KVKK (Personal Data Protection Law)
Policy Disclosure Statement

As the data controller, TRSGD SPORTS VOLUNTEERS ASSOCIATION; places great importance on ensuring the protection and processing of personal data belonging to individuals associated with our Company, including our customers and employees, within the framework of relevant legislation, including the Constitution of the Republic of Turkey, international treaties to which our country is a party regarding human rights, and Law No. 6698 on the Protection of Personal Data (KVKK).

Under the scope of KVKK, we would like to inform you as the Data Controller. We kindly request our readers to carefully read and consider this disclosure text and make their acceptance or rejection statements.

Your personal data will be processed for the following purposes within the framework of the relevant legislation, including the Constitution of the Republic of Turkey, international treaties to which our country is a party regarding human rights, and Law No. 6698 on the Protection of Personal Data (KVKK):

Carrying out the necessary work for you to benefit from our services and activities.

Customizing the services and activities offered by TRSGD SPORTS VOLUNTEERS ASSOCIATION to your preferences, usage habits, and needs, and providing the necessary technical support and quality in line with your requests.

Informing you about our new services and activities and providing you with the most suitable products and services accordingly.

Execution of TRSGD’s human resources policies.

Responding to any questions and complaints related to our services and activities.

Taking all necessary technical and administrative measures for data security.

Measuring customer satisfaction.

Developing, improving, and expanding our services and activities.

Enabling fast and unhindered sharing by associating the website with social networks.

In addition, your personal data may be processed in accordance with KVKK Articles 5 and 6, as required by legal regulations such as:

Clearly provided for in the relevant laws.

Being compulsory for TRSGD to fulfill its legal obligations.

Being necessary for the performance of a contract to which the data subject is a party, provided that it is directly related to the performance of the contract.

Being necessary for the legitimate interests of TRSGD, provided that it does not harm the fundamental rights and freedoms of the data subject, and, if necessary, obtaining explicit consent.

The scope of this policy covers all personal data processed by the company, including but not limited to our customers, visitors, business contacts, business partners, employees, members, and third parties.

Our company’s policy is designed to implement the processing of all personal data, taking into consideration the KVKK and all other relevant legislation related to personal data, as well as international standards in this field.

Personal data cannot be transferred without the explicit consent of the data subject, except for the exceptions specified in the KVKK. In order to ensure the execution of our company’s business strategies and the implementation of human resources policies, we may transfer personal data, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK, to:

Lawyers, auditors, tax consultants, and other third parties from whom we receive consultancy and services, in order to conduct our business processes in accordance with the law and our legitimate interests, and to exercise our right to defense in a potential legal process.

Your authorized representatives and agents within the scope of the authorization given by you for the execution of transactions covered by the authorization.

Regulatory and supervisory institutions, as well as official institutions such as courts and enforcement offices, and other public institutions or organizations authorized to request your personal data, in order to fulfill our legal obligations.

Your personal data may be collected in oral, written, or electronic form for the purposes and scope specified above. Your personal data is collected orally, in writing, or electronically through various means, including but not limited to the company’s website, various contracts, mobile applications, email, application forms, consumer complaint forms, social media, newsletters, and through written or oral communications with our company, by real or legal persons acting as data processors on behalf of our company.

In this section, specific terms, phrases, concepts, abbreviations, etc., used in the Policy are briefly explained.

Explicit Consent: Consent given with full awareness, based on information and free will, for a specific matter, and limited to that transaction.

Anonymization: Making personal data incapable of being associated with a specific or identifiable natural person in any way, even if it is matched with other data.

Employee: Company personnel.

Data Subject (data subject): The natural person whose personal data is processed.

Personal Data: Any kind of information related to an identified or identifiable natural person.

Sensitive Personal Data: Data concerning individuals’ race, ethnicity, political opinion, philosophical belief, religion, sect, attire, membership in associations, foundations or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making available, classifying, or preventing the use of data, either completely or partially, through automatic means or non-automatic means which form part of a data recording system.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Controller: A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

KVKK Board: Personal Data Protection Board.

KVKK Institution: Personal Data Protection Institution.

KVKK: Law on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, and numbered 29677.

Policy: TRSGD SPORTS VOLUNTEERS ASSOCIATION Personal Data Protection and Processing Policy.

