1.1. Giriş

benovip.com (“Company”) attaches utmost importance to the processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”) and acts with this care in all its planning and activities. With this awareness, both to fulfill the disclosure obligation within the scope of Article 10 of the Law. This Policy on Processing and Protection of Personal Data (“Policy”) is hereby submitted for your information in order to fulfill the obligation of disclosure under Article 10 of the Law and to inform you of all administrative and technical measures we have taken within the scope of processing and protection of personal data.

1.2. Politikanın Amacı

The main purpose of this Policy is to provide explanations on the systems for the processing and protection of personal data in accordance with the law and the purpose of the Law, and in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Authorities, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation on personal data.

1.3. Politikanın Kapsamı ve Kişisel Veri Sahipleri

This Policy has been prepared for the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties, by automatic or non-automatic means, provided that they are part of any data recording system, and will be applied within the scope of these specified persons. This Policy shall in no way apply to legal entities and legal entity data.

Our Company informs the Personal Data Owners about the Law by publishing this Policy on its website. For the employees of our Company, the Policy on Processing Personal Data for Employees shall apply. This Policy will not be applied if the data is not included in the scope of “Personal Data” within the scope specified below or if the Personal Data processing activity carried out by our Company is not in the ways specified above.

In this context, the personal data owners within the scope of this Policy are as follows:

Company Stakeholder : Stakeholders of the Company are real persons.

Company Real Person Business Partner : Real persons with whom the Company has any kind of business relationship.

Stakeholder, Official, Employee of the Company’s Business Partners: All real persons, including employees, Stakeholders and officials of real and legal persons (such as business partners, suppliers) with whom the Company has all kinds of business relations.

Company Officials : Members of the Company’s board of directors and other authorized real persons.

Employee Candidate : Natural persons who have applied for a job to the Company by any means or who have opened their resume and related information to the Company’s review.

Company Customer : Natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Potential Customer : Real persons who have made a request or interest in using the Company’s products and services or who have been evaluated in accordance with the rules of commercial custom and honesty that they may have this interest.

Visitor : All real persons who enter the physical premises owned by the Company for various purposes or visit the websites for any purpose.

Third Person : Other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.

1.4.Definitions

The terms used in this Policy shall have the meanings set out below:

Companies / Our Companies : Benovip A.S.

Personal Data/Data : Any information relating to an identified or identifiable natural person.

Sensitive Personal Data/Data : Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data : It is any operation performed on Personal Data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

Personal Data Owner/Related Person : Company Stakeholders and Employees, Company Business Partners, Company Authorities, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, Third Parties and persons whose personal data are processed by the company.

Data Recording System : Refers to the recording request where personal data is structured and processed according to certain criteria.

Data Controller : The natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor : A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Anonymization : It is the process of making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

Law : Law No. 6698 on the Protection of Personal Data.

KVK Board : Personal Data Protection Board.

1.5. Politikanın Yürürlüğü

This Policy, which is issued by the Company and entered into force on the date of its publication, is published on the Company’s website (https://www.benovip.com) and made available to the relevant persons upon the request of the Personal Data Owners.

SECTION TWO – PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. Kişisel Verilerin İşlenmesinde Genel İlkeler

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts according to the following principles when processing Personal Data:

Personal Data is processed in accordance with the provisions of the relevant legislation and the requirements of the rule of good faith.

It is ensured that Personal Data is accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered. Personal Data is processed for specific, explicit and legitimate purposes. The legitimate purpose means that the Personal Data processed by the Company is related to and necessary for the business or service provided by the Company.

Personal Data is connected to the purpose in order to realize the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. It keeps the processed data limited only to what is necessary for the realization of the purpose. Personal Data processed within this scope are connected, limited and measured for the purpose for which they are processed.

If there is a period stipulated in the relevant legislation for the storage of data, it complies with these periods; otherwise, it retains Personal Data only for the period required for the purpose for which they are processed. In the event that there is no valid reason for further retention of Personal Data, such data shall be deleted, destroyed or anonymized.

2.2. Kişisel Verilerin İşlenme Şartları

The Company does not process Personal Data without the explicit consent of the data subject. In the presence of one of the following conditions, Personal Data may be processed without the explicit consent of the data subject.

