PERSONAL DATA PROTECTION AND PROCESSING POLICY

DEFINITIONS

Explicit Consent: Consent given freely and based on informed knowledge regarding a specific matter.
Candidate Employee, Intern, or Scholarship Candidate
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Sub-Data Processor: A party who performs data processing activities based on the authority given to them by the data processor and in accordance with the instructions of the data processor.
Anonymization: Making personal data impossible to link to an identified or identifiable natural person, even when combined with other data.
Information Text: The requirement for data controllers or their authorized persons to inform the Data Subject (relevant person) during the collection of personal data.
Employee: A natural person employed by BSC / Bayirli Swiss Company.
Direct identifiers: Identifiers that, individually, directly reveal, disclose, and distinguish the person with whom they are related.
Indirect identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person with whom they are related.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-electronic Environment: All other written, printed, visual, etc. environments outside of electronic environments.
Service Provider: A natural or legal person providing services within the framework of a specific contract with the Personal Data Protection Authority.
Data Subject: The natural person whose personal data is processed.
Relevant User: Natural or legal persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Obfuscation: Processes such as crossing out, painting over, or blurring the entirety of personal data in such a way that it cannot be linked to an identified or identifiable natural person.
Recording Medium: Any medium in which the Personal Data is processed, whether wholly or partly automated or non-automated, provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person (In this policy, the term “Personal Data” also includes “Special Categories of Personal Data” where appropriate).
Processing of Personal Data: Processing of personal data whether wholly or partly automated. Personal data processing is any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether through automated means or as part of a data recording system.
Personal Data Processing Inventory: An inventory created by data controllers detailing their personal data processing activities related to their business processes; associating these activities with the purposes of processing, data category, recipient group, and data subject group; and specifying the maximum period for which the personal data is necessary for the purposes for which it is processed, the personal data intended for transfer to foreign countries, and the measures taken regarding data security.
Personal Data Storage and Destruction Policy: The policy that data controllers use as a basis for determining the maximum period for which personal data is necessary for the purpose for which it is processed, and for deletion, destruction, and anonymization.
KVKK Regulations: Law No. 6698 on the Protection of Personal Data and regulations, communiqués, and related legislation on the protection of personal data, decisions of the Personal Data Protection Board, court decisions, applicable international agreements on data protection, and all other relevant legislation.
KVKK Authority: Personal Data Protection Authority
Masking Personal Data: The process of deleting, crossing out, painting over, and asterisking certain areas of personal data in a way that prevents them from being associated with an identified or identifiable natural person.
Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users in any way.
Special Categories of Personal Data: Race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, membership in associations, foundations or trade unions, health, blood type, sexual life, criminal convictions and security measures. Data related to: wet signature, biometric and genetic data.
Periodic Destruction Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
Policy: Personal Data Storage and Destruction Policy.
Profiling: Any form of automated personal data processing that involves the use of personal data to evaluate certain personal characteristics of a natural person, including but not limited to analyzing or predicting aspects relating to a natural person’s performance at work, economic status, health, personal preferences, interests, reliability, behavior, location or movements.
Report: BSC / Bayirli Swiss Company Personal Data Protection Law Compliance Project Final Report.
Third Party: Any natural or legal person, public institution, organization or body other than the data subject, controller, processor and persons authorized to process personal data under the direct authority of the controller or processor.
Data Processor: Natural or legal persons outside the organization of the data controller who process personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: Refers to the recording system in which personal data is processed by structuring it according to certain criteria.
Data Subject: See Data Subject
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System (VERBIS): An information system created and managed by the Presidency, accessible via the internet, which Data Controllers will use for applications to the Registry and other related transactions.
ABBREVIATIONS

BSC / Bayirli Swiss Company

Due to the entry into force of the Law No. 6698 on the Protection of Personal Data (KVKK), the data processing activities of natural and legal persons not included in the exceptions in the KVKK must be carried out in accordance with the procedures and principles determined in the KVKK. In addition to the Personal Data Protection Law (KVKK), there are regulations regarding the protection of personal data in the Turkish Constitution, the Turkish Penal Code, the Electronic Communications Law, and many other laws. This “Personal Data Processing and Protection Policy” document has been prepared by BSC / Bayirli Swiss Company (hereinafter referred to as “BSC / Bayirli Swiss Company”) to inform you about how we process, for what purposes we use, and how we protect the personal data we obtain from our customers, potential customers, employees, interns, employee and intern candidates, suppliers and their officials, and all other third parties while conducting our business relationships, in relation to the KVKK, which entered into force on April 7, 2016. Both the KVKK and other legal regulations were taken into consideration during the preparation of this document.

Our Personal Data Processing Principles

All personal data processed by BSC GMBH is processed in accordance with the KVKK and relevant legislation. In accordance with Article 4 of the KVKK (Law on Protection of Personal Data), the fundamental principles we adhere to when processing your personal data are explained below:

Processing in Accordance with the Law and the Rule of Fairness: BSC GMBH acts in accordance with the principles established by legal regulations and the general rule of trust and fairness in the processing of personal data. In this context, it takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required by the purpose.
Ensuring the Accuracy and Timeliness of Personal Data: BSC GMBH ensures the accuracy and timeliness of the personal data it processes, taking into account the fundamental rights of personal data owners and its own legitimate interests.
Processing for Specific, Clear, and Legitimate Purposes: BSC GMBH clearly and precisely defines the legitimate and lawful purpose of personal data processing. It processes personal data only to the extent necessary and relevant to the products and services it offers.
Being Relevant, Limited, and Proportional to the Purpose for Which They Are Processed: BSC GMBH processes personal data in a manner suitable for achieving the defined purposes and avoids processing personal data that is not related to or needed for the achievement of the purpose.
Retaining Personal Data Only for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed: BSC GMBH retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, it first determines whether a retention period for personal data is stipulated in the relevant legislation; if a period is determined, it acts in accordance with that period; if no period is determined, it retains personal data for the period necessary for the purpose for which it was processed. Upon the expiration of the period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized.

Data Subject Categories

The categories of data subjects whose personal data is processed by BSC GMBH, including customers and customer representatives, potential customers, visitors, supplier companies and their employees, are listed in the table below. A separate policy has been created and implemented within BSC GMBH regarding the processing of personal data of our employees and interns. Individuals outside the categories below may also submit requests under the KVKK (Personal Data Protection Law); these requests will also be considered.

