  1. POLICY, SCOPE, AND OBJECTIVE:

    CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY LIMITED COMPANY (hereinafter referred to as the “Company”) commits to adhering to principles and rules set forth by the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (LPDP) and other related legislation regarding the protection of personal data. The Board of Directors and management pledge to protect the rights and freedoms of individuals whose data are processed by the Company. For this purpose, the Board of Directors has adopted a written personal data protection policy and system to be implemented and developed.

    1.1 Scope

    The provisions of the policy cover all information systems and sub-information, contracts, environmental and physical areas, and the systems and arrangements produced for all of these, involved in the processing of personal data in the fields of activity and work areas of the Company. This policy includes all units of the Company, personnel of firms providing support services, visitors, third parties, interns, and contracted personnel.

    1.2 Objectives of the Personal Data Protection Policy and System

    The purpose of the Personal Data Protection Policy and System is to ensure that the company establishes and achieves its own standards in managing personal data; to determine and support organizational objectives and obligations. The Company establishes control mechanisms in line with an acceptable level of risk. The company ensures compliance with its obligations under international conventions, the Constitution, laws, contracts, and professional rules in the field of personal data protection, and ensures that the interests of individuals are best protected.

    2. DATA PROTECTION PRINCIPLES:

    The Company, in compliance with data protection regulations, adopts the following data protection principles:

     

    • Process personal data to the minimum extent necessary for its purposes and avoid processing excessive data;
    • Provide clear information to individuals about how and by whom their personal data is used;
    • Process only relevant and appropriate personal data;
    • Process personal data in accordance with equity and law;
    • Maintain an inventory of categories of personal data processed by the Company;
    • Keep personal data accurate and update it when necessary;
    • Store personal data only for the duration required by legal regulations, the Company’s legal obligations, or legitimate corporate interests;
    • Respect the rights of individuals, including the right to access, related to their personal data;
    • Keep all personal data secure;
    • Transfer personal data abroad only when adequate protection is in place;
    • Apply exceptions permitted by legislation;
    • Establish and implement a personal data protection system for the enforcement of the policy.
    • Determine internal and external stakeholders involved in the personal data protection system when necessary, and define to what extent they are included in the Company’s personal data protection system;
    • Identify personnel with specific authority and responsibilities related to the personal data protection system.

     

    3. NOTIFICATIONS
    • The Company informs the Personal Data Protection Board (“PDPA Board”) about its status as a data controller and the categories of personal data it processes under this title. The Company identifies all categories of personal data it processes in its personal data inventory.
    • Notifications are made according to the procedures and methods determined by the PDPA Board, and a copy of the notification is stored by the Company’s Personal Data Protection Committee (PDPA Committee).
    • In case it is deemed necessary by the relevant legislation or the PDPA Board, notifications are repeated periodically.
    • The PDPA Committee reviews the Company’s data processing activities and any changes in them on an annual basis to identify potential changes that may occur in the notification made to the PDPA Board and informs the PDPA Board if necessary.

    Any violation of this policy by all units of the Company, personnel of firms providing support services, interns, and contracted personnel will be subject to the Company’s disciplinary regulations. If such a violation constitutes a crime or misdemeanor, the situation will be reported to the relevant authorities in the shortest possible time.

    All solution partners of the Company with access or potential access to personal data and all third parties working in collaboration with the Company are invited to read and adhere to this policy. No third party can access personal data processed by the Company without a written privacy agreement that includes obligations related to the protection of personal data with standards at least as stringent as those of the Company, and the Company’s right to oversight.

    4. DEFINITIONS

    Explicit Consent: Refers to the consent that is based on being informed about a specific subject and is given freely.

    Anonymization: The process of turning personal data into a form in which, even when matched with other data, it can in no way be associated with an identified or identifiable real person.

    Relevant Person (Data Subject): The real person whose personal data is processed.

    Personal Data: Any information related to an identified or identifiable real person.

    Special Quality (Sensitive) Personal Data: Data concerning race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, convictions and security measures, as well as biometric and genetic data of individuals.

    Processing of Personal Data: Refers to any operation performed upon personal data, whether or not by automatic means, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making available, categorization, or blocking its use.

    PDPL (in the context of this text, equivalent to KVKK): Refers to the Law on the Protection of Personal Data No. 6698.

