Hage Grup - High Aim Great Exhibition

KVKK ILLUMINATION TEXT

PERSONAL DATA PROTECTION POLICY

Policy, Scope and Purpose

Hage Grup pledges itself to abide by the principles and rules stipulated by the Constitution of the Republic of Turkey, Personal Data Protection Act (KVKK) no: 6698 and other legislations and to protect the rights and freedoms of the individuals whose data has been processed by Hage Grup. To that end, the Board of Directors has adopted a written personal data protection policy and system to be applied and developed.

Scope

Terms of the policy cover all information systems and sub information, contracts, environments and physical areas included in the subject and area of activities of Hage Grup and all systems and settings produced therefor.
This policy applies to all units, staff of the company providing support service, visitors, third parties, interns and contract employees of Hage Grup.

Purpose of Personal Data Protection Policy and System

The purpose of Personal Data Protection Policy and System is to ensure that Hage Grup develops and realizes its standards regarding personal data management, to determine and support the organizational objectives and responsibilities, to establish control mechanisms in compliance with the acceptable risk level of Hage Grup, to fulfill responsibilities that ‘Hage Grup’ is subject to as per international conventions, the Constitution, the Law, contracts, and codes of practice with respect to personal data protection and to secure the benefits of the individuals in the best way possible.

Hage Grup will abide by personal data protection legislation and data protection principles. Data protection principles adopted by Hage Grup are provided hereinbelow:
To process personal data only on the condition that it is explicitly required considering legitimate corporate purposes,
To process only the minimum amount of personal data required in line with said purposes,
To provide individuals with explicit information regarding who uses these data and how it is used,
To process only relevant and appropriate personal data,
To process personal data legally and equitably,
To maintain an inventory of personal data categories processed by Hage Grup,
To ensure that the personal data is correct and, if needed, updated,
To store the personal data only for a period required by legal regulations, legal responsibilities of Hage Grup or legitimate corporate benefits,
To respect the rights of the individuals regarding their personal data, including the right to access,
To keep all personal data safe and secure,
To transfer personal data abroad only on the condition that enough protection is available,
To apply the exceptions permitted by the legislation,
To establish and implement the personal protection system for performing the policy,
To determine the internal and external stakeholders of the company who are a party to the personal data protection system and to which extent they are involved in the personal protection system of Hage Grup,
To determine the employee(s) who have/has special powers and responsibilities regarding the personal data protection system.

Notifications

In case they violate this policy in any way whatsoever, all units, company staff providing support service, interns and contract employees will be subjected to disciplinary regulations of Hage Grup and if the violation in question constitutes any crime or misdemeanor, relevant authorities are notified accordingly as soon as possible.

The solution partners of Hage Grup, who have access to or have a possibility to access personal data, and all third parties working with Hage Grup are encouraged to read and to abide by this policy. No third party can provide access to personal data processed by Hage Grup without signing a written confidentiality agreement which stipulates responsibilities whose standards are at least as strict as the ones of Hage Grup and the supervising right of Hage Grup thereon.

Definitions

Explicit consent: means freely given, specific and informed consent,
Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
President: means President of the Personal Data Protection Authority
Data subject: (natural person concerned) means the natural person, whose personal data are processed
Personal data: means any information relating to an identified or identifiable natural person,
Sensitive personal data: The data regarding the race, ethnicity, political view, philosophical belief, religion, sect and other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal records and security precautions as well as biometric and genetic data of the individuals,
Processing of personal data: means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
KVKK: Personal Data Protection Act no: 6698,
The Board: means the Personal Data Protection Board,
Authority: means the Personal Data Protection Authority,
Data Processor: means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
Data filling system: means the system where personal data are processed by being structured according to specific criteria,
Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

Duties and Responsibilities
Hage Grup is the data controller as per KVKK.
All employees, particularly the Top Management, who works in the manager and auditor positions, are responsible for the development and promotion of proper practices regarding personal data processing at Hage Grup as well as for other liabilities with respect to this matter that are included in their job definitions.
The Committee of KVK has been established as the unit of authority in the management of the personal data protection system and compliance to KVKK and other legislations and the documentation thereof and regarding these aspects it is responsible to the Board of Directors.

