Personal Data Processing Policy

  1. ARTICLE - INTRODUCTION
    • 1.1. Introduction

      With the Law No. 6698 on the Protection of Personal Data ("Law"), important obligations have been imposed on personal data processors in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life. Headquarters address Beylikdüzü OSB Mah. Hürriyet Bulvarı No:10/9, 34524 Beylikdüzü Istanbul, Ekom Elektrik Elektronik Sanayi ve Ticaret Anonim Şirketi ("Company"), registered in the Istanbul Trade Registry, takes a meticulous and sensitive approach to fulfill the relevant obligations and to ensure that all data processing processes comply with the legislation. For this purpose, the Company's personal data processing processes have been determined in this Personal Data Processing and Protection Policy ("Policy") in all its dimensions based on the Law and the relevant legislation.

    • 1.2. Purpose and Scope
      • 1.2.1. Objective

        This Policy has been prepared in order to inform the persons and employees of the following data categories within the scope of the Company's personal data processing and protection activities, to create a detailed guide on the processes, principles and principles adopted by the Company, and to inform those concerned about the practices it has developed and implemented to fulfill its obligations arising from the Law and relevant legislation.

      • 1.2.2. Scope

        The relevant data subject groups subject to the Policy are detailed below. The personal data of natural persons in the categories of data subjects whose personal data are processed by the Company, such as employees, employee candidates, employee family relatives, supplier representatives, customers and visitors, are processed and protected by automatic means or non-automatic means as part of a data recording system within the framework of the provisions of this Policy.

        Data Subject Person Group Explanations
        “Employee” Refers to persons who have a service contract with the Company.
        “Employee Candidate” Refers to the persons who are taken into the evaluation process by the Company to make a service contract with the Company.
        “Working Relative” Family relatives of company employees such as spouses and children.
        “Customer” Refers to natural persons to whom the Company offers its products and/or services, whom the Company considers as customers through verbal or written agreements, or whose data is processed by considering them as prospective customers in line with the operations of the Company departments.
        “Customer's Representative” It refers to real persons working within legal entities to whom the Company offers its products and/or services, whom the Company considers as customers through verbal or written contracts, or whose data is processed by being considered as a customer candidate in line with the operations of the Company departments.
        “Supplier Representative” It refers to the real persons from whom the Company receives products and services within the framework of a contractual relationship or the officials and employees of legal entities from whom the Company receives products and services within this scope.
        “Visitors” It refers to the locations where the Company operates and the people who visit the Company's e-commerce website and corporate website.
        “Third Parties” Refers to persons whose personal data are not defined under a separate heading in the Policy and whose personal data are processed in accordance with the provisions of the Policy.

    • 1.3. Policy and Applicable Law

      This Policy aims to ensure that the obligations imposed by the Law and the relevant legislation on personal data processing are fulfilled in a systematic manner. Since the priority and sensitivity of our Company is "to act in accordance with the legislation in order to protect the right of individuals to protect their personal data arising from the Constitution of the Republic of Turkey", in case of a conflict between this Policy and the provisions of the Applicable Law, our Company will work for the implementation of the Applicable Law.

    • 1.4. Enforcement and Amendment of the Policy

      This Policy has been prepared under the meticulous work and leadership of the Company's Personal Data Protection Commission and has entered into force upon approval by the authorized body. It will be audited by the Personal Data Protection Commission every 6 months and, if necessary, relevant changes will be made to comply with the relevant current legislation. These changes will be published on the Website with the approval of the authorized body of the Company. Upon request, in the light of the legislative limits and at the initiative of the Company, it may be presented to the information of the Data Subjects through different channels.