The Company may process the Personal Data of Personal Data Owners even without explicit consent in cases expressly stipulated by law. For example; Pursuant to Article 230 of the Tax Procedure Law. Pursuant to Article 230 of the Tax Procedure Law, the explicit consent of the relevant person will not be sought to include the name of the relevant person on the invoice.

Personal Data may be processed without explicit consent in order to protect the life or physical integrity of persons who are unable to disclose their consent due to actual impossibility or whose consent cannot be recognized as valid, or of another person. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect his/her life or body integrity. In this context, data such as allergies, blood type, previous diseases and surgeries, medications used can be processed through the relevant health system.

Provided that it is directly related to the establishment or performance of a contract by the Company, Personal Data of the parties to the contract may be processed. For example, the account number information of the creditor party may be obtained for the performance of the debt pursuant to a contract.

The Company may process the Personal Data of Personal Data Owners if it is mandatory in order to fulfill its legal obligations as a data controller.

Personal Data made public by the Company by the Personal Data Owners themselves, in other words, Personal Data disclosed to the public in any way, may be processed as the legal benefit to be protected has disappeared.

The Company may process the Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is mandatory for the exercise or protection of a legitimate legal right.

The Company may process the Personal Data of Personal Data Owners in cases where the processing of Personal Data is mandatory for the provision of legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy.

The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of Personal Data Owners.

2.3. Özel Nitelikli Kişisel Verilerin İşlenme Şartları

The Company does not process Sensitive Personal Data without the explicit consent of the data subject. However, Personal Data other than health and sexual life may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal Data relating to health and sexual life are processed by the Company only for the purpose of protecting public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the person concerned under the conditions that we are under the obligation of confidentiality. The Company carries out the necessary procedures to take adequate measures determined by the Board in the processing of Special Categories of Personal Data.

2.4. Kişisel Verilerin Aktarılma Şartları

Our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Owners to third parties in accordance with the Law by establishing the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, in line with the legitimate and lawful Personal Data processing purposes, our Company may transfer the Personal Data specified in Article 5 of the Law, listed below. based on and limited to one or more of the Personal Data processing conditions specified in Article 5 of the Law

Personal Data to third parties:

If there is explicit consent of the Personal Data owner;

If there is a clear regulation in the laws regarding the transfer of Personal Data, if it is mandatory for the protection of the life or physical integrity of the Personal Data owner or someone else, and if the Personal Data owner is unable to disclose his consent due to actual impossibility or if his consent is not legally valid,

If it is necessary to transfer Personal Data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

If Personal Data transfer is mandatory for our Company to fulfill its legal obligation,

If the Personal Data has been made public by the Personal Data owner,

If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the Personal Data owner,

If Personal Data transfer is mandatory for the legitimate interests of our Company, it may transfer.

2.4.1. Kişisel Verilerin Yurt Dışına Aktarılma Şartları

Our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Owners to third parties abroad by taking necessary security measures in line with the purposes of processing Personal Data. Personal Data may be transferred by our Company to foreign countries declared to have adequate protection by the PDP Board or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission.

2.5. Özel Nitelikli Kişisel Verilerin Aktarılma Şartları

By taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Board; In line with legitimate and lawful Personal Data processing purposes, the Company may transfer the Personal Data Owner’s Sensitive Personal Data to third parties in the following cases.

(i) in case of explicit consent of the Personal Data Owner or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner; Personal Data of Special Nature other than the health and sexual life of the Personal Data Owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law, Personal Data of Special Nature related to the health and sexual life of the Personal Data Owner only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

2.5.1. Özel Nitelikli Kişisel Verilerin Yurt Dışına Aktarılması

By taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Board; In line with legitimate and lawful Personal Data processing purposes, the Company may transfer the Personal Data Owner’s Special Qualified Personal Data to foreign countries where the data controller has adequate protection or undertakes adequate protection in the following cases.