The Committee of KVK

The members of the Committee of KVK with expertise and experience in personal data protection legislation and practices are assigned by the Board of Directors and they directly report to the Board of Directors.

Duties and Responsibilities of the Committee of KVK

The Committee should be informed in respect of Personal Data Protection legislation and developments.
The Committee is responsible for ensuring that the policies and procedures of Hage Grup are up to date and the data processing audits take place according to the schedule and for the compliance thereof with the relevant legislation.
Regarding data protection, the Committee functions in harmony with the relevant staff.
The main duties and responsibilities of the Committee are listed hereinbelow:

To provide information and guidance to Hage Grup, its relevant partners and support service Suppliers regarding personal data protection legislation and compliance.
To provide information and guidance to the staff of Hage Grup about their liabilities as per personal data protection legislation.
To observe the compliance of data processing activities of Hage Grup with personal data protection legislation.
To contribute to the development and maintaining of personal data protection policy and relevant procedures and processes of Hage Grup.
To distribute the responsibilities within Hage Grup in the scope of compliance with personal data protection legislation.
To ensure that all employees involved in personal data processing processes are well-trained and well aware.
To observe compliance with the data protection legislation by performing audits regularly and reporting to the Board of Directors.
To function in cooperation and in contact with the Board of KVK.
To determine the responsible employees that will function as the point of contact and representative of Hage Grup before the Board of KVK.
To develop an official procedure to communicate personal data protection violation incidents and investigations to the Board.
To contribute to the process of the business continuity plan.
To provide knowledge and guidance on storing corporate records.
To observe the scope of the collected personal data, which were kept and used at Hage Grup and to provide the data storage conditions in compliance with the relevant legislation.
To supervise and evaluate compliance, sanity, security practices and other checks that may be required.
To determine and perform the controls to ensure the confidentiality, integrity and accessibility of the personal data and recommend the additional checks that may be needed.
To submit the issues that pose a risk regarding personal data within Hage Grup and relevant recommendations to the agenda of the Board of Directors
1. The Committee of KVK has the power to audit the activities of Hage Grup in the systems regarding the collection, process and storage of personal data. The Committee of KVK may request the cooperation of all employees to fulfill its duties, including access to the systems and records. If this cooperation is not established, the Committee reports the situation to the Board of Directors.

All employees of Hage Grup processing data are responsible to abide by the Personal Data Protection legislation.
Human Resources unit is responsible to arrange all communication and training required for all employees to know their responsibilities and become well aware of personal data protection.
Hage Grup staff is liable to ensure that all the personal data provided to Hage Grup or personal data of the employees is correct and up to date.

Data Protection Principles

All data processing activities must be conducted in compliance with data protection principles provided hereinbelow. The policy and procedures of Hage Grup aspire to ensure compliance with these principles:

To be in compliance with legal rules and good faith.
To be correct and when required, up to date.
To be processed for specified, explicit and legitimate purposes.
To be relevant to the purpose of processing, to be limited and in moderation.
To be kept for a period of time required by the relevant legislation or the purpose of processing.

Personal data is processed in transparency and in compliance with legal rules and good faith.

In line with this, Hage Grup publishes clarification texts/privacy notices on their personal data processing activities on data collection channels. Hage Grup determines the areas where these notices, which include explicit and clear information with respect to which data is processed for which purposes, are to be available and declared. These notices cover the items listed hereinbelow:

The identity of Hage Grup as data controller and contact details thereof,
Types of personal data processed,
Purposes of personal data processing,
Anticipated storage period for personal data,
Rights of the data subject,
Third parties that data may be shared with.

Personal data may only be processed for specific, clear and legitimate purposes.

The justifications/purposes of data processing are determined in the personal data inventory and the personal data may not be used for other than the specified purpose without any other legal justification or without the explicit consent of the data subject.
In case the conditions that require the personal data to be used for other than the purpose specified in the personal data inventory occur, the Committee of KVK is notified by the relevant employee/unit. The Committee of KVK investigates the appropriateness of the new purpose and if required, ensures that the data subject is informed about the new data processing for the new purpose.

The personal data should be appropriate and relevant and must be processed within the limits of the purpose.

