MİNT MÜMESSİLLİK TEKSTİL SANAYİ TİCARET LİMİTED ŞİRKETİ

PERSONAL DATA PROTECTION POLICY (KVKK POLICY)

INTRODUCTION 

According to Article 20 of the Constitution of the Republic of Turkey, all natural persons have the right to the protection of their personal data. As a constitutional right, the protection of personal data is treated with utmost care by Mint Mümessillik, and this Policy outlines the company’s approach to safeguarding the personal data of Employees, Employee Candidates, Shareholders and Partners, Potential Customers or Service Recipients, Supplier Employees, Supplier Representatives, Customers or Service Recipients, Potential Product or Service Providers, Product or Service Providers, and Visitors.

In this regard, Mint Mümessillik implements necessary administrative and technical measures in accordance with applicable legislation to ensure the protection of personal data.

This Policy sets out detailed explanations regarding the fundamental principles adopted by Mint Mümessillik in the processing of personal data, including:

  •  Processing personal data in accordance with the law and principles of honesty,

  •  Ensuring that personal data is accurate and kept up to date when necessary,

  •  Processing personal data for specific, explicit, and legitimate purpose,

  • Processing data in a manner that is relevant, limited, and proportionate to the purpose for which it is process,

  • Retaining personal data only for as long as required by relevant legislation or for the purposes for which it is processed,

  • Informing and enlightening data subjects regarding their personal,

  • Establishing necessary systems to enable data subjects to exercise their rights,

  • Taking appropriate measures for the secure storage of personal data,

  • Ensuring compliance with relevant legislation and Personal Data Protection Board regulations when transferring personal data to third parties in accordance with the processing purpose,

  • Showing particular sensitivity in the processing and protection of special categories of personal data.

PURPOSE OF THE POLICY

The primary purpose of this Policy is to provide clarification regarding the personal data processing activities carried out by the Company in compliance with the law, as well as the systems adopted for the protection of personal data. It has been prepared to ensure that data processing activities and the personal data obtained are handled and protected in accordance with the relevant legislation.

SCOPE

This Policy covers all personal data processed through automated means or by non-automated means provided that they form part of a data recording system, relating to our Employees, Employee Candidates, Shareholders and Partners, Potential Customers or Service Recipients, Supplier Employees, Supplier Representatives, Customers or Service Recipients, Potential Product or Service Providers, Product or Service Providers, and Visitors.

The scope of application of this Policy with respect to the personal data subject groups mentioned above may cover the entire Policy or only certain provisions thereof.

IMPLEMENTATION PRINCIPLES OF THE POLICY

The applicable laws and regulations concerning the processing and protection of personal data shall primarily prevail. In the event of any inconsistency between the current regulations and this Policy, the Company acknowledges that the applicable legal provisions shall take precedence.

This Policy has been prepared by concretizing the principles set forth in the Law on the Protection of Personal Data No. 6698 (KVKK) within the scope of Mint Mümessillik’s practices. Our Company continues to implement the necessary systems and preparations to act in accordance with the timeframes and obligations stipulated in the KVKK.

EFFECTIVENESS OF THE POLICY

In the event that the entire Policy or specific provisions are revised, the effective date and version of the Policy will be updated accordingly. The Policy is published on our Company's official website (www.minttex.com.tr) or made available to data subjects upon request through the Company’s advisory unit.

PRINCIPLES FOR THE IMPLEMENTATION OF PERSONAL DATA PROTECTION

In accordance with Article 12 of the Personal Data Protection Law (KVKK), our Company has taken the necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to such data, and to ensure an appropriate level of security. In this context, regular audits are conducted.

ENSURING THE SECURITY OF PERSONAL DATA

Our Company takes all necessary legal, technical, and administrative measures regarding data security in the areas outlined below, demonstrating the highest level of care and diligence. The actions and precautions taken by our Company to ensure "data security" in accordance with Article 12 of the Personal Data Protection Law (KVKK) are specified as follows.

