APG INVESTMENT DANIŞMANLIK ANONİM ŞİRKETİ 

(GLOKEY)

PERSONAL DATA PROTECTION, PROCESSING, STORAGE, AND DELETION POLICY

I. INTRODUCTION

1.1. Purpose of the Policy

In accordance with Article 20 of the Constitution titled “Privacy of Private Life”, Law No. 6698 on the Protection of Personal Data (“Law”), the General Data Protection Regulation (“GDPR”) 2016/679 published in the Official Journal of the European Union on May 4, 2016, and implemented on May 25, 2018, as well as the applicable regulations and communiqués, personal data is obtained by APG Investment Danışmanlık Anonim Şirketi (“Şirket”). The purpose of this Policy is to ensure the processing of the obtained personal data in a manner that protects the fundamental rights and freedoms of data subjects (such as clients, potential clients, visitors, employees, job applicants, former employees, business partners, third-party company employees, etc.), primarily the privacy of their personal lives. It also aims to ensure that the data controller processes personal data in compliance with the law and establishes the principles for the protection, processing, storage, and, if necessary, deletion of the obtained personal data.

1.2. Scope of The Policy 

Any information related to an identified or identifiable natural person is considered personal data. The scope of this policy includes all activities related to the processing of personal data by the Company, whether carried out automatically or non-automatically as part of a data recording system. These activities include obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making accessible, classifying, or preventing the use of personal data. This policy establishes the principles and procedures for the data processing activities carried out by the Company, in accordance with the laws governing the protection of personal data.

1.3. Application of the Policy and Relevant Legislation

This Policy has been prepared in accordance with the applicable laws and regulations, including but not limited to, the Turkish Civil Code No. 6098, the Turkish Commercial Code No. 6102, the Law on the Protection of Personal Data No. 6698, the EU General Data Protection Regulation (GDPR) 2016/679, the Law on Foreigners and International Protection No. 6458, the Regulation on the Data Controllers’ Registry No. 30286, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data No. 30224, the Regulation on the Processing of Personal Health Data and Protection of Privacy, as well as the rules set out in the regulations, communiqués, decisions, and guidelines published by the Board.

In the event of amendments to the Law, GDPR, or any other relevant legislation after the publication of this Policy, and if these changes cause the Policy to become inconsistent with the new provisions, the amended provisions and rules will apply. All communiqués, decisions, and guidelines published by the Board are followed by the Company, ensuring that the rules specified in the Policy are kept up to date.

1.4. Effective Date of the Policy

The Policy has been published on the Company’s website at www.glokey.com.tr and came into effect on the date of its publication.

II. MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

According to Article 12 of Law No. 6698, the data controller is obligated to;

• Prevent the unlawful processing of personal data,
• Prevent unlawful access to personal data,
• Ensure the proper storage of personal data.

On the other hand the data controller must take all necessary administrative and technical measures to ensure an appropriate level of security to achieve these goals.

For the reasons outlined above, the Company implements security measures to prevent the unlawful processing, transfer, and disclosure of personal data to third parties, unauthorized access, and other security vulnerabilities. Explanations regarding the administrative and technical measures taken are provided in Section VI, “ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA”.

2.2. Protection of Special Categories of Personal Data

Personal data that is sensitive by nature and could lead to harm or discrimination of the data subject if it falls into the hands of third parties is considered special categories of personal data under the Law. Special categories of personal data include information regarding an individual’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. The processing of special categories of personal data is generally prohibited, but may be processed in limited circumstances as specified by law.

The Company takes all necessary measures to protect special categories of personal data, and it is fundamental to avoid collecting and processing such data whenever possible.

III. MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing Personal Data in Compliance with Legal Principles

In accordance with Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:

• Compliance with the law and the principle of honesty,
• Being accurate and, when necessary, up to date,
• Processing for specific, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purpose for which they are processed,
• Retaining personal data for no longer than the duration necessary for the purposes for which they were processed or as stipulated by the relevant legislation.

