CLARIFICATION TEXT ABOUT THE LAW ON PROTECTION OF PERSONAL DATA

This information is provided in accordance with Article 10 of Law No. 6698 on the “Protection of Personal Data” and due to legal obligation. This text, prepared within the scope of companies holding the title of data controller in terms of their legal personalities, in all of our facilities which operate within the Özyer Group and provide services under the Hotel management, has been prepared in compliance with the provisions mentioned in the Law on the Protection of Personal Data, adhering to the elements mentioned therein.

Lykia Turizm Yatırımları Sanayi ve Ticaret Anonim Şirketi (Liberty Lykia)

Ayfaba Turizm Yatırımları İnşaat Anonim Şirketi (Liberty Fabay)

Özyer Turizm Sanayi ve Ticaret A.Ş. (Liberty Lara, Liberty Kuşadası, Sundia By Liberty Suncity)

Ölüdeniz Otelcilik Turizm Sanayi ve Ticaret A.Ş. (Sundia By Liberty Ölüdeniz)

Fethiye Enerji Sanayi ve Ticaret Anonim Şirketi (Sundia Exclusive By Liberty Fethiye)

Ephesus Golf İşletmeciliği Turizm Sanayi ve Ticaret A.Ş (Ramada Resort By Wyndham Kuşadası, Ramada Suite By Wyndham Kuşadası)

Hez Turizm Yatırımları San. Ve Tic. A.Ş (Liberty Signa)

 

From now on, the term "Affiliates" will be used to refer to all the companies mentioned above in the continuation of the text.

The Affiliates, as data controllers under the Law, the Regulation, which is the secondary regulation of the Law, and other legislation, have prepared this text for the purposes of processing, protection, determination of the maximum retention period necessary for the purpose of processing, deletion, destruction, or anonymization of personal data at the end of the determined retention period, and the determination of the process for fulfilling the requests of the individuals related to the processed personal data of, primarily:

Their guests

Prospective guests

Visitors

Employees,

Partners and employees of other companies in partnership, including but not limited to all of its addressees.

 

The purpose of this document and the Liberty Hotels Group Personal Data Retention and Destruction Policy is to inform you who make hotel reservations on our affiliates' websites, browse the websites or fill out provided forms about the commitments undertaken by our Affiliates to ensure the protection of personal data of such people.

Specifically, we aim to inform you about the personal data we collect from you, how we use, disclose and protect this data, and finally, how you can exercise your rights over this data.

1. Purposes of Processing Personal Data

Our affiliates process the personal data provided by you and related to you in the following situations:

When you browse our websites.

When you make reservations directly on the website for the following hotels: Liberty Lykia, Liberty Lara, Liberty Fabay, Sundia Exclusive By Liberty Fethiye, Sundia By Liberty Ölüdeniz, Sundia By Liberty Suncity, Liberty Signa, Liberty Kuşadası, Ramada Resort By Wyndham Kuşadası and Ramada Suite By Wyndham Kuşadası.

When you consent to receiving newsletters and other marketing/commercial content from us.

When you wish to contact our affiliates to ask questions, file complaints, or apply for a job through our communication form.

The personal data (such as name, surname, date of birth, identification and passport information, work, home and mobile phone numbers, email address, gender, address, occupation, education, marital status, vehicle plate number, accommodation, credit card, spending and flight information, shopping details, invoice information, consumption preferences, etc.) is processed by our Affiliates for the purposes of:

Carrying out the necessary work by business units to make their stakeholders benefit from the products and services offered.

Offering products and services, ensuring communication regarding the products and services purchased or to be purchased by stakeholders.

Customizing and offering products and services based on preferences, usage habits, and needs.

Offering product/service proposals (for use in marketing activities).

Modelling, reporting, scoring, and executing human values policies.

Ensuring the legal and commercial security of individuals in relationships with our affiliates.

Determining and implementing commercial and business strategies.

Existing or new product studies of our Affiliates and identifying potential customers, etc.

within the scope of personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK (Personal Data Protection Law) in relation to tourism, marketing, promotion and advertising activities and due to legal obligations.

