Personal Data Processing, Protection, Storage and Destruction Policy

INTRODUCTION

According to Article 20 of the Constitution of the Republic of Turkey (https://www.anayasa.gov.tr/tr/mevzuat/anayasa/), everyone has the right to request the protection of their personal data. This right includes being informed about personal data concerning oneself, accessing this data, requesting its correction or deletion, and learning whether it is being used in accordance with its purposes.

Within the scope of the exercise of this constitutional right, the Law on the Protection of Personal Data No. 6698 (“KVKK” or “Law”), which regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations and procedures and principles to be followed by real and legal persons processing personal data, has been published and entered into force. (“EKO”) pays the necessary care regarding compliance determined pursuant to the KVKK and makes this a company policy with this Personal Data Protection and Processing Policy (“Policy”).

The subject of the Policy is the protection of personal data belonging to Employee Candidates, Employees, Dealers, Suppliers, Contractors, Visitors, Employees of Institutions with which we cooperate, Customers, and Third Parties (Guarantors, Victims/Rights Holders) by “EKO”. Activities carried out regarding the protection of our employees’ personal data are managed within the framework of EKO’s disciplinary regulations carried out under the Information Security Management System, personnel explicit consent, personnel privacy procedures, and supplier confidentiality agreements.

PURPOSE

The purpose of this Policy is to make explanations regarding the personal data processing activities carried out by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ in accordance with the KVKK and the principles adopted for the protection of personal data, and in this context, to ensure transparency by informing the persons whose personal data is processed by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ, primarily Employee Candidates, Dealers, Suppliers, Contractors, Visitors, Employees of Institutions with which we Cooperate, Customers, and rights-holding Third Parties.

SCOPE

Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:

Employee Candidates	Real persons who have applied for a job at EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ or who have made their resume and related information accessible to EKO by any means.
Employees of Institutions We Cooperate With	Employees of institutions that are in a business relationship with EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ.
Dealer	Real and legal persons who make it a profession to mediate the sale of products on behalf and account of EKO permanently within a certain place or region based on a contract with EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ and to do these on behalf of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ, who carry out preparatory work before the conclusion of the contract and assist in the implementation of the contract.
Suppliers	Legal and real persons from whom planned purchases will be made at EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ or its dealers (within Supplier Confidentiality Agreements).
Contractors	Legal and real persons who undertake to perform a construction or trade-related job on behalf of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ at EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ or its dealers.
Customers	Real persons whose personal data are obtained due to business relationships within the scope of activities carried out by EKO, regardless of whether there is any contractual relationship.
Visitors	Real persons who have entered the physical facilities of EKO for various purposes or who visit its websites.
Third Parties	Other real persons whose personal data are processed within the framework of this Policy, including but not limited to suppliers, guarantors, victims/rights holders, family members, etc., although not defined in the Policy.

DEFINITIONS

The definitions used in this Policy are as follows:

Explicit Consent		Consent regarding a specific subject, based on information and declared with free will.
Employee		All real persons working for an indefinite or definite period dependent on EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ.
Employee Candidate		Real persons who have applied for a job at EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ or who have made their resume and related information accessible to EKO by any means.
Employee Data Subject Application Form		The application form that EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ employees will use when exercising their rights described in Article 11 of the KVK Law as personal data owners.
Relevant User		Persons who process personal data within the data controller organization or in line with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Personal Health Data		Any kind of health information regarding an identified or identifiable real person.
Personal Data		Any kind of information regarding an identified or identifiable real person.
Processing of Personal Data		Any operation performed upon personal data such as obtaining, recording, storing, retaining, altering, re-arranging, disclosing, transferring, taking over, making available, classifying, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
KVK Law		Law on the Protection of Personal Data No. 6698.
KVK Board		Personal Data Protection Board.
KVK Authority		Personal Data Protection Authority.
Special Categories of Personal Data (Sensitive Data)		Data regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data.
TCK		Turkish Penal Code No. 5237.
Data Processor		Real or legal person who processes personal data on behalf of the data controller based on the authority given by them.
Personal Data Owner (Data Subject)		The real person whose personal data is processed, referred to as the “person concerned” in the KVK Law.
Personal Data Owner Application Form		The application form that personal data owners whose personal data are processed within EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ will use when exercising their rights described in Article 11 of the KVK Law.
Deletion of Personal Data		The process of making personal data inaccessible and unusable for relevant users in any way.
Destruction of Personal Data		The process of making personal data inaccessible, unretrievable, and reusable by anyone in any way.
Anonymization of Personal Data	Making personal data incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data.
Data Controller	Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Visitor	Real persons who have entered the physical facilities of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ for various purposes or who visit its websites.
Data Controllers Registry	The registry of data controllers kept by the Presidency of the Personal Data Protection Board.
Data Inventory	The inventory that EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ creates and details by associating the personal data processing activities it carries out depending on its business processes with the personal data processing purposes, the recipient group to which the personal data is transferred, and the relevant personal data owner group.

GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Pursuant to Article 3 of the KVKK, any operation performed upon data such as obtaining, recording, storing, retaining, altering, re-arranging, disclosing, transferring, taking over, making available, classifying, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system through non-automatic means, falls within the scope of processing personal data.

The following principles must be complied with in the processing of personal data:

Compliance with the Law and Good Faith

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ conducts personal data processing activities in accordance with the Procedure for Compliance with Legal Requirements and Control, the Constitution of the Republic of Turkey, the KVKK, relevant legislation, and the rules of good faith.

Being Accurate and Up-to-Date When Necessary

While carrying out personal data processing activities, all kinds of administrative and technical measures are taken by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ to ensure the accuracy and currency of personal data.

