1. DATA PRIVACY COMMITMENT DESTRUCTION AND PROTETION POLICY

1.1. This Personal Data Protection Policy (“Policy”) outlines the principles that Elite Naturel Organic Food Industry and Trade Inc. (“Company” or “Elite Naturel”) follows in accordance with the relevant legal regulations, primarily the Law on Protection of Personal Data No. 6698, while fulfilling its obligations to protect Personal Data and processing Personal Data within the Company and/or adhering to the principles required by the Company.

1.2. The Company commits to adhering to this Policy and the procedures to be applied in accordance with the Policy regarding Personal Data within its own organization.

2. PURPOSE OF THE POLICY

The primary purpose of İŞBU Policy is to establish the principles and procedures for the processing and protection of Personal Data by the Company. It also sets out the processes for the destruction and deletion of Personal Data when it is no longer needed or required by law.

3. SCOPE OF THE POLICY

3.1. İŞBU Policy covers all activities related to the processing, storage, deletion, retention, transfer, and destruction of Personal Data handled by the Company and applies to all such activities.

3.2. İŞBU Policy does not apply to data that does not qualify as Personal Data.

3.3. İŞBU Policy may be amended from time to time with the approval of the Board of Directors, if required by Data Protection Regulations or deemed necessary by the [Company’s Data Protection Officer and/or Committee]. In the event of any conflict between the Data Protection Regulations and İŞBU Policy, the Data Protection Regulations shall prevail.

4. DEFINITIONS
The definitions used in this Policy have the following meanings:

“Explicit Consent” refers to the consent that is given based on being informed about a specific matter and is expressed voluntarily.

“Anonymization” refers to the process of rendering Personal Data in such a way that it cannot be related to an identified or identifiable natural person, even when combined with other data.

“Obligation to Inform” refers to the responsibility of the Data Controller or their authorized representative to provide information to the Data Subject as per Article 10 of the Personal Data Protection Law (KVKK) during the collection of Personal Data.

“Personal Data” refers to any information relating to an identified or identifiable natural person (within the scope of this Policy, the term “Personal Data” will also encompass the “Special Categories of Personal Data” defined below, as applicable).

“Personal Data Processing” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, or as part of any data filing system, including the collection, recording, storage, retention, modification, restructuring, disclosure, transmission, transfer, retrieval, accessibility, classification, or restriction of use of the data.

“Committee” refers to the committee responsible for implementing this Policy and the KVKK Procedures associated with it.

“Board” refers to the Personal Data Protection Board.

“Institution” refers to the Personal Data Protection Institution.

“KVKK” refers to the Personal Data Protection Law No. 6698.

“KVK Düzenlemeleri” refers to the Personal Data Protection Law No. 6698, other relevant legislation regarding the protection of personal data, binding decisions, principle decisions, provisions, instructions issued by regulatory and supervisory authorities, courts, and other official bodies, as well as applicable international agreements and any other relevant legislation related to data protection.

“KVK Prosedürleri” refers to the procedures that define the obligations that the Company, its employees, [the Committee, and/or the Data Protection Officer Representative] must adhere to under this Policy.

“Special Categories of Personal Data” refers to data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

“Deletion or Removal” refers to making Personal Data completely inaccessible and unusable for the relevant users.

“Data Processor” refers to a real or legal person who processes Personal Data on behalf of the Data Controller, having been authorized by the Data Controller.

“Data Subject” refers to all natural persons whose Personal Data is processed by the Company or on behalf of the Company.

“Data Controller” refers to the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system.

“Data Controller Contact Person” refers to the individual designated by the Data Controller for communication with the Authority, as notified during the registration process.

“Data Controller Representative” refers to the company employee selected from within the Committee, appointed by the board of directors, and responsible for managing and overseeing the company’s relations with the Authority.

“Destruction” refers to the process of making Personal Data completely inaccessible, irretrievable, and unusable by anyone.

5. PRINCIPLES OF PERSONALl DATA PROCESSING


5.1. Processing of Personal Data in Compliance with the Law and Integrity Principles

The Company processes Personal Data in accordance with the law, principles of integrity, and on the basis of proportionality.

