POLICY ON PROCESSING AND PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

1. PURPOSE and SCOPE

The protection and privacy of personal data has been adopted as a corporate culture for MAVI GOK HAVACILIK ANONIM SIRKETI (hereinafter "MGA" or "Company"). The Company takes utmost care and endeavours within the scope of its activities to process and protect the personal data of natural persons in accordance with the legal norms in force and universal legal principles. Acting in the capacity of data protection officer, the Company processes and protects personal data within the scope of this Policy on Processing and Protection of Special Categories of Personal Data ("Policy").

This Policy on Processing and Protection of Special Categories of Personal Data relates to the special categories of personal data of the data subjects, which our Company acting as the data protection officer processes by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. The Policy on Processing and Protection of Special Categories of Personal Data shows how the principles and guidelines set forth by the relevant legislation are applied in the protection of personal data by the Company. This Policy describes the Company's general policy and processes regarding the processing and protection of personal data, and the obligation to provide information under Article 10 of the Law on the Protection of Personal Data is fulfilled by the relevant clarification texts to be provided to the relevant persons on a concrete process basis.

The purpose of the Policy on Processing and Protection of Special Categories of Personal Data is to fulfil the legal obligations arising from the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 “Adequate Measures to be Taken by Data Protection Officers in the Processing of Special Categories of Personal Data” and to reveal the technical and administrative measures taken in the processing of special categories of personal data.

2. DEFINITIONS

“Explicit Consent”: Refers to freely given, specific and informed consent.

“Obligation to provide information”: Refers to the Company's obligation to provide information to the Data Subjects during the collection of personal data via the Data Protection Officer or persons authorised by him/her within the scope of Article 10 of the Law on the Protection of Personal Data and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Provide Information.

“Relevant Person”, “Data Subject”: Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

“Destruction”: Refers to the deletion, destruction or anonymization of personal data.

“Personal Data”: Refers to any information relating to an identified or identifiable natural person.

“Anonymization of Personal Data”: Refers to rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

“Processing of Personal Data”: Refers to any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

“Erasure of Personal Data”: Refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users.

“Destruction of Personal Data”: Refers to the process of making personal data inaccessible, irreversible and non-reusable by anyone in any way.

“Board”: Refers to the Personal Data Protection Board.

“Authority”: Refers to the Personal Data Protection Authority.

“Law”, “Law on Protection of Personal Data”: Refers to the Law No. 6698 on the Protection of Personal Data.

“Policy on the Protection of Personal Data”: Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Special Categories of Personal Data”: Refer to personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.

“Company”: Refers to MAVI GOK HAVACILIK ANONIM SIRKETI.

“VERBIS”, “Registry”: Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

“Data Processor”: Refers to the natural or legal person who processes personal data on behalf of the data protection officer upon its authorization.

“Data Protection Officer”: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

3. PRINCIPLES TO COMPLY WITH IN THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

In the processing of special categories of personal data, the Company acts in compliance with the “General Principles” that are specified in the “Policy on the Protection of Personal Data” and that Article 4 of the Law on the Protection of Personal Data makes mandatory in the processing of personal data.

3.1. Processing in accordance with the Law and Good Faith

The Company manages personal data processing processes in accordance with legal norms and universal legal principles and rules of honesty, informs the relevant persons as necessary to ensure the transparency of the processes, takes into account the interests and reasonable expectations of the person concerned in such processes. In this context, it prevents the data processing activity from resulting in consequences that the data subject does not expect and does not need to expect.

3.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

As a rule, personal data are processed upon the declaration of the data subjects and as consented by data subjects, and such declared personal data shall be deemed to be correct. The Company shows reasonable care and attention required to keep the personal data within its legal entity accurate and up-to-date and not to contain false information. In the event that changes in the processed personal data are notified to the Company by the data subject, it ensures that the necessary administrative and technical mechanism is established to update the personal data in the relevant database.

3.3. Processing for Specific, Explicit and Legitimate Purposes

The Company sets out its legitimate and lawful data processing purposes in a specific and clear manner prior to the commencement of personal data processing and processes personal data in connection with and to the extent necessary for the Company's products and services.

3.4. Being relevant, limited and proportionate to the purpose for which they are processed

Personal data are processed in a limited and measured manner in connection with the purposes determined by the Company and explained to the data subject. The Company takes care to ensure that a reasonable balance is established between the data processing activity and the purpose to be achieved and that the processing is to the extent necessary to achieve the purpose.