  2. ARTICLE - DEFINITIONS
    Definition Explanations
    Buyer Group Refers to the category of natural or legal person to whom personal data is transferred by the data controller.
    Online Space It refers to the Company's website www.e-kom.com and e-commerce website www.e-komponent.com.
    Contact Person Employees whose personal data are processed. It can be used instead of Employee in the Clarification Text.
    Personal Data Any information relating to an identified or identifiable natural person.
    Processing of Personal Data It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
    Sensitive Personal Data Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
    Data Category It refers to the class of personal data belonging to the data subject group or groups of persons in which personal data are grouped according to their common characteristics.
    Data Subject Person Group Refers to the category of data subjects whose personal data are processed by data controllers.
    Board Personal Data Protection Board.
    Demand Management Procedure It refers to the guiding procedure that determines the details of the Data Subject's right to apply to the Company, which is the Data Controller recognized in Article 11 of the Law, and the Company's response process regarding the application.
    Data Controller It refers to the natural or legal persons who determine the purposes and means of processing personal data, who are responsible for the establishment and management of the data recording system, and the Company responsible for this activity in the context of this Clarification Text.
    Website It refers to the corporate website and e-commerce site where the Company carries out its online activities.

  3. ARTICLE - PROCESSING OF PERSONAL DATA

    While designing the processes of processing personal data of each data subject group, the Company acts in accordance with the provisions stipulated in the Law from the first moment of contact with personal data to the last moment of destruction of personal data. One of the main purposes of this Policy is to transparently inform the relevant persons about our Company's personal data processing and protection principles. The methodology adopted in the Policy is based on the goal that "the Data Subject follows the personal data's journey within the Company from beginning to end". For this reason, the Data Subject will find answers to the following questions respectively in this article.

    1. Which categories of personal data does the Company process?
    2. Which sensitive personal data does the Company process?
    3. How has the Company structured the processes of informing the Data Subject and obtaining the Data Subject's Explicit Consent? What are the situations where the Company processes data without Explicit Consent?
    4. What principles does the Company adopt when processing personal data?
    5. For what purposes does the Company process personal data?
    6. In which environments does the Company record and store personal data?
    7. To which recipient groups in Turkey and abroad does the Company transfer personal data?
    8. What is the Company's retention and destruction policy for personal data processed by the Company?

    • 3.1. Categories of Data Processed by the Company

      In the light of the principles in Article 4 of the Law and limited to the conditions in Articles 5 and 6 of the Law, the Company processes data in the following data categories within the purposes specified in Article 3.5 of the Protocol.

      Data Category Description
      Identity It refers to information such as name-surname, Turkish ID number, nationality, parents' name, place of birth, date of birth, gender, workplace information, blood group, registration no., tax number, title, biography, which is processed automatically or non-automatically provided that it is part of the data recording system of an identified or identifiable natural person, such as identity card, residence card, driver's license, passport, lawyer's ID, marriage certificate and similar documents.
      Contact It refers to information such as telephone, e-mail, fax number, social media accounts, etc. belonging to an identified or identifiable natural person, which are processed automatically or non-automatically provided that they are part of the data recording system.
      Personnel Educational status, certificate and diploma information, foreign language information, education and skills, CV, courses taken, leave, seniority base date, leave seniority additional days, leave group, departure/return date, day, reason for leave, address/phone, position name, department and unit title, last date of employment, dates of entry and exit, insurance entry/pension, social security number, flexible working hours, travel status, number of working days, projects worked, total monthly working hours, severance pay base date, severance pay additional days, days on strike, employee internet access logs, all kinds of personal data processed for the purpose of obtaining entry and exit logs, and the performance, training and skills required for the employee to progress in his/her position, information on which training he/she received on which date, e-mail, signed participation form, customer interview quality evaluation form, monthly performance evaluation and target realization status, activity information, such as information processed by automatic or non-automatic means provided that it is part of a data recording system belonging to an identified or identifiable natural person.
      Legal Action It refers to information processed by automatic means or non-automatic means, provided that it is part of a data recording system, belonging to an identified or identifiable natural person, such as attachment notices and similar court/execution offices documents.
      Customer Transaction It refers to information such as waybills, invoice information and order information belonging to an identified or identifiable natural person, which is processed automatically or non-automatically provided that it is part of the data recording system.
      Physical Space Security Personal data related to the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings, vehicle license plate information, records taken at the security point, voice recordings taken in telephone calls, such as camera recordings, vehicle license plate information, records taken at the security point, voice recordings taken in telephone calls, etc. It refers to information belonging to an identified or identifiable natural person that is processed automatically or non-automatically provided that it is part of the data recording system.
      Process Security Internet traffic data refers to information such as network movements, IP address, visit data, time and date information belonging to an identified or identifiable natural person, which is processed automatically or non-automatically provided that it is part of a data recording system.
      Finance Bank account number, bank account information, (IBAN no, account holder, etc.) credit card information, financial and salary details of employees, payrolls, premium entitlements, premium amounts, file and debt information related to execution proceedings, bank passbook, minimum subsistence allowance information, private health insurance amount, etc. It refers to information that belongs to an identified or identifiable real person, such as bank passbook, minimum subsistence allowance information, private health insurance amount, which is processed automatically or non-automatically provided that it is part of the data recording system.
      Professional Experience It refers to information processed by automatic means or non-automatic means provided that it is part of the data recording system of an identified or identifiable natural person, such as the former workplaces of the employee and the professional certificates acquired.
      Marketing It refers to information processed by automatic means or non-automatic means, provided that it is part of the data recording system, belonging to an identified or identifiable natural person, such as user behavior obtained through cookie technology.
      Audio and Visual Recordings It refers to information such as photographs, audio and video recordings of an identified or identifiable natural person, which are processed automatically or non-automatically provided that they are part of a data recording system.
      Other Information Personality test inventory results, identity and contact information of family members, performance evaluation, movable information allocated to the employee, such as the result of the personality test inventory, identity and contact information of family members, performance evaluation, information processed by automatic or non-automatic means provided that it is part of the data recording system of an identified or identifiable natural person.