(i) in case of explicit consent of the Personal Data Owner; or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner; Personal Data of Special Nature other than the health and sexual life of the Personal Data Owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law, Personal Data of Special Nature related to the health and sexual life of the Personal Data Owner only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

SECTION THREE – CLASSIFICATION OF PERSONAL DATA, PURPOSES OF PROCESSING AND TRANSFER, PERSONS TO WHOM PERSONAL DATA WILL BE TRANSFERRED

3.1. Kişisel Verilerin Sınıflandırılması

Within the Company; In line with the legitimate and lawful personal data processing purposes of the Company, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law. In line with the legitimate and lawful personal data processing purposes of the Company, based on and limited to one or more of the personal data processing conditions specified in Article 5. In accordance with the legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law and limited to the subjects within the scope of this Policy, the personal data in the following categories are processed by informing the relevant persons in accordance with Article 10 of the Law. In accordance with Article 10 of the Law, the relevant persons are processed by informing them. It is also stated in this section which data subjects the personal data processed in these categories are related to within the scope of this Policy.

PERSONAL DATA CATEGORIZATION PERSONAL DATA CATEGORIZATION DESCRIPTION

Identity Information

Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; containing information about the identity of the person; documents such as driver’s license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother’s name-father’s name, place of birth, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate, etc.

Contact Information

Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

Location Data

Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the Personal Data Owner within the framework of the operations carried out by the business units of the Company, during the use of the products and services of the group companies or while using the Company vehicles by the employees of the institutions with which it cooperates; GPS location, travel data, etc.

Transaction Security Information

Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the activities of the Company.

Family Members and Relatives

Information about the Personal Data Owner’s family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency within the framework of the operations carried out by the Company’s business units, related to the products and services offered by the group companies or in order to protect the legal and other interests of the Company and the Personal Data Owner, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

Physical Space Security Information

Personal data that clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point, etc.

Financial Information

Data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information and personal data processed in relation to information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the Personal Data Owner, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

Audio/Visual Information

Photographs and camera recordings (excluding recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data, which clearly belong to an identified or identifiable natural person.

Personal Information

Any personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; processed to obtain information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with the Company.

Legal Process Knowledge

Data processed within the scope of the Company’s legal obligations for the determination and follow-up of its legal receivables and rights and the performance of its debts.

Sensitive Personal Data

Data clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; data specified in Article 6 of the Law (e.g. health data, including blood group, biometric data, religion and association membership information). (e.g. health data, including blood type, biometric data, religion and membership of associations).

Request/Complaint Management Information

Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data regarding the receipt and evaluation of any request or complaint addressed to the Company.

The types of Personal Data of the Personal Data Subjects specified in Article (1.3.) of Section 1 of the Policy The types of Personal Data of the Personal Data Owners specified in Article (1.3.) of Section 1 of the Policy are specified in the table below:

PERSONAL DATA CATEGORIZATION

DATA SUBJECTS TO WHOM THE RELEVANT PERSONAL DATA RELATES

Identity Information

Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Contact Information

Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties

Location Data

Company Stakeholders, Company Officials, Company Employees

Transaction Security Information

Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Family Members and Relatives

Company Stakeholders, Company Officials, Company Employees, Company Business Partners

Physical Space Security Information

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Financial Information

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Audio/Visual Information

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Personal Information

Company Stakeholders, Company Officials, Company Business Partners

Legal Process Knowledge

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Sensitive Personal Data

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

Request/Complaint Management Information

Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties

3.2. Kişisel Verilerin İşlenme ve Aktarılma Amaçları

Personal Data; in accordance with the law and the purpose of the Law,

Optimal planning and implementation of human resources policies, proper planning, execution and management of commercial partnerships and strategies,

Ensuring the legal, commercial and physical security of itself and its business partners, Ensuring corporate functioning, planning and execution of management and communication activities, Ensuring that Personal Data Owners benefit from its products and services in the best way possible and recommending them by customizing them according to their demands, needs and requests, Ensuring data security at the highest level,

Creation of databases,

Improvement of the services offered on the website and elimination of errors on the website,

Contacting the Personal Data Subjects who submit their requests and complaints to it and ensuring the management of requests and complaints,

Event management,

Management of relations with business partners or suppliers, execution of personnel recruitment processes,

