Personal Data Protection & Processing Policy

1. Purpose

As Kafein Yazılım Hizmetleri Ticaret A.Ş. (“Kafein” or the “Company”), our priority is to ensure that the personal data and special categories of personal data of our employees, employee candidates, interns, intern candidates, supplier representatives, supplier employees, our partners, subcontractors, members of the board of directors, visitors, online visitors, individuals who receive products or services and potential product or service recipients, and other third parties are processed in accordance with the Constitution of the Republic of Turkey, international conventions on human rights to which our country is a party, and primarily the Law on the Protection of Personal Data No. 6698 (“PDPL” or the “Law”) , as well as the relevant primary and secondary legislation, and to ensure that the rights of the data subjects whose data is processed are effectively exercised.

The protection of personal data and the observance of the fundamental rights and freedoms of natural persons whose personal data is collected constitute the core principle and element of our personal data processing policy. Therefore, we carry out all our activities in which personal data is processed by observing the right to the protection of private life, confidentiality of communication, freedom of thought and belief, and the right to access effective legal remedies.

We take all administrative and technical protection measures, suitable to the nature of the relevant data, in accordance with legislation and current technology for the protection of personal data, and we update the measures we have taken when necessary.

This Kafein Personal Data Protection and Processing Policy (“Policy”) explains the procedure we follow to process the personal data collected during our activities in accordance with the PDPL and other relevant legislation.

2. Scope

This Policy applies to all personal data belonging to, but not limited to, our employees, employee candidates, interns, intern candidates, supplier representatives, supplier employees, visitors, shareholders and partners, members of the board of directors, online visitors, individuals who receive products or services and potential product or service recipients, and other third parties, which are subject to data processing activities by Kafein.

Our Policy applies to all personal data processing activities carried out within Kafein, and has been prepared by taking into account the PDPL, other legislation related to personal data, and international standards in this field. In case of any conflict between the applicable legislation and this Policy, the applicable legislation shall prevail.

http://www.mevzuat.gov.tr/MevzuatMetin/1.5.6698.pdf

3. Definitons and Abbreviations

Within the scope of this Policy:

  1. Kafein or the Company: Refers to Kafein Yazılım Hizmetleri Ticaret A.Ş.,
  2. Explicit Consent: Refers to consent that is based on information and given with free will, clearly stated, related to a specific subject, and limited solely to that process,
  3. Anonymization: Refers to rendering personal data impossible to be associated with an identified or identifiable natural person, under any circumstances, even when matched with other data,
  4. Employee: Refers to Kafein personnel,
  5. Employee Candidate: Refers to individuals who have applied for a job at Kafein,
  6. Online Visitors: Refers to visitors of Kafein’s website,
  7. Data Subject: Refers to natural persons whose personal data is processed,
  8. Personal Data: Refers to any information relating to an identified or identifiable natural person,
  9. Special Categories of Personal Data: Refers to data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data,
  10. Processing of Personal Data: Refers to any operation performed on personal data, whether by fully or partially automated means or by non-automated means provided that it is part of any data recording system, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use,
  11. Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller,
  12. Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
  13. PDP Board: Refers to the Personal Data Protection Board,
  14. PDP Authority: Refers to the Personal Data Protection Authority,
  15. PDPL or the Law: Refers to the Law on the Protection of Personal Data published in the Official Gazette dated April 7, 2016 and numbered 29677,
  16. Policy: Refers to this Kafein Personal Data Protection and Processing Policy.

4. Roles and Responsibilities

4.1. Human Resources

[Human Resources and/or Quality] are responsible for taking necessary actions in case of non-compliance with this Policy, rules, and regulations.

4.2. Board of Directors

This Policy has been approved by the [Board of Directors], and the[Board of Directors] is the authorized approval mechanism for ensuring the establishment, implementation, and updating of the Policy when necessary. The [Board of Directors] is responsible for taking the necessary measures to ensure compliance with the Policy by the employees within activities they are responsible for and by external service providers, and for examining issues to identify any non-compliance with the Policy.