    • 3.2. Categories of Data Processed by the Company

      In Article 6 of the Law, Data Categories that are subject to special treatment due to the risk that their processing may cause discrimination in society have been determined and these Data Categories are called Special Categories of Personal Data. The Company endeavors to process Special Categories of Personal Data only in mandatory cases and as narrowly as possible. The Company takes all necessary administrative and technical measures to protect the Special Categories of Personal Data it processes. It ensures the effective and reliable execution of the administrative and technical measures taken through regular audits under the management of the Personal Data Protection Commission.
      Sensitive Personal Data related to health and sexual life;

      1. It is expressly provided for in the law; or
      2. In terms of Sensitive Personal Data relating to the health and sexual life of the Data Subject, it may be processed without the explicit consent of the Data Subject if it is processed by persons under the obligation of confidentiality or authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

      Special categories of personal data processed in the Company are subject to a more sensitive treatment in terms of storage conditions. The data obtained within this scope are kept in separate files and locked cabinets and are kept in a limited number and accessible to authorized employees. The categories of Sensitive Personal Data processed by the Company are as follows.

      Special Categories of Personal Data Description
      Association Membership It refers to the information processed by automatic or non-automatic means, provided that it is part of the data recording system, of an identified or identifiable natural person, indicating the associations of which the person is a member.
      Foundation Membership It refers to the information processed by automatic or non-automatic means, provided that it is part of the data recording system, belonging to an identified or identifiable natural person indicating the foundation memberships in which the person is a member.
      Union Membership It refers to the information processed by automatic or non-automatic means, provided that it is part of the data recording system, of an identified or identifiable natural person indicating the union of which the person is a member.
      Health Information It refers to the information processed by automatic or non-automatic means, provided that it is part of the data recording system, of an identified or identifiable natural person indicating the health status of the person in documents such as health report, disability report.

    • 3.3. Informing the Relevant Person and Obtaining Explicit Consent
      • 3.3.1 Methods of Obtaining Personal Data

        The Company obtains personal data through the following methods.

      • 3.3.2 Lighting

        While obtaining personal data, the Company fulfills its obligation to inform in accordance with Article 10 of the Law. During the acquisition of personal data, the Company informs the Data Subjects at least about his/her identity, the purpose for which personal data is processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the other rights of the Data Subject listed under Article 11 of the Law.
        In accordance with the way the personal data is obtained, the Company may fulfill its obligation to inform in physical or electronic media such as verbal, written, voice recording, call center.
        In cases where the personal data processing activity is carried out on the basis of Explicit Consent when the Company receives the personal data of the Data Subject, it fulfills the obligation to inform and obtains Explicit Consent separately.

