Privacy Policy

1.3. Scope of Policy and Data Subjects

Şirketimiz bu Politikayı internet sitesinde yayımlamak suretiyle bahse konu Kişisel Veri Sahiplerini Kanun hakkında bilgilendirmektedir. Şirketimiz çalışanları için, Çalışanlar için Kişisel Verilerin İşlenmesi Politikası uygulanacaktır. Verinin aşağıda belirtilen kapsamda  “Kişisel Veri” kapsamında yer almaması veya Şirketimiz tarafından gerçekleştirilen Kişisel Veri işleme faaliyetinin yukarıda belirtilen yollarla olmaması halinde de işbu Politika uygulanmayacaktır.
Bu kapsamda işbu Politika kapsamındaki Kişisel Veri sahipleri aşağıdaki gibidir:

1.4.Definitions

The terms used in this Policy have the following meanings:

2. PROCESSING AND TRANSFER OF PERSONAL DATA 

2.1. General Principles for the Processing of Personal Data 

Personal Data shall be processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company shall process Personal Data in accordance with the following principles:

• Personal Data shall be processed in accordance with the applicable legal norms and the requirements of the principle of integrity.
• It shall be ensured that Personal Data is accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated shall be meticulously taken into consideration.
• Personal Data shall be processed for specific, explicit, and legitimate purposes. For a purpose to be legitimate, any Personal Data processed by the Company must be related to and necessary for the work it has carried out or the service it has provided.
• Personal Data shall be related to the objective in order to achieve the purposes determined by the Company and the processing of Personal Data that is not related to the attainment of the purpose or is not needed shall be avoided. It shall limit processed data only to what is necessary for the achievement of the purpose. Personal Data processed in this context shall be related and limited to and commensurate with the purpose for which it is processed.
• If there is a period stipulated for data storage in the applicable legislation, it shall observe such periods. Otherwise, personal data shall be stored only for the period necessary for the purpose for which it is processed and personal data shall be deleted, destroyed, or anonymized if there is no plausible reason for keeping Personal Data any further.

2.2. Requirements for Processing Personal Data

The Company shall not process Personal Data without the explicit consent of the data subject. In the presence of one of the following conditions, Personal Data may be processed without seeking the explicit consent of the data subject.

• The Company may process the Personal Data of data subjects in cases expressly stipulated by law even without their express consent. For example, in accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought in order to include the name of the person on an invoice.
• Personal Data may be processed without explicit consent in order to protect the life or physical integrity of the person or another person who are unable to express their consent or whose consent cannot be validated due to actual impossibility. For example, in a situation where the person’s consent is not valid due to unconsciousness or mental illness, the Personal Data of the data subject may be processed during a medical intervention in order to protect the integrity of his or her life or body. In this context, data such as blood type, diseases, and surgeries, and medications used can be processed through the relevant health system.
• Personal Data belonging to the parties to an agreement may be processed, provided that it is directly related to the execution or performance of an agreement by the Company. For example, the account number of the creditor may be obtained for the payment of money under an agreement.
• The Company may process the Personal Data of a data subject if it is necessary to fulfill its legal obligations as a data controller.
• The Company may process personal data made public or disclosed by the data subject in any manner when the legal benefit to be protected ceases to exist.
• The Company may process the Personal Data of a data subject without seeking his or her explicit consent if processing such data is required for the exercise or protection of a legally legitimate right.
• The Company may process the Personal Data of a data subject if it is necessary to process Personal Data for protecting their legitimate interests, provided that it is not prejudicial to the fundamental rights and freedoms of the data subject protected under the Law and Policy. The Company exercises necessary care to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of the data subject.

2.3. Requirements for Processing Sensitive Personal Data

The Company shall not process Sensitive Personal Data without the explicit consent of the person concerned provided that Personal Data other than data related to health and sexual life may be processed without seeking the explicit consent of the person concerned if stipulated by laws. Personal Data regarding health and sexual life may be processed by the Company only for the purposes of protecting public health, performing preventive medicine, medical diagnosis and treatment and care services, planning and managing health services and financing without seeking the explicit consent of the person concerned subject to conditions under which we are required to treat data as confidential. The Company takes required actions in order to take adequate measures determined by the Council for the processing of Sensitive Personal Data.

