ULUSOY CONSTRUCTION INVESTMENT SAN. TRADE. A.Ş (“ULUSOY İNŞAAT”) , hereinafter referred to as Personal Data Protection Law No. 6698 (“Law”).

ULUSOY İNŞAAT fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the relevant person and ensuring data security, within the scope of the principles stipulated by the Law .

This Privacy and Personal Data Protection Policy, which has been prepared in accordance with the Law, is made available to natural persons whose personal data is processed (“data owner”).

1. Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy is ULUSOY İNŞAAT ‘s ;

• Methods and legal reasons for collecting personal data,
• Which groups of people’s personal data are processed (Data Owner Categorization ),
• Which categories of personal data of data owners are processed (Data Categories) and sample data types,
• For what purposes the relevant personal data is used,
• Technical and administrative measures taken to ensure the security of personal data,
• To whom personal data may be transferred and for what purposes,
• Personal data sharing with public institutions and organizations and official authorities,
• Storage periods of personal data,
• Profiling and segmentation
• What are the rights of data owners over their personal data and how can they exercise these rights?

states in detail .

1. Personal Data Collection Methods and Legal Reasons

ULUSOY İNŞAAT uses personal data in stores, call center, Websites, social media accounts, e-mail, mail, call center , CCTV, cookies, fax , notifications from administrative and judicial authorities and other communication channels in audio, electronic or written form, in accordance with the personal data processing conditions specified in the KVK Law and for the legal reasons specified in this Privacy and Personal Data Protection Policy . Collects accordingly.

1. Data Owner Categorization

ULUSOY İNŞAAT groups the data owners whose personal data it processes as follows, and it may be possible for these person groups to expand in light of the process and legal reasons specified in this policy.

1. Customer,
2. Online Customer,

iii. Visitor

1. Online Visitor
2. Business Solution Partner / Supplier
3. Data Categories and Sample Data Types

No.	Data Owner	Data Category	Data Types
one.	Customer	Identity Information	Name- Surname , Gender, TR Identity Number, TR Identity Information (Wallet serial number , family sequence number , etc.), Date of Birth, Place of Birth, Marital Status, Passport Number
		Communication information	Address (home/work), Email, Telephone / Mobile Phone
		Financial Information	Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information
		Customer information	Customer Number, Customer Commercial Relationship Start/End Date and Reason, Customer Requests, Customer Satisfaction Information, Product-Related Complaints and Request Information
		Personnel and Professional Information	Retirement Information, Insurance Information, Educational Status, Graduation Information, Organization Affiliated
		Legal Action and Compliance Information	Official Reports (Police etc.), Power of Attorney
		Special Personal Data	Diopter Information, Hospital Reports
		Transaction Security Information	Call Center Records, Credit Card Number, Credit Card Expiration Date
		Family Members and Relatives Information	Name- Surname , Degree of Relation, Profession, School, Date of Birth, Mobile Phone
		Other	Call Center Records, CCTV
2.	Online Customer	Identity Information	Name- Surname , Gender, Date of Birth, Place of Birth
		Communication information	Address (home/work), Email, Telephone / Mobile Phone
		Financial Information	Bank Account Information, Payment Information
		Customer information	Customer Number, Customer Commercial Relationship Start/End Date and Reason, Customer Requests, Customer Satisfaction Information, Product-Related Complaint and Request Information, Website Usage Habit, Call Details, Customer Instructions and Records
		Personnel and Professional Information	Retirement Information, Insurance Information, Educational Status, Graduation Information, Organization Affiliated
		Marketing Information	Product Preferences, Satisfaction Survey Results
3.	Visitor	Identity Information	Name- Surname , TR Identity Number, Passport Number
		Communication information	Email, Phone / Mobile Phone
		Transaction Security Information	5651 Logs
		Other	Vehicle License Plate, CCTV
4.	Online Visitor	Transaction Security Information	Password, Member Number, Mobile Phone
		Legal Transaction Information	IP Address
5.	Business Solution Partner / Supplier	Identity Information	Name- Surname , Gender, TR Identity Number, TR Identity Information (Wallet serial number , family order number , etc.), Date of Birth, Place of Birth, Marital Status, Professional IDs
		Communication information	Address, Email, Phone / Mobile Phone
		Financial Information	Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information, Letter of Guarantee Copies/Photocopies
		CV and Professional Information	Educational Status, Military Service Status, Sector Information, Organization Affiliated , Work Start/End Date , Title , Insurance Information
		Legal Action and Compliance Information	Signature Circular, Activity Information, Power of Attorney
		Special Personal Data	Criminal Record, Signature, Health Information
		Other	Vehicle License Plate, CCTV, Photo

 

1. For what purposes is personal data used?

Personal data is used by ULUSOY İNŞAAT for the following purposes;

• Carrying out the necessary work by the relevant business units and carrying out the related business processes in order to realize the commercial activities carried out by the company.
• Planning and/or Execution of Effectiveness/Efficiency and/or Suitability Analyzes of Business Activities
• Planning and/or Execution of Business Continuity Ensuring Activities
• Planning and Execution of Logistics Activities
• Planning and Execution of Corporate Communication Activities
• Planning and Execution of Supply Chain Management Processes
• Planning, Auditing and Execution of Information Security Processes
• Follow-up of Company Finance and Accounting Affairs
• Planning and Execution of Company Operation Processes
• Planning and Execution of External and Internal Training Activities
• Management of Relationships with Business Partners and/or Suppliers
• Planning and Execution of Sales Processes of Products and/or Services
• Planning and/or Execution of After-Sales Support Services Activities
• Planning and Execution of Customer Relationship Management Processes
• Tracking of Customer Requests and/or Complaints
• Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services
• Planning and Execution of Marketing Processes of Products and/or Services
• Planning and/or Execution of Customer Satisfaction Activities
• Following up Legal Affairs and Fulfilling Legal Responsibilities
• Planning and Execution of Operational Activities Necessary to Ensure Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation
• Providing Information Based on Legislation to Authorized Institutions
• Planning and Execution of Company Audit Activities
• Ensuring the Security of Company Campuses and/or Facilities
• Ensuring the Security of Company Operations
• Provision of Company Premises and Movables
• Ensuring the Security of Company Fixtures and/or Resources
• Creating Visitor Records

1. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

ULUSOY İNŞAAT undertakes to take all necessary technical and administrative measures and to show due care to ensure the confidentiality, integrity and security of your personal data. In this context, it takes the necessary measures to prevent misuse of personal data, unlawful processing, unauthorized access to data, disclosure, modification or destruction of data.

ULUSOY İNŞAAT takes the following technical and administrative measures to prevent unlawful access to the personal data it processes, to prevent unlawful processing of these data, and to ensure the preservation of personal data:

Anti-Virus

Periodically updated anti-virus application is installed on all PCs and Servers in ULUSOY İNŞAAT ‘s information technologies infrastructure.

firewall

ULUSOY İNŞAAT servers are protected by firewalls loaded with periodically updated software, and the relevant new generation firewalls control the internet connections of all personnel and provide protection against viruses and similar threats during this control.

VPN

Stores are connected to server systems via IP-SEC VPN, and traffic between 2 points is transmitted encrypted.

Suppliers can also access ULUSOY İNŞAAT servers or systems via SSL-VPN defined on Firewalls. A separate SSL-VPN definition has been made for each supplier, and with this definition, the supplier only accesses the systems that it needs to use or has been authorized.

User Definitions and Need to Know

ULUSOY CONSTRUCTION and Store employees regarding ULUSOY CONSTRUCTION systems are limited only to the extent necessary by their job descriptions, and in case of any change in authority or duty, their systemic authorities are updated immediately.

Information security Threat and Incident Management

ULUSOY İNŞAAT servers and Firewalls are transferred to the “Information Security Threat and Event Management” system. This system warns responsible personnel when a security threat occurs and provides the opportunity to respond to the threat immediately .

Penetration Test

Periodically, penetration tests on the servers, computers and a sample store in the ULUSOY İNŞAAT system are carried out manually by a supplier company. The security vulnerabilities that arise as a result of this test are closed, and a verification test is performed to verify that the relevant security vulnerabilities are closed. In addition, penetration testing is performed automatically by the Information Security Threat and Incident Management system.

BYGS

The topics included in the control forum at the ISMS meetings established within ULUSOY İNŞAAT are inspected monthly by the Information Technologies Director and CFO. Since [*insert year*], the audit list created in accordance with Cobit standards and GV’s audit standards has been periodically checked.

Fishing Email Tests

ULUSOY İNŞAAT system users, Fishing e-mails are regularly sent to users. According to the results, training is provided to the users through the ULUSOY İNŞAAT User Portal .

Education Portal

Portal is actively used to increase the awareness of ULUSOY İNŞAAT employees against various information security violations and to minimize the effect of the human factor in information violation incidents . All employees have received Cyber Security and Information Security training online.

clean Table & Clean Desk

ULUSOY İNŞAAT internal rules , Headquarters and Store employees table & clean is obliged to comply with the ” desk ” principle.

Other

All areas on the website where personal data is collected are protected by SSL.

the Pseudonymization (pseudonymised data) method àfor all secondary data processing other than the primary processing purpose (Example: Ahmet Yılmaz “A… Y…”).

paper form is kept in locked cabinets and can only be accessed by authorized persons.

Personal data processed through cookies belonging to third parties from whom services are received are deleted from third party systems if the membership is terminated.

ULUSOY İNŞAAT takes the necessary information security measures, in the event that personal data is damaged or obtained by unauthorized third parties as a result of attacks on the platforms operated by ULUSOY İNŞAAT or the ULUSOY İNŞAAT system, ULUSOY İNŞAAT immediately notifies you and the Personal Data Protection Board of this situation and takes the necessary precautions.

1. To Whom and For What Purposes Personal Data Can Be Transferred

ULUSOY İNŞAAT transfers personal data to third parties and its shareholders abroad only for the purposes specified in this Privacy and Personal Data Protection Policy and in accordance with Articles 8 and 9 of the Law.

Personal data transfers carried out in this context are carried out through the secure environment and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties; In all cases where there is no need to transfer the data owner’s personal data, the transfer is made using Pseudonymous data.

Personal data subject to domestic and international transfer as mentioned above, in addition to technical measures to ensure their security ; It is also legally protected thanks to the Law-compliant provisions included in our contracts, taking into account whether the other party to the legal relationship is the data controller or data processor.

 

No.	Data Owner	With whom and for what purpose is personal data shared?
one.	Customer / Online Customer	Sharing contact information with the SMS Supplier in order to send SMS to customers with ETK permissions to notify them about commercial or organizational issues such as store opening/closing ; Sharing invoice information with the e-invoice supplier to send the customer’s e-invoice electronically; Sharing personal data with the Call Center for the purpose of resolving customer requests and complaints; Sharing personal data with a lawyer for the purpose of preparing a defense petition in case consumers apply to the Consumer Arbitration Committee; Sharing the information of the person to whom the purchased product will be delivered with the cargo company; Anonymous sharing of personal data with the supplier in order to supply products; Within the scope of reporting and statistical studies, Customer personal data is transferred to ULUSOY İNŞAAT sharing with its shareholders; Sharing physical and electronic customer data with suppliers for storage ; and Website usage preferences and navigation history are shared with third parties for the purpose of segmentation and communicating with the Customer in line with their likes and preferences.
2.	Business Solution Partner / Supplier	ULUSOY CONSTRUCTION Sharing identity data with the shopping mall management in case of any work to be carried out in the stores ; and Sharing physical and electronic business solution partner/supplier data with suppliers for the purpose of storing them.

 

 

 

 

 

 

 

 

1. Personal Data Sharing with Public Institutions and Organizations and Official Authorities

No.	Data Owner	With whom and for what purpose is personal data shared?
one.	Customer / Online Customer	Sharing customer personal data with SSI during the audit of SSI and the Ministry of Health; Reporting any illegal situations occurring in the store to the relevant official institutions, such as the prosecutor’s office ; and processes such as sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits.
2.	Visitor / Online Visitor	ULUSOY İNŞAAT traffic information such as personal data and navigation information regarding the visit or membership to the electronic commerce platforms it operates; Sharing with public institutions and organizations that are legally authorized to request this information within the scope of legal obligations (in cases where ULUSOY İNŞAAT has a legal or administrative obligation to notify or provide information , such as fighting against crime, threat to state and public security , etc., but not limited to this). ; Sharing log records with official institutions ; and camera recordings are shared with official institutions such as the prosecutor’s office and the court upon request.
3 .	Business Solution Partner / Supplier	Sharing the current cards opened within the scope of relations with Business Solution Partners / Suppliers with the Trade Registry Offices and notary public; Sharing personal data with relevant public institutions and notaries in order to make legal notifications required by accounting; Sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits; and Processes such as sharing financial data with the bank in order to fulfill the payment obligation arising from the existing commercial relationship.

