DATA PROTECTION AND PROCESSING POLICY
SECTION 1 - PURPOSE OF THE POLICY;
The right to protect personal data is included in Article 20 of the Constitution of the Republic of Turkey as
follows.
"Everyone has the right to demand respect for their private and family life. Privacy and family life cannot be violated
(Additional paragraph: 12/9/2010-5982/2 article). Everyone has the right to demand the protection of personal data
concerning themselves. This right includes being informed about personal data related to oneself, accessing this data,
requesting its correction or deletion, and learning whether it is being used for its intended purposes or not. Personal
data can only be processed in cases envisaged by law or with the explicit consent of the individual. Principles and
procedures regarding the protection of personal data are regulated by law."
The Personal Data Protection Law No. 6698, which aims to protect the fundamental rights and freedoms of individuals
during the processing of personal data, was submitted to the Presidency of the Grand National Assembly of Turkey on
January 18, 2016, with various amendments made to previous texts and was enacted by the Grand National Assembly of
Turkey on March 24, 2016, and published in the Official Gazette numbered 29677 on April 7, 2016 and entered into force.
In the first paragraph of Article 12 of Law No. 6698 on the Protection of Personal Data (Law);
· To prevent the unlawful processing of personal data,
· To prevent unlawful access to personal data,
· To ensure the security of personal data
the data controller is obliged to take all necessary technical and administrative measures to ensure an appropriate
level of security, and in the fifth paragraph, it is stipulated that if personal data processed is obtained by others
through unlawful means, the data controller shall notify this situation to the relevant person and the Personal Data
Protection Board ("Board") as soon as possible, and the Board may, if necessary, announce this situation on its own
website or by any other method it deems appropriate.
Within the scope of the Personal Data Protection Law No. 6698 ("PDPL"), as a Data Controller; This policy has been
prepared to provide explanations about the personal data processing activities carried out by our Company and the
processes related to the protection of personal data, to ensure transparency and compliance with the law in practice,
and to inform the real persons who are data subjects processed by the union.
With this Policy, it is aimed to establish sustainable and auditable system to ensure compliance with the legislation in
all processes and to create awareness about the lawful processing and protection of personal data within the company.
In order to implement the Personal Data Protection Law and additional legislation within the company, necessary policies
and procedures are regulated, information texts are prepared, explicit consents are implemented, confidentiality
agreements are made, job descriptions are revised, administrative and technical security measures suitable for
legislation are taken by our company for the protection of personal data, and necessary audits are conducted or
commissioned within this scope.
SECTION 2 - DEFINITIONS
Below are explanations of some definitions included in the Personal Data Protection Law and our company's 'Personal Data
Protection and Processing Policy'.
Processing of Personal Data: Any operation performed on data such as collection, recording, storage, retention,
alteration, reorganization, disclosure, transfer, takeover, making data available, classification, or prevention of the
use of personal data, whether fully or partially automated or not, as part of any data recording system.
Data Subject: Real persons whose personal data are processed, including customers, employees, job applicants, suppliers
and their employees, partners, and other third-party real persons within the scope of contracts made with the Company.
Personal Data: Any kind of information relating to an identified or identifiable natural person.
For example; name, surname, Turkish Republic Identity Number (TCKN), email address, address, work address, date of
birth, place of birth, credit card number, driver's license number, bank account number, passport number, license
number, diploma, etc.
Sensitive Personal Data: Racial or ethnic origin, political opinion, philosophical belief, religion, sect or other
beliefs, dress and clothing, association, foundation or union membership, health, sexual life, criminal conviction, and
data related to security measures, as well as biometric and genetic data are considered sensitive personal data.
Data Controller: The person who determines the purposes and means of processing personal data, establishes and manages
the data recording system where data is systematically processed and stored.
Data Processor: A real or legal person who processes data on behalf of the data controller within the scope of the
authority given by the data controller.
Explicit Consent: Consent based on information about a specific subject and expressed with free will.
Deletion of Personal Data: Making personal data inaccessible and unusable for the relevant users.
Destruction of Personal Data: Making personal data inaccessible, irretrievable, and unusable by anyone.
