Table of Contents
Personal Data Protection and Privacy Policy
1. Purpose and Scope
This Personal Data Protection and Privacy Policy explains the principles adopted by PAYDAŞ TEKNOLOJİ YATIRIMLARI VE GAYRİMENKUL ANONİM ŞİRKETİ ("Company") regarding the protection of personal data, ensuring its confidentiality, and processing, in order to comply with national and international regulations, primarily the Law No. 6698 on Personal Data Protection.
This Policy applies to the processing of personal data of individuals other than the Company's employees.
Important:
This Policy details the groups of individuals whose personal data are processed, personal data categories, collection methods, processing principles, legal reasons, purposes, profiling activities, transfer conditions, security measures, retention periods, deletion procedures, and individual rights.
2. Definitions
Explicit Consent
Consent given in relation to a specific issue, based on being informed and expressed voluntarily.
Anonymization
The process of making personal data unidentifiable, so that it can no longer be associated with a specific or identifiable person, even when combined with other data.
Personal Data
Any information relating to an identified or identifiable real person.
Data Subject
A real person whose personal data is processed.
Personal Data Processing
Any operation or set of operations performed on personal data, whether by automated means or not, such as the collection, recording, storage, preservation, modification, retrieval, disclosure, transfer, reception, accessibility, classification, or restriction of use.
Data Controller
The person who determines the purposes and means of processing personal data and is responsible for managing the location where the data is systematically stored.
Data Minimization
The principle of collecting and processing personal data only to the extent necessary for the specific purpose of processing, and completely deleting the data once the purpose has been fulfilled.
3. Data Subject Categorization
The Company classifies personal data processed with respect to its core business activities and the related individuals into subcategories based on the following classifications:
Member/User: Online Member/User
Potential Member/User: Potential Online Member/User
Buyer: Member who receives services through the Site
Supplier: Shareholder/Manager of the Service Provider, Employee of the Supplier
Potential Supplier: Shareholder/Manager of the Potential Service Provider, Employee of the Potential Supplier
Visitor: Online Visitor
Third Parties
Note: The groups of data subjects listed above may be expanded based on the specific characteristics of the processing activities.
4. Processed Personal Data
The Company processes various personal data for each processing activity in relation to the relevant individuals based on their relationship with the Company. In this context, the Company processes only the necessary and relevant personal data in proportion to the purposes of managing the Company's activities, conducting the relationship between the parties, and fulfilling legal obligations, in accordance with the principle of data minimization.
For data categorization and example data types, please refer to the explanations under Appendix – 1 of this Policy.
5. Methods of Collecting Personal Data
The Company collects personal data directly from the individuals themselves, their employers, family and close associates, intermediaries, suppliers, emails, postal mail, stores, call centers, websites, mobile applications, social media accounts, security cameras, cookies, faxes, notifications from administrative and judicial authorities, and other communication channels in visual, auditory, electronic, or written form, in compliance with the personal data processing conditions set out in the Law.
6. Principles Regarding Personal Data Processing
Personal data shall be processed in accordance with the principles specified in Article 4 of the Law, as explained below:
Personal data shall be processed in compliance with the law and the principle of honesty; the Company shall observe the legal rules during every processing activity, limit the processing activities to the purpose of processing, and consider the interests and reasonable expectations of the relevant individuals.
Personal data shall be accurate and up-to-date; the Company shall ensure that personal data processed is accurate and up-to-date, and it is the right of the relevant individuals to request corrections or deletion of inaccurate or outdated data.
Personal data shall be processed for specific, explicit, and legitimate purposes; the Company shall ensure that the processing activities are carried out for legitimate purposes, determining every detail of the processing activity in advance, and making sure that the processing activity is clearly understandable by the relevant individual.
Personal data shall be relevant, limited, and proportional to the purpose of processing; the Company shall only collect personal data of the type and extent required for the relevant processing activities, and the data shall be processed only for the defined purposes.
Personal data shall be retained for the period required by the law or the purpose of processing; personal data shall be deleted, destroyed, or anonymized once the purpose of processing no longer exists or once the period specified in the legal regulations expires.
