I. INTRODUCTION
This Policy sets forth the procedures and principles to be followed byMedyapım Televizyon ve Filmcilik A.Ş. (hereinafter referred to as the “Company”)regarding the protection and processing of personal data.
This Policy aims to align the Company’s operations with the Personal Data Protection Law No. 6698 regarding the protection and processing of personal data, to define the framework for compliance activities planned to be carried out by the Company, and to ensure coordination. In accordance with the Personal Data Protection Law No. 6698, your personal data may be processed by the Company, as the data controller, within the scope described below.
In this context, the goal is to ensure that the Company’s operations are conducted in compliance with the law and regulations, and in accordance with the principles of integrity, transparency, and fairness.
This Policy comprehensively regulates the protection and processing of personal data belonging to the company’s stakeholders, authorized representatives and executives, current and potential customers, employees, job applicants, visitors, and third parties, with the aim of ensuring transparency and accountability in data processing. All personal data processed by non-automated means, provided it forms part of any data recording system, and the data subjects are covered by this Policy.
II. DEFINITIONS
| CONCEPT | DEFINITION |
|---|---|
| Explicit Consent | It refers to consent that is informed, based on a specific subject, and freely given. |
| Anonymization | It refers to the process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when combined with other data. |
| Data Subject | Refers to a natural person whose personal data is processed. For example: customers, employees, job applicants. |
| Personal data | It refers to any information relating to an identified or identifiable natural person. Therefore, the processing of information relating to legal entities is not covered by Law No. 6698. |
| Processing of Personal Data | It refers to any operation performed on personal data, such as the collection, recording, storage, retention, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or restriction of use of such data, whether carried out by fully or partially automated means or by non-automated means provided that it forms part of a data filing system. |
| Special Category Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. For example, an IT company that stores a company’s customer data falls under this category. |
| Data Controller | The data controller is the person who determines the purposes and means of processing personal data and manages the location where the data is systematically stored (the data record system). |
III. THE COMPANY’S OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA
A. The Company’s General Obligations
The Company’s obligations regarding the protection and processing of personal data are as follows:
- The Company’s Obligation to Register with the Data Controller Registry
- The Company’s Obligation to Inform Data Subjects
- Obligation to Ensure the Security of Personal Data
- Obligation to Comply with Legislation Regarding the Protection and Processing of Special Category Personal Data
- Obligation to Comply with the Law in the Event of a Transfer of Personal Data
- The Obligation to Process Personal Data in Accordance with and Within the Limits of the Conditions Set Forth in the Law
B. Duty to Disclose
The company aims to inform data subjects about the following matters:
- The identity of the Company, as the data controller, and, if applicable, its representative,
- The purpose for which personal data will be processed,
- To whom and for what purposes personal data may be transferred,
- The method and legal grounds for collecting personal data, and the rights of the data subject
- rights.
The data subject’s rights under the Company’s obligation to provide information relate to the following:
- To find out whether your personal data is being processed,
- To find out the purpose of the processing and whether it is being used in accordance with that purpose,
- Knowing the recipients of personal data,
- To request corrections in the event of incomplete or incorrect processing, to request the erasure of personal data if the conditions are met, and to have these requests communicated to third parties,
- To object to a decision made solely through the automated processing of personal data that results in adverse consequences for the individual,
- To claim compensation for damages suffered as a result of an action that violates the law.
C. Duty to Take Precautions
The Company considers it its duty to take the necessary technical and administrative measures to ensure an appropriate and sufficient level of security in order to prevent the unlawful processing of personal data it has processed or will process under the Personal Data Protection Law No. 6698 and/or unlawful access to such data, and to ensure the protection of the relevant personal data.
In this context, the company is establishing systems to conduct and arrange for the necessary audits regarding the implementation of the technical and administrative measures to be developed.
In the event that personal data processed by the Company in accordance with Law No. 6698, applicable legislation, and this Policy is obtained by others through unlawful means, the Company is obligated to immediately notify the relevant data subject and, if required by law, the Personal Data Protection Board. Furthermore, if the Company identifies a situation that poses a security risk, it must immediately take the necessary measures to eliminate said risk.
IV. PURPOSES OF PROCESSING PERSONAL DATA AND RETENTION PERIODS
A. Purposes of Data Processing
The Company’s data processing purposes are briefly outlined as follows:
- Where the company’s processing of personal data is necessary to protect the life or physical integrity of the data subject or another person, and where, in such a case, the data subject is unable to give consent due to physical or legal incapacity,
- Provided that it does not infringe upon the fundamental rights and freedoms of the data subjects, the necessity of processing personal data for the Company’s legitimate interests,
- With regard to special-category personal data other than that relating to the data subject’s health and sex life, provided that it is stipulated by law,
- The processing of personal data by the Company must be directly related to and necessary for the conclusion or performance of a contract,
- The processing of personal data by the Company is necessary for the establishment, exercise, or protection of the rights of the Company, the data subjects, or third parties,
- Provided that the personal data has been made public by the data subjects, the Company may process such data to the extent necessary for the purpose of such disclosure,
- The Company’s engagement in the relevant activity regarding the processing of personal data must be expressly provided for by law,
- The processing of personal data is necessary for the Company to fulfill its legal obligations,
- With regard to special-category personal data concerning the data subject’s health and sex life, such data may be processed by persons subject to a duty of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, and the provision of medical diagnosis, treatment, and care services, as well as the planning and management of health services and their financing.