Anonymization: Making personal data such that it cannot be associated with an identified or identifiable natural person
under any circumstances, even if matched with other data.
PDPL: Personal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677.
DPA: Personal Data Protection Authority
Personal Data Storage and Destruction Policy: The 'Company Personal Data Storage and Destruction Policy' based on the
process of determining the maximum period necessary for the purposes for which personal data are processed and the
deletion, destruction, and anonymization processes.
Registry of Data Controllers: The Registry of Data Controllers, which is kept under the supervision of the DPA and made
publicly available under the supervision of the President of the Personal Data Protection Authority.
Communiqué on the Procedures and Principles for Application to the Data Controller: The Communiqué on the Procedures and
Principles for Application to the Data Controller, which entered into force by being published in the Official Gazette
dated March 10, 2018 and numbered 30356.
SECTION 3 - GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
In the General Principles of Processing Personal Data:
"ARTICLE 4 OF THE LAW - (1) Personal data may only be processed in accordance with the procedures and principles
stipulated in this Law and other laws.
(2) The following principles must be complied with in the processing of personal data:
a) Compliance with the law and honesty rules. b) Being accurate and up-to-date when necessary. c) Processing for
specific, clear, and legitimate purposes. ç) Being relevant, limited, and proportionate to the purposes for which they
are processed. d) Being retained for the period prescribed by the relevant legislation or for the period required for
the purpose for which they are processed."
In our company's practices; Personal data processing is carried out in compliance with the principles introduced by
legal regulations and the general principles of trust, honesty, and transparency. Within this framework, personal data
is processed to the extent required by business activities and limited to them.
The purposes of processing personal data are clearly stated, and information texts are included. The data is processed
within the scope of purposes related to business activities.
Necessary measures are taken to ensure that personal data is accurate and up-to-date throughout the processing period.
The company collects personal data only to the extent and nature required by business activities and processes them
limited to the specified purposes.
Our company retains personal data for the period required for the purpose for which they are processed and for the
period stipulated by the legal regulations related to the activity. If a period is specified in the legislation for the
storage of personal data, the company acts in accordance with this period.
If there is no legal period, personal data is retained for the period required for the purpose for which they are
processed. At the end of the personal data retention periods, they are destroyed in accordance with periodic destruction
periods or data subject applications and destruction methods (deletion and/or destruction and/or anonymization)
determined by the data controller.
SECTION 4 - PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING PERSONAL DATA
Your special category personal data and other personal data processed by the Company can be processed based on the
purposes specified in the information texts in connection with the data categories and in a proportional manner, and the
legal grounds specified in Articles 5 and 6 of the Law. In the Information Texts, each data category is separately
matched with the processing purpose and legal grounds for processing your personal data.
Separate information texts have
been prepared and implemented for company customers, employees and job applicants, consultants, service providers and
suppliers, solution partners, and visitors in order to provide information to all relevant individuals.
Your personal data obtained and processed in compliance with the PDPL legislation will be transferred to physical
archives and/or information systems owned by our Company and will be kept both digitally and physically, and may be
backed up in technological environments outside the Company with security measures taken for control within our Company.
SECTION 5 - INFORMING AND NOTIFYING THE DATA SUBJECT
In accordance with Article 10 of the PDPL, our company informs the data subjects during the collection of personal data.
Within the scope of Article 10, the Company provides information to relevant individuals regarding the identity of the
data controller, if any, the identity of the representative, the purpose for which personal data will be processed, to
whom and for what purpose the processed personal data may be transferred, the method of personal data collection, the
legal basis for data collection, and the rights of the data subject, depending on the nature of the data subject and the
data processing process.
Our company acts in accordance with the principles introduced by legal regulations and the general principles of trust
and honesty in the processing of personal data and does not use personal data for activities beyond the required
purpose.
The company clearly and definitively determines the legitimate and lawful purpose of personal data processing and
transfer. The purpose for which personal data will be processed is determined before the personal data processing
activity begins. Objectives are determined based on data categories, and the legal conditions specified in Articles 5
and 6 of the Law on which the processing is based, to whom the data may be transferred, and the purposes of transfer are
included in the Information Text. Processing of personal data that is not related to the realization of the purpose or
not necessary is avoided.