Processing for Specific, Explicit, and Legitimate Purposes

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ clearly and precisely determines the purpose of processing personal data before starting the personal data processing activity.

Being Connected, Limited, and Proportionate to the Purpose for which They are Processed

Personal data is processed by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ for specific, clear, and legitimate purposes, as much as necessary in connection with the relevant purpose. Data processing activity is not carried out with the assumption that it may be used later.

Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which They are Processed

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ retains personal data limited to the period stipulated in the KVK Law and relevant legislation or required by the purposes of the data processing activity.

PROCESSING OF PERSONAL DATA

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ carries out the processing of personal data and special categories of personal data in accordance with the data processing conditions set forth in Articles 5 and 6 of the KVKK.

Conditions for Processing Personal Data

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ may process personal data with the explicit consent of the personal data owner or without explicit consent in the cases stipulated in Article 5 of the KVK Law and listed below:

It is clearly provided for by the laws.
It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving their consent or whose consent is not deemed legally valid.
Processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.
It is mandatory for EKO to be able to perform its legal obligation.
The data concerned has been made available to the public by the data subject themself.
Data processing is mandatory for the establishment, exercise, or protection of any right.
It is mandatory for the legitimate interests of EKO, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Processing of Special Categories of Personal Data

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ carries out the processing of special categories of personal data, which carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 6 of the KVK Law.

Processing of special categories of personal data without the explicit consent of the personal data owner is prohibited. However, personal data other than health and sexual life may be processed in cases stipulated by laws; personal data relating to health and sexual life may only be processed for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations without seeking the explicit consent of the relevant person.

Measures determined by the KVK Board for the processing of special categories of personal data are effectively implemented by EKO.

Categorization Regarding Personal Data Processed by Our Company

Personal Data Categories Processed by “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ”

Personal Data Category		Description	Data Subject Category Related to the Relevant Personal Data
Identity Information		Without being limited to Name-Surname, TR Identity number, nationality information, mother-father name, place of birth, date of birth, gender, and SGK (Social Security) number; all information contained in documents such as driver’s license, identity card, residence permit.	Customers, Third Parties, Suppliers, Visitors, Employee Candidates, Employees of Institutions We Cooperate With
Contact Information		Information such as phone number, address, e-mail, fax number.	Customers, Employee Candidates, Visitors, Suppliers
Customer Information		Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units in this framework.	Customers
Customer Transaction Information		Records regarding the use of our products and services and information such as instructions and requests necessary for the customer to use the products and services.	Customers
Transaction Security Information		Personal data processed for the provision of technical, administrative, legal, and commercial security during the execution of EKO’s commercial activities.	Customers, Visitors, Suppliers
Risk Management Information	Personal data processed via methods used in accordance with generally accepted legal and commercial customs and rules of good faith in these fields in order to manage our commercial, technical, and administrative risks.			Customers, Visitors, Suppliers, Employee Candidates, Employees
Financial Information	Personal data processed regarding information, documents, and records showing all kinds of financial results created according to the type of legal relationship established with the personal data owner.			Customers, Suppliers, Dealers
Employee Candidate Information	Personal data processed regarding individuals who have applied to become an employee of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ or who have been evaluated as employee candidates in line with EKO’s human resources needs due to commercial custom and good faith rules or who are in a working relationship with EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ.			Employee Candidates
Legal Transaction and Compliance Information	Personal data processed within the scope of the determination and follow-up of our legal receivables and rights and the fulfillment of our debts.			Customers, Employee Candidates, Suppliers, Third Parties
Audit, Inspection, and Compliance Information	Personal data processed within the scope of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ’s legal obligations and compliance with company policies.			Customers, Employee Candidate, Visitors, Suppliers
Special Categories of Personal Data	As stated in Article 6 of the KVK Law; data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.			Customers, Employee Candidates, Third Parties, and Employees of Institutions We Cooperate With
Marketing Information	Personal data processed for the marketing of our products and services by customizing them in accordance with the usage habits, tastes, and needs of the personal data owner, and reports and evaluations created as a result of these processing results.			Customers
Request / Complaint Management Information	Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ.			Customers, Employee Candidates

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ takes all necessary technical and administrative measures to ensure the lawful processing and preservation of the personal data it processes and to prevent unlawful access to such personal data, in accordance with Article 12 of the KVK Law.

The Company KVKK unit, which assumes the corporate compliance function from the in-company coordination regarding the sufficient and effective execution of activities within the framework of the KVK Law as a whole within this policy, is responsible. In this context, the said unit is responsible and authorized for;

Submitting this policy to the approval of the Board of Directors within the scope of tracking and updating it when necessary,
Creating policies and procedures other than this policy regarding the protection, processing, and destruction of personal data in coordination with relevant Company units,
Making the necessary distribution of duties for the implementation of policies and procedures and submitting them to the approval of the senior management,
Monitoring the implementation of all kinds of technical and administrative measures taken pursuant to Article 12 of the Law and planning the audit,
Tracking the processes related to applications and requests made by personal data owners and ensuring the necessary coordination for the solution of problems that may arise,
Determining the issues that need to be done to ensure compliance with the KVK Law and relevant legislation and overseeing their implementation,
Conducting relations with the Personal Data Protection Board.

Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access

All kinds of technical security measures have been taken for the protection of personal data, and an adequate level of protection has been provided against possible risks. The main technical measures taken are listed below.

Authority and access controls are periodically applied on systems providing access to personal data within EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ.
Technical measures taken are also overseen independently of executive activities within the scope of risk management, internal control, and internal audit processes.
Personnel with adequate expertise levels are employed.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ employees are trained and raised awareness regarding compliance with the KVK Law.

In cases where personal data transfer is in question, general conditions containing obligations to be fulfilled for the security of personal data in accordance with the KVKK Law are created with the parties to whom personal data is transferred, and these are signed on a counterparty basis.
Implementation rules are determined on a business unit basis to ensure the requirements identified for compliance with the KVKK Law, and necessary administrative measures are provided through internal procedures and training to ensure their continuity.
Clauses imposing the obligation not to process, disclose, or use personal data, except for EKO’s instructions and exceptions brought by the Law, are placed in contracts and documents managing the legal relationship between EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ and counterparties; employee awareness is created on this issue, and audits are conducted.

Measures to be Taken in Case of Unlawful Disclosure of Personal Data

An internal procedure has been developed to ensure that if processed personal data is obtained by others through unlawful means within the framework of requirements for compliance with the KVKK Law, this situation is notified to the relevant data owner and the KVKK Board as soon as possible.

PURPOSES OF PROCESSING PERSONAL DATA AND RETENTION PERIODS

Purposes of Processing Personal Data

Personal data is processed within EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ within the framework of the purposes listed below:

Managing after-sales support processes for goods/services,
Receiving and evaluating suggestions for the improvement of business processes,
Executing customer relationship management processes,
Executing activities aimed at customer satisfaction,
Executing marketing processes of products/services,
Executing advertising/campaign/promotion processes,
Planning and execution of our company’s commercial and/or business strategies,
Execution of Finance and Accounting Affairs,
Follow-up and Execution of Legal Affairs,
Execution of Logistics Activities,
Execution of Goods/Services Purchasing Processes,
Execution of Goods/Services After-Sales Support Services,
Execution of Goods/Services Sales Processes,
Execution of Goods/Services Production and Operation Processes,
Execution of Customer Relationship Management Processes,
Execution of Contract Processes,
Execution of Strategic Planning Activities,
Execution of Marketing Analysis Studies,
Execution of Activities Aimed at Customer Satisfaction,
Execution of Wage Policy.

Retention Periods of Personal Data

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ determines whether a certain period is foreseen in the relevant legislation for the storage of personal data, and in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVKK Law; it ensures that processed personal data is preserved for this period if a period is foreseen in the relevant legislation, or for the period required by the purpose of personal data processing if no period is foreseen in the relevant legislation.

DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and/or EKO have been reached, personal data is deleted, destroyed, or anonymized by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ upon the request of the data owner or ex officio.

Procedures and principles regarding this issue have been determined within the framework of the provisions of the KVK Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

Techniques for Deletion and Destruction of Personal Data

It is essential to delete and destroy personal data with methods suitable for the recording media. Possible deletion or destruction techniques to be used by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ regarding personal data deletion and destruction techniques are listed below:

Physical Destruction

Personal data can also be processed by non-automatic means provided that it is part of any data recording system. While deleting/destroying such data, the system of physically destroying the personal data in a way that it cannot be used later is applied.

Secure Deletion/Destruction from Software

While deleting/destroying data processed by fully or partially automatic means and stored in digital environments; methods regarding the deletion of data from the relevant software in a way that cannot be recovered by specific persons or in any way are used.

Secure Deletion/Destruction by an Expert

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ may agree with an expert to delete/destroy personal data on its behalf in some cases. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field in a way that cannot be recovered.

Techniques for Anonymization of Personal Data

Anonymization of personal data means rendering personal data impossible to link with an identified or identifiable natural person, even through matching with other data.

In accordance with Article 28 of the KVKK Law; anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the KVKK Law, and the explicit consent of the personal data owner will not be sought. Since personal data processed by anonymization will be outside the scope of the KVKK Law, the rights regulated in Section 12 of this Policy will not be valid for this data. The most likely anonymization techniques to be used by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ are listed below.

Masking

Data masking is the method of anonymizing personal data by removing the basic determining information of the personal data from within the data set.

Aggregation

With the data aggregation method, many data are aggregated, and personal data is rendered unable to be associated with any person.

Data Derivation

With the data derivation method, a more general content is created from the content of the personal data, and it is ensured that the personal data is rendered unable to be associated with any person.

Data Shuffling

With the data shuffling method, the connection between values and persons is broken by mixing the values within the personal data set.

THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND TRANSFER PURPOSES

Procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the KVKK Law. For the purpose of fulfilling the services offered by EKO, personal data is processed within the framework of provisions (including but not limited to the Labor Law, Occupational Health and Safety Law, Law on Consumer Protection No. 6502 and other regulations related to these laws, regulations of supervisory and regulatory institutions and organizations, and cases required by public authorities) and may be transferred to real persons or private legal entities, our business partners, our subsidiaries and affiliates, organizations from which we receive information technology support, and authorized public institutions and persons.

It is not possible to transfer personal data without the explicit consent of the personal data owner, except for the exception cases specified in the KVKK Law.

Domestic Transfer of Personal Data

In accordance with Article 8 of the KVK Law, the domestic transfer of personal data is possible provided that one of the conditions specified in section 6.1 titled “Conditions for Processing Personal Data” of this Policy is met.

Transfer of Personal Data Abroad

In accordance with Article 9 of the KVKK Law, in case personal data is transferred abroad, in addition to the fulfillment of the conditions regarding domestic transfers, the existence of one of the following issues is sought:

The country to which the transfer will be made is counted among the countries with adequate protection declared by the KVKK Board.
In case there is no adequate protection in the country where the transfer will be made, the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the permission of the KVKK Board exists for this.