  • Our Company will take technical and administrative measures, considering technical capabilities and implementation costs, to ensure the lawful processing of personal data. Employees are informed that they cannot disclose personal data they have learned in violation of the provisions of the Personal Data Protection Law (KVKK) or use it for purposes other than processing, and that this obligation continues even after their employment ends. Accordingly, necessary commitments are obtained from them. All employees provide a wet-signed Explicit Consent Form.

  • Our Company takes technical and administrative measures, considering the nature of the data to be protected, technological capabilities, and implementation costs, to prevent the unconscious or unauthorized disclosure, access, transfer, or any other unlawful access to personal data.

  • Our Company raises awareness among data processors such as business partners and suppliers to whom personal data is transferred regarding the prevention of unlawful processing, unlawful access, and ensuring lawful protection of personal data; and takes necessary measures to ensure that business partners and suppliers carry out personal data processing activities in compliance with the Personal Data Protection Law (KVKK).

  • As the data controller, our Company’s obligations and the legal, administrative, and technical measures it has developed for processing personal data are contractually imposed on data processing entities such as suppliers and business partners, with whom the Company has relationships under various capacities, through contract updates aligned with the nature of their data processing activities.

  • Our Company takes necessary technical and administrative measures, considering technological capabilities and implementation costs, to ensure that personal data is stored in secure environments and to prevent unlawful destruction, loss, or alteration of such data.

  • In accordance with Article 12 of the Personal Data Protection Law (KVK), our Company conducts or commissions necessary audits within its organization. The results of these audits are reported to the relevant department within the Company’s internal operations, and necessary actions are taken to improve the measures implemented.

  • In accordance with Article 12 of the Personal Data Protection Law (KVK), our Company operates a system that ensures prompt notification to the relevant personal data owner and the Personal Data Protection Board (KVK Board) in the event that personal data processed by the Company is unlawfully accessed or obtained by third parties.

MONITORING OF DATA SUBJECT RIGHTS AND EVALUATION OF REQUESTS

Our Company acknowledges and respects the rights of data subjects as defined by the Personal Data Protection Law (KVK). We have established procedures to receive, assess, and respond to requests from data subjects regarding their personal data in a timely and compliant manner.

All requests related to access, correction, deletion, or other rights of data subjects are handled in accordance with legal requirements and internal policies, ensuring transparency and protection of individual privacy;

  • To learn whether personal data is being processed,

  • To request information if personal data has been processed,

  • To learn the purpose of processing personal data and whether it is being used in accordance with that purpose,

  • To know the third parties to whom personal data is transferred, whether domestically or internationally.

  • To request the correction of personal data if it has been processed incompletely or inaccurately, and to demand that the correction be communicated to the third parties to whom the personal data has been transferred.

  • To request the deletion or destruction of personal data when the reasons requiring its processing have ceased to exist, despite being processed in accordance with the KVKK and other relevant laws, and to demand that this action be communicated to the third parties to whom the personal data has been transferred.

  • To object to the emergence of a result against the individual by means of the processed data being analyzed exclusively through automated systems.

  • The data subject has the right to request compensation in case of damage caused by the unlawful processing of personal data.

Pursuant to Article 13, Paragraph 1 of the Law on the Protection of Personal Data, personal data subjects are required to submit their requests regarding the exercise of the rights mentioned above to our Company in writing or through other methods determined by the Personal Data Protection Board. Since the Board has not yet specified any other methods, applications must be submitted to our Company in writing, in accordance with the mandatory provision of the Law.

In order for personal data subjects to exercise the rights mentioned above, they must submit their requests to our Company along with the necessary information to identify their identity and explanations regarding the specific rights they wish to exercise, also indicating which of the rights set out in Article 11 of the Law their request relates to. This will ensure that the applications are responded to more quickly and effectively.