      • 3.3.3 Explicit Consent

        The Company starts to process personal data after obtaining the consent of the Data Subject with his/her free will regarding the processing of his/her personal data, without prejudice to the exceptional cases where there is no obligation to obtain explicit consent. Explicit consent is based on the processing of personal data of the Data Subject in the relevant data categories limited to the purposes of personal data processing specified during the disclosure made within the scope of Article 3.3.2. and the principles adopted when processing personal data. The Company is aware that the personal data processing activity will be limited to the consent given in this explicit consent. It declares and undertakes that if it wishes to change or increase the purposes of data processing about the relevant data categories, it will inform the Data Subject and obtain a separate explicit consent for this.

      • 3.3.4 Situations where personal data can be processed without explicit consent

        In the following cases, personal data may be processed by the Company without the explicit consent of the Data Subject.

        1. Explicit Provision in the Laws: Explicit consent is not required if there is a provision in the legislation regarding the processing of personal data and data is processed based on this provision. Keeping personal information of the employee in accordance with the Labor Law, including the name and surname information on the invoice in accordance with the Tax Procedure Law can be given as examples of this situation.
        2. It is Mandatory for the Protection of the Life or Physical Integrity of the Person or Someone Else, Who is Unable to Disclose His/her Consent Due to Actual Impossibility or Whose Consent is Not Given Legal Validity: In the event of a de facto impossibility, the Company has the right to process the data of the Data Subject, whose consent cannot be obtained or whose consent is not legally valid, in order to protect his or someone else's life and physical integrity. Processing personal data such as name, surname, blood type, telephone number in order to protect the life of a person who has lost consciousness can be given as an example of this situation.
        3. Processing of Personal Data of the Parties to the Contract is Necessary, Provided that it is Directly Related to the Establishment or Performance of a Contract: The Company has the right to process the personal data of the other party without obtaining explicit consent in order to establish and perform the contracts to which it is a party. Processing the address and account information of the real person addressee in a contract with payment and delivery obligation can be given as an example of this situation.
        4. The Company has the right to process personal data without explicit consent in order to fulfill its legal obligations. An example of this situation is the processing of employee account information in order for the Company to pay its employees their wages.
        5. Publicized by the Data Subject Him/herself: The Company has the right to process personal data provided that the information disclosed and made public by the Data Subject remains within the limits of the purpose of disclosure. An example of this situation is that the Company processes the contact information of its customers who leave contact information for promotion and advertising only for this purpose.
        6. Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right: The Company has the right to process personal data without the explicit consent of the Data Subject for the establishment, exercise or protection of a right. An example of this situation can be given as an example of the Company sending an attachment notice about a former employee and notifying that the person's service contract with the Company has ended.
        7. Data Processing is Mandatory for the Legitimate Interests of the Data Controller, Provided that it does not harm the Fundamental Rights and Freedoms of the Data Subject: The Company has the right to process data provided that it is mandatory for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject. An example of this situation is when it is mandatory for the Company to process the personal data of employees in order to ensure workplace safety.
        8. Sensitive Personal Data: The provisions adopted regarding the processing of sensitive personal data without explicit consent are set out in Article 3.2.
    • 3.4. Principles Regarding Personal Data Processing

      While designing the processes of processing personal data of each data subject group, the Company acts in accordance with the law and good faith from the first moment of contact with personal data to the last moment of destruction of personal data. Takes necessary measures to ensure the accuracy and timeliness of personal data. Processes personal data based on specific, clear and legitimate purposes without ambiguity. Keeps personal data limited to the period stipulated in the relevant legislation or required for the purpose for which they are processed. The Company evaluates each data category in line with these principles while designing the process in accordance with the Law and relevant legislation. Detailed explanations of these principles are given below.

