Personal Data Processing and Protection (KVKK) Policy
ARTICLE 1 – INTRODUCTION
NETAS ENGINEERING INSPECTION PERIODIC CONTROL SERVICES INC. (“Company” or “NETAS Engineering”) operates in the periodic control sector, and the protection and lawful processing of personal data belonging to our existing and potential customers, suppliers, shareholders, employees or candidates, visitors, and employees or shareholders of other institutions we cooperate with, as well as other third parties, is a critical issue for us. This Personal Data Processing and Protection Policy (“Policy”) regulates the obligations regarding the processing and protection of personal data in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”) and other secondary legislation, as well as the procedures and principles to be applied in this regard.
ARTICLE 2 – PURPOSE OF THE POLICY
The main purpose of this Policy is to explain the activities of personal data processing and the systems for protecting personal data, which are carried out in accordance with the law within our Company and its subsidiaries, and to inform data subjects regarding the personal data processed by our Company.
ARTICLE 3 – SCOPE OF THE POLICY
This Policy covers all personal data processed by our Company by fully or partially automated means, or by non-automatic means as part of a data recording system, concerning our existing and potential customers, suppliers, company shareholders, employees, candidates, visitors, employees and shareholders of other institutions with whom we cooperate, or third parties.
ARTICLE 4 – DEFINITIONS
- Explicit Consent: Refers to consent expressed voluntarily and based on being informed on a specific subject.
- Personal Data: Refers to any information related to an identified or identifiable natural person (e.g., name, surname, ID number, email, address, birthdate, credit card number, etc.).
- Processing of Personal Data: Refers to any action performed on personal data, whether fully or partially automated, or through non-automatic means as part of a data recording system. These actions include collecting, recording, storing, retaining, changing, rearranging, disclosing, transmitting, receiving, making accessible, classifying, or preventing its use.
- Data Subject/Related Person: Refers to the natural persons whose personal data is processed (e.g., customers, suppliers, employees, visitors, etc.).
- Special Categories of Personal Data: Refers to data related to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
- Data Processor: Refers to a natural or legal person processing personal data on behalf of the data controller, based on their authorization. For example, suppliers who send information about job applicants.
- Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. Our Company is considered the data controller in this regard.
ARTICLE 5 – BASIC PRINCIPLES AND METHODS OF PERSONAL DATA PROCESSING
This Policy aims to concretize the rules foreseen by the KVKK and related secondary legislation, and defines the methods that serve this purpose. In this context, our Company will analyze the data processing activities performed under this Policy, determine necessary actions, and implement the required administrative and technical measures. Once the actions are initiated, internal audit systems will be used to ensure compliance with this Policy, and this compliance will be maintained. Besides the internal audit, awareness-raising activities will be carried out for employees, and necessary compliance processes will be implemented for newly joined employees. Necessary arrangements will also be made in relationships with our affiliates and business partners.
Our Company is aware that personal data processed in compliance with legal regulations must be aligned with the general principles and rules stipulated by KVKK and related legislation. In this regard, the basic principles to be followed in all personal data processing activities are outlined below according to Article 4 of KVKK:
- Compliance with the law and principles of good faith.
- Accuracy and, when necessary, keeping the data up to date.
- Processing for specific, legitimate, and clear purposes.
- Being relevant, limited, and proportionate to the purposes for which they are processed.
- Retaining data for the duration required by the relevant legislation or for the purposes for which they were processed.
In the processing of personal data, including its collection, recording, storage, retention, modification, disclosure, and transfer, our Company will adhere to all these principles.
ARTICLE 6 – SECURITY OF PERSONAL DATA
According to Article 12 of KVKK, NETAS Engineering is obligated to take all necessary technical and administrative measures to prevent the unlawful processing of, and access to, personal data and to ensure its preservation. Furthermore, any security measures determined by the decisions of the Personal Data Protection Authority will also be considered and applied.
Personal data processed in a joint database of NETAS Engineering and its affiliates will be kept confidential and will not be shared with third parties for commercial purposes. Our Company will establish necessary internal control systems to ensure the proper execution of technical and administrative measures. If a breach of personal data security occurs and is detected, it will be reported to the relevant data subject and, if necessary, to the Authority.
ARTICLE 7 – PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of personal data, as defined in KVKK, include data related to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data. This data is especially sensitive because its unlawful processing could lead to serious harm or discrimination against individuals.
Our Company applies particular care in the protection of such data and ensures the implementation of technical and administrative measures outlined in Article 6 of this Policy for the protection of special categories of personal data. Special provisions regarding the processing of special categories of personal data are detailed in the Policy, particularly concerning the explicit consent of the data subject.
ARTICLE 8 – OBLIGATION TO INFORM
NETAS Engineering is obliged to inform data subjects when collecting their personal data, explaining the reason and method of processing. The minimum information required for this obligation is regulated under Article 10 of KVKK, and it includes:
- The identity of the data controller and its representative (if any).
- The purposes of personal data processing.
- The recipients to whom personal data may be transferred.
- The method and legal basis for data collection.
- The rights of data subjects.
ARTICLE 9 – RIGHTS OF THE DATA SUBJECT
Data subjects whose personal data is processed by our Company have the right to make requests under Article 11 of KVKK. These rights include:
- To learn whether personal data is processed.
- To request information regarding the processing of personal data.
- To learn the purposes for which the data is processed and whether it is used accordingly.
- To know the third parties to whom personal data is transferred.
- To request correction of inaccurate or incomplete data.
- To request deletion or destruction of personal data.