4.3. Human Resources, Quality, Information Technologies

Human Resources, Quality, and Information Technologies are responsible for the preparation, development, execution, and updating of this Policy. [Human Resources, Quality, Information Technologies] evaluate this Policy in terms of currency when necessary. The responsibility for publishing the prepared document on the company portal belongs to [Quality].

4.4. Quality

The responsibility for internal distribution of the prepared document belongs to Quality.

4.5. Marketing and Sales

Within the scope of this Policy, Marketing and Sales are responsible for ensuring public disclosure by the Company, publishing the prepared document on the website, and sharing it simultaneously with all relevant parties.

5. Legal Obligations

5.1. Our Obligation to Inform

As the data controller, we are obligated to inform the Data Subject, at the time of collecting personal data, regarding:

  • Our identity as the Data Controller,
  • The purposes and legal grounds for processing the personal data,
  • To whom and for what purposes the processed personal data may be transferred,
  • The method of collecting the data, and
  • The rights arising from the PDPL.

As Kafein, we pay attention to ensuring that this publicly accessible Policy is comprehensible and easily accessible. We fulfill our obligation to inform via our website, information boards located at our physical premises, or information texts specific to the relevant categories of data subjects.

5.2. Our Obligation to Ensure Data Security

As the data controller, we take the administrative and technical measures stipulated by the legislation to ensure the security of the personal data we process. Obligations regarding data security and the measures taken are explained in detail in Section 11 of this Policy.

6. Classifications of Personal Data

6.1. Personal Data

The protection of personal data applies only to natural persons, and information pertaining to legal persons that does not include data relating to a natural persons is excluded from personal data protection. Therefore, this Policy does not apply to data relating to legal persons. This Policy applies to directly identifiable personal data such as a person’s name, surname, or Turkish ID number, as well as to information that indirectly identifies the relevant person.

6.2. Special Categories of Personal Data

Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are classified as special categories of personal data. Special categories of personal data are also subject to the provisions of this Policy.

6.3. Categories of Personal Data

Within the scope of our commercial activities and employment purposes, we process personal data relating to the following categories of individuals and fulfill our obligation to inform the data subjects:

7. Processing of Personal Data

7.1.1. Processing in accordance with law and the rules of honesty

We process personal data in compliance with legislation and the principles of honesty, fulfilling our obligation of information disclosure.

7.1.2. Ensuring the accuracy of personal data and keeping it up-to-date when necessary

We take the necessary administrative and technical measures within our data processing procedures to ensure that the data processed is accurate and up to date. However, since a significant part of the data is processed based on the declarations of the Data Subject, we reflect these declarations as accurately as possible and provide Data Subjects with the opportunity to update their data and correct any errors, if any.

7.1.3. Processing in accordance with law and the rules of honesty

We process personal data in compliance with legislation and the principles of honesty, fulfilling our obligation of information disclosure.

7.1.4. Being relevant, limited and proportionate to the purpose for which they are processed

We process personal data in a manner that is relevant, limited, and proportionate to our stated purposes.

We avoid processing personal data that is not relevant or not necessary for our purposes. Therefore, we do not process special categories of personal data unless legally required or unless we obtain explicit consent when necessary.

7.1.5. Retention of personal data for the period stipulated in the relevant legislation or necessary for the purposes for which they are processed

Numerous regulations require the retention of personal data for a certain period. Accordingly, our Company first determines whether a retention period is stipulated in the relevant legislation, and if so, complies with this period. If no legal period is specified, personal data is retained for as long as required for the purposes for which it was processed. When the retention period stipulated in the legislation expires or the purpose of processing is no longer valid, we delete, destroy or anonymize personal data.

7.2. Our purposes for processing personal data

As Kafein, our purposes for processing personal data are detailed in the Disclosure Texts prepared for each data category and data subject category.

If the processing activity conducted for the purposes listed in the said texts does not meet any of the legal grounds set out in Articles 5 and 6 of the PDPL, Kafein obtains your explicit consent for the relevant processing activity.

