Data Storage and Security Policy

INSTITUTE FOR BEHAVIORAL SCIENCES PERSONAL DATA PROTECTION AND PROCESSING POLICY

CONTENTS

INTRODUCTION

• Purpose and Scope of the Policy
• Enforcement and Change

DATA SUBJECTS, DATA PROCESSING PURPOSE AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

• Data Subjects
• Personal Data Processing Purposes
• Personal Data Categories

PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

• Principles Regarding the Processing of Personal Data
• Conditions Regarding the Processing of Personal Data
• Conditions Regarding the Processing Sensitive Personal Data

TRANSFERRING PERSONAL DATA

CLARIFICATION FOR AND RIGHTS OF DATA SUBJECTS

DELETING, DESTROYING OR ANONYMIZING PERSONAL DATA

SCOPE OF THE LAW AND RESTRICTIONS ON ITS APPLICATION

INTRODUCTION

Purpose and Scope of the Policy

Davranış Bilgi Eğitim Araştırma ve Psikolojik Danışmanlık Hizmetleri A.Ş. ('DBE') Personal Data Protection and Processing Policy ('Policy') created in accordance with Law No. 6698, covers the procedures and principles determined by our company within the scope of the Law.

Our company has adopted the principles and essentials determined within the scope of the Law in the protection and processing of personal data. This policy regulates the processing of the data of the candidate, client, potential client, business partner, supplier, and third parties whose data are processed by our company.

Definitions regarding the terms used in the policy are in Appendix-1.

Enforcement and Change

The Policy has entered into force within the scope of the Personal Data Protection Compliance Project carried out by the company. The company reserves the right to make changes in the policy in line with the legal regulations.

DATA SUBJECTS, DATA PROCESSING PURPOSE AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

Data Subjects

Data subjects within the scope of the policy are all natural persons, except for company employees, whose personal data are being processed by the company. In this context, the categories of data subjects are as follows:

Personal Data Processing Purposes

Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the personal data processing conditions in the Law and relevant legislation:

• Managing emergencies
• Execution of information security processes
• Execution of recruitment processes
• Execution of employment application processes
• Managing issues related to audit/ethic
• Execution of training activities
• Execution of Access authorizations
• Execution of activities in accordance with legislation
• Execuiton of finance and accounting tasks
• Ensuring pyhsical environment security
• Execution of assignment processes
• Follow up and execution of legal affairs
• Conducting internal audit/ investigation / intelligence activities
• Execution of communication activities
• Planning human resources processes
• Execution / supervision of business activities
• Receiving and evaluating feedbacks for improvement of business processes
• Execution of business continuity activities
• Execution of goods/services purchasing processes
• Execution of after-sales support services for goods/ services
• Execution of goods/ services sales processes
• Organization and event management
• Execution of storage and archive activities
• Execution of contract processes
• Execution of strategic planning activities
• Follow-up of requests and compliants
• Ensuring the security of movable property and resources
• Execution of wage policy
• Execution of marketing processes of products/ services
• Ensuring the security of data
• Providing information to authorized persons, institutions, and organizations
• Managing executive activities
• Creation and follow-up of visitor records

Personal Data Categories

Your personal data, categorized below, are processed by the company in accordance with the personal data processing conditions in the Law and relevant legislation:

PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

Principles Regarding the Processing of Personal Data

Your personal data is processed by the Company in accordance with the personal data processing principles set forth in Article 4 of the Law. It is mandatory to comply with these principles for each personal data processing activity:

• Processing personal data in accordance with the law and the rules of honesty: The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data owners.
• Accurate and up-to-date personal data: Company takes care to ensure that your personal data processed by the company is up-to-date and checks are made accordingly. In this context, data owners are given the right to request correction or deletion of their correct and outdated data.
• Processing personal data for specific, clear and legitimate purposes: The Company determines the purposes of data processing before each personal data processing activity and pays attention to the fact that these purposes are not against the law.
• Being connected, limited and measured with the purpose for which personal data is processed: Data processing is limited to the personal data necessary to fulfill the purpose of collection, and necessary steps are taken to prevent the processing of personal data unrelated to this purpose.
•  Keeping personal data for as long as required by the legislation or processing purposes: Personal data is deleted, destroyed or anonymized by the company after the purpose of processing personal data disappears or when the period stipulated in the legislation expires.