Our company retains personal data only for the period specified in the relevant legislation or for the period required
for the purpose for which they are processed. If a period is specified, the company acts accordingly, and if no period
is specified, personal data is retained for the period required for the purpose for which they are processed. At the end
of the period or when the reasons requiring processing are eliminated, personal data is deleted, destroyed, or
anonymized. Personal data is not stored for future use.
These principles are communicated to the individuals whose data will be processed through the PDPL Information Text in
accordance with Article 10 of the Law. Information texts for customers, visitors, employees, and job applicants are
communicated to them and are also provided in writing separately in the Company where they can be seen. The General
Information Text and the Information Text for Solution Partners are provided on the company's website. Data subjects are
clearly informed before establishing a business relationship or entering into a contract.
Article 20 of the Constitution establishes everyone's right to be informed about their personal data. Accordingly,
Article 11 of the PDPL includes the right of the data subject to "request information" among the rights of the data
subject.
In accordance with Article 11 of the PDPL, if a data subject requests information, the Company provides the necessary
information to the relevant individual within the specified period. To ensure that the response to the application is
timely and in compliance with the law, a "Application Response Procedure" is established, and responsible persons are
identified and assigned within the company.
SECTION 6 - METHOD OF COLLECTING PERSONAL DATA AND LEGAL BASIS
Personal data is collected through verbal, written, visual, or electronic means, including information transmitted via
call centers, internet channels, e-mail, and PTT (KEP), digital applications made through our websites, tax and
financial data shared with us within the scope of business relationships, information contained in contracts,
information sent via e-mail and PTT, petitions and applications submitted, legal notifications, correspondence with our
company, and personal information made public by you through physical and electronic means, in a manner consistent with
our business activities.
In accordance with the provision in Article 5, paragraph 1 of the Law stating that "Personal data cannot be processed
without the explicit consent of the data subject," our Company applies the requirement of obtaining explicit consent to
process personal data, except for exceptional cases stipulated in Article 5 of the Law.
Within the scope of Article 5, paragraph 2 of the Law, our Company may process the personal data of data subjects
without obtaining explicit consent in the following cases:
• Article 5/2-a of the PDPL: If it is expressly provided for by the laws,
• Article 5/2-b of the PDPL: If it is necessary for protecting life or physical integrity of the data subject or another
person who is physically or legally incapable of giving consent due to the actual impossibility to disclose their
consent,
• Article 5/2-c of the PDPL: If it is necessary for the conclusion or performance of a contract, provided that the
personal data of the parties to the contract are processed,
• Article 5/2-ç of the PDPL: If it is necessary for compliance with a legal obligation,
• Article 5/2-e of the PDPL: If it is necessary for the establishment, exercise, or protection of any right,
• Article 5/2-f of the PDPL: If it is necessary for the legitimate interests pursued by the data controller, provided
that it does not harm the fundamental rights and freedoms of the data subject.
Our Company, in accordance with Article 20 of the Constitution and Article 4 of the PDPL, processes personal data in
compliance with the principles of legality and honesty, accuracy, keeping up-to-date, processing for specific, explicit,
and legitimate purposes, being relevant, limited, and proportionate to the purposes for which they are processed, and
retaining them for the period prescribed by the legislation or for the period necessary for the purposes for which they
are processed, and ensures that personal data processing activities are carried out in accordance with the prescribed
procedures and principles.
Before starting any data processing activity, if at least one of the legal bases specified in Article 5 of the Law and
Article 6 regarding special categories of personal data is not identified, explicit consent is obtained. If explicit
consent cannot be obtained, data processing is not carried out.
SECTION 7 - PROTECTION OF SPECIAL CATEGORY PERSONAL DATA
The PDPL assigns special importance to certain personal data due to the risk of causing harm or discrimination to
individuals when processed unlawfully. These data, as defined in Article 6 of the PDPL, include "race, ethnicity,
political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association,
foundation or union membership, health, sexual life, criminal conviction, and security measures-related data, as well as
biometric and genetic data."
Our company handles with sensitivity the protection of special category personal data, which is determined as "special
category" by the PDPL and processed lawfully. In this context, the technical and administrative measures taken by the
company for the protection of personal data are carefully and specially applied to special category personal data.