    PDPL Board (equivalent to KVKK Kurulu): Refers to the Personal Data Protection Board.

    PDPL Institution (equivalent to KVKK Kurumu): Refers to the Personal Data Protection Authority.

    Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the latter.

    Data Recording System: Refers to the system where personal data is processed according to specific criteria.

    Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

    5. ROLES AND RESPONSIBILITIES
    1. The Company acts as both the data processor and data controller in accordance with KVKK.
    2. Senior Management, including those in managerial and auditor roles, as well as all employees, are responsible for the development and promotion of correct practices in processing personal data within the Company. They are also accountable for other obligations related to this subject as specified in their individual job descriptions.
    3. The KVK Committee has been established as the responsible unit for managing the personal data protection system, ensuring and documenting compliance with the KVKK and other relevant legislation. This committee is accountable to the Board of Directors on these matters.

    6. KVK COMMITTEE

    The KVK Committee members are appointed by the Board of Directors, taking into consideration their expertise and experience in the field of personal data protection legislation and practices. The KVK Committee directly reports to the Board of Directors. The Committee is composed of members from the Information Security Committee and is chaired by the General Manager.

    6.1 KVK COMMITTEE DUTIES AND RESPONSIBILITIES

    • The Committee is responsible for informing the Board of Directors about the Personal Data Protection legislation and its developments.
    • The Committee is responsible for ensuring that the company’s policies and procedures are up-to-date and that data processing audits are carried out in accordance with the planned calendar and that they comply with the relevant legislation.
    • The Committee collaborates with all relevant staff on personal data protection issues.
    • The main duties and responsibilities of the Committee are:

    o Provide information and advice to the company, relevant business partners, and support service providers about personal data protection legislation and compliance issues.

    o Provide information and advice to company staff about their obligations under the personal data protection legislation.

    o Monitor the compliance of the company’s data processing activities with the personal data protection legislation.

    o Contribute to the development and maintenance of the company’s personal data protection policy and related procedures and processes.

    o Designate responsibilities within the Company in the context of compliance with personal data protection legislation.

    o Ensure that necessary training and awareness are provided to all personnel involved in personal data processing processes.

    o Conduct regular audits to monitor compliance with personal data protection legislation and report to the Board of Directors.

    o Collaborate and communicate with the KVK Board.

    o Designate responsible individuals who will function as the company’s contact point and representative before the KVK Board.

    o Develop formal procedures for reporting personal data breach incidents and investigations to the Board.

    o Provide information and advice on the retention of corporate records.

    o Ensure the scale at which personal data is collected, held, and used within the company and ensure their storage conditions comply with the relevant legislation.

    o Monitor and evaluate compliance, reasonability, security practices, and other necessary controls regarding the protection of personal data.

    o Present potential risks concerning personal data within the company and related suggestions to the agenda of the Board of Directors.

    • The KVK Committee has the authority to audit all systems related to the collection, processing, and storage of personal data in the company. While performing its duties, the KVK Committee can request cooperation from all staff, including access to systems and records. If this cooperation is not provided, the Committee reports the situation to the Board of Directors.
    • All personnel of the company who process personal data are responsible for acting in accordance with the Personal Data Protection legislation.
    • The General Manager is responsible for ensuring that all personnel are aware of their responsibilities in the field of personal data protection and for conducting necessary notifications and training.
    • Company staff is obliged to ensure the accuracy and currency of all personal data provided to the company by them or related to them.

    7. DATA PROTECTION PRINCIPLES

    All personal data processing activities must be carried out in accordance with the following data protection principles. The company’s policies and procedures aim to ensure compliance with these principles:

    • Compliance with the law and principles of honesty.
    • Accuracy and being up-to-date when necessary.
    • Processing for specific, clear, and legitimate purposes.
    • Being relevant, limited, and proportionate to the purposes they are processed for.
    • Being retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed.

     

    Personal data is processed in a transparent manner in accordance with the law and the principle of honesty.

    In this context, the Company includes disclosure statements/privacy notices in the data collection channels and related areas regarding its personal data processing activities. The Data Protection Committee (DPC) determines the areas where these notifications, which contain clear and understandable information about which data related to whom is processed by the Company for what purposes, will be placed and announced. These notices include:

    • Identity and contact details of the company as the data controller,
    • Contact details of the DPC,
    • Types of personal data being processed,
    • Purposes of processing personal data,
    • Predicted retention period of the personal data,
    • Rights of the data subject,
    • Third parties with whom the data can be shared.

