As the data controller, Klok Medya, Pazarlama ve Danışmanlık A.Ş. (“Company”), registered with the Istanbul Trade Registry Office (MERSIS No: 0564134304100001) and located at YEŞİLCE MAH. EMİRŞAH SK. NO: 21 İÇ KAPI NO: 2 KAĞITHANE / İSTANBUL, places great importance on protecting the personal data of its employees and other real persons with whom it is in contact. The aim of the processes governed by this Policy and the Company's practices, in line with the Law on the Protection of Personal Data No. 6698 (“KVKK”) and related legislation, is to ensure that the personal data of our employees, employee candidates, interns, visitors, business partners’ employees, and third parties are processed and protected lawfully.
Within this scope, the Company takes the necessary administrative and technical measures as required by the Law No. 6698 and relevant legislation to ensure the protection and processing of personal data.
In this Policy, the natural persons whose personal data are processed are referred to as “Data Subjects.”
Below are the core principles that the Company has adopted in its data processing activities, in line with Article 4 of the KVKK and explained in this Policy:
The main purpose of this Policy is to explain how the Company lawfully processes personal data and the systems it adopts for their protection. In doing so, we aim to inform employees, employee candidates, shareholders/partners, potential product or service buyers, interns, supplier employees, supplier representatives, buyers or recipients of products or services, visitors, and other persons with whom we have business relationships, thereby ensuring transparency.
This Policy applies to all personal data processed by the Company—belonging to our customers, employees, employee candidates, interns, visitors, and the shareholders and employees of corporate bodies with whom the Company collaborates, as well as third parties—through automatic means or by non-automatic means provided that they are part of a data recording system.
CATEGORY
DESCRIPTION
Shareholder/Partner
Real persons who are shareholders of the Company.
Potential Product/Service Buyer / Representative
Real persons (including stakeholders and representatives of legal entities) who have the potential to enter into a business relationship with the Company.
Potential Product/Service Buyer Employee
Real persons who work for real or legal entities that have the potential to enter into a business relationship with the Company.
Product/Service Buyer / Representative
Real persons (including stakeholders and representatives of legal entities) who have any type of business relationship with the Company.
Product/Service Buyer Employee
Real persons who work for real or legal entities that have any type of business relationship with the Company.
Supplier Representative
Real persons (including stakeholders and representatives of legal entities) that provide services to the Company under a contract according to its instructions and orders.
Supplier Employee
Real persons who work for real or legal entities providing supply services to the Company.
Employee/Intern
Real persons employed by the Company under an employment contract.
Employee Candidate
Real persons who have applied for a job by any means or have shared their CVs and related information for the Company’s review.
Visitor
Real persons who enter the Company’s premises for various purposes or visit the Company’s websites for any reason.
Third Party
Real persons other than those in the categories listed above and excluding Company employees.
Company Representative
Members of the Board of Directors and other authorized real persons of the Company.
TERM
DEFINITION
Recipient Group
The category of real or legal persons to whom personal data are disclosed by the data controller.
Explicit Consent
Freely given, specific, and informed consent regarding a particular issue.
Anonymization
Rendering personal data incapable of being associated with an identified or identifiable real person under any circumstances, even when combined with other data.
Enlightenment
Notification provided to the data subject by the data controller or a person authorized by the data controller at the time of collecting personal data, including the identity of the data controller and its representative if any, the purpose for processing personal data, the recipients to whom data may be disclosed and the purposes of disclosure, the method and legal basis for the collection of personal data, and the rights of the data subject.
Obligation to Inform (Aydınlatma Yükümlülüğü)
The obligation of the data controller or a person authorized by the data controller to provide certain information to data subjects at the time of data collection, namely:
– Identity of the data controller and its representative, if any,
– The purpose of personal data processing,
– To whom and for what purposes the processed personal data may be transferred,
– The method and legal basis for personal data collection,
– Other rights of the data subject under Article 11 of the Law.
Electronic Environment
Environments in which personal data can be created, read, changed, and written using electronic devices.
Non-Electronic Environment
All written, printed, visual, etc., other environments outside the electronic environment.
Service Provider
A real or legal person who provides specific services to the Company under a contract.
Data Subject (İlgili Kişi)
A real person whose personal data is processed.
Relevant User
A real or legal person who processes personal data within the organization of the data controller or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for storing, protecting, and backing up the data technically.
Destruction
The process of deleting, destroying, or anonymizing personal data.