5.2. Taking Necessary Measures to Ensure Personal Data is Accurate and, When Necessary, Up-to-Date

The Company takes all necessary measures to ensure that Personal Data is complete, accurate, and up-to-date, and updates the relevant Personal Data if the Data Subject requests changes to their Personal Data in accordance with KVKK Regulations.

5.3. Personal Data Processing for Specific, Explicit, and Legitimate Purposes

Before processing Personal Data, the Company determines the purpose for which the Personal Data will be processed. In this context, the Data Subject is informed in accordance with the KVKK Regulations, and explicit consent is obtained where necessary.

5.4. Personal Data should be relevant, limited, and proportionate to the purposes for which they are processed.

The Company processes Personal Data only for purposes specified under the relevant exceptions of the KVKK Regulations (Article 5.2 and Article 6.3) or within the scope of Explicit Consent obtained from the Data Subject (Article 5.1 and Article 6.2), and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a manner suitable for achieving the defined purposes and avoids processing Personal Data that is irrelevant or unnecessary for the accomplishment of these purposes.

5.5. Personal Data is retained for the period required by the relevant legislation or for the purpose for which it is processed. Upon the expiration of the necessary retention period and in the absence of legal obligations, such unnecessary data is destroyed during the first periodic destruction audit.

5.5.1. The Company retains Personal Data for as long as necessary to fulfill its purpose. If the Company wishes to retain Personal Data for a period longer than required by the KVKK Regulations or the purpose of Personal Data Processing, it will comply with the obligations specified in the KVKK Regulations.

5.5.2. Once the period required for the purpose of Personal Data Processing has expired, the Personal Data will be either deleted or anonymized. In such cases İŞBU, the Company ensures that third parties to whom Personal Data has been transferred also delete, destroy, or anonymize the Personal Data.

5.5.3. The processes of Deletion, Destruction, and Anonymization are managed by the [Data Controller Representative and/or Committee]. In this context, the necessary procedures will be established by the [Data Controller Representative and/or Committee].

6. PROCESSING OF PERSONAL DATA


Personal data can only be processed by the Company within the procedures and principles outlined below.

6.1. Explicit Consent

6.1.1. Personal Data is processed only after informing the Data Subjects in accordance with the Obligation to Inform and obtaining their Explicit Consent.

6.1.2. Before obtaining Explicit Consent, Data Subjects are informed of their rights in accordance with the Obligation to Inform.

6.1.3. The Data Subject’s Explicit Consent is obtained using methods compliant with Data Protection Regulations. The consents are stored by the Company for the required duration in accordance with Data Protection Regulations, and are maintained in a verifiable manner.

6.1.4. The Data Controller Representative and/or Committee is responsible for ensuring the fulfillment of the Disclosure Obligation and, if necessary, obtaining Explicit Consent and maintaining the obtained Explicit Consent for all Personal Data Processing processes. All department employees who process Personal Data are required to comply with the instructions of the Data Controller Representative and/or Committee, İŞBU Policy, and the Data Protection Procedures attached to this Policy.

6.2. Processing of Personal Data Without Obtaining Explicit Consent

6.2.1. In cases where the processing of Personal Data without obtaining Explicit Consent is permitted under the Data Protection Regulations (KVKK Article 5.2), the Company may process Personal Data without obtaining the Data Subject’s Explicit Consent. In such cases, the Company processes Personal Data within the boundaries set by the Data Protection Regulations. This includes:

6.2.1.1. If explicitly provided by laws, Personal Data may be processed by the Company without obtaining Explicit Consent.

6.2.1.2. If a Data Subject is unable to provide consent due to actual impossibility or if their consent is not legally recognized, Personal Data may be processed by the Company without obtaining Explicit Consent, provided that it is necessary for the protection of the life or bodily integrity of the Data Subject or another person.

6.2.1.3. If the processing of Personal Data of the parties to a contract is necessary for the establishment or performance of the contract, Personal Data may be processed by the Company without obtaining Explicit Consent from the Data Subjects.

6.2.1.4. If the processing of Personal Data is necessary for the Company to fulfill its legal obligations, Personal Data may be processed by the Company without obtaining Explicit Consent from the Data Subjects.

6.2.1.5. Personal Data that has been made public by the Data Subject may be processed by the Company without obtaining Explicit Consent.