      • 3.4.1. Personal Data Processing Activity Complies with the Law and Good Faith

        The Company acts in accordance with the Law and the provisions stipulated in other legislation when processing personal data. However, while processing personal data, it remains within the limits of honesty rules and does not engage in processing activities that exceed the purpose of processing personal data. It always acts within the limits of legitimate purposes by displaying an attitude that will avoid causing injustice to the Data Subject.

      • 3.4.2. Ensuring that Personal Data Obtained is Accurate and Up-to-Date When Necessary

        The Company takes measures to ensure that the personal data it processes in accordance with this Policy provides reliable, accurate and up-to-date information on the subject it expresses. These measures are evaluated by the Company specifically for each data subject group and data category, and systems are established to ensure information accuracy and timeliness when necessary.

      • 3.4.3. Processing of Personal Data for Specific, Explicit and Legitimate Purposes

        The Company determines the purposes for which it processes the personal data it processes without any ambiguity and obtains explicit consent from the Data Subject within the scope of these purposes. These clear and specific purposes are related to the Company's products and services and are determined to be as much as required by these products and services. These purposes are determined before starting the data processing activity and the Data Subject is informed about the purposes.

      • 3.4.4. Personal Data to be Relevant, Limited and Proportionate to the Purpose for which they are Processed

        The Company processes data for the realization of the specific, explicit and legitimate purposes it has determined and only limited to this. It is aware that a personal data processing activity that does not serve these determined purposes will be contrary to the Law and takes care to process data in moderation with this awareness and sensitivity.

      • 3.4.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

        If a time limit is given in the relevant legislation, the Company keeps the personal data it processes in accordance with these periods. If no such period is stipulated in the relevant legislation, it will be kept for the period required for the purpose. The Company destroys the personal data whose purpose has been realized and the periods required for the purpose have expired in accordance with the Personal Data Retention and Destruction Policy.

    • 3.5. Personal Data Processing Purposes of the Company

      In the light of the principles in Article 4 of the Law and limited to the conditions in Articles 5 and 6 of the Law, the Company processes data for the following purposes;

      1. Execution of emergency management processes,
      2. Execution of information security processes,
      3. Conducting employee candidate, intern and student selection and placement processes,
      4. Carrying out the application processes of employee candidates,
      5. Execution of employee satisfaction and loyalty processes,
      6. Fulfillment of employment contractual and regulatory obligations for employees,
      7. Execution of fringe benefits and benefits processes for employees,
      8. Conducting audit and ethics activities,
      9. Conducting training activities,
      10. Execution of access authorizations,
      11. Execution of activities in accordance with the legislation,
      12. Conducting financial and accounting affairs,
      13. Execution of commitment processes to the company, products and services,
      14. Ensuring physical space security,
      15. Execution of assignment processes,
      16. Follow-up and execution of legal affairs,
      17. Conducting internal audit, investigation and intelligence activities,
      18. Conducting communication activities,
      19. Planning of human resources processes,
      20. Execution and supervision of business activities,
      21. Conducting occupational health and safety activities,
      22. Receiving and evaluating suggestions for improving business processes,
      23. Carrying out activities to ensure business continuity,
      24. Execution of logistics activities,
      25. Execution of goods and service procurement processes,
      26. Providing after-sales support services for goods and services,
      27. Execution of goods and service sales processes,
      28. Execution of goods and services production and operation processes,
      29. Execution of customer relationship management processes,
      30. Conducting activities for customer satisfaction,
      31. Organization and event management,
      32. Conducting marketing analysis studies,
      33. Conducting performance evaluation processes,
      34. Execution of advertising, campaign and promotion processes,
      35. Execution of risk management processes,
      36. Carrying out storage and archive activities,
      37. Execution of contract processes,
      38. Conducting sponsorship activities,
      39. Carrying out strategic planning activities,
      40. Follow-up of requests and complaints,
      41. Ensuring the security of movable property and resources,
      42. Execution of supply chain management processes,
      43. Execution of the remuneration policy,
      44. Execution of marketing processes of products and services,
      45. Ensuring the security of data controller operations,
      46. Foreign personnel work and residence permit procedures,
      47. Execution of investment processes,
      48. Conducting talent/career development activities,
      49. Providing information to authorized persons, institutions and organizations,
      50. Conducting management activities,
      51. Creation and follow-up of visitor records.
    • 3.6. Environments where Personal Data is Recorded and Stored

