Personal Data Processing and Protection Procedure

Purpose

This procedure has been prepared to define, implement and sustain the fundamental principles for the processing and protection of personal data by Ones Bilişim Teknolojileri Anonim Şirketi (“Ones Technology”). The procedure complies with the Law on the Protection of Personal Data No. 6698 (KVKK), the Turkish Penal Code No. 5237 (TCK), Law No. 5651 and the ISO/IEC 27001:2022 Information Security Management System standard.

Scope

The procedure covers all Ones Technology employees, interns, contracted personnel, service providers, shareholders, visitors, consultants, customers and every system in which personal data are processed. Third parties that process data on behalf of Ones Technology also fall within the scope of this procedure.

Definitions and Abbreviations

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Categories of Personal Data: Sensitive data such as race, ethnic origin, political opinion, religious belief, health, sexual life, criminal conviction, biometric and genetic data.
  • Data Controller: The legal entity that determines the purposes and methods of processing personal data.
  • Explicit Consent: Consent relating to a specific matter, given with free will and based on prior information.
  • VERBİS: The Data Controllers’ Registry Information System managed by the Personal Data Protection Board.

Duties and Responsibilities

  • Senior Management: Supports and oversees implementation of the policy.
  • KVKK and VERBİS Officer: Responsible for executing and updating the policy, organising internal-audit processes and performing registrations and updates in VERBİS.
  • Department Managers: Implement the policy requirements within their respective areas.

Principles of Personal-Data Processing

  • Compliance with Law and Rules of Honesty: Data-processing activities are carried out in accordance with the KVKK, the TCK and other relevant legislation.
  • Accuracy and Currency: Data must be accurate and updated when necessary.
  • Processing for Specific, Explicit and Legitimate Purposes: Data are processed for clearly defined, legitimate purposes.
  • Being Relevant, Limited and Proportionate to the Purpose: Data-processing activities are limited to data that are necessary.
  • Limitation by Retention Period: Data are stored only for the period stipulated in Law No. 5651, the KVKK or required for the processing purpose.
  • Review of Processes and Assignment of Responsibilities: In accordance with ISO/IEC 27001:2022 control A.5.1.1, information-security roles and responsibilities are defined, communicated to all relevant parties and reviewed periodically.

Conditions for Processing Personal Data

Personal data may be processed without explicit consent in accordance with Articles 5 and 6 of the KVKK when:

  • expressly required by law,
  • necessary to protect the life or bodily integrity of a person unable to give consent,
  • directly related to the conclusion or performance of a contract,
  • mandatory for the data controller to fulfil a legal obligation,
  • made public by the data subject,
  • necessary for the establishment, exercise or protection of a right,
  • necessary for the legitimate interests of the data controller.

Special-category data are processed only with explicit consent or in cases prescribed by law.

Informing and Notification of the Data Subject

The data subject is informed through disclosure texts. The content of these texts is prepared in line with Article 10 of the KVKK, the Communiqué on the Obligation to Inform and ISO 27001 control A.5.1.1. Processes related to the obligation to inform are recorded.

Processing of Special Categories of Personal Data

When providing biometric identity-verification solutions, Ones Technology takes the measures stipulated by the Board while processing special-category data. Explicit consent is essential, and technical and administrative measures are applied. Physical and digital security measures, encryption, access control and confidentiality protocols are implemented.

Categories of Personal Data and Purposes of Processing

Data categories and processing purposes include Human Resources Management, Business Continuity, Security, Customer Relationship Management, Product-Service Delivery and Fulfilment of Legal Obligations. All data, including special categories, are processed in line with these purposes.

Retention Periods and Measures

Personal data are deleted, destroyed or anonymised when the processing purpose ends or when the statutory period expires. Periodic destruction is carried out twice a year. During retention, encryption, logging, access controls and physical security measures are applied under ISO 27001.

Data Transfer

Personal data may be transferred domestically or abroad only with explicit consent or within the exceptions in Articles 8 and 9 of the KVKK. Necessary contractual and technical safeguards are provided for transferred data.

Visitor, Guest and Digital-Access Data

Entry-exit, camera and internet-access data obtained from visitors are processed under Law No. 5651 and the KVKK. Visitors are informed, log records are kept and digital-access security is ensured.

Deletion, Destruction and Anonymisation of Data

Data whose processing conditions have ended are destroyed by deletion, destruction or anonymisation techniques. The process is carried out only by authorised personnel. Log records are kept for three years. Periodic destruction takes place in June and December.

Rights of the Data Subject and Application Process

The data subject has the right to access, correct or delete their data, to object to its processing and to claim compensation. Applications are made via the Ones Technology KVKK application form and are answered within 30 days.

Conditions and Method of Application

Applications under the KVKK must be submitted to the data controller in writing or by the methods determined by the Board.

Submission Method                                                  Submission Address
Wet-signed application (in person, mail, courier, notary)          https://ones.com.tr/contact/
KEP application                                                    [email protected]
Application from e-mail address registered in the company system   idari
E-signature/mobile-signature application                           idari

Applications must include:

  • Name and surname (with signature for written applications)
  • TR ID number (for Turkish citizens); nationality and passport/ID number (for foreigners)
  • Residential or workplace address for notice
  • E-mail, phone and fax number (if any) for notice
  • Subject of the request and related information/documents

The application date is the date the request reaches the data controller.

Data-Breach Management

If a data breach is detected, the Board and affected persons are notified within 72 hours. The notification includes:

  • Breach date
  • Affected data categories (personal/special)
  • Possible consequences
  • Measures taken or recommended
  • Contact information

Entry into Force and Update

This procedure enters into force on its publication date. It is reviewed at least once a year and updated according to technological developments, legislative changes and audit results.