6.2.1.6. If the processing of Personal Data is necessary for the establishment, exercise, or protection of a right, Personal Data may be processed by the Company without obtaining Explicit Consent.

6.2.1.7. Provided that it does not harm the fundamental rights and freedoms of the Data Subject, if the processing of Personal Data is necessary for the legitimate interests of the Company, Personal Data may be processed by the Company without obtaining Explicit Consent.

7. PROCESSING OF SENSITIVE PERSONAL DATA


7.1. Sensitive Personal Data may only be processed if there is explicit consent from the Data Subject, or if it is explicitly mandated by laws for processing sensitive personal data other than data related to sexual life and personal health.

7.2. Personal Data related to health and sexual life may be processed without explicit consent only by individuals or authorized institutions with a duty of confidentiality (e.g., company doctor) for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

7.3. When processing Special Categories of Personal Data, measures specified by the Board (Kişisel Verileri Koruma Kurulu) are taken.

7.4. The Company provides training to employees involved in the processing of Special Categories of Personal Data to ensure they are aware of and adhere to the applicable measures and procedures.

7.4.1. The Company will regularly provide training on data protection regulations and the security of Special Categories of Personal Data.

7.4.2. The Company will establish confidentiality agreements.

7.4.3. The Company will clearly define the scope and duration of access rights for users who have access to Special Categories of Personal Data.

7.4.4. The Company will conduct periodic access control reviews.

7.4.5. The Company will immediately revoke the access rights of employees who change roles or leave the company and will promptly retrieve any assigned inventory from the departing employees.

7.5. In cases where Special Categories of Personal Data are transferred to electronic environments, the Company will ensure the following regarding the electronic environments where such data are processed, stored, and/or accessed:

7.5.1. The Company will store Special Categories of Personal Data using encryption methods.

7.5.2. The Company will store cryptographic keys securely and in separate environments.

7.5.3. The Company will securely log all activities performed on Special Categories of Personal Data.

7.5.4. The Company will continuously monitor security updates for environments containing Special Categories of Personal Data, regularly conduct security tests, and record the test results.

7.5.5. If Special Categories of Personal Data are accessed through software, the Company will manage user authorizations for this software, regularly conduct security tests for these applications, and record the test results.

7.5.6. If remote access to Special Categories of Personal Data is available, the Company will provide at least a two-step authentication system.

7.6. In the case of processing Special Categories of Personal Data in physical environments, the Company will ensure the following:

Adequate security measures are taken based on the nature of the environment where the Special Categories of Personal Data are stored or processed, protecting against risks such as electrical faults, fire, water damage, theft, etc.
The physical security of these environments is maintained by preventing unauthorized access and ensuring proper controls are in place.

7.7. Here is the translated text without bullet points or numbering:


In the case of transferring Special Categories of Personal Data, the Data Controller will use encrypted corporate email addresses or a Registered Electronic Mail (KEP) account if transferring Special Categories of Personal Data via email is necessary.

7.7.2. In cases where the transfer of Special Categories of Personal Data is necessary through portable storage devices, CDs, DVDs, or similar media, the Data Controller will encrypt the data using cryptographic methods and will store the cryptographic key in a separate environment.

7.7.3. If the transfer of Special Categories of Personal Data between servers in different physical environments is required, the Data Controller will carry out the transfer using a VPN (Virtual Private Network) or SFTP (Secure File Transfer Protocol) method.

7.7.4. If the transfer of Special Categories of Personal Data via paper is necessary, the Data Controller will take the necessary precautions against risks such as theft, loss, or unauthorized access and will send the documents in a “confidential document” format.

7.8. In addition to the above arrangements, the Company will act in accordance with the KVKK Regulations, including the Personal Data Security Guide published by the Authority, to ensure the security of Personal Data, including Special Categories of Personal Data.

7.9. In any case requiring the processing of Special Categories of Personal Data, the relevant employee will inform the [Data Controller Representative and/or Committee].

7.10. If it is not clear whether a data is Special Categories of Personal Data, the relevant department will seek the opinion of the [Data Controller Representative and/or Committee].

8. RETENTION PERIOD FOR PERSONAL DATA


Personal Data is kept within the Company for the duration of the relevant legal retention periods, and is retained for as long as necessary to fulfill the activities associated with this data and the purposes outlined in this Policy. Once the purpose of use has ended and the legal retention period has expired, Personal Data is deleted, destroyed, or anonymized by the Company in accordance with Article 7 of the KVKK Law.

9. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA


9.1. When the legitimate purpose for processing Personal Data ceases to exist, the relevant Personal Data will be Deleted, Destroyed, or Anonymized. The situations requiring the Deletion, Destruction, or Anonymization of Personal Data will be monitored by the [Data Controller Representative and/or Committee].

9.2. The [Data Controller Representative and/or Committee] is responsible for managing the processes of Deletion, Destruction, and Anonymization. In this context, the necessary procedures will be established by the [Data Controller Representative and/or Committee].

9.3. The Company does not retain Personal Data with the intention of using it in the future.

9.4. All deletion, destruction, and anonymization activities carried out by the Company on Personal Data will be conducted in accordance with the principles outlined in the Personal Data Retention, Destruction, and Anonymization Policy.

9.5. The Company will conduct periodic scans every 6 months to delete, destroy, or dispose of unnecessary personal data. The process that best suits the current conditions and circumstances will be applied to ensure that the data becomes inaccessible.

10. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES


The Company may transfer Personal Data to a third natural or legal person located either domestically or internationally, in accordance with the KVK Regulations, by taking the necessary precautions for the purposes of Personal Data processing. In such cases, the Company ensures that the third parties to whom Personal Data is transferred also comply with this Policy.

In this context, protective provisions are included in the contracts made with third parties. Any clauses to be added to the contracts with third parties involving Personal Data transfers are provided by [Data Controller Representative and/or Committee].

Each employee is required to follow the process outlined in this Policy in cases involving the transfer of Personal Data. If the third party to whom Personal Data is transferred requests changes to the clauses communicated by [Data Controller Representative and/or Committee], the situation must be promptly reported by the employee to [Data Controller Representative and/or Committee].

10.1. Transfer of Personal Data to Third Parties Located in Turkey

10.1.1. Personal Data may be transferred to third parties located in Turkey by the Company without Explicit Consent in the exceptional cases specified in Article 5.2 of the KVKK Law and with sufficient measures, or with the Explicit Consent of the Data Subject in other cases (Article 5.1 and Article 6.2 of the KVKK Law).

10.1.2. Ensuring that the transfer of Personal Data to third parties located in Turkey complies with KVKK Regulations is the joint responsibility of Company employees and the [Data Controller Representative or Company].

10.2. Transfer of Personal Data to Third Parties Located Abroad

10.2.1. Personal Data may be transferred to third parties located abroad by the Company, either without Explicit Consent in exceptional cases specified in Articles 5.2 and 6.3 of the KVKK, or with the Explicit Consent of the Data Subject in other cases (Article 5.1 and Article 6.2 of the KVKK)..

10.2.2. In cases where Personal Data is transferred without Explicit Consent in accordance with KVKK Regulations, the following conditions must be met for the foreign country to which the data will be transferred:

10.2.2.1. The foreign country to which the Personal Data is transferred must be categorized as a country with adequate protection by the Board (for the list, please refer to the latest list provided by the Personal Data Protection Board).

10.2.2.2. In the event that the foreign country to which the transfer will take place is not on the Board’s list of safe countries, the Company and the Data Controllers in the relevant country must obtain permission from the Board by providing a written commitment in accordance with the principles determined by the Board to ensure that adequate protection is provided.

10.2.3. Company employees and the [Data Controller Representative or the Company] are jointly and severally responsible for ensuring that the transfer of Personal Data to third parties abroad complies with Data Protection Regulations.

11.THE COMPANY’S OBLIGATION TO INFORM


11.1. In accordance with Article 10 of the Data Protection Law, the Company informs Data Subjects before processing Personal Data. In this context, the Company fulfills its Obligation to Inform during the acquisition of Personal Data. The notification to be made to Data Subjects under the Obligation to Inform includes the following elements in order:

11.1.1. The identity of the Data Controller and, if applicable, their representative, the purpose for which Personal Data will be processed, the recipients to whom the processed Personal Data may be transferred and for what purpose, the method and legal basis of collecting Personal Data, and the rights of Data Subjects as listed in Article 11 of the Data Protection Law.

11.2. In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the Data Protection Law, the Company provides the necessary information to the Data Subject upon request.

