Altınçatı PDPL

ALTIN HAYAT SOCIAL SERVICES EDUCATION FOOD CONSTRUCTION CLEANING

TOURISM AND TRADE LIMITED COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION

The protection of personal data is of great importance to Altın Hayat Social Services Education Food Construction Cleaning Tourism and Trade Limited Company (Hereinafter referred to as the “Company”). Great sensitivity is shown in the protection of the personal data of our employees, employee candidates, interns, company officials, the elderly we provide care services for, their relatives/legal representatives, our suppliers, potential service recipients, visitors, and third parties.

As recognized in Article 20 of the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. This right includes being informed about personal data concerning oneself, accessing these data, requesting their correction or deletion, and learning whether they are used in accordance with their purposes. Personal data can only be processed in cases stipulated by law or with the person’s explicit consent.

It has been adopted as a corporate policy to protect and develop the right to “Protection of Personal Data,” which is a Constitutional right, for our employees, employee candidates, interns, company officials, the elderly we care for, their relatives/legal representatives, suppliers, potential service recipients, visitors, and third parties whose personal data we process in line with the Company’s activities or requirements. With this Policy, the principles adopted by the Company regarding the processing and protection of personal data are set forth.

2. PURPOSE OF THE POLICY

This Policy has been prepared to ensure that activities across the entire Company are carried out in a compliant manner in order to adapt to the Personal Data Protection Law No. 6698 (Hereinafter referred to as “PDPL”), the decisions of the Personal Data Protection Board, and secondary legislation regarding the processing and protection of personal data.

Furthermore, it aims to inform the data subjects whose personal data are processed in the most transparent manner regarding the activities carried out, the measures taken, and the Company principles for the processing and security of personal data by the Company.

3. SCOPE OF THE POLICY

This policy relates to all kinds of operations performed upon personal data belonging to data subjects, such as obtaining, recording, storing, preserving, altering, re-arranging, disclosing, transferring, taking over, making retrievable, classifying, or preventing the use thereof, fully or partially through automatic means, or provided that the process is a part of any data recording system, through non-automatic means, as well as the administrative and technical measures taken for the security of personal data.

4. DEFINITIONS

In this policy:

• Explicit consent: Consent that relates to a specified issue, declared by free will and based on information.
• Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
• Data subject: The natural person whose personal data are processed.
• Relevant user: Persons who process personal data within the data controller’s organization or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backing up of the data.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Law: The Law on the Protection of Personal Data No. 6698 dated 24/3/2016.
• Personal data: Any information relating to an identified or identifiable natural person.
• Processing of personal data: Any operation performed upon personal data such as obtaining, recording, storing, preserving, altering, re-arranging, disclosing, transferring, taking over, making retrievable, classifying, or preventing the use thereof, fully or partially through automatic means, or provided that the process is a part of any data recording system, through non-automatic means.
• Personal data processing inventory: The inventory created by data controllers by associating the personal data processing activities they perform depending on their business processes with the personal data processing purposes, data category, transferred recipient group, and data subject group, and detailing the maximum time required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
• Personal data retention and destruction policy: The policy upon which data controllers base the process of determining the maximum period required for the purpose for which personal data are processed, as well as the deletion, destruction, and anonymization processes.
• Board: The Personal Data Protection Board.
• Authority: The Personal Data Protection Authority.
• Periodic destruction: The ex officio deletion, destruction, or anonymization process to be carried out at recurring intervals specified in the personal data retention and destruction policy in the event that all the conditions for processing personal data in the Law disappear.
• Registry: The data controllers’ registry maintained by the Presidency of the Personal Data Protection Authority.
• Data processor: The natural or legal person who processes personal data on behalf of the data controller upon their authorization.
• Data recording system: The recording system where personal data are processed by being structured according to specific criteria.
• Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

A.)- PROCESSING AND TRANSFER OF PERSONAL DATA

A1 General Principles in Processing Personal Data

Personal data are processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. Our Company acts in accordance with the following principles regulated by Article 4 of the Law while processing personal data:

A1.1 Lawfulness and Conformity with Rules of Bona Fides

Our Company processes personal data in accordance with the relevant legislation and the requirements of the rule of bona fides and uses them within these limits. In this context, our Company takes into account the interests and reasonable expectations of the data subject while processing personal data (e.g., providing a sustainable care service for those receiving service while providing a healthy working relationship for employees) and takes care to make the data processing activity transparent for the data subject.