Registered Electronic Mail (KEP): A system that protects all types of commercial and legal correspondence and document sharing as you send it, definitively identifies the recipient, ensures that the content remains unchanged, and makes the content legally valid, secure, and indisputable.

Regarding your personal data:

• You have the right to learn whether your personal data is being processed.
• If your personal data has been processed, you have the right to request information about it.
• You have the right to learn the purpose of processing your personal data and whether they are used for their intended purpose.
• You have the right to know the third parties in domestic or foreign locations to whom your personal data have been transferred.
• If your personal data is incomplete or inaccurately processed, you have the right to request their correction.
• You have the right to object to the emergence of a result against you by exclusively analyzing your processed data through automated systems.
• If your personal data is processed unlawfully and this results in harm to you, you have the right to request compensation for the damage.

You can exercise these rights by submitting your request to us in writing or, if a separate method is determined by the Personal Data Protection Board, in accordance with that method.

Board of Directors:

The Board of Directors is responsible for overseeing the establishment and operation of mechanisms for reporting, investigating, and enforcing compliance with policies, rules, and regulations. The Personal Data Protection and Processing Policy has been approved by the Board of Directors. It serves as the authorized approval mechanism for ensuring the creation, implementation, and updating of the policy.

In their areas of responsibility, the Board of Directors, in collaboration with employees in their respective roles, is responsible for taking necessary measures to ensure compliance with the policy by external service providers.

The Board of Directors is responsible for investigating matters related to policy non-compliance and reporting as needed.

The distribution of the prepared document within the organization is the responsibility of the Board of Directors.

Audit Committee:

The Board of Directors and the Audit Committee are responsible for the preparation, development, implementation, and updating of this policy. The Audit Committee evaluates this policy periodically for its currency and improvement needs.

Under KVKK, our legal obligations regarding the protection and processing of personal data are as follows:

Our Obligation to Inform:

As the data controller, when collecting personal data, we are obligated to inform the data subject about:

• The purpose of processing their personal data
• Our identity and, if applicable, the identity of our representative
• To whom and for what purpose their personal data may be transferred
• The method of collecting data and the legal basis for processing it
• Rights under the law

We take care to make this policy open, understandable, and easily accessible to the public.

Our Obligation to Ensure Data Security:

As the data controller, we are obligated to take the administrative and technical measures prescribed by the law to ensure the security of personal data within our organization. The obligations and measures related to data security are detailed in this policy.

Personal Data:

Personal data; any kind of information related to an identified or identifiable natural person.

The protection of personal data is only applicable to natural persons, and information that does not contain identifiable information about a natural person is excluded from personal data protection. Therefore, this Policy is not applicable to data related to legal entities.

Special Categories of Personal Data:

Special categories of personal data include information about a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing Principles of Personal Data

We process personal data in accordance with the following principles:

Processing in accordance with the law and fairness: We process personal data in accordance with the law, transparency, and our obligation to inform.

Ensuring the accuracy and keeping up-to-date: We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide individuals with the opportunity to update their data and correct any errors.

Processing for specific, explicit, and legitimate purposes: We process personal data for specific and clearly defined purposes within the framework of our legal obligations and legitimate interests in conducting our activities.

Relevance, limitation, and proportionality of processing: We process personal data in a relevant, limited, and proportionate manner to the purposes clearly specified. We avoid processing personal data that is irrelevant or unnecessary. Special categories of personal data are processed only when required by law or with explicit consent.

Retention of personal data as required by legal regulations and our legitimate interests: Many legal regulations require the retention of personal data for a specific period. Therefore, we retain the personal data we process for the duration required by the relevant laws or for the purposes of data processing.

When the statutory retention period expires or the processing purpose is no longer applicable, we delete, destroy, or anonymize personal data. Our principles and procedures regarding data retention are detailed in this policy.

Processing Purposes of Personal Data

As a company, we process personal data for purposes including but not limited to the following:

Conducting our activities, Providing support services to customers within the framework of contracts and service standards, Identifying customer preferences and needs and shaping and updating our services accordingly, Complying with legal obligations as required by legal regulations, Conducting market research and statistical studies, Surveys, promotions, and sponsorships, Evaluating job applications, Establishing contact with individuals in business relations with the company, Marketing, Compliance management, Supplier/vendor management, Advertising, Legal reporting, Billing.

