The groups of individuals whose data is recorded by the company are listed below. In this regard, certain changes may occur in these groups of individuals should a new need arise. The company reserves the right to make changes in this situation.

Candidate/Prospective Employee Refers to the person or persons who submit a CV, job application request, and documents containing personal data within the scope of a job application to us via job platforms, the company website’s contact/career unit, or physically.

Contracted Employee Refers to individuals who have concluded an employment contract with the company and have an existing employment relationship within this scope.

Contracted Employee’s Relative Refers to the first-degree relatives and/or dependents of individuals who are in employee status under the employment agreement.

Customer/Business Partner (Supplier) Refers to the person or groups of persons with whom the company establishes commercial contracts, receives support, establishes commercial project partnerships, and develops purchase/sale relationships within the scope of its sectoral activities.

Supplier Official/Employee Refers to the official and employee within the person or groups of persons with whom the company establishes commercial contracts, receives support, establishes commercial project partnerships, and develops purchase/sale relationships within the scope of its sectoral activities.

Potential Product and Customer Buyer Refers to the person or groups of persons with whom the company may establish a commercial relationship within the scope of its commercial policies.

Product and Service Buyer/Official/Personnel Refers to the person or groups of persons with whom the company establishes a commercial relationship and provides products and services within the scope of its commercial policies.

Visitor Includes all persons who have/do not have an existing contract with the company within the scope of business or commercial law, and who pass through the company entrance in the company areas.

Intern Refers to the person who works temporarily within the company for the purpose of learning vocational qualifications and gaining experience.

Consultancy Company Employee Refers to the person or company employee from whom support is received for the potential establishment of a business relationship.

Business Partner Refers to the person referred to as a partner in jointly undertaken projects and technical support matters.

Other The definition refers to individuals who are not a party to commercial contracts but are indirectly part of an established commercial relationship, even though they have no established relationship with the company, as well as other individuals who are not directly or indirectly connected within the scope of existing commercial and business relationships, despite having no relationship with the company.

Unidentified 3rd Parties Passing by the Company’s Vicinity Based on Camera Position Refers to 3rd parties whose recordings are captured by cameras positioned to ensure company security.

Personal Data Storage and Destruction Processes

The personal data storage and destruction processes are managed by the authorized units of the Company. Your personal data is stored by us in compliance with the periods mandatorily stipulated in the Law on the Protection of Personal Data and relevant legislation concerning the protection of personal data, and is kept on record by the relevant Company units on behalf of the Company as long as the legal and legitimate purposes mentioned in the legal purpose section persist.

It is important to note that necessary administrative and technical measures are taken by the Company units on behalf of the data controller for the security of your personal data. Regarding these administrative and technical measures, the company also carries out controls on the environments where data is recorded, and these control plans are kept up to date. Data destruction processes are also determined in accordance with legal periods, and deletion and destruction processes are carried out through routine controls. Regulations containing company policies regarding the deletion/destruction of data are also made separately.

Regarding the cessation of the purpose of using personal data, processes will take place ex officio, and destruction and deletion processes can also be carried out upon the request of the data subject. If your personal data, for which all processing conditions have ceased and which needs to be deleted/destroyed and is subject to a request, has been transferred to third parties, we will also notify this situation to the third party. All processes related to the deletion and destruction of personal data are recorded by us, and records within this scope are stored by us for a period of at least three years, excluding other legal obligations regarding storage.

Personal Data Destruction Periods

Your personal data is processed by us either fully or partially automatically or non-automatically as part of any data recording system.

If the processing purpose ceases, your data is irreversibly deleted from the system. Personal data obtained physically is destroyed in accordance with the destruction policy.

Your Identity Information Identity data of personnel (employees) and their relatives is stored for a period of 10 years from the termination of the employment relationship. Identity data obtained from Product and Service buyers/Potential Product and Service Buyers, Service and Goods suppliers, consultancy company employees, and business partners is stored for a period of 10 years from the actual termination of the commercial activity.

Your Contact Information Contact data of personnel (employees) is stored from the termination of the employment relationship. Contact data obtained from Product and Service buyers/Potential Product and Service Buyers, Service and Goods suppliers, consultancy company employees, and business partners is stored for a period of 10 years from the actual termination of the commercial activity.