Supporting the personnel recruitment processes of Group Companies and compliance with the relevant legislation,

Planning and execution of audit activities to ensure that the activities of Group Companies are carried out in accordance with the relevant legislation,

Supporting the planning and execution of the fringe benefits and benefits to be provided to senior executives of the Company and Group Companies,

Supporting Group Companies in the realization of corporate and partnership law transactions,

Execution/follow-up of financial reporting and risk management processes,

Execution/follow-up of the Company’s legal affairs, realization of activities to protect its reputation,

Managing investor relations,

Providing information to authorized institutions due to legislation,

Creation and follow-up of visitor records.

limited to the purposes of the Law 5. and 6. It is processed within the scope of the personal data processing conditions specified in Articles 6. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company regarding the relevant processing process.

3.3. Kişisel Verilerin Aktarılacağı Kişiler

Your Personal Data may be transferred to the categories of persons listed below, which are governed by the Policy in accordance with the law and the purpose of the Law, for the following purposes:

Persons to whom data can be transferred

Data Transfer Purpose

Company Partners

While the Company carries out its commercial activities, personal data may be transferred in a limited manner in order to ensure the fulfillment of the purposes of the establishment of the business partnership established for purposes such as carrying out various projects and receiving services personally or together with Group Companies.

Group Companies

It can be transferred limited to ensuring the execution of the Company’s commercial activities that require the participation of companies affiliated to the group to which the Company is affiliated.

Company Stakeholders

In accordance with the provisions of the relevant legislation, it may be transferred limited to the purposes of the activities carried out by the Company within the scope of corporate law, event management and corporate communication processes.

Company Authorities

In accordance with the provisions of the relevant legislation, it may be transferred limited to the purposes of designing strategies regarding the Company’s commercial activities, ensuring the management at the highest level and for audit purposes.

Legally Authorized Public Institutions and Organizations

It may be transferred limited to the purpose requested by the relevant public institutions and organizations within the legal authority.

Legally Authorized Private Law Persons

It may be transferred limited to the purpose requested by the relevant private law persons within its legal authority in accordance with the provisions of the legislation.

SECTION FOUR – METHOD AND LEGAL GROUNDS FOR COLLECTION OF PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA AND STORAGE PERIOD

4.1. Kişisel Veri Toplamanın Yöntemi ve Hukuki Sebebi

Regulating the purpose of the Law Article 1 regulates the scope of the Law 2. For the purpose of auditing compliance with Article 2, Personal Data; in all kinds of verbal, written, electronic media; It is collected through various means such as technical and other methods, call center, Company website, mobile application, in order to fulfill the responsibilities arising from the law within the framework of legislation, contract, request and request-based legal reasons in order to achieve the purposes set out in the Policy, and is processed by the Company or data processors assigned by the Company.

4.2. Kişisel Verilerin Silinmesi, Yok Edilmesi veya Anonim Hâle Getirilmesi

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, the Company deletes, destroys or anonymizes Personal Data ex officio or upon the request of the data owner in the event that the reasons requiring its processing disappear, although it has processed it in accordance with the provisions of this Law and other laws. With the deletion of Personal Data, this data is destroyed in such a way that it cannot be used and recovered in any way again. Accordingly, Personal Data shall be irreversibly deleted from the documents, files, CDs, diskettes, hard disks, etc. in which they are stored. Destruction of Personal Data, on the other hand, refers to the destruction of materials suitable for storing data such as documents, files, CDs, diskettes, hard disks, etc. in which the data is recorded in such a way that the information cannot be recovered and used again. Anonymization of data means making Personal Data impossible to be associated with an identified or identifiable natural person even if it is matched with other data.

4.3. Kişisel Verilerin Saklanma Süresi

The Company stores Personal Data for the period specified in this legislation, if stipulated in the legislation. If a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the Company’s practices and commercial life, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymized. If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end; personal data may be stored only for the purpose of constituting evidence in possible legal disputes or for the assertion or defense of the relevant right related to personal data. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples in the requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

CHAPTER FIVE – ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

The Company, in accordance with Article 12 of the Law In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and conducts or has the necessary audits carried out within this scope.

5.1. Kişisