Artı & Artı
KVKK-ENGLISH

Document Title: Personal Data Protection and Processing Policy of Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş.

Target Audience: All natural persons whose personal data are processed by Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş., including employees, job applicants, suppliers, shareholders, company officers, employees of companies with which the Company cooperates, and other relevant data subjects.

Prepared by: Board of Directors of Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş.

This Policy shall be updated from time to time in order to ensure compliance with amendments to the applicable legislation.

  1. PURPOSE

Law No. 6698 on the Protection of Personal Data (“KVKK” or the “Law”) was published in the Official Gazette dated 7 April 2016 and numbered 29677. The Law aims to protect the fundamental rights and freedoms of natural persons whose personal data are processed—particularly the right to privacy, which is also protected under the Constitution—and to set forth the obligations of natural and legal persons who process personal data.

The purpose of this Policy is to define the implementation rules and relevant obligations to ensure that Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. and its Group Companies (“Artı ve Artı”) process and protect personal data belonging to data subjects in compliance with the Law.

  2. SCOPE

Within the scope of this Policy, data subjects include customers, individual customers, job applicants, employees, company shareholders, company officers, visitors, employees/shareholders/officers of companies with which we cooperate, and third parties whose personal data are processed by automated means or by non-automated means, provided that such processing forms part of a data recording system. This Policy applies to all activities carried out for the processing and protection of personal data that are owned by or managed by Artı ve Artı.

This Policy has been prepared in accordance with the Law and other relevant legislation.

Artı ve Artı shall provide all employees with adequate training and supporting reference materials to ensure the proper protection of company assets.

This Policy sets out the essential control measures that everyone within Artı ve Artı is expected to know and continuously comply with.

  3. DEFINITIONS AND ABBREVIATIONS

This section briefly explains the specific terms and expressions, concepts, abbreviations, etc. used in this Policy.

Explicit Consent: Consent given freely, based on being informed, for a specific subject matter, and limited to the purpose of processing.

Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person in any manner whatsoever, even by matching with other data.

ARTI VE ARTI: Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. and its Group Companies.

Employee: An employee of Artı ve Artı.

Group Company: A legal entity in which Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. and/or its shareholders, directly or indirectly, individually or jointly, hold at least 50% of the share capital, dividend entitlement, or voting rights. Subject to a resolution by the Boards of Directors of the relevant companies and in addition to the legislation of the country in which they are established, this definition also includes companies in which Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. and/or its shareholders hold an interest below the aforementioned ratio.

Service Provider: An employee of a company from which Artı ve Artı receives and/or to which it provides services (supplier, subcontractor, customer, etc.).

Data Subject (Relevant Person): The natural person whose personal data are processed.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, whether wholly or partially by automated means, or by non-automated means provided that it forms part of a data recording system, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or preventing use.

Board: Personal Data Protection Board.

Authority: Personal Data Protection Authority.

KVKK: Law No. 6698 on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.

Special Categories of Personal Data: Data defined as such under Article 6 of the Law.

Policy: Artı ve Artı Personal Data Protection and Processing Policy.

Data Processor: A natural or legal person that processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller: A natural or legal person that determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system, and obliged to register with the Data Controllers’ Registry.

  4. ROLES AND RESPONSIBILITIES

4.1 Data Controller

Under the Law, any operation performed on personal data—such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or preventing use—whether wholly or partially by automated means or by non-automated means forming part of a data recording system, constitutes the processing of personal data.

Artı ve Artı is responsible for establishing and managing the data recording system by determining the purposes and means of processing personal data recorded in its database, and declares that, once the Data Controllers’ Registry becomes operational, it shall complete its registration and acquire the status of a registered data controller.

4.2 Data Controller Representative

For all Group Companies within Artı ve Artı, when the Data Controllers’ Registry is established, a data controller representative shall be appointed for the registration process. This person shall be a specialist responsible for managing and carrying out activities related to the protection and processing of all personal data, the implementation of security measures, and the conduct of regular audits.

4.3 Data Processor

Natural or legal persons who process personal data on behalf of Artı ve Artı based on the authority granted by Artı ve Artı (e.g., contractors, suppliers) shall be deemed data processors.

Where personal data are processed on behalf of Artı ve Artı by another natural or legal person, Artı ve Artı (as the data controller) and the data processors shall be jointly responsible for taking necessary measures. Artı ve Artı, as the data controller, periodically audits the data processors’ compliance with this Policy to ensure that the trust of data subjects who share their personal data with Artı ve Artı is equally maintained by its business partners, service providers, suppliers, and contractors.

  5. LEGAL OBLIGATIONS

Pursuant to the Law, Artı ve Artı has legal obligations regarding the protection and processing of personal data. These obligations are as follows:

5.1 Obligation to Inform

During the collection of personal data, Artı ve Artı is obliged to inform the data subject and, within this scope, provide information on the following:

  • The identity of the data controller and, if any, its representative,
  • The purposes for which personal data will be processed,
  • To whom and for what purposes the processed personal data may be transferred,
  • The method and legal basis of collecting personal data,
  • The rights of the data subject.

Within the scope of its obligation to inform, Artı ve Artı shall inform data subjects about the processing of their personal data through various means. Artı ve Artı also places importance on ensuring that publicly available policies are comprehensible to data subjects. Artı ve Artı’s websites contain information on the matters stated above.

The internal policies specify which tools will be used to inform data subjects and how such information will be provided.

5.2 Obligation to Provide Information

Pursuant to Article 11 of the Law, the rights of the data subject from whom personal data are obtained are as stated in Section 11 of this Policy. Pursuant to Article 13 of the Law, Artı ve Artı is obliged to evaluate requests regarding such rights and inform data subjects within the legally prescribed period.

Such requests must be submitted to Artı ve Artı in writing or through other methods to be determined by the Board. Without contradicting the Board’s decisions, Artı ve Artı endeavors to provide additional facilities to data subjects for submitting applications.

5.3 Obligation to Ensure Data Security

As the data controller, Artı ve Artı’s obligations regarding data security arising from Article 12 of the Law are set out in Section 10 of this Policy.

5.4 Obligation to Register with the Data Controllers’ Registry

Pursuant to Article 16 of the Law, Artı ve Artı is obliged to register with the Data Controllers’ Registry within the period determined and announced by the Board.

Pursuant to Article 16/3 of the Law, considering objective criteria to be determined by the Board—such as the nature and number of processed personal data, whether processing arises from law, or whether data are transferred to third parties—an exemption from the obligation to register may be introduced for some of the Group Companies.

  6. CLASSIFICATION OF PERSONAL DATA

6.1 Personal Data

The Law defines personal data as any information relating to an identified or identifiable natural person. Accordingly, the person must be identified or identifiable (i.e., the person can be reached when combined with another piece of information). A person’s name, surname, date and place of birth, identity number, social security number, phone number, address, images, payment information, health information, and similar information fall within the definition of personal data.

The Law applies to natural persons whose data are processed; legal entities are outside its scope. Therefore, information such as registry numbers, trade names, and registry records of a legal entity that do not include information about a natural person are not protected as personal data under the Law.

6.2 Special Categories of Personal Data

Special categories of personal data are information that may lead to the data subject’s victimization or discrimination if learned. Article 6(1) of the Law lists such data as: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Processing special categories of personal data is prohibited without the explicit consent of the data subject, except in cases expressly permitted by law.

Accordingly, Artı ve Artı does not process such personal data unless permitted under the Law, or otherwise processes them in compliance with the conditions set forth in Article 6 of the Law by obtaining the data subject’s explicit consent.

  7. PERSONAL DATA PROCESSING POLICY

7.1 Principles to be Observed in the Processing of Personal Data

All collected personal data must be processed in accordance with the principles set out in Article 4 of the Law and in compliance with the conditions specified in Articles 5 and 6. Pursuant to Article 4, Artı ve Artı is responsible for processing personal data in a manner that is lawful and in line with the rules of good faith; accurate and, where necessary, up to date; for specific, explicit, and legitimate purposes; limited and proportionate to the purposes; and retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed (see Section 9).

This means that:

  • Artı ve Artı must act in accordance with the principles prescribed by laws and other legal regulations while processing personal data.
  • Artı ve Artı must be transparent in processing personal data as required by the rules of good faith and must comply with its obligations to inform and provide clarification.
  • Artı ve Artı must process personal data for legitimate and specific reasons, i.e., only for limited purposes that are explicitly determined and lawful.
  • Artı ve Artı must process personal data in connection with the activities it carries out.
  • Artı ve Artı must process personal data only to the extent necessary. In this respect, the principle of proportionality must be observed and personal data must not be used beyond what the purpose requires. In addition, processing personal data that is not needed or is not required must be avoided.
  • Artı ve Artı must retain personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed (see Section 9) and must not store such data beyond this period for any reason without anonymizing them. Where no retention period is specified in the legislation, reasonable retention periods shall be determined considering the purpose of use and company procedures, and data shall be retained only for such period. Following the expiration of these periods, personal data shall be deleted, destroyed, or anonymized in accordance with company procedures.