It is responsible for providing that Hage Grup neither collect nor process any personal data which is not explicitly needed for the processing purpose.
Hage Grup periodically investigates whether the data processed via the personal data inventory is appropriate and relevant.
Hage Grup investigates annually whether all of its data processing methods are appropriate and relevant through internal and/or external audits.
With respect to personal data that Hage Grup does not find appropriate or relevant or finds excessive regarding the processing purpose, it is responsible for ceasing the data processing activities and for secure destruction of the processed data as per storage and destruction procedure.

Personal data must be correct and up to date.

Data kept for a long period must be reviewed whether it is correct and up to date.
The manager of the Human Resources unit is responsible to train all staff to collect and keep personal data correct and up to date.
The employees are responsible for providing correct and up to date data about themselves.
The employees/customers and other relevant persons should inform Hage Grup to update the processed personal data. In case notified, the relevant unit is responsible for correcting and updating the record in question.
Through evaluating the type of processed data, storage period and the amount by utilizing the data inventory, the Committee of KVK may instruct the relevant unit to review whether the specific data is correct or up to date.

Personal data must only be processed only on the condition that is required for data processing purposes.

In case the personal data is stored due to necessities such as back-up, longer than the required period of time, the personal data must be enciphered and/or anonymized/masked for the sake of individual rights and freedoms when data security vulnerability occurs.
According to the Personal Data Storage and Destruction Policy, the processing of data after the specified periods of time is subject to the written approval of the Committee of KVK.

Rights of The Data Subjects

Data Subjects have the rights listed hereinbelow regarding the data processing activities about them at Hage Grup:

To be informed whether their personal data is processed or not,
To demand information if their personal data is processed,
To be informed about the processing purpose of the data and whether they are used according to the purpose or not,
To be informed about the third persons to whom personal data is transferred within the country or abroad,
To demand personal data to be corrected in case they are processed inadequately or incorrectly,
To demand personal data for which there is no legal justification or foundation to be processed as per this policy and KVKK to be deleted or destroyed,
To demand that the third parties to whom their data is transferred are informed of the correction and deletion operations that are performed upon their request,
To object to any result against them, which is obtained through the exclusive analysis of data processed by automatic systems,
To demand compensation for damage in case they suffer a loss due to the illegal processing of personal data.

The data subjects demand access to their personal data and demand to exercise their right listed hereinabove. Regarding these demands, the responses are given within 30 days. The processes for receiving, communicating and responding to demands are conducted according to the Demand Management Procedure.

Data subjects may deliver their requests by mailing to [email protected] as e-mail.

Regardless of their job definition, all employees of Hage Grup are liable to direct data subjects about the right application method regarding their access demands submitted to them. The staff of Hage Grup must be informed and trained about how to handle the demands of data subjects.

Receiving Explicit Consent

Hage Grup considers the consent that is given by the data subject regarding specified data processing activities and based on notification and that manifests the decision to have their data processed by their freewill by written/oral declaration and/or explicit confirmatory act as explicit consent. When it comes to sensitive data, explicit consent must absolutely be received in written form. Explicit consent may always be retrieved by the data subject.

Explicit consent may be received by having explicit consent form template signed by data subject or by making a contract with the data subject or including the items covered by this template in the electronic form. Explicit consent regarding the routinely processed personal data of employees, prospective employees and customers are received by means of relevant contracts and forms.

In case the data processing activities based on explicit consent is continuous or to be repeated, a single list of people whose explicit consents are received is kept by the relevant unit. The relevant unit is responsible for keeping this list correct and up to date. Explicit consent forms regarding data processing activities based on explicit consent and relevant proofs are kept by relevant unit.

Data Security

All employees are responsible for keeping the personal data processed by Hage Grup and under their responsibility secure.

Personal data must be accessible to solely the ones required to access such data. Security of the personal data is maintained as per KVK Policy of Hage Grup and related documents.

Data security incidents regarding personal data is communicated as soon as possible to the Board of KVK and the relevant person by Hage Grup.