Your Residence Information This information, obtained for the purpose of providing technical support and operating and conducting processes related to faulty products, is stored for a period of 10 years from the date of the actual termination of the commercial agreement.

Your Personnel Information The personnel information of the Contracted Employee is stored for 10 years from the termination of the employment relationship, and the information of the intern is stored for 2 years from the end of the internship.

Professional Experience Information Employee experience information is stored for a period of 10 years from the termination of the employment relationship, and intern information is stored for a period of 2 years from the end of the internship.

Your Biometric Information Employee biometric information is stored for a period of 10 years from the termination of the employment relationship, and intern information is stored for a period of 2 years from the end of the internship.

Dress Code Information Employee dress code information is stored for a period of 10 years from the termination of the employment relationship.

Financial Information Financial information of personnel is stored for 10 years from the termination of the employment contract. Financial information of product and service buyers/potential product and service buyers, service and goods suppliers, consultancy company employees, and business partners is stored for a period of 10 years from the actual termination of the business agreement and commercial relationship. Intern information is stored for a period of 2 years from the end of the internship.

Customer Transactions Customer transaction data of product and service buyers, and customer transaction data of product service recipients are stored for a period of 10 years from the actual termination of the business agreement between the parties.

Your Physical Space Security Information Camera recordings taken for space security are stored for a period of up to 100 days.

Your Health Information Blood type and incapacity for work document information of the contracted employee is stored from the termination of the employment relationship. Blood type information of product and service buyers/business partners (suppliers) is stored for 10 years from the termination of the business agreement. Health data information regarding personnel candidates is stored for 2 years from the date the information reaches us. Intern information is stored for a period of 2 years from the end of the internship. Other health data is stored for 25 years.

Transaction Security Stored for a period of 2 years from the date the record is processed.

Legal Action This data obtained from the contracted employee is stored for a period of 10 years from the date of termination of the employment contract.

Visual and Audio Records Records related to photographs and images obtained from product and service buyers for the determination of sales policies are stored for 10 years from the actual termination of the commercial agreement. Audio recordings obtained from product and service buyers, supplier employees, and officials are stored for 2 years. Other camera footage is stored for up to 100 days.

It is not possible to transfer personal data recorded by the data controller to third parties without obtaining the explicit consent of the data owner. The exception to this situation is when the controller can transfer the data in accordance with Articles 8 and 9 of the Law on the Protection of Personal Data No. 6698.

The data to be transferred is aimed at ensuring the legitimate interests of the data owner and the company and fulfilling legal obligations, and the transfer of data for purposes other than the intended one is prevented by the data controller in this context.

The data is processed by us for the execution of processes related to human resources recruitment and employment activities, for the company to fulfill its obligations legally within the scope of commercial contracts, and for the execution of business processes related to providing products and services to the contract parties. It is shared with other third parties with measures taken to ensure data processing security.

As stated in the Law, personal data transfer can be made to domestic institutions as well as to foreign countries/institutions and organizations existing in foreign countries.

If the country to which the data will be transferred has been declared a safe country by the Personal Data Protection Board according to Law No. 6698, data transfer can be carried out without seeking explicit consent, in accordance with legal grounds. If the country to which the transfer will be made is not among the safe countries, the company and the data controller in the relevant country must commit in writing to provide sufficient protection. In this case, data transfer can be made without seeking explicit consent, with legal grounds and the permission of the Personal Data Protection Board.

INTRODUCTION

1.1. Purpose

The Personal Data Storage and Destruction Policy has been prepared to determine the procedures and principles for the storage and destruction of personal data processed by PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. within the scope of Article 7 of the Law on the Protection of Personal Data (KVKK).

PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş., while carrying out its activities, processes and protects the personal data it has recorded in accordance with the KVKK and relevant legislation. Just as personal data must be processed legally, it must also be destroyed legally. This storage and destruction policy includes the stages for planning the process for storing and destroying processed personal data.

1.2. Scope

The Company takes care to fulfill the obligations foreseen for data controllers by Law No. 6698 on the Protection of Personal Data and performs all procedural actions required by the Personal Data Protection Board for processing personal data.

Personal data belonging to the relevant persons recorded in the data inventory prepared by the Company, and personal data to be obtained from the relevant persons in the subsequent process, are covered by this policy.

