PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. PURPOSE AND SCOPE

The protection and privacy of personal data has been adopted as a corporate culture for MAVI GOK HAVACILIK ANONIM SIRKETI (hereinafter "MGA" or "Company"). The Company takes utmost care and endeavours within the scope of its activities to process and protect the personal data of natural persons in accordance with the legal norms in force and universal legal principles. Acting in the capacity of data protection officer, the Company processes and protects personal data within the scope of this Policy on Processing and Protection of Special Categories of Personal Data ("Policy").

This Policy on the Protection of Personal Data relates to the personal data of persons other than our employees, which our Company, as the Data Protection Officer, processes in whole or in part by automatic or non-automatic means, provided that it is part of any data recording system. It shows how the principles and guidelines stipulated by the relevant legislation are applied in the Company's processes for the protection of personal data. This Policy describes the Company's general policy and processes regarding the processing and protection of personal data. In this context, the obligation to provide information to data subjects under Article 10 of the Personal Data Protection Law is fulfilled through the relevant clarification texts presented to the data subjects for each specific process.

The applicable legislation in this field, secondary regulations and universal legal principles shall apply in the protection and processing of personal data in accordance with the law. In the event of a conflict between our Policy on the Protection of Personal Data and the relevant regulations in force, the regulations in force shall prevail.

We may make updates to this Policy as necessary, so make sure you have access to our current Policy at the time you use our services.

2. DEFINITIONS

“Explicit Consent”: Refers to freely given, specific and informed consent.

“Obligation to Provide Information”: Refers to the Company's obligation to provide information to the Data Subjects during the collection of personal data via the Data Protection Officer or persons authorised by him/her within the scope of Article 10 of the Law on the Protection of Personal Data and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Provide Information.

“Relevant Person”, “Data Subject”: Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

“Destruction”: Refers to the deletion, destruction or anonymization of personal data.

“Personal Data”: Refers to any information relating to an identified or identifiable natural person.

“Anonymization of Personal Data”: Refers to rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

“Processing of Personal Data”: Refers to any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof.

“Erasure of Personal Data”: Refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users.

“Destruction of Personal Data”: Refers to the process of making personal data inaccessible, irreversible and non-reusable by anyone in any way.

“Board”: Personal Data Protection Board

“Authority”: Personal Data Protection Authority

“Law”, “Law on Protection of Personal Data”: Refers to the Law No. 6698 on the Protection of Personal Data

“Policy on Protection of Personal Data”: Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Special Category of Personal Data”: Refers to personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data.

“Company”: Refers to MAVI GOK HAVACILIK ANONIM SIRKETI

“VERBIS”, “Registry”: Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

“Data Processor”: Refers to the natural or legal person who processes personal data on behalf of the data protection officer upon its authorization.

“Data Protection Officer”: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

3. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The Company adheres to the "General Principles" listed in Article 4 of the Law on the Protection of Personal Data, which must be complied with when processing personal data:

3.1. Processing in accordance with the Law and Good Faith

The Company manages personal data processing processes in accordance with legal norms, universal legal principles and rules of honesty, informs the relevant persons as necessary to ensure the transparency of the processes, and takes into account the interests and reasonable expectations of the relevant person in such processes. In this context, the Company prevents data processing activities from producing consequences that the data subject does not expect and need not expect.

3.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

As a rule, personal data are processed upon the declaration of the data subjects and in the manner in which they are declared, and declared personal data are deemed to be accurate. The Company takes reasonable care and attention to ensure that the personal data within its legal entity are kept accurate and up-to-date and do not contain false information. In the event that changes in the processed personal data are notified to the Company by the relevant person, the Company ensures that the necessary administrative and technical mechanism is established to update the personal data in the relevant database.

3.3. Processing for Specified, Explicit and Legitimate Purposes

The Company sets out its legitimate and lawful data processing purposes in a specific and clear manner prior to the commencement of personal data processing and processes personal data in connection with and to the extent necessary for the Company's products and services.

3.4. Being Relevant, Limited and Proportionate to the Processing Purposes

Personal data are processed in a limited and proportionate manner in connection with the purposes determined by the Company and explained to the data subject. The Company takes care to ensure that a reasonable balance is established between the data processing activity and the purpose to be achieved and that the processing is to the extent necessary to achieve the purpose.

3.5. Retention for the Period laid down by Relevant Legislation or the Period required for the Purpose of Processing

The Company retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, it deletes, destroys or anonymizes personal data when the period stipulated by the legislation has expired or when all of the purposes of processing have disappeared. As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the storage of personal data in the Personal Data Storage and Destruction Policy and is aware that it is obliged to ensure that personal data is kept in accordance with these principles.

Such principles shall apply regardless of whether the Company processes personal data based on explicit consent or in accordance with other data processing conditions. At this point, the Company processes personal data in accordance with the data processing conditions and general principles and fulfils its obligation to inform the data subjects.