7.2 Purposes of Processing Personal Data by Artı ve Artı

Artı ve Artı processes personal data within the purposes and conditions set out in Articles 5 and 6 of the Law, limited to the grounds for processing personal data and special categories of personal data. These purposes and conditions are as follows:

  • Processing of personal data is expressly provided for by laws,
  • Processing of personal data by Artı ve Artı is directly related to and necessary for the establishment or performance of a contract,
  • Processing of personal data is mandatory for Artı ve Artı to fulfill its legal obligations,
  • Processing of personal data by Artı ve Artı is limited to the purpose of disclosure, provided that the personal data have been made public by the data subject,
  • Processing of personal data by Artı ve Artı is mandatory for the establishment, exercise, or protection of the rights of Artı ve Artı, the data subject, or third parties,
  • Processing of personal data is mandatory for the legitimate interests of Artı ve Artı, provided that it does not harm the fundamental rights and freedoms of the data subject,
  • Processing of personal data is mandatory to protect the life or physical integrity of the data subject or another person where the data subject is unable to express consent due to actual impossibility or legal invalidity,
  • For special categories of personal data other than health and sexual life, processing is permitted by laws,
  • For special categories of personal data relating to health and sexual life, processing is carried out by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.

Within this scope, Artı ve Artı processes your personal data for the following purposes:

  • Planning, auditing, and execution of information security processes,
  • Planning and execution of corporate sustainability activities,
  • Event management,
  • Management of relationships with business partners or suppliers,
  • Execution of recruitment processes for Artı ve Artı personnel,
  • Supporting recruitment processes of the Company and Group Companies,
  • Execution/follow-up of Artı ve Artı financial reporting and risk management processes,
  • Execution/follow-up of Artı ve Artı legal affairs,
  • Planning and execution of corporate communication activities,
  • Planning and execution of corporate governance activities,
  • Conducting company and corporate law transactions,
  • Request and complaint management,
  • Ensuring the security of Artı ve Artı assets,
  • Supporting Group Companies in compliance with relevant legislation,
  • Supporting the planning and execution of fringe benefits and entitlements to be provided to senior executives of Artı ve Artı,
  • Planning and execution of audit activities to ensure that the activities of Group Companies are carried out in compliance with Artı ve Artı procedures and relevant legislation,
  • Supporting Group Companies in conducting company and corporate law transactions,
  • Carrying out activities to protect the reputation of Artı ve Artı,
  • Management of investor relations,
  • Providing information to authorized institutions as required by legislation,
  • Creating visitor records.

If the processing activity carried out for the above-mentioned purposes does not meet any of the conditions stipulated under the Law, Artı ve Artı shall request the data subject’s explicit consent for the relevant processing activity.

7.3 Ensuring Lawful Processing of Personal Data

To ensure the lawful processing of personal data, Artı ve Artı is obliged to:

  • Take the technical measures listed below,
  • Establish an internal organization to ensure lawful processing and storage of personal data,
  • Create technical infrastructure to ensure the security of databases in which personal data will be stored,
  • Ensure auditing of the established technical infrastructure and processes,
  • Determine procedures for reporting on the technical measures taken and audit processes.

Artı ve Artı also takes the following administrative measures to ensure the lawful processing of personal data:

  • Inform and train company employees regarding the lawful protection and processing of personal data,
  • Record the measures to be taken in cases where company employees process personal data unlawfully in contracts, documents, or policies executed with employees,
  • Audit the personal data processing activities of its data processors and partners.

  8. PERSONAL DATA TRANSFER POLICY

8.1 Domestic Transfer of Personal Data

Artı ve Artı is obliged to act in accordance with the provisions of the Law and the decisions and regulations issued by the Board regarding the transfer of personal data. Personal data and special categories of personal data belonging to data subjects may not be transferred to other natural or legal persons without the data subject’s explicit consent.

However, in cases mandated by the Law and other relevant legislation, data may be transferred without the data subject’s explicit consent to authorized administrative or judicial authorities within the limits and procedures stipulated in the legislation.

In addition, pursuant to Article 8 of the Law, personal data may be transferred without the data subject’s consent in the cases set out in Article 5(2) of the Law (e.g., being mandatory for the establishment or performance of a contract or for fulfilling a legal obligation) or, for special categories of personal data, in the cases set out in Article 6(3) of the Law.