1.3. Definitions

Law: Law on the Protection of Personal Data No. 6698. Board: Personal Data Protection Board. Relevant Person/Data Subject: The real person whose personal data is processed. Personal Data: Any information relating to an identified or identifiable real person. Special Categories of Personal Data: Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data of individuals. Processing of Personal Data: Any operation performed upon personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, wholly or partly by automated means or by non-automated means as part of a data filing system. Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. Destruction of Personal Data: The process of rendering personal data inaccessible, irrecoverable, and unusable by anyone in any way. Erasure of Personal Data: The process of rendering personal data inaccessible and unusable by the relevant users in any way. Anonymization: The process of rendering personal data incapable of being associated with an identified or identifiable real person, even by matching it with other data. Periodic Destruction: The deletion, destruction, or anonymization process that will be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy when all the conditions for processing personal data included in the Law cease to exist. Personal Data Processing Inventory: An inventory created by data controllers by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal grounds for processing personal data, data categories, transferred recipient groups, and data subject groups, detailing the maximum retention period required for the purposes for which the personal data is processed, personal data intended for transfer to foreign countries, and the measures taken regarding data security. Electronic or Non-Electronic Recording Medium: Any medium where personal data is processed, wholly or partly by automated means or by non-automated means as part of any data filing system. 

2. ELECTRONIC-PHYSICAL RECORDING MEDIUM

2.1 Electronic media • Computer, Phone, Tablet, etc. • Hard disk, USB drive, SD card • CD, DVD etc. • Backup Areas • Software Applications • Company Portal • Camera • Scanner, Photocopier

2.2 Physical media • File • Cabinet • Archive

3. DATA CONTROLLER AND RELEVANT PERSON

PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. prioritizes the protection of fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and strives to make plans in accordance with the procedures and principles determined in the law to ensure the protection of processed and to be processed personal data with necessary administrative and technical measures. 

The company also makes the necessary plans and carries out the relevant processes in all procedural matters related to the storage and destruction of personal data in accordance with the Law.

All real persons with whom the company has a commercial and/or legal relationship within the scope of its sectoral activities can be data owners/relevant persons, as can persons who have developed indirect commercial/legal relationships with the company.

Relevant persons consist of those listed in detail in the company’s data inventory, such as contracted personnel, technical support service personnel, guest personnel, visitors, customers, vendors, other third parties, etc.

4. PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

The personal data in question is not processed unless one of the data processing conditions is met, such as being explicitly stipulated in the Laws by the data controller, being directly related to the establishment or performance of a contract, being necessary for the processing of personal data of the parties to the contract, being mandatory for the data controller to fulfill its legal obligation, being mandatory for the establishment, exercise, or protection of a right, or being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. 

Data is recorded by the data controller in accordance with relevant laws and regulations, and the storage and destruction periods of the data are regulated taking into account the provisions contained in these laws.

The Company acts in accordance with the following principles written in the law when processing personal data:

• Lawfulness and fairness. • Accuracy and, where necessary, kept up to date. • Processed for specified, explicit, and legitimate purposes. • Relevant, limited, and proportionate to the purposes for which they are processed. • Stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed. 

5. EXPLANATIONS REGARDING STORAGE AND DESTRUCTION

The Company stores and destroys the data it has processed in accordance with Articles 5 and 6 of the KVKK and in accordance with its destruction policies.

5.1. Legal Grounds Requiring Storage

The Company keeps personal data on record in accordance with the procedures and principles written below:

• Being necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract. • Being mandatory for the data controller to fulfill its legal obligation. • Having been made public by the data subject himself/herself. • Being mandatory for the establishment, exercise, or protection of a right. • Being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. • Being stipulated in the Laws. • Obtaining explicit consent when necessary. 

5.2. Processing Purposes Requiring Storage

• Execution of Human Resources processes for both personnel and personnel candidates, monitoring of their health status and adaptation processes to work. • Ensuring communication and information flow with Public Institutions and Organizations. • Following up and conducting legal affairs. • Controlling entries and exits to the company building, ensuring secure entry and exit. • Carrying out commercial business and transactions and ensuring the follow-up of business activity processes. • Protecting the computer systems and software used against cyber attacks. • Ensuring the internet security of the company. • Ensuring physical space security. • Carrying out financial affairs as required by commercial agreements and legal obligations. • Establishing and maintaining potential business relationships. • Determining sales policies, fulfilling contractual obligations. • Fulfilling legal and regulatory obligations. • Providing information to authorized public institutions and organizations.