- To request that third parties be notified of any changes made to personal data.
- To object to decisions made solely based on automated processing.
- To seek compensation for any damage caused by unlawful processing.
ARTICLE 10 – OBLIGATION TO REGISTER IN THE DATA CONTROLLERS’ REGISTRY
Our Company is required to register in the Data Controllers’ Registry in accordance with the KVKK and related regulations. Necessary documentation and information will be provided to the registry as required.
ARTICLE 11 – TRANSFER OF PERSONAL DATA
Personal data transfer will generally require the explicit consent of the data subject or will be in compliance with the exceptions foreseen in Article 5 of KVKK. In cases where personal data is transferred abroad, our Company will ensure that appropriate measures are taken, or the data subject’s explicit consent will be obtained.
ARTICLE 12 – APPLICATION OF THE POLICY AND RELATED LEGISLATION
This Policy will be applied in compliance with the laws and regulations on personal data protection and processing. If there is any inconsistency between this Policy and the applicable legislation, the applicable law will take precedence.
ARTICLE 13 – EFFECTIVENESS OF THE POLICY
This Policy is accessible to anyone whose personal data is processed by our Company through our website (www.netasmuhendislik.com.tr).
Personal Data Disclosure Text
This notification is made in accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (“KVKK”) to inform the data subject about the process related to the collection, storage, transfer, sharing, and processing of personal data shared with NETAS ENGINEERING INSPECTION PERIODIC CONTROL SERVICES INC. (“Company” or “NETAS Engineering”). This disclosure is a legal requirement. NETAS ENGINEERING reserves the right to make changes to this disclosure text due to changes in regulations or methods determined by the Personal Data Protection Authority. NETAS ENGINEERING attaches great importance to the confidentiality of personal data and the non-sharing of this information with third parties. In the processes of processing and transferring personal data, NETAS ENGINEERING takes the necessary administrative and technical measures in accordance with Article 12 of KVKK and other relevant provisions to prevent the unlawful use and ensure the preservation of data and data security. We would like to present the following matters regarding the personal data shared with or to be shared with NETAS ENGINEERING:
a) Data Controller
In accordance with the Protection of Personal Data Law, your personal data can be processed by NETAS ENGINEERING as the “data controller” within the scope described below.
b) Purpose of Processing Personal Data
The collected personal data is processed in accordance with the conditions of personal data processing specified in Articles 5 and 6 of KVKK, for purposes such as ensuring customers’ benefit from services in the field of mediation services, carrying out human resources policies, ensuring employment, conducting commercial activities, ensuring legal and commercial security for persons in business relationships with NETAS ENGINEERING, determining and implementing commercial and business strategies, and fulfilling legal obligations.
c) Transfer of Processed Personal Data
The collected personal data may be transferred to business partners, suppliers, customers, direct or indirect shareholders of NETAS ENGINEERING, domestic and foreign affiliates, subsidiaries, legally authorized public institutions and private individuals, administrative and official authorities, within the scope of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law No. 6698, for purposes such as ensuring customers’ benefit from services, executing human resources policies, providing employment, ensuring the legal and commercial security of persons in business relations, determining and implementing commercial and business strategies, and fulfilling legal obligations.
ç) Method and Duration of Personal Data Collection
Personal data is collected by NETAS ENGINEERING through various channels and for different legal reasons, including developing products and services, ensuring customers’ benefit from services in the mediation service, ensuring employment, and conducting commercial activities. The collected personal data may be processed and transferred for the purposes mentioned in paragraphs (b) and (c) of this Disclosure Text, in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of KVKK.
Among other methods, NETAS ENGINEERING collects and processes personal data in the following ways:
- Job applications made through the netasmuhendislik.com.tr website
- Applications or resumes prepared through career internet portals
- References
- Personal application forms
Personal data is checked by NETAS ENGINEERING consultants either automatically or manually and stored on servers provided by a domestic hosting company.
NETAS ENGINEERING processes personal data in accordance with legal requirements and stores personal data in accordance with the Personal Data Deletion, Destruction, or Anonymization Regulation, the Company’s Personal Data Retention, Anonymization, and Destruction Policy, and other relevant legislation. In case a contractual relationship is established, the data is retained during the contract period and for the periods allowed by the law. If no contract is established, the data is retained for 6 months from the date of the application to NETAS ENGINEERING, or for the duration required by the purpose of personal data processing if no period is specified by the legislation. The data will be deleted, destroyed, or anonymized once the reasons for processing the data cease to exist, in accordance with Article 7 of KVKK.
d) Rights of the Data Subject under Article 11 of KVKK
Data subjects have the following rights:
- To learn whether personal data is being processed.
- To request information about the processing of personal data.
- To learn the purpose of processing personal data and whether it is being used in accordance with its purpose.
- To learn about third parties to whom personal data has been transferred, whether domestically or internationally.
- To request the correction of personal data if it is incomplete or incorrect.
- To request the deletion or destruction of personal data if the reasons for processing no longer exist and to ask for this action to be communicated to third parties to whom personal data has been transferred.
- To object to any decisions made based solely on automated processing of personal data that have a negative impact on the individual.
- To request compensation for damages in case personal data is processed unlawfully.
To exercise the above rights, data subjects must submit their requests in writing or by other methods specified by the Personal Data Protection Authority. Data subjects can communicate their requests to exercise these rights using the “Application Form” available on the website www.netasmuhendislik.com.tr, along with the necessary identification details and a description of the rights they wish to exercise. Detailed information about the application methods can be found in the application form published on the website.