2.4. Requirements for Transfer of Personal Data

Our company may transfer the Personal Data of data subjects and Sensitive Personal Data to third parties in accordance with the Law by ensuring compliance with required confidentiality requirements and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. Our Company may transfer Personal Data to third parties for legitimate and lawful purposes related to the processing of Personal Data processing purposes based on one or more of the following Personal Data processing requirements specified in Article 5 of the Law subject to limitations:

• If the data subject has given his or her express consent;
• If there is a clear provision in the law regarding the transfer of Personal Data or if it is necessary for the protection of the life or physical integrity of the data subject or another person;
• If the data subject is unable to express his or her consent due to actual impossibility or if his or her consent is not legally valid;
• If it is necessary to transfer the Personal Data of the parties to an agreement, provided that it is directly related to the execution or performance of the agreement;
• If transferring Personal Data is mandatory for our company to fulfill its legal obligations;
• If the Personal Data has been made public by the data subject;
• If the transfer of Personal Data transfer is required for establishing, exercising, or protecting a right;
• Personal Data may be transferred if it is required for the legitimate interests of our Company provided that it is not prejudicial to the fundamental rights and freedoms of the data subject.

2.4.1. Requirements for Transferring Personal Data Abroad

Our Company may transfer the Personal Data and Sensitive Personal Data of a data subject to third parties abroad by taking necessary security measures in line with the purposes of processing Personal Data. Our Company may transfer Personal Data to a foreign country that has been determined to have sufficient protection by the KVK Council or, in the absence of sufficient protection, or to any other foreign country where the data controllers in Turkey and the relevant foreign country undertake to provide adequate protection in writing and for which KVK Council has granted permission.

2.5. Requirements for Transferring Sensitive Personal Data

Our company may transfer Sensitive Personal Data of data subjects to third parties in accordance with the Law by ensuring compliance with required confidentiality requirements and taking security measures in line with the purposes of processing Personal Data if:

• If the data subject has given his or her express consent;
• Without the data subject’s express consent if:
• Sensitive Personal Data (data related to race, ethnicity, political views, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data) other than data related to the health and sexual life of data subject) if stipulated in-laws;
• Sensitive personal data of a data subject regarding his or her health and sexual life for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing by persons who are required to treat such data as confidential or authorized agencies and organizations.

2.5.1. Requirements for Transferring Sensitive Personal Data Abroad

Our Company may transfer the Sensitive Personal Data of a data subject to a data controller that has sufficient protection available or has undertaken to ensure sufficient protection in any foreign country after taking necessary security measures and sufficient measures stipulated by KVK Council for legitimate and lawful purposes to process Personal Data if:

• If the data subject has given his or her express consent;
• Without the data subject’s express consent if:
• Sensitive Personal Data (data related to race, ethnicity, political views, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data) other than data related to the health and sexual life of data subject) if stipulated in-laws;
• Sensitive personal data of a data subject regarding his or her health and sexual life for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services and planning and managing health services and their financing by persons who are required to treat such data as confidential or authorized agencies and organizations.

3. PURPOSES OF PROCESSING AND TRANSFERRING PERSONAL DATA AND RECIPIENTS

3.1. Purposes of Processing and Transferring Personal Data

Personal data may be exclusively processed for the following purposes in accordance with the law and the purpose of the Law and subject to the requirements for processing Personal Data set forth in articles 5 and 6 of the Law:

• Planning and implementation of human resources policies in the best manner,
• Correct planning, implementation, and management of commercial partnerships and strategies,
• Ensuring the legal, commercial and physical security of itself and its business partners,
• Ensuring corporate functioning; planning and execution of management and communication activities,
• Allowing data subjects to make the best use of its products and services and customizing and offering them depending on their demands, needs, and requests,
• Ensuring the highest level of data security,
• Creation of databases,
• Improving the services offered on the website and fixing errors occurring on the website,
• Communicating with data subjects who have forwarded their requests and complaints to it and ensuring the management of their requests and complaints,
• Effectiveness management,
• Management of relations with business partners or suppliers,
• Handling of employee recruitment processes,
• Supporting Group Companies’ employee recruitment processes and compliance with applicable legislation,
• Planning and performing audits in order to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation
• Supporting the planning and execution of fringe benefits and benefits to be provided to him and the senior executives of the Group Companies,
• Supporting Group Companies in the performance of transactions under laws governing companies and partnerships,
• Carrying out/following up on financial reporting and risk management transactions,
• Managing/following up on the company’s legal affairs,
• Making efforts to protect its reputation,
• Managing relations with investors,
• Informing competent agencies on legislation,
• Keeping and monitoring visitor records.

by persons who are required to treat such data as confidential or authorized agencies and organizations. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, your explicit consent is obtained by the Company regarding the relevant processing process.

3.2. Recipients of Personal Data

Personal Data may be shared with our business and solution partners, banks and third parties who perform technical, logistics and other similar transactions on our behalf in order to ensure that the services offered to you are complete and flawless and only to the extent commensurate with the nature of the service. Such third parties include persons who need to have access to the relevant information in order to provide the relevant services completely and flawlessly.

In addition, your Personal Data may be transferred only to the relevant person or entity in cases where data has to be shared with other third parties in order to provide the service fully and flawlessly or it is mandatory for the Company to fulfill its legal obligations or it is expressly stipulated in the laws, or there is a judicial/administrative order given in accordance with the law. 

A part of Personal Data may be shared with advertisers in an aggregate anonymized form alongside the information of other users in order to ensure that such advertisements can be tailored for the target audience.

Anonymized data is information that cannot be matched to you or our visitors/customers and does not contain your identity details or makes you identifiable. Your privacy is guaranteed in anonymized data.

4.1. Method of Collection of Personal Data and Its Legal Basis

For the purpose of verifying compliance with Article 1, which sets forth the purpose of the Law, and Article 2, which defines the scope of the Law, Personal Data may be collected verbally, in writing, electronically, by technical and other methods through various channels as stores, points of sale, call centers, Company’s website, mobile applications in order to achieve the purposes stated in the Policy based on legal reasons arising from legislation, agreements, demands, and requests in order to fully discharge obligations arising from laws and processed by the Company or data processors appointed by the Company. 

4.2. Deleting, Destroying, and Anonymizing Personal Data  

Without prejudice to the provisions of other laws regarding the deletion, destruction, or anonymization of Personal Data, the Company deletes, destroys, or anonymizes Personal Data at its sole discretion or the request of the data subject if reasons for its processing have ceased to exist even if it has been processed in accordance with the provisions of this Law and other laws. When Personal Data is deleted, it is destroyed in such a way that it cannot be recovered or used again in any way. Accordingly, Personal Data is deleted from media such as documents, files, CDs, floppy disks, and hard disks in which it is stored in a way that they cannot be recovered. Destruction of Personal Data means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, and hard disks, in which the data is recorded so that the information cannot be retrieved or used again. Anonymizing data means that Personal Data cannot be associated with an identified or identifiable natural person even if it is matched with other data.

4.3. Period of Storing Personal Data 

The Company stores Personal Data for the period specified in the legislation if it is stipulated in the legislation. If such a period of time regarding how long Personal Data should be stored is not stipulated in the legislation, Personal Data is processed during the required period in accordance with the Company’s practices and commercial practices depending on the activity carried out while processing that data, and then deleted, destroyed or anonymized.

If the purpose of processing Personal Data has ceased to exist and the retention periods determined by the legislation and the Company have expired, Personal Data may only be stored to provide evidence in potential legal disputes or to assert the relevant right related to Personal Data or to defend against a claim. Retention periods are determined based on the statute of limitations for asserting a right and examples of requests previously submitted to the Company on the same issues after the expiry of the statute of limitations. In such a case, stored Personal Data is not accessed for any other purpose, and Personal Data can be accessed only when it is required to be used in connection with the relevant legal dispute. Personal Data is deleted, destroyed, or anonymized after the expiry of the aforementioned period.