A1.2 Accuracy and Being Up-to-Date Where Necessary

Our Company ensures that the personal data it processes are accurate and up-to-date by taking into account the fundamental rights and legitimate interests of the personal data owners. In this context, it carefully considers issues such as ensuring the sources from which data are obtained are specific, confirming their accuracy, and evaluating whether they need to be updated. Our Company keeps channels open to ensure that the data subject’s information is accurate and up-to-date.

A1.3 Processing for Specific, Explicit, and Legitimate Purposes

Our Company processes personal data for legitimate purposes and shares the clearly and precisely determined data processing purpose with the data subjects. The purpose being legitimate means that the personal data processed by our Company is connected to and necessary for the business it performs or the services it offers. The purposes for which the data collected from the data subjects are processed are stated clearly and precisely in the clarifications made to the data subjects and the explicit consents obtained.

A1.4 Being Relevant with, Limited to, and Proportionate to the Purposes for Which They are Processed

Our Company ensures that the processed personal data are suitable for the realization of the determined purposes and avoids the processing of personal data that are not related to or not needed for the realization of the said purpose.

A1.5 Being Retained for the Period of Time Stipulated by the Relevant Legislation or the Purpose for Which They are Processed

Our Company complies with the periods foreseen for the retention of data in the relevant legislation, if any; otherwise, it retains personal data only for the period necessary for the purpose for which they are processed. The retention period of personal data varies according to the nature of the business or service carried out by our Company or the data obtained. In the event that all the processing conditions of a personal data disappear, our Company destroys the relevant data during the first 6-month periodic destruction period following the date on which the obligation to destroy arises.

A2. Conditions for Processing General Personal Data

As a rule, our Company does not process personal data without the explicit consent of the data subject. However, in the presence of one of the following conditions stipulated in Article 5/2 of the Law, personal data may be processed without seeking the explicit consent of the data subject.

A2.1. Being Explicitly Stipulated in the Laws

Our Company may process the personal data of personal data owners even without their explicit consent in cases expressly provided for by the laws. For instance, the processing of the personal data of our Employees in accordance with Labor Law legislation, and the processing of the personal data of the elderly receiving care services within the scope of Law No. 2828 will be evaluated within this context.

A2.2 Being Mandatory for the Protection of Life or Physical Integrity of the Person Himself/Herself or of Any Other Person, Who is Unable to Explain His/Her Consent Due to the Physical Disability or Whose Consent is Not Deemed Legally Valid

Personal data may be processed without explicit consent by our Company in cases where the data subject is unable to declare their consent due to a physical impossibility or where their declared consent is invalid, to protect the life or physical integrity of individuals. For example, in a situation where the person we provide care to is unconscious or mentally ill, making their consent invalid, their personal data may be processed during a medical intervention to protect their life or physical integrity. In this regard, our company informs the legal representative of the data subject to the extent deemed necessary. In this context, the processing of personal data over a phone, computer, or other technical tool carried by a person whose freedom is restricted, for the purpose of determining their location, is not subject to the explicit consent of the data subject.

A2.3 Processing of Personal Data of the Parties of a Contract is Necessary, Provided That it is Directly Related to the Establishment or Performance of the Contract

Personal data may be processed by our Company in connection with the establishment or performance of a contract. For instance, the account number of the creditor party can be obtained to pay the money as required by a contract.

A2.4 Being Mandatory for Our Company to Fulfill Its Legal Obligation

If the processing of personal data is mandatory for our Company to fulfill its legal obligations, the necessary personal data may be processed by our Company without the explicit consent of the data subjects. For example, some personal data belonging to the personnel employed in our care centers are requested from us by the Provincial/District directorates affiliated with the Ministry of Family and Social Policies. The relevant information may be submitted for the review of relevant public officials.

A2.5 Being Made Public by the Data Subject Himself/Herself

Our Company may process the personal data of the data subject that has been made public by the data subject themselves, in other words, disclosed to the public in any way and thus accessible to everyone, under the assumption that the legal interest requiring protection in the processing of such data has disappeared.

A2.6 Data Processing is Mandatory for the Establishment, Exercise, or Protection of Any Right

Our Company can process the personal data of data subjects without seeking explicit consent in cases where data processing is mandatory for the exercise or protection of a legally legitimate right.

A2.7 Processing of Data is Mandatory for the Legitimate Interests of Our Company, Provided That This Processing Shall Not Violate the Fundamental Rights and Freedoms of the Data Subject

Our Company may process the personal data of data subjects in cases where data processing is mandatory for the provision of legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subjects protected under the Law and the Policy. Our Company shows the necessary sensitivity to comply with the basic principles regarding the protection of personal data and to observe the balance of interests between our Company and the data subjects.

A2.8 Presence of the Explicit Consent of the Personal Data Owner

Obtaining explicit consent for the processing of personal data is a Company priority. For this reason, necessary methods have been developed to obtain the explicit consents of the data subjects whose personal data we process in physical and electronic environments.

Before obtaining the consent of the data subjects for the processing of their personal data, the clarification obligation is fulfilled in line with Article 10 of the PDPL, and their explicit consent, based on information and free will regarding a specific issue, is obtained.

A3. Conditions for Processing Special Categories of Personal Data

The PDPL places special importance on certain personal data, considering their potential for discrimination and the fact that they may lead to the victimization of individuals if processed unlawfully, and these data are named “special categories of personal data.”

Which data constitute special categories of personal data are listed in Article 6 of the Law. Accordingly, data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometrics and genetics, are special categories of personal data.

The Company shows special sensitivity in the processing of the aforementioned “special categories of personal data,” to which the PDPL attributes special importance. Employees involved in the processing of special categories of personal data are trained on the Law, related regulations, and the security of special categories of personal data; confidentiality agreements are signed; data access authorization is restricted; and the authorizations in these areas for employees whose duties change or who leave their jobs are immediately revoked.

The transaction records of all movements carried out in electronic environments where special categories of personal data are stored are securely logged, security updates of the environments where the data are located are constantly monitored, necessary security tests are conducted regularly, and the test results are recorded. Adequate security measures are taken in the physical environments where special categories of personal data are retained, and unauthorized entries and exits to the said environments are prevented.

The explicit consent of the data subjects for the processing of the said data is our company’s priority. By our Company, special categories of personal data can only be processed in the following exceptional cases determined in the PDPL in the absence of the explicit consent of the data subject;

• Personal data other than health and sexual life may be processed without seeking the explicit consent of the data subject in cases provided for by law.
• Personal data relating to health and sexual life may only be processed for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of secrecy or competent institutions and organizations without seeking the explicit consent of the data subject; however, our company provides services in the capacity of a care center and, in this context, provides care and medical services to the individuals it serves.

A4. Conditions for the Transfer of Personal Data

A4.1 Domestic Transfer of General Personal Data

In line with its personal data processing purposes, our Company may transfer the personal data and special categories of personal data of data subjects to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of personal data. In this context, our Company transfers personal data to third parties for legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law, listed below;

• If there is explicit consent of the data subject,
• If explicitly stipulated in the laws,
• If there is an explicit regulation in the laws that the personal data will be transferred,
• If it is necessary for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving consent or whose consent is not deemed legally valid,
• If it is necessary to transfer the personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
• If it is mandatory for the exercise or protection of a right of our Company,
• If data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

A4.2 Conditions for Domestic Transfer of Special Categories of Personal Data

Our Company can transfer the special categories of personal data of data subjects to third parties in a manner appropriate to the principles adopted in the processing of personal data.

Sensitivity is shown to obtain the consent of the data subject in the transfer of special categories of personal data to third parties, and special categories of personal data are transferred domestically by taking adequate technical and administrative measures. However, in the presence of the situations specified below, special categories of personal data can be transferred without the explicit consent of the data subject by taking sufficient technical and administrative measures;

• Data relating to the race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, criminal conviction and security measures, and biometrics and genetics of individuals, in cases provided for by law,
• Personal data relating to health and sexual life, only for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of secrecy or competent institutions and organizations.

Conditions for the Cross-Border Transfer of General Personal Data:

• Our Company may transfer the personal data and special categories of personal data of data subjects to third parties abroad by taking the necessary security measures in line with the purposes of processing personal data. If personal data transfer is mandatory for our Company to fulfill its legal obligation,
• If the personal data have been made public by the data subject,
• If the transfer of personal data is for the establishment of a right,

personal data may be transferred by the company to foreign countries declared to have adequate protection by the Board in the light of Article 9 of the Law or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country commit to adequate protection in writing and where the Board has granted permission.

Our Company can transfer the personal data of data subjects abroad in a manner appropriate to the principles adopted in the processing of personal data.

