Personal Data Processing And Protection Policy

Maximum sensitivity is shown by the MELİHA ERCAN FOUNDATION (''Foundation'') regarding the processing of personal data in accordance with relevant legislation and the assurance of its privacy and security. The Foundation processes personal data within the boundaries mandated by the Law on the Protection of Personal Data No. 6698 (''Law'' or ''KVKK''), related secondary regulations, and the Decisions of the Personal Data Protection Board. This Policy has been arranged by the Meliha Ercan Foundation for the purposes of fulfilling the obligation to inform as set forth in Article 10 of the Law and to inform data subjects in the most transparent manner regarding their rights set forth in Article 11 of the Law.

This Policy covers all personal data of Meliha Ercan Foundation employees, employee candidates, scholarship recipients, scholarship candidates, donors, and other third parties, which are processed by fully or partially automatic means or by non-automatic means provided that they form part of any data filing system.

This Policy provides general information about the entirety of personal data processing processes; separate Clarification Texts are arranged specific to the activity subject to personal data processing, and data subjects are informed accordingly. Information regarding the processed personal data, the purpose of processing, collection methods, legal grounds, and to whom and for what purpose it is transferred is included in the Clarification Texts arranged specifically for the data subject.

1. PROCESSING OF PERSONAL DATA

The Meliha Ercan Foundation has adopted the principles listed below as working principles to ensure the processing and protection of personal data in accordance with the procedures and principles stipulated in the Constitution (primarily Article 20), the Law on the Protection of Personal Data No. 6698, other secondary regulations, and the decisions of the Personal Data Protection Board.

1.1. General Principles

Personal Data may be processed by the Foundation in accordance with the principles listed in Article 4 of the Law and the procedures and principles stipulated in other laws.

• Principle of compliance with the law and rules of bona fides (integrity); The Foundation processes the minimum amount of data possible without deviating from the purpose of data processing, taking into account the reasonable expectations of data subjects. It takes care to ensure that the data processing activity is transparent for the person concerned and fulfills its obligation to inform.
• Principle of personal data being accurate and up-to-date; The Foundation attaches importance to personal data being accurate and up-to-date. When necessary, updates to the data and confirmation of their accuracy are ensured.
• Principle of processing personal data for specific, explicit, and legitimate purposes; Personal data is processed for precise, clear, and legitimate purposes. The Foundation strictly does not process personal data for any purpose other than those stated to the person concerned.
• Principle of personal data being connected, limited, and proportional to the purpose for which they are processed; The data processing activity is limited only to the data sufficient and necessary for the realization of the purpose. It avoids data that is not suitable for the realization of the purpose and is not needed.
• Retention of personal data for the period required; The Foundation, in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVKK, retains the personal data it processes only for the period stipulated in the relevant legislation and laws or required by the purpose of personal data processing. In this context, our Foundation first determines whether a specific period is foreseen in the relevant legislation for the storage of the personal data subject to processing. If a legal period is determined, it acts in accordance with this period. If no legal period is determined, the period necessary for the realization of the processing purpose is determined, and personal data is stored limited to this period. At the end of the determined storage periods or upon the request of the person concerned, personal data is destroyed by the Foundation using determined destruction methods (deletion and/or destruction and/or anonymization).

1.2. Method of Collecting Personal Data

Your personal data may be collected verbally, in writing, or electronically by automatic or non-automatic methods, during a physical visit to the Meliha Ercan Foundation, via camera recording, through our business units, verbal communication, hand delivery, paper media, contracts, information collection forms, e-mail, REM (Registered Electronic Mail), fax, telephone, website, and other similar means. As long as you benefit from the Foundation's services, your personal data may be processed and updated when necessary to ensure the accuracy and currency of your data.

1.3. Legal Grounds for Processing Personal Data

Pursuant to Article 5, Paragraph 1 of the Law, personal data cannot be processed without the explicit consent of the data subject as a rule. Explicit consent is realized by informing the data subject about the relevant issue and obtaining their free will. However, within the scope of Article 5, Paragraph 2 of the Law, personal data may be processed without seeking the explicit consent of the data subject if one of the following conditions exists:

• Explicitly stipulated in laws: If there is a clear regulation regarding the processing of personal data in the laws, personal data may be processed without the consent of the data subject.
• Failure to obtain explicit consent of the person concerned due to actual impossibility: Personal data of the data subject may be processed if it is mandatory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent cannot be granted validity, or of another person.
• Being directly related to the establishment or performance of a contract: It is possible to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of the contract and that the processing is necessary.
• To fulfill the legal obligation of the Data Controller: If data processing is mandatory for the data controller to fulfill its legal obligations, the personal data of the data subject may be processed.
• Made public by the person concerned: Personal data that has been revealed to the public by the data subject in any way and opened to everyone's knowledge as a result of being made public may be processed limited to the purpose of making it public.
• Data processing being mandatory for the establishment, exercise, or protection of a right: If data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.
• Data processing being mandatory for the legitimate interests of the Data Controller: The Data Controller first determines the legitimate interest it will obtain as a result of processing the personal data and evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject; if it is of the opinion that the balance of interests is not disturbed, it carries out the processing activity.