Detailed regulations on the Company’s technical procedures regarding the storage, deletion, destruction, and anonymization of Personal Data are included in the Company’s Personal Data Retention and Disposal Policy.

5. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA 

The Company also takes necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the Personal Data, to prevent unlawful access to data, and to ensure the storage of and performs or arranges for the performance of inspections made in accordance with Article 12 of the Law.

5.1. Ensuring the Security of Personal Data 

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data 

The Company takes technical and administrative measures based on technological capabilities and implementation costs in order to ensure that Personal Data is processed in accordance with the law.

• Technical Measures Taken to Ensure Lawful Processing of Personal Data
  

Main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

• Personal Data processing activities carried out within the company are audited by using established technical systems.
• Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
• Personnel knowledgeable in technical matters are employed.
• Administrative Measures Taken to Ensure Lawful Processing of Personal Data
  

Main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

• Employees are informed about and trained in the law on the protection of Personal Data and the lawful processing of Personal Data.
• All activities carried out by the Company are analyzed in detail for all business units and as a result of this analysis Personal Data processing activities carried out by the relevant business units are reported.
• Personal Data processed by the Company’s business units, requirements to be met in order to ensure that such processing activities comply with the Personal Data processing requirements set forth in the Law are determined by each business unit for the specific it carries out.
• In order to meet the legal compliance requirements determined for each business unit, awareness is created within relevant business units and rules of practice are determined and necessary administrative measures are implemented through in-house policies and training to ensure the control of these issues and continuous implementation.
• Except for the Company’s instructions and the exceptions stipulated in laws, provisions that impose the obligation not to process, disclose or use Personal Data are included in agreements and documents governing the legal relationship between the Company and the employees, efforts are made to raise awareness among employees in this regard, and obligations arising from the Law are fulfilled by conducting audits.

5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities, and the cost of implementation in order to prevent any inadvertent or unauthorized disclosure, access, transfer, or any other unlawful access to Personal Data.

• Technical Measures Taken to Prevent Unlawful Access to Personal Data
  

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

• Technical measures are taken in accordance with the developments in technology and they are updated and renewed periodically.
• Technical solutions regarding access and authorization are put into practice in accordance with legal compliance requirements determined for each business unit.
• Access authorizations are limited and authorizations are reviewed regularly.
• Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, the risky issues are reassessed and the required technological solution is produced.
• Software and hardware including virus protection systems and firewalls are installed.
• Personnel knowledgeable in technical matters are employed.
• Security scans are regularly performed to detect security gaps in applications where Personal Data is collected. Any gap so detected is closed.
• Administrative Measures Taken to Prevent Unlawful Access to Personal Data
  

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

• Employees are trained in technical measures to prevent unlawful access to Personal Data.
• Access and authorization processes for Personal Data are designed and implemented within the Company in accordance with the legal compliance requirements for the processing of Personal Data for each business unit.
• Employees are informed that the Personal Data that they may learn shall not be disclosed to a third party in violation of the provisions of the Law and cannot be used for purposes other than processing and that this obligation will survive even after they leave their job and necessary deeds of the undertaking are taken from them for that purpose.
• Provisions are included in agreements concluded by the Company with persons to whom the Personal Data is to be transferred in accordance with the law to ensure that persons to whom the Personal Data will be transferred will take necessary security measures for the protection of the Personal Data and ensure that these measures are complied with in their own organizations.

5.1.3. Storage of Personal Data in Safe Media

The Company takes necessary technical and administrative measures based on technological capabilities and implementation costs in order to keep Personal Data in secure media and to prevent its destruction, loss, or alteration for unlawful purposes.