Processing of Special Categories of Personal Data

Special categories of personal data, such as health and sexual life data, may be processed with explicit consent if required by laws and regulations and with the implementation of administrative and technical measures prescribed by the Personal Data Protection Authority. Data concerning race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress code, association, foundation, or trade union membership, criminal convictions, and security measures, as well as biometric and genetic data, may be processed without your explicit consent only when required by laws and regulations.

Processing of Personal Data in the Context of Other Memberships: When you become a member of one of our programs, we collect, process, and transfer your personal data through membership forms for similar purposes.

Processing of Personal Data Collected through Cookies on Our Website: We use cookies to improve the functionality and user experience of our website and to make the time you spend on our website more efficient and enjoyable. We may collect, process, transfer, and store your personal data through the cookies used on our website.

For detailed information about the cookies used on our website, you can review our “Cookie Policy.”

Processing of Personal Data for Human Resources and Employment Purposes: We process, store, and transfer your personal data, including resumes, diplomas, etc., that you share with us during the job application process for the purpose of evaluating job applications. The processing, transfer, and storage of personal data shared as a job applicant are within the scope of this Policy.

Personal data concerning employees is collected, processed, and stored within the framework of TRSGD Human Resources Policy, beyond the scope of this Policy.

Exceptional Cases Where Explicit Consent Is Not Required for Processing Personal Data

In the following exceptional cases required by law, we may process personal data without obtaining explicit consent:

When it is explicitly prescribed by the laws, When it is necessary for the establishment or performance of a contract with the data subject, When it is necessary for the exercise or protection of a right, When processing is mandatory for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Retention of Personal Data for the Period Specified in the Relevant Legislation or Required for the Purpose of Processing:

Subject to the retention periods prescribed by the relevant legislation for personal data, we retain personal data for the duration required by the purpose of processing.

In cases where we process personal data for more than one purpose, when there is no legal obstacle under the relevant legislation for the erasure of data upon the cessation of the processing purposes or at the request of the Data Subject, the data is erased, destroyed, or anonymized. Destruction, deletion, or anonymization is carried out in accordance with legal provisions and decisions of the Personal Data Protection Board (KVK Board).

Measures Taken for the Storage of Personal Data:

Technical Measures:

• We establish technical infrastructure and audit mechanisms for the deletion, destruction, and anonymization of personal data.
• We take necessary measures to securely store personal data.
• We employ personnel with technical expertise.
• We develop systems for business continuity and emergency plans against potential risks.
• We install security systems in line with technological developments for the storage areas of personal data.

Administrative Measures:

• We raise awareness among our employees regarding technical and administrative risks related to the storage of personal data.
• In cases where collaboration with third parties is required for the storage of personal data, we include provisions in contracts with the companies to which personal data is transferred, specifying security measures necessary for the protection and secure storage of the transferred personal data.

Our Obligations Regarding the Security of Personal Data:

To prevent the unlawful processing of personal data, we take the following measures:

1. Internal Audits: We conduct necessary internal audits and assessments to ensure compliance with data protection regulations.

2. Employee Training: Our employees receive training and information about the lawful processing of personal data.

3. Evaluation of Activities: We assess all activities conducted by our company to determine their impact on the processing of personal data.

4. Contracts with Data Processors: In cases where we collaborate with third parties for the processing of personal data, we include clauses in contracts that require these third-party data processors to take necessary security measures.

5. Reporting to KVK Board: In the event of data breaches or data leaks, we promptly report the situation to the Personal Data Protection Authority (KVK Board) and take necessary actions as required by the law.

To prevent unauthorized access to personal data, we implement technical and administrative measures:

1. Employing Technical Experts: We employ personnel with technical expertise in data security.

2. Regular Updates: We keep our technical measures up-to-date and periodically renew them.

3. Access Authorization Procedures: We establish access authorization procedures within our company.

4. Reporting and Documentation: We establish procedures for reporting and documenting our technical measures and audit processes.

5. Data Systems Compliance: We ensure that the data recording systems used within our company are in compliance with the law and conduct regular audits.

6. Emergency Response Plans: We develop emergency response plans to address potential risks and ensure their implementation.

7. Employee Training: We provide training and information to our employees regarding access and authorization to personal data.

8. Contracts with Data Access Providers: In cases where we collaborate with third parties that require access to personal data, we include clauses in contracts requiring these parties to take necessary security measures.