2. General Principles

Our affiliates act within the framework of the following principles in all processes related to personal data including but not limited to obtaining, processing, storing, protecting, deleting, destroying, and anonymizing of personal data:

Compliance with the law and principles of honesty,

Accuracy and being up-to-date when necessary,

Processing for specific, explicit and legitimate purposes,

Being relevant, limited and proportionate to the purpose of processing,

Preservation for the period prescribed in the relevant legislation or as long as necessary for the purpose of processing, and deletion, destruction, or anonymization of personal data at the end of this period, taking into account the requests of the data subject or periodic deletion periods,

Responding to requests regarding the rights of data subjects defined in Article 11 of the Law as soon as possible,

Taking all necessary technical and administrative measures specified in the Law, Liberty Hotels Group Personal Data Retention and Destruction Policy, and all other relevant legislation in all processes related to the storage, deletion, destruction, or anonymization of personal data,

Recording all processes related to the deletion, destruction or anonymization of the personal data specified in this document and storing them for at least 3 years, except for other legal obligations.

3. Transfer of Personal Data

Personal data may be transferred to business partners, suppliers, shareholders, affiliated group companies, legally authorized public institutions, state security units and private individuals within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law on Protection of Personal Data (KVKK) for the purposes of conducting necessary activities by the business units to make stakeholders benefit from the products and services offered by our affiliates, ensuring the provision of products and services, establishing communication regarding the products and services purchased or to be purchased, customizing and offering products and services based on preferences, usage habits and needs (for use in marketing activities), ensuring the legal and commercial security of individuals in relationships with our affiliates, and determining and implementing the commercial and business strategies of the affiliates.

3.1. Personal Data of Guests

3.1.1. Guest Data Associated with Individuals

Personal data such as name, surname, identification or passport number, age, gender, date of birth (identity),

Personal data facilitating communication such as address, telephone number, email address (communication),

Personal data delivered to ensure payment for the service offered such as the first 6 and last 4 digits of bank credit cards or the number of bank cards, cardholder name, surname, expiration date (payment),

Information and documents containing personal data related to travel products (flight, accommodation, transfer, health tourism, etc.) obtained due to the service provided (service components),

Personal data such as IP address, which allows personalization (location),

Personal data enabling the customization of the provided service according to the guest's preferences and expectations (soft pillow, jasmine scent, large bathrobe, etc.) (habits),

Statistical data that does not directly establish a relationship with the individual; anonymous information obtained from solution partners providing digital marketing services for the determination of guest profiles and learning their preferences and for improving the services offered according to this profile, and guest data that can be anonymized by the Affiliates.

3.1.2. Sources of Guest Personal Data

Our affiliates obtain guest data directly from the relevant individual or their representative, tour operators, agents, websites, call centres, mobile phone applications, social media accounts, and from business and solution partners who are third parties, as well as from sources openly disclosed by the relevant individual.

Personal data transferred to the Affiliates for the purpose of benefiting from accommodation services, which are not directly obtained from the relevant individual by our Affiliates, is considered to be in accordance with the will of the relevant individual and legal. In case of any doubt in this regard, Affiliates take necessary measures and precautions without delay. If necessary, they immediately delete, destroy or anonymize the personal data according to the principles specified in this Liberty Hotels Group Personal Data Retention and Destruction Policy.

3.1.3. Reasons for Obtaining, Processing and Transferring Guest Data

Our affiliates obtain, process and transfer guest data within the framework of the General Principles specified in Article 2 of this document, only for the legitimate purposes indicated in Articles 5, 6, 8, and 9 of the law. In cases where explicit consent of the data subject is not present, our affiliates may obtain, process or transfer personal data stated in Articles 5 and 6 of the law, in case of one or more of the following conditions, to the extent and for the duration required by this condition:

When explicitly provided for in the laws,

When it is necessary for the protection of the life or physical integrity of the data subject or another person, who is unable to express consent due to physical impossibility or whose consent is not legally valid,

When personal data processing is necessary for the establishment or performance of a contract to which the data subject is a party with the Affiliates, provided that it is directly related,

When it is necessary for the Affiliates, as the data controller, to fulfil its legal obligations,

When the personal data has been made public by the data subjects themselves,

When data processing is necessary for the establishment, exercise, or protection of a right,

When data processing is necessary for the legitimate interests of the Affiliates, as data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Our affiliates obtain, process or transfer personal data for the following purposes, provided that they do not contradict the general principles and based on the legal justifications mentioned above, including but not limited to:

To conduct necessary activities by the business units to make guests benefit from the products and services offered by our Affiliates.