      Any medium in which personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system, falls within the scope of the recording medium.
      Personal data collected by the Company may be recorded in various media depending on principles such as the nature of the data, the purposes of processing and the frequency of use. The Company's personal data are securely stored in electronic and physical environments in accordance with the relevant legislation and within the framework of international data security principles.
      Electronic Environments:
      Software, cloud, central server, portable media, database.
      Physical Media:
      Environmental systems such as locked or unlocked cabinets, archives, paper, network devices, flash-based media, magnetic tape, magnetic disk, mobile phone, optical disk, printer, door access/security system.
      The Company processes and stores personal data for specific and legitimate purposes, in the light of the principles detailed in the Law and the Policy and in accordance with the retention period stipulated in the Law. The Company has included detailed information about the environments where personal data are recorded and stored in the Personal Data Retention and Destruction Policy. This Policy can be accessed from the Personal Data Storage and Destruction Policy link.

    • 3.7. Transfer of Personal Data
      • 3.7.1. Domestic Personal Data Transfer

        The Company acts in accordance with the following conditions when transferring personal data domestically.

        1. If the Data Subject has explicit consent, it can transfer personal data domestically.
        2. Personal data may be transferred without the explicit consent of the Data Subject if there is a clear regulation in the legislation regarding the transfer of personal data.
        3. Personal data may be transferred to third parties without the explicit consent of the Data Subject if it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and if the personal data owner is unable to disclose his consent due to actual impossibility or if his consent is not legally valid.
        4. Personal data may be transferred to third parties if it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract without the explicit consent of the Data Subject.
        5. Personal data may be transferred to third parties if personal data transfer is mandatory for the Company to fulfill its legal obligation without the explicit consent of the Data Subject.
        6. If personal data is publicized by the personal data owner without the explicit consent of the Data Subject, it may be transferred to third parties limited to the purpose of publicization.
        7. Personal data may be transferred to third parties without the explicit consent of the Data Subject if the transfer of personal data is mandatory for the establishment, exercise or protection of a right.
        8. Personal data may be transferred to third parties without the explicit consent of the Data Subject, provided that it does not harm the fundamental rights and freedoms of the Data Subject, if personal data transfer is mandatory for the legitimate interests of the Company.
      • 3.7.2. Transfer of Personal Data Abroad

        The Company transfers the personal data it processes abroad only with the explicit consent of the Data Subject.

        1. The Company may also transfer the personal data of the Data Subjects abroad without explicit consent. In cases where the country or countries to which the personal data will be transferred (a) is one of the countries declared by the Board to have adequate protection or (b) if it is not one of the countries declared by the Board, permission has been obtained from the Board by obtaining a written commitment from the data controllers in the relevant foreign country providing adequate protection, personal data may be transferred abroad without obtaining explicit consent if one or more of the following conditions are present.
          1. If there is a clear regulation in the legislation regarding the transfer of personal data, it can be transferred abroad.
          2. If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and if the personal data owner is unable to disclose his consent due to actual impossibility or if his consent is not legally valid, it may be transferred abroad.
          3. Personal data may be transferred abroad if it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract without the explicit consent of the Data Subject.
          4. If personal data transfer is mandatory for the Company to fulfill its legal obligation, personal data may be transferred abroad.
          5. If personal data is publicized by the owner, it may be transferred abroad limited to the purpose of publicization.
          6. Personal data may be transferred abroad if personal data transfer is mandatory for the establishment, exercise or protection of a right.
          7. Personal data may be transferred to third parties without the explicit consent of the Data Subject, provided that it does not harm the fundamental rights and freedoms of the Data Subject, if personal data transfer is mandatory for the legitimate interests of the Company.
        2. The Company may transfer Special Categories of Personal Data ; abroad in the light of the principles and purposes set out in this Policy, by applying administrative and technical measures and by obtaining the Explicit Consent of the Data Subject by complying with the special measures taken by the Board. In order for the Company to transfer Special Categories of Personal Data abroad even without obtaining the Explicit Consent of the Data Subject, the country or countries to which the personal data will be transferred (a) must be one of the countries declared by the Board to have adequate protection or (b) if it is not one of the countries declared by the Board, permission must be obtained from the Board by obtaining a written commitment from the data controllers in the relevant foreign country providing adequate protection, and(c) one or more of the following conditions must be present.
          1. Sensitive Personal Data other than health and sexual life: The Company will be able to process Sensitive Personal Data other than health and sexual life without obtaining the explicit consent of the data subject if explicitly stipulated in the legislation.
          2. Sensitive Personal Data related to health and sexual life: For the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, persons under the obligation of confidentiality or authorized institutions and organizations can be processed without seeking explicit consent.
    • 3.8. Personal Data Storage and Destruction Policy