5.3. Circumstances Requiring Destruction

• Cessation of the purpose requiring processing and storage. • Withdrawal of the explicit consent of the data subject regarding personal data processed based on explicit consent. • Change or repeal of legislative provisions. • Cessation of legal grounds related to personal data processing.

In these cases, data kept in a physical environment is destroyed by the destruction method, and data recorded in electronic environment (recorded on computer, server) is destroyed by the deletion (irreversible destruction) method.

6. PERSONS AND UNITS RESPONSIBLE FOR PROCESSING, STORING, AND DESTROYING PERSONAL DATA

The Company is primarily responsible for the legal processing of personal data and includes all persons and units it authorizes in the data processing process within the scope of this responsibility. This responsibility also includes the personnel with whom the company has signed confidentiality agreements regarding data privacy, the units implementing the disciplinary procedure, the relevant units and responsible persons involved in the storage of processed personal data.

The company actively supports all data processing processes and, in particular, controls the administrative and technical measures taken to protect personal data, regularly auditing the responsible and authorized units.

7. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION/STORAGE OF PERSONAL DATA

7.1. Administrative measures

The Company creates a data inventory regarding the personal data obtained from the relevant persons and provides training to the employees of the relevant units on keeping the data processed in the inventory up-to-date and accurate. Data foreseen to be recorded by the Company is protected by the units authorized to process data, and unauthorized access to the relevant personal data is prevented. Physical security of personal data kept physically is also ensured, and this data is kept away from areas accessible to unauthorized and irrelevant persons. Special categories of personal data kept by the Company are data that need to be specially protected, and the relevant data is protected only by the relevant responsible person in the relevant department. The Company has identified the risks related to illegal data processing and has made plans to prevent these risks. The unit authorized to process data consists of a single person, and it is ensured that data is not processed by other persons. Provisions regarding data security are added to contracts made with third parties, and if necessary, separate contracts regarding data security are made with third parties. In the event that processed personal data is obtained by others through illegal means, the Company notifies the data subject and the Board as soon as possible. The company conducts random audits on the personnel in the units authorized to process data and checks whether the security of this data is ensured. The company makes plans to prevent risks related to illegal data processing. If the personal data in question is recorded in an electronic environment, software security measures are in place to protect these records. Provisions regarding data security are added to contracts made with third parties, and if necessary, separate contracts regarding data security are made with third parties. The company also establishes a technical infrastructure to prevent data from being leaked to unauthorized persons and performs regular controls on the operation of the technical infrastructure system. The software security of the applications used to access data is ensured, and the personnel working in this area have been trained. Encryption technique is used for the company portal and applications, and passwords are used to enter the sites. Agreements are signed with companies that prioritize confidentiality in the use of IT systems and have a strong infrastructure, and technical support is received. Regarding the use of data, access to the relevant data is provided only for their purposes, and unnecessary information flow is prevented.

7.2. Technical measures

Necessary measures are taken for the physical security of the Institution’s IT Systems Equipment, Software, and Data. Risks aimed at preventing unlawful processing are identified, and appropriate technical measures are taken for these risks. Procedures are created and implemented for access authorizations and role assignments, and accesses are recorded to control inappropriate accesses. Destruction processes are defined and implemented in accordance with the Storage and Destruction Policy. A system and infrastructure are created to notify the relevant person and the Board in case of detection of unlawful processing. Information Systems are kept up-to-date. Strong passwords are used in the electronic environments where personal data is processed. Backup programs that ensure the secure storage of personal data are used.

8. PERSONAL DATA DESTRUCTION TECHNIQUES

8.1. Erasure of personal data Erasure of personal data is the process of rendering personal data inaccessible and unusable by the relevant users in any way.

8.2. Destruction of personal data Destruction of personal data is the process of rendering personal data inaccessible, irrecoverable, and unusable by anyone in any way.

8.3. Anonymization of personal data Anonymization of personal data is the process of rendering personal data incapable of being associated with an identified or identifiable real person, even if matched with other data. For personal data to be anonymized; it must be rendered incapable of being associated with an identified or identifiable real person, even by using appropriate techniques in terms of the recording medium and the relevant field of activity, such as reversing and matching data with other data by the data controller, recipient, or recipient groups. 