Within this framework, the channels and procedures through which applications to our Company, based on Article 13 of the Personal Data Protection Law and within the scope of exercising the rights specified in Article 11 of the same Law, must be submitted in writing are explained below.

Requests containing explanations regarding the rights the personal data subject wishes to exercise under Article 11 of the Personal Data Protection Law can be submitted by filling out the form available at www.minttex.com.tr or by delivering a signed copy of the form in person along with identity documents to Mint Mümessillik Tekstil Sanayi Ticaret Limited Şirketi at Akçaburgaz Mahallesi Hadımköy Yolu Caddesi No:100 İç Kapı No:21 Esenyurt/Istanbul. Alternatively, these requests can be sent via a notary or through other methods specified in the Personal Data Protection Law.

For third parties to submit an application on behalf of personal data subjects, a special power of attorney notarized by a notary public, authorized by the data subject for the applicant, must be provided.

PROTECTION OF SPECIAL CATEGORY PERSONAL DATA

Under the Personal Data Protection Law, certain personal data are given special importance due to the risk of causing harm or discrimination to individuals if processed unlawfully.

These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Our Company treats the protection of special category personal data, as defined by the Personal Data Protection Law and processed lawfully, with great sensitivity. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully applied to special category personal data, and necessary audits are conducted. Our Company treats the protection of special category personal data, as defined by the Personal Data Protection Law and processed lawfully, with great sensitivity. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully applied to special category personal data, and necessary audits are conducted..

INFORMING THE PERSONAL DATA SUBJECT

Our Company informs personal data subjects in accordance with Article 10 of the Personal Data Protection Law (KVK Law) at the time of obtaining personal data. In this context, personal data subjects are provided with information regarding our Company’s identity, the purpose of processing the personal data, to whom and for what purpose the processed data may be transferred, the method and legal basis of data collection, and the rights of the data subject under Article 11 of the KVK Law.

Article 20 of the Constitution establishes that everyone has the right to be informed about their personal data. Accordingly, ‘requesting information’ is listed among the rights of personal data subjects in Article 11 of the KVK Law. Within this scope, our Company provides the necessary information when the personal data subject requests information, in compliance with Article 20 of the Constitution and Article 11 of the KVK Law.

In addition, our Company complies with all provisions of the Personal Data Protection Law and conducts personal data processing activities primarily in accordance with the principle of legality and fairness. We inform personal data subjects and relevant parties through this Policy document and various publicly available materials, ensuring accountability and transparency in our data processing activities. Furthermore, our Company provides information to relevant individuals through multiple methods, especially when obtaining their explicit consent, regarding our activities and legal obligations.

PROCESSING OF PERSONAL DATA

Our Company processes personal data in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law (KVK Law) by adhering to the principles of legality and fairness; ensuring accuracy and updating when necessary; pursuing specific, clear, and legitimate purposes; and processing personal data in a relevant, limited, and proportional manner.

Our Company retains personal data for the duration prescribed by laws or as required by the purpose of data processing.

In accordance with Article 20 of the Constitution and Article 5 of the KVK Law, our Company processes personal data based on one or more of the conditions set forth in Article 5 of the KVK Law concerning the processing of personal data.

Furthermore, our Company acts in compliance with the regulations stipulated for the processing of special category personal data pursuant to Article 6 of the KVK Law.

Our Company complies with the provisions stipulated by law and the regulations set forth by the Personal Data Protection Board regarding the transfer of personal data, in accordance with Articles 8 and 9 of the Personal Data Protection Law (KVK Law).

PROCESSING OF EMPLOYEE DATA

PROCESSING OF DATA FOR THE EMPLOYMENT RELATIONSHIP

In employment relationships, personal data are processed without additional consent when necessary for the establishment, implementation, and termination of the employment contract. Candidates’ personal data are processed at the start of the employment process. If a candidate is rejected, their information is retained for the appropriate data retention period for potential future selection stages and is deleted, destroyed, or anonymized at the end of this period.