      The Company stores personal data limited to the period stipulated in the relevant legislation. If no retention period is stipulated in the legislation regarding the stored personal data, the Company determines reasonable retention periods in accordance with the purpose of personal data processing and commercial customs and stores personal data for these periods. If the retention periods mentioned in this article expire, personal data shall be deleted, destroyed or anonymized by the Company. The Company has prepared a Personal Data Retention and Destruction Policy to store and destroy personal data in accordance with the legislation. In this Storage and Destruction Policy; the purpose of the preparation of the policy, the recording media regulated by the personal data storage and destruction policy, the definitions of the legal and technical terms included in the personal data storage and destruction policy, the explanation regarding the legal, technical or other reasons requiring the storage and destruction of personal data, the technical and administrative measures taken to ensure the safe storage of personal data and to prevent unlawful processing and access, The technical and administrative measures taken for the destruction of personal data in accordance with the law, the titles, units and job descriptions of those involved in the storage and destruction of personal data, the table showing the storage and destruction periods, periodic destruction periods, and if the existing personal data storage and destruction policy has been updated, the change in question is included.
      This policy can be accessed from the Personal Data Storage and Destruction Policy link.

  4. RIGHTS OF THE DATA SUBJECT
    • 4.1. Rights of the Relevant Person

      The Data Subject has the right to apply to the Company regarding his/her personal data by using the application form attached below;

      1. Learn whether personal data is being processed,
      2. Request information if their personal data has been processed,
      3. To learn the purpose of processing personal data and whether they are used for their intended purpose,
      4. To know the third parties to whom personal data are transferred domestically or abroad,
      5. To request correction of personal data in case of incomplete or incorrect processing,
      6. Request deletion or destruction of personal data,
      7. In the event that personal data is incomplete or incorrectly processed, to request that third parties to whom personal data is transferred be notified of the transactions regarding the correction and/or deletion or destruction of personal data,
      8. To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
      9. In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
    • 4.2. The Company's Demand Management

      The Company has prepared a Procedure in order to protect the rights of the Data Subject regulated in the Law and the relevant legislation and to fulfill its obligations in this regard. In accordance with this Procedure, the Company makes maximum efforts to provide the information requested by the Data Subject by applying to the Company regarding the personal data of the Data Subject free of charge as soon as possible, within thirty days at the latest. If the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged to the Data Subject. As a result of the examination of the request, the Company accepts the request or rejects it by explaining its reasoning and notifies its response to the Relevant Person in writing or electronically. If the request in the application is accepted, the Company shall fulfill the requirements of the request. In case the application is caused by the Company's error, the fee charged shall be refunded to the Relevant Person. Relevant persons shall exercise their rights by filling out the application form, wet signed, via notary public, KEP or electronic mail to Beylikdüzü OSB Mah. Hürriyet Bulvarı No:10/9, 34524 Beylikdüzü İstanbul address or deliver it to the same address in person or by proxy or send it to info@e-kom.com e-mail address. Documents proving his/her identity, documents supporting the request, if any, and if the Relevant Person wishes to exercise this right through his/her proxy, a copy of the power of attorney containing special authorization in this regard must be attached to the form.
      The application form can be accessed from this link.