 

3.2. Conditions for the Processing of Personal Data

Personal data obtained by the Company cannot be processed without the explicit consent of the relevant person, except for the exceptions specified in the Law. Subject to the relevant provisions of the GDPR, your personal data may be processed without explicit consent in the following cases:

• If explicitly foreseen in the laws,
• If it is necessary for the protection of the life or physical integrity of the person who cannot give consent due to physical impossibility or whose consent is not legally recognized,
• If it is necessary to process the personal data of the parties to a contract directly related to the establishment or performance of the contract,
• If it is necessary for the data controller to fulfill its legal obligations,
• If the personal data has been made public by the relevant person,
• If processing is necessary for the establishment, exercise, or protection of a right,
• If it is necessary to process personal data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

 

3.3. Exceptions to the Obligation to Obtain Explicit Consent

a) Explicitly Provided for by Laws

One of the conditions for data processing is that it is explicitly provided for by laws. Provisions in laws allowing the processing of personal data constitute a data processing condition. In such cases, obtaining the explicit consent of the data subject is not required.

b) Physical Impossibility

In cases where the data subject is unable to express consent due to physical impossibility or where legal validity is not granted to their consent, personal data may be processed without explicit consent if it is necessary to protect the life or physical integrity of the data subject or another person.

c) Direct Relevance to the Establishment or Performance of a Contract

If data processing is necessary for the establishment or performance of a contract to which the data subject is a party, personal data may be processed without explicit consent.

d) Compliance with the Company’s Legal Obligations

Personal data may be processed without explicit consent for the fulfillment of legal obligations that the Company, as a data controller, is required to comply with.

e) Publicly Disclosed by the Data Subject

Personal data that has been publicly disclosed by the data subject—meaning any personal data that has been made publicly available in any way—can be processed without explicit consent. However, even in such cases, publicly disclosed personal data cannot be used for purposes beyond its intended scope.

f) Necessity for the Establishment, Exercise, or Protection of a Right

Personal data may be processed without explicit consent if it is necessary for the establishment, exercise, or protection of a legal right.

g) Necessity for the Legitimate Interests of the Data Controller Without Harming the Fundamental Rights and Freedoms of the Data Subject

If the processing of personal data is necessary for the legitimate interests of the data controller and does not harm the fundamental rights and freedoms of the data subject, personal data may be processed without explicit consent.

The legitimate interest of the data controller refers to the benefit or advantage obtained through the processing activity. The benefit gained must be lawful, sufficiently effective, specific, and currently existing, and it must be capable of competing with the fundamental rights and freedoms of the data subject. Additionally, the processing must be related to the data controller’s ongoing activities and provide them with a foreseeable advantage in the near future.

3.4. Processing of Special Categories of Personal Data

Without prejudice to the relevant provisions of the GDPR, the processing of special categories of personal data is subject to Article 6 of the Law.

Special categories of personal data include information regarding an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, association, foundation, or union membership, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data. The data covered under this scope is limited in number and cannot be expanded through interpretation. Due to their nature, special categories of personal data are those that, if disclosed, could result in discrimination or victimization of the data subject. Therefore, they must be protected with stricter safeguards compared to other types of personal data.

Special categories of personal data may be processed under the following conditions:

• The explicit consent of the data subject is obtained.
• It is explicitly provided for by laws.
• It is necessary to protect the life or physical integrity of a person who is unable to express their consent due to physical impossibility or whose consent is legally invalid.
• The personal data has been made public by the data subject, and processing is in line with the intention of making it public.
• It is necessary for the establishment, exercise, or protection of a legal right.
• It is necessary for public health protection, preventive medicine, medical diagnosis, treatment and care services, as well as the planning, management, and financing of healthcare services, provided that processing is conducted by persons or authorized institutions and organizations bound by a confidentiality obligation.
• It is necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
• It is carried out by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, in compliance with their respective regulations and purposes, limited to their fields of activity, and without disclosing data to third parties, for the benefit of their current or former members or individuals regularly in contact with these organizations.

Additionally, the processing of special categories of personal data is subject to the implementation of adequate measures determined by the Personal Data Protection Authority (KVKK). The relevant provisions of the GDPR remain applicable.

