WEB PRIVACY AND PERSONAL DATA PROTECTION TERMS

1. PURPOSE AND SCOPE OF THE TERMS
This Web Privacy and Personal Data Protection Principles (hereinafter referred to as "Principles") determine the personal data processing principles adopted by Ünite Bilgi Teknolojileri A.Ş. (hereinafter referred to as "UNITE") regarding the protection of personal data and aims to inform all relevant data subject groups within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as "KVKK No. 6698") and, if you are a European Union citizen, the European Union General Data Protection Regulation No. 2016/679 ("GDPR").

2. PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA
UNITE as the Data Controller processes your personal data under the below principles.

2.1. Processing in accordance with Law and Rule of Fairness
The principles brought with legal regulations and the general reliability and fairness rule are complied with in respect of processing your personal data. According to this principle, while the we try to reach its personal data processing purposes, we take into consideration your interest and reasonable expectations, do not abuse our rights, and act in compliance with the principle of transparency in respect of its actions.

2.2. Ensuring that the Personal Data Are Correct and, When Necessary, Up-to-Date
In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of your personal data, periodical controls, and updating are made to ensure that the personal data, which is processed, is accurate and up-to-date, and in this respect necessary measures are taken by taking into consideration your legitimate interests. To this effect, systems, which are aimed to check the accuracy of the personal data and to make the necessary corrections, are established within the UNITE. Furthermore, the accuracy of the resources, from which the personal data are collected, is checked and requests, which arise due to inaccuracy of personal data, are taken into consideration. Therefore, this principle is applied in harmony with your right to request correction of the personal data, to which you are entitled under the KVKK No. 6698.

2.3. Being Processed for Specified, Explicit, and Legitimate Purposes
Your personal data are processed based on explicit, specified, and legitimate data processing purposes. In this respect, we ensure that our personal data processing activities are clearly comprehensible by the data subject, and determines, and explicitly sets forth the purposes of the personal data processing activities in clause 3 of this Terms.

2.4. Being Relevant, Limited, and Proportioned to the Purposes for Which They Are Processed
Your personal data is processed in a manner, which is proportioned, relevant, and limited to the envisioned processing purpose(s), and the processing of personal data, which is not relevant to achieving the(se) purpose(s) or is not needed, is avoided. Again, under this principle, personal data is not collected or processed for purposes, which do not exist and are deemed to occur later.

2.5. Being Stored for the Period Set Forth by the Legislation or the Period Required for the Purpose for Which They Are Processed
Your personal data is stored only for the period, which is set forth by the relevant legislation or is required for the purpose for which it is processed. For this, the UNITE, takes and applies the organizational and technical measures. In this respect, firstly determined whether a period is foreseen by the relevant legislation for the storing of personal data and if a period is determined, complied with such period of time and if a period is not determined, personal data is stored for the period, which is required for the purpose, for which it is processed. In case the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in the KVKK No. 6698. In the event of expiry of the period or that the reasons for processing cease to exist if there is not any legal basis, which allows for data to be processed for a longer period, your personal data is erased, destructed, or anonymized according to the personal data protection legislation.

3. CONDITIONS FOR PROCESSING PERSONAL DATA

Your personal and sensitive personal data may be processed under the following conditions within the scope of KVKK No. 6698.

3.1. Being Explicitly Stipulated for in Laws
The fundamental rule is that the personal data shall not be processed without the explicit consent of the data subject, but according to this exception, your personal data may be processed without seeking the explicit consent of the data subject only in cases provided for in laws.

3.2. Physical Impossibility of Getting Data Subject’s Explicit Consent
Your personal data may be processed to protect the life or physical integrity of the data subject or any other person, if the data subject is unable to express his/her consent due to an actual impossibility or the data subject’s consent cannot be deemed valid.

3.3. Being Directly Related to the Establishment or Performance of a Contract
On the condition that it is directly related to the establishment or performance of a contract, your personal data may be processed if the processing of the personal data of the parties to the contract is required.

3.4. Compliance with any Legal Obligation of the Company
Your personal data may be processed if it is necessary for compliance with a legal obligation to which the UNITE is subject.

3.5. Publicized Personal Data
Your personal data may be processed if your personal data has been made public by you; in other words, if they are disclosed to the public by you may be processed in connection with the purpose of making it public and in a measured manner.

3.6. Data Processing is Mandatory for Establishment, Exercise, or Protection of Right
Within the scope of the execution and management of the processes regarding the legal and commercial rights of UNITE, your personal data may be processed if data processing is mandatory for the establishment, use or protection of the right in question.

3.7. Processing Personal Data Based on Legitimate Interests
Your personal data may be processed if processing of data is necessary for the legitimate interests pursued by the UNITE. If the UNITE is required to process personal data depending on the processing condition in question, an evaluation is made by considering your fundamental rights and freedoms, and a decision is made according to the result of the evaluation.

3.8. Processing Personal Data Based on Explicit Consent
Although the main rule is that the personal data is processed based on explicit consent, in the event the other conditions outlined in this clause exist, the explicit consent of the data subject is not sought. Otherwise, it will be an abuse of rights. In this respect, your personal data is processed based on explicit consent if they are not processed based on one of the conditions, which are set forth in this Terms.

3.9. Processing of Special Categories of Personal Data
We process your special categories of personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698. In the same article, special categories of personal data other than health and sexual life may only be processed in cases stipulated in the laws without your explicit consent. Special categories of personal data regarding health and sexual life may only be processed for the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of healthcare services as well as their financing without your explicit consent by paying attention to the issues regarding the processing by persons or authorized institutions and organizations under the obligation of confidentiality.