    Personal data can only be processed for specific, clear, and legitimate purposes.

    • The reasons/purposes for processing personal data are determined in the personal data inventory and personal data cannot be used for purposes other than those specified without another legal basis or the explicit consent of the data subject.
    • If conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is reported to the DPC by the relevant personnel/department. The DPC checks the suitability of the new purpose and ensures that the data subject is informed about the new purpose and the new data processing activity if necessary.

    Personal data must be appropriate and relevant and processed to a limited extent for the purpose.

    • The DPC is responsible for ensuring that personal data that is not clearly necessary for the processing purpose is not collected or processed.
    • All electronic and physical data collection forms and data collection mechanisms in information systems are implemented subject to the approval of the DPC.
    • The DPC periodically checks the personal data inventory to ensure that the data processed is appropriate and relevant.
    • The DPC audits the appropriateness and relevance of all data processing methods through an internal/external audit to be carried out annually.
    • The DPC is responsible for stopping the processing of personal data that it has determined to be inappropriate or excessive in terms of the processing purpose and for securely destroying processed data in accordance with the retention and destruction procedure.

    Personal data must be accurate and up-to-date.

    • Data held over a long period must be reviewed for accuracy and currency.
    • The General Manager is responsible for training all personnel on collecting and maintaining personal data accurately and up-to-date.
    • The accuracy and currency of the data held about personnel are the responsibility of the respective personnel.
    • Personnel/customers and other relevant individuals must inform the Company to update the processed personal data. Upon such a notification, the correction and update of the said record is the responsibility of the relevant unit.
    • Based on its assessment of the type, retention period, and amount of the processed data, the DPC may instruct the relevant unit to review the accuracy or currency of certain data.

    Personal data should be processed only if necessary for the data processing purpose.

    • In cases where personal data is stored beyond the necessary period due to backup requirements, etc., to protect the rights and freedoms of individuals in data security vulnerability situations, personal data should be encrypted or anonymized/masked.
    • Processing personal data after the periods specified in the procedure defining the retention and destruction process is subject to the written approval of the DPC.

     

    8. RIGHTS OF DATA SUBJECTS

    Data subjects have the following rights regarding the processing activities and records of the Company:

    • To inquire whether their personal data is processed,
    • If their personal data has been processed, to request related information,
    • To learn the purpose of processing their personal data and whether it is used appropriately for its purpose,
    • To know the third parties in the domestic or foreign countries to whom their personal data is transferred,
    • To request the correction of their personal data if it has been processed incompletely or inaccurately,
    • To request the deletion or destruction of personal data that has no legal basis or justification for processing under the KVKK or this policy,
    • To request that correction or deletion actions be notified to third parties to whom personal data has been transferred,
    • To object to a result against the person due to the exclusive analysis of the processed data by automatic systems,
    • To request compensation for the damage due to the unlawful processing of personal data.

     

    Data subjects can request access to their personal data and use the aforementioned rights. These requests are forwarded to the Contact Responsible/KVKK Committee, and the Committee responds within 30 days. Processes related to the receipt, forwarding, and conclusion of requests are carried out according to the request management procedure.

     

    Data subjects can submit their requests by filling out the KVKK Application Form and sending it to CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY LIMITED COMPANY, Kapadokya Technopark No:13 Nevşehir, either by notary, by registered and return mail after verifying their identity, or via the registered e-mail address at “[email protected]”.

     

    All company staff, regardless of their job description, are obligated to guide data subjects correctly about the application method for access requests directed to them. Company employees should be informed and trained on how to act upon requests coming from data subjects.

     

    To enable data subjects to direct their requests, the contact information of the Contact Person/Committee is included in the disclosure texts/privacy notices and on the Company’s website.

    9. OBTAINING EXPLICIT CONSENT

    The company considers the consent, which is expressed by the data subject for specific data processing activities, based on being informed and with free will, through a written/oral statement or a clear affirmative action, as explicit consent. For sensitive data, explicit consent is always obtained in writing. Explicit consent can always be withdrawn by the data subject.