Contact Person (İrtibat Kişisi)
A real person notified during registration to the Registry in order to ensure communication with the Authority regarding the obligations under the Law and any secondary regulation, for real and legal persons domiciled in Turkey, or the data controller’s representative for real and legal persons not domiciled in Turkey.
Law (Kanun)
Law No. 6698 on the Protection of Personal Data.
Recording Environment (Kayıt Ortamı)
Any environment in which personal data processed wholly or partially by automated means or by non-automated means, provided they form part of a data recording system, are kept.
Personal Data
Any information relating to an identified or identifiable real person.
Personal Data Processing Inventory
An inventory prepared by data controllers, detailing the personal data processing activities linked to their business processes; the purposes and legal grounds for processing personal data, data category, recipient group, and group of data subjects; and explaining the maximum period necessary for the purposes for which the personal data are processed, the foreign countries to which personal data are transferred, and the measures taken regarding data security.
Processing of Personal Data
Any operation performed on personal data by fully or partially automated means or by non-automated means, provided that it is part of a data recording system, such as collecting, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making retrievable, classifying, or preventing its use.
Board (Kurul)
The Personal Data Protection Board.
Authority (Kurum)
The Personal Data Protection Authority.
KVKK
Turkish Personal Data Protection Law No. 6698.
Special Categories of Personal Data
Personal data revealing race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction (Periyodik İmha)
Deletion, destruction, or anonymization of personal data to be carried out ex officio at repeated intervals specified in the personal data retention and destruction policy in the event that all conditions for the processing of personal data under the Law cease to exist.
Policies
The Company’s Personal Data Retention and Destruction Policy, Personal Data Protection and Processing Policy, and Special Categories of Personal Data Protection and Processing Policy.
Company
Klok Medya, Pazarlama ve Danışmanlık A.Ş.
Data Processor (Veri İşleyen)
A real or legal person processing personal data on behalf of the data controller based on authority granted by the data controller.
Data Recording System
A recording system in which personal data are structured according to specific criteria.
Data Controller (Veri Sorumlusu)
The real or legal person determining the purposes and means of processing personal data, and responsible for establishing and managing the data recording system.
VERBIS
Data Controllers Registry Information System (Veri Sorumluları Sicil Bilgi Sistemi).
Regulation (YÖNETMELİK)
Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
In accordance with Article 10 of the KVKK, when collecting personal data, our Company informs the data subjects about:
Depending on the nature of the data subject and the data processing process, such notices are provided. To this end, we have placed “Informative Texts” in areas accessible to visitors within our premises. We have also published this Policy together with the enlightenment texts, cookie policy, and application form on our Company’s websites.
In line with the Company’s legitimate and lawful personal data processing purposes, and in accordance with the personal data processing conditions set out in Article 5 of the KVKK, the Company processes personal data in compliance with the general principles laid down in the KVKK (particularly the principles stated in Article 4) and meets all its obligations under the KVKK. The personal data are processed only as necessary for the relevant data subjects, who have been informed in advance.
The Company has prepared a personal data inventory as required by the Regulation on the Data Controllers Registry issued by the Personal Data Protection Authority. This inventory includes data categories, sources of data, purposes of processing, processing cycles, recipient groups, and retention periods. Within this inventory, and not limited to the examples below, the following data categories are processed:
PERSONAL DATA CATEGORY
DESCRIPTION
Identity
Information such as first name, last name, mother’s and father’s names, mother’s maiden name, date of birth, place of birth, marital status, ID serial number, and Turkish identification number.
Contact
Information such as address, email address, phone number, KEP (registered electronic mail) address, etc.
Location
Information on location data.
Personnel (Employment) Data (Özlük)
Payroll information, disciplinary investigation data, job entry and exit documents, property declaration, CV information, performance evaluations, etc.
Legal Transaction (Hukuki İşlem)
Information included in correspondence with judicial authorities, lawsuit files, etc.
Customer Transaction
Call center records, bills, checks, promissory notes, invoice details, order information, contract information, requests, etc.
Physical Space Security
Employee entry and exit records, CCTV recordings, etc.
Transaction Security
IP address information, website login and log-out information, password and login details, etc.
Risk Management
Information processed for the management of commercial, technical, and administrative risks.
Finance
Information such as balance sheets, financial performance data, credits and risks, asset information, bank details.
Professional Experience
Information such as diplomas, attended courses, in-house training, certificates, transcripts, etc.
Visual and Audio Recordings
Visual and audio recordings.
Health Information
Blood type, health reports, employment health report, forms signed by a physician for employment or periodic health checks, pregnancy status/reports, health and maternity leave information, work accident forms and documents.
