1. PURPOSE AND SCOPE

This Privacy and Personal Data Protection Principles ("Principles") of Kriptek Kripto ve Bilişim Teknolojileri Sanayi Ticaret Anonim Şirketi (will be referred to as the "Company" or "Data Supervisor") regulates the principles accepted for the protection and processing of personal data belonging to Visitor, Customer, Potential Customer, Supplier, Employee Candidate & Online Visitor (“Entity Groups”) to determine the personal data processing principles, aims to enlighten these groups of people in accordance with the Personal Data Protection Law No. 6698 of Republic of Turkey. (“Law No. 6698”).

2. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

As a company, we process your personal data in the capacity of Data Supervisor within the framework of the following principles.

2.1 Processing in Compliance with the Law and the Rules of Good Faith

In the processing of your personal data, the principles of legal regulations and the common trust and honesty rules are followed. In accordance with this principle as Data Supervisor, we take your interests and reasonable expectations into account while trying to achieve our personal data processing purposes. We do not abuse our rights and act in accordance with the principle of transparency in our data processing activities.

2.2 Keeping Personal Data Accurate and Updated When Required

The importance of the accuracy and up to date of personal data are emphasized in accordance with this principle. The necessary measures are taken accordingly by periodic checks and updates are made to ensure that the processed data is accurate and up to date in line with your legitimate interests. In this context, systems for checking the accuracy of personal data and making the necessary corrections are established within the Company. In addition, the legitimacy of the sources of personal data collected is checked and the inquiries about the inaccuracy of personal data are taken into consideration. Therefore, this principle is applied in accordance with your right to request the correction of your personal data under Law No. 6698.

2.3 Processing with Specific, Clear and Legitimate Purposes

Your personal data are processed based on clear, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are perfectly understandable to the relevant people. We determine and clearly state which purposes & legal processing conditions apply based on Articles 5 and 7 of these principles.

2.4 Being related, limited and measured to the purpose of processing.

Your personal data are processed in a measured, relevant and limited manner in order to achieve the anticipated purpose/purposes. The processing of personal data, that is not related to the actual purpose, is avoided. Again, within the scope of this principle, personal data are not collected or processed for purposes that are not present at the moment or assumptions of actualization later.


2.5 The preservation of the processed data is kept according to the relevant legislation stated period or for the period required for the process.

Your personal data are kept only for the period foreseen in the relevant legislation or for the period required for the process. In this regard, as the Data Supervisor, we take and implement relevant administrative and technical measures. In this context, first of all we take into account whether a period is estimated for the storage of personal data in the relevant legislation. If a period is determined in the legislation, personal data are preserved in accordance with the period determined in the legislation but if a period is not determined in the relevant legislation, personal data are stored for the period required for the process. At the end of the period, either way, if there is no legal reason to allow them to be processed for a longer period of time, your personal data will be deleted, destroyed or anonymized in accordance with the relevant legislation.

3. CONDITIONS OF PROCESSING PERSONAL DATA


Your personal data can be processed by the Company under the following conditions.

3.1 Cases where processing of personal data being clearly required by laws

The basic rule is that personal data cannot be processed without the express consent of the relevant people, however there is an exception, your personal data may be processed in cases where processing of personal data is clearly required by laws.

3.2 Failure to obtain explicit consent of the relevant person due to actual impossibility

Personal data may be processed, if it is compulsory, in order to protect the life or body integrity of a person or another person in cases where this person is unable to disclose his consent due to actual impossibility or whose consent cannot be validated. Accordingly, it is foreseen that personal data may be processed in cases where the consent cannot be disclosed or is not valid, provided that it is necessary for the protection of the life or body integrity of the people.

3.3 Being Directly Related to the Establishment or Execution of a Contract

Provided that it is directly related to the establishment or execution of a contract, your personal data may be processed if it is necessary to process the personal data of the parties to the contract. In order to fulfill with the obligations of the contract, explicit consent will not be required in case of processing personal data of the parties of a valid contract.

3.4 Fulfillment of the Company's Legal Obligation

Your personal data may be processed if processing is obligatory in order to fulfill legal obligations as a data supervisor.

3.5 Making Personal Data Public

Your personal data can be processed if it is made public by you, that means, if it is shared with the public by you. At these cases, it is accepted that the legal protection is no longer necessary.

3.6 Requirement of Data Processing for Establishment or Protection of a Right

If data processing is mandatory for the establishment, use or protection of a right of your personal data may be processed.

3.7 Processing of Data Based on Legitimate Interest

If data processing is required for the legitimate interests of the Company, your personal data may be processed. Accordingly, the Company may process personal data for the purposes of promoting employees, salary increases or regulating their social rights, as long as fundamental rights and freedoms of the employee are not harmed. On the other hand, even in such cases, the basic principles regarding the protection of personal data will be followed and the interests of the relevant person will be protected.