4. INFORMATION ON THE PROCESSING OF PERSONAL DATA

The Company may regulate and update the categories of personal data to be processed, the groups of persons whose data are processed, the purposes of processing personal data, the legal conditions underlying the processing of personal data, the collection channels of personal data, the recipient groups to which they are transferred, the retention periods and destruction processes for expired personal data, and the security measures taken to ensure the security of personal data in all these processes. All this information is publicly published in the VERBIS (verbis.kvkk.gov.tr) registry information system on the website of the Authority and updated on the relevant platform.

4.1. CATEGORIES OF PERSONAL DATA

In order to ensure compliance with legal regulations and to manage personal data processing and protection processes properly, the Company has categorized the personal data to be processed.

All categories of personal data are basically organized under two main categories as "Personal Data" and "Special Categories of Personal Data".

All categories and definitions of personal data processed within our Company are as follows:

Identity Data: Name and surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, serial number of identity card, T.R. ID No., signature, etc.

Contact Data: Address, e-mail address, contact address, registered electronic mail address (REM), telephone no., etc.

Location Data: Person's current location

Personnel Data: Payroll data, disciplinary proceedings, employment records, property declaration, CV data, performance evaluation reports, etc.

Data on Legal Processes: Information in correspondence with judicial authorities, information in the court file, etc.

Data on Customer Transactions: Call centre records, invoices, bills, checks, information on the payment counter receipts, order information, request information, etc.

Physical Space Security: Entry and exit records of employees and visitors, camera recordings, etc.

Data on Process Security: IP address, website login and logout records, passwords, etc.

Risk Management: Information processed for the management of commercial, technical, administrative risks, etc.

Financial Data: Bank, IBAN, balance sheet details, financial performance details, credit and risk details, asset details, etc.

Data on Professional Experience: Diploma details, attended courses, vocational trainings, certificates, transcripts, etc.

Marketing: Shopping history, surveys, cookie records, information obtained through campaign work.

Audio and Visual Recordings: Photographs, videos, audiovisual recordings, etc.

Criminal Conviction and Security Measures: Information on criminal convictions, security measures, etc.

Race and Ethnicity: Information on race, ethnicity, etc.

Philosophical Belief, Religion, Sect and Other Beliefs: Information on religious affiliation, philosophical beliefs, sectarian affiliation, other beliefs, etc.

Health Data: Disability status, blood type, personal health status, used devices and prostheses, etc.

4.2. GROUPS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED

The relevant groups of persons whose personal data are processed by our Company and their definitions are publicly disclosed and published at VERBIS (verbis.kvkk.gov.tr) on the website of the Authority.

4.3. PURPOSES FOR PROCESSING PERSONAL DATA

The Company processes personal data in accordance with the aforementioned "General Principles for the Processing of Personal Data" set out in Article 4 of the Law and based on and limited to at least one of the personal data processing conditions set out in Articles 5 and 6 of the Law. In accordance with Article 10 of the Law and secondary legislation, the Company informs the relevant groups of persons separately about the categories and purposes of data processing in the relevant clarification texts. The Company's purposes for processing personal data have been declared in the Data Protection Officers' Information System (VERBIS) and are kept open to public access in the system (verbis.kvkk.gov.tr).

4.4. CONDITIONS FOR PROCESSING PERSONAL DATA

The Company processes personal data with the explicit consent of the data subject or, where one or more of the other data processing conditions are present, in accordance with that condition or those conditions. In the event that the processed personal data are special categories of personal data, the conditions specified under the heading "Conditions for the Processing of Special Categories of Personal Data" of this Policy shall apply.

  • Presence of Explicit Consent of the Data Subject

This data processing condition is met in the event that the data subject provides specific, informed and freely given explicit consent. The explicit consent obtained from the data subject is provably maintained by the Company for the required period of time within the scope of the Personal Data Protection legislation. In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.

  • In Cases Where Data Processing is explicitly Stipulated in Laws

In the event that there is a clear provision in the relevant law regarding the processing of that personal data, this data processing condition is met. For example, personal data are processed for the purposes of fulfilling legal obligations under the provisions of the Law on the Protection of Personal Data, Turkish Civil Aviation Law, Consumer Protection Law, Turkish Code of Obligations, Turkish Commercial Code, Tax Procedure Law and other relevant legislation.

  • Failure to Obtain the Explicit Consent of the Data Subject Due to Physical Impossibility

In the event that it is mandatory to process the personal data of a data subject who is unable to disclose his/her consent due to physical impossibility or whose consent is not legally valid, for the protection of his/her or someone else's life or physical integrity, the personal data of the data subject shall be processed based on this data processing condition.

  • In Cases Where Data Processing is Directly Related to the Establishment or Performance of a Contract

Processing on the basis of this data processing condition shall occur in the event that the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the data subject is a party.

  • In cases where data processing is mandatory for the Data Protection Officer to fulfil its legal obligations

In the event that the processing of personal data is mandatory for our Company to fulfil its legal obligations arising from legislation or contract, the data may be processed based on this data processing condition.