Groups of Persons to Whom Personal Data is Transferred by Our Company

EKO may transfer the personal data of personal data owners within the scope of this Policy to the groups of persons specified below within the framework of the specified purposes in accordance with Articles 8 and 9 of the KVKK Law:

PERSON GROUPS	DEFINITION	TRANSFER PURPOSE
Public Institutions and Organizations	Public institutions and organizations that request information and documents from EKO in accordance with the provisions of the relevant legislation.	Limited to the purpose requested by the relevant public institutions and organizations.
Private Law Persons	Private law persons with whom EKO shares information and documents in accordance with the provisions of the relevant legislation.	Limited to the purpose of continuing its service in the fields where EKO operates within the framework of the relevant legislation provisions.

OUR COMPANY’S OBLIGATION TO INFORM

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ informs personal data owners during the collection of personal data in accordance with Article 10 of the KVKK Law. In this context, EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ fulfills its obligation to inform by providing the following information to personal data owners:

The title of EKO as the data controller,
For what purpose personal data will be processed,
To whom and for what purpose processed personal data can be transferred,
The method and legal reason for collecting personal data,
The rights of the personal data owner.

RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

In accordance with Article 13 of the KVK Law, if personal data owners submit their requests regarding their rights listed under heading 12.1 of this section to EKO by filling out and signing a form via the methods specified below or other methods determined by the KVKK Board, the said request will be concluded free of charge depending on the nature of the request.

After filling out the form found on the EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ corporate website (https://metropolsaglik.com/);

A wet-signed copy must be sent personally or via a notary to the address of EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ MİMAR SİNAN MAH. DR. MUSATAF ENVER BEY CAD. NO:37-1A KONAK/İZMİR or

After being signed with a “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, the secure electronic signed form must be sent to the registered electronic mail address mesutlimra@gmail.com.

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ may request information from the relevant person to determine whether the applicant is the personal data owner and may direct questions to the personal data owner regarding their application to clarify the issues in the personal data owner’s application.

Right of Application

Personal data owners have the right to request the following from EKO regarding the issues listed below pursuant to Article 11 of the KVKK Law:

To learn whether their personal data is processed,
To request information if their personal data has been processed,
To learn the purpose of processing their personal data and whether their personal data is used in accordance with its purpose,
To know the third parties to whom their personal data is transferred domestically or abroad,
To request correction of their personal data if it is incomplete or incorrectly processed and to request that the transaction made within this scope be notified to third parties to whom personal data has been transferred,
To request the deletion, destruction, or anonymization of their personal data in the event that the reasons requiring its processing have ceased to exist, and to request that the transaction made within this scope be notified to third parties to whom personal data has been transferred,
To object to the occurrence of a result against the data owner by analyzing the processed data exclusively through automated systems,
To request compensation for damages in case of damage due to unlawful processing of personal data.

Situations Excluded from the Scope of the Right of Application

Pursuant to Article 28 of the KVKK Law, it is not possible for personal data owners to assert their rights of application since the following cases are excluded from the scope of the KVKK Law:

Processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.

Pursuant to paragraph 2 of Article 28 of the KVKK Law, except for the right to demand compensation for damages, it is not possible for personal data owners to assert their rights in the following cases:

Personal data processing is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the relevant person themselves.

Procedure for Responding

In accordance with Article 13 of the KVKK Law, EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ concludes the application requests made by the personal data owner free of charge as soon as possible and within 30 (thirty) days at the latest depending on the nature of the request. However, if the transaction requires an additional cost, it is possible to charge the fee in the tariff determined by the KVKK Board.

EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ may accept the application request of the personal data owner or reject it by explaining its reason for the reasons listed below and notify the relevant person of its response in writing or electronically.

Hindering the rights and freedoms of other persons,
Requiring disproportionate effort,
Information being publicly available information,
Endangering the privacy of others,
Existence of one of the cases excluded from the scope pursuant to the KVK Law.

In cases where the application is rejected, the response given is found insufficient, or the application is not answered within the period, the personal data owner has the right to file a complaint to the KVKK Board within thirty days from the date of learning the data controller’s response and in any case within sixty days from the date of application.

PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE COMPANY AND DATA PROCESSING ACTIVITIES CARRIED OUT ON THE WEBSITE

Monitoring via Camera

Monitoring via camera is carried out inside the buildings where EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ Headquarters and Dealers are located.

In line with the regulations in the KVKK Law, a notification letter regarding the said activities is posted at the entrances of the areas where monitoring via camera is carried out by EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ regarding the camera monitoring activity, and the necessary information is provided on our website with this Policy.

Monitoring does not take place in areas that may result in interference with the privacy of the person. Only a limited number of Company employees and, if needed, security company employees in the position of suppliers can access security camera recordings. The said persons who have access to the recordings declare that they will protect the confidentiality of the data they access with the confidentiality undertaking they signed.

Customer Entries – Exits Visiting the Company

Personal data processing activity is carried out for tracking the entries and exits of our guests visiting EKO. Identity information of persons coming to EKO is processed only for the purpose of tracking entries and exits, and the relevant personal data is recorded in the recording system electronically.

Website Visitors

Internet movements of persons visiting the website belonging to EKO within the site are recorded (via technical means, e.g., cookies) in order to show them customized content and engage in online advertising activities.

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

Purpose of the Policy

The purpose of this policy is; to determine all rules and roles and responsibilities to be applied throughout EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ for the purpose of fulfilling the obligations regarding the retention and destruction of personal data pursuant to Articles 5 and 6 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data (Regulation) published in the Official Gazette dated 28.10.2017 and numbered 30224 and issued based on the Law on the Protection of Personal Data No. 6698 (Law), and other obligations specified in the Regulation.