     

    Explicit consent can be obtained by having the data subject sign the explicit consent form template, or by including the elements found in this template in a contract or electronic form to be made with the data subject. For routine personal data related to employees, prospective employees, and customers, explicit consent is obtained through the relevant contract or forms.

     

    If the data processing activity based on explicit consent will be continuous or repeated, a single list of persons whose explicit consent has been obtained is kept by the relevant unit. The accuracy and currency of this list is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools related to the data processing activity based on explicit consent are kept by the relevant unit.

    10. DATA SECURITY

    All staff are obligated to ensure that personal data processed by the Company and under their responsibility are securely maintained. Only those who need access to personal data should be able to access it. Accesses are provided in accordance with the Access Management Procedure.

    The security of personal data is ensured in line with the Company’s PDPL (Personal Data Protection Law) Policy and the documents associated with it.

    Incidents related to the security of personal data are reported to the PDPL Committee, the PDPL Board, and the relevant person in the shortest possible time.

    11. DATA SHARING

    • Personal data can only be shared with third parties in compliance with the law and fairness. Accordingly, for the sharing of personal data, one of the following conditions must be met:

    o Obtaining the explicit consent of the data subject.

    o Explicitly stipulated by laws.

    o A situation where the person is unable to express their consent due to actual impossibility, or where their consent is not legally valid, and it’s imperative to protect their life or physical integrity or that of someone else.

    o Necessary for the establishment or execution of a contract to which the Company is or will be a party, directly related to processing the personal data of the parties.

    o Necessary for the Company to fulfill its legal obligation.

    o The data has been made public by the person concerned.

    o Necessary for the establishment, exercise, or protection of the Company’s rights.

    o Necessary for the legitimate interests of the Company, provided that this does not harm the fundamental rights and freedoms of the person concerned.

    • Personal data can only be transferred abroad if the conditions above are met, adequate protection is in place in the target country, and explicit consent is obtained from the data subject regarding this transfer.
    • When transferring personal data abroad, the list of countries deemed by the Personal Data Protection Board (KVK Board) to have adequate protection is taken into account.
    • When the transfer of personal data abroad is in question, the KVK Committee ensures the necessary permissions and notifications with the KVK Board in accordance with the Personal Data Protection Law (KVKK) and relevant legislation.
    • In the event of a regular data-sharing relationship without a legal basis or legal obligation, a KVKK Commitment Agreement that defines the conditions of data sharing is made with the relevant parties. The KVKK Commitment Agreement includes at a minimum:

    o Purpose or purposes of sharing;

    o Potential third-party recipients or type of recipient and conditions of access rights;

    o Categories of data to be shared (which should be kept to the necessary minimum for these purposes);

    o General principles regarding data processing;

    o Data security measures;

    o Duration of data retention;

    o Rights of the data owner, access requests, procedures for responding to applications and complaints;

    o Review of termination of the sharing agreement; and

    o Responsibilities and penalties for non-compliance with the agreement or individual breaches by staff.

    12. MANAGEMENT OF RECORDS

    Personal data cannot be kept longer than necessary for the processing purposes. The classification of records containing personal data and the retention periods for these records are determined in accordance with the Retention and Destruction Policy.

     

    When the necessary retention period for processing purposes expires or upon the justified request of the data subject, personal data is anonymized, deleted, or destroyed in a way that the data subject cannot be identified, in accordance with the Destruction Procedure.

     

    13. UPDATING THE POLICY

    13.1 Document Ownership and Approval

    The owner of this document is the Data Protection Committee, and it is responsible for regularly reviewing this policy in accordance with the aforementioned review requirements.

    The current version of this document has been made accessible to all Company personnel through the shared space and has been published on the company website.

    PROTECTION POLICY OF PERSONAL DATA OF SPECIAL NATURE

    PURPOSE

    The purpose of the Processing Policy for Personal Data of Special Nature (“Policy”) is to determine the principles in all data processing activities, such as the transfer, storage, destruction, and retention of personal data of special nature belonging to current and potential customers, business partners, visitors, shareholders, company executives, prospective employees, personnel, and officers of CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co. (hereinafter referred to as the “Company” or “CAPPINNO”), in accordance with the procedures and principles stipulated by the Law No. 6698 on the Protection of Personal Data (“Law”) and the Decision No. 2018/10 dated 31.01.2018 of the Personal Data Protection Board regarding “Adequate Measures to be Taken by Data Controllers in Processing Special Category Personal Data”.