Artı ve Artı may transfer personal data to third parties located in Türkiye in accordance with the conditions stipulated by law and by taking all necessary security measures.

8.2 Transfer of Personal Data Abroad

Artı ve Artı may transfer personal data to third parties in Türkiye, and may also transfer personal data abroad either by processing them in Türkiye or for processing and retention outside Türkiye. In exceptional cases where explicit consent is not required for transfer under the Law, in addition to the conditions for processing/transfer without consent, it is required that the country to which the data will be transferred provides adequate protection. The Board shall determine whether adequate protection is provided pursuant to the mandatory provision of the Law. Where adequate protection is not available, both the data controllers in Türkiye and in the relevant foreign country must undertake in writing to provide adequate protection, and the Board’s authorization must be obtained.

8.3 Recipients / Categories of Recipients

Authorized institutions and organizations:
Information requested within the scope of applicable legislation by public legal entities and legally authorized private persons or organizations is shared pursuant to Article 8/1 of the Law.

For the purposes set out in Section 7.2, other persons or organizations to whom personal data may be transferred include: subsidiaries and/or direct/indirect domestic/foreign affiliates, and domestic/foreign institutions and other third parties from whom services are obtained, with whom cooperation is established, or who act as program partners under relevant agreements—jointly and severally responsible together with Artı ve Artı for taking data security measures such as retention of personal data, prevention of unauthorized access, and prevention of unlawful processing.

8.4 Measures Taken by Artı ve Artı for Lawful Transfer of Personal Data

Technical measures:
Artı ve Artı takes measures to prevent unauthorized access and use of personal data that are processed and transferred, or obtained as a result of transfer, by different Group Companies within Artı ve Artı, different departments within such Group Companies, and natural or legal persons who process personal data on behalf of Artı ve Artı within the scope of its responsibilities and authority under the Law.

Administrative measures:
Internal policies have been established regarding how access to personal data shall be granted, to whom, and for which processing purposes by different Group Companies within Artı ve Artı, different departments within such Group Companies, and natural or legal persons who process personal data on behalf of Artı ve Artı within the scope of its responsibilities and authority under the Law.

  9. PERSONAL DATA RETENTION POLICY

9.1 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing

Pursuant to Article 7 of the Law and Article 138 of the Turkish Penal Code No. 5237, Artı ve Artı retains personal data it processes only for the period stipulated in the relevant legislation or, where no period is stipulated, for the period required by the purpose of processing. The retained data shall be deleted once the purpose of retention ceases. Although this period is determined as two (2) years on average, data for which a longer retention period is prescribed by legislation shall remain in the system for the period specified in such legislation.

For this reason, different retention periods may apply for each personal data depending on the period stipulated in the relevant legislation or required for the purpose of processing. For example, pursuant to Article 253 of the Tax Procedure Law No. 213, books and records must be retained for five (5) years.

Another example is that, pursuant to the Regulation on Commercial Communication and Commercial Electronic Messages published in the Official Gazette dated 15 July 2015 and numbered 29417, where the data subject withdraws consent for the use of personal data for marketing or promotional purposes, the records of personal data must be retained for one (1) year from that date. The content of the commercial electronic message and all other records related to the dispatch shall be retained for three (3) years to be submitted to the relevant Ministry when necessary.

On the other hand, data may be processed for more than one purpose. In such cases, once all reasons requiring the processing of the relevant data cease to exist, the relevant data shall be deleted, destroyed, or retained in anonymized form.

Measures Taken by Artı ve Artı Regarding Retention of Personal Data
Personal data processed in accordance with the Law and other relevant legislation must be deleted, destroyed, or anonymized by Artı ve Artı, either ex officio or upon the data subject’s request, in a manner that prevents any use and recovery, when the reasons requiring processing cease to exist. The procedures and principles for the lawful destruction or anonymization of personal data shall be fulfilled in accordance with the principles and rules set out in the regulation to be issued under the Law.

Technical measures:
Necessary systems and audit mechanisms regarding deletion, destruction, and anonymization of personal data are established by Artı ve Artı.

Administrative measures:
Artı ve Artı, based on its responsibilities and authority under the Law, informs and raises awareness of natural or legal persons who process personal data on behalf of the Group regarding the lawful retention of personal data; and ensures, within the framework of agreements executed with such persons, that they take measures for the lawful retention and deletion, destruction, or anonymization of personal data.
Artı ve Artı is obliged to audit the personal data retention activities carried out by natural or legal persons who process personal data on behalf of the Group based on its responsibilities and authority under the Law.