11.3. In the event that Data Subjects request it in accordance with Data Protection Regulations, the Company will inform the Data Subject of the Personal Data it has processed.

11.4. The employee overseeing the relevant process and the [Data Controller Representative or the Company] are jointly and severally responsible for ensuring that the necessary Obligation to Inform is fulfilled before the processing of Personal Data. In this context, the necessary Data Protection Procedure is established by the [Data Controller Representative and/or the Committee] to report each new data processing process to the [Data Controller Representative and/or the Committee].

11.5. If the Data Processor is a third party outside the Company, the third party must commit in writing to comply with the aforementioned obligations before processing Personal Data begins. In cases where third parties transfer Personal Data to the Company, a clause to be added to the contracts is obtained from the [Data Controller Representative and/or the Committee]. Each employee is required to follow the process outlined in this Policy when Personal Data is transferred to the Company by a third party. If the third party transferring Personal Data requests changes to the clause provided by the [Data Controller Representative and/or the Committee], the situation must be immediately reported by the employee to the [Data Controller Representative and/or the Committee].

12. RIGHTS OF DATA SUBJECTS


12.1. The Company responds to the requests of Data Subjects regarding their own Personal Data, as listed below, in accordance with Data Protection Regulations:

12.1.1. Learning whether Personal Data is processed by the Company,

12.1.2. Requesting information about the processing of their Personal Data,

12.1.3. Learning the purpose of processing Personal Data and whether it is used in accordance with that purpose,

12.1.4. Knowing the third parties to whom Personal Data is transferred, whether domestically or internationally,

12.1.5. Requesting the correction of Personal Data if it has been processed incompletely or inaccurately by the Company,

12.1.6. Requesting the deletion or destruction of Personal Data by the Company when the reasons necessitating the processing of Personal Data, including purpose, duration, and legality principles, have ceased to exist,

12.1.7. Requesting notification to third parties to whom Personal Data has been transferred, in the event of correction, deletion, or destruction of Personal Data by the Company,

12.1.8. Challenging the result if it is adverse to the Data Subject when Personal Data is analyzed solely through automated systems,

12.1.9. Requesting compensation for damages if Personal Data is processed in violation of the law and as a result, the Data Subject suffers harm.

In cases where Data Subjects wish to exercise their rights and/or believe that the Company is not acting in accordance with this Policy while processing Personal Data, they can submit their requests and applications by filling out the Application Form available on our website or by creating their requests in compliance with the conditions specified by the Personal Data Protection Authority. These can be sent to us in person, by notarized letter, registered mail, or through registered electronic mail (REM), secure electronic signature, mobile signature, or the email address previously notified and registered in our system. Please verify the current application methods with the relevant legislation before applying. The conditions and methods for applying to our Company are also detailed on our website.

Mail address: Mustafa Kemal Mahallesi 2159 Sokak No:6/8
06530 Çankaya / ANKARA

E-mail address: support@elitenaturel.com

Kep address: elitenaturel@hs05.kep.tr

12.2. If Data Subjects submit their requests regarding the rights listed above in writing to the Company, the Company will respond to the request free of charge within thirty days from the date the request is received, depending on the nature of the request. If there is an additional cost for the Data Controller to address the requests, fees determined by the Personal Data Protection Authority may be charged by the Data Controller.

13. DATA MANAGEMENT AND SECURITY


13.1. The Company assigns a [Data Controller Representative and/or establishes a Committee] to fulfill its obligations under Data Protection Regulations, ensure the implementation and oversight of the necessary Data Protection Procedures for the application of this Policy, and make recommendations regarding their operation.

13.2. All employees involved in the process are jointly responsible for the protection of Personal Data in accordance with this Policy and Data Protection Procedures.

13.3. Personal Data processing activities by the Company are monitored through technical systems based on technological capabilities and implementation costs.

13.4. Staff knowledgeable in technical aspects of Personal Data processing activities are employed.

13.5. Company employees are informed and trained on the protection of Personal Data and its lawful processing.

13.6. A Data Protection Procedure is established to enable employees who need access to Personal Data to obtain the necessary access.

13.7. Company employees can access Personal Data only within the scope of the permissions granted to them and in accordance with the relevant Data Protection Procedure. Any access or processing beyond the employee’s authorized scope is considered unlawful and may be grounds for termination of employment for just cause.