In this context, the Company processes the personal data of data subjects for the following purposes: To ensure compliance with our legal obligations as required or mandated by law; to manage the Company’s employee personnel processes; to ensure that the commercial activities specified in the Company’s articles of association are carried out in accordance with legislation and relevant company policies through the necessary work performed by the relevant departments and the execution of activities in this regard; and to determine, plan, and implement the Company’s short-, medium-, and long-term commercial policies; To provide effective customer service; to carry out the Company’s operations and procedures; to offer services and proposals; and to plan and implement employees’ access permissions to Data Subject information, Conducting the necessary work by our relevant business units to carry out the commercial activities conducted by the Company and executing the associated business processes; conducting financial, accounting, and fiscal transactions, including service-related billing activities; monitoring legal matters; planning and executing corporate communications activities; Ensuring that data is accurate and up-to-date; maintaining business operations; ensuring the legal and commercial security of the services provided by our Company, as well as that of our Company and individuals with whom we have business relationships; fulfilling obligations arising from legislation; monitoring and executing legal proceedings and communication processes with government agencies, and providing services within this scope; and managing the Company’s employee personnel processes.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions set forth under the Personal Data Protection Law, the Company will obtain the explicit consent of the data subjects regarding the relevant processing process in accordance with this policy.
B. Categorization of Personal Data
The personal data processed within the company can be categorized as follows:
| Category | Description |
|---|---|
| Credentials | The personal identification information of the relevant individual falls under this category. This includes first and last name, parents’ names, mother’s maiden name, date of birth, place of birth, marital status, national ID card serial and sequence numbers, Turkish ID number, driver’s license information, and similar data. |
| Contact Information | The data in question includes the individual’s phone number, address, email address, registered email address (KEP), mailing address, and similar information. |
| Employee/Personal Information | This scope includes information that forms the basis for the employment rights of our company’s employees and/or individuals who have an employment relationship with the company. This includes payroll records, disciplinary investigations, hire and termination records, asset disclosure information, resume information, performance evaluation reports, and similar data. |
| Legal Information | Data processed in connection with the legal determination of our claims and rights, the fulfillment of our obligations, and the discharge of our legal responsibilities falls within this scope. This also includes information held by judicial authorities and case file information. |
| Customer Information | This scope covers the personal data of our customers who are data subjects, which is processed as a result of our business activities. This includes data such as call center recordings, order information, and invoice and bill of exchange information. |
| Venue Safety Information | Personal data related to records and documents collected within the physical premises falls under this scope. This includes entry and exit logs for employees and visitors, camera footage, and similar data. |
| Transaction Security Information | This includes IP address information, website login and logout information, password information, and similar data. |
| Risk Management Knowledge | Data processed in connection with the management of commercial, technical, and administrative risks falls within this scope. |
| Financial Information | Personal data processed regarding the data subject’s financial information, documents, and records falls within this scope. This includes balance sheets, financial asset information, credit and risk information, and financial performance information. |
| Professional Experience Information | This includes information on professional experience that will serve as the foundation for individuals’ fields of work. This includes information on diplomas, on-the-job training, certificates, transcripts, etc. |
| Visual and Audio Recordings | Visual and audio recordings fall under this category. This includes camera recordings, audio recordings, etc. |
| Health Data (Sensitive) | Health data retained for the purpose of enabling the data controller to fulfill its legal obligations falls under this scope. This includes information on disability status, blood type, personal health information, and details regarding medical devices and prosthetics used. |
| Criminal Record (Special Category) | Personal data processed in connection with the relevant individual’s criminal record and security background check falls within this scope. This includes criminal records, prior convictions, information regarding the status of sentence execution, and other judicial records obtained to the extent permitted by law. |
C. Retention Periods for Personal Data
The Company retains personal data for the period specified in the relevant legislation, if such retention is required by that legislation. In cases where no retention period is specified in the applicable laws, personal data is retained for as long as necessary to process the data in accordance with the Company’s practices and the requirements of its business operations, and is subsequently deleted, destroyed, or anonymized.
V. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
In accordance with applicable laws and regulations, the Company may transfer customers’ personal data to the categories of recipients listed below: Transfers to authorized public institutions and organizations, Company officials, and authorized private entities may be made within the framework of relevant legislation. In this context;
| PERSONS AND ORGANIZATIONS TO WHOM DATA MAY BE TRANSFERRED | EXPLANATION |
|---|---|
| Administrative Bodies/Authorized Public Institutions and Organizations | Public institutions and organizations authorized to obtain information and documents from the Company in accordance with the relevant legislation are included in this scope. Data may be transferred to the aforementioned institutions and organizations solely for the purpose specified in their requests and within the limits of their legal authority. |
| Authorized Private-Sector Entities / Suppliers | Private entities authorized to obtain information and documents from the Company in accordance with the relevant legal provisions fall within this scope. Data may be transferred to such authorized private entities solely for the purpose specified in their request and within the limits of their legal authority. |
| Company Representative | In accordance with the relevant legal provisions, data may be transferred solely for the purposes of designing strategies related to the Company’s commercial activities, ensuring management at the highest level, and conducting audits. |
VI. CONDITIONS FOR THE DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Although personal data has been processed in accordance with the relevant provisions of the law, if the grounds for its processing no longer exist, the Company may, at its own discretion or upon the request of the data subject, delete, destroy, or anonymize such personal data.
In cases where the Company has the right and/or obligation to retain personal data in accordance with the Personal Data Protection Law, it reserves the right not to comply with the data subject’s request. This is because, under the Personal Data Protection Law, personal data may be processed without the data subject’s explicit consent if any of the following conditions are met:
- Explicit provision in the laws.
- It is necessary to protect the life or physical integrity of a person who, due to actual impossibility, is unable to express consent, or whose consent is not legally valid, or that of another person.
- The processing of personal data belonging to the parties to a contract is necessary, provided that such processing is directly related to the conclusion or performance of the contract.
- It is necessary for the data controller to fulfill its legal obligation.
- The fact that the information was made public by the individual in question.
- Data processing is necessary for the establishment, exercise, or defense of a legal claim.
- Provided that it does not infringe upon the fundamental rights and freedoms of the data subject, the processing of data is necessary for the legitimate interests of the data controller.
VII. RIGHTS OF DATA SUBJECTS
A. In General
Data subjects have the following rights under applicable law:
- The right to know whether personal data is being processed,
- To request information regarding the processing of personal data,
- The right to learn the purpose of the processing of personal data and whether it is being used in accordance with that purpose,
- The right to know which third parties, whether within the country or abroad, personal data is transferred to,
- In the event that personal data has been processed incompletely or incorrectly, the right to request the correction of such data and, in this context, to request that the third parties to whom the personal data has been disclosed be notified of the action taken,
- Although personal data has been processed in accordance with applicable laws, the right to request the erasure or destruction of such data if the grounds for its processing no longer exist, and to request that third parties to whom the personal data has been disclosed be notified of such action,
- The right to object to a decision made solely through the automated processing of personal data that results in adverse consequences for the individual,
- To request compensation for damages suffered as a result of the unlawful processing of personal data.
B. The Data Subject’s Right to File a Request with the Company
If data subjects wish to exercise any of the rights listed above, they may do so by using the contact form available on the Company’s corporate website; however, should the Personal Data Protection Board decide that requests may be submitted through methods other than those listed above, the methods by which such requests may be submitted will be announced separately.
The company will review and resolve requests from data subjects within thirty days at the latest, depending on the nature of the request. Responses to requests from data subjects, whether positive or negative, may be communicated to the data subjects in writing or electronically.
While data subjects’ requests will generally be processed free of charge, if responding to a request entails additional costs, a fee may be charged in the amounts specified under applicable legislation. The procedures and guidelines for paying this fee will be outlined in the Application Form. It should be noted that applications will not be considered if the fee is not paid in accordance with the procedures and guidelines described. If the request arises from an error on the part of the Company, the fee collected will be refunded to the relevant party.
C. Special Circumstances Under Which Data Subjects Cannot Exercise Their Rights
Since the situations listed below are excluded from the scope of the Personal Data Protection Law, data subjects cannot exercise the rights described above in these matters:
- The processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics,
- The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights, or constitute a crime,
- The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations that have been assigned duties and authorities by law to ensure national defense, national security, public safety, public order, or economic security,
- The processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials, or enforcement proceedings.
D. The Company’s Right to Reject a Data Subject’s Request
The company may reject an applicant’s application in the following cases, providing an explanation of the grounds for the rejection:
- The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations that have been granted duties and authority by law to ensure national defense, national security, public safety, public order, or economic security,
- The processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics,
- The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights, or constitute a crime,
- The processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials, or enforcement proceedings,
- The fact that the requested information is publicly available,
- The processing of personal data is necessary for the prevention of crime or for a criminal investigation,
- The processing of personal data by public institutions and organizations, as well as professional associations with the status of public institutions, acting within the authority granted by law, when such processing is necessary for the performance of their supervisory or regulatory duties, or for disciplinary investigations or prosecutions,
- The processing of personal data is necessary to protect the State’s economic and financial interests in matters related to the budget, taxes, and financial issues,
- The processing of personal data that has been made public by the data subject,
- The possibility that the data subject’s request may infringe upon the rights and freedoms of others,
- The fact that requests were made that required a disproportionate amount of effort