According to these explanations, the destruction techniques for personal data kept by PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. in electronic and physical environments are specified below:

For Personal Data Kept in Electronic Environment

Computer: The method of destroying the records inside the computer by removing the recording unit and destroying the hard disk, and using the other parts as spare parts is preferred. Mobile phone / Tablet: The method of deleting all information inside and returning the phone to factory settings is preferred. Hard disk: The method of removing the magnetic medium inside the hard disk and destroying it in a paper shredder is preferred. USB drive / SD card: The method of breaking and destroying is preferred. Backup Areas: Weekly deletion (irreversibly) method is used. Software Applications: Record deletion (irreversibly) method is used. Customer Portal: Record deletion (irreversibly) method is used. Camera (NVR device): Periodic automatic file (camera recording) deletion (irreversibly by re-recording over it) method is used.

For Personal Data Kept in Physical Environment

File, Cabinet, Archive: Since data is on paper in these locations, destruction methods such as burning the documents or passing them through a paper shredder are preferred.

9. PERSONAL DATA DESTRUCTION AND DESTRUCTION PROCESSES

Personal data can be destroyed ex officio by the company or upon the request of the data subject. The company keeps personal data only for the period specified in the legislation it is obliged to comply with and/or required for the purpose for which it is processed, and at the end of the foreseen period, it is deleted or destroyed in accordance with its destruction policies.

If the personal data owner applies to the company and requests the destruction of his/her personal data, the Company:

• If all conditions for processing personal data have ceased, the company concludes the personal data owner’s request within thirty days at the latest and informs the personal data owner. Furthermore, if the personal data subject to the request has been transferred to other third parties, this situation is notified to the third party. • If all conditions for processing personal data have not ceased, the company may reject the personal data owner’s request by explaining the reason in accordance with the third paragraph of Article 13 of the Law and notifies the refusal response to the personal data owner in writing or electronically within thirty days at the latest.

If the necessity of destroying the processed personal data arises and the relevant retention period expires, plans are made for the destruction process, and the data is deleted or destroyed within the scope of these plans. Minutes are prepared for the destruction of data and are signed by the authorized units.

Destruction minutes kept regarding the deletion and destruction of personal data are recorded by the company, and records within this scope are stored for at least three years, excluding other legal obligations regarding storage. Finally, these minutes are also destroyed at the end of the relevant period.

10. PERSONAL DATA STORAGE AND DESTRUCTION PERIODS

The personal information and documents, the details of which are kept by the company below, are destroyed at the end of the indicated periods. At the end of the relevant periods, the data is destroyed periodically automatically and/or manually.

Candidate Is retained for a period of 100 days until the deletion time of the record due to camera recording.

Consultancy Company Employee Is stored for a period of 1 year from the termination of the potential business relationship.

3rd Parties Passing by the Company’s Vicinity Based on Camera Position Is retained for a period of 100 days until the deletion time of the record due to camera recording.

Personnel, contracted employee, and contracted employee’s relative Is retained from the termination of the employment contract between the parties, taking into account periods of 10 years, 25 years, 1 year, 2 years, and 100 days, according to the methods of recording.

Contracted Employee Candidate / Intern 1 year from the date of recording the data.

Potential product and service buyer, Supplier, Employee, Official, Product and Service Buyer, Product and Service Buyer supplier, Product and Service Buyer personnel Is retained for 10 years from the actual termination of the business agreement between the parties, and also, taking into account periods of 1 year, 2 years, and 100 days according to the methods of recording.

Visitor / Other Is retained for a period of 100 days until the deletion time of the record due to camera recording, and for a period of 1 year and 2 years due to transaction security.

11. PERIODIC DESTRUCTION PROCESS

In accordance with Article 11 of the Regulation, the Institution has determined the periodic destruction period as 6 months. Accordingly, the periodic destruction process is carried out in the Company every year in January and July. 

12. ADDITIONS AND AMENDMENTS TO DESTRUCTION PROCESSES

The necessary sections in this policy can be updated as required. Changes will be made by filling in the necessary fields in the table below, and the final version of the storage and destruction policy will be published.

