of our Company's response, and in any case within sixty days from the date of application, pursuant to article 14 of the LPPD.

WHAT ARE THE CONDITIONS UNDER WHICH THE DATA SUBJECTS CANNOT PUT FORWARD THEIR RIGHTS?

The personal data subjects cannot claim their rights mentioned above in accordance with Article 28 of the LPPD because the following circumstances are excluded from the scope of the LPPD:

  • Processing of personal data for official statistics and purposes such as research, planning and statistics by anonymizing the data;
  • Processing of personal data within the scope of artistic, historical, literal, or scientific purposes, provided that such processing shall not violate national defense, national security, public security, public order, economic security, confidentiality of private life, or personal rights, or constitute any crime;
  • Processing of personal data within the scope of the preventive, protective, and intelligence activities conducted by the competent legal public institutions and organizations with the intent of maintaining national defense, national security, public security, public order, or economic security;
  • Processing of personal data by judicial or enforcement authorities in respect of investigations, proceedings, trials, or enforcement processes.

Pursuant to Article 28/2 of the LPPD, personal data subjects cannot claim any of the rights listed above, except for the right to claim damages, when:

  • Processing of personal data is necessary for the prevention of crime or for a criminal investigation;
  • Personal data made public by the personal data subject is processed;
  • Processing of the personal data is necessary for the execution of inspection or regulation duties or a disciplinary investigation or inquiry by the authorized and competent public authorities and entities, or by professional institutions in the nature of a public institution, based on the authorities granted to them by law;
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.

MISCELLANEOUS

As explained in detail above, your personal data may be stored or classified for market research, financial and operational processes and marketing activities, updated at different intervals, and transferred to third persons and/or suppliers and/or service providers and/or foreign shareholders with which we are affiliated where the service necessitates such transfer, to the extent permitted by the legislation and within the framework of the laws and confidentiality principles. Information may also be transferred, stored, reported and processed in electronic media or hard copy in accordance with the policies by which we are bound and for other reasons that may be stipulated by other authorities, and may be issued in the form of records and documents in electronic format or hard copy to serve as evidence of the transaction.

In case of any inconsistency between the provisions of the LPPD, other relevant legislation and this Policy, the provisions of the LPPD and other relevant legislation shall prevail.

This policy prepared by our Company has entered into force in accordance with the decision taken by the Board of Directors of Simit Sarayı.

Please note that we may revise this policy due to changes from time to time in the legislation and changes in our company policies. We will publish the most current version of the statement on our website.

Before entering the website, the User/Users irrevocably agree(s), declare(s) and undertake(s) that the User/Users has/have read this Personal Data Protection Policy, will comply with all provisions stated herein, and that the contents of the website and all electronic media and computer records of our Company will constitute conclusive evidence pursuant to article 193 of the Code of Civil Procedure.

Effective Date: 15.01.2010

Version: 1.0

APPENDIX - ABBREVIATIONS

Law numbered 5651

Law on the Regulation of the Publications Made on the Internet and Combat Against Crimes Committed through these Publications, rendered effective after its promulgation in the issue of the Official Gazette of May 23, 2007 and numbered 26530.

Constitution

The Constitution of the Republic of Turkey of November 7, 1982 and numbered 17863, promulgated in the issue of the Official Gazette of November 9, 1982 and numbered 2709

Application Communiqué

Communiqué on the Procedures and Principles Regarding Application to the Data Controller, rendered effective after its promulgation in the issue of the Official Gazette of March 10, 2018 and numbered 30356

Relevant Person/Relevant Persons or Data subject

A natural person, whose personal data is processed, including, without limitation, any customers of Simit Sarayı and/or subsidiaries of Simit Sarayı, corporate companies, companies, business partners, shareholders, officers, candidate employees, trainees, visitors, suppliers, employees of the entities that are cooperated with, and third persons and other persons with whom the Simit Sarayı has a relationship, or cooperates with.

Regulation on Erasure, Destruction and Anonymization of Personal Data

Regulation on Erasure, Destruction and Anonymization of Personal Data that entered into force as of January 1, 2018 after its promulgation in the issue of the Official Gazette of October 28, 2017 and numbered 30224.

LPPD

Law on the Protection of Personal Data, entered into force after its promulgation in the issue of the Official Gazette of April 7, 2016 and numbered 29677.

PDP Committee

Personal Data Protection Board

PDP Authority

Personal Data Protection Authority

Art.

Article

E.g.

Example

Policy

Simit Sarayı Personal Data Protection and Confidentiality Policy

Company / Simit Sarayı

Simit Sarayı Yatırım ve Ticaret A.Ş.

Turkish Criminal Code

The Turkish Criminal Code dated September 26, 2004 and numbered 5237, promulgated in the issue of the Official Gazette of October 12, 2004 and numbered 25611.