7.3. Our methods of collecting personal data

Personal data is collected through the Kafein job application form, internship application form, printed communication/complaint forms, online electronic forms (e.g., website contact form), surveys, employment contracts, vocational internship agreements, contracts, CVs, electronic tracking and physical access control systems located in the workplace (e.g., biometric and card access systems, CCTV), information systems and electronic devices (e.g., telecommunications infrastructure, computers, and telephones), online platforms (website, mobile app, etc.), public and private employment agencies (e.g., Kariyer.net, LinkedIn), Cookies created by our online platforms, Tracking Cookies created by third parties, website usage measurement systems (e.g., Google Analytics), and other documents declared by the Data Subject.

7.4. Our Legal Grounds for Collecting Personal Data

Personal data is collected by Kafein and natural or legal persons acting on behalf of Kafein for the purposes stated above specific to each data category, based on one of the legal grounds listed in Article 5 of the Law:

  • Obtaining the Data Subject’s “explicit consent”,
  • “Explicitly stipulated in the laws”,
  • “Being directly related to the establishment or performance of a contract, provided that it is necessary to process the personal data of the parties to the contract”,
  • “It is necessary for the data controller to fulfill its legal obligation”,
  • “It is necessary for the establishment, exercise, or protection of a right”,
  • “Provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary for the legitimate interests of the data controller”

7.5. Our Legal Grounds for Collecting Personal Data

Special categories of personal data are processed on legal grounds in accordance with Article 6 of the PDPL and as indicated in this policy:

  • The data subject has given explicit consent,
  • Clearly stipulated in the law,
  • Processing is mandatory to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
  • Personal data that the data subject has made public is processed in accordance with their disclosure intent,
  • Processing is necessary for the establishment, exercise, or protection of a right,
  • Processing is necessary by persons or authorized institutions and organizations who are under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, management and financing of health services,
  • Processing is necessary to fulfill legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance,
  • Processing is limited to the activities of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade-union purposes in accordance with the legislation they are subject to, provided that it is not disclosed to third parties and it is limited to their current or former members or persons in regular contact with them.

7.6. Processing of personal and special categories of personal data

7.6.1. Processing of personal data based on explicit consent

As required by Law, personal data cannot be processed without the explicit consent of the Data Subject. In cases where the processed data is a special category of personal data, the explanations in this Policy shall apply. The necessary informations are provided through our disclosure texts.

7.6.2. Cases Where Explicit Consent is Not Required for Processing Personal Data

We may process personal data without explicit consent in the following cases:

  • Where it is explicitly stipulated in the laws

The personal data of the Data Subject may be processed in accordance with the law in cases where it is clearly stipulated in the laws (For example, keeping the personal information of the employee as required by law).

  • Where the explicit consent of the data subject cannot be obtained due to actual impossibility

Personal data may be processed without explicit consent in the event that the processing is mandatory for the protection of the life or physical integrity of the person or of another person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid.

  • Where it is directly related to the establishment or performance of a contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data without obtaining explicit consent if it is necessary to process personal data belonging to the parties to the contract (For example, recording the address information of the customer company in order to deliver the service to be physically delivered / installe).

  • Where processing is necessary for compliance with a legal obligation

Personal data that must be processed in order to fulfill a legal obligation may be processed without the explicit consent of the Data Subject (For example, fulfillment of legal obligations such as information storage, reporting, informing stipulated by official institutions and authorities; sharing information in audits specific to areas such as banking, energy, capital markets, etc.).

  • Where the data has been made public by the Data Subject

Personal data made public by the Data Subject, in other words, personal data disclosed to the public in any way, may be processed without obtaining explicit consent.

  • Where processing is necessary for the establishment, exercise, or protection of a right

In the event that data processing is mandatory for the establishment, exercise or protection of a right, personal data may be processed without obtaining explicit consent (for example, storing the necessary information of a departing employee during the statute of limitations for lawsuits).

  • Where processing is necessary for the legitimate interests of Data Subject

Provided that it does not harm the fundamental rights and freedoms of the Data Subject, personal data may be processed without seeking explicit consent in the event that data processing is mandatory for the legitimate interests of Kafein (For example, monitoring with CCTV equipment in order to ensure Kafein’s workplace security).