Conditions Regarding the Processing of Personal Data

Your personal data is processed by the company in the presence of at least one of the personal data processing conditions in Article 5 of the Law. Explanations on these conditions are given below:

• Explicit consent of the personal data owner: In the absence of other data processing conditions, In accordance with the general principles set forth under the title 3.1., the personal data of the data subject may be processed by the Company with the free will of the data subject, provided that he/she gives sufficient information about the personal data processing activity, leaving no room for hesitation, and only limited to that transaction.
• Personal data may be processed by the Company without the explicit consent of the data owner, if the personal data processing activity is expressly stipulated in the law. In this case, the Company will process personal data within the framework of the relevant legal regulation.
• In case the explicit consent of the data owner cannot be obtained due to the actual impossibility and the personal data processing is mandatory, the personal data belonging to the data owner, whose consent cannot be declared by the company or whose consent cannot be validated, shall be deemed mandatory in order to protect the life or physical integrity of the data owner or a third person.
• In the event that the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing will be carried out if it is necessary to process the personal data of the parties to the contract established or already signed between the data owner and the Company.
• In the event that it is necessary to carry out personal data processing activities in order to fulfill the legal obligation of the data controller, the Company processes personal data in order to fulfill its legal obligations under the applicable legislation.
• If the data owner has made his personal data public, the personal data that has been disclosed to the public in any way by the data owner, and that has been made available to everyone as a result of making it public, may be processed by the Company, limited to the purpose of making it public, even without the explicit consent of the data owners.
• In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company may process the personal data of the data subject without the explicit consent within the scope of the obligation.
• Provided that it does not harm the fundamental rights and freedoms of the data owner, if data processing is necessary for the legitimate interests of the data controller, personal data may be processed by the Company, provided that the balance of interests of the Company and the data owner is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest to be obtained as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data owner, and if it considers that the balance is not disturbed, it performs the processing.

Conditions Regarding the Processing Sensitive Personal Data

In Article 6 of the Law, categories of sensitive personal data are specified in a limited number. These are the data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Company can process sensitive personal data in the following cases by taking additional measures determined by the Personal Data Protection Board:

• The processing of sensitive personal data other than health and sexual life can only be conducted if the data owner gives explicit consent or if it is expressly stipulated in the law.
• Personal data related to health and sexual life can only be obtained without the explicit consent of the data owner by persons under the obligation of keeping confidentiality or authorized institutions and organizations for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

TRANSFERRING PERSONAL DATA

In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the company can transfer personal data domestically or abroad, if there are conditions for the transfer of personal data.

• Transfer of personal data to third parties in the country: Your personal data can be transferred by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law, provided that the basic principles regarding data processing conditions are complied with.
• Transfer of personal data to third parties abroad: In cases where the person does not have his explicit consent, in the presence of at least one of the data processing conditions in Articles 5 and 6 of the Law, your personal data can be transferred abroad by the Company, provided that the basic principles regarding data processing conditions are complied with.

If the country to which the transfer will be made is not one of the safe countries to be announced by the Personal Data Protection Board, upon the written commitment of the company and the data controller in the relevant country, the Personal Data Protection Board allows this process, personal data can be transferred to third parties abroad, provided that at least one of the data processing conditions specified in Articles 5 and 6 of the Law is present

In accordance with the general principles of the law and the data processing conditions in Articles 8 and 9, the Company can transfer data to the parties categorized in the table below:

CLARIFICATION FOR AND RIGHTS OF DATA SUBJECTS

According to Article 10 of the Law, before the processing of personal data or at the latest during the time of processing, data owners must be informed about the processing of personal data. In accordance with the relevant article, the necessary structure within the company to ensure that data owners are enlightened in every situation where personal data processing is carried out by the Company as the data controller was created. In this context, we would like to state that you, as the data owner, have the following rights in accordance with Article 11 of the Law:

• Learning whether your personal data is processed or not,
• If your personal data has been processed, requesting information about it,
• To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
• Knowing the third parties to whom your personal data is transferred, in the country or abroad,
• Requesting the correction of your personal data in case of incomplete or incorrect processing and requesting the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
• Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the Law and other relevant law provisions, and requesting the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
• Objecting to a result against you by analyzing the processed data exclusively through automated systems,
• Requesting the compensation of the damage in case you suffer due to unlawful processing of your personal data.

You can forward your applications regarding your listed rights to kvkk@dbe.com.tr. Depending on the nature of your request, your applications will be concluded free of charge as soon as possible and within thirty days at the latest. However, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.

APPENDIX-1: DEFINITIONS