7. Conditions for Processing Personal Data
Pursuant to Article 5(2) of the Law, personal data shall be processed by the Company in accordance with the following processing conditions:
Explicit consent obtained in cases where required (e.g., processing of personal data for profiling, analysis, marketing, and advertising purposes)
Explicitly provided by law (e.g., the processing of personal data for commercial communication consent, customer identification during remote customer acquisition processes, identity verification under Law No. 5549 for Anti-Money Laundering)
Necessary for the establishment or performance of a contract (e.g., processing of identity information during the establishment phase of a contract)
Necessary for the fulfillment of a legal obligation (e.g., using security cameras to ensure the security of employees or visitors)
Made publicly available by the relevant individual (e.g., contact information shared via public social media platforms for establishing a commercial relationship)
Necessary for the establishment, use, or protection of a right (e.g., retaining personal data that may be necessary for statute of limitations purposes)
Necessary for the legitimate interests of the Company as long as it does not harm the fundamental rights and freedoms of the individual
Necessary for the protection of the life or physical integrity of the individual or another person when the individual is unable to give explicit consent due to physical impossibility or legal incapacity
Special Categories of Personal Data:
The Company, as a general rule, does not process special categories of personal data. However:
Biometric data may be processed within the scope of the Company's activities and services. These data will be collected and processed to ensure identity verification and information security as required by regulations and will be preserved for the durations specified in the relevant laws.
Biometric data shall be processed in accordance with the "Guidelines for the Processing of Biometric Data" published by the Personal Data Protection Authority.
In case unnecessary sensitive personal data is submitted by the data subject, the Company shall destroy or anonymize such data.
Pursuant to Article 6(3) of the Law, sensitive personal data can be processed without explicit consent under the following conditions:
Explicit consent obtained in cases where required (e.g., processing of personal data for profiling, analysis, marketing, and advertising purposes)
Explicitly provided by law (e.g., the processing of personal data for commercial communication consent, customer identification during remote customer acquisition processes, identity verification under Law No. 5549 for Anti-Money Laundering)
Necessary for the establishment or performance of a contract (e.g., processing of identity information during the establishment phase of a contract)
Necessary for the fulfillment of a legal obligation (e.g., using security cameras to ensure the security of employees or visitors)
Made publicly available by the relevant individual (e.g., contact information shared via public social media platforms for establishing a commercial relationship)
Necessary for the establishment, use, or protection of a right (e.g., retaining personal data that may be necessary for statute of limitations purposes)
Necessary for the legitimate interests of the Company as long as it does not harm the fundamental rights and freedoms of the individual
Necessary for the protection of the life or physical integrity of the individual or another person when the individual is unable to give explicit consent due to physical impossibility or legal incapacity
8. Purposes of Personal Data Processing
Personal data may be processed for various purposes in each processing process in accordance with the processing conditions specified in Article 7 of this Policy. In this context, the personal data you have shared may be used by different departments of the Company for different processing purposes in different processing processes.
Example:
The first name/last name information processed by the sales department for the purpose of "planning and execution of service sales processes" in the service sales and operation process may be processed by the finance department for the purpose of "carrying out financial and accounting tasks" during the billing process.
In cases where explicit consent is required, the necessary information will be provided, and the relevant personal data may only be processed if explicit consent is obtained.
For detailed information on the purposes of personal data processing, please refer to the explanations under Appendix 2 of this Policy.
9. Profiling and Segmentation
The Company shall use the personal data it processes to carry out the following profiling and segmentation activities:
For individuals who have given consent for commercial electronic communication:
Preparing content according to the individual's preferences and interests, sending advertisements, promotional materials, and discounts
Sending updates/news on existing services and communications regarding new services
Sending congratulatory, celebratory, and announcement-type content
For individuals who have not given consent for commercial electronic communication:
Improving services based on the individual's preferences, complaints, and suggestions (updating the service catalog by determining the most and least preferred services)
Organizing special campaigns for Members/Users who have a high potential to purchase a service, based on analysis of the individual's service preferences
Conducting efforts to increase the desirability of services
Data Protection in Profiling:
In the profiling and segmentation studies, personal data of the relevant individuals will not be directly used; instead, special codes will be assigned to each member, and processes will be carried out using these codes. This ensures the protection of personal data, and these member/user numbers are accessible only by the relevant individual or department, in line with the "Need to Know" principle.
10. Transfer of Personal Data
The Company transfers personal data only to parties located domestically and internationally in accordance with the purposes specified in this Policy and in compliance with Articles 8 and 9 of the Law.
The personal data transfers carried out within this scope occur through secure environments and channels. Depending on the content and scope of the services received from third parties, pseudonymous data may be used for transfer in cases where the data subject's personal data does not need to be transferred.
In domestic and international transfers, the Company shall take all administrative and technical measures possible, in line with the available technologies and the cost balance of the related application, and maintain up-to-date security practices in accordance with the relevant legal regulations and decisions of the Board.
International Transfers:
According to Article 9 of the Law, as a rule, personal data shall not be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without explicit consent, if the conditions described in Article 7 of this Policy are met, to countries where adequate protection exists.
The transfer of personal data is permitted in the following cases:
As explicitly foreseen in the laws
When necessary for the protection of the life or physical integrity of the person or another, in case the person is incapable of expressing their consent due to a physical impossibility or is legally unable to give consent
When the personal data has been made public by the relevant person
When necessary for the establishment, use, or protection of a right
When required by persons or authorized institutions or organizations under the obligation of confidentiality, for the protection of public health, the conduct of preventive medicine, medical diagnosis, treatment and care services, or for the planning, management, and financing of healthcare services
When necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance
For the activities of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, provided that it is in compliance with their relevant laws and purposes, limited to their areas of activity, and not disclosed to third parties
For detailed information on the purposes and recipients of the transfer of your personal data, please refer to the explanations under Appendix 3 of this Policy.
11. Administrative and Technical Measures Taken to Ensure the Security of Personal Data
The Company undertakes to take the necessary administrative and technical measures to ensure the confidentiality, integrity, and security of your personal data in each processing process. The Company takes necessary steps and conducts oversight by assigning internal authorizations and, when necessary, obtaining professional support from external service providers to prevent the misuse, unlawful processing, unauthorized access, disclosure, modification, or destruction of data.
In this context, the Company prioritizes ensuring compliance with relevant regulations and guidelines and decisions published by the Board.
Administrative Measures include:
Definition of Personal Data Security Policies and Procedures
Identification of Existing Risks and Threats
Employee Training and Awareness Programs
Data Minimization Practices
Data Processor Management
Technical Measures include:
Information Technology Systems Security
Cybersecurity Measures (Anti-Virus, Firewall, VPN)
Personal Data Security Monitoring
Physical Environment Security
Data Backup System
For detailed information about the measures taken to protect your personal data, please refer to the explanations under Appendix 4 of this Policy.
12. Retention Periods of Personal Data
The Company retains personal data in compliance with the Law for the periods prescribed by the relevant legislation or as required for the purpose of processing.
For approximate durations related to the Retention and Disposal of Personal Data, please refer to the explanations under Appendix 5 of this Policy.
13. Conditions for the Deletion, Destruction, and Anonymization of Personal Data
The Company retains personal data collected and processed in the course of its business operations in accordance with the durations specified in Articles 17 and 7 of the Law and Article 138 of the Turkish Penal Code. Once these durations have expired, the Company will delete, destroy, or anonymize personal data in accordance with the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data and the guidelines published by the Board.
Deletion of Personal Data
The process of making personal data completely inaccessible and unusable for the relevant users.
Destruction of Personal Data
The process of making personal data completely inaccessible, irretrievable, and unusable by anyone.
Anonymization of Personal Data
The process of making personal data unidentifiable, even if combined with other data, and ensuring it cannot be linked to a specific or identifiable person.
The Company, in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, provides detailed explanations of the methods and administrative and technical measures taken for deletion, destruction, and anonymization. The period for periodic destruction specified in the Regulation is set at 6 months.
14. Rights Listed in Article 11 of the Law
As data subjects, you have the following rights under Article 11 of the Law:
Your Rights Include:
a) Learn whether your personal data is processed or not
b) If your personal data is processed, request information about it
c) Learn the purpose of processing your personal data and whether it is used in accordance with the purpose
d) Learn which third parties, within the country or abroad, your personal data has been transferred to
e) Request the correction of your personal data if it has been processed incompletely or incorrectly
f) Request the deletion or destruction of your personal data within the conditions specified in Article 7 of the Law
g) Request that the corrections or deletions of your personal data be communicated to third parties to whom your personal data has been transferred
h) Object to a result that is created against you by exclusively automated systems and the analysis of processed data
i) In case of damage due to the unlawful processing of your personal data, request the compensation of the damage
How to Exercise Your Rights
To exercise your rights, please fill out the Data Subject Application Form and send it to the Company using one of the following application methods:
Personal Application:The application form can be delivered in person to the Company's headquarters. You must present your identity. The envelope should be labeled as "Application Under the Personal Data Protection Law."