7.7. Processing of personal data collected through cookies on our website

We process your personal data through cookies on our website at https://www.kafein.com.tr/

We use cookies to enhance and facilitate the use of our website, ensure its proper operation, and make your time on our website more efficient and enjoyable. We also use some cookies to remember your preferences and provide you with an improved and personalized experience.

The data processed through cookies is not used for identifying your identity, personalized profiling, targeting, or tracking your activities outside of our website.

If you do not want your personal data to be collected and processed through cookies, you can reject cookies on our website at any time.We remind you that if you reject cookies, our website may not function properly and there may be interruptions in the display or provision of services. For detailed information regarding the cookies we use, you can review the Cookie Policy published on our website.

7.8. Processing of personal data collected through wireless network access

Wireless internet service is provided within the Company, and Kafein is defined as a “Public Use Internet Provider” under the relevant legislation.

Wireless network access is carried out within the Company, and the identification of users who want to benefit from this service, their IP address, connection start and end times, and target IP information are recorded electronically, as part of the obligations of the Public Use Internet Provider. In addition to these records, log data is also retained pursuant to Law No. 5651 on Regulating Publications on the Internet and Combating Crimes Committed by Means of Such Publications and related legislation.

7.9. Processing of personal data collected for human resources and employment purposes

During the application process as a job/intern candidate, your personal data shared with us is processed for the purpose of managing the processes of selection and placement of Job / Intern / Student candidates, as well as other purposes stated in the disclosure text, and, if you provide your consent, it is retained for future evaluation for open positions within Kafein. The processing of the personal data you share as a candidate is carried out in accordance with the principles and rules stated in this Policy.

Our employees are also informed about the rules regarding the processing of their personal data.

7.10. Processing of personal data for ensuring general security

As Kafein, we process the personal data of our employees and visitors to ensure physical security of our premises and compliance of our activities with legislation.

In this context, we record the camera footage of individuals on our premises via CCTV (closed-circuit television) and retain such recordings for the period stipulated by the relevant legislation, and delete, destroy, or anonymize the data in accordance with our data retention and destruction policies and procedures.

8. Transfer of Personal Data

8.1 Transfer of Personal Data within the Country

As Kafein, we act in accordance with the regulations stipulated in the PDPL and the decisions taken by the Personal Data Protection Board regarding the transfer of personal data.

Except for the legal grounds stipulated in the legislation, personal data and special categories of personal data are not transferred to third parties without the explicit consent of the Data Subject.

8.2. Transfer of personal data abroad

As a rule, personal data cannot be transferred abroad without the explicit consent of the Data Subject.

Pursuant to Article 9 of the PDPL, personal data may be transferred abroad by us if one of the conditions specified in Articles 5 and 6 of the Law is present and there is a decision of adequacy for the country and the sectors within the country, or the international organizations to which the transfer will be made.

In the absence of an adequacy decision, personal data may be transferred abroad by us if one of the conditions specified in Articles 5 and 6 is present and the data subject has the opportunity to exercise their rights and access effective legal remedies in the country where the transfer will be made, provided that one of the following appropriate safeguards is provided;

a) The presence of a non-international agreement between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations with public institution status in Türkiye and the Board granting permission for the transfer

b) The presence of binding corporate rules containing provisions on the protection of personal data approved by the Board that companies within the same economic group are obligated to comply with

c) The presence of a standard contract published by the Board containing matters such as data categories, purposes of transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data

ç) The presence of a written undertaking containing provisions ensuring adequate protection and the Board granting permission for the transfer

In the absence of an adequacy decision and any of the appropriate safeguards stipulated in the fourth paragraph, data controllers and data processors may transfer personal data abroad only under the following conditions, on an occasional basis;

a) The data subject has given explicit consent after being informed about the potential risks

b) The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the data subject’s request

c) The transfer is necessary for the establishment or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person

ç) The transfer is necessary for public interest

d) The transfer of personal data is necessary for the establishment, exercise, or protection of a right

e) The transfer of personal data is necessary to protect the life or physical integrity of the person who cannot express their consent due to actual impossibility or whose consent is not legally valid

f) Transfer is made from a registry that is open to the public or to persons with legitimate interest, provided that the conditions required to access the registry by law are met

In addition, personal data may be transferred abroad, without prejudice to the provisions of international agreements, with the permission of the Board, provided that the opinion of the relevant public institution or organization is obtained in cases where the interests of Türkiye or the data subject would be seriously harmed.