 

1. Storage Periods of Personal Data

ULUSOY İNŞAAT preserves the personal data it processes in accordance with the Law for the periods stipulated in the relevant legislation or required by the purpose of processing. In the Personal Data Storage and Destruction Policy [*insert link*] these times are approximately as follows:

 

Data Type	Storage Period	Legal Basis
Personal Data Regarding Customers	10 years from the end of the legal relationship; 3 years in accordance with Law No. 6563 and relevant secondary legislation	Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502,
Personal Data Regarding Business Solution Partners / Suppliers	10 years from the end of the legal relationship	Law No. 6102, Law No. 6098 and Law No. 213
CV and Personnel Information Received During Job Application	2 years	Communicating with Candidates Who Have Applied in the Past About New Positions
Call Center Voice Recordings	3 years	Law No. 6563 and relevant secondary legislation
Personal Data Regarding Online Customers	10 years after the legal relationship ends; 3 years in accordance with Law No. 6563 and relevant secondary legislation	Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502,
Personal Data Regarding Potential Customers	1 year	Performing Retrospective Analysis
Personal Data About Visitors (Camera Recordings)	3 months	Ensuring Security
Personal Data Regarding Online Visitors	2 years	Law No. 5651
All Records Regarding Accounting and Financial Transactions	10 years	Law No. 6098

 

1. Profiling and Segmentation

by ULUSOY İNŞAAT regarding its Customers and Online Customers;

1. Regarding the Customer and Online Customer who have given permission for commercial electronic messages, it carries out profiling and segmentation in order to prepare content, advertisement, promotion and discounts according to the tastes and preferences of the Customer and Online Customer .
2. Profiling and segmentation is also carried out in terms of Customers and Online Customers who have not given commercial electronic message approval ;

• of customers’ preferences, complaints and suggestions (updating the product catalog by determining the most and least preferred products),
• Organizing special campaigns for customers with high potential to purchase a product, with special models created as a result of analyzing customers’ product preferences,
• Conducting studies to increase the preferability of products,
• of profiling and segmentation studies, personal data of Customers and Online Customers are not used directly, and transactions are carried out through special customer numbers determined for each member. In this way, it ensures the protection of personal data and these customer numbers are also to Within the scope of the “Know ” principle, it is accessible only to relevant persons or departments.

1. What are the rights of data owners over their personal data and how can they exercise these rights?

The rights that data owners have in accordance with Article 11 of the Law are stated below:

(1) Learning whether personal data is being processed or not,

(2) Requesting information if personal data has been processed,

(3) Learning the purpose of processing personal data and whether they are used for their intended purpose,

(4) Knowing the third parties to whom personal data are transferred domestically or abroad,

(5) Requesting correction of personal data if they are incomplete or incorrectly processed,

(6) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law,

(7) To request that the transactions carried out in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data is transferred,

(8) Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,

(9) Request compensation for damage in case of damage due to unlawful processing of personal data.

In order to exercise your rights over your personal data; Necessary changes, updates and/or changes can be made via the “Contact Form” that you can access from the ULUSOY İNŞAAT Website, ULUSOY İNŞAAT’s official e-mail address musterihizmetleri@ ULUSOY İNŞAAT .com.tr and the official telephone line “[*phone number*]”. You can perform operations such as deletion and related requests.

2. Conditions for Deletion, Destruction and Anonymization of Personal Data

ULUSOY İNŞAAT stores the personal data it collects and processes within the scope of its business processes from channels such as physical, electronic, Website and E-mail, for the periods stipulated by the relevant laws and/or the periods required by the purpose of processing, in accordance with Articles 7, 17 of the Law and Article 138 of the Turkish Penal Code. If these periods expire, it will delete, destroy or anonymize it in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Guide on Deletion, Destruction or Anonymization of Personal Data.

ULUSOY İNŞAAT refers to the process of making personal data inaccessible and unusable for the relevant users in any way.

ULUSOY İNŞAAT refers to the process of making personal data inaccessible, irretrievable and unusable by anyone.

Anonymization of personal data by ULUSOY İNŞAAT means that personal data cannot be associated with an identified or identifiable natural person in any way, even if they are matched with other data.

ULUSOY İNŞAAT explains in detail the methods for deletion, destruction and anonymization and the technical and administrative measures taken within the scope of the Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data. You can access the Personal Data Storage and Destruction Policy via the [*insert link*] link. In this Policy , the time period for the periodic destruction stipulated by the Regulation is determined as 6 months.

3. Changes to the Privacy and Personal Data Protection Policy

ULUSOY İNŞAAT may make changes to this Privacy and Personal Data Protection Policy at any time. These changes take effect immediately upon the publication of the new amended Privacy and Personal Data Protection Policy . Necessary information will be provided to you so that you can be informed about the changes in this Privacy and Personal Data Protection Policy .