Data Subject Category: Description
Customer: Individuals who receive our Customer Services, with whom we have a commercial relationship, and to whom we offer our services, products, promotions and campaigns.
Potential Customer: Individuals who have requested or shown interest in using our Services, or who are assessed as potentially having this interest, or to whom we promote our services and campaigns.
Visitor: Individuals who have entered physical facilities (offices, warehouses, stores, etc.) owned by BSC GMBH or where an organization is held, for various purposes, or who visit our websites.
Third Party: Individuals who are related to these individuals in order to ensure the security of commercial transactions between BSC GMBH and these individuals, or to protect the rights and provide benefits of these individuals (Example: guarantor, representative, family members and relatives), or all individuals whose personal data is processed by BSC GMBH for a specific purpose, even if not explicitly stated in the Policy (Example: former employees).
Job Candidate / Intern Candidate: Individuals who have applied for a job/internship at BSC GMBH in any way, or who have made their resume and related information available to BSC GMBH for review.
Subcontractor Employees: Employees and representatives of BSC GMBH’s subsidiaries located domestically or abroad.
Employees and Officials of Institutions with Which We Cooperate: Individuals working in institutions and organizations with which BSC GMBH has any kind of business relationship (public institutions, suppliers, etc., but not limited to these), including managers and officials of these institutions.

Collection of Personal Data

We collect your personal data primarily in the following situations:

When you receive or use our services,
When you sell goods or provide services to us,
When you subscribe to newsletters, choose to receive our surveys and marketing communications,
When you contact us via our website, email, social media platforms, other online channels or by telephone with a complaint or feedback,
When you apply for a job/internship at BSC GMBH,
When you participate in BSC GMBH events and organizations,
When you contact us for any purpose as a customer, potential customer/supplier/business partner/subcontractor,
When we inform you about updates and changes in our services.

In the above situations, we will only process the personal data we obtain in accordance with this Policy document.

Personal Data Processed

The personal data we process about you varies depending on the type of business relationship between us (e.g., customer, employee, supplier, business partner, representative, etc.) and the way you contact us (e.g., telephone, email, website, printed documents, etc.). Basically, our methods of processing personal data are through our website, by telephone or email, through customer-specific electronic applications, when you participate in our business events, promotions and surveys, when you fill out documents arising from our labor law obligations, or when you interact with us in any other way. In this context, the personal data we process about you can be described under the following categories:

Data Categories: Descriptions
Identity Data: Name, surname, maiden name (before marriage), date of birth, country of birth, city of birth, place of birth, gender, marital status, nationality, Turkish Republic Identity Number, serial number, wallet number, father’s name, mother’s name, province, district, neighborhood, volume number, family sequence number, sequence number, household number, page number, record number, place of issue, reason for issue, date of issue, validity period, photograph, signature, issuing authority information, document number, license number, class
Contact Data: Workplace address, home address, e-mail, telephone, mobile phone, residence, address registration system records
Personnel Information: Title, company name, payroll information, disciplinary investigation, employment entry-exit records
Personal Data: IBAN, other bank account and financial status information, balance sheet information, financial performance information, credit and risk information, financial statements, tax certificate, bank account data, invoice information, financial documents and data
Education, Work and Professional Life Data: Curriculum vitae information, education information (diplomas and certificates), professional competencies, courses attended, in-service training information, certificates, transcript information, employment entry-exit document records, performance evaluation reports
Legal Transaction Information: Information in correspondence with judicial authorities, information in case files, personal data processed within the scope of determining and tracking our legal receivables and rights, fulfilling our debts and complying with our legal obligations and BSC GMBH policies, audit and inspection data
Customer Transaction Information: Service, order and sales records, invoice, signature circular, tax certificate, information in bank statements
Transaction Security Information: IP address information, website login and logout information, password and login ID, password and other security codes
Any other information you voluntarily decide to share with BSC GMBH: Personal data you share on your own initiative, feedback, opinions, requests and complaints, evaluations, comments and our evaluations regarding them that you send to us via social media, online platforms or other channels, uploaded files, areas of interest, information given for our detailed review process before establishing a business relationship with you
Automatically collected electronic data: When you visit or use our website or applications, access our newsletters, interact with us through other electronic channels, in addition to the information you directly provide to us, we may also collect electronic data sent to us by your computer, mobile phone or other access device (e.g., device hardware model, IP address, operating system version and settings, hours and duration of your use of our digital channel or product, links you click, data, etc.)
Customer/Supplier data: Data obtained and generated about data subjects such as customers/suppliers, or employees and signatories within the customer/supplier, as a result of operations carried out by our units within the scope of our services.
Incident management and security information: Information and assessments collected regarding incidents that may potentially affect BSC GMBH employees, managers or directors, vehicle license plate and vehicle information, transportation and travel information.
Personal data collected from other sources: To the extent permitted by applicable laws and regulations, we may also collect your personal data from publicly available databases, social media platforms, etc. For example, before establishing a business relationship with you, we may conduct research on you from publicly available sources to ensure the technical, administrative and legal security of our commercial activities and transactions. In addition, you may transmit certain personal data belonging to third parties to us (Example: personal data of guarantors, companions, family customers, etc.). In order to manage our technical and administrative risks, we may process your personal data through methods used in accordance with generally accepted legal, commercial customs and the rule of honesty in these areas. In addition, we record and process the personal data you voluntarily provide to us through telephone, website and similar platforms for the purpose of resolving your requests and problems.
Special categories of personal data: Health information, religion, blood type, biometric photograph, data related to criminal convictions and security measures, criminal record information, wet signature information.
Visual and Auditory Data: Photographs, video images and audio data processed when you participate in events organized by BSC GMBH.

Processing of Customers’ Personal Data

Personal data belonging to our customers is processed by BSC GMBH within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, including the necessary work to enable relevant individuals to benefit from the services offered by BSC GMBH, the execution of relevant business processes, the planning and execution of BSC GMBH’s commercial and/or business strategies, and the planning and execution of activities necessary to ensure the legal, technical and commercial security of relevant individuals in a business relationship with BSC GMBH. This data is also shared with our customers, website visitors, e-commerce companies, and public institutions authorized to transfer data based on the law, and may be shared with organizations and private institutions. It is processed and stored to comply with other information retention, reporting, and notification obligations stipulated by legislation and other authorities.