Data processing carried out due to a clear provision in the law or the Company’s legal obligations can be performed without additional consent, provided that the processing of the employee’s personal data is explicitly stated in the relevant legislation or is necessary to fulfill a legal obligation specified by law.

PROCESSING OF DATA BASED ON LEGITIMATE INTEREST

Personal data of employees may be processed based on the Company’s legitimate interest without obtaining additional consent when necessary. Legitimate interests generally include legal interests (e.g., filing, enforcing, or defending legal rights) or economic interests (e.g., company evaluation). In personal situations where employees’ interests need protection, personal data are not processed for legitimate interest purposes. Before processing, it is determined whether there are interests requiring protection. When employees’ data are processed based on the Company’s legitimate interest, the proportionality of the processing is assessed. The Company ensures that its legitimate interest does not violate the protected rights of the relevant employee and applies the processing only if it is proportional.

DATA PROCESSED EXCLUSIVELY THROUGH AUTOMATED SYSTEMS

If personal data are processed exclusively through automated systems as part of the employment relationship (e.g., as part of personnel selection or evaluation of skill profiles), the employee has the right to object to any outcome that may result to their detriment.

TELECOMMUNICATION AND INTERNET

Telephone devices, email addresses, internal networks including intranet and internet are primarily provided by the Company for work-related tasks. These are work tools and Company resources and must be used in accordance with legal regulations and the Company’s internal policies. There is no general monitoring of telephone, email communication, or intranet and internet usage. However, protective technical measures are implemented to block harmful content and analyze attack patterns during access to the Company network to prevent attacks on IT infrastructure or individual users.Usage data of telephone devices, email addresses, intranet/internet, and/or internal social networks are retained for a limited time for security reasons. Evaluations related to individuals are only conducted if there is concrete suspicion of violation of legal regulations or Mint Mümessillik’s internal policies. Such monitoring is carried out by relevant departments strictly under the principle of proportionality.

PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PRESCRIBED BY LEGISLATION

PROCESSING IN COMPLIANCE WITH THE PRINCIPLE OF LAWFULNESS AND FAIRNESS

Our Company acts in accordance with the legal principles and the general rule of trust and fairness in the processing of personal data. Within this scope, our Company considers the requirements of proportionality in processing personal data and does not use personal data beyond the purpose for which they were collected.

ENSURING PERSONAL DATA ARE ACCURATE AND UPDATED WHEN NECESSARY

Our Company ensures that the personal data it processes, taking into account the fundamental rights of data subjects and its own legitimate interests, are accurate and up to date. Accordingly, it takes the necessary measures.

PROCESSING WITH SPECIFIC, CLEAR, AND LEGITIMATE PURPOSES

Our Company clearly and explicitly defines its legitimate and lawful purpose for processing personal data. It processes personal data only to the extent necessary and relevant to the services it provides. The purpose for which personal data will be processed is determined by our Company before the data processing activity begins.

Our Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing personal data that are not related to or not needed for the fulfillment of those purposes.

RETAINING FOR THE PERIOD FORESEEN IN THE RELEVANT LEGISLATION OR REQUIRED FOR THE PURPOSE FOR WHICH THEY ARE PROCESSED

Our Company retains personal data only for the period specified in the relevant legislation or for as long as required for the purpose for which they are processed. In this context, our Company first determines whether a specific retention period is stipulated in the applicable legislation and complies with that period if it exists. If no such period is defined, the data are retained for the duration necessary to fulfill the processing purpose. Upon expiration of the retention period or elimination of the reasons requiring processing, the personal data are deleted, destroyed, or anonymized by our Company through appropriate procedures.

LIMITED PROCESSING OF PERSONAL DATA

Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the individual. In line with this and in compliance with the Constitution, our Company processes personal data only in cases provided for by law or with the explicit consent of the individual.

The explicit consent of the personal data subject is only one of the legal bases that make the processing of personal data lawful. In addition to explicit consent, personal data may also be processed if one of the other conditions listed below is present. A personal data processing activity may be based on only one of the conditions below, or it may be based on more than one of them simultaneously. If the data being processed is special category (sensitive) personal data, the conditions listed below apply accordingly.