3.8 Processing Based on Explicit Consent

Although the main rule is processing of personal data based on explicit consent, in the presence of other conditions specified in this article, the explicit consent of the relevant persons is not required. Otherwise, the abuse of the right can be mentioned. In this context, in cases where your personal data is not processed based on any of the conditions specified in this article, they are processed based on explicit consent.
DATA OWNERDATA CATAGORIE
Customer Identity Information
Financial Information
Legal Transaction Information
Visual and Audio Information
Transaction Security Information
Customer Transaction Information
Physical Establishment Security Information
Marketing Knowledge
Employee Candidate Identity Information
Communication information
Physical Establishment Security Information
Professional Experience Information
Personal Information
Visual and Audio Information
Transaction Security Information
Potential Customer Identity Information
Communication information
Transaction Security Information
Marketing Knowledge
Physical Establishment Security Information
Visitor Identity Information
Physical Establishment Security Information
Transaction Security Information
Supplier / Business Partner Official Identity Information
Communication information
Risk Management Information
Physical Establishment Security Information
Legal Transaction Information
Financial Information
Transaction Security Information
Online Visitor / Member Identity Information
Communication information
Transaction Security Information
Third Parties Identity Information
Communication information
Legal Transaction Information
Visual and Audio Information
Transaction Security Information
5. PURPOSE OF PROCESSING PERSONAL DATA

Within the Company and according to the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law No.6698, personal data can be processed for the following purposes according to the relevant groups of people.

5.1 CUSTOMER

Customer personal data can be processed within the scope of personal data processing conditions specified in Republic of Turkey Article 5 of Law No. 6698 in the following cases.
To enable the benefits and use of the product.
Services offered by the Company to comply with the operational procedures.
Works & execution of the contract.
Follow-up of financial & accounting affairs.
Planning & execution of customer relationship management and customer satisfaction activities processes.
Follow-up of contractual processes and customer demands and complaints.
Planning of information security processes.
Creating & managing infrastructure, supervision and execution.

5.2 EMPLOYEE CANDIDATE

Personal data of the Employee Candidate can be processed within the scope of the personal data processing conditions specified in Republic of Turkey Article 5 of the Law No.6698, for the purposes of planning and execution of human resources processes & personnel activities. Also, fulfillment of obligations arising from legislation, planning and execution of benefits and personnel recruitment processes are in the scope of personal data processing conditions.

5.3 POTENTIAL CUSTOMER

The personal data of the Potential Customer can be processed within the scope of the personal data processing conditions specified in Republic of Turkey Article 5 of the Law No.6698, for the purposes of:
Recommending and advertising of the products & services offered by the company according to the preferences,
Usage habits and needs of the potential customer,
Planning & execution of the activities required for the promotion of the products,
The company, carrying out the necessary work for the realization of the commercial activities of the company and related business processes,
Carrying out the necessary works and related business processes to benefit from the products and services offered by the company,
Planning and performing the activities required for the customization and promotion of the products and services offered by the company,
Planning and execution of customer relationship management processes.

5.4 VISITORS

Personal data of visitors can be processed within the scope of personal data processing conditions specified in Article 5 of Law No. 6698, for the purposes of; ensuring the safety of the; buildings and/or establishments, of immovables and/or resources, technical and commercial work, company operations, creating and tracking visitor records and to provide information to the authorized institutions and organizations based on the relevant actual legislation.

5.5 SUPPLIER / BUSINESS PARTNER OFFICIAL

The personal data of the Supplier/Business Partner Official can be processed within the scope of the personal data processing conditions specified in Republic of Turkey Article 5 of the Law No.6698, for the purposes of, performing the necessary business and operational processes in order to benefit from the products and services offered by the company, carrying out the necessary works for the realization of the commercial activities and the execution of affiliated business processes, the execution of necessary studies and related business processes to benefit from the products and services offered by the company.

5.6 ONLINE VISITOR / MEMBER

Online Visitor / Member personal data can be processed within the scope of the personal data processing conditions specified in Republic of Turkey Article 5 of the Law No.6698, for the purposes of, carrying out marketing analysis studies, conducting advertising campaigns and promotion processes, conducting communication activities, carrying out studies for developing products and services, to fulfill legal obligations.

5.7 3rd PARTIES

Third Party personal data may be processed within the scope of personal data processing conditions specified in Republic of Turkey Article 5 of Law No.6698, for the purposes of executing of personnel recruitment processes, carrying out the necessary business and operational processes in order to benefit from the services offered by the company, to fulfill with the obligations of the contract.

6. TRANSFER OF PERSONAL DATA

Your personal data can be transferred limited within the framework of conditions specified by the principles and purposes set out in Articles 3 and 5 of this Privacy and Protection of Personal Data Principles and article 8th and 9th of the Law No.6698, to our group companies, business partners, our suppliers, legally authorized public institutions and private people in Turkey and abroad.

7.METHOD AND LEGAL REASON OF COLLECTING PERSONAL DATA

Your personal data transmitted to the Company electronically are processed as follows according to the relevant groups.

7.1 CUSTOMER

Customer personal data obtained in physical and electronic environments, via written or verbal data transfer tools and as part of the data recording systems, from the person itself or third parties, is processed automatically based on the legal reasons included in Republic of Turkey Article 5 of Law No.6698, " It is mandatory to process personal data belonging to the parties of the contract provided that it is directly related to the establishment or execution of a contract ", "It is mandatory for the data supervisor to fulfill its legal obligation", "Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor’’.