To customize and offer products and services provided by our Affiliates based on guests' preferences, usage habits and needs.

To improve the quality of services provided by our Affiliates and develop the quality policy.

To inform guests and potential guests about, and let them benefit from, the general and specific campaigns, promotions, discounts and similar advantages offered by our Affiliates.

To provide the information and services requested by visitors who log in with their usernames and passwords to the platforms provided by our Affiliates, along with the personal data, preferences, transactions, and browsing times obtained from these platforms.

To communicate with guests about any notifications related to loyalty cards issued and/or to be issued by our affiliates and their related organizations, as well as notifications related to website memberships of our Affiliates and their related organizations (renewal, expiration, etc.) and to inform about any changes, innovations or similar matters in personal data policies and membership conditions about new services and products.

To ensure the legal and commercial security of our Affiliates and the individuals in relationships with our Affiliates (administrative operations related to communication conducted by Affiliates, ensuring the physical security and control of Affiliate venues, evaluation processes for partners/guests/suppliers (authorized or employees), legal compliance processes, financial affairs, etc.).

To provide information about the information, events and services requested by related people from our Affiliates.

To determine and implement the commercial and business strategies of our Affiliates.

To ensure the implementation of Human Values policies by our Affiliates and, if expressly stated in the legislation or if required, to fulfil a legal obligation determined by the legislation.

Obtaining informed consent from guests for the direct and indirect personal data obtained is essential. However, our Affiliates may process personal data without explicit consent limited to the matters specified in Article 5, paragraph 2 of the law, among guests or prospective guests. If this necessity ceases to exist and there is no consent from the guest or prospective guest, the data is immediately deleted, destroyed or anonymized.

Even if the guest's explicit consent is obtained within the framework of the principles stated above, our Affiliates do not process personal data for purposes other than the services provided and legitimate purposes, and they do not use the acquired data for services that violate laws and principles of honesty.

3.1.4. Transfer of Guest Personal Data

Our affiliates may share the data they have obtained to fulfil their purposes and perform their obligations under the contracts concluded, based on the legal justifications specified in this document, with business partners, solution partners, accommodation and transfer service providers, and other third parties.

Affiliates may transfer personal data domestically and internationally within the framework of the principles determined by the board for the purpose of fulfilling the service provided for the reasons listed in Article 8 of the law. Transfer of personal data outside the reasons specified in Article 8/2 of the law is subject to the consent of the data subject.

When our affiliates share data with individuals and organizations to which they transfer data, they adhere to the Law, relevant legislation, and board decisions and take necessary technical and administrative measures.

Our affiliates may transfer personal data to the following individuals and institutions and for delivery of the services:

To suppliers and subcontractors from whom Affiliates procure necessary services to provide accommodation services to their guests and to carry out their commercial activities.

To relevant airline companies if the guest wishes to benefit from air transportation and accommodation services as a package.

To suppliers and carriers providing private transfer services by road from the airport to the hotel where the guest will stay or from the hotel where the guest has stayed to the airport, if the guest requests such transfer services.

To solution partners to ensure the conduct of commercial activities for the accommodation services provided by our Affiliates.

To public institutions and organizations for the purpose of fulfilling legal obligations.

To third parties or public institutions and organizations for the elimination of threats to individuals' lives, bodily integrity, and safety, elimination or prevention of illegal acts in cases of fraud, intellectual property rights infringements and violations of data policy.

To lawyers, legal advisors and audit firms to protect legitimate interests, the rights and interests of our Affiliates against requests both made by them or to be conveyed to them.

3.2. Personal Data Regarding Employees and Job Applicants

Our affiliates may process the personal data of their employees for the purpose of performing the established employment contract, fulfilling mutual obligations, and fulfilling the legal obligations incumbent upon the employer, subject to obtaining explicit consent as limited to these purposes. In this case, our Affiliates adhere to the General Principles specified in Article 2 of this document, inform their employees, and ensure the security of their personal data.

Our Affiliates may process the personal data contained in the resumes and relevant documents submitted by job applicants during the application process and until the applications are finalized, subject to obtaining explicit consent. In the event of an unsuccessful application, upon the expiration of the determined retention period, all personal data is completely deleted, destroyed or anonymized. In the event of partial or complete success of the application, the retention and processing of the obtained personal data depend on the conditions of the new legal relationship to be established.

3.3. Sensitive Personal Data

The sensitive personal data listed in Article 6 of the Law includes individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal record, and data related to security measures, biometric and genetic data.

Our Affiliates take additional measures regarding the processing, transfer, deletion, destruction or anonymization of sensitive personal data as specified in this text. Transactions to be carried out due to legal obligations or reasons foreseen in the laws are reserved.

Our Affiliates act in accordance with the data processing conditions set forth in Article 6 of the Law in the processing of sensitive personal data. In addition to the procedures and principles specified in this text for the processing of sensitive personal data, it is also necessary to take sufficient measures determined in the relevant legislation.

Our Affiliates may process the health-related personal data of employees and guests, subject to taking the necessary measures prescribed by the relevant legislation, processing in accordance with general principles, and being subject to confidentiality obligations, provided that one of the following conditions exists:

Explicit consent of the data subject,

Protection of public health,

Preventive medicine,

Provision of medical diagnosis, treatment and care services,

Planning and management of health services and their financing,

Management of Human Values processes for employees.

In cases where explicit consent of the data subject is not available:

Sensitive personal data other than health and sexual life may be processed only in cases foreseen in the laws,

Personal data related to health and sexual life may be processed only by individuals or authorized institutions and organizations subject to confidentiality obligations, for the purpose of protecting public health, preventive medicine, providing medical diagnosis, treatment and care services, and planning and managing health services and their financing.

4. Method of Personal Data Collection and Legal Basis

Personal data is obtained by our Affiliates in any form, whether oral, written, or electronic, with the aim of being able to provide the products and services offered in line with the purposes mentioned above within the specified legal framework, and to fulfil their contractual and legal obligations accurately and completely. Personal data collected for this legal reason can be processed and transferred for the purposes specified in the first article of this text within the scope of the personal data processing conditions and purposes stated in Articles 5 and 6 of the Personal Data Protection Law (KVKK).

5. Increasing Awareness Regarding the Protection and Processing of Personal Data, Audit

Our Affiliates ensure the organization of necessary trainings for business units to increase awareness about preventing the unlawful processing of personal data, unauthorized access to data, and ensuring data preservation.

Our Affiliates establish necessary systems to raise awareness among existing employees and new recruits about the protection of personal data and collaborate with consultants when needed. Accordingly, our Affiliates evaluate participation in relevant training sessions, seminars, and informative sessions, and organize new trainings in parallel with the updating of relevant legislation.

6. Conditions for Processing Personal Data

Except for the explicit consent of the data subject, the basis for personal data processing activities can be any one of the conditions listed below, and multiple conditions can also serve as the basis for the same personal data processing activity. If the processed data are sensitive personal data, the conditions within the Sensitive Personal Data will be applied.

6.1. Existence of Explicit Consent of the Data Subject

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must relate to a specific subject, be informed, and be given freely.

6.2. Explicit Provision in the Law

If the personal data of the data subject is explicitly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, then it can be said that this data processing condition exists.

6.3. Inability to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

If it is necessary to process the personal data of the data subject in order to protect their own or another person's life or physical integrity, and the data subject is unable to express their consent due to physical impossibility or their consent cannot be considered valid, then the personal data of the data subject may be processed.

6.4. Direct Relatedness to the Establishment or Performance of a Contract

If the processing of personal data is necessary in direct relation to establishment or performance of a contract to which the data subject is a party, then this condition may be deemed to have been fulfilled.

6.5. Fulfilment of Company's Legal Obligations

If it is necessary to process the personal data of the data subject for the fulfilment of our company's legal obligations, then the personal data of the data subject may be processed.

6.6. Public Disclosure of Personal Data by the Data Subject

If the data subject has made their personal data public, then the relevant personal data may be processed solely for the purpose of public disclosure.

6.7. Necessity of Data Processing for Establishing or Protecting a Right

If it is necessary to process the personal data of the data subject for establishing, exercising or protecting a right, then the personal data of the data subject may be processed.

6.8. Necessity of Data Processing for the Legitimate Interests of Our Company

If it is necessary to process the personal data of the data subject for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject, then the personal data of the data subject may be processed.

7. Rights of the Data Subjects

According to Article 11 of the KVKK, Data Subjects have the rights to:

Learn whether their personal data is being processed or not,

Request information if their personal data has been processed,

Learn the purpose of processing personal data and whether they are being used in accordance with that purpose,

Know the third parties to whom personal data are transferred domestically or abroad,

Request correction of their personal data if they are incomplete or incorrect, and to request notification of the correction made to third parties to whom the personal data have been transferred in this context,

Request the deletion of their personal data if the reasons requiring their processing have been eliminated, despite being processed in accordance with the KVKK and relevant laws, and to request notification of the deletion made to third parties to whom the personal data have been transferred in this context,

Object to the occurrence of a result against them through the analysis of processed data exclusively by automated systems,

Request compensation for damages in case of suffering damages due to the unlawful processing of personal data.

The data subject must submit their request to exercise the rights specified above under Article 13, paragraph 1 of the KVKK "in writing" to our Affiliates through the methods listed below or through other methods determined by the Personal Data Protection Board. In this context, the channels and procedures through which written applications are submitted to our Affiliates under Article 11 of the KVKK are explained below. For the exercise of the rights mentioned above, the request, which includes identifying information and explanations regarding the rights requested to be exercised as specified in Article 11 of the KVKK, can be sent to our email addresses "kvkk@libertyhotels.com, kvkk@libertyhospitality.com, kvkk@sundiabyliberty.com, kvkk@sundiahotels.com" by filling out the Application Form and sending a signed copy of the form with identification documents, can be delivered personally to the addresses of Liberty Hospitality Group hotels, can be sent through a notary, by registered mail with return receipt requested or other methods specified in the KVKK.

7.1. Responding to Requests by Our Affiliates

Our affiliates take necessary administrative and technical measures to handle the requests made by the data subjects in accordance with the Law and secondary legislation.

If the data subject submits their request regarding the rights listed in section 7 ("Rights of the Data Subject") to our Affiliates in accordance with the procedure, our Affiliates will promptly and within a maximum period of 30 (thirty) days from the receipt of the request, conclude the relevant request free of charge, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

8. Personal Data Record Mediums

Our Affiliates store the personal data mentioned above in the following record mediums:

Electronic Mediums and Physical Mediums

9. Deletion, Destruction, and Anonymization of Personal Data

In the event that the purposes and legal grounds for processing the personal data obtained in accordance with the principles and procedures specified in this document and the Law cease, our Affiliates delete, destroy or anonymize personal data obtained, in accordance with the Law, relevant legislation, decisions of the Board, and guidelines, either ex officio or upon the proper application of the relevant individual during periodical destruction periods.

The processes of deletion, destruction or anonymization are documented, and records of these processes are kept by our Affiliates as the data controller for a minimum period of 3 years, subject to other obligations.

During the process of deletion, destruction or anonymization of personal data, our Affiliates take all necessary technical and administrative measures.

The process of rendering personal data inaccessible and unusable for relevant users is carried out.

Entities processing data on behalf of our Affiliates verify that there is no access to the data and document this situation.

9.1. Techniques for Deletion of Personal Data

Personal Data in Paper Format: Deleted using the method of blackening.

Office Files Located on Central Servers: Deleted using the delete command in the operating system.

Personal Data on Portable Media: Deleted using appropriate software.

Databases: Relevant rows containing personal data are rendered unreadable using database commands.

9.2. Destruction of Personal Data

The process of making personal data inaccessible to any individual, ensuring that the data cannot be retrieved under any circumstances and rendering it unusable again.

Personal Data on Local Systems: Destroyed using appropriate methods such as demagnetization, physical destruction or overwriting.