Although the legal bases for the processing of personal data by our Company may vary, all personal data processing activities are carried out in compliance with the general principles set forth in Article 4 of Law No. 6698.

PRESENCE OF THE DATA SUBJECT’S EXPLICIT CONSENT

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent must relate to a specific subject, be based on informed decision-making, and be given freely. When the processing of personal data depends on explicit consent, such consent is obtained from customers, potential customers, and visitors through appropriate methods.

EXPLICIT PROVISION IN LAWS

The personal data of the data subject may be processed lawfully if explicitly provided for by law.

INABILITY TO OBTAIN THE DATA SUBJECT'S EXPLICIT CONSENT DUE TO FACTUAL IMPOSSIBILITY

If the person is unable to give consent due to factual impossibility or if the consent would not be considered valid, and processing the personal data is necessary to protect the life or physical integrity of the person or another individual, the personal data of the data subject may be processed.

DIRECT RELEVANCE TO THE ESTABLISHMENT OR PERFORMANCE OF A CONTRACT

Personal data may be processed if it is necessary for the parties to a contract, provided that it is directly related to the establishment or performance of the contract.

FULFILLMENT OF THE COMPANY’S LEGAL OBLIGATION

If processing is necessary for our Company, as the data controller, to fulfill its legal obligations, the personal data of the data subject may be processed.

DISCLOSURE OF PERSONAL DATA BY THE DATA SUBJECT

If the data subject has publicly disclosed their personal data themselves, the relevant personal data may be processed.

PROCESSING OF DATA IS NECESSARY FOR THE ESTABLISHMENT OR PROTECTION OF A RIGHT

If processing is necessary for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.

PROCESSING OF DATA IS NECESSARY FOR OUR COMPANY’S LEGITIMATE INTEREST

Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed if it is necessary for our Company's legitimate interests.

PROCESSING OF SPECIAL CATEGORY PERSONAL DATA

Our company strictly complies with the provisions set forth in the Personal Data Protection Law (KVK Kanunu) regarding the processing of personal data classified as "special category" under the law.

Article 6 of the KVK Law identifies certain personal data as "special category" due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include race, ethnic origin, political party membership, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

In compliance with the KVK Law, our company processes special category personal data under the following circumstances, provided that adequate measures determined by the KVK Board are taken:

  1. If the personal data owner has given explicit consent, or
  2. If the personal data owner does not give explicit consent;

Special category personal data, excluding those related to the data subject’s health and sexual life, may be processed in cases explicitly provided for by law,

Special category personal data related to the data subject’s health and sexual life may only be processed for the purposes of protecting public health, medical diagnosis, treatment and care services, planning and management of health services and financing, and only by persons bound by confidentiality or authorized institutions and organizations.

TRANSFER OF PERSONAL DATA

Our company, in line with lawful personal data processing purposes, takes necessary security measures and may transfer the personal data and special category personal data of the data subject to third parties. Accordingly, our company acts in compliance with the provisions stipulated in Article 8 of the Personal Data Protection Law (KVK Law).

TRANSFER OF PERSONAL DATA ABROAD

Our company, in accordance with lawful personal data processing purposes, takes necessary security measures and may transfer the personal data and special categories of personal data of the data subject to third parties abroad. Personal data are transferred by our company to foreign countries declared by the Personal Data Protection Board as having adequate protection ("Foreign Country with Adequate Protection") or, if adequate protection is not available, to foreign countries where the data controllers in Turkey and the relevant foreign country have provided a written commitment to ensure adequate protection and with the permission of the Personal Data Protection Board ("Foreign Country with Data Controller Committing Adequate Protection"). Our company acts in compliance with the regulations stipulated in Article 9 of the Personal Data Protection Law in this regard.