Data Categories: Examples
Identity Data: Name, surname, date of birth, gender, credit card No., Validity Period
Contact Data: Workplace address, email, telephone, mobile phone
Personal Data: Company Name, title
Transaction Security: Username, password, IP address, CVC, internet access logs
Financial Data: IBAN
Special categories of personal data: Wet signature
Visual and Auditory Data: Photographs, video images and audio data processed when you participate in events organized by BSC GMBH

If you consent, your Personal Data may be shared with relevant companies in Turkey and/or abroad for the purpose of carrying out customer processes, providing services, and sending mass emails for campaigns, provided that they have taken security measures in accordance with the legislation. All personal data collected and processed will be stored for 10 (ten) years during your customer period and after your customer period ends. In this context, personal data processed based on your explicit consent will be processed for the purposes and methods specified and for the periods specified, unless you withdraw your explicit consent, and will be kept in accordance with the Law. In addition, in the event of any dispute that may arise between BSC GMBH and other parties, your personal data may be stored for a limited period (for the duration of the statute of limitations determined in accordance with the legislation) in order to enable the necessary defenses to be carried out within the scope of the dispute.

Processing of Employees’ Personal Data

Your personal data may be shared with public institutions and organizations and private institutions authorized to transfer data based on the law, in order to ensure the performance of the employment contract, to fulfill the requirements within the scope of laws and regulations, to ensure and manage security within BSC GMBH, to conduct business, to implement policies, to provide fringe benefits and advantages for BSC GMBH employees, to fulfill our legal obligations, and to implement BSC GMBH policies. It is processed and stored to comply with other data retention, reporting, and notification obligations stipulated by legislation and other authorities.

Data Categories: Examples
Identity Data: Name, surname, maiden surname, date of birth, country of birth, city of birth, place of birth, gender, marital status, nationality, Turkish Republic Identity Number, serial number, wallet number, father’s name, mother’s name, province, district, neighborhood, volume number, family sequence number, sequence number, household number, page number, record number, place of issue, reason for issue, date of issue, validity period, photograph, signature, issuing authority information, document number, license number, class
Contact Data: Internal company contact information (internal phone number, corporate email address, corporate mobile phone), workplace address, home address, email, phone, mobile phone, residence, address registration system records
Family and Relative Data: Number of children, information on dependents, information on relatives to be contacted in case of emergency (name, surname, phone number, mobile phone number, email, address), name, surname and Turkish Republic Identity Number of family members (spouse, mother, father, children and siblings), gender, date of birth, workplace/occupation/title, education status, phone number, mobile phone number, email, address, date of birth, nationality, serial number, family sequence number, volume number, registration number, province/district/village/neighborhood of registration, place of issue, reason for issue, date of issue, religious affiliation, blood type, signature, issuing authority
Financial Data: Financial and salary details, number of working days, leave seniority base date, leave seniority additional days, exit/return date, days, total monthly working hours, severance pay base date, severance pay additional days, payrolls, bonus entitlements, bonus amounts, file and debt information related to enforcement proceedings, bank account statement, IBAN, minimum living allowance information, BES deduction
Education, Work and Professional Life Data: Employment entry document records, resume information, work history, employer name, reference data (name and surname, phone number, mobile number, title, email address), educational information (diplomas and certificates), professional skills, work permit, military service status certificate, computer skills and level, education/course/seminar/certificate information, foreign language skills and level, awards/achievements received, performance evaluation reports, appointment/promotion/transfer information, written defense and disciplinary penalty information, employment entry document records, username and password for accessing company systems/equipment, IP address, internet access logs, entry/exit logs, projects worked on, business travel information, authority and other responsibilities as a company official/representative/employee/intern, reason for leave, address/phone number where the employee will be on leave, information provided as a foreign national employee (work permit exemption confirmation document, work visa, residence permit), BES exit permit, passport, visas, certificates.
Special categories of personal data: Former convict status/criminal record, judicial record information, biometric photograph, wet signature, religion, disability status/description/percentage, health data, blood type, medical reports, on-the-job training, health report, chest X-ray, hearing test, eye test, pre-employment and periodic examination forms signed by the workplace physician, pregnancy status, pregnancy report, health and maternity leave information, examination results, other health data (blood, urine, respiratory function, hearing function tests and related reports)
Visual and Auditory Data: Photographs, video images and audio data processed when you participate in events organized by BSC GMBH
Other: Smoking and alcohol use status, vehicle license plate, copy of vehicle registration certificate, vehicle mileage information, vehicle location, traffic fine inquiry result, shoe size, clothing size, height, weight, employee daily activity data

Your personal data may be shared with relevant companies in Turkey and/or abroad for communication and travel organization purposes during overseas travel and assignments, provided that they have taken security measures in accordance with the legislation. All personal data collected and processed about you during your employment period will be transferred to your personnel file and will be stored for 10 (ten) years after the termination of the employment contract, subject to the retention periods within the scope of personnel information. In this context, personal data processed based on your explicit consent will be processed for the specified purposes and methods and for the specified periods, and will be kept in accordance with the Law, unless you withdraw your explicit consent. In addition, in the event of any dispute that may arise between BSC GMBH and other parties, your personal data may be stored for a limited period (for the duration of the statute of limitations determined in accordance with the legislation) to enable the necessary defenses to be carried out within the scope of the dispute. After the expiration of this period, your personal data will be deleted, destroyed, and/or anonymized by BSC GMBH or upon your request, using methods within the scope of the Personal Data Protection Law and related regulations.

Processing of Personal Data of Job Applicants

In addition to the personal data categories listed above, we collect personal data such as the applicant’s school of graduation, previous work experience, disability status, etc., to understand the applicant’s experience and qualifications, to evaluate their suitability for the open position, to verify the accuracy of the information provided if necessary, to conduct research on the applicant by contacting third parties whose contact information the applicant has provided, to contact the applicant regarding the job application process, to ensure suitable recruitment for the open position, to ensure compliance with legal regulations, and to implement BSC GMBH’s recruitment rules and human resources policies. Job applicants’ personal data is processed through job application forms in written and electronic formats, applications submitted physically or via email, interviews conducted by employment and consultancy companies, face-to-face or electronic interviews, checks conducted on the applicant, and recruitment tests conducted by human resources specialists to evaluate the applicant’s suitability during the recruitment process. Before submitting their personal data when applying for a job, job applicants are informed in detail in a separate document in accordance with the KVKK (Personal Data Protection Law) and their explicit consent is obtained for the necessary personal data processing activities.

Data Categories: Examples
Identity Data: Name, surname, maiden surname (before marriage), date of birth, country of birth, city of birth, place of birth, gender, marital status, nationality, Turkish Republic Identity Number, serial number, wallet number, father’s name, mother’s name, province, district, neighborhood, volume number, family sequence number, sequence number, household number, page number, record number, place of issue, reason for issue, date of issue, validity period, photograph, signature, issuing authority information, document number, license number, class
Contact Data: home address, work address, email, telephone, mobile phone, residence, address registration system records
Family and Relative Data: number of children
Financial Data: IBAN
Education, Work and Professional Life Data: resume information, work history, employer name, reference data (name and surname, telephone number, mobile phone, address, title, email address), education information (diplomas and certificates), professional skills, work permit, military service status certificate, computer usage knowledge and level, education/course/seminar/certificate information, foreign language knowledge and level, award/achievement information received, performance evaluation reports
Special categories of personal data: Status of being a former convict/criminal record, judicial record information, file and debt information regarding enforcement proceedings, ongoing court information, wet signature, religion, blood type, health status
Visual and Auditory Data: Photographs, video images and audio data processed when you participate in events organized by BSC GMBH
Other: Smoking and alcohol use status, shoe size, clothing size, height, weight, ability to work in another city or in BSC GMBH companies, ability to travel, start date of employment

Processing of Visitors’ Personal Data in Our Offices and Stores

BSC GMBH processes the personal data of visitors to its offices, warehouses, and stores during entry and exit procedures for the purposes of ensuring the physical security of our employees, visitors, and customers, and monitoring workplace rules. Camera recordings are kept in BSC GMBH offices for security purposes. BSC GMBH does not process personal data such as name, surname, and Turkish Republic identity number within this scope. Visitors are informed about the processing of their personal data through an information text located at the security entrance. However, since BSC GMBH has a legitimate interest in this matter, explicit consent from the visitor is not obtained in accordance with Article 5/2/f of the Personal Data Protection Law. This data is not transferred to another medium unless there is a situation that creates suspicion threatening BSC GMBH’s security. However, this information may be used in situations such as crime prevention and ensuring BSC GMBH’s security. In addition, to ensure security and for the purposes stated in this “Policy Document,” internet access is provided to visitors who request it during their stay in the building and office. In this case, log records related to your internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation regulated thereunder; these records are processed only when requested by authorized public institutions and organizations or to fulfill our relevant legal obligations during audit processes carried out within BSC GMBH. Only BSC GMBH management has access to the log records obtained within this framework. BSC GMBH employees who have access to these records access them only for use in response to requests from authorized public institutions and organizations or during audit processes, and share them with legally authorized persons. 
Processing Personal Data Through Closed-Circuit Camera Recordings: Security cameras are used by BSC GMBH to ensure the security of our facility, and personal data is processed through this method. Within the scope of security camera monitoring activities, BSC GMBH uses these cameras to improve the quality of the service provided and to ensure the safety of life and property of BSC GMBH’s physical premises and the people within BSC GMBH. The purposes of these activities include preventing abuses and protecting the legitimate interests of data owners. BSC GMBH’s personal data processing activities using security cameras are carried out in accordance with the Constitution, the Personal Data Protection Law (KVKK), Law No. 5188 on Private Security Services, and related legislation. In accordance with Article 4 of the KVKK, BSC GMBH processes personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed. Data owners are not subjected to monitoring in a way that could result in an intrusion into their privacy beyond the scope of security purposes. In this context, warning signs are placed in common areas where CCTV recordings are made to inform data owners. However, explicit consent is not obtained from data owners because BSC GMBH has a legitimate interest in maintaining CCTV recordings. Furthermore, in accordance with Article 12 of the KVKK, necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of CCTV monitoring activities. In addition, a procedure has been prepared and implemented regarding areas with CCTV cameras, the monitoring areas of the cameras, and the recording retention periods. This procedure is considered before installing CCTV cameras, and the cameras are installed accordingly. Data owners are not subjected to monitoring that could result in an intrusion into their privacy beyond the scope of security purposes.
Camera installations that exceed the limits of privacy are not permitted. Only a limited number of BSC GMBH personnel have access to CCTV camera footage, and these access rights are regularly reviewed. Personnel with access to these recordings sign a commitment to protect personal data in accordance with the law. Security cameras located outside the building, at the entrance, in warehouses, and in stores within BSC GMBH record footage for the purpose of ensuring BSC GMBH’s external and internal security, and this recording process is supervised by BSC GMBH’s senior management.

Purposes of Using Personal Data

Our purposes for using your personal data vary depending on the type of business relationship between us (e.g., customer, supplier, business partner, etc.). Our primary purposes for processing your personal data are listed below:

To manage job/internship application processes.
To fulfill employment contract, personnel rights, and legal obligations for employees.
To manage employee candidate/intern/student selection and placement processes.
To provide employee health services.
To manage the Human Resources process.
To conduct information activities. To conduct.
To ensure corporate communication.
To ensure the security of BSC GMBH’s physical and work environments.
To conduct statistical studies.
To perform tasks and transactions as a result of signed contracts and protocols.
To carry out commercial/business-related activities as determined by laws and regulations.
Appendix:

Managing Customer Relations processes.
Managing Supply Chain processes.
Managing Finance and Accounting transactions.
Managing Management processes.
Conducting Promotion and Organization activities.
Ensuring the fulfillment of legal obligations as required or mandated by legal regulations.
Maintaining contact with individuals/legal entities with whom the organization has a business relationship.
Preparing legal reports.
Conducting social responsibility and civil society activities.
Managing contract processes.
Conducting sponsorship activities.
Proof of evidence in future legal disputes.
Conducting Marketing Analysis studies.
Conducting Advertising/Campaign/Promotion activities.
Managing Product/Service processes.
Conducting Logistics activities.
Conducting Product/Service Marketing processes.
Conducting activities in line with legitimate and clear objectives.
Conducting Audit/Ethics activities.
Conducting Petition Application activities.
Managing assignment processes.
Managing the process of following up on requests/complaints.
Managing the processes of creating visitor records.
Managing document registration activities.
For example, personal data processing activities related to job applicants are explained under the “Processing Personal Data of Job Applicants” section above. Similar examples are given below.

Examples of Our Purposes for Personal Data Processing
Employee Processing: Fulfilling obligations arising from employment contracts and legislation for BSC GMBH employees, performance evaluation, fringe benefits and advantages, training, access rights, compensation and talent/career development activities.
Establishing and managing customer relations: Conducting business and transactions within the scope of services to be provided and/or orders to be delivered, conducting activities aimed at customer satisfaction, product/service promotion, follow-up of requests/complaints, e-commerce, marketing analysis studies and conducting advertising/campaign/promotion activities.
Managing and finalizing the contract process with our suppliers/business partners: Conducting business and transactions to be carried out with suppliers/business partners, organizing promotions and meetings, performing services offered by BSC GMBH, supplying goods, invoicing, establishing and fulfilling contracts, ensuring legal security after contracts, ensuring the shipment of goods and samples, managing logistics processes, developing products and services, evaluating new technologies and applications, determining and implementing commercial and business strategies, managing operations (request, offer, evaluation, Organization of business processes as a result of product/service quality processes and operations (ordering, budgeting, contracting), internal BSC GMBH system and application management operations, financial operations, management of financial affairs, procurement of goods and services, management of the registration process for website applications
Execution of direct promotion and training processes: Making promotional and marketing notifications about our services via email and telephone, conducting satisfaction surveys, evaluating and responding to opinions, complaints and comments you make through social media, online platforms or other channels, informing our customers about BSC GMBH innovations, making promotions, conducting campaign activities, designing special promotional activities for customer profiles and conducting advertising, promotion and marketing activities to prevent the transmission of unwanted emails through customer “classification” and personal information
Communication and support (upon your request): Responding to requests for information about our services, providing support for requests received through our communication channels, updating our records and database
Compliance with legal obligations: Law No. 5651 and other legislation, Law No. 6563 on Electronic Commerce The fulfillment of our legal obligations arising from the relevant legislation, primarily the Law on the Regulation of the Data Protection Act and other legislation, the Turkish Penal Code No. 5237 and the Law on the Protection of Personal Data No. 6698, the execution of processes with official institutions, primarily the Ministry of Labor of the Republic of Turkey, the preparation of capacity reports arising from activities, record keeping and information obligations, compliance and auditing, audits and inspections by official authorities, the follow-up and conclusion of our legal rights and lawsuits, the execution of necessary processes within the scope of compliance, ensuring the fulfillment of legal obligations specified in the Data Protection Act as required or mandated by regulatory and supervisory institutions and legal regulations, within the scope of the determined requirements and obligations,
the protection and security of BSC GMBH’s interests, the execution of necessary audit activities to protect BSC GMBH’s interests and benefits, the umbrella of interests. The company’s activities include: conducting controls, ensuring the legal and commercial security of individuals in business relationships, taking technical and administrative security measures, carrying out necessary studies to improve the services we provide, implementing and monitoring workplace rules, managing work and quality processes, planning and executing social responsibility activities, protecting its reputation and the trust it has built, reporting all incidents, accidents, complaints, losses, thefts, etc. occurring within the facility and building, taking necessary action and precautions, conveying the rules to be followed for hazardous situations that may arise during maintenance and repair, measuring the professional competence of subcontractors, ensuring the order of entry and exit of company employees and obtaining necessary information for security purposes, conducting our necessary quality and standard audits, or fulfilling our reporting obligations determined by laws and regulations, etc.
Planning and executing BSC GMBH’s commercial activities: Budgeting, determining, planning and implementing short, medium and long-term commercial policies, determining and implementing commercial and business strategies; BSC GMBH’s activities include communication, market research, purchasing, and social responsibility activities.
Reporting and auditing: Conducting internal audits, external audits, and reporting processes for BSC GMBH’s activities.
Protection of rights and interests: Defending against legal claims such as lawsuits and investigations filed against BSC GMBH.
Use of Personal Data for Campaign and Promotion Purposes

Since campaign and promotion activities are not considered within the scope of the exceptions regulated in Articles 5/2 and 6/3 of the KVKK (Personal Data Protection Law), we generally always obtain your consent to process your personal data within the scope of campaign and promotion activities. BSC GMBH may send you promotional communications about products, services, and campaigns at regular intervals. These promotional communications may be sent to you through different channels such as email, telephone, SMS text messages, and BSC GMBH’s corporate social networks. Based on your consent, we may conduct promotional activities for the purpose of offering opportunities related to our services, conducting studies, creating new product and service models, and providing information about them. Where applicable legislation requires, we will request your consent before commencing the above activities. You will also have the option to withdraw (stop) your consent at any time. Specifically, you can always stop receiving promotional and training notifications by following the unsubscribe instructions included in each email and SMS message. You can always contact us to stop receiving communications about campaigns and promotions (you can find contact details in the “What Are Your Rights Regarding Your Personal Data?” section below).

Legal Grounds for Processing Personal Data

We process your personal data primarily under the following legal grounds stipulated in Article 5 of the KVKK (Personal Data Protection Law), including the Turkish Commercial Code, the Turkish Code of Obligations, the Tax Procedure Law, and electronic commerce legislation:

Examples of Legal Grounds

We process your data based on your explicit consent in cases where we are required to obtain it under the KVKK and other legislation (we would like to remind you that you can withdraw your consent at any time in this case). We obtain your consent to conduct our sales, marketing, and promotional activities.
Including the name of the relevant person on the invoice in accordance with Article 230 of the Tax Procedure Law in any situation permitted by applicable legislation
Providing the health information of an employee who has fainted to a doctor when there is a necessity to protect the vital interests of any person
Obtaining the supplier’s bank account information within the scope of the contractual relationship with the supplier in situations where we need to establish a contract with you, perform the contract and fulfill our obligations within the scope of a contract
Fulfilling our legal obligations, fulfilling tax obligations, providing information requested by a court order to the court
Using the personal data you have made public within the scope of the purpose for which it was made public, such as sending us an email to contact you, a job applicant writing their contact information on the website where job applications are collected, or through social media channels
Processing data when it is necessary for the establishment or protection of a right, exercising our legal rights and defending against legal claims filed against us, storing and using documents that are of an evidentiary/proof nature when necessary
Using our communication networks and information in situations required by our legitimate interests, provided that it does not harm your fundamental rights and freedoms. To ensure the security of our data, to conduct BSC GMBH’s activities, to detect suspicious transactions and to conduct research in order to comply with our risk rules, to utilize storage, hosting, maintenance, and support services for the provision of IT services in terms of technical and security, and to utilize cloud technology to ensure the efficiency of BSC GMBH’s activities and to benefit from the possibilities of technology.
We would like to emphasize that in cases where your Personal Data is processed with your explicit consent, if you withdraw this explicit consent, you will be removed from the application program where the processing based on said explicit consent is necessary, and you will no longer be able to benefit from the advantages you have enjoyed thanks to said processing as of the relevant date.

Sharing Personal Data

Transfer of Personal Data Within Turkey

BSC GMBH is responsible for acting in accordance with the provisions of the KVKK (Personal Data Protection Law), primarily Article 8, and the decisions and relevant regulations taken by the Board regarding the transfer of personal data. As a rule, personal data and special categories of data belonging to data subjects cannot be transferred to other natural persons or legal entities without the explicit consent of the data subject. Furthermore, data transfer is possible without the consent of the data subject in the situations stipulated in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data). BSC GMBH may transfer personal data to third parties located in Turkey and to units under the BSC GMBH umbrella in accordance with the conditions stipulated in the KVKK and other relevant legislation, and by taking the security measures specified in the legislation; (if there is an existing signed contract with the data subject, this must be stated in the contract) unless otherwise stipulated in the Law or other relevant legislation.