  • In cases where the Personal Data has been made public by the Data Subject himself/herself

Personal data made public by the data subject himself/herself shall only be processed limited to the scope of those made public.

  • Where Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right

In the event that data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject shall be processed based on this data processing condition.

  • In cases where Data Processing is Mandatory for the Legitimate Interests of the Data Protection Officer

In the event that data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject, processing shall be carried out based on this data processing condition.

4.5. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

The Company shall process special categories of personal data in compliance with the additional measures announced by the Personal Data Protection Board and by taking all necessary administrative and technical measures and in the presence of one of the following data processing conditions:

  • Explicit consent of the data subject.
  • In the event that processing of special categories of personal data other than health and sexual life is stipulated by law.
  • Processing of data on health and sexual life by persons under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

The Company has issued and published the "POLICY ON PROCESSING AND PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA" regarding the processing of special categories of personal data separately and in detail.

4.6. COLLECTION CHANNELS FOR PERSONAL DATA

The Company obtains personal data from physical and electronic media in accordance with the legal regulations and the purposes set out in this Policy and based on the processing conditions. Such environments and the channels through which personal data are obtained are as follows:

Physical Media: Posts, Printed Forms

Electronic Media: E-Mail, Website, Software and Applications, IT Devices, Corporate Social Media Accounts, Communication Platform

These channels may vary depending on the development and change of business processes and technological developments. In accordance with the principle of transparency, such changes shall be presented through updates to be made in the Policy.

4.7. TRANSFER OF PERSONAL DATA

The Company may transfer personal data and special categories of personal data to third parties in accordance with the regulations stipulated in Articles 8 and 9 of the Law, based on lawful purposes of processing personal data and by taking all necessary administrative and technical measures.

4.7.1. Domestic Transfer

The Company acts in accordance with the law in the transfer of personal data. It shares personal data with third parties to whom personal data are transferred only to the extent required by the service. It instructs the "Transfer Recipient" groups, which are "data processors", appropriately regarding data security through data transfer agreements.

Authorized Public Institutions and Organizations: Personal data are transferred to such organizations in order to fulfil our legal obligations.

Natural persons or private legal entities: Personal data are transferred to them for the purposes of following and conducting legal affairs, obtaining consultancy services, and carrying out activities in accordance with the legislation.

Group / Group Companies: Personal data are transferred to them for the purpose of carrying out accounting transactions, making necessary controls, receiving support services and providing information in this context.

Business Partners: Personal data are transferred to them for the purpose of executing the Contract processes, meeting and monitoring requests and complaints, and ensuring customer satisfaction.

Agencies: Personal data are transferred to them for the purpose of conducting customer relationship management processes, conducting sales processes of products and services, and conducting contract processes.

Suppliers (Product / Service Providers): Personal data are transferred to them for the purpose of supplying goods/ services, ensuring business continuity and the establishment and performance of the contract.

Independent Audit Company: Personal data are transferred to them for the purpose of conducting business activities and ensuring audits.

Bank: Personal data are transferred to them for the purpose of carrying out finance and accounting processes.

Joint Health and Safety Unit: Personal data are transferred to them for the purpose of carrying out Occupational Health / Safety activities in accordance with the legislation.

Customer / Natural Person Purchasing Goods or Services: Personal data are transferred to them for the purpose of conducting communication activities, conducting customer relationship management processes, conducting sales processes of goods and services, and conducting contract processes.

Insurance Companies: Personal data are transferred to them for the purpose of realization of Insurance transactions.

4.7.2. Overseas Transfer

The Company may transfer personal data abroad only in accordance with the regulations stipulated in Article 9 of the Law on the Protection of Personal Data and by taking the necessary administrative and technical measures. This transfer is only possible if one of the following conditions is met:

  • To foreign countries that the Authority has declared to have adequate protection, or

  • In the absence of adequate protection, without seeking the explicit consent of the data subject, provided that the data protection officers in Turkey and the relevant foreign country undertake in writing to provide adequate protection, and subject to the permission of the Board.

In the event that neither of these two conditions is met, personal data may only be transferred abroad with the explicit consent of the data subject.

Recipient groups to whom personal data are transferred and the purposes of sharing are as follows:

Suppliers: Personal data are transferred to them for the purpose of carrying out product / service sales processes, carrying out goods / service procurement processes.

Authorized Public Institutions and Organizations: Personal data are transferred to them for the purpose of conducting product / service sales processes and making legal notifications.

Agencies: Personal data are transferred to them for the purpose of conducting customer relationship management processes, conducting sales processes of products and services, and conducting contract processes.

Business Partners: Personal data are transferred to them for the purpose of executing the Contract processes, meeting and monitoring requests and complaints, and ensuring customer satisfaction.

Suppliers (Product / Service Providers): Personal data are transferred to them for the purpose of supplying products/services, ensuring business continuity and the establishment and performance of the contract.

The recipient groups to which personal data are transferred and the categories of personal data transferred abroad may vary. Such changes and updates are publicly announced and published at VERBIS (verbis.kvkk.gov.tr) on the website of the Authority.