TABLE OF CONTENTS
Personal Data Protection and Processing Policy
Definitions
In accordance with Article 20 of the Constitution of the Republic of Turkey, everyone has the right to demand the protection of personal data concerning themselves. This right includes being informed about personal data, accessing such data, requesting their correction or deletion, and learning whether they are being used for their intended purposes. The Personal Data Protection Law No. 6698 ("Law"), which was published in the Official Gazette on April 7, 2016, regulates the protection of fundamental rights and freedoms in the processing of personal data and outlines the obligations and procedures that real and legal persons who process personal data must comply with. The aim of this Policy is to ensure compliance with the obligations set forth by the Law. This KOOSTAR HAVACILIK ANONİM ŞİRKETİ Personal Data Protection and Processing Policy (“Policy”) contains the declarations and explanations of KOOSTAR HAVACILIK ANONİM ŞİRKETİ ("Company") regarding the processing of personal data of individuals, including customers, visitors, suppliers, and other third parties, but excluding our employees, within the scope of the Law. Our Company reserves the right to make changes to this Policy to provide up-to-date information about our practices and legal regulations concerning the protection of personal data. In the case of substantial changes to the Policy, data subjects will be notified through various channels. Definitions related to the concepts used in this Policy, considering the personal data protection legislation, are provided below.
Explicit consent: The consent declared freely by the Data Subjects based on information about a specific subject.
Anonymization: Making personal data unidentifiable or non-attributable to an identifiable real person, even when matched with other data.
Data subject/person concerned: The real person whose personal data is processed.
Personal data: Any information related to an identifiable or identified real person.
Special categories of personal data: Data that require stricter protection under the Law and whose disclosure or loss may cause harm or discrimination against the Data Subject.
Processing of personal data: Any operation performed on personal data, such as collection, recording, storage, alteration, reorganization, disclosure, transfer, acquisition, making it available, classification, or preventing its use, either through automatic or non-automatic means as part of a data recording system.
Data recording system: A system in which personal data is processed according to specific criteria.
Data controller: The person or entity responsible for determining the purposes and means of processing personal data and managing the data recording system.
Data processor: The person or entity processing personal data on behalf of the data controller based on their authorization.
In accordance with Article 3 of the Law, any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing its use, is considered the processing of personal data. Our Company complies with the following general principles in its personal data processing activities:
Acting in compliance with the law and good faith: Our Company conducts its personal data processing activities in compliance with the Constitution, the Law, and relevant legislation, adhering to the principles of lawfulness and fairness.
Accuracy and up-to-dateness: Our Company provides Data Subjects with the means to update their personal data and takes the necessary steps to ensure the correct transfer of data to databases.
Processing for specific, clear, and legitimate purposes: Our Company limits its personal data processing activities to specific and legitimate purposes and informs Data Subjects through privacy notices regarding these purposes.
Being relevant, limited, and proportionate: Personal data is processed only to the extent necessary for the purposes stated to the Data Subjects when the data is collected.
Retention for the period stipulated by relevant legislation or required for the purpose: Personal data is stored for the period specified by law or necessary for the purpose of data processing. After this period, the data is deleted, destroyed, or anonymized in accordance with our procedures.
Conditions for Processing Personal Data
In addition to the explicit consent of the data subject, the basis for personal data processing may be one or more of the following conditions. If the data processed is of a special category, the specific conditions below will apply.
(i) The Presence of Explicit Consent of the Data SubjectOne of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given freely, based on information related to a specific subject. If the following personal data processing conditions exist, personal data may be processed without the explicit consent of the data subject.
(ii) Clearly Foreseen by LawIf the processing of the data subject's personal data is clearly stipulated by law, or if there is a clear provision regarding the processing of personal data in relevant legislation, this data processing condition shall be deemed fulfilled.
(iii) Inability to Obtain Explicit Consent Due to Actual ImpossibilityIf it is impossible to obtain the explicit consent of the data subject due to actual impossibility, or if the consent cannot be legally valid, personal data may be processed to protect the life or physical integrity of the data subject or another person.
(iv) Direct Relevance to the Establishment or Performance of a ContractIf the processing of personal data is necessary for the conclusion or performance of a contract to which the data subject is a party, this condition will be deemed fulfilled.
(v) Company’s Obligation to Fulfill a Legal ObligationIf the processing of personal data is necessary for the Company to fulfill its legal obligations, the data subject’s personal data may be processed.