  10. PERSONAL DATA SECURITY POLICY

10.1 Artı ve Artı’s Obligations Regarding Data Security

Pursuant to Article 12 of the Law, Artı ve Artı, as the data controller, has the following obligations regarding data security:

To take all necessary technical and administrative measures to:

  • prevent unlawful processing of personal data,
  • prevent unlawful access to personal data,
  • ensure the retention of personal data,

To conduct or have conducted the necessary audits within its organization,

To take necessary measures to ensure that persons who process personal data on its behalf, or authorized persons in its organs, do not disclose personal data learned during their duties to others in violation of the provisions of the Law or use such data for purposes other than processing, even after leaving their duties,

To notify the data subject and the Board where processed personal data are obtained by third parties through unlawful means.

10.2 Measures Taken by Artı ve Artı Regarding Data Security

In order to fulfill obligations related to personal data security and to act swiftly in cases where security poses a risk, Artı ve Artı takes the measures listed below:

10.2.1 Technical and administrative measures taken to prevent unlawful access to personal data

The technical and administrative measures to be taken regarding the processing, transfer, and retention of personal data are set out in the relevant sections. Although Artı ve Artı is obliged to take these measures in full and prevent unlawful access, if unlawful access by third parties nevertheless occurs, Artı ve Artı shall take all technical and administrative measures in accordance with the relevant legislation and Board decisions to prevent harm to data subjects.

The measures taken for the protection of personal data and their audits are periodically monitored and audited by following up whether the data recording systems used within the Company have been established and are being used in compliance with the Law and relevant legislation, and reporting is made to the authorized person or committee.

Artı ve Artı is obliged to inform and raise awareness of natural or legal persons who process personal data on its behalf based on the authority granted by it regarding the lawful protection of personal data, and to determine provisions in agreements executed with such persons to ensure lawful protection of personal data.

10.2.3 Measures to be taken in case of unauthorized disclosure of personal data

Artı ve Artı is obliged to take measures and establish internal policies to prevent unauthorized disclosure of personal data. In addition, in such cases, Artı ve Artı, as the data controller, is obliged to inform the persons whose personal data have been disclosed without authorization and the Board.

  11. RIGHTS OF THE DATA SUBJECT

11.1 Right of Access to Personal Data

Data subjects have the right to access their personal data free of charge. Accordingly, Artı ve Artı informs the data subject that they have the right to:

  • learn whether their personal data are processed,
  • request information if their personal data have been processed,
  • learn the purpose of processing and whether such data are used in accordance with the purpose,
  • know the third parties to whom personal data are transferred domestically or abroad.

11.2 Right to Rectification or Erasure of Personal Data

Data subjects have the right to rectify or erase their personal data free of charge.

Within this scope, the data subject has the right to:

  • request correction of personal data if processed incompletely or inaccurately,
  • request deletion or destruction of personal data where the reasons requiring processing cease to exist,
  • request that the correction, deletion, or destruction operations mentioned above be notified to third parties to whom personal data have been transferred,
  • object to any result to their detriment that arises from the analysis of processed data exclusively through automated systems.

11.3 Ensuring the Accuracy and Currency of Personal Data

Pursuant to the Law, there is an obligation to ensure that personal data are accurate and, where necessary, up to date. Therefore, for personal data to be kept accurate and up to date, the data subject must notify Artı ve Artı of any changes in their current status by sending such notification (together with documents verifying and evidencing identity) via registered mail with return receipt or through a notary public to the corporate address: Rüzgarlıbahçe Mah. Cumhuriyet Cad. Bozkurt Sok. Acarlar İş Merkezi F. Blok, No:3, 34000 Kavacık/Beykoz/İstanbul.

  12. ARTI VE ARTI’S RESPONSE TO APPLICATIONS

Applications regarding the personal data processing activities of the Group Companies must be submitted to the relevant Group Company. Applications to Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. must only be submitted where this company is deemed the data controller under the Law. This may occur where Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. directly collects personal data from the data subject, or where data sharing between the relevant Group Company and Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş. qualifies as a data transfer from one data controller to another under the Law. Other than these cases, applications regarding personal data processing activities for which the relevant Group Company is deemed the data controller must be submitted to the relevant Group Company, not to Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş.