Transfer of Personal Data Abroad

BSC GMBH may transfer personal data to third parties in Turkey, as well as to be processed in Turkey or processed and stored outside of Turkey, including outsourcing, in accordance with the conditions stipulated in the Law and other relevant legislation, and by taking the security measures specified in the legislation. To ensure the most efficient operation of our activities and to take advantage of technological possibilities, BSC GMBH transfers your personal data abroad using cloud computing technology, taking the necessary technical and administrative measures. In accordance with Article 9 of the Personal Data Protection Law (KVKK), as a rule, we require the explicit consent of data subjects for the transfer of personal data abroad. However, in accordance with Article 9 of the KVKK, if one of the conditions stipulated in Article 5/2 or Article 6/3 of the KVKK exists and the foreign country to which the personal data will be transferred has adequate protection, or, if adequate protection does not exist, data controllers in Turkey and the relevant foreign country provide a written commitment to adequate protection and obtain the permission of the Board, then data transfer abroad can be made without the explicit consent of the data subject.
Accordingly, in the exceptional cases where explicit consent is not required for the transfer of personal data as mentioned above, in addition to the conditions for processing and transfer without consent, the condition of adequate protection in the country to which the data will be transferred in accordance with the KVKK is required. The Personal Data Protection Board will determine whether adequate protection is provided; if adequate protection does not exist, both the data controllers in Turkey and the relevant foreign country must provide a written commitment to adequate protection and obtain the permission of the Personal Data Protection Board.
Parties with Whom We Share Data Domestically and Internationally

We only share your personal data for the purposes listed below, when necessary. We take special care not to share your personal data outside of these circumstances. The parties with whom we share personal data are listed below:

Service providers and business partners: This defines the parties with whom BSC GMBH establishes business partnerships for purposes such as providing products/services, promoting and campaigning for its products/services, etc., while conducting its business and services. Like many businesses, we may work with reliable third parties such as information and communication technology providers, financial and accounting service providers, consulting service providers, shipping companies, and travel agencies to ensure that functions and services are carried out in the most efficient way and in accordance with current technologies within the scope of some data processing activities, and we may share data with them to carry out our activities. This sharing is limited to ensuring the fulfillment of the purposes of establishing and performing the business partnership. In order to carry out its activities in the most efficient way and to benefit from the possibilities of technology to the maximum extent, BSC GMBH may process your personal data domestically and internationally through companies that provide services to foreign-based application software companies. The marketing services support company we share information with may be based abroad, and in this context, pursuant to Articles 8 and 9 of the Turkish Personal Data Protection Law (KVKK), data sharing with foreign countries is carried out in accordance with the provisions regarding data sharing abroad.
Official authorities: In cases required by law or when we need to protect our rights, we may share your personal data with relevant official, judicial and administrative authorities (Examples: Social Security Institution, tax offices, law enforcement agencies, courts and enforcement offices).
Private legal entities: Personal data may be shared with private legal entities authorized to obtain information and documents in accordance with the relevant legislation, within the scope of their legal authority and limited to the purpose requested (Example: Occupational Health and Safety Company).
Professional consultants: We may share your personal data with professional consultants such as banks, insurance companies, auditors, lawyers, financial advisors and other consultants.
Other parties connected with corporate transactions: We may occasionally share your personal data that BSC GMBH possesses due to legal proceedings carried out by BSC GMBH and uses for the execution of corporate transactions.
Our Policy Regarding Cookies and Social Plugins

A cookie is a small text file necessary for a website to recognize you later. This text file is unique to you and can only be read by the web server that defined this code. It is absolutely not a virus. It saves you time and, if you are registered, automatically remembers your answers on subsequent logins. In general, a “cookie” is the name given to information sent to and stored on a user’s computer by an internet service provider. The information contained in cookies can be used when the user returns to the website. Cookies can contain various information, including how many times the user has visited the site. By using individual session cookies for each user, we can track how you use the site during a single session. Thanks to cookies, we can determine which browser you are using and offer you certain special services. In general, BSC GMBH uses cookies on our site for various purposes and processes your personal data through these cookies. These purposes mainly include:

Performing the basic functions necessary for the operation of the Site
Analyzing the Site and improving the Site’s performance. For example, integrating different servers on which the Site operates, determining the number of visitors to the Site and adjusting performance settings accordingly, or making it easier for visitors to find what they are looking for.
To increase the functionality and ease of use of the Site. For example, sharing content from the Site to third-party social media platforms, remembering the username or search queries of a visitor on their next visit.
For more information about how we use cookies and other tracking technologies, please read our BSC GMBH Cookie Policy at BSC GMBH.com.tr.

Personal Data Retention Period

We retain your personal data only for the period necessary to fulfill the purpose for which it was collected. We determine these periods separately for each business process, and at the end of the relevant periods, if there is no other reason why we need to retain your personal data, we destroy your personal data in accordance with the KVKK (Personal Data Protection Law). When determining the deletion periods for your personal data, we consider the following criteria:

The period generally accepted as a matter of custom in the sector in which the data controller operates, within the scope of the processing purpose of the relevant data category;
The period during which the legal relationship established with the data subject, necessitating the processing of the personal data in the relevant data category, will continue;
The period during which the legitimate interest that the data controller will obtain, depending on the processing purpose of the relevant data category, will be valid in accordance with the law and principles of good faith;
The period during which the risks, costs, and liabilities arising from the retention of the relevant data category, depending on the processing purpose, will legally continue;
Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up-to-date when necessary;
The period during which the data controller is legally obliged to retain the personal data in the relevant data category;
The statute of limitations determined by the data controller for asserting a right related to the personal data in the relevant data category.

Destruction of Personal Data

In accordance with Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data, even if processed in accordance with the relevant legal provisions, shall be deleted, destroyed, or anonymized at the discretion of the data subject or upon their request, if the reasons requiring its processing cease to exist. In this context, a Personal Data Storage and Destruction Policy has been prepared. BSC GMBH reserves the right to retain personal data in accordance with the relevant legislation. BSC GMBH reserves the right to refuse the data owner’s request in cases where it has an obligation to do so. When personal data is processed non-automatically, provided it is part of a data recording system, a system is applied to physically destroy the personal data so that it cannot be used later. When BSC GMBH contracts with an individual or organization to process personal data on its behalf, the personal data is securely deleted by these individuals or organizations in a way that prevents its recovery. BSC GMBH may anonymize personal data when the reasons requiring the processing of legally processed personal data cease to exist.