8.3. Third Parties to Whom Personal Data Is Transferred by Kafein

Personal data may be transferred to the recipient/recipient groups listed below within the scope of the rules specified in this Policy:

Suppliers, Affiliates and subsidiaries, Group companies, Authorized public institutions and organizations, Natural persons or private legal entities, Business partners, Shareholders.

8.4. Measures we take to ensure that personal data is transferred in accordance with the law

8.4.1. Technical Measures

We take various technical measures, including but not limited to the following, to protect personal data. Within this scope:

  1. We establish the necessary technical organization within Kafein to process and store personal data in compliance with legislation,
  2. We establish the necessary technical infrastructure to ensure the security of the databases where your personal data is stored,
  3. We monitor the processes of the established technical infrastructure and perform audits,
  4. We periodically update and renew technical measures,
  5. We reassess risky situations and produce technological solutions accordingly,
  6. We use software or hardware security products such as antivirus systems, firewalls, and install security systems appropriate to technological advancements,
  7. We employ personnel specialized in technical matters.
8.4.2. Administrative Measures

We take various administrative measures, including but not limited to the following, to protect personal data. Within this scope:

  1. We establish access policies and procedures regarding personal data, including those for Kafein employees,
  2. We inform and train our employees regarding the lawful protection and processing of personal data,
  3. We include clauses in contracts and/or policies with our employees concerning the actions to be taken in the event of unlawful processing of personal data,
  4. We audit the data processing activities of data processors or their partners that we work with.

9. Storage of Personal Data

9.1. Storage of personal data for the period stipulated in the legislation or required for the purpose for which they are processed

We store personal data for the duration required by the purpose of processing and under our Personal Data Storage and Destruction Policy, provided that the retention periods stipulated by legislation are reserved. For more information, you may visit our website.

In cases where we process data for multiple purposes, if all purposes of processing cease to exist or upon the request of the Data Subject, and provided there is no legal impediment, data is deleted, destroyed, or anonymized. The legislation and the decisions of the PDP Board are complied with in matters of destruction, deletion or anonymization.

9.2. Measures Taken Regarding Data Storage

9.2.1. Technical Measures
  1. We establish technical infrastructures and audit mechanisms for the deletion, destruction, or anonymization of personal data,
  2. We take necessary security measures to ensure secure storage,
  3. We employ technically competent staff,
  4. We develop business continuity and emergency response systems against potential risks,
  5. We implement security systems in line with technological advancements for storage environments.
9.2.2. Administrative Measures
  1. We raise awareness by providing periodic training to employees about the technical and administrative risks of personal data storage,
  2. If we collaborate with third parties for data storage, we include provisions in contracts ensuring that such data is protected and securely stored.

10. Deletion, Destruction, or Anonymization of Personal Data

Personal data collected within the scope of our processing purposes is processed and stored in accordance with our processing purposes and applicable laws.

Personal data is deleted, destroyed, or anonymized in the following cases;

  • When all purposes for processing cease to exist, or
  • Upon the request of the Data Subject.

Such deletion, destruction and anonymization actions are carried out within the scope of our Personal Data Storage and Destruction Policy without prejudice to the provisions of the relevant legislation. You can access the Policy at: https://www.kafein.com.tr/home/kvkk.

Security measures outlined in this Policy are taken during the deletion, destruction, or anonymization of personal data.

Records of the actions taken to delete, destroy or anonymize are stored for a minimum of 3 years, unless otherwise specified by legislation.