Scope of the Policy

The Policy covers personal data and special categories of personal data defined by Law No. 6698 held within EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ, all its employees, managers, consultants, and in all cases where personal data sharing is in question, its subsidiaries, external service providers, and real and legal persons with whom EKO enters into other legal relationships.

The Policy covers personal data contained in systems where data is processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, as stated in the Law.

Unless otherwise stated in this Policy, personal data and special categories of personal data will be generally referred to as “Personal Data”.

Definitions

- Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data,
- Destruction: Deletion, destruction of personal data,
- Personal Data: Any kind of information regarding an identified or identifiable real person,
- Personal Data Retention Table (Periods): The table showing the periods personal data will be held within EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ,
- Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with personal data processing purposes, data category, transferred recipient group, and data subject person group, and detail by explaining the maximum period necessary for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries, and measures taken regarding data security,
- Deletion of Personal Data: The process of making personal data inaccessible and unusable for relevant users in any way,
- Destruction of Personal Data: The process of making personal data inaccessible, unretrievable, and reusable by anyone in any way,
- Special Categories of Personal Data (Sensitive Data): Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data,
- Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the personal data processing conditions in the law cease to exist,
- Data Recording System: The recording system where personal data is structured and processed according to certain criteria,
- Direct Identifiers: Identifiers that reveal, disclose, and make distinguishable the person they are related to on their own,
- Indirect Identifiers: Identifiers that reveal, disclose, and make distinguishable the person they are related to by coming together with Other Identifiers,
- Law: The Law on the Protection of Personal Data No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677,
- Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224,
- Board: The Personal Data Protection Board,
- RECORDING MEDIA: Any environment containing personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
- Personal Data Protection and Processing Policy: The policy accessible at https://metropolsaglik.com/, determining the procedures and principles regarding the management of personal data held by “EKO”,
- Data Recording System: The recording system where personal data is structured and processed according to certain criteria.

Refers to.

Recording Media Regulated by the Policy

Any medium containing personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system falls within the scope of recording media.

Environments Where Personal Data is Stored

Personal data stored within “EKO ” is kept in a recording environment suitable for the nature of the relevant data and our legal obligations.

Recording environments used for storing personal data are generally listed below. However, some data may be present and kept in an environment different from the environments shown here due to their special qualities or our legal obligations. “EKO” acts as a data controller and processes and protects in accordance with the KVK Law, Personal Data Protection, Processing, Storage, and Destruction Policy.

a) Printed media	Environments where data is printed on paper or microfilms.
b) Local digital media	Digital media such as servers, fixed or portable disks, optical disks located within “EKO”.
c) Cloud media	Environments where internet-based systems encrypted with cryptographic methods are used, which are in the use of “EKO” although not located within “EKO”.

Ensuring the Security of Environments

“EKO” takes all necessary technical and administrative measures suitable for the qualities of the relevant personal data and the environment where it is kept to prevent unlawful processing and access to personal data along with safe storage.

These measures include, but are not limited to, the following administrative and technical measures to the extent suitable for the nature of the relevant personal data and the environment where it is kept.

Technical Measures

“EKO ” takes the following technical measures for all environments where personal data is stored, suitable for the qualities of the relevant data and the environment where the data is kept:

Only up-to-date and secure systems suitable for technological developments are used in environments where personal data is kept; security systems are used for environments where personal data is kept.
Security tests and research are conducted for the detection of security vulnerabilities on information systems, and issues constituting existing or potential risks detected as a result of tests and research are eliminated.
Access to data in environments where personal data is kept is restricted, and only authorized persons are allowed to access this data limited to the purpose of storing personal data.
“EKO” employs sufficient technical personnel to ensure the security of environments where personal data is kept.

Administrative Measures

“EKO” takes the following administrative measures within the scope of the KVKK Law for all environments where personal data is stored, suitable for the qualities of the relevant data and the environment where the data is kept:

Studies are carried out to increase awareness and consciousness of all “EKO ” employees who have access to personal data regarding information security, personal data, and privacy of private life.
Legal and technical consultancy services are received to follow developments in the field of information security, privacy of private life, and protection of personal data and to take necessary actions.
In case personal data is transferred to third parties due to technical or legal requirements, protocols are signed with relevant third parties for the purpose of protecting personal data, and all due care is shown for relevant third parties to comply with their obligations in these protocols.

Internal Audit

“EKO ” conducts internal audits suitable for the KVKK Law regarding the implementation of the provisions of the Law and the provisions of this Personal Data Protection, Processing, Storage, and Destruction Policy pursuant to Article 12 of the Law.

If deficiencies or defects regarding the implementation of these provisions are detected as a result of internal audits, these deficiencies or defects are immediately remedied.

If it is understood during the audit or otherwise that personal data under the responsibility of “EKO” has been obtained by others through unlawful means, “EKO” notifies this situation to the concerned person and the Board as soon as possible.

Duties and Powers of the Personal Data Protection Committee

The Personal Data Protection Committee is responsible for announcing the Policy to relevant business units and tracking the fulfillment of requirements by “EKO” units.

The Personal Data Protection Committee makes necessary announcements and notifications for relevant business units to follow situations such as legislative changes regarding the protection of personal data, regulatory acts and decisions of the Board, court decisions or changes in processes, applications, and systems, and to update business processes if necessary.

The Personal Data Protection Committee determines the processes for the examination, evaluation, tracking, and conclusion of the decisions and regulations of the Board with the Law and secondary regulations, court decisions, and decisions and/or requests of other competent authorities, and announces them to relevant units.