Protection of Personal Data

To protect your personal data and prevent unlawful access, BSC GMBH takes the necessary administrative and technical measures in accordance with the Personal Data Security Guide published by the Personal Data Protection Authority (KVKK). BSC GMBH establishes procedures within its organization, prepares information and explicit consent texts, and conducts audits to ensure the implementation of KVKK provisions in accordance with Article 12/3 of the KVKK, or outsources these audits. The results of this audit are evaluated within BSC GMBH’s internal operations, and necessary activities are carried out to improve the measures taken. Your personal data and/or that of our suppliers may be transferred to physical archives and information systems and kept under safekeeping in both digital and physical environments. The technical and administrative measures taken to ensure the security of personal data are explained in detail below under two headings:

Technical Measures

We use generally accepted standard technologies and operational security methods, including the standard technology called Secure Socket Layer (SSL), to protect the collected personal information. However, due to the nature of the Internet, unauthorized persons can access information over networks without the necessary security measures. Depending on the current state of technology, the cost of technological implementation, and the nature of the data to be protected, we take technical and administrative measures to protect your data from risks such as destruction, loss, falsification, unauthorized disclosure, or unauthorized access. In this context, we conclude data security agreements with the service providers we work with.

Cybersecurity: We use cybersecurity products to ensure the security of personal data, but our technical measures are not limited to this. Measures such as firewalls and gateways form the first line of defense against attacks from environments like the internet. Furthermore, almost all software and hardware undergoes a series of installation and configuration processes. Considering that some widely used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from devices. Therefore, deleting unused software and services is preferred over keeping them updated due to its ease of use. Patch management and software updates ensure that software and hardware function properly and that the security measures taken for the systems are regularly checked.
Access Restrictions: Access permissions to systems containing personal data are restricted and regularly reviewed. In this context, employees are granted access permissions only to the extent necessary for their work, tasks, authority, and responsibilities, and access to the relevant systems is provided using usernames and passwords. When creating passwords, combinations of uppercase and lowercase letters, numbers, and symbols are preferred over easily guessable sequences of numbers or letters associated with personal information. A Password Policy has been prepared and its use has become widespread. Accordingly, an access authorization and control matrix is created. Responsibility matrices have also been prepared on a unit basis. In addition to the use of strong passwords, access is restricted by limiting the number of password entry attempts to protect against attacks, ensuring that passwords are changed at regular intervals, opening administrator accounts and administrator privileges only when necessary, and immediately deleting accounts or closing access for employees whose relationship with the data controller has been terminated.
Antivirus Software: To protect against malicious software, antivirus and antispam products that regularly scan the information system network and detect threats are used, and these are kept up-to-date, and necessary files are scanned regularly. If personal data is to be obtained from different websites and/or mobile application channels, the connection…

Antivirus Software: To protect against malicious software, antivirus and antispam products that regularly scan the information system network and detect threats are used; these are kept up to date, and necessary files are scanned regularly. If personal data is to be obtained from different websites and/or mobile application channels, the connection…
All activities carried out have been analyzed in detail for each business unit, and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified, and necessary legal and technical measures are continuously taken. (For example, documents required under the Personal Data Protection Law are prepared taking into account the risks in this inventory.) Personal data processing activities carried out by BSC GMBH are monitored through information security systems, technical systems, and legal methods. Policies and procedures regarding personal data security are determined, and regular checks are carried out within this scope. BSC GMBH may occasionally use external service providers to meet its information technology needs. In such cases, it is ensured that the external service providers provide at least the security measures provided by the data processor. A written contract is then signed with the Data Processor, and this contract includes at least the following points:

The Data Processor shall act only in accordance with the instructions of the Data Controller, in line with the data processing purposes and scope specified in the contract, and in compliance with the KVKK (Personal Data Protection Law) and other relevant legislation;
The Data Processor shall act in accordance with the Personal Data Storage and Destruction Policy;
The Data Processor shall be subject to an indefinite confidentiality obligation regarding the personal data it processes;
In the event of any data breach, the Data Processor shall be obliged to immediately notify the Data Controller;
The Data Processor shall conduct or have conducted the necessary audits on its systems containing personal data, and may examine the reports resulting from the audit and the service provider company on-site;
The Data Processor shall take the necessary technical and administrative measures for the security of personal data;
The categories and types of personal data transferred to the Data Processor shall also be specified in a separate clause, as far as the nature of the relationship between the Data Processor and BSC GMBH allows.

As emphasized in the Institution’s guidelines and publications, personal data is minimized as much as possible within the framework of the data minimization principle, and unnecessary, outdated, and non-purposeful personal data is not collected. If collected before the KVKK (Personal Data Protection Law), it is destroyed in accordance with BSC GMBH’s Personal Data Storage and Destruction Policy.
Expert personnel are employed in technical matters.
The Institution has established provisions regarding confidentiality and data security in the Seafarer/Service/Employment Contracts to be signed during the recruitment process of its employees and requires employees to comply with these provisions. Employees are regularly informed and trained on personal data protection law and the necessary measures to be taken in accordance with this law. The roles and responsibilities of employees have been reviewed and job descriptions revised within this scope.
Technical measures are taken in line with technological developments, and these measures are periodically checked, updated, and renewed.
Access permissions are restricted, and permissions are regularly reviewed. The technical measures taken are regularly reported to the relevant authority, and issues posing risks are reviewed and efforts are made to produce the necessary technological solutions.
Software and hardware including virus protection systems and firewalls are installed.
Backup programs are used to ensure the secure storage of personal data.
Security systems are used for storage areas, the technical measures taken are periodically reported to the relevant authority as required by internal controls, issues posing risks are re-evaluated, and necessary technological solutions are produced. Files/outputs stored in physical environments are stored through the supplier companies we work with and subsequently destroyed in accordance with the determined procedures.
The issue of Personal Data Protection is also embraced by senior management, and a special Committee (PDP Committee) has been established and has started its work on this issue. A management policy regulating the working rules of the BSC GMBH PDP Committee has been implemented within BSC GMBH, and the duties of the PDP Committee have been explained in detail.