3.5. Retention for the Period Stipulated in the Relevant Legislation or required for the Purpose for which they are Processed

The Company retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, it deletes, destroys or anonymises personal data when the period stipulated by the legislation expires or when the purpose of processing is no longer applicable. As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the storage of personal data in the Personal Data Storage and Destruction Policy and is aware that it is obliged to ensure that personal data is kept in accordance with these principles.

Such principles apply regardless of whether the Company processes personal data based on explicit consent or in accordance with other data processing conditions. In this respect, the Company processes personal data in accordance with the data processing conditions and general principles and fulfils its obligation to inform the data subjects.

4. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

The Company processes special categories of personal data in compliance with the additional measures announced by the Personal Data Protection Board and by taking all necessary administrative and technical measures and in the presence of one of the following data processing conditions:

  • With the explicit consent of the data subject,
  • In cases stipulated by law for personal data other than health and sexual life,
  • Personal data relating to health and sexual life may only be processed without seeking the explicit consent of the data subject by persons under the obligation of confidentiality or authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

5. PURPOSES OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

The Company processes special categories of personal data in accordance with the "General Principles for the Processing of Personal Data" stated above and set out in Article 4 of the Law and based on at least one of the data processing conditions specified in Article 6 of the Law and in a limited and appropriate manner. In accordance with Article 10 of the Law and secondary legislation, the Company informs the relevant groups of persons separately about the categories and purposes of data processing in the relevant clarification texts. Personal data categories and related processing purposes are declared in the Data Protection Officers' Registry Information System (VERBIS) and the system is kept open to public access at verbis.kvkk.gov.tr.

6. RETENTION AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA

As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the retention of the sources of special categories of personal data in the "Personal Data Retention and Destruction Policy" and declared such periods separately for each category of personal data in VERBIS. The Company is aware that it is obliged to ensure that special categories of personal data are kept in accordance with these principles.

In accordance with the Law on the Protection of Personal Data, special categories of personal data are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. After the expiration of such period, the relevant personal data are deleted, destroyed or anonymised for analytical purposes at the end of the periodic destruction periods specified in the relevant Policy in accordance with the "Regulation on Deletion, Destruction or Anonymization of Personal Data". You can request more information through the contact details provided in this Policy.

SECURITY MEASURES FOR SPECIAL CATEGORIES OF PERSONAL DATA

The Company takes technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure that special categories of personal data are processed in accordance with the Law. Such measures are implemented with care and additional precautions in terms of special categories of personal data and the necessary audits are periodically carried out at the highest level within the Company.

Such security measures taken in accordance with the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 "Adequate Measures to be taken by Data Protection Officers in the Processing of Special Categories of Personal Data" are as follows:

  • For Employees involved in the processing of special categories of personal data;
    • Providing regular training on the Law and related regulations and on the security of special categories of personal data,
    • Conclusion of confidentiality agreements,
    • Clearly defining the users who are authorised to access data, their scope and duration of authorisation,
    • Carrying out periodic authorisation checks,
    • Immediately cancelling the authorization of the employees who have changed their duties or quit their jobs and ensuring that the inventory allocated by the data protection officer to such employee is returned,
  • For electronic environments where special categories of personal data are processed, stored and/or accessed
    • Preservation of data using cryptographic methods,
    • Keeping cryptographic keys in secure and different environments,
    • Secure logging of transaction records of all activities and operations performed on the data,
    • Continuous monitoring of the security updates of the environments where the data are located, conducting / having the necessary security tests conducted regularly, recording the test results,
    • Making user authorizations of the software for the data accessed through a software, conducting / having the security tests of such software conducted regularly, recording the test results,
    • Provision of at least a two-tier authentication system for data for which remote access is required,
  • For physical environments where special categories of personal data are processed, stored and/or accessed
    • Ensuring that adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where special categories of personal data are stored,
    • Ensuring the physical security of these environments and preventing unauthorized entry and exit,
  • In the event that special categories of personal data are required to be transferred
    • In the event that the data are required to be transferred via e-mail, they should be transferred encrypted with a corporate e-mail address or using a Registered Electronic Mail (REM) account,
    • In the event that they are required to be transferred via media such as Portable Memory, CD, DVD, they should be encrypted with cryptographic methods and the cryptographic key should be kept in a different medium,
    • In the event that they are required to be transferred between servers in different physical environments, data transfer between servers should be performed by setting up a VPN or using the sFTP method,
    • In the event that they are required to be transferred via paper media, it should be ensured that necessary precautions are taken against risks such as theft, loss or unauthorised access to the documents and that the documents are sent in the format of "confidential documents".