3.5. Informing and Notifying the Data Subject

At the time of obtaining personal data, the Company, in its capacity as a data controller or through authorized personnel, provides information to data subjects. The procedures and principles regarding this notification are outlined in the Company’s privacy notices related to the processing of personal data. The notification includes, but is not limited to, the following key elements:

• The identity of the data controller and, if applicable, its representative,
• The purposes for which personal data will be processed,
• The recipients to whom personal data may be transferred and the purposes of such transfers,
• The method and legal basis for collecting personal data,
• The rights of the data subject as specified in Article 11 of the Law.

 

a) Identity of the data controller and its representative

Pursuant to Article 10 of the Law, personal data obtained from data subjects (such as clients, potential clients, visitors, employees, job applicants, former employees, business partners, employees of third-party companies, etc.) is processed by the Company in its capacity as the data controller. The Company can be contacted through the communication channels available at www.glokey.com.tr.

b) Purposes of personal data processing

The processing of personal data is carried out for specific, explicit, and legitimate purposes, based on the principle of informing data subjects. The purposes for which the collected data is processed are outlined in Section V: Categorization of Personal Data Processed by the Company and Processing Purposes of the Policy.

c) Recipients of personal data and purposes of transfer

As part of the data controller’s obligation to inform the data subject, the recipients of personal data and the purposes of the transfer must be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The groups of recipients and the purposes of data transfer by the Company are detailed in Section IV: Transfer of Personal Data of the Policy. The relevant provisions of the GDPR remain applicable.

d) Method of collecting personal data and legal basis

In accordance with Articles 5 and 6 of the Law, the data controller must explicitly state the legal basis on which personal data processing is conducted. The method and means of data collection are determined by the data controller. The conditions for lawful processing of personal data are limited and exhaustively listed in the Law (Articles 5-6), meaning they cannot be expanded through interpretation. The relevant provisions of the GDPR remain applicable.

Before processing personal data, the data controller assesses whether the processing activity falls under any of the legal bases other than explicit consent. If the intended processing does not meet any of the legally defined conditions for processing without consent, explicit consent from the data subject is obtained before proceeding.

IV. TRANSFER OF PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the data subject. However, if one of the conditions specified in Article 5(2) or, provided that adequate measures are taken, Article 6(3) of the Law is met, personal data may be transferred without the explicit consent of the data subject.

Information on the recipient groups to whom the Company transfers personal data is detailed in Annex 4 – Third Parties to Whom Personal Data is Transferred and Purposes of Transfer of this Policy. The relevant provisions of the GDPR remain applicable.

4.2. International Transfer

Personal data may be transferred abroad if at least one of the conditions specified in Articles 5 and 6 of the Law is met and if an adequacy decision exists for the country of transfer, specific sectors within that country, or the international organizations involved. The relevant provisions of the GDPR remain applicable.

V.CATEGORIZATION AND PURPOSES OF PROCESSING PERSONAL DATA BY THE COMPANY

The categorization of data obtained by the Company from data subjects and the purposes of processing personal data for each category of data subjects are detailed in the relevant sections of the privacy notices available on our website.

VI. SECURE STORAGE AND PROTECTION OF PERSONAL DATA

The Company implements administrative and technical measures to ensure the secure storage of personal data, prevent unlawful processing, and restrict unauthorized access.

In accordance with Article 4(2)(b) and (d) of the Law, personal data must be accurate and up to date when necessary and must be retained for the duration specified in the relevant legislation or as long as required for the purpose of processing. In this regard, processed data is handled in compliance with the fundamental principles and rules applicable to data processing activities and is retained only for the necessary period. The relevant provisions of the GDPR remain applicable.

Information regarding the Company’s data retention and disposal procedures and retention periods is provided in Section VIII: Storage and Disposal of Personal Data and Annex 4: Personal Data Retention Periods of this Policy.

To ensure personal data security, the Company identifies all categories of personal data it processes and assesses the likelihood of risks associated with data protection. The following factors are considered when identifying and evaluating these risks:

• Whether the data qualifies as special category personal data,
• The level of confidentiality required based on the nature of the data,
• The type and extent of potential harm to the data subject in the event of a security breach.

After identifying and prioritizing these risks, control and mitigation strategies are developed. The proposed solutions are evaluated based on cost, feasibility, and effectiveness principles. The necessary technical and administrative measures are then planned and implemented in compliance with the Law and GDPR.

VII. PERSONAL DATA PROCESSING ACTIVITIES AT BUILDING ENTRANCES AND WITHIN THE PREMISES

Camera Surveillance at Building Entrances and Within the Premises

To ensure security at the Company entrance, workspaces, common areas, and surrounding premises, surveillance activities are conducted through security cameras. This monitoring is carried out to protect the safety of the Company, its employees, and other individuals, as well as to safeguard the Company’s legitimate interests.

The camera surveillance activity is conducted in compliance with the GDPR and the Law, adhering to the data processing conditions specified in the Law and this Policy.

VIII. STORAGE AND DISPOSAL OF PERSONAL DATA

8.1. Retention and Disposal of Personal Data

Personal data retained by the Company is stored for the duration necessary for the data processing activity. If an obligation arises to delete, destroy, or anonymize personal data, the relevant data is processed accordingly within the first scheduled periodic disposal cycle following the emergence of this obligation.

The deletion, destruction, or anonymization of personal data is carried out in compliance with the general principles set forth in Article 4 of the Law, the technical and administrative measures specified in Article 12, and the relevant provisions of the GDPR.

The maximum period for periodic disposal has been limited to one year. All actions related to the deletion, destruction, or anonymization of personal data are documented and retained for at least three years as required by legal obligations.

The retention periods for personal data processed by the Company are detailed in Annex 4.

A designated personal data specialist is responsible for overseeing and ensuring compliance with the Company’s personal data retention and disposal policy.

8.2. Obligation to Delete, Destroy, or Anonymize Personal Data

Personal data processed by the Company is deleted, destroyed, or anonymized either ex officio or upon the request of the data subject, if the reasons requiring its processing no longer exist. This is carried out in accordance with Article 7 of the Law, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette No. 30224 on October 28, 2017, and the relevant provisions of the GDPR.

a) Deletion of Personal Data

The deletion of personal data refers to making the data completely inaccessible and unusable for relevant employees or any authorized personnel.

All necessary technical and administrative measures are taken to ensure that deleted personal data cannot be accessed or reused in any way. 

b) Destruction of Personal Data

The destruction of personal data refers to permanently eliminating the data so that it cannot be accessed, retrieved, or reused by anyone.

To ensure that destroyed personal data cannot be accessed, recovered, or reused by any means, all technical and administrative measures are strictly implemented. 

c) Anonymization of Personal Data

Anonymization of personal data refers to rendering the data unidentifiable, even when combined with other datasets, ensuring that it can no longer be associated with an identified or identifiable individual.

To achieve anonymization, all necessary technical and administrative measures are implemented, and appropriate anonymization techniques are applied in accordance with the Company’s Data Retention and Disposal Policy.

7.3. Personal Data Recording Environments

A personal data recording environment refers to any medium in which personal data is processed, either wholly or partially by automated means or through non-automated means as part of a data recording system.

Personal data of data subjects is securely stored by the Company in compliance with the Law, GDPR, and other applicable regulations, as well as international data security principles, in the following data recording environments: 

a) Technical Recording Environments: Computer systems, Central servers, Removable storage devices (USB drives, memory cards, etc.), Information security devices and software.

b) Non-Technical Recording Environments: Physical paper documents, Manual data recording systems, Written, printed, and visual media.

7.4. Reasons Requiring the Disposal of Personal Data

Personal data of data subjects is disposed of by the Company for the following reasons, including but not limited to; 

• Compliance with the general principles stated in Article 4 of the Law
• Amendments to the relevant legal provisions that served as the basis for processing
• Withdrawal of explicit consent by the data subject, in cases where data processing was based solely on explicit consent
• A request by the data subject for data deletion or destruction
• Expiry of the legal retention obligations related to the personal data
• Elimination of the purpose that required the processing or retention of personal data
• Expiry of the maximum retention period for personal data, with no legitimate reason to continue storage

 

7.5. Techniques for Deletion, Destruction, and Anonymization of Personal Data

The Company applies the following deletion, destruction, and anonymization techniques to personal data, depending on the nature of the data being processed.