Notification via Notary:The application form can be sent through a notary. The notification subject should be written as "Application Under the Personal Data Protection Law.
Via KEP:The application form can be sent via the Company's registered electronic post address with a "secure electronic signature" as defined by Law No. 5070.
Via E-mail:The application form can be sent to the Company's official e-mail address (info@getpaydas.com). The subject should be "Application Under the Personal Data Protection Law."
Additional documents may be requested for identity verification purposes. In such cases, the application will be considered submitted once the required documents are provided.
If you submit your request through the specified methods, the Company will process your request as soon as possible and no later than thirty days, free of charge. However, if the process incurs an additional cost, the Company will charge the fee determined by the Personal Data Protection Board.
15. Changes to the Personal Data Protection and Privacy Policy
The Company may make changes to this Personal Data Protection and Privacy Policy at any time. These changes will take effect immediately upon the publication of a modified version of the policy. You will be notified of any changes to this Policy.
Document History
Version
Publication Date
Description of Changes
——-
———-
———
Annex 1 - Data Categorization
The personal data categories that the Company processes within the scope of this Policy are generally as follows:
Date Category
Examples
Identity Information
Name-Surname, Date of Birth, ID Number, Nationality, ID Image, ID Document Type and Number, etc.
Contact Information
Phone Number, Mobile Phone Number, Email Address, Address, etc.
Legal Process
Consumer Arbitration Board Applications, Case Files, Notices, etc.
Visual and Auditory Records
Photo, Video, voice call recordings kept by customer service representatives, etc.
Biometric Data
Data collected via facial recognition or fingerprint systems, Liveness Test, Biometric Facial Comparison, e-signature data, etc.
Member/User Transaction Data
Member/User Number, Start/End Date and Reason of Commercial Relationship, Requests, Preferred Service Information, etc.
Risk Management
Data on suspicious or risk-inducing transactions
Security Data
IP Address or Site Login/Logout Records, etc.
Financial Information
Bank Information, IBAN Number, Invoice Information, Bank Account Number, Transfer Number, etc.
Marketing
Preferred Service Information, Purchase History Data, Surveys, Cookie Records, Service Preferences, etc.
Data Categorization Based on Relevant Person
The personal data processed by the Company, categorized based on the relevant person groups, is generally as follows:
Relevant Person Category
Example Processed
Data Categories
Member/User
Identity Information, Contact Information, Personal Data, Legal Process Data, Member/User Transaction Data, Physical Space Security, Transaction Security Data, Risk Management Data, Financial Information, Professional Experience, Marketing, Visual and Auditory Records, Special Categories of Personal Data
Potential Member/User
Identity Information, Contact Information, Personal and Professional Information, Legal Process Data, Member/User Transaction Data, Physical Space Security, Transaction Security Data, Risk Management Data, Professional Experience, Marketing, Visual and Auditory Records
Supplier
Identity Information, Contact Information, Personal Data, Legal Process Data, Supplier Transaction Data, Physical Space Security, Transaction Security Data, Risk Management Data, Financial Information, Professional Experience, Visual and Auditory Records, Special Categories of Personal Data
Potential Supplier
Identity Information, Contact Information, Personal Data, Supplier Transaction Data, Physical Space Security, Transaction Security Data, Risk Management Data, Professional Experience, Visual and Auditory Records
Visitor
Physical Space Security, Visual and Auditory Records
In each legal and commercial relationship, the categories of personal data processed and the personal data involved may vary. To determine which personal data is processed about you, please refer to the privacy notice provided to you.