Data Sharing
Personal data may only be shared with third parties legally and equitably. In line with this, for sharing personal data one of the conditions listed hereinbelow must be met:

Explicit consent of the data subject is received.
It is stipulated explicitly by law.
It is required to protect the life or bodily integrity of the person who cannot declare his consent due to actual impossibility or whose consent is not legally valid or of someone else.
In case it is required to process personal data of the parties for the establishment and execution of a contract that is signed or to be signed by Hage Grup.
It is compulsory for Hage Grup to perform its legal liability.
It is made public by the relevant person.
Data processing is compulsory for establishment, exercise and protection of the rights of Hage Grup
Data processing is compulsory for the legitimate benefits of Hage Grup on condition that it does not violate the rights and freedoms of the relevant person.

Personal data may only be transferred abroad solely in case these conditions hereinabove are met and adequate protection is available in the target country and the explicit consent of the data subject is received regarding this transfer.

With respect to the transfer of personal data abroad, list of countries where adequate protection is available prepared by the Board of KVK is taken into consideration.
When it comes to transferring personal data abroad, it is ensured that required permit and notification procedures before the Board of KVK are conducted as per relevant legislation.

In case a continuous data sharing relationship is established without any legal foundation or legal liability, a KVKK Contract that stipulates data sharing terms is signed with the party in question. KVKK Contract must include at least these items listed hereinbelow:

The purpose(s) of the share,
Potential third party receivers or receiver type and terms of access rights,
The data categories to be shared (it must be at the minimum required for your purposes)
General principles about data processing,
Data security measures,
Storage period of shared data,
Rights and access demands of the data subject, procedures of responding to applications and complaints,
Review of ceasing the validity of the sharing contract,
Responsibilities and sanctions regarding the violation of the contract and individual violation by the employees.

Personal Data Processing Purposes, Personal Data Subjects, Personal Data Categories and Shared Parties Categories Processes in the Scope of Personal Data Processing Activities Conducted by Hage Grup

Purposes of Personal Data Processing

In the scope of Data Controller Registry Information System, data processing purposes for personal data processing activities conducted by Hage Grup are as such:

Conducting Emergency Management Processes
Conducting Data Security Processes
Conducting Application Processes of Prospective Employees
Fulfilling Employee Liabilities Arising from Contract of Employment and the Legislation
Conducting Employee Satisfaction and Loyalty Processes
Fulfilling Employees’ Liabilities Arising from Contract of Employment and the Legislation
Conducting Employees’ Fringe Benefits and Benefits Processes
Conducting Audit / Ethical Activities
Conducting Training Activities
Exercising Access Powers
Conducting Activities in Compliance with the Legislation
Conducting Financial and Accounting Works
Providing the Security of Physical Environment
Conducting Loyalty to Firm / Product / Services Processes
Conducting Assignment Processes
Following-Up and Conducting Legal Works
Conducting Communication Activities
Planning Human Resources Processes
Conducting / Auditing Business Activities
Conducting Occupational Health and Safety Activities
Conducting Business Continuity Maintaining Activities
Conducting Goods / Service Purchase Processes
Conducting Goods / Service After-Sales Support Services
Conducting Goods / Service Sale Processes
Conducting Customer Services Management Processes
Conducting Activities for Customer Satisfaction
Organization and Event Management
Conducting Marketing Analysis Works
Conducting Performance Evaluation Processes
Conducting Advertorial / Sale / Promotion Processes
Conducting Risk Management Processes
Conducting Contract Processes
Providing Security of Movable Property and Sources
Following-Up Demands / Complaints
Conducting Supply Chain Management Processes
Conducting Wages Policy
Informing Authorized Persons, Institutions and Organizations
Conducting Management Activities
Creating and Following-Up Visitor Records

Personal Data Subjects

PERSONAL DATA SUBJECT CATEGORY	DEFINITIONS
Prospective Employee	Real persons who have applied for a job at Hage Grup in any way or who have submitted their CV’s and related information for Hage Grup to view.
Employee	The employees whose personal data is processed within the framework of activities related to events, employee satisfaction, human resources, audit, maintaining the security of information technologies and infrastructure and legal compliance that are conducted by Hage Grup .
Supplier’s Employee	Employee of the party that provides services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities.
Authorized Personnel of the Supplier	Authorized Personnel of the party that provides services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities.
Customer (Person Purchasing Product or Service)	Regardless of whether there is a contractual relationship with Hage Grup, the real persons whose personal data is obtained through the business relationships within the scope of operations conducted by the business units of Hage Grup.
Legal Guardian, Guardian, Representative	The persons whose personal data is obtained at Hage Grup and who hold a title of legal guardian, guardian or representative.
Visitor	Real persons who enter the physical campuses of Hage Grup for various purposes or who visit our websites.
Other (Speaker)	Real persons who give a speech at the exhibitions held by Hage Grup.