During these processes, the Company takes all necessary administrative and technical measures, including:

• Informing employees about data security and disposal procedures
• Selecting the most appropriate deletion, destruction, or anonymization method based on the nature of the data storage environment
• Performing regular and periodic maintenance and monitoring of data security

• Utilizing the latest technological and technical disposal systems

• Implementing automated deletion commands
• Revoking access, retrieval, and re-use permissions for deleted data.

 

To ensure secure deletion, destruction, or anonymization, the following steps are taken:

1. Identification of the personal data to be deleted, destroyed, or anonymized
2. Determination of the relevant employees with access to such data using an access control matrix or similar system
3. Analysis of the employees’ authorization for access, retrieval, and reuse of the relevant data
4. Revocation of employees’ access, retrieval, and reuse authorizations for the relevant data

IX. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF RIGHTS

9.1. Rights of the Data Subject

Pursuant to Law No. 6698, as a data subject, you have the following rights:

• To learn whether personal data is processed or not,
• If personal data has been processed, to request information about it,
• To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
• To know the third parties to whom personal data has been transferred, whether within the country or abroad,
• To request the correction of personal data if it is inaccurate or incomplete, and to request that the correction be communicated to third parties to whom the personal data has been transferred,
• To request the deletion or destruction of personal data if the reasons for processing no longer exist, and to request that the process be communicated to third parties to whom the personal data has been transferred,
• To object to a result arising from the exclusively automated processing of personal data, which leads to negative consequences for the person,
• To request the compensation of damages in case of damage caused by the unlawful processing of personal data.

 

9.2. Exercising the Rights of the Data Subject

As personal data owners, you may submit your requests regarding your rights by filling out the Data Subject Application Form published on the website www.glokey.com.tr or by submitting it in writing with another document that includes the mandatory information as specified in the application form. Alternatively, you may also send it by using registered electronic mail (KEP), secure electronic signature, mobile signature, or the electronic mail address that the relevant person has previously provided to the Company and is recorded in the Company’s system, in a way that allows your identity to be verified. The Company will respond to your request as soon as possible and no later than thirty days, free of charge, based on the nature of the request. If processing your request incurs an additional cost, the Company may charge a fee in accordance with the tariff determined by the Personal Data Protection Board.

9.3. Company’s Response to Applications

The Company will evaluate and respond to your request within 30 days at the latest from the date of receipt.

If your request contains missing information or unclear statements, the Company may ask for additional details. In such cases, the response period will be paused until the required additional information is received.

If the request involves an additional cost, the Company may charge a fee in accordance with the tariff set by the Personal Data Protection Board.

ANNEX – 1: Definitions

Explicit Consent: Consent given regarding a specific subject, based on information and expressed freely.

Anonymization: The process of rendering personal data impossible to associate with an identified or identifiable individual, even when combined with other data.

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

General Data Protection Regulation (GDPR): The EU Regulation 2016/679, published in the Official Journal of the European Union on May 4, 2016, and effective as of May 25, 2018.

Data Subject: The natural person whose personal data is processed.

Destruction: The deletion, destruction, or anonymization of personal data.

Law: The Personal Data Protection Law No. 6698, dated March 24, 2016.

Redaction: The blurring, crossing out, or blacking out of personal data to ensure it cannot be linked to an identified or identifiable person.

Recording Medium: Any environment in which personal data is processed, whether fully or partially automated or through non-automated means as part of a data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, including but not limited to collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, retrieval, classification, or restriction of use, whether fully or partially automated or processed as part of a data recording system.

Personal Data Protection Law (“KVKK”): The Personal Data Protection Law No. 6698, which was published in the Official Gazette on April 7, 2016, and entered into force on the same date.

Board: The Personal Data Protection Board.

Authority: The Personal Data Protection Authority.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the data controller’s authorization.

Data Recording System: A system in which personal data is structured and processed according to specific criteria.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.