Other
Information on military status, spouse and children, vehicle license plate records, etc.
Marketing
Purchase history, survey data, cookie records, data obtained from campaign activities, etc.
Within the scope of any commercial, legal, contractual, or other relationships between the Company and the Data Subject, personal data may be collected physically or electronically directly from the data subject to serve the purposes detailed below. Processing is carried out in reliance on one or more of the legal grounds set out in Article 5/2 and subsequent provisions of the KVKK or, if no legal ground is available, on explicit consent. Detailed explanations regarding this matter are included in the informative texts prepared for each relevant Data Subject (e.g., Employee/Intern/Employee Candidate information notice, Visitor Notice, Cookie Policy, etc.).
Possible legal bases for processing data include:
The data subject’s explicit consent is only one of the possible legal bases that make it lawful to process personal data. Even without explicit consent, personal data may still be processed if one of the above conditions applies. Moreover, one or more of the legal grounds above may apply to a single personal data processing activity.
Legal Basis
Scope
Example
Legal Requirement
Requirements set out in tax, labor, trade laws, Law on the Regulation of Broadcasts on the Internet and Combating Crimes Committed by Means of Such Broadcasts, etc.
Retention of personnel data as required by relevant labor regulations.
Performance of Contract
Related to employment contract, service agreement, sales contract, transportation, etc.
Recording a company address for product delivery.
Actual Impossibility
Data subject cannot give consent due to actual impossibility or lacks legal capacity.
Contact or address details of an unconscious person. Location data of a kidnapped individual.
Legal Obligation of Data Controller
Financial audits, security regulations, industry-specific regulations.
Sharing information with regulators in banking, energy, capital markets, etc.
Publicized by Data Subject
Data that has been made public by the data subject themselves.
Publishing contact details publicly for emergency contact purposes.
Establishment/Protection of a Right
Data required for filing lawsuits, registering titles, etc.
Retaining certain data of an employee who leaves, for the duration of legal time limits.
Legitimate Interest
Processing is necessary for the legitimate interest of the data controller, provided fundamental rights of the data subject are not violated.
Collecting data to implement performance-based bonuses aiming to improve employee loyalty.
In line with Articles 20 of the Constitution and 4 of the KVKK, the Company processes personal data lawfully and fairly, ensuring accuracy and—where necessary—currency, pursuing explicit, legitimate objectives, in a manner relevant and proportionate to these objectives, and retaining them for as long as necessary under the relevant legislation or for the purpose for which they are processed.
Below are examples of purposes for which the Company processes personal data:
Within the scope of the Company’s legitimate and lawful personal data processing objectives, personal data of the data subjects may be transferred to third parties by taking the necessary security measures. Reasons for such transfer include:
In accordance with Articles 8 and 9 of the KVKK, the Company informs the data subjects about the categories of recipients of their personal data under Article 10 of the KVKK.
Depending on the conditions outlined in Articles 8 and 9 of the KVKK, the Company may transfer the personal data of the data subjects to the following categories of recipients:
POSSIBLE RECIPIENTS
DEFINITION
PURPOSE OF TRANSFER
Business Partner
Parties with whom the Company has established a partnership for such purposes as carrying out commercial activities.
Limited to purposes for which the business partnership is established.
Service Provider
Real or legal persons providing services to the Company under a contractual framework to carry out the Company’s commercial activities based on the Company’s instructions and orders.
Limited to the services the Company procures from external sources for the fulfillment of its commercial activities (e.g., bank, insurance, travel agency, event agency, transportation, courier, training providers, etc.).
Company Stakeholders
Shareholders of the Company.
Limited to corporate law, event management, and corporate communication purposes.
Company Representatives
Authorized real persons within the Company (e.g., Board members).
Limited to designing and managing commercial strategies and supervising the top-level management of the Company.
Legally Authorized Public Entities
Public institutions and organizations legally authorized to receive information and documents from the Company.
Limited to the scope of their legal authority.
Real or Legal Persons under Private Law
Persons or entities with which the Company shares information and documents for business activities.
Limited to the commercial purposes of the Company’s activities.
In accordance with Article 12 of the KVKK, the Company takes all necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data. The Company also conducts and commissions necessary audits.
Some of the main technical measures taken by the Company to ensure lawful processing of personal data include:
Some of the main administrative measures taken by the Company for the lawful processing and protection of personal data are:
The Company takes technical and administrative measures—based on the nature of the data to be protected, the available technological means, and the cost of implementation—to prevent the accidental or unauthorized disclosure, access, or transfer of personal data and any other unlawful access (including data breaches of Company systems).