Within the scope of special category data, health data and sometimes criminal record certificates obtained are processed
with explicit consent. Special category personal data stored in digital format are protected with strong encryption
parameters. Access to special category data is restricted, and permissions are regulated in compliance with the
legislation. Data protection and privacy training are provided to relevant personnel. Privacy agreements are signed with
individuals accessing special category data.
Physically stored personal health data in health records are kept in locked files accessible only to healthcare
personnel in restricted areas. No department other than the healthcare personnel has access to employee health records.
CHAPTER 8 - TRANSFER OF PERSONAL DATA
Our company, in line with the purposes of processing personal data, can transfer the personal data and special
categories of personal data of the data subject to third parties and institutions by taking necessary security measures
in accordance with the law.
Below are the provisions regarding the transfer of personal data according to the KVKK:
ARTICLE 8 - (1) Personal data cannot be transferred without the explicit consent of the data subject. (2) Personal data
can be transferred without the explicit consent of the data subject if one of the conditions specified in subparagraphs
(a) and (b) of the second paragraph of Article 5 or the third paragraph of Article 6, provided that adequate measures
are taken. (3) The provisions regarding the transfer of personal data in other laws are reserved. Data is not
transferred abroad without the explicit consent of the data subject.
Under Article 5 - paragraph 2, if one of the following conditions specified in the article exists, it is possible to
transfer personal data without the explicit consent of the data subject:
a) Clearly provided for in the laws.
b) It is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
c) Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract.
ç) It is necessary to fulfill the legal obligation of the data controller.
d) Disclosed by the data subject himself/herself.
e) Necessary for the establishment, exercise, or protection of a right.
f) It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
In order to transfer special categories of personal data, except for the exceptions specified in Article 6 of the Law,
it is mandatory to obtain the explicit consent of the data subject. For example, special categories of personal data
related to the health and sexual life of the data subject can be transferred without explicit consent only for specific
legal reasons such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services,
and planning and managing healthcare services, and while under the obligation of confidentiality by authorized
individuals or institutions without obtaining explicit consent.
CHAPTER 9 - ENSURING THE SECURITY OF PERSONAL DATA
The company has implemented secure infrastructure and security controls to preserve the integrity and ensure the
continuous availability of information. To prevent the unauthorized disclosure, access, transfer, or other unlawful
access of personal data, as well as against other technical threats, the following technical and administrative measures
have been implemented.
Technical Measures:
Among information security threats, internal threats, which can be defined as conscious or unconscious threats posed by
employees within the organization, are of great importance.
To address conscious or unconscious threats posed by employees within the organization, security controls have been
implemented across all relevant areas to control access to information and prevent unauthorized access.
Real-time analysis of information security incidents is conducted through information security incident management, and
risks and threats that may affect the continuity of information systems are continuously monitored.
Necessary measures are taken for the physical security of the information systems infrastructure, software, and data.
Regular checks are conducted by the institution's information system unit to ensure that employees' daily activities are
in line with their authorization profiles.
Access to information systems and user authorization are managed through identity management policies based on access
and authorization matrices.
Risks related to the unlawful processing of personal data are identified, appropriate technical measures are taken to
mitigate these risks, and technical controls are implemented to monitor the measures taken. Passwords used by personnel
or third parties to access personal data sources are arranged in compliance with the password setting rules defined for
the relevant systems, consisting of combinations of numbers, uppercase letters, lowercase letters, and punctuation
marks, creating complex passwords that are memorable and unlike previous passwords.
Layered network security measures have been implemented against threats from external networks in the company. Antivirus
software and firewalls are used in computer systems.
Measures to prevent data breaches are reviewed by the Data Protection Officer.
In the event of personal data being unlawfully obtained by others, the company has established a Data Breach
Notification procedure to notify the relevant individual and the Authority, and an applicable system and intervention
team have been established.
Adequate security measures are taken in physical environments where special categories of personal data are processed,
stored, and/or accessed, and unauthorized entries and exits are prevented. Special category data is encrypted when
stored in digital environments.
Backups of critical systems and software are taken periodically, and backups are transferred to external environments at
regular intervals. Backup recovery tests are performed.