The security measures taken other than the security measures listed are declared in the "Personal Data Protection Policy" and VERBIS at verbis.kvkk.gov.tr.

In the event that personal data is damaged as a result of attacks on the platforms operated by the Company or on the Company's system, or is seized by unauthorised third parties, although the Company has taken the necessary data security measures, the Company shall take immediate action to remedy the breach in question and minimise the damage to the data subject. The Company shall immediately notify the relevant persons and the Board and take the necessary measures. The rules and procedures regarding the breach of personal data are included in the “Personal Data Breach Management Policy”.

7. RIGHTS OF DATA SUBJECTS

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. The rights of the data subject on personal data are listed in Article 11 of the Law on the Protection of Personal Data as follows:

  • to learn whether his/her personal data are processed or not,
  • to demand information if his/her personal data have been processed,
  • to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
  • to know the third parties to whom his/her personal data are transferred in the country or abroad,
  • to request the rectification of the incomplete or inaccurate data, if any,
  • to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
  • to request reporting of the operations carried out such as erasure, destruction or rectification to third parties to whom his/her personal data have been transferred,
  • to object to the occurrence of a result against the person himself/herself by analysing the data processed solely through automated systems,
  • to claim compensation for the damage arising from the unlawful processing of his/her personal data in violation of the Law on the Protection of Personal Data.

The data subject may submit his/her requests within the scope of the above-mentioned rights in writing to the Company's registered electronic mail (REM) address by using secure electronic signature, mobile signature or the electronic mail address previously notified to the Company by him/her and registered in the Company's system. The data subject may use the "Data Subject Application Form" available on the Company's website for application. The application must include the following: 

  • Name, surname and signature if the application is made in writing,
  • T.R. Identity No for Turkish citizens, or nationality, passport number and identification number for foreigners, if any,
  • Residential or workplace address for notification,
  • Electronic mail address, telephone and fax number for notification, if any,
  • Subject matter of the request

In addition, it is a prerequisite for the evaluation that the relevant information and documents are attached to the application and the language of the application is Turkish. Third parties may apply on behalf of the data subject only in the presence of a special power of attorney issued by a notary public.

In the event that the data subjects submit their requests regarding the above-mentioned rights to the Company in accordance with the application procedures stipulated in the "Communiqué on the Procedures and Principles of Application to the Data Protection Officer", as specified in this Personal Data Protection Policy, the Company shall finalise this request free of charge as soon as possible and within 30 (thirty) days from the date of application at the latest, depending on the nature of the request. However, in the event that the transaction requires an additional cost, the Company may charge the fee in the tariff determined by the Board.

For written applications, the date on which the document is notified to the data protection officer or its representative is the date of application. For applications made by other methods, the date the application is received by the data protection officer is the date of application.

8. RELEVANT DOCUMENTS

The Company sets out the implementation procedures and principles determined for the protection of personal data in its policies, and publishes such policies in publicly available media to the extent relevant. All company policies and regulations prepared in this regard form a whole and complement each other. In this way, the Company aims to ensure transparency and accountability by informing the data subjects about personal data processing activities.

Other related documents referred to in this Policy are as follows:

  • PERSONAL DATA PROCESSING AND PROTECTION POLICY
  • PERSONAL DATA STORAGE AND DESTRUCTION POLICY
  • PERSONAL DATA BREACH MANAGEMENT POLICY
  • DATA SUBJECT APPLICATION FORM

9. ENTRY INTO FORCE AND AMENDMENTS

This Policy enters into force as of the date it is published on the Company's website. The Company may amend this Policy at any time. Such amendments become effective on the day the new amended Policy is published.

10. OUR CONTACT DETAILS

If you have any questions about the “Policy on the Processing of Special Categories of Personal Data” or our approach to the processing and protection of your special categories of personal data, or if you want to exercise any of the rights set out in the Law on the Protection of Personal Data, you can get information in any of the following ways:

MAVI GOK HAVACILIK ANONIM SIRKETI

Address: BARBAROS MAH. SERIK.(E) CAD. E BLOK NO: 419E IC KAPI NO: 2 AKSU / ANTALYA

REM-Address: mavigokhavacilikas@hs01.kep.tr