(vi) Personal Data Made Public by the Data SubjectIf the data subject has made their personal data public, such data may be processed without explicit consent but within the scope of the purpose for which the data was made public.
(vii) Necessity of Data Processing for the Establishment, Exercise, or Protection of a RightIf the processing of personal data is necessary for the establishment, exercise, or protection of a right, personal data may be processed.
(viii) Necessity of Data Processing for the Legitimate Interests of the CompanyProvided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed when it is necessary for the legitimate interests of the Company.
Special categories of personal data are processed by our Company in compliance with the principles outlined in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, under the following conditions:
(i) Special categories of personal data, except for those concerning health and sexual life, may be processed without the explicit consent of the data subject if such processing is clearly stipulated by law. Otherwise, the explicit consent of the data subject will be required.
(ii) Special categories of personal data concerning health and sexual life may be processed without explicit consent for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment, and the management of healthcare services and financing, by persons or authorized institutions and organizations that are bound by confidentiality obligations. Otherwise, the explicit consent of the data subject will be required.
Our Company informs the data subjects in accordance with Article 10 of the Law and secondary legislation about who processes their personal data as the data controller, for what purposes the data is processed, to whom the data is transferred, by what methods the data is collected, the legal reasons for processing, and the rights of the data subjects regarding the processing of personal data.
The personal data collected by our Company may vary depending on the nature of the relationship with the Company and legal obligations. The personal data collected are as follows:
Identity Information: Name-surname, parents' names, mother's maiden name, date and place of birth, marital status, ID card serial number, national ID number, etc.
Contact Information: Address number, email address, contact address, registered email address (KEP), phone number, etc.
Employment Data: Payroll information, disciplinary investigation records, employment documents, asset declaration information, resume data, performance evaluation reports, etc.
Legal Transaction Information: Information from correspondence with judicial authorities, data in case files, etc.
Customer Transaction Information: Call center records, invoice, promissory note, check information, order details, request details, etc.
Physical Space Security: Entry and exit records of employees, visitors, and customers, CCTV recordings, etc.
Transaction Security: IP address information, website access logs, passwords, and passcodes, etc.
Risk Management: Information processed for the management of commercial, technical, and administrative risks, etc.
Financial Information: Balance sheet data, financial performance information, credit and risk data, asset information, etc.
Professional Experience: Diploma information, courses attended, in-service training information, certificates, transcript data, etc.
Marketing: Shopping history data, survey responses, cookie records, information obtained through marketing activities, etc.
Visual and Auditory Records: Photos, CCTV recordings, etc.
Special Categories of Personal Data (Health information, clothing, criminal conviction and security measures, biometric data).
The personal data types listed above do not cover all data processed by our Company. Similar types of personal data may also be processed by the Company.
Your personal data collected may be processed by our Company in compliance with the personal data processing conditions specified in Articles 5 and 6 of the Law and for the purposes listed below:
Primary Purpose: Designing, coordinating, developing, and executing company-specific business activities, planning and executing business development activities.
Sub-purposes:
Establishment and execution of contracts, managing and conducting relationships with customers, and providing post-contract services.
Monitoring, planning, and executing activities for receiving external services/consultancy, etc.
Planning, monitoring, and executing financial and accounting activities.
Performing control, data management, analysis, social activities, process improvement activities, and related reporting.
Planning and executing crisis and emergency management activities.
Planning and implementing activities aimed at ensuring the physical/electronic security of the Company.
Primary Purpose: Personalizing products and services, conducting profiling, and organizing marketing and promotional activities.
Sub-purposes:
Planning and executing actions and brand management activities aimed at increasing brand perception by analyzing customers' usage habits and preferences.
Planning and executing advertising, sales, and marketing operations targeting customers.
Organizing, managing, and executing events, meetings, invitations, and activities.
Conducting customer satisfaction, loyalty, profiling, and preference studies and analyses regarding products and services.
Planning and executing market research activities related to products and services.
Primary Purpose: Structuring and/or executing demand and complaint management as well as after-sales processes.
Sub-purposes:
Receiving, evaluating, and resolving requests and complaints and planning and executing activities related to demand and complaint management.
Performing research, analysis, and reporting activities related to operations aiming at entering into a contractual relationship with customers or renewing existing contracts.
Performing and monitoring post-sales services and fulfilling obligations arising from contractual relationships.
Primary Purpose: Planning, executing, and managing corporate relationships.