13.8. If a Company employee suspects that the security of Personal Data is not adequately ensured or identifies such a security breach, they must immediately report the situation to the [Data Controller Representative and/or Committee].

13.9. A detailed Data Protection Procedure for the security of Personal Data is created by the [Data Controller Representative and/or Committee].

13.10. Every individual assigned a Company device is responsible for the security of the device assigned to their use.

13.11. Every Company employee or person working within the Company is responsible for the security of physical files within their area of responsibility.

13.12. In the event that additional security measures are requested or required for the security of Personal Data under Data Protection Regulations, all employees are obligated to comply with these additional security measures and ensure their continuity.

13.13. To ensure the security of Personal Data within the Company, software and hardware that include virus protection systems and firewalls are installed, in line with technological advancements.

13.14. Backup programs are used in the Company to prevent the loss or damage of Personal Data, and adequate security measures are implemented.

13.15. Measures will be taken to protect documents containing Personal Data using encrypted systems. In this context, Personal Data will not be stored in shared areas or on desktops. Files and folders containing Personal Data will not be moved to desktops or shared folders, and information on Company computers cannot be transferred to external devices such as USBs or removed from the Company.

13.16. The [Data Controller Representative and/or Committee] is responsible for implementing technical and administrative measures to protect all Personal Data within the Company, continuously monitoring developments and administrative activities, preparing and announcing the necessary Data Protection Procedures within the Company, ensuring compliance with these procedures, and overseeing them. In this context, the [Committee and/or Data Controller Representative] will organize the necessary training to raise employee awareness.

13.17. If a department within the Company processes Sensitive Personal Data, that department will be informed by the [Committee and/or Data Controller Representative] about the significance, security, and confidentiality of the Personal Data they handle. The relevant department will act in accordance with the instructions of the [Committee and/or Data Controller Representative]. Access to Sensitive Personal Data will be granted only to a limited number of employees, and the list and monitoring of these employees will be managed by the [Committee and/or Data Controller Representative].

13.18. All Personal Data processed within the Company is considered ‘Confidential Information’ by the Company.

13.19. Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data continue even after the termination of their employment, and commitments have been obtained from employees to adhere to these rules.

14. EDUCATION


14.1. The Company provides its employees with the necessary training on Personal Data protection through the Policy and accompanying Data Protection Procedures, in accordance with Data Protection Regulations.

14.2. Training sessions specifically address the definitions and protection practices of Sensitive Personal Data.

14.3. If a Company employee accesses Personal Data either physically or in a computer environment, the Company provides specific training to the employee regarding those access points (e.g., the accessed software).

15. AUDIT


The Company has the right to regularly audit, without prior notice, to ensure that all employees, departments, and contractors of the Company comply with İŞBU Policy and Data Protection Regulations. The Company conducts the necessary routine audits in this context. The [Committee and/or Data Controller Representative] will create a Data Protection Procedure for these audits, present it to the Board of Directors for approval, and ensure the implementation of the procedure.

16. BREACHES


16.1. Each employee of the Company reports any work, transaction, or action they believe to be contrary to the procedures and principles specified in Data Protection Regulations and İŞBU Policy to the [Data Controller Representative and/or Committee]. In this context, the [Data Controller Representative and/or Committee] will create an action plan in accordance with this Policy and Data Protection Procedures for the related breach.

16.2. Following the notifications, the [Data Controller Representative and/or Committee] prepares the notification regarding the breach to the Data Subject or the Authority, taking into account the applicable legal provisions, including Data Protection Regulations. In this case, the Data Controller Contact Person manages the correspondence and communication with the Authority.

17. CHANGES TO THE POLICY


17.1. İŞBU Policy may be amended from time to time by the Company with the approval of the Board of Directors.

17.2. The Company will share the updated Policy text with its employees via email or make it available for review by employees and Data Subjects through the following website address.

17.3 In addition to publishing the Company’s policies on its website, the Company will keep a written and stamped copy of the policies for the duration of their validity and for two years after they expire.

18. DATE OF EFFECTIVENESS OF THE POLICY
This version of the Policy was approved by the Company’s Board of Directors on 01/01/2020 and came into effect.