In the absence of explicit consent from the data subject, provided that there is adequate protection in the country to which the data will be transferred or the data controller to whom the personal data will be transferred commits to adequate protection in writing and the permission of the Personal Data Protection Board exists, it is possible to transfer their personal data abroad in the presence of one of the following conditions:

• Being explicitly stipulated in the laws.
• Being mandatory for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
• Being necessary to process the personal data of the parties of a contract, provided that it is directly related to the establishment or performance of the contract.
• Being mandatory for the data controller to fulfill their legal obligation.
• Being made public by the data subject himself/herself.
• Data processing being mandatory for the establishment, exercise, or protection of any right.
• Data processing being mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

A4.3 Conditions for the Cross-Border Transfer of Special Categories of Personal Data

Our Company can transfer the personal data of data subjects abroad in a manner appropriate to the principles adopted in the processing of personal data.

Provided that there is adequate protection in the country to which the data will be transferred or the data controller to whom the personal data will be transferred commits to adequate protection in writing and the permission of the Personal Data Protection Board exists, it is possible to transfer personal data abroad without the need for the explicit consent of the data subject in the presence of one of the following conditions:

• Data relating to the race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, criminal conviction and security measures, and biometrics and genetics of individuals, in cases provided for by law,
• Personal data relating to health and sexual life, only for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of secrecy or competent institutions and organizations.

Monitoring of the Building and Care Centers with Security Cameras

Monitoring activities with cameras are carried out by the Company in accordance with the Law on Private Security Services and relevant legal legislation. Personal data recorded through security cameras are processed only for security purposes, and the personal data processing principles and conditions stipulated in the PDPL are observed.

Necessary sensitivity is shown not to violate individuals’ fundamental rights and freedoms and the privacy of private life, and a balance is struck between the aim of ensuring Company security and protecting its legitimate interests and the protection of the rights of the data subjects.

Accordingly, when determining the positioning, number, and recording time of the security cameras, planning is done to be sufficient to provide security. Monitoring activity with security cameras is not carried out in areas that could constitute the privacy of private life.

Data subjects are informed about the data processing process by hanging notices in visible areas of the Company’s buildings and facilities, stating that 24/7 monitoring is performed with a security camera and that the images are recorded.

The Company takes the necessary administrative and technical security measures to ensure the security of personal data recorded by security cameras. Access to recorded images can only be provided by a limited number of Company employees.

Visitor Entries to Company Buildings and Care Centers

For the purpose of ensuring security, the Company carries out data processing activities at the entrances of the company building and care centers in order to track visitor entries and exits. In this context, personal data such as visitors’ names-surnames, vehicle license plate information, etc., can be stored for a certain period to ensure the security of the building and care centers and can only be used for this purpose.

In accordance with Article 10 of the PDPL, the Company fulfills its obligation to clarify as a data controller and informs the relevant persons about this matter. By posting notifications in visible areas in buildings and facilities that visitors’ personal data are processed for security purposes, data subjects are ensured to be clarified about the data processing process.

PERSONAL DATA OF WEBSITE VISITORS

On some of the internet sites belonging to the Company, the information of the people visiting these sites can be recorded by technical means (like cookies) or by sharing them by the visitor during the membership stage.

On the websites belonging to the Company, the “Clarification Text on the Protection and Processing of Personal Data” has been published within the scope of Article 10 of the PDPL regarding how and for what purpose personal data are obtained, and visitors have been informed about this issue.

1. CLARIFICATION REGARDING THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT SPECIFIED IN THE LAW
2. Clarification of the Data Subject

Our Company clarifies personal data owners – data subjects during the collection of personal data in accordance with Article 10 of the Law and the provisions of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Clarify published in the Official Gazette dated 10.03.2018. To access detailed information regarding the processing of personal data, you can review the Clarification Text located at the address [WEBSITE ADDRESS TO BE INSERTED]. In this context, as stated above, it provides clarification regarding the identity of the data controller, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the rights of the data subject.

2. Rights of the Data Subject Stipulated in the Law

Our Company informs you of your rights under Article 11 of the Law and the provisions of the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette dated 10.03.2018; guides you on how to exercise the said rights and carries out the necessary internal operations, administrative and technical arrangements for all these. In accordance with Article 11 of the Law, our Company explains to data subjects that they have the right to;

• Learn whether personal data is processed or not,
• Request information if personal data has been processed,
• Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• Know the third parties to whom personal data is transferred domestically or abroad,
• Request the correction of personal data if they are incomplete or incorrectly processed,
• Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
• Request notification of the operations carried out pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data have been transferred,
• Object to the occurrence of a result against the person themselves by analyzing the processed data exclusively through automated systems,
• Demand the compensation of the damage in case of incurring damage due to the unlawful processing of personal data.