Sub-purposes:
Managing, developing, planning, and executing relationships with suppliers/dealers/business partners.
Planning and executing operations related to vehicle users, including the establishment and execution of vehicle rental contracts and ensuring compliance with requirements.
Planning and executing activities to ensure business continuity.
Planning and executing external training/scholarship/support activities.
Executing strategic planning activities.
Primary Purpose: Ensuring the legal, technical, and commercial security of the Company and relevant individuals, as well as fulfilling legal obligations.
Sub-purposes:
Planning and executing health and/or safety processes in the workplace.
Ensuring organizational structures, monitoring, and planning compliance with the Company’s policies, directives, main agreements, and applicable regulations.
Providing information to authorized institutions and organizations due to legal obligations and performing activities related to audits and legal requirements.
Ensuring the security of the Company’s facilities and relevant parties in both physical and/or electronic environments.
Recording participants attending Company events and activities.
Recording and planning activities related to the Company’s interactions with business partners.
Ensuring the lawful management of all operations and activities related to individuals visiting the Company’s premises.
Our Company determines the retention periods for personal data by taking into account applicable laws and the purposes for which the data is processed. In this context, legal obligations and statutes of limitations related to personal data processing activities are strictly observed. If the purpose of processing personal data ceases to exist and there are no other legal grounds for retaining the data, the data will be deleted, destroyed, or anonymized. Detailed information on this subject can be found in the Personal Data Retention and Disposal Policy available at https://afa.aero/tr/kurumsal/kisisel-verilerin-korunmasi-kanunu.
Your personal data may be shared, in line with the purposes outlined above, under the conditions specified in Articles 8 and 9 of Law No. 6698 regarding the transfer of personal data. In cases where your personal data is shared, our Company takes necessary measures to ensure that the third party processing the data adheres to the rules set forth in this Policy and the relevant legislation. Your personal data may also be transferred in cases of partial or complete ownership transfer of the Company through share sales, mergers, spin-offs, or transformations. In such cases, the party receiving the data is also required to comply with the rules for processing and transfer outlined in this Policy.
The transfer of your personal data abroad will only take place under the following conditions:
If your explicit consent is obtained, or
If one or more of the data processing conditions stipulated in the Law is met;
If there is sufficient protection in the country where the data is transferred, or
If there is insufficient protection in the country, provided that the Company and the data controller in the relevant foreign country guarantee adequate protection in writing, and approval is obtained from the Personal Data Protection Board.
Our Company takes reasonable technical and administrative measures to protect your personal data against risks such as unauthorized access, accidental loss, deliberate deletion, or damage. Detailed information on this matter can be found in the Personal Data Retention and Disposal Policy.
Rights of Data Subjects
Data subjects have the following rights under Article 11 of the Law:
To learn whether their personal data is being processed.
To request information if their data has been processed.
To learn the purpose of data processing and whether their data is used for the intended purpose.
To know the third parties, both in the country and abroad, to whom their personal data is transferred.
To request the correction of incomplete or inaccurate personal data.
To request the deletion or destruction of personal data under the conditions prescribed in relevant legislation.
To request notification of corrections, deletions, or destruction to third parties to whom the data has been transferred.
To object to the analysis of personal data by automated systems that result in unfavorable consequences for the individual.
To request compensation for any damages incurred as a result of the unlawful processing of personal data.
In order to effectively exercise your rights, you can submit your request, including the necessary information to verify your identity and details about which rights under Article 11 of the Law you wish to exercise, by filling out the form available at https://afa.aero/tr/iletisim. You can then submit the signed form, along with identity verification documents, to our address at Barbaros Hayrettin Pasa Mah. 1994 Sok. No:2, Çebi Natura Plaza, Floor 3, 34522 Esenyurt/Istanbul in person or by sending it via registered mail or through a notary. You can also send the signed form with a secure electronic signature to the email address [email protected].
In the event that a third party submits a request on your behalf, you will need to provide a notarized special power of attorney to that third party. Our Company reserves the right to request additional information to verify the identity of the applicant and to clarify the issues raised in the application. We may also ask additional questions to clarify the request related to your personal data processing.
KOOSTAR HAVACILIK ANONİM ŞİRKETİ is committed to complying with the obligations under Law No. 6698 on the protection of personal data and ensures that all personal data processing activities are carried out in accordance with the relevant laws and principles. We continuously work to update and improve our practices related to data protection and processing and will notify data subjects of any significant changes to this policy.