12.1 Procedure and Time for Responding to Applications

To enable the fastest possible access to personal data processed by Artı ve Artı and the exercise of the rights stated above, data subjects may submit requests to Artı ve Artı. Artı ve Artı establishes the necessary application channels to meet such access requests. Applications shall be responded to as soon as possible and, in any event, within the period prescribed under the Law.

Data subjects must apply to the representative to be announced by Artı ve Artı and, once the legal infrastructure is in place, to be published in the Data Controllers’ Registry. The data controller representative shall finalize requests regarding the processing and protection of personal data, depending on their nature, as soon as possible and, in any event, within thirty (30) days—free of charge or, where the conditions set out in the tariff to be published by the Board regarding fees are met, in return for the fee in the tariff.

For this period to commence, requests must be submitted to the representative in writing or through other methods determined by the Board, and must be accompanied by documents verifying and evidencing the data subject’s identity. Until a method is determined by the Board, applications must be made in writing. When submitting an application, the data subject must clearly indicate which right is being exercised and, where applicable, send supporting information and documents via registered mail with return receipt or through a notary public to the corporate address of Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş., Rüzgarlıbahçe Mah. Cumhuriyet Cad. Bozkurt Sok. Acarlar İş Merkezi F. Blok, No:3, 34000 Kavacık/Beykoz/İstanbul.

Requests submitted by the data subject shall be accepted by the data controller representative or rejected with justification, and the response shall be provided in writing or electronically. If the application is accepted, the necessary action shall be taken by Artı ve Artı, and where the application results from Artı ve Artı’s fault, any fee collected shall be refunded to the data subject. In certain cases, requests regarding the processing/rectification/erasure of personal data cannot be approved due to legal obligations or other grounds set out under Articles 5 and 6 of the Law. In such case, the rejection response shall set out the reasons in detail and state the legal basis.

Where the application is rejected by Artı ve Artı, the response is deemed insufficient, or no response is provided within the prescribed period, the data subject has the right to lodge a complaint with the Board within thirty (30) days from the date of learning the response and, in any event, within sixty (60) days from the date of application.

12.2 Information That Artı ve Artı May Request from the Applicant Data Subject

Artı ve Artı may request information from the applicant in order to determine whether the applicant is the data subject. Artı ve Artı may also ask the data subject questions regarding the application in order to clarify the matters stated therein.

12.3 Artı ve Artı’s Right to Reject the Data Subject’s Application

Artı ve Artı may reject the application of the applicant by explaining the reason in the following cases:

  • Processing of personal data by natural persons within the scope of activities relating solely to themselves or to family members living in the same household, provided that such data are not disclosed to third parties and obligations regarding data security are complied with,
  • Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics,
  • Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, and does not constitute a crime,
  • Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security,
  • Processing of personal data by judicial authorities or enforcement offices in relation to investigation, prosecution, trial, or execution proceedings,
  • Processing being necessary for the prevention of crime or criminal investigation,
  • Processing of personal data made public by the data subject,
  • Processing being necessary for the performance of supervisory or regulatory duties, or for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations having the status of public institutions, based on authority granted by law,
  • Processing being necessary for the protection of the State’s economic and financial interests relating to budget, taxes, and financial matters,
  • The data subject’s request may impede the rights and freedoms of others,
  • Requests requiring disproportionate effort,
  • The requested information is publicly available.

  1. RELATIONSHIP OF THE ARTI VE ARTI GROUP PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES

In addition to internal sub-policies related to personal data protection and processing that are associated with the principles set out in this Policy, Artı ve Artı may establish fundamental policies for the Group Companies.

The principles of Artı ve Artı’s internal policies are, to the extent relevant, reflected in publicly available policies to ensure that data subjects are informed accordingly, and to provide transparency and accountability regarding Artı ve Artı’s ongoing personal data processing activities.

  1. PUBLICATION AND RETENTION OF THE DOCUMENT

This data policy shall be notified to users whose personal data are held, together with the clarification obligation under the Law, and shall also be published on websites affiliated with Artı ve Artı.

  1. UPDATE FREQUENCY

In the event of any amendment based on Artı ve Artı’s economic and commercial decision or the principle decisions of the Personal Data Protection Board, such amendment shall be recorded and notified to our members whose data are recorded through the channel by which they registered.

  1. EFFECTIVE DATE

This data policy enters into force on the date of its publication and remains in force until it is removed from the website.

Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş., 2019

This document may not be reproduced or distributed without the written permission of Artı ve Artı Teknoloji Hizmetleri San. ve Tic. A.Ş.