7.2 POTENTIAL CUSTOMER

Potential customer personal data obtained in physical and electronic environments, via written or verbal data transfer tools and as part of the data recording systems, from the person itself or third parties, is processed automatically based on the legal reasons included in Republic of Turkey Article 5 of Law No.6698, "to be made public by the person concerned", "data processing is mandatory for the establishment, exercise or protection of a right", ""Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor’’, “ It is mandatory for the data supervisor to fulfill its legal obligation ”.

7.3 EMPLOYEE CANDIDATE

Employee candidate personal data obtained from physical and online application forms filled by the person, and as part of the data recording systems, is processed automatically based on the legal reasons included in Republic of Turkey Article 5 of Law No.6698, "It is mandatory to process personal data belonging to the parties of the contract provided that it is directly related to the establishment or execution of a contract", "It is necessary for the data supervisor to fulfill its legal obligation", " Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor ".

7.4 VISITORS

Visitor Personal Data, is obtained from the security cameras placed in entrance door of our building, face of the building, meeting rooms, activity areas, food zones, cafeteria, entrance waiting area, car park, elevators and service aisles is processed automatically based on the legal reasons included in Republic of Turkey Article 5 of Law No.6698, "It is necessary for the data supervisor to fulfill its legal obligation", " Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor ".

7.5 SUPPLIER / BUSINESS PARTNER OFFICIAL

The personal data of the Supplier / Business Partner official personal data obtained in physical and electronic environments, via written or verbal data transfer tools and as part of the data recording systems, from the person itself or third parties, is processed automatically based on the legal reasons included in Republic of Turkey Article 5 of Law No.6698, "It is mandatory to process personal data belonging to the parties of the contract provided that it is directly related to the establishment or execution of a contract", "It is necessary for the data supervisor to fulfill its legal obligation", " Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor ".

7.6 ONLINE VISITOR / MEMBER

Online Visitor / Member, personal data, is processed automatically based on the Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications and on the legal reasons included in Article 5 of the Law No. 6698, " Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor ", "It is necessary for the data supervisor to fulfill its legal obligation".

7.7 THIRD PARTIES

Third Party personal data obtained in physical and electronic environments, via written or verbal data transfer tools and as part of the data recording systems, from the person itself or third parties, is processed automatically based on the legal reasons included in Article 5 of Law No.6698, "It is necessary for the data supervisor to fulfill its legal obligation", " Provided that it does not harm the fundamental rights and freedoms of the person, it is compulsory to process data for the legitimate interests of the data supervisor ".

8. SECURITY OF PERSONAL DATA

The company takes reasonable measures to prevent unauthorized access, accidental data loss, deliberate deletion of data or damage to the data in order to ensure the security of personal data and to prevent unlawful processing.
All necessary technical and physical measures are taken in order to prevent access to personal data by other persons than authorized personnel. In this context, the authorization system is designed in such a way that it will not be possible for individuals and systems to access more personal data than necessary. The company carries out the necessary inspections in its own institution or organization in order to ensure that the provisions of Law No. 6698 are implemented. 9. COMMITMENTS REGARDING THIRD-PARTY PERSONAL DATA

Personal data about third parties transmitted by Groups of People, can be processed by the Company, and is accepted & consented by the Group of Persons. The Related People also states about the transmitted information, that it provided the necessary information and obtained the permissions in accordance with the Law No.6698 regarding the people and their information.

10. APPLICATION PROCEDURE AND PRINCIPLES

As a related person, if you have a request regarding your rights stated in the 11th article of the Law numbered 6698; You can send your inquiries by filling the form ‘’Application Form for the Protection of Personal Data’’ available in our website https://www.crypttech.com/tr/ in line with the procedures and principles indicated in the form, and send it to KEP address ‘’kriptekkripto@hs01.kep.tr’’, ‘’kvkk@crypttech.com’’ e-mail address, signed with mobile signature or e-signature, or, you can apply personally or through notary by filling & wet signing the relevant form and sending it to the following address, Yıldız Teknik Üniversitesi Davutpaşa Kampüsü, Teknoloji Geliştirme Bölgesi B2 Blok No: 207 Esenler / İstanbul. Depending on the nature of your request, we will conclude your application free of charge as soon as possible and within thirty days at the latest. However, if the transaction requires an additional cost, Kriptek Kripto ve Bilişim Teknolojileri Sanayi Ticaret Anonim Şirketi will charge the fee in the tariff determined by the Personal Data Protection Authority.
In this context, you have the following rights as a related person.

• Learning whether personal data is processed,
• Requesting information if personal data has been processed,
• Learning the purpose of processing personal data and whether they are used appropriately for their purpose,
• To know the third parties to whom personal data are transferred domestically or internationally,
• To request correction of personal data in case of incomplete or incorrect processing,
• Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation,
• Request notification of third parties to whom personal data are transferred,
• Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• To request the compensation of the damage in case of damage due to the processing of personal data that is not legitimate.