What to Do in Case Personal Data Processing Conditions Cease to Exist

In the event that the purpose element for the processing of personal data ceases to exist, explicit consent is withdrawn, or all of the personal data processing conditions in Articles 5 and 6 of the Law cease to exist, or a situation arises where none of the exceptions in the mentioned articles can be applied, personal data whose processing conditions have ceased to exist are deleted, destroyed, or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9, or 10 of the Regulation, by also explaining the justification for the method applied. However, in the event of a finalized court decision, the destruction method ruled by the court decision must be applied.

All users processing or storing personal data and data owner “EKO” units will review whether the conditions related to processing have ceased to exist in the data recording media they use within periods of at most four months. Upon the application of the personal data owner or the notification of the Board or a court, the relevant user and units will perform this review in the data recording media they use regardless of the periodic inspection period.

When it is detected as a result of periodic reviews or at any time that data processing conditions have ceased to exist, the relevant user or data owner will decide to delete, destroy, or anonymize the relevant personal data from the recording medium in their possession according to this policy. In cases of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit. When a decision needs to be taken regarding the destruction of personal data with multi-stakeholder data ownership located in Central Information Technologies, the opinion of the Personal Data Protection Committee will be obtained, and the decision to store or delete, destroy, or anonymize the data according to this policy regarding the said personal data will be made by the relevant data owner business unit.

All transactions regarding the deletion, destruction, or anonymization of personal data are recorded, and said records are kept for at least three years, excluding other legal obligations.

Pursuant to Article 7.4 of the Regulation, methods applied regarding the deletion, destruction, anonymization process of personal data will be published and announced after the Policy enters into force.

In the deletion, destruction, or anonymization of personal data, it is mandatory to act in accordance with the general principles in Article 4 of the Law and technical and administrative measures to be taken within the scope of Article 12, relevant legislation provisions, Board decisions, and court decisions.

When a real person owner of personal data applies to “EKO” pursuant to Article 13 of the Law and requests the deletion, destruction, or anonymization of personal data belonging to them, the relevant data owner business unit examines whether all of the personal data processing conditions have ceased to exist. If all processing conditions have ceased to exist; it deletes, destroys, or anonymizes the personal data subject to the request.

In this case, as detailed in the Data Destruction Procedure; the request is concluded within thirty days at the latest from the application date, and information is given to the relevant person through the KVKK contact person appointed by the KVKK Officer. If all personal data processing conditions have ceased to exist and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies this situation to the third party to whom the transfer was made and ensures that necessary transactions are carried out within the scope of the Regulation at the third party.

In cases where all personal data processing conditions have not ceased to exist, requests of personal data owners for the deletion or destruction of their data may be rejected by “EKO” by explaining the reason pursuant to paragraph 3 of Article 13 of the Law. The rejection response is notified to the relevant person in writing or electronically within 30 days at the latest.

Requests for the deletion or destruction of personal data will only be evaluated provided that the identity of the relevant person has been determined. For requests made outside of said channels, relevant persons will be directed to channels where identity determination or verification can be made.

Enforcement of the Policy, Violations, and Sanctions

This Policy will enter into force by being announced to all employees and Personal data owners from the “EKO” Website, and as of its enforcement, it will be binding for all business units, consultants, customers, insurance companies, external service providers, and everyone processing personal data at “EKO”.

Tracking whether “EKO” employees fulfill the requirements of the Policy will be the responsibility of the supervisors of the relevant employees. When behavior contrary to the policy is detected, the issue will be immediately reported to a higher supervisor to whom they are affiliated by the supervisor of the relevant employee. In case the violation is significant, the Personal Data Protection Committee will be informed by the higher supervisor without losing time.

Necessary administrative action will be taken regarding the employee acting contrary to the Policy after the evaluation to be made by the Human Values and Corporate Communications Directorate.

For the fulfillment of Policy requirements, all necessary security measures within the scope of the KVKK Law are taken by “EKO”.

Persons to Take Part in Personal Data Storage and Destruction Processes and Their Responsibilities

All employees, customers, insurance companies, consultants, external service providers, and everyone storing and processing personal data at “EKO” are responsible for fulfilling these requirements in the fulfillment of requirements regarding the destruction of data specified by the Law, Regulation, and Policy within “EKO”.

Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the produced data is only in information technologies outside the control and authority of the business unit, said data will be stored by units responsible for information technologies.

Periodic destructions that will affect business processes and cause disruption of data integrity, data loss, and results contrary to legal regulations will be carried out by relevant information technologies departments considering the type of relevant personal data, systems it is included in, and the data owner business unit.

Personal Data Protection Committee

“EKO” establishes a Personal Data Protection Committee within its body. The Personal Data Protection Committee is authorized and tasked with performing/having performed necessary transactions for the storage and processing of relevant persons’ data in accordance with the law and the Personal Data Protection, Processing, Storage, and Destruction Policy and auditing the processes.

The Personal Data Protection Committee consists of at least three people: a manager, an administrative expert, and a technical expert. The titles and job descriptions of “EKO” employees serving on the Personal Data Committee are specified below:

Title	Job Description
Personal Data Protection Committee Manager	Is obliged to direct all kinds of planning, analysis, research, risk determination studies in projects carried out in the process of compliance with the Law; to manage processes that need to be carried out pursuant to the Law, Personal Data Protection, Processing, Storage, and Destruction Policy, and to decide on requests coming from relevant persons.
KVK Expert (Contact Person) (Technical and Administrative)	Is responsible for examining the requests of relevant persons and reporting them to the Personal Data Committee Manager for evaluation; for fulfilling transactions regarding relevant person requests evaluated and decided by the Personal Data Committee Manager pursuant to the decision of the Personal Data Committee Manager; for auditing storage and destruction processes and reporting these audits to the Personal Data Committee Manager; for executing storage and destruction processes.