13. PUBLICATION – STORAGE OF THE POLICY

The policy is published electronically and made public on the website. In case of additions or amendments to the policy, the version with additions and/or amendments is stored in pdf format.

14. EFFECTIVENESS AND REPEAL

The policy will come into effect as of its publication date. In case of additions or amendments to the policy, the previous policy is removed from publication, and the new version with additions and/or amendments is published. The new version of the policy will also come into effect as of its publication date.

Application Rights

Within the scope of the Law on the Protection of Personal Data No. 6698, data owners have the right to obtain information regarding their personal data processed by data controllers. Article 11 of the KVKK specifies the application rights related to this right. These rights are:

• To learn whether personal data is processed about him/her.
• To request information and documents if personal data has been processed.
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose.
• To request the rectification of personal data if it is incomplete or incorrectly processed. 
• To know the third parties to whom personal data is transferred domestically or abroad.
• To request the deletion or destruction of the data within the foreseen conditions if the reasons requiring processing cease to exist. 
• To learn whether rectification has been made in case personal data has been incorrectly processed.
• To learn and inquire whether operations regarding personal data requested to be deleted or destroyed have been carried out.
• To request that the third parties to whom personal data is transferred be notified.
• To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automatic systems. 
• To demand the compensation of the damage in case the person suffers damage due to the unlawful processing of personal data.

You can apply to the company regarding the rights specified in writing above and obtain detailed information about the subject of your application.

Application Procedure

Regarding the application procedure and principles, Article 13 of the Law on the Protection of Personal Data and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller are taken as a basis, and the relevant application will be made according to these procedures and principles.

The data owner can submit their requests within the scope of the rights specified in Article 11 of the Law to us in writing or by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified to the company by the data owner and registered in the data controller’s system. 

Application Process

PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. will conclude your applications containing the requests you have directed to us free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. The responses to be given to you by our company will be carried out as specified in Article 13 of the KVKK. PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş., acting in accordance with the article, will send the information and documents containing the rectifications to be made in the data record, its positive/negative responses along with their justifications, to the addresses you will specify.

ARTICLE 13 – (1) The data subject shall submit their requests regarding the application of this Law in writing or by other methods to be determined by the Board to the data controller. (2) The data controller shall conclude the requests contained in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires an additional cost, the fee in the tariff determined by the Board may be charged. (3) The data controller shall accept the request or reject it by explaining the reason and shall notify the data subject of its response in writing or electronically. If the request in the application is accepted, the data controller shall take the necessary action. If the application is due to the fault of the data controller, the fee collected shall be returned to the data subject. 

Form Content

In addition, checkboxes have been created below to assist with the issues to be specified in the request document part. You have the initiative to mark/not mark the justifications for the issues listed below along with your request, and if marked, this will be taken into consideration with your request and evaluated within this scope.

Request Document

You can specify the issues and questions regarding your personal data that are the subject of your requests according to KVKK Article 11 in the underlined area below, and you can detail your reason for application. Furthermore, it is necessary to enter your identity information so that channels for contacting you can be determined and the personal data of the person requesting can be examined.

• Regarding the issues written above; • I declare that the necessary explanations were made to me through the text content, • That I was informed about the relevant Article 13 of the Law on the Protection of Personal Data and the Communiqué on the Procedures and Principles of Application to the Data Controller, • That mandatory elements regarding the application principles were mentioned, • That I was informed that a fee would be charged from me if the process required a cost. 

I declare this and request that my application be evaluated within the scope of the Law on the Protection of Personal Data and that I be provided with information/documents regarding the matter I have applied for and/or that they be created.

The evaluation made as a result of your application to PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. needs to be communicated to you. Therefore, please specify the method by which you wish to be notified of the response to your application.

In response to your application request, PROLİNE BİLİŞİM SİSTEMLERİ VE TİCARET A.Ş. may request additional information and documents that can verify your identity in order to prevent the unlawful sharing of personal data with third parties and to ensure the security of your personal data. Proline Bilişim Sistemleri ve Ticaret A.Ş. always reserves the right to request the said information and documents.

Your personal data is collected, processed, and stored by the relevant units, either wholly or partly by automated means or by non-automated means as part of any data filing system, in accordance with the procedures and principles set out in Article 4 et seq. of the Law, both physically and electronically. The details of the purposes of data processing have been presented to you.