Personal Data on Environmental Systems:

Network Devices (switches, routers, etc.): Ensuring data becomes inaccessible through physical destruction methods like burning or breaking into small pieces.

SIM cards and memory cards: Making data inaccessible by processes such as melting or burning optical or magnetic media.

Optical Discs: Ensuring data becomes inaccessible through physical destruction methods like overwriting, burning, breaking into small pieces or melting.

Fixed Peripheral Devices with Data Recording Media: Ensuring data becomes inaccessible through physical destruction methods like overwriting, burning, breaking into small pieces or melting.

Personal Data on Paper and Microfilm Formats: Destroyed using paper shredders.

Personal data transferred to electronic environments through scanning from the original paper format is deleted using appropriate software depending on the environment they are in.

Cloud Environment: Personal data stored and used in these systems are accessed with passwords. Access by external personnel coming for purposes such as maintenance or repair is conducted under the supervision of authorized personnel. Disks of expired servers are destroyed by being broken into small pieces.

9.3. Anonymization of Personal Data

Anonymization of personal data involves removing or altering all direct and/or indirect identifiers in a dataset to prevent the identification of individuals or to lose the distinguishable characteristic within a group that cannot be associated with a real person.

Techniques for Anonymizing Personal Data: During the anonymization process of personal data, one of the methods shown in the relevant legislation provisions or in the text is used.

9.4. Periods for Deletion, Destruction and Anonymization of Personal Data

Subject to the absence of any legal obligation to retain the personal data of the data subject for the period prescribed by law, the data processed with the consent of the data subject is deleted, destroyed or anonymized, upon the request of the relevant person, within a maximum period of 30 days from the submission of the request to our Affiliates.

In cases where personal data are processed for reasons listed in Article 5 of the Law that do not require explicit consent, the data is deleted, destroyed or anonymized at the end of the first periodic deletion, destruction or anonymization period following the cessation of the reason and legal grounds.

In cases where personal data are processed for reasons listed in Article 5 of the Law without requiring explicit consent, but the data subject requests deletion, the personal data are separated from the data processed with consent, preserved in a manner accessible only by units related to legal obligations, with authorization and control matrices limited, and are immediately destroyed or anonymized upon cessation of the legal grounds specified in Article 5 of the Law.

10. Technical and Administrative Measures

10.1. Administrative Measures

Our Affiliates, within the scope of administrative measures:

Consider job descriptions in company-wide access to processed and stored personal data and limit authorization and control matrices.

In the event of unauthorized access to processed personal data by others, they promptly notify the relevant individual.

Employ knowledgeable and experienced personnel regarding the processing of personal data and provide necessary training and warnings.

Conduct or commission necessary audits on data security within its legal entity and all group companies and take necessary measures regarding the findings of the audits.

10.2. Technical Measures

They conduct necessary internal controls within the established systems.

They oversee the processes of information technology risk assessment and business impact analysis within the established systems.

They ensure the provision of technical infrastructure to prevent personal data from leaving the institution and establish authorization and control matrices.

They ensure control of system vulnerabilities by obtaining penetration testing services periodically and when needed.

They ensure control over access permissions of personnel in the information technology departments to personal data.

The environments where personal data is stored are protected with high-security encryption technology or cryptographic methods, and measures such as firewalls and SSL Protocol (Secure Socket Layer) are implemented to prevent misuse. Physically held data is stored only in archives with access granted to authorized personnel from Affiliates.

They take necessary measures to ensure cybersecurity in environments where personal data is stored. In this context, they obtain DDoS services from internet service providers to defend against cyberattacks.

They also use security software to ensure the security of virtual servers.

All operations and activities occurring in the record mediums where personal data is located are monitored, and vulnerabilities are immediately addressed by conducting risk analysis in case of security breaches.

The physical safeguarding of record mediums containing personal data, cyber systems and servers is ensured through special security devices and authorization controls.

Personal data backup disks and servers are protected against external risks such as fire and flood in locked vaults.

Data stored in the ISP server room is backed up daily via point-to-point lines.

Authorization controls are implemented for entries into record mediums.

A Data Loss Prevention (DLP) solution is utilized to prevent the risk of data loss.

External media ports are kept closed to mitigate the risk of loss by authorized personnel.