Reasons for Storage and Destruction

Reasons for Storage

Personal data held within “EKO” is stored for the purposes and reasons specified here pursuant to the Law and our Personal Data Policy (you can access the relevant policy at “https://metropolsaglik.com/”).

Reasons for Destruction

Personal data present within “EKO” is deleted, destroyed, or anonymized ex officio pursuant to this destruction policy upon the request of the relevant person or in case the reasons listed in Articles 5 and 6 of the Law cease to exist. The reasons listed in Articles 5 and 6 of the KVKK Law consist of the following:

It is clearly provided for by the laws.
It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving their consent or whose consent is not deemed legally valid.
Processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.
It is mandatory for the data controller to be able to perform its legal obligation.
The data concerned has been made available to the public by the data subject themself.
Data processing is mandatory for the establishment, exercise, or protection of any right.
Data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Destruction Methods

“EKO” deletes, destroys, or anonymizes personal data it stores in accordance with the Law and other legislation and the Personal Data Protection, Processing, Storage, and Destruction Policy, upon the request of the relevant person or ex officio within the periods specified in this Personal Data Protection, Processing, Storage, and Destruction Policy in case the reasons requiring the processing of data cease to exist.

The deletion, destruction, and anonymization techniques most used by “EKO” are listed below:

Deletion Methods

Deletion Methods for Personal Data Kept in Printed Media
Blacking Out (Redaction)	Personal data in printed media is deleted using the blacking out method. The blacking out process is done by cutting personal data on the relevant document where possible, and where not possible, by making it invisible using fixed ink in a way that cannot be reversed and cannot be read with technological solutions.
Deletion Methods for Personal Data Kept in Cloud and Local Digital Media
Secure deletion from software	Personal data kept in cloud media or local digital media is deleted with a digital command in a way that cannot be recovered. Data deleted in this way cannot be accessed again.

Destruction Methods

Destruction Methods for Personal Data Kept in Printed Media
Physical destruction	Documents kept in printed media are destroyed with document shredders in a way that they cannot be put back together.
Destruction Methods for Personal Data Kept in Local Digital Media
Physical destruction	It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning, or pulverizing. Data is made inaccessible by processes such as melting, burning, pulverizing, physically cutting and/or drilling optical or magnetic media, or passing it through a metal grinder.
De-magnetizing (Degaussing)	It is the process of corrupting data on magnetic media in an unreadable way by exposing it to a high magnetic field.
Overwriting	Reading and recovering old data is prevented by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media.
Destruction Methods for Personal Data Kept in Cloud Media
Secure deletion from software	Personal data kept in cloud media is deleted with a digital command in a way that cannot be recovered, and when the cloud computing service relationship ends, all copies of encryption keys necessary to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

Anonymization Methods

Anonymization is rendering personal data impossible to link with an identified or identifiable natural person, even through matching with other data.

Removing Variables	It is the removal of one or several direct identifiers included in the personal data belonging to the relevant person that serve to identify the relevant person in any way. This method can be used for anonymizing personal data, as well as for deleting information that does not comply with the data processing purpose within personal data.
Regional Masking	It is the process of deleting information that may be distinctive regarding data that is in an exceptional situation within the data table where personal data is located anonymously in bulk.
Generalization	It is the process of bringing together personal data belonging to many people and turning it into statistical data by removing distinctive information.
Lower and Upper Bound Coding / Global Coding	Ranges belonging to that variable are defined and categorized for a certain variable. If the variable does not contain a numerical value, data close to each other within the variable are categorized. Values remaining within the same category are combined.
Micro-Aggregation	With this method, all records in the data set are first arranged in a meaningful order, and then the whole set is divided into subsets in a certain number. Then, by taking the average of the value belonging to the determined variable of each subset, the value belonging to that variable of the subset is replaced with the average value. Since indirect identifiers within the data will be corrupted in this way, it is made difficult to associate the data with the relevant person.
Data Shuffling and Corruption	Direct or indirect identifiers within personal data are mixed with other values or corrupted to break their relationship with the relevant person and ensure they lose their descriptive qualities.

“EKO” uses one or several of these listed anonymization methods according to the nature of the relevant data for anonymizing personal data. “EKO” may use K-Anonymity, L-Diversity, and T-Closeness statistical methods while using these anonymization methods.

Personal Data Retention and Destruction Periods

The table showing Personal Data Retention and Destruction Periods is located below. In periodic destruction or destruction processes to be carried out upon request, the said storage and destruction periods will be taken into account. The Table Showing Personal Data Retention and Destruction Periods will be updated by business units owning the processes to be included in the personal data inventory, by also obtaining Personal Data Protection Committee evaluations in case of hesitation.