• Technical Measures Taken for Storing Personal Data in Secure Media

The main technical measures taken by the Company to store Personal Data in secure media are listed below:

• Systems suitable for technological developments are used to store Personal Data in secure media.
• Personnel specialized personnel in technical matters are employed.
• Technical security systems for storage areas are established, security tests and research are carried out to detect security vulnerabilities in information systems, and existing or potential risky issues, which have been identified as a result of the tests and research, are eliminated. Technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism.
• Backup programs are used in accordance with the law to ensure that Personal Data is kept securely.
• Access to data is restricted to media where Personal Data is stored and only authorized persons are allowed to access this data exclusively for the purpose of storing Personal Data. Access to data storage areas where Personal Data is stored is logged and unauthorized access or attempts to access are instantly communicated to relevant persons.
• Administrative Measures Taken for Storing Personal Data in Secure Media

The main administrative measures taken by the Company to store Personal Data in secure media are listed below:

• Employees are trained to ensure that Personal Data is kept securely.
• Legal and technical consultancy services are procured in order to follow developments in the field of information security, privacy, and protection of Personal Data and to take necessary actions.
• In the event that external service is outsourced by the Company due to technical requirements regarding the storage of Personal Data, provisions stipulating that persons to whom the Personal Data are to be transferred will take necessary security measures to protect Personal Data and that their organizations will comply with those measures are included in agreements entered into with firms to which Personal Data is to be transferred lawfully.

5.1.4. Supervision of Measures Taken for the Protection of Personal Data

The Company conducts or hires others to conduct required audits within its organization in accordance with Article 12 of the Law. The results of these audits are reported to the relevant department within the scope of the internal operation of the Company and necessary actions are taken to improve measures taken.

5.1.5. Measures To Be Taken in Case of Unauthorized Disclosure of Personal Data

The Company operates a system that ensures that if Personal Data processed in accordance with Article 12 of the Law has been unlawfully obtained by others it is reported to the relevant data subject and the KVK Council as soon as possible. If deemed necessary by the KVK Council, such incidents may be announced on the website of the KVK Council or by any other method.

5.2. Protection of the Legal Rights of Data Subjects

The Company protects all legal rights of data subjects by implementing the Policy and Law and takes all necessary measures to protect their rights. Detailed information about the rights of data subjects is provided in the sixth section of this Policy.

5.3. Protection of Sensitive Personal Data

The Law attaches special importance to certain Personal Data because of the risk of causing victimization and/or discrimination when processed unlawfully. Such data is related to race, ethnicity, political views, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The Company pays maximum attention to the protection of sensitive Personal Data, which is designated as “sensitive” by the law and processed in accordance with the law. In this connection, technical and administrative measures taken by the Company for the protection of Personal Data are also implemented with the utmost care in terms of Sensitive Personal Data and the necessary audits are conducted within the Company in this regard.

6. RIGHTS OF DATA SUBJECT, EXERCISING AND ASSESSING THEIR RIGHTS

6.1. Enlightening Data Subjects

The Company informs data subjects during the acquisition of Personal Data in accordance with Article 10 of the Law. In this context, it enlightens them on the identity of the Company representative, for what purpose the Personal Data will be processed, to whom and for what purpose the processed Personal Data may be transferred, the method of collecting Personal Data, and its legal reason, and the rights of the data subject.

6.2. Rights of Data Subjects Under KVK Law

The Company informs data subjects of their rights in accordance with Article 10 of the Law and provides guidance on how to exercise these rights and makes required internal functioning, administrative and technical arrangements for that purpose. As per Article 11 of the Law, the Company informs data subjects that they are entitled to:

• Get information if his Personal Data has been processed or not,
• Request information about the Personal Data if it has been processed,
• Get information on the purpose of processing Personal Data and whether it has been used in accordance with its purpose,
• Get information about third parties to whom Personal Data has been transferred in the country or abroad
• Request correction of Personal Data if it is incomplete or incorrectly processed,
• Request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
• Request notification of actions taken pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom Personal Data has been transferred,
• Contest any outcome unfavorable to the data subject as a result of the analysis of processed data exclusively through automated systems,
• Request the compensation of the damage in case of damage due to the unlawful processing of Personal Data.