Within the Company, the Human Resources Department is established. Acting on behalf of the Company (as data controller), the Human Resources Department is tasked with ensuring compliance with Article 12 of the Law. This department conducts audits or, if necessary, commissions them. Violations, incidents, and inconsistencies detected in these audits are reported to the relevant units for remedial action.
If, due to technical requirements, the Company entrusts the storage of personal data to third-party services, additional contractual clauses ensuring that those parties take the necessary data security measures and ensure compliance within their organizations will be signed.
The KVKK identifies certain personal data as “special categories” due to the risk of causing victimization or discrimination if processed unlawfully. These are data revealing race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
As these data are particularly sensitive, the Company shows due diligence in their protection. The Company ensures the highest level of security is applied to any lawfully processed special categories of personal data.
For instance, because of the Occupational Physician service provided within the Company, employees’ health data—deemed special category personal data—are processed. Only authorized personnel can access these data. Those personnel receive necessary training, have defined access scopes and durations, and sign confidentiality agreements. If a relevant staff member leaves the Company, their access authority is immediately revoked.
Physical files containing employees’ health information are stored in locked cabinets accessible only to the medical staff. No other department can access employees’ health data.
The Company organizes necessary training programs for employees to raise awareness of the importance of preventing unlawful processing of personal data, unlawful access, and other data security breaches, as well as to ensure the protection of personal data.
Data subjects may submit their requests relating to their rights listed below—by proving their identity—through direct personal application, physical mail, KEP, or a previously registered email address in our systems, or via an online application system specific to such requests. The Company evaluates the request within thirty days, free of charge, in line with the nature of the request. Please see Section 15 of this Policy for more detailed explanations.
Data subjects may request, within the scope of the personal data processing activities, any of their rights indicated in the relevant articles of the Law, including information on the data processing cycle, purposes, transfer details, etc.
Under Article 11 of the KVKK, data subjects have the following rights:
a. To learn whether personal data are processed,
b. To request information regarding the processing,
c. To learn the purpose of processing and whether they are used for the intended purpose,
d. To know the third parties to whom data are transferred in Turkey or abroad,
e. To request correction if the data are incomplete or incorrectly processed, and to request notification of such correction to third parties to whom the data have been transferred,
f. Despite being processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data if the reasons requiring processing no longer exist, and to request notification of such operations to third parties to whom the data have been transferred,
g. To object to negative consequences resulting from the analysis of the processed data solely by automated means,
h. To seek compensation for damages arising from the unlawful processing of personal data.
To exercise any of the rights in Article 11 of the KVKK, you may fill out the Application Form available on our website in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” and send it:
Upon receiving the application, the Company will respond as soon as possible and no later than 30 (thirty) days.
Applications must include name, surname, signature (if in writing), T.R. ID number (for Turkish citizens) or nationality, passport/ID number (for foreigners), a residence or workplace address for notification, and, if applicable, an email address, telephone or fax number, and the subject of the request.
Depending on the nature and method of your request, the Company may seek additional verification to confirm that the request indeed belongs to you, in order to protect your rights.
Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the KVKK, and the “Regulation on the Deletion, Destruction, or Anonymization of Personal Data,” the Company erases, destroys, or anonymizes personal data ex officio or upon request of the data subject in the event that the reasons for processing no longer apply. The Company has prepared a separate policy under the Regulation, determining the method of destruction according to the nature of the data. Additionally, the Company has designated periodic destruction dates; once the obligation to destroy arises, data will be periodically destroyed according to the set schedule.
The principles set out in this Policy are based on other data-related policies within the Company and internal procedures regarding the protection and processing of personal data.
The Company has established a governance structure to ensure compliance with the KVKK and the enforcement of the Personal Data Protection and Processing Policy.
The Human Resources Department is responsible for managing this Policy and related policies on personal data protection and processing.
This Policy was adopted by the Company on __/08/2024. It is published on the Company’s website at https://www.klokist.com/ and made accessible to all relevant parties.
Should any updates or amendments to the Policy be required, the updated document will be promptly published on the above website.
Klok Medya, Pazarlama ve Danışmanlık A.Ş.
Address: YEŞİLCE MAH. EMİRŞAH SK. NO: 21 İÇ KAPI NO: 2 KAĞITHANE / İSTANBULMERSIS No: 0564134304100001
.svg)