PURPOSES OF PROCESSING AND RETENTION PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY

Our company, in accordance with Article 10 of the Personal Data Protection Law (KVK), informs personal data owners about which personal data groups are processed, the purposes of processing their personal data, and the retention periods of their data, fulfilling the obligation to provide transparency.

CATEGORIZATION OF PERSONAL DATA

Our Company processes personal data limitedly and based on one or more of the personal data processing conditions stated in Article 5 of the KVKK, in line with our legitimate and lawful personal data processing purposes. This processing complies with the general principles set forth in the KVKK, especially those in Article 4 regarding personal data processing principles, and all obligations under the KVKK, within the retention periods specified in this Policy.Personal data of the following groups are processed after informing the relevant individuals as per Article 10 of the KVKK: Employees, Job Applicants, Shareholders and Partners, Potential Customers, Supplier Employees, Supplier Representatives, Customers, Potential Sellers, Sellers, and Visitors.

PURPOSES OF PERSONAL DATA PROCESSING

The Company processes personal data limited to the purposes and conditions specified within the personal data processing requirements set forth in Articles 5 and 6 of the KVKK Law. These purposes and conditions include;

  • The clear legal requirement for Mint Mümessillik to carry out the related activity concerning the processing of personal data.

  • The processing of personal data by Mint Mümessillik is directly related to and necessary for the establishment or performance of a contract

  • The processing of personal data is necessary for Mint Mümessillik to fulfill its legal obligations.

  • Provided that the personal data has been made public by the data subject; the data may be processed by the "Company" solely for the purpose of this public disclosure.

  • Processing of personal data by the “Company” is necessary for the establishment, exercise, or protection of the rights of the “Company,” data subjects, or third parties.

  • Processing personal data for the legitimate interests of the “Company,” provided that it does not harm the fundamental rights and freedoms of the data subject, is necessary

  • The processing of personal data by the “Company” is necessary to protect the life or physical integrity of the data subject or another person, and in such cases, the data subject is unable to give consent due to actual or legal incapacity.

  • In the case of special categories of personal data, excluding data related to the health and sexual life of the data subject, the processing is allowed when it is stipulated by law.

  • In the case of special categories of personal data related to the health and sexual life of the data subject, processing is carried out by persons under confidentiality obligations or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.

Within this scope, the "Company" processes your personal data for the following purposes:

  • Emergency Management Processes,

  • Management of Employee Candidate Application Processes,

  • Fulfillment of Employment Contract and Legal Obligations for Employees,

  • Management of Employee Benefits and Perquisites,

  • Conducting Finance and Accounting Operations,

  • Ensuring Physical Security of Facilities,

  • Creation and Monitoring of Visitor Records,

  • Monitoring and Execution of Legal Affair,

  • Execution of Occupational Health and Safety Activities,

  • Controlling Entry and Exit to the Corporate Building and Preventing Unauthorized Access,

  • Assisting in the Preparation of Timesheets,

  • Conducting Goods/Services Procurement Processes,

  • Carrying Out Logistics Activities,

  • Managing After-Sales Support Services for Goods/Services,

  • Managing Customer Relationship Processes,

  • Conducting Marketing Processes for Products/Services,

  • Ensuring Security of Movable Assets and Resources,

  • Ensuring Security of Data Controller Operations

  • Conducting Management Activities,

If the data processing activity carried out for the mentioned purposes does not meet any of the conditions stipulated under the KVKK Law, the explicit consent of the data subject is obtained by the "Company" for the relevant processing process.

PERSONAL DATA RETENTION PERIODS

Mint Mümessillik retains personal data for the duration specified in the relevant laws and regulations when such retention periods are prescribed.

If the legislation does not specify a retention period for personal data, the data is processed only as long as necessary according to the Company’s practices and commercial customs related to the activity for which the data is processed. After this period, the data is deleted, destroyed, or anonymized.