The company takes necessary security measures to ensure that deleted personal data is inaccessible and unusable for
relevant users.
Administrative Measures:
The company fulfills its obligation to inform the relevant individuals before starting the processing of personal data.
Employees receive data security training to prevent the unlawful processing and unauthorized access of personal data,
and to ensure the protection and storage of personal data in accordance with the law.
All employees and data processors are required to sign commitments to ensure data privacy and compliance with security
measures.
Disciplinary procedures containing punitive measures are implemented for employees who do not comply with security
policies and procedures.
Confidentiality agreements regarding data protection are added to contracts with employees, consultants, information
system support companies, and other third parties or companies.
The 'Risk and Threats Table,' addressing conscious or unconscious threats posed by employees within the organization and
threats from external networks, is periodically reviewed by the Data Protection Officer, and measures are updated
accordingly.
Technical control systems are established for applications. Regular systematic periodic audits are conducted by the Data
Protection Officer within the organization. When deemed necessary, audits will be conducted by expert companies or
independent audit firms.
Access control and prevention of unauthorized access, ensuring data security, and implementing procedures for lawful
storage and destruction of data are managed through the 'Access and Authorization Procedure' and the 'Personal Data
Storage and Destruction Policy' in relevant areas. In case of detection of a data breach, the Data Protection Board is
informed, and the Data Intervention Plan is put into effect to ensure that preventive measures are taken immediately,
and personnel assignments are made.
The company establishes necessary systems and provides training to raise awareness among current employees and new
employees regarding the protection of personal data. It collaborates with consultants if needed for the subject.
CHAPTER 10 - STORAGE PERIODS OF PROCESSED PERSONAL DATA
Accordingly, within the scope of its activities, the Company stores personal data for a duration prescribed by the
relevant legislation or for a period suitable for the purposes of processing.
The legal retention periods for personal data on a personal data basis related to activities carried out depending on
the processes are included in the company's 'Personal Data Storage and Destruction Policy.'
The Regulation on Deletion, Destruction, or Anonymization of Personal Data, which entered into force on October 28,
2017, sets out the procedures and principles regarding the deletion, destruction, or anonymization of personal data for
which the processing purposes have ceased.
Pursuant to Article 4 of the Law, personal data is stored for a period prescribed by the relevant legislation or for a
period necessary for the purposes for which they are processed, and personal data is deleted, destroyed, or anonymized
ex officio or upon the request of the data subject if all processing conditions for personal data stated in Articles 5
and 6 of the Law cease to exist.
The Company stores personal data for the duration specified in the relevant laws and regulations if prescribed by the
relevant laws and regulations. If there is no period specified in the legislation for how long personal data should be
stored, personal data is processed for the period required for the purposes for which the company processes the data
within the scope of company practices, and then deleted, destroyed, or anonymized.
In this context, the Company first determines whether there is a period specified in the laws and relevant regulations
for the storage of personal data, acts in accordance with this period if one is specified, and stores personal data for
the period necessary for the purposes for which they were processed if no period is specified. If the purpose of
processing personal data has ceased and the end of the retention periods determined by the relevant legislation and the
Company has been reached, personal data may only be stored for the statutory periods, taking into account possible legal
disputes, or for the assertion or establishment of related rights depending on the personal data. The Company does not
store personal data for future use.
CHAPTER 11 - OBLIGATION TO DELETE, DESTROY, AND ANONYMIZE DATA
Article 7 of the Law regulates the deletion, destruction, and anonymization of personal data. Accordingly, even if
personal data has been processed lawfully, if the reasons requiring its processing cease to exist, such data shall be
deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject.
In particular, the following cases are considered to indicate the cessation of the conditions for processing personal
data:
• Amendment or removal of the relevant legislation provisions constituting the basis for processing personal data,
• Non-existence, invalidity, automatic termination, termination, or cancellation of the contract between the parties,
• Cessation of the purpose requiring the processing of personal data,
• Contravention of the lawfulness or fairness principle in the processing of personal data,
• Withdrawal of consent by the data subject in cases where the processing of personal data is based solely on explicit
consent,
• Acceptance by the data controller of the application made by the data subject within the framework of the rights
specified in Article 11 (e) and (f) of the Law regarding the processing of personal data,
• In case the data controller rejects the request for deletion or destruction of personal data or does not respond
within the period prescribed by the Law, if the response is found to be inadequate, or if the response is not provided
within the specified period, filing a complaint with the Board and the approval of this request by the Board,
• Even though the maximum period requiring the retention of personal data has elapsed, the absence of any condition
justifying the extension of the storage period of personal data,
• The cessation of the conditions specified in Articles 5 and 6 of the Law requiring the processing of personal data.