1.4. Processing of Special Categories of Personal Data

The Meliha Ercan Foundation shows sensitivity in the processing of Special Categories of Data, as additional precautions must be taken regarding their storage and transfer compared to personal data. Special categories of personal data are data that, if learned, could cause discrimination against or victimization of the person concerned. Special categories of personal data listed exclusively in Article 6 of the Law are; data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Processing of special categories of personal data is prohibited. However, the processing of this data is possible if;

a) The person concerned has explicit consent,

b) It is explicitly stipulated in laws,

c) It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent is not granted legal validity, or of another person,

ç) It relates to personal data made public by the person concerned and is in accordance with the will to make it public,

d) It is mandatory for the establishment, exercise, or protection of a right,

e) It is necessary for the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health care services and financing, by persons under the obligation of secrecy or authorized institutions and organizations,

f) It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,

g) It is processed by foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes, provided that it complies with the legislation they are subject to and their purposes, is limited to their fields of activity, and is not disclosed to third parties; and is directed towards their current or former members and members or persons who are in regular contact with these organizations and formations.

In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board.

1.5. Categories of Personal Data Processed

Personal data in the categories of identity, contact, personnel, legal transaction, customer transaction, transaction security, risk management, finance, professional experience, visual and audio records, physical space security, health information, criminal conviction and security measures, family and relative data may be processed by the Meliha Ercan Foundation within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law. The processed personal data may vary depending on the activity carried out by the Foundation, and data subjects are informed by arranging separate Clarification Texts specific to the activity subject to personal data processing.

1.6. Data Subjects

The Policy on the Processing and Protection of Personal Data covers all personal data of Foundation employees, family members of employees, employee candidates, scholarship recipients, scholarship candidates, donors, and other third parties, which are processed by fully or partially automatic means or by non-automatic means provided that they form part of any data filing system.

1.7. Purposes of Processing Personal Data

Personal Data obtained by the Foundation's business units may be processed within the scope of the Personal Data Processing conditions specified in Articles 5 and 6 of the Law.

2. TRANSFER OF PERSONAL DATA

Personal data may be transferred by the Foundation in accordance with the conditions for the transfer of personal data specified in Articles 8 and 9 of the Law, in line with data processing purposes, to:

• Legally authorized public institutions and organizations and legally authorized private law persons for the purpose of fulfilling legal obligations,
• Real persons and private law legal entities (such as CPAs, Law Firms) for the purpose of receiving service support in accounting, law, etc.,
• Banks for the purpose of making scholarship and aid payments,
• Companies from which information technology support is received for the purpose of receiving IT support services,
• Relevant suppliers for the purpose of carrying out purchasing transactions.

Data transfer is carried out in a manner connected with, limited to, and sufficient for the purpose of the transfer.

3. ENSURING THE SECURITY AND PRIVACY OF PERSONAL DATA

The right to request the protection of Personal Data gained Constitutional assurance within the scope of the "right to privacy and protection of private life" by adding an additional paragraph to Article 20 of the Constitution with the constitutional amendment made by Law No. 5982 in 2010.

The Meliha Ercan Foundation, within the scope of Article 12 of the Law, provides the necessary measures to ensure the appropriate security level in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data, in accordance with the nature of the personal data.

4. PROCESS MANAGEMENT REGARDING THE PROTECTION OF PERSONAL DATA

The Meliha Ercan Foundation attaches great importance to the protection of personal data. Care is taken to ensure that employees participate in KVKK training and that awareness is created. KVKK Policies have been arranged for the Foundation, and actions are taken in accordance with the procedures and principles set out in these policies in activities involving personal data. Responsibilities and duty distributions regarding the execution of policies, monitoring the compliance of employee actions with the Policies, publishing and updating the Policy, and carrying out data destruction processes have been determined. The Foundation has the authority to make necessary updates regarding the processing of personal data and information security in accordance with legal amendments and Board Decisions. The Foundation performs/has performed the necessary audits within the scope of KVKK. Service support may be received from experts in the field for the execution of the process.

5. RETENTION AND DESTRUCTION OF PERSONAL DATA

The Foundation retains personal data for the period necessary for the purpose for which they are processed and in accordance with the periods stipulated in the legal legislation to which the relevant activity is subject. In this context, the Foundation primarily determines whether a period is foreseen in the relevant legislation for the retention of personal data, and if a period is determined, it acts in accordance with this period. If no legal period exists, personal data is stored for the period necessary for the purpose for which they are processed. Personal data is destroyed at the end of the determined storage periods or upon the request of the data subject by the destruction methods (deletion and/or destruction and/or anonymization) determined by the Foundation.