Personal Data Categories

PERSONAL DATA CATEGORIES	DEFINITIONS
Identity Information	The data includes information regarding the identity of the person: full name, TR identity number, nationality, place of birth, date of birth, sex, workplace, registry number, tax identification number, title, biography etc. as well as documents such as occupational ID, ID and passport
Contact Information	The information such as telephone number, address, e-mail address, fax number etc.
Process Security Information	Your personal data processed for us to provide our technical, administrative, legal and business security while conducting our activities (e.g. log records, IP information, identity authentication information)
Customer Process Information	Information such as call center records, invoice, bill, check information, information on teller receipts, order information, demand information
Personnel Information	Personnel data such as payroll information, disciplinary proceeding, employment/leaving job certificate records, declaration of property information, CV information, and performance evaluation reports
Prospective Employee Information	The information that may be involved in the CV of the prospective employee
Location	Location information of where the person is etc.
Legal Transaction Information	Personal data processed within the scope of establishment and follow-up of legal debt and rights, discharge of our debts, our legal liabilities and compliance with the policies of our Company
Financial Information	Personal data processed regarding any information, document and records that manifests any sort of financial result created based on the type of relationship between Hage Grup and personal data subject as well as data such as bank account number, IBAN, income information, debt/credit information
Risk Management	Such as data processed for the management of business, technical and administrative risks
Physical Environment Security Data	The data regarding the records and documents taken at the entry of the physical environment and during the visit such as camera records, vehicle information records and the records taken at the security point
Occupational Experience	Information such as diploma, the courses attended, on-the-job training, certificates and transcript
Visual and Auditory Data	Photograph and camera recordings (except for the records in the scope of Physical Environment Security Data) and voice records
Health Data	Information about disabilities, blood type, personal health, medical device and prosthesis etc.
Criminal Records and Security Precautions	Information regarding criminal records and security precautions
Association Membership	Association membership information etc.
Philosophical Belief, Religion, Sect and Other Beliefs	Information regarding other beliefs, religious attachment, philosophical belief, sect attachment etc.

Shared Party Categories

SHARED PARTY CATEGORY	DEFINITION	SHARING PURPOSE
Real persons or private law legal persons	Private law legal persons who have the power to obtain information and document from the Company as per relevant legislation provisions	It is limited to the demanded purpose within the limits of the legal power of relevant private law persons.
Public	All real and legal persons	It is limited to the purpose of being publicly shared by Hage Grup.
Business Partners	The parties with whom Hage Grup has established a business partnership with various purposes such as conducting their business activities	It is limited to the purpose ensuring that the goals of the partnership are achieved.
Suppliers	Parties that provide services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities	It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities
Affiliates and Subsidiaries	The companies of which the Company is a shareholder	It is limited to ensuring that the business activities that require the contribution of the affiliates of the Company are conducted.
Suppliers	The parties that provide services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup within the scope of conducting business activities of Hage Grup	It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities
Group Companies	All companies that constitute Hage Grup	It is limited to purposes such as planning strategies regarding the business activities of the Company and conducting of the activities as well as audit.
Authorized State Institutions and Organizations	State institutions and organizations that have power to obtain information and documents from the Company as per relevant legislation provisions	It is limited to the demanded purpose within the limits of the legal power of authorized state institutions and organizations.

Management of the Records

Personal data, may not be kept any longer than the period of time required for its processing purposes. The classification of the records that include personal data and the storage period therefor are stipulated by Storage and Destruction Policy.

When the storage period is over or upon the rightful demand of the data subject, personal data is anonymized, deleted or destroyed as per Storage and Destruction Policy so that the real person who is the data subject cannot be identified.

Document Ownership and Approval

The owner of this document is the Committee of KVK and it is responsible for reviewing this document regularly as per review requirements specified hereinabove.

The updated version of this document has been made available to all Hage Grup staff on common areas and has been published at the website of the company.