Identity Information is processed by the data controller Company following the illumination text forms directed to you, based on the Company’s legitimate interests, the establishment of an employment contract, or the necessity of data processing for the establishment, exercise, or protection of a right. Identity data obtained by the Company from customers/business partners based on established commercial relationships is also evaluated within this scope and relies on an established business relationship.

Contact Information is recorded by the data controller Company for purposes such as establishing communication with personnel candidates, ensuring general communication with personnel as required by the employment contract, maintaining the relationship with customers/business partners, conducting the commercial process, and determining the service policy.

Residence Information is processed and protected by us within the scope of the Law for reasons such as the necessity of data processing for the establishment, exercise, or protection of a right, the necessity of data processing for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject, and the necessity of processing personal data of the parties to a contract provided that it is directly related to the establishment or performance of a contract. The purposes include ensuring correspondence with personnel, planning how personnel candidates will reach work during the recruitment process they are subjected to, determining addresses for the delivery of goods and services to the contract parties, and executing the relevant performance processes. 

Visual and Audio Recording Information is processed by the data controller company for reasons such as the necessity of data processing for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject, and being explicitly stipulated in the laws. The data is processed for the nature of the work performed and to ensure the general security of the company and is protected in accordance with the procedure specified in the law. 

Personnel Information is processed for reasons such as being stipulated in the laws, the establishment of an employment contract, the existence of a legal obligation required by legislation, and the necessity of data processing for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject, for fulfilling contractual and legislative obligations for personnel, and for the data controller’s legitimate interest and fulfilling legal obligations under the employment contract. Criminal Record Information is among your special categories of personal data and cannot be processed, recorded, or used without your consent unless there are legitimate legal grounds for the data controller (as required by Articles 5 and 6 of the Law on the Protection of Personal Data) and/or in the absence of your explicit consent. Your criminal record information, existing information within the scope of judicial investigation, is processed and protected legally by the relevant company unit for reasons such as the necessity of data processing for the legitimate interests of the data controller provided that it does not harm your fundamental rights and freedoms, the establishment of an employment contract, and the desire to protect the data controller’s legitimate interest. 

Professional Experience Information, within the scope of professional information, includes your existing personal data. This is processed due to the establishment of an employment contract between the parties, the ability of the data controller to fulfill its legal obligation, and the necessity of data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. Working Information, within the scope of leave information, documents containing your work data such as SRC documents and traffic driver’s licenses (for personnel who will drive mobile vehicles), SGK entry declaration, SGK service statement, information about the professional chamber you are registered with, and acquired certificates, are processed and recorded electronically and/or physically by the relevant Company units for purposes such as carrying out fringe benefits and benefit processes for personnel, fulfilling contractual and legislative obligations for personnel, and determining personnel work areas and responsibilities. 

Biometric Information is among your special categories of personal data and cannot be processed, recorded, or used without the data controller’s legitimate legal grounds (as required by Articles 5 and 6 of the Law on the Protection of Personal Data No. 6698) or in the absence of your explicit consent. The relevant data is obtained and processed for reasons such as the existence of an employment relationship, carrying out preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing, obtaining explicit consent, and the necessity of data processing for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject. 

Health Information: Due to the confidentiality obligation of the personnel in the Support Health Service unit, your explicit consent will not be obtained for your data to be processed by this unit, and your data will be processed by the unit for purposes such as carrying out preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing as a result of the employment relationship. 

Health data that is requested to be processed or will be processed by Company units other than the Support Health Service unit on behalf of our Company will not be obtained or processed without obtaining explicit consent from you and without showing a legal justification.

Personal data to be processed by Human Resources with explicit consent includes the data subject’s blood type and psychotechnical report data such as attention level, reasoning, speed and distance perception, field of vision, reaction quality and speed, visual continuity, and coordination. This data is necessary for the performance of the legal and commercial relationships established by the Company and for fulfilling its legal obligations. The relevant personal data will be obtained from shipping personnel and the data to be obtained includes legally mandatory license elements for carrying out shipping activities.

Detailed information regarding the sharing of data will be provided to you again, and your explicit consent will be obtained at the stage of sharing the relevant data. The relevant data will not be shared with unauthorized third parties and may be shared with authorized, relevant institutions and organizations to the extent permitted by law.