6. INFORMING PERSONAL DATA SUBJECTS

This Policy provides general information about the entirety of personal data processing processes. Concerned persons are informed in detail with separate clarification texts specific to the data processing activity, and their explicit consent is obtained where necessary. In this context, separate clarification and explicit consent texts specific to the data subject such as Employee, Employee Candidate, Scholarship Recipient, Scholarship Candidate, Donor are used.

The Foundation informs the concerned persons whose data is processed during personal data processing activities about; the categories of data processed, purposes of data processing, data collection method and legal reason, recipient groups to whom data is transferred and the purpose of transfer, and their rights as a data subject. The Foundation fulfills the obligation to inform mandated in Article 10 of the Law in accordance with the procedures and principles set out in the Guide on the Fulfillment of the Obligation to Inform published by the Authority. Necessary clarifications are published in electronic or physical environments in accordance with the data collection method.

7. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISING THESE RIGHTS

7.1. Rights of the Personal Data Subject

• To learn whether your personal data is processed or not,
• To request information if your personal data has been processed,
• To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom your personal data is transferred domestically or abroad,
• To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
• To request the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, despite having been processed in accordance with the Law and other relevant legal provisions, and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
• To object to the occurrence of a result against you by analyzing the processed data exclusively through automated systems,
• To request compensation for the damage in case you suffer damage due to unlawful processing of your personal data.

7.2. Exercising the Rights of the Personal Data Subject

You may submit your applications and requests listed above by filling out the Personal Data Owner Application Form published on our website and sending it to our address at Huzur Mahallesi Azerbaycan Cad. Skyflat B Blok No:4 Kat:6 Sarıyer/İSTANBUL in person or via notary public, or by sending it from your electronic mail address to our address at melihaercan@melihaercanvakfi.org.tr. You can access detailed information regarding the points required in your application and the application method from the Personal Data Owner Application Form.

In the application; your name, surname, and if the application is written, your signature, your T.R. identity number for citizens of the Republic of Turkey, nationality, passport number or identity number if any for foreigners, your place of residence or workplace address for notification, your electronic mail address for notification if any, telephone and fax number, and the subject of your request are mandatory. Information and documents related to the subject should be attached to the application. In applications to be prepared without filling out the application form, the matters listed in this paragraph must be submitted to the Meliha Ercan Foundation completely. Otherwise, the application will not be evaluated as a valid application.

In order for third parties to make an application request on behalf of the concerned persons whose personal data is processed, there must be a special power of attorney issued by a notary public on behalf of the person who will make the application by the concerned person.

Verification information may be requested by the Foundation in order to confirm that the applicant is the relevant person and to ensure that the application results are communicated to the correct person. (For example, additional verifications such as sending a message to your registered phone or calling you may be requested.)

Your request included in the application will be concluded free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost for the Foundation, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Foundation. If your request is accepted, it will be fulfilled. However, if your request is rejected as a result of the examination and evaluation made, the reason for rejection will be notified to you in writing or electronically.

You can access detailed information regarding your rights to apply to the data controller and complain to the board from Articles 13, 14, and 15 specified in the Fourth Section of the Law.

7.3. Rejection of the Personal Data Subject's Application

Pursuant to Article 28 of the Law, the Foundation may reject the application of the data subject by explaining the reason in the following cases:

• Processing of personal data by real persons within the scope of activities related completely to themselves or family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
• Processing of personal data for purposes such as research, planning, and statistics by making them anonymous with official statistics.
• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
• Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
• Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.

Pursuant to Article 28/2 of the Law, provided that it is appropriate and proportional to the purpose and basic principles of this Law, Article 10 regulating the obligation of the data controller to inform, Article 11 regulating the rights of the person concerned (except for the right to demand compensation for damage), and Article 16 regulating the obligation to register with the Data Controllers Registry shall not apply in the following cases:

• Processing of personal data is necessary for the prevention of a crime or for a criminal investigation.
• Processing of personal data made public by the person concerned themselves.
• Processing of personal data is necessary for the execution of supervision or regulation duties and for disciplinary investigation or prosecution by authorized and assigned public institutions and organizations and professional organizations having the status of a public institution, based on the authority given by the law.
• Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.

8. ENTRY INTO FORCE AND EXECUTION OF THE POLICY

This Policy entered into force on the date it was published. The Foundation reserves the right to make changes to the Policy in order to provide up-to-date information regarding practices and legal regulations concerning the Protection of Personal Data. In the event that the entire Policy or certain articles are updated, the updates shall enter into force on the date they are published.

The Meliha Ercan Foundation is responsible for the execution of the Policy, the follow-up of all works and actions regarding the compliance process with the Law, and its coordination and audit. Relevant legal regulations in force regarding the processing and protection of personal data will primarily find application area. In case of inconsistency between the legislation in force and the Policy, the Foundation accepts that the legislation in force shall apply.

Appendix: Table Regulating Definitions