Protection of Special Categories of Personal Data

A separate policy has been prepared and implemented regarding the processing and protection of special categories of personal data. Article 6 of the KVKK (Law on Protection of Personal Data) stipulates that data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are classified as special categories of personal data because their unlawful processing carries the risk of causing harm or discrimination to individuals, and therefore their processing is subject to more sensitive protection. BSC GMBH, in accordance with Article 10 of the KVKK, processes special categories of personal data…
BSC GMBH informs the Data Subjects during the process of obtaining their information. Special categories of personal data are processed in accordance with the KVKK (Personal Data Protection Law) by taking appropriate measures and conducting/having conducted the necessary audits. As a rule, another condition for processing special categories of personal data is the explicit consent of the data subject. Data subjects are given the opportunity to give their explicit consent freely and based on informed knowledge regarding a specific matter. As a rule, BSC GMBH obtains the explicit consent of the Data Subjects in writing for the processing of special categories of personal data. However, in accordance with Article 6/3 of the KVKK, the explicit consent of the Data Subject is not required if any of the conditions specified in Article 5/2 of the KVKK exist.
In addition, Article 6/3 of the KVKK stipulates that personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality without seeking the explicit consent of the data subject, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Regardless of the reason, general data processing principles are always taken into account in the processing processes, and compliance with these principles is ensured. BSC GMBH takes special measures to ensure the security of sensitive personal data. In accordance with the principle of data minimization, sensitive personal data is not collected unless it is necessary for the relevant business process and is only processed when necessary. In cases where sensitive personal data is processed, the necessary technical and administrative measures are taken to comply with legal obligations and the measures determined by the Personal Data Protection Board.

Data Subject Rights

In accordance with Article 11 of the KVKK (Law on Protection of Personal Data), as data subjects, you have the following rights regarding your personal data:

To learn whether your personal data is being processed,
To request information regarding the processing of your personal data if it has been processed,
To learn the purpose of the processing of your personal data and whether it is being used in accordance with its purpose,
To know the third parties to whom your personal data has been transferred, domestically or abroad,
To request the correction of your personal data if it is incomplete or inaccurate, and to request that the correction be notified to the third parties to whom your personal data has been transferred,
To request the deletion or destruction of your personal data if the reasons requiring its processing have ceased to exist, even if it has been processed in accordance with the KVKK and other relevant laws, and to request that the third parties to whom your personal data has been transferred be notified of this action,
To object to a result that is detrimental to you arising from the analysis of processed data exclusively through automated systems,
To demand compensation if you have suffered damage due to the unlawful processing of your personal data.

You can submit your requests to the relevant BSC GMBH unit free of charge using the following methods, in accordance with the Application Notice:

Filling out the form available at BSC GMBH.com.tr, signing it with a wet signature, and delivering it in person to Ahlatlıbel Mah. Şehit Savcı Mehmet Selim Kiraz Bulvarı No:88/ Çankaya/Ankara (please note that you will need to present your ID).
Sending the form available at BSC GMBH.com.tr, signing it with a wet signature, via a notary public to Ahlatlıbel Mah. Şehit Savcı Mehmet Selim Kiraz Bulvarı No:88/ Çankaya/Ankara.
Submitting it in writing to the BSC GMBH corporate unit using the e-mail address you previously provided and registered in the BSC GMBH system.

You can access the relevant Information Request Form via this link. The application must include: Name, surname, and signature (if the application is in writing), and for Turkish citizens, Turkish Republic Identity Number (T.C. Kimlik No.). The following information is mandatory for the application: Identity Number, for foreigners their nationality, passport number or identity number if available, residential or business address for notification purposes, email address for notification purposes if available, telephone and fax numbers, and the subject of the request. Information and documents related to the subject must also be attached to the application.
It is not possible for third parties to make requests on behalf of personal data owners. For a person other than the personal data owner to make a request, a copy of a special power of attorney, signed and notarized by the personal data owner and issued in the name of the person making the request, must be provided. In your application to exercise your rights as a personal data owner, as stated above, which includes your explanation of the right you wish to exercise, the following are required: the matter you are requesting must be clear and understandable; the matter you are requesting must relate to you personally, or if you are acting on behalf of someone else, you must be specifically authorized to do so and provide documentation of your authorization; the application must include your identity and address information; and documents verifying your identity must be attached to the application.
If the personal data owner submits their request in accordance with the prescribed procedure, BSC GMBH will process the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
However, if the process requires additional costs, BSC GMBH will charge the applicant a fee according to the tariff determined by the Personal Data Protection Board. BSC GMBH may request information from the relevant person to determine whether the applicant is the personal data owner. BSC GMBH may ask the personal data owner questions regarding their application to clarify the matters included in the application. In accordance with Article 14 of the Personal Data Protection Law, if your application is rejected by BSC GMBH, if you find our answer insufficient, or if we do not respond to your application within the specified time, you may file a complaint with the Personal Data Protection Board within thirty days from the date you learn of BSC GMBH’s answer, and in any case within sixty days from the date of your application.

Situations Where Data Subjects Cannot Assert Rights

In accordance with Article 28 of the KVKK (Law on Protection of Personal Data), data subjects cannot assert their rights in the following cases, as these situations are excluded from the scope of the KVKK:

Processing of personal data for purposes such as research, planning, and statistics through official statistics and anonymization.
Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitute a crime.
Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or execution proceedings.

In accordance with Article 28/2 of the KVKK, except for the right to claim compensation for damages, personal data owners cannot exercise their other rights in the following cases:

When the processing of personal data is necessary for the prevention of crime or for criminal investigation.
When the processing of personal data is based on personal data made public by the data owner themselves.
When the processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized and competent public institutions and organizations, and professional organizations with the status of public institutions, based on the authority granted by law.
When the processing of personal data is necessary for the protection of the State’s economic and financial interests in relation to budget, tax, and financial matters.

Other Considerations

As explained in detail above, your personal data may be stored and maintained, classified for market research, financial and operational processes, and sales, marketing, and promotional activities; updated at different intervals; and, to the extent permitted by legislation, transferred to third parties and/or suppliers and/or service providers and/or our foreign shareholders as required by the service, in accordance with our policies and for reasons foreseen by other authorities; information may be transferred, stored, processed by reporting, and records and documents may be prepared in electronic or paper form to serve as the basis for processing.
In case of any inconsistency between the provisions of the Personal Data Protection Law (KVKK) and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation shall apply first. This Policy, prepared by BSC GMBH, has entered into force in accordance with the decision taken by the BSC GMBH Board of Directors. We would like to remind you that we may make updates to this notice due to changes in legislation and BSC GMBH policies that may occur over time. We will publish the most up-to-date version of this Notice on our website.
The User(s) irrevocably accept, declare, and undertake that before accessing the website, they have read this Personal Data Protection and Processing Policy, that they will comply with all matters stated herein, and that the content on the website and all related electronic media and computer records will be considered conclusive evidence pursuant to Article 193 of the Code of Civil Procedure.