     

    SCOPE

    The provisions of the Policy cover all information systems, sub-information, contracts, environmental and physical areas, and the systems and arrangements produced for all of these involved in the processes of processing personal data in CAPPINNO’s fields of activity and work areas.

    This policy encompasses a third party working on behalf of CAPPINNO, its current and potential customers, business partners, visitors, shareholders, CAPPINNO executives, staff, prospective employees, related third parties, and third-party personnel and officers.

     

    DEFINITIONS

    Explicit consent: Consent that is based on being informed about a specific subject and declared with free will,

    Anonymization: Rendering personal data in a way that cannot be associated with an identified or identifiable real person, even if matched with other data,

    ISPDPC: Information Security and Personal Data Protection Committee appointed by the General Manager for the supervision of the company organization,

    Relevant person: The real person whose personal data is processed,

    Personal data: Any information related to an identified or identifiable real person,

    Special category (sensitive) personal data: Data related to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

    Processing of personal data: Any operation performed on data, such as fully or partially automated acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, takeover, accessibility, classification or preventing the use of personal data,

    PDPL: Protection of personal data,

    PPDL: Law No. 6698 on the Protection of Personal Data,

    PDPL Board: Personal Data Protection Board,

    PDPL Institution: Personal Data Protection Institution,

    PDPL Representative: Personal Data Protection Representative appointed by the General Manager for the supervision of the company organization,

    Data processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by the latter,

    Data recording system: The recording system in which personal data is processed structured according to certain criteria,

    Data controller: Refers to the real or legal person who determines the purposes and means of processing personal data, and who is responsible for the establishment and management of the data recording system.

    DUTIES and RESPONSIBILITIES

    CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co. is the data processor and data controller as per the PPDL (Protection of Personal Data Law).

    All staff, especially those in senior management, administrative, and auditor positions, are responsible for the development and promotion of correct practices in the processing of personal data of special nature within CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co. and also for other obligations related to this issue specified in their individual job descriptions.

    The Information Security and Personal Data Protection Committee is responsible for the supervision of units in charge of managing the personal data protection system, ensuring and documenting compliance with the PPDL and other relevant legislation, and reporting to the Senior Management in these matters.

     

    DUTIES AND RESPONSIBILITIES OF STAFF:

    In addition to the responsibilities stated in the Personal Data Protection Policy, those who process personal data of special nature are also responsible for the following matters:

    • To act in compliance with the Processing Policy of Personal Data of Special Nature and other related policies and procedures,
    • To fulfill their duties and responsibilities in accordance with the instructions provided in the Processing Policy of Personal Data of Special Nature.
    1. DUTIES AND RESPONSIBILITIES OF THE ISPDPC (BGKVK)

    The Information Security and Personal Data Protection Committee, in addition to the responsibilities specified in the Personal Data Protection Policy, is responsible for the following:

     

    • Ensuring the creation and updating of the Processing Policy of Personal Data of Special Nature,
    • Organizing special-natured personal data processing procedures in accordance with this policy and coordinating their application by relevant business units,
    • Creating and maintaining a framework for the development, implementation, and updating of the processing principles of special nature personal data within the company, working with related units to take necessary measures and trainings,
    • Supporting staff in implementing processes established under this policy,
    • Reporting violations related to this policy to management every six months,
    • Communicating topics and developments related to special-natured personal data processing, policies/standards, and/or other internal regulations to the company staff in an appropriate manner,
    • Taking a lead role in reporting, responding to, and coordinating solutions regarding complaints about violations of special-natured personal data processing,
    • Participating in the development process of new products and services where processing of special-natured personal data is involved; giving opinions and suggestions before the implementation of the new product or service production environment,
    • Improving and ensuring the application of administrative, technical, and physical security controls of systems containing special nature personal data,
    • Collaborating with competent business units to facilitate enhancements and security assessments for systems that contain special-natured personal data,
    • Implementing procedures and technology to monitor and evaluate the protection and usage of special-natured personal data in company systems or distributed systems.

     

    1. DATA SECURITY

    All staff members are obliged to ensure that data processed by CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co. and under their responsibility are securely stored and not disclosed to any third party unless a KVK (Data Protection) Commitment is signed.