ANNEX 2 - PURPOSES OF PERSONAL DATA PROCESSING
Conducting Emergency Management Processes
Conducting Archiving and Storage Activities
Conducting Information Security Processes
Conducting Audit/Ethics Activities
Conducting Training Activities
Managing Access Permissions
Ensuring Activities are Conducted in Compliance with Regulations
Managing Finance and Accounting Activities
Managing Company/Service Loyalty Processes
Ensuring Physical Space Security
Managing Assignment Processes
Conducting Internal Audit/Investigation/Intelligence Activities
Conducting Communication Activities
Planning Human Resources Processes
Managing/Monitoring Business Operations
Managing Occupational Health and Safety Processes
Collecting and Evaluating Suggestions for Improving Business Processes
Conducting Business Continuity Activities
Completing Membership Processes
Fulfilling the obligation to record identification, address, and other necessary information for the identification of the transaction owner under the relevant legislation in order to perform the service sale; organizing all records and documents that will serve as the basis for transactions, including payment systems, electronic contracts, or paper-based processing in Banking and Electronic Payment sectors
Conducting Service Purchase Processes
Conducting Post-Sale Support Services
Conducting Service Sale Processes
Conducting Service Production and Operation Processes
Managing Member/User Relationship Processes
Conducting Activities for Member/User Satisfaction
Organizing and Managing Events
Conducting Marketing Analysis Activities
Sending commercial electronic communications as part of the promotion, marketing, and campaign processes for services
Planning and conducting advertising and promotional activities
Conducting Performance Evaluation Processes
Conducting Risk Management Processes
Conducting Storage and Archiving Activities
Managing Contract Processes
Monitoring Requests/Complaints
Ensuring the Security of Data Controller Operations
Providing Information to Authorized Persons, Institutions, and Organizations
Managing Organizational Activities
Creating and Monitoring Visitor Records
Legal Compliance:
Complying with the information storage, reporting, and notification obligations set by regulations and official authorities, providing information to prosecutors, courts, and relevant public officials upon request in cases related to public safety and legal disputes, and sharing this information with persons or institutions within the legal framework, in order to provide various facilities to members/users or those who can provide these facilities.
ANNEX 3 - DOMESTIC/INTERNATIONAL TRANSFER OF PERSONAL DATA
Date Category
Examples
Examples
Ensuring the Security of Information, Transactions, and Personal Data
Name-Surname, Date of Birth, ID Number, Nationality, ID Image, ID Document Type and Number, etc.
Managing Purchase and Post-Sale Support Processes, Conducting Logistics Activities
Phone Number, Mobile Phone Number, Email Address, Address, etc.
Managing Communication Processes
Consumer Arbitration Board Applications, Case Files, Notices, etc.
Service Providers (
Individuals/ Entities)
Managing Marketing, Campaign, and Advertisement Processes
Photo, Video, voice call recordings kept by customer service representatives, etc.
Organization and Event Management
Data collected via facial recognition or fingerprint systems, Liveness Test, Biometric Facial Comparison, e-signature data, etc.
Tracking Legal Processes
Member/User Number, Start/End Date and Reason of Commercial Relationship, Requests, Preferred Service Information, etc.
Members/Users
Managing Purchase and Post-Sale Support Processes
Sharing personal data with service providers for communication, logistics, installation, support, and other processes in sales management. Sharing personal data with authorized vendors (dealers) for addressing requests from individual Members/Users.
Authorized Persons, Institutions, and Organizations
Providing Information to Authorized Persons, Institutions, and Organizations
Sharing personal data with persons, institutions, and organizations authorized by law, as required by relevant legislation.
Transfers to and from domestic or international entities may vary depending on the legal and commercial relationship. For more information on transfers related to your personal data, please review the clarification text provided to you.
ANNEX 4 - ADMINISTRATIVE AND TECHNICAL MEASURES
The Company takes the following technical and administrative measures in accordance with Article 12 of the Law to prevent unlawful access to personal data, prevent unlawful processing of such data, and ensure the safekeeping of personal data:
1. Administrative Measures
1.1 Definition of Personal Data Security Policies and Procedures
The Company has defined policies and procedures for the protection of personal data regarding both general processing activities and specific processing processes. Main policies implemented:
Personal Data Protection and Privacy Policy
Cookie Policy
The Company updates its policies, procedures, and internal guidelines in line with any changes in legislation and new decisions made by the Personal Data Protection Authority.
1.2 Identification of Existing Risks and Threats
The Company identifies all risks and threats that could compromise personal data security before any violations occur. Special attention is given to whether these risks and threats pertain to special categories of personal data.
1.3 Measures for Employees
The Company provides training both internally and through legal and technical consultancy services to raise awareness among employees about various information security violations. Employees receive regular training, informational documents, oral briefings, and internal guidelines throughout their employment.