Unless otherwise decided by the PDP Board, Kafein selects the appropriate method among deletion, destruction, or anonymization. In case of a request from the Data Subject, the selected method is justified and explained.

11. Security of Personal Data

11.1. Our Obligations Regarding Data Security

As Kafein, we take administrative and technical measures according to technological capabilities and implementation costs in order to:

  • Prevent unlawful processing of personal data,
  • Prevent unlawful access to personal data,
  • Ensure lawful storage of personal data.

11.2. Measures to Prevent Unlawful Processing

We:

  • Ensure network and application security,
  • Use closed network systems for data transfers,
  • Implement key management practices,
  • Take necessary measures for the procurement, development, and maintenance of Information Technology systems,
  • Conduct periodic data security training and awareness activities for employees
  • Create an authorization matrix for employees,
  • Apply corporate policies on access, security, use, storage, and destruction,
  • Sign confidentiality agreements,
  • Revoke permissions of employees upon job change or resignation,
  • Use up-to-date antivirus systems,
  • Use firewalls,
  • Include data security provisions in contracts,
  • Develop policies and procedures for data security,
  • Report data security incidents promptly,
  • Monitor data security practices,
  • Take the necessary security measures for entering and exiting physical environments containing personal data,
  • Secure environments containing personal data against external risks (e.g., fire, flood),
  • Ensure the security of environments containing personal data
  • Reduce the personal data wherever possible,
  • Back up data and ensure the security of backups,
  • Implement and monitor user account management and authorization control systems
  • Use intrusion detection and prevention systems,
  • Conduct penetration tests,
  • Take cybersecurity precautions and perform regular audits,
  • Audit data processors periodically
  • Raise data processors’ awareness on data protection.

11.3. Measures Taken in Case of Unlawful Disclosure

We take and update administrative and technical measures to prevent unlawful disclosure. In the event we detect unauthorized disclosure, we establish systems and infrastructures to notify the Data Subject and PDP Board.

Despite all administrative and technical measures taken, such disclosures may also be announced on the Board’s website or via other means If required by the PDP Board.

12. Right of the Data Subject

We inform the Data Subject as part of our disclosure obligation and establish the necessary systems and infrastructure. We make the required technical and administrative arrangements to ensure the exercise of the rights of the Data Subject.

The Data Subject has the following rights in relation to his/her personal data:

  • Learn whether personal data is processed,
  • Request information if personal data has been processed,
  • Learn the purpose of processing and whether it is used accordingly,
  • Know the third parties to whom personal data is transferred domestically or abroad,
  • Request correction of incomplete or inaccurate personal data,
  • Request deletion or destruction of personal data if the conditions for processing cease to exist,
  • Request notification of correction or deletion to third parties,
  • Object to the occurrence of an unfavorable result by analyzing the processed data exclusively through automated systems
  • Claim compensation in case of damages due to unlawful processing.

12.1. Exercising rights regarding personal data

As a Data Subject, you may submit your requests regarding the processing of your personal data, if a separate method is determined by the Personal Data Protection Board, by using this method or in writing and with wet signature to Kafein Data Subject Application Form or to our e-mail address info@kafein.com.tr signed with secure electronic signature or mobile signature as defined in the Electronic Signature Law No. 5070.

Pursuant to the Communiqué on the Procedures and Principles of Application to the Data Controller (“Communiqué”), the application of the Data Subject must include the name, surname, signature (if the application is in writing), Turkish ID number, (if the applicant is a foreigner, nationality, passport number or ID number, if any), residential or workplace address for notification, e-mail address for notice, telephone number and fax number, and information on the subject of the request.

You must clearly and understandably specify the requested right and attach supporting documents.

The Data Subject must explicitly and comprehensibly specify the matter requested in the application to exercise the above-mentioned rights and containing explanations regarding the right they request. Information and documents related to the application must be attached to the it.

In case of the information regarding your requests you submit within the scope of your application is not accurate and up-to-date, misleading or unauthorized, your request will be rejected and legal action will be taken against the person who has made an irregular process.