     

    Access to personal data should only be available to those who need it. Access is provided in accordance with the access management procedure.

     

    Data security is provided in accordance with the CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co. KVK (Data Protection) Policy and the related documents.

     

    Security incidents related to personal data are reported to the KVK (Data Protection) Board and the concerned person by the Information Security and Personal Data Protection Committee as soon as possible.

     

    When processing specially qualified personal data, the data controller, which is CAPPADOCIA INNOVATION INSTITUTE TECHNOLOGY Ltd. Co., must also fulfill the adequate security measures determined by KVKK (Personal Data Protection Law).

     

    1. IMPLEMENTATION OF SECURITY MEASURES FOR STAFF

     

    For personnel in business units that carry out their business processes by processing specially qualified personal data, such as the Consulting unit, Sales unit, IT Security unit, Cybersecurity unit, and Finance and Accounting unit:

     

    Confidentiality agreements should be concluded, with the Specially Qualified Personal Data Policy included as an annex.

    The units mentioned above should receive training on the security of personal data once a year.

    The authority scopes and periods of users with access to specially qualified personal data must be clearly defined, and periodic authority checks should be performed.

    The permissions in this area held by staff who change positions or leave their jobs should be immediately revoked, and their current accounts should be immediately closed. In this context, it should be ensured that inventory items containing personal data (computer, hard disk, file, folder, etc.) allocated by the data controller are returned.

    1. TAKING SECURITY MEASURES IN ELECTRONIC ENVIRONMENTS

     

    If the environments where such data is processed, stored, and/or accessed are electronic:

     

    Data should be stored using cryptographic methods.

    Cryptographic keys should be stored securely in different environments.

    All operations performed on the data should be securely logged.

    Security updates related to the environments where data is located should be continuously monitored, necessary security tests should be performed regularly or outsourced, and test results should be recorded.

    If access to the data requires software, user authorizations for this software should be made, security tests for these programs should be carried out regularly or outsourced, and test results should be recorded.

    If remote access to the data is necessary, at least a two-step authentication system should be provided.

    1. SECURITY MEASURES IN PHYSICAL ENVIRONMENTS

    If the environments where the data is processed, stored, and/or accessed are physical:

     

    Ensure that adequate security measures are in place for the environment containing specially qualified personal data, against situations like electric leakage, fire, flood, theft, etc.

    These environments must be physically secured to prevent unauthorized entry and exit.

    1. DATA SHARING

    Specially Qualified Personal Data can only be shared with third parties in accordance with the law and equity, either with the explicit consent of the person concerned or within the exceptions provided in paragraph 3 of Article 6 of Law No. 6698.

     

    For personal data to be shared, one of the following conditions must be met:

    • Obtaining explicit consent from the data owner.
    • Except for personal data regarding health and sexual life, situations where personal data processing is clearly foreseen in the laws.
    • Specially qualified personal data concerning health and sexual life can be processed by individuals or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and its financing.

     

    When sharing specially qualified personal data, the following measures will be taken, and the transmission activities will be performed accordingly:

    Specially Qualified Personal Data:

     

    If it needs to be transferred via email, it should be encrypted and transferred using a corporate email address or a Registered Electronic Mail (KEP) account.

    If transfer via portable memory, CD, DVD, or similar media is required, it should be encrypted with cryptographic methods and the cryptographic key should be stored in a different environment.

    If transferring between servers in different physical environments, data transfer should be made by setting up a VPN between the servers or using the SFTP method.

    If data needs to be transferred in paper form, necessary precautions against risks such as documents being stolen, lost, or viewed by unauthorized persons should be taken. The document should be sent in a “confidentially graded documents” format.

    KEEPING THE POLICY UP TO DATE

    Document Ownership and Approval

    The Information Security and Personal Data Protection Committee owns this document and is responsible for reviewing it regularly in accordance with the review requirements mentioned above.

    The current version of this document is made accessible to all our employees via https://www.cappinno.com.

    This policy document was approved and published on July 14, 2023.

     

    1. DISTRIBUTION

    All our employees.

     

    1. HISTORY

    Version | Revision Date | Reason for Change | Prepared/Updated by | Approved by

    V.0 | July 14, 2023 | Creation | General Manager | Board of Directors

     