If the purpose of processing personal data has ended and the retention periods set by the relevant legislation and the Company have expired, personal data may only be retained for the purpose of serving as evidence in possible legal disputes or for asserting or defending a right related to the personal data. In determining these retention periods, statute of limitations periods for asserting the mentioned rights and examples from previous requests made to the Company in similar matters, even after the statute of limitations expired, are taken into account. During this time, the stored personal data is not accessed for any other purpose and is only accessed when needed for the relevant legal dispute. After this period expires, personal data is deleted, destroyed, or anonymized. Access to these personal data during this period is granted only to authorized personnel designated by the Data Controller who manage user permissions in Information Technologies as Data Processors.

THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY MİNT MÜMESSİLLİK AND PURPOSES OF TRANSFER

The "Company" notifies the data subject of the groups of recipients to whom personal data is transferred, in accordance with Article 10 of the Personal Data Protection Law (KVK).

The "Company" may transfer the personal data of data subjects, managed under this Policy, to the following categories of recipients in accordance with Articles 8 and 9 of the Personal Data Protection Law (KVK):

  • Shareholders

  • Suppliers

  • Authorized Public Institutions and Organizations

VISITOR-RELATED KVKK INFORMATION PRACTICES

PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT MINT MÜMESSİLLİK LOCATIONS

The personal data processing activities carried out by the “Company” at the Headquarters and Istanbul Branch are conducted in compliance with the Constitution, the Personal Data Protection Law (KVK), and other relevant legislation.

For the purpose of ensuring security, our Company processes personal data through security camera monitoring and guest entry-exit tracking activities at the Company’s Headquarters and Istanbul Branch locations.

By using security cameras and recording guest entry and exit, our Company carries out personal data processing activities.

The Company’s security camera monitoring activity aims to protect the interests related to the safety of the Company and others, and in this context, our Company acts in accordance with the Constitution, the KVKK Law, and other relevant legislation.

Our Company records images of visitors through a camera monitoring system at building and facility entrances and inside the premises. Within the scope of security camera monitoring, our Company aims to enhance service quality, ensure reliability, protect the safety of the Company, customers, and others, and safeguard the interests of customers regarding the services they receive.

Our Company conducts camera monitoring activities for security purposes in compliance with the regulations set forth in the Personal Data Protection Law (KVK Law).

The camera surveillance activity carried out by our Company is conducted in compliance with the Law on Private Security Services and relevant legislation. Access to the digitally recorded and stored footage is restricted to a limited number of Company employees. In accordance with Article 12 of the Personal Data Protection Law (KVK Kanunu), our Company takes the necessary technical and administrative measures to ensure the security of the personal data obtained through camera monitoring.

In addition to the camera recordings mentioned above, our Company also processes personal data for the purpose of ensuring security and for the purposes stated in this Policy by tracking visitor entries and exits at our Company’s buildings and facilities.

When individuals enter our Company buildings as visitors, their names and surnames are collected, and they are informed about the processing of their personal data through texts posted or otherwise made accessible to them by the Company. The data collected for the

purpose of tracking visitor entries and exits is processed solely for this purpose and is recorded in the data recording system in physical format.

For security purposes and the objectives stated in this Policy, our Company may provide internet access to visitors during their stay at our locations. In such cases, internet access logs are recorded in accordance with Law No. 5651 and the applicable regulations issued under this law. These records are processed only if requested by authorized public institutions and organizations or within the scope of internal audits to fulfill our legal obligations.

Within this scope, access to the collected log records is restricted to a limited number of Company employees. These employees may only access the records for responding to requests from authorized public institutions or during audit processes and share them solely with legally authorized parties. The limited number of personnel with access are required to sign a confidentiality agreement, declaring their commitment to protect the confidentiality of the data they access.

INTERNET SITE VISITORS

On our Company’s websites, internet activity of visitors is recorded through technical means (e.g., cookies) to ensure that visits are carried out in line with their intended purpose, to provide personalized content, and to conduct online advertising activities. Consent for the use of cookies is obtained from all users upon entering our website. Detailed explanations regarding the protection and processing of personal data related to these activities are provided in the "Privacy and Security" statements available on our website.