Although the subject of the request must be related to the applicant’s person, if acting on behalf of someone else, the applicant must be specifically authorized in this regard and this authority must be documented (notarized power of attorney or authorization certificate is required.) Otherwise, requests made by unauthorized third parties will not be evaluated. In addition, in order to prevent unauthorized access to personal data by third parties by making a Data Subject application and to ensure the security of your personal data, identity-verifying documents (e.g. copy of ID or driver’s license ) must be attached for identification and authorization.

12.2. Evaluation of Applications

12.2.1. Response time of the application

In accordance with the first paragraph of Article 13 of the PDPL; applications to Kafein as the Data Controller regarding these requests must be forwarded to Kafein. According to Article 6 of the Communiqué, your request will be finalized free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request, from the date of receipt by us. However, if the process requires an additional cost, a fee may be charged in accordance with Article 7 of the Communiqué.

12.2.2. Our right to reject application

Applications may be rejected in cases including but not limited to:

  • Data processed for purposes such as research, planning and statistics by anonymizing them with official statistics,
  • Data processed for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate the right to privacy or personality rights of the Data Subject or does not constitute a crime,
  • Data processed that has been disclosed by the Data Subject,
  • Unjustified application,
  • Requests contrary to legislation and
  • Noncompliance with application procedures.

12.3. Application Evaluation Procedure

In order to initiate the response period specified in Article 12.2.1. of this Policy, the applications must be submitted to Kafein in writing and with wet signature via the Data Subject Application Form by hand delivery or via notary, via e-mail with electronic signature or by using the e-mail address previously notified to the Data Controller by the Data Subject and registered in the system of the Data Controller.

If the request is accepted, the necessary procedures will be carried out and the applicant will be notified in writing or electronically. In case the request is rejected, the applicant will be informed in writing or electronically, with the reasons for the rejection explained.

12.4. Right to Lodge a Complaint to PDP Board

In cases where the application is rejected, the response is deemed insufficient, or no response is provided within the prescribed period, the applicant has the right to file a complaint with the PDP Board within 30 (thirty) days from the date of becoming aware of the response, and in any event, within 60 (sixty) days from the date of the application.

13. Specific Cases in Which Your Personal and Sensitive Personal Data is Processed

13.1. Personal Data Processing Activities at the Main Building, Facility Entrances, and Within the Building/Facility; Website Visitors and Guest/Third Party Visits

For the legitimate purpose of ensuring security, Kafein carries out personal data processing activities through surveillance camera monitoring at Kafein buildings and facilities, as well as tracking the entries and exits of visitors and guests.

In accordance with Article 10 of the Law, Data Subjects are informed of the camera monitoring activity by multiple means, and personal data is processed for the legitimate purpose of security, in compliance with Article 4 of the Law in a manner that is relevant, limited, and proportionate to the purpose for which it is processed.

Kafein’s video surveillance activity is conducted solely for the purposes outlined in this Policy. Accordingly, monitoring area, number, and timing of the security cameras are implemented in a manner sufficient to achieve and limited to the security purpose. Surveillance does not extend to areas that may result in an invasion of individuals’ privacy beyond the intended security purpose and does not include areas outside of common areas.

Only a limited number of Kafein employees have access to video footage recorded and stored digitally. These limited number of persons with access to the records declare, through a confidentiality agreement, that they will maintain the confidentiality of the data they access.

When collecting the first and last names of individuals entering Kafein premises as guests/visitors or third parties, Data Subjects are informed through notices posted within Kafein premises or otherwise made accessible to visitors. The data obtained for the purpose of monitoring entry and exit is processed solely for this purpose, recorded in a data filing system in physical form, and made accessible only to a limited number of Kafein employees. To ensure data security, confidentiality agreements are signed with the employees who have access to this information.

14. Publication and Storage of the Policy

The Policy is stored in [quality management system documentation] in electronic format and is published in an environment accessible to employees.

15. Update Frequency

This Policy is reviewed at least once a year without prior notice and updated when deemed necessary.

16. Enforcement

This Policy is deemed effective as of its publication on Kafein’s website (https://www.kafein.com.tr) in 06.2024.

Table of Contents