Personal Data Retention Table (Periods)

DATA OWNER	DATA CATEGORY	DATA RETENTION PERIOD
Employee	Recruitment documents and personnel data that are the basis for notifications regarding service period and wages made to the Social Security Institution, personnel data other than essential personnel data, and data in workplace personal health files.	Retained for the duration of the employment contract and for 10 (ten) years from its termination. Retained for 15 (fifteen) years from the termination of the employment contract within the scope of occupational health and safety legislation.
Business Partner/Solution Partner/Consultant	Identity information, contact information, financial information, voice recordings taken in phone calls regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and “EKO”, Business Partner/Solution Partner/Consultant employee data.	Retained during the business/commercial relationship of the Business Partner/Solution Partner/Consultant with “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ” and for 10 (ten) years from its termination pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82.
Visitor	Name, surname, vehicle license plate belonging to the Visitor taken at the entrance to the physical space belonging to “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ” and camera recordings.	Retained for 1 (one) year. Wifi network connection information is retained for 2 (two) years.
Website Visitor	Name, surname, e-mail address, browsing movement information belonging to the Website Visitor.	Retained for 2 (two) years.
Employee Candidate	Resume belonging to the Employee Candidate and information in the job application form.	Retained for the period the resume loses its currency, being a maximum of 2 (two) years.
Customer	Identity information, contact information, payment information and methods, browsing movement information, voice recordings taken in phone calls, product/service preferences, transaction history information belonging to the Customer.	Retained for 10 (ten) years pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82 from the provision of each product/service purchased by the Customer.
Customer, Employee, Employee Candidate, Visitor, Supplier, Business Partners	Camera images, Switchboard call information.	Retained for 1 (one) month. Switchboard call information is retained for 2 (two) years.
Potential Customer	Identity information, contact information, financial information taken during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and “EKO”.	Retained for 10 (ten) years.
Institution/EKO with which “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ” Cooperates (Supplier, Subcontractor, Dealer/Franchise)	Identity information, contact information, financial information regarding the execution of the commercial relationship between Institutions/Firms with which “EKO” Cooperates and “EKO”, employee data of Institutions/Firms with which “EKO” Cooperates.	Retained during the business/commercial relationship of Institutions/Firms with which “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ” Cooperates with “EKO” and for 10 (ten) years from its termination pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82.

* If a longer period is regulated pursuant to legislation or if a longer period is foreseen for statute of limitations, forfeiture periods, retention periods, etc., pursuant to legislation, periods in legislation provisions are accepted as the maximum retention period.

Destruction Periods

“EKO” deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date when the obligation to delete, destroy, or anonymize personal data for which it is responsible pursuant to the Law, relevant legislation, Personal Data Protection, Processing, Storage, and Destruction Policy arises.

When the relevant person applies to “EKO” pursuant to Article 13 of the Law and requests the deletion or destruction of personal data belonging to them;

If all personal data processing conditions have ceased to exist; “EKO” deletes, destroys, or anonymizes the personal data subject to the request with the appropriate destruction method by explaining its reason within 30 (thirty) days from the day it receives the request. For “EKO” to be deemed to have received the request, the relevant person must have made their request in accordance with the Personal Data Protection and Processing Policy. “EKO ÖZEL SAĞLIK İNŞAAT TURİZM SANAYİ TİCARET LİMİTED ŞİRKETİ” informs the relevant person about the transaction made in any case.
If all personal data processing conditions have not ceased to exist, this request may be rejected by “EKO” by explaining its reason pursuant to the third paragraph of Article 13 of the Law, and the rejection response is notified to the relevant person in writing or electronically within thirty days at the latest.

Periodic Destruction Periods

In the event that all of the personal data processing conditions in the KVKK Law No. 6698 cease to exist; “EKO” deletes, destroys, or anonymizes personal data whose processing conditions have ceased to exist with a process to be carried out ex officio at recurring intervals specified in this Personal Data Protection, Processing, Storage, and Destruction Policy.

AUDIT OF LEGAL COMPLIANCE OF THE DESTRUCTION PROCESS

“EKO” performs destruction transactions carried out ex officio in periodic destruction processes as well as upon request in accordance with the Law, other legislation, and the Personal Data Protection, Processing, Storage, and Destruction Policy.

“EKO” takes a number of administrative and technical measures to ensure that destruction transactions are carried out in accordance with these regulations.

Technical Measures

- “EKO” provides technical tools and equipment suitable for each destruction method included in this policy.
- “EKO” ensures the security of the place where destruction transactions are carried out.
- “EKO” keeps access records of persons performing the destruction transaction.
- “EKO” employs competent and experienced personnel to perform the destruction transaction or receives service from competent third parties when necessary.

Administrative Measures

- “EKO” conducts studies to increase awareness and consciousness of its employees who will perform the destruction transaction regarding information security, personal data, and privacy of private life.
- “EKO” receives legal and technical consultancy services to follow developments in the field of information security, privacy of private life, protection of personal data, and secure destruction techniques and to take necessary actions.
- In cases where “EKO” has the destruction transaction done by third parties due to technical or legal requirements, it signs protocols with relevant third parties for the purpose of protecting personal data and shows all due care for relevant third parties to comply with their obligations in these protocols.
- “EKO” regularly audits whether destruction transactions are carried out in accordance with the law and the conditions and obligations specified in this Personal Data Protection, Processing, Storage, and Destruction Policy, and takes necessary actions.

All transactions regarding the deletion, destruction, and anonymization of personal data are recorded, and said records are kept for at least two years, excluding other legal obligations.

EFFECTIVENESS

The Policy will enter into force as of the date of publication.

Announcing the Policy throughout “EKO” and making necessary updates is under the responsibility of the Personal Data Protection Committee.

UPDATE AND COMPLIANCE

“EKO” reserves the right to make changes to the Personal Data Protection, Processing, Storage, and Destruction Policy due to amendments made to the Law, pursuant to Institution decisions, or in line with developments in the sector or in the field of informatics.

Changes made to this Personal Data Protection, Processing, Storage, and Destruction Policy are incorporated into the text without delay, and explanations regarding the changes are explained at the end of the policy.