CONDITIONS FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Mint Mümessillik, in accordance with Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law (KVK), despite personal data being processed in compliance with the relevant legal provisions, deletes, destroys, or anonymizes the personal data upon the company’s own decision or at the request of the data subject, if the reasons necessitating the processing no longer exist.

MINT REPRESENTATION'S OBLIGATION TO DELETE, DESTROY, AND ANONYMIZE PERSONAL DATA

Pursuant to Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law (KVK), although personal data has been processed in accordance with the relevant legal provisions, if the reasons requiring its processing cease to exist, personal data shall be deleted, destroyed, or anonymized based on the decision of "Mint Mümessillik" or upon the request of the personal data owner. In this context, our Company fulfills this obligation by taking necessary technical and administrative measures within the Company; it has developed the required operational mechanisms and trains, assigns, and raises awareness among relevant departments to ensure compliance with these obligations.

TECHNIQUES FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

TECHNIQUES FOR DELETION AND DESTRUCTION OF PERSONAL DATA

Although personal data has been processed in accordance with the relevant legal provisions, Mint Mümessillik may delete or destroy personal data based on its own decision or upon the request of the data subject if the reasons requiring the processing no longer exist. The most commonly used deletion or destruction techniques by Mint Mümessillik are listed below:

PHYSICAL DESTRUCTION

Personal data can also be processed manually, provided it is part of a data recording system. When such data is deleted or destroyed, the system of physically destroying the personal data in a way that it cannot be used afterwards is applied.

SECURE DELETION FROM SOFTWARE

When data processed fully or partially by automated means and stored in digital environments is deleted or destroyed, methods ensuring the data is permanently removed from the relevant software and cannot be recovered are used.

SECURE DELETION BY AN EXPERT:

The “Company” may, in certain cases, contract with an expert to delete personal data on its behalf. In such cases, the personal data is securely deleted/destroyed by the expert in a way that it cannot be recovered.

TECHNIQUES FOR ANONYMIZING PERSONAL DATA

Anonymization of personal data refers to the process by which personal data is transformed so that it can no longer be associated with an identified or identifiable natural person, even when combined with other data. Mint Mümessillik may anonymize personal data when the lawful reasons requiring the processing of the personal data no longer exist.

In accordance with Article 28 of the Personal Data Protection Law (KVK), anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the KVK Law and does not require the explicit consent of the personal data owner. Since anonymized personal data is excluded from the scope of the KVK Law, the rights regulated in Section 2 of this Policy will not apply to these data. The most commonly used anonymization techniques by Mint Mümessillik are listed below.

MASKING

Data masking is a method of anonymizing personal data by removing the key identifying information from the data set, making the personal data anonymous.

CONSOLIDATION

The data aggregation method involves combining multiple data points so that personal data can no longer be associated with any individual.

DATA DERIVATION

Using the data derivation method, a more general content is created from the personal data, ensuring that the personal data cannot be associated with any specific individual.

DATA MIXING

Using the data mixing method, the values within the personal data set are shuffled to break the link between the values and the individuals.

DEFINITIONS

If the trace of personal data cannot be tracked by anyone, or if the personal identity can only be recreated with unreasonable time, cost, and effort, the data is considered anonymized.

  • Data breaches are incidents where there is reasonable suspicion of unlawful acquisition, collection, alteration, copying, distribution, or use of personal data. These may involve third parties and individuals.

  • The data subject is the natural person whose personal data is processed.

  • Special categories of personal data include information relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

  • Personal data refers to any information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified directly or indirectly, even through the combination of that data with other information, including data related to personal relationships.

  • The processing of personal data refers to any operation performed on personal data, whether wholly or partly by automatic means, or by non-automatic means as part of a data recording system. This includes actions such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making data available, classification, or prevention of use.