4. TRANSFER OF PERSONAL DATA
Your personal data may be transferred to our domestic business partners, public institutions, organizations etc. within the scope of principles and purposes forth outlined in clause 2 of these terms under the conditions. During such transfers compliance stipulated for in laws is observed. If necessary, your explicit consent is obtained, and the transfer is provided within this framework.

5. PERSONAL DATA SECURITY
UNITE takes reasonable measures to prevent unauthorized access risks, data losses by accident, deliberate deletion of data, or data from being damaged for the purpose of ensuring the security of the personal data and prevention of unlawful processing thereof.
All reasonably required technical and physical measures are taken to prevent persons other than those who are authorized to access personal data from accessing personal data. In this context, especially the authorization system is set up in a way which makes it impossible for persons and systems to access more personal data than it is necessary.
UNITE carries out the required audits and has such audits carried out in its institutions and establishments for the purpose of execution of the provisions of the KVKK No. 6698.
The measures taken are as follows.

• The network and application security is ensured.
• Close system network is used to transfer data through a network path;
• Security measures are taken, in the scope of supply, development and maintenance of information technologies systems.
• There are disciplinary regulations, involving data security provisions for employees.
• Data security and awareness themed periodical trainings for employees are arranged.
• Authorization matrix for employees is formed.
• Corporate policies are created and started to be executed in fields of access, information security, retention and destruction.
• Confidentiality agreements are made.
• Mission based authorization of employees, who change positions or quit their jobs, are taken back.
• Concluded agreements contain data security provisions.
• Additional security measures are taken for personal data that are transferred in printed form, and the relevant papers are sent as classified documents.
• Personal data security policies and procedures are set.
• Personal data security issues are reported without delay.
• Personal data security is monitored continuously.
• Necessary security measures are taken for access to physical media containing personal data.
• Physical media containing personal data is secured.
• Personal data is minimized as much as possible.
• User account management and authorization control system is implemented, and these are also followed.
• Periodical/random in-house inspections are conducted.
• Current risks and threats are determined.
• Policies and procedures for ensuring the security of sensitive personal data are specified and executed.
• Cyber security measures have been taken, and their implementation is constantly monitored.
• Sensitive private data is encrypted before being transferred on a flash disk, CD or DVD.
• Data processing service providers are periodically inspected for data security purposes.
• Data processing service providers’ awareness on data security is raised.

6. LEGAL RIGHTS OF DATA SUBJECT

6.1. Rights on personal data under the KVKK No. 6698
Article 11 of the KVKK No. 6698 lists the rights that may be exercised by groups of persons as follows:

• Get information on whether or not personal data has been processed;
• Ask for information on how personal data has been processed;
• Get information on the purpose of processing personal data, and check whether or not personal data has been duly processed for this purpose;
• Learn the identity of third parties to whom personal data has been transferred in Turkey or abroad;
• Request the correction of any missing or incorrect personal data;
• Ask for the deletion or destruction of personal data in accordance with the conditions set forth in Article 7 of the KVKK, and the notification of the action taken under the said Article to any and all third parties to whom personal data has been transferred;
• Object to any unfavorable consequence of the analysis of personal data exclusively by automated systems;
• Claim damages arising from unlawful processing of personal data.

6.2. Rights over Personal Data under the GDPR
Data subjects’ rights on their personal data are set forth in the 3rd Chapter of the GDPR (from Article 12 to Article 23) as follows:

• You may withdraw your consent if your personal data is being processed based on your express consent;
• You may demand the restriction of the processing of your personal data where one of the following applies:
• You contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of your personal data;
• The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• Your personal data are no longer needed for the purposes of the processing, but you require such data for establishment, exercise or defense of legal claims;
• You have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether our legitimate interests override your rights.
• You may object to the processing of your personal data if your personal data are processed for protecting public interests or based on the data controller’s authority under the applicable law or the legitimate interests of the data controller or a third party, including by way of profiling;
• You have the right to access the following:
• The verification of the processing of your personal data, the purposes of the processing and the categories of personal data concerned;
• The recipients or categories of recipients to whom your personal data have been or will be disclosed; where possible, the envisaged period for which the personal data will be stored, or oif not possible, the criteria used to determine that period;
• The existence of the right to request the rectification or erasure of personal data or restriction of processing of personal data, and the existence of the right to lodge a complaint with a supervisory authority;
• Any available information as to the source of your personal data, if not directly collected from you; and
• The existence of automated decision making mechanisms that we use, including profiling, meaningful information about the lgic involved as well as the envisaged consequences of such processing for you, and the significant information.
• You may have your personal data transferred to you or another data controller, if that it technically possible, in an organize, usable and machine readable format, if your personal data are processed based on your express consent, or a contractual provision, by using automated mechanisms.
• You may get information on the existence of automated decision making processes, including profiling, the logic involved and their possible consequences and significance for you.

7. APPLICATION PROCEDURES AND PRINCIPLES
As the data subject, you can make your requests relating to the rights by filling out the Data Subject Application Form, which you can get from our website or with your application that meets the minimum conditions stipulated in the Communiqué on Application Procedures and Principles to the Data Controller by the following methods. UNITE shall conclude demand in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However, if the action requires an extra additional costs, a fee in the amount determined by the Turkish Personal Data Protection Board shall be charged by the UNITE.

8. ENTRY INTO FORCE; UPDATES
This Terms entered into force upon its announcement. This Terms are updated from time to time in order comply with the changes in the circumstances and applicable legislation. Updated as required by the relevant Board resolutions and the circumstances, are followed by UNITE.