Your requests regarding the implementation of the Law will be submitted using the methods explained in the application form by using the Personal Data Protection Law Data Subject Application Form, which you can access from the address [WEBSITE ADDRESS]. In accordance with Article 13/2 of the Law, our Company concludes the requests submitted to it free of charge as soon as possible and at the latest within thirty days, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

Our Company may accept your request or reject it by explaining its reasoning; it notifies its response in writing or electronically. In cases where your application is rejected, you find the response insufficient, or your application is not responded to in time; you have the right to file a complaint to the Board within thirty days from the date you learned of our response and, in any case, within sixty days from the date of application.

SECURITY OF PERSONAL DATA

The Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the retention of personal data.

In this context, first of all, a study has been carried out to determine what personal data are processed by our Company, risks that may arise regarding the protection of these data have been identified by considering whether the processed personal data are special categories of personal data, and necessary technical and administrative measures for reducing or eliminating the risks have been put into practice.

In order to ensure personal data security, regular training is provided to personnel and managers to prevent the unlawful disclosure and sharing of personal data and to raise awareness about the PDPL.

Furthermore, employees involved in personal data processing processes are asked to sign confidentiality agreements as a part of their business processes, and the necessary disciplinary process is carried out in the event that employees are found to act contrary to security policies and procedures.

The Company has limited access on a personnel basis to personal data included in the data processing processes, and a limited number of personnel have been granted access authorization to personal data related to the business processes they execute. Data processing activities performed by the personnel are recorded.

Technical systems have been established for monitoring and auditing the processes related to the processing of personal data to prevent the unlawful processing of personal data and unlawful access to personal data. Regular internal audits are carried out to prevent the unlawful processing of personal data and unlawful access to personal data.

Technical methods with an appropriate level of security are used to prevent unlawful access to personal data and to ensure they are stored in secure environments. In the event of an internal or external attack on the Company data recording system, software and services running on the IT networks and whether there is any infiltration or inappropriate movement on the IT networks are regularly checked, and the transaction movements of all users are regularly kept so that this situation can be noticed early and intervened early.

DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Pursuant to Article 7 of the PDPL, despite having been processed in accordance with the provisions of the legal legislation, in the event that the reasons for processing disappear or the period stipulated in the legislation expires, the Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject.

Personal data preserved in physical environments are deleted, destroyed, or made anonymous ex officio or upon the request of the relevant person in the event that the purpose of data processing is achieved or the period foreseen in the legislation expires.

Personal data recorded in digital data recording systems are deleted, destroyed, or made anonymous ex officio or upon the request of the relevant person in the event that the purpose of data processing is achieved or the period foreseen in the legislation expires.

Personal data anonymized pursuant to the PDPL fall outside the scope of the PDPL. Making personal data anonymous means rendering personal data impossible to link with an identified or identifiable natural person under any circumstances, even through matching them with other data.

In the event that the reasons for processing the personal data disappear or the period foreseen in the legislation expires, the personal data can be anonymized ex officio or following the request of the data subject. Anonymized personal data can be used for purposes such as research, statistics, and planning, can be stored indefinitely, and can be transferred domestically and abroad.

Regarding the destruction of personal data, the “Personal Data Retention and Destruction Policy” has been prepared and announced on the Company’s website.

 CASES WHERE THE POLICY AND THE LAW WILL NOT BE APPLIED FULLY OR PARTIALLY

Pursuant to Article 28/1 of the Law, the provisions of this Policy and the Law shall not apply in the following cases:

• Processing of personal data by natural persons within the scope of activities completely related to themselves or family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
• Processing of personal data for purposes such as research, planning, and statistics by making them anonymous with official statistics.
• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.
• Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations granted duty and authority by law to ensure national defense, national security, public safety, public order, or economic security.
• Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.

Provided that it is in accordance with and proportionate to the purpose and fundamental principles of this Policy and the Law, Article 10 regulating the data controller’s obligation to clarify, Article 11 regulating the rights of the data subject (excluding the right to demand compensation for damages), and Article 16 regulating the obligation to register with the Data Controllers’ Registry shall not apply in the following cases pursuant to Article 28/2 of the Law:

• Personal data processing is necessary for the prevention of committing a crime or for a criminal investigation.
• Processing of personal data made public by the data subject themselves.
• Personal data processing is necessary for the execution of auditing or regulatory duties and for disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations having the nature of a public institution, based on the authority granted by the law.
• Personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax, and financial matters.