In the event of the unlawful disclosure of personal data, we take the following measures:

To prevent the unlawful disclosure of personal data, we take administrative and technical measures and update these measures according to our established procedures. If we detect that personal data has been disclosed without authorization, we have systems in place to report this to the relevant individuals and the Personal Data Protection Authority (KVK Board) as required by law.

Despite all the administrative and technical measures we have in place, in the event of an unlawful disclosure, the KVK Board may announce this situation on its website or through other means, if deemed necessary.

Under our obligation to inform, we inform the Data Subject and establish systems and infrastructure related to this information. We have made the necessary technical and administrative arrangements for the Data Subject to exercise their rights regarding their personal data.

The Data Subject has the following rights over their personal data:

1. To learn whether personal data is being processed.
2. If personal data is processed, to request information about it.
3. To learn the purpose of the processing of personal data and whether they are used in accordance with that purpose.
4. To know the third parties to whom personal data is transferred, whether domestically or internationally.
5. To request the correction of personal data in case it is incomplete or incorrectly processed.
6. To request the deletion or destruction of personal data in case the reasons requiring their processing no longer exist.
7. To request that the procedures for the correction, deletion, or destruction mentioned above be notified to third parties to whom personal data has been transferred.
8. To object to the occurrence of a result against the individual as a result of analyzing personal data exclusively through automated systems.
9. In the event of damage due to the unlawful processing of personal data, to request the compensation of the damages.

Exercise of rights related to personal data:

The Data Subject can exercise their rights regarding personal data through the method determined separately by the Personal Data Protection Authority (PDPA) or by sending a written and wet-signed application to the address: Büyükdere Cad. No:255 Nurol Plaza A Blok Kat:8 Maslak / Sarıyer / İstanbul / Turkiye

In the application for exercising the above-mentioned rights, the following requirements must be met: The subject of the request must be clear and comprehensible, the request must relate to the Data Subject’s own person, or if acting on behalf of someone else, the requestor must have a specific authorization, which should be documented, the application must contain the identity and address information of the applicant, and identity verification documents should be attached to the application.

These requests must be made individually, and requests made by unauthorized third parties regarding personal data will not be considered. If the Data Subject is under the age of 18, the rights mentioned above can be exercised on behalf of the Data Subject by their parent or legal guardian. In this case, identity verification documents of the parent or legal guardian must also be attached to the application.

Response Time for Applications:

Requests related to personal data will be processed and responded to as quickly as possible and no later than 30 (thirty) days, depending on the nature of the request, and will be provided free of charge. However, if the process requires an additional cost, a fee determined by the Personal Data Protection Authority may be charged.

During the application process or while evaluating the application, additional information and documents may be requested.

Our Right to Reject Applications:

Applications related to personal data, without being limited to the following:

Processing personal data for research, planning, and statistical purposes by anonymizing the data,
Processing personal data for art, history, literature, or scientific purposes, or within the scope of freedom of expression, without violating the privacy of private life or personal rights or constituting a crime,
Processing personal data that has been made public by the data subject,
If the application does not have a justifiable reason,
If the application contains a request that is contrary to the relevant legislation,
If the application procedure is not followed properly,

In such cases, the application may be rejected with reasons provided.

Right to Complain to the Personal Data Protection Board:

In cases where the application is rejected, the response is found to be insufficient, or no response is provided within the specified time, the applicant has the right to file a complaint with the Personal Data Protection Authority within 30 (thirty) days from the date of learning the response, and in any case, within 60 (sixty) days from the application date.”

The document appears to discuss the publication and storage of a policy. Here is the English translation:

PUBLICATION AND RETENTION OF THE DOCUMENT

This Policy is stored in two different formats: printed paper and electronic media. The current version of the document is available on the corporate portal and the website.

Hard copies with wet signatures are kept by the Board of Directors and, when necessary and under the supervision of the Audit Committee, are destroyed with the written approval of the Department Manager.

UPDATE PERIOD

This Policy is reviewed at least once a year and updated as needed.

EFFECTIVE DATE

This policy becomes effective on the date of approval by the Executive Board.

REMOVAL FROM EFFECT

If a decision is made to remove it from effect, the hard copies of this Policy with wet signatures will be canceled (by stamping or in writing) and signed by the Board of Directors with the written approval of the Department Manager and stored by the Audit Committee for a period of 5 years.