Financial Information, such as IBAN and bank account numbers, is processed by the data controller for the purposes of fulfilling legal obligations, paying personnel salaries, and receiving/making payments for products and services within the scope of established/to be established commercial relationships.

Dress Code Information, such as shoe size and clothing size, is among your special categories of personal data and cannot be processed, recorded, or used without the data controller’s legitimate legal grounds (as required by Articles 5 and 6 of the Law on the Protection of Personal Data) and/or in the absence of your explicit consent. Your relevant personal data is processed due to the establishment of an employment contract, for the purposes of the data controller fulfilling its legislative obligations within the scope of occupational safety (such as providing work clothes by the company if the work is dangerous, issuing certificates for the training provided, etc.), and this data is protected in accordance with the procedure and law.

Customer Transactions: Stored for carrying out financial affairs as required by commercial agreements and legal obligations, carrying out finance and accounting affairs, and managing the goods-service sales process.

Physical Space Security Information is data obtained/processed by us to ensure the control and security of company entrances/exits and operational areas, and for the data controller to fulfill its legal obligations within the scope of occupational health and safety. This data is not recorded in any other recording system and is specifically available to us within the scope of security measures. The relevant data is destroyed at the end of the specified retention periods according to the storage and destruction policies. The processed data is not shared with third parties other than authorized public institutions and organizations.

Transaction Security includes IP, MAC, visited websites, and shopping information. The necessity of processing this data is for ensuring the Company’s internet security, auditing the applications used, regulating and storing the operation of information systems, and protecting the computer systems and software used against cyber attacks. It can be recorded in the system within the scope of carrying out Information Security Processes, ensuring the security of data controller operations, carrying out goods and service sales processes, conducting marketing analysis studies, and determining the discount amount based on the total sales amount within the year for customer satisfaction.

Legal Action personal data is processed for the purposes of effectively carrying out correspondence with judicial authorities, ensuring communication and information flow with Public Institutions and Organizations, and following up and carrying out legal affairs.

By definition, personal data refers to any information relating to an identified or identifiable real person. Relevant person refers to the real person whose personal data is processed, and processing of personal data refers to any operation performed upon personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, wholly or partly by automated means or by non-automated means as part of a data filing system. The data processed/to be processed by us as the data controller are presented to you in detail below, categorized. 

Identity Information Processing of personal data is necessary for the establishment, exercise, or protection of a right; processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Contact Information Processing of personal data is necessary for the establishment, exercise, or protection of a right; processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. 

Residence Information Processing of personal data is necessary for the establishment, exercise, or protection of a right; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject; processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract. 

Visual and Audio Records Processing of data is necessary for the legitimate interests of the data controller to complete R&D studies and resolve product-related issues, provided that it does not harm the fundamental rights and freedoms of the data subject; being explicitly stipulated in the laws.

Personnel Information Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; being explicitly stipulated in the laws; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject; being mandatory for the data controller to fulfill its legal obligation. 

Physical Space Security Establishment of an employment contract; being mandatory for the data controller to fulfill its legal obligation; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. 

Customer Transactions Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; being mandatory for the data controller to fulfill its legal obligation. 

Biometric Information (Special Categories of Personal Data) Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; being mandatory for the data controller to fulfill its legal obligation; obtaining explicit consent; processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. 

Health Information (Special Categories of Personal Data) Carrying out preventive medicine, medical diagnosis, treatment, and care services as a result of the existence of an employment relationship; planning and managing health services and their financing; processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; obtaining explicit consent.

Transaction Security Processing of data is necessary within the scope of marketing activities, provided that it is directly related to the establishment or performance of a contract; being necessary for ensuring technical security.

Dress Code Information (Special Categories of Data) Being stipulated in the laws and the establishment of an employment contract; being mandatory for the data controller to fulfill its legal obligation.

Financial Information Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract; being mandatory for the data controller to fulfill its legal obligation. 

Legal Action Ensuring communication and information flow with Public Institutions and Organizations; following up and conducting legal affairs.

Professional Experience Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract. 

Your personal data, categorized as written above, is obtained by the Company within the scope of the obligation to inform, in accordance with the provisions contained in laws and other legal regulations, and is recorded by automated means or by non-automated means as part of any data filing system.