1.4 Data Minimization
In line with the principles outlined in Article 4 of the Law, the Company ensures that it does not process any personal data that is not necessary for the processing activity at hand.
1.5 Measures for Data Processors
When the Company receives support from a sub-processor for processing activities, it first analyzes the sub-processor's competence and adequacy regarding the protection of personal data.
2. Technical Measures
2.1 Information Technology Systems
The Company collaborates with expert service providers for information technology systems to ensure the security of personal data.
2.2 Cybersecurity Measures
The Company takes cybersecurity measures to ensure the security of personal data processed in electronic environments:
Anti-Virus: Licensed antivirus software, which is periodically updated, is installed on all computers and servers
Firewall: Servers are protected by firewalls with regularly updated software in Data Centers and Disaster Recovery Centers
VPN: Servers are connected via IP-SEC VPN, ensuring encrypted traffic between two points
User Definitions and Need to Know: Company employees' access to systems is limited to the extent necessary for their job descriptions
2.3 Monitoring Personal Data Security
The Company regularly audits the physical security of personal data and conducts tests to ensure the security of personal data processed in electronic environments:
Phishing Email Tests: Regular phishing emails are sent to increase awareness among system users
Penetration Tests: Periodic penetration tests are conducted manually by a third-party firm
Information Security Threat and Incident Management: System alerts responsible personnel when a security threat arises
2.4 Securing Environments Containing Personal Data
The Company applies special security measures to protect personal data stored in physical environments:
Physical environments where personal data is stored are kept under lock and key
Necessary precautions are taken against risks such as fire, floods, and theft
For personal data transferred by paper, closed and sealed envelope methods are used
Access to server or archive rooms is protected by additional security measures
2.5 Data Backup
In case of any loss, damage, theft, or disappearance of personal data, the Company uses backed-up personal data to eliminate the risk of loss. The security of the backed-up personal data is also ensured at the highest level.
2.6 Other Examples
All areas of the website where personal data is collected are protected by SSL
Personal data in paper form is always stored in locked cabinets and can only be accessed by authorized personnel
Personal data processed via cookies from third-party services are deleted from third-party systems when the membership ends
User definitions and authorization matrices are available on networks and software
Software systems and cloud storage systems are used with encryption based on the user's access rights
Log records are maintained without any user intervention
Data masking techniques are used when necessary
3. Specific Measures for Sensitive Personal Data
In accordance with the Decision of the Personal Data Protection Authority dated 01/01/2018 and numbered 2018/10:
Employees are provided with training on the processing of special categories of personal data
In contract processes where special categories of personal data are processed, confidentiality agreements and declarations specific to special categories of personal data are signed
Employees with access to special categories of personal data have their access scope and duration clearly defined
The security of electronic environments where special categories of personal data are stored is ensured with cryptographic keys
Log records are kept regularly
Software containing special categories of personal data is continuously updated
If remote access to special categories of personal data is required, access is provided through two-factor authentication keys
The transfer of special categories of personal data is done electronically using encrypted portable memory, KEP addresses, VPNs, or sFTP methods
ANNEX 5 - RETENTION PERIODS OF PERSONAL DATA
Personal data shall be retained in accordance with the following durations unless a longer retention period is required by relevant regulations or company practices.
Data Type
Retention
Period
Legal Basis
Destruction
Period
Personal Data of Members/Users
10 years after the end of the legal relationship
Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502
At the first periodic destruction after the retention period ends
Personal Data of Suppliers
10 years after the end of the legal relationship
Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502
At the first periodic destruction after the retention period ends
Personal Data of Potential Members/Users/Suppliers
2 Years
Based on the legitimate interest of the data controller under Article 5/2-f of the KVKK
At the first periodic destruction after the retention period ends
Personal Data of Online Members/Users
10 years after the end of the legal relationship
Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502
At the first periodic destruction after the retention period ends
Personal Data of Online Visitors (Log Records)
2 years
Law No. 5651 and secondary legislation
At the first periodic destruction after the retention period ends
Records of Commercial Electronic Communication
3 years after the invalidation date of the consent for commercial electronic communication; 3 years from the collection date for other commercial electronic communication records
Law No. 6563; Regulation on Commercial Communication and Commercial Electronic Messages
At the first periodic destruction after the retention period ends
Personal Data of Visitors (Camera Records)
1 month
For security purposes
At the first periodic destruction after the retention period ends