In the mentioned cases, personal data is deleted, destroyed, or anonymized by the data controller ex officio or upon the
request of the data subject.
consent,
The process of deleting personal data is defined as "making the relevant personal data inaccessible and unusable by any
means by the relevant users." In this context, if the reasons requiring the processing of data cease to exist, the
permanent deletion of the data from all environments, including backups, is ensured.
The decision on whether to apply techniques for deleting and destroying personal data or techniques for anonymizing
personal data is made by the Data Controller, including the technical details.
The personal data subject to deletion is determined. Deletion operations are carried out by designated personnel. The
powers of this personnel are specially regulated. The access rights of the personnel performing the deletion process to
retrieve, reuse, or access the deleted data are revoked.
The Data Protection Officer verifies the accuracy of the information recorded regarding whether the deletion,
destruction, or anonymization of the data to be deleted is carried out in accordance with the law, regulations, and
company policies and procedures.
CHAPTER 12 - RIGHTS OF THE DATA SUBJECT AND EXERCISING THESE RIGHTS
The Company informs the data subjects of their rights in accordance with Article 10 of the Personal Data Protection Law
and guides them on how to exercise these rights. The Company has implemented administrative and technical arrangements
related to internal processes to assess the rights of data subjects and provide the necessary information to them.
Data subjects have the following rights under Article 11 of the Personal Data Protection Law:
a) To learn whether personal data is being processed,
b) To request information if personal data has been processed,
c) To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
d) To know the third parties to whom personal data is transferred, domestically or abroad,
e) To request the correction of personal data if it is incomplete or incorrect,
f) To request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7,
g) To object to the occurrence of a result against the person by means of exclusively automated systems,
ğ) To claim compensation in case of damage due to the unlawful processing of personal data.
Exercising the Rights of the Data Subject:
The data subject can exercise the rights mentioned in Article 11, as per Article 13 of the Personal Data Protection
Law's first paragraph.
It is not possible for third parties to make requests on behalf of the data subject.
A special power of attorney issued by the data subject must be available for another person to make a request on behalf
of the data subject.
The application to the data controller is regulated as follows in Article 13:
ARTICLE 13 - (1) The data subject submits his requests to the data controller in writing or by other methods determined
by the Board.
(2) The data controller concludes the requests in the shortest time and within thirty days at the latest, free of
charge, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the
tariff determined by the Board may be charged.
(3) The data controller accepts or rejects the request with an explanation and notifies the data subject in writing or
electronically. If the request is accepted, the data controller fulfills it. If the request is due to the fault of the
data controller, the fee is refunded to the person concerned.
Your requests in the application will be concluded within a maximum of thirty (30) days free of charge, depending on the
nature of the request. The methods of application are stated in the Information Texts sent to the relevant individuals.
The Company may request additional information and documents from the data subject to determine whether the applicant is
the data subject and may ask questions about the issues included in the application.
The data subject, in case of the rejection of the application, finding the response insufficient, or not receiving a
response within the specified period, may file a complaint with the Personal Data Protection Authority within thirty and
in any case within sixty days from the date of learning the response.
CHAPTER 13 - IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations regarding the processing and protection of personal data will primarily be applied. In
case of any inconsistency between the current legislation and the Company Policy, our Company acknowledges that the
current legislation will prevail.
CHAPTER 14 - EFFECTIVENESS OF THE POLICY
This Policy, prepared by the data controller, is dated 01/01/2024. In case of renewal of the entire Policy or certain
articles of the Policy, the effective date of the Policy will be updated. The Policy is published on the Company's
website, and the review and updating of this policy are carried out by the Data Protection Officer. The Policy is
reviewed at least once a year