6.3. Circumstances in which Data Subject May Not Assert Rights

Since the following cases are excluded from the scope of the Law pursuant to Article 28 of the Law, data subjects may not claim their rights listed in Article (6.2.) of this Policy in the following cases:

• Processing of Personal Data by natural persons within the scope of activities related to themselves or their family members living in the same residence provided that they are not disclosed to third parties and that obligations regarding data security are fulfilled.
• Processing Personal Data for purposes such as research, planning, and statistics by making it anonymous through official statistics.
• Processing of Personal Data for purposes related to fine art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it is not prejudicial to national defense, national security, public security, public order, economic security, the privacy of private life or personal rights or does not constitute a crime.
• Processing of Personal Data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.
• Processing of Personal Data by judicial authorities or enforcement authorities in connection with an investigation, prosecution, trial, or execution proceedings.

As per Article 28/2 of the Law and in cases listed below, data subjects may not assert their rights listed in the article (6.2.) of this Policy, except for the right to demand compensation for damage:

• The processing of Personal Data is necessary for crime prevention or criminal investigation.
• Processing of Personal Data by the data subject made public by him.
• The processing of Personal Data is required by competent and authorized public institutions and organizations and professional organizations designated as public institutions for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority vested by the law.
• The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax, and financial matters.

6.4. Exercise of Rights by the Data Subject

Data subjects may submit their requests regarding their rights listed in article (6.2.) of this Policy to the Company by filling out and signing the Application Form, which you can access via www.alpetmadeniyaglari.com with the information and documents that will determine their identity and by using methods specified below or other methods determined by the KVK Council and communicating it to the Company free of charge:

• When the application form has been filled out, a copy bearing a wet signature should be delivered in person or through a notary public to Yeşilköy Mah. Ataturk Cad. No:12 EGS Business Park B2 Blok Kat:10 34149 Bakırköy / İSTANBUL,
• After completing the application form and signing it with a secure electronic signature under the Electronic Signature Law No. 5070, the form bearing a safe electronic signature should be sent to www.alpetmadeniyaglari.com via registered e-mail.
• The applicant may apply in person by presenting documents substantiating his identity and information and documents related to the application and send the application form by using the e-mail address previously notified to the Company and registered in the Company’s system, by applying in person with the document confirming the identity of the applicant and the information and documents related to the subject of the application.

In order for third parties to apply on behalf of data subjects, a special power of attorney issued by the data subject through a notary public on behalf of the person intending to apply must be presented.

6.5. Procedure Followed by Company for Responding to Applications and Term 

The company processes applications free of charge as soon as possible or within thirty days at the latest, depending on the nature of the request. However, if the said transaction requires an additional cost, the fee in the tariff determined by the KVK Board may be charged. The company may accept the request or reject it by explaining the reason and providing an answer in writing or electronically. In case the request in the application is accepted, the Company meets the request accordingly.

6.6. Data Subject’s Right to Lodge a Complaint with KVK Council 

If an application has been rejected or the response is found to be insufficient or the application is not processed in due time, the data subject will be entitled to file a complaint with the KVK Council within thirty days from the date of receipt of the letter of response and in any case within sixty days from the date of application.

7. MANAGEMENT STRUCTURE PURSUANT TO THE COMPANY’S POLICY TO PROCESS AND PROTECT PERSONAL DATA

A Personal Data Committee has been established in accordance with the decision of the Company’s senior management to manage this Policy and other policies related to and associated with this Policy. The Personal Data Committee is authorized and responsible for taking necessary actions for the storage and processing of personal data of data subjects in accordance with the law, this Policy and other related and associated policies. There are detailed regulations in the Personal Data Storage and Destruction Policy published on the Company’s website regarding those assigned to the Personal Data Committee and their duties.

8. UPDATES, CONSISTENCY AND REVISIONS

8.1. Updates and Consistency

The Company reserves the right to make changes to this Policy and other related and associated policies as a result of any amendment to the Law or in accordance with the decisions of the KVK Council or in line with the developments in the sector or in the field of informatics. Revisions to this Policy are immediately entered in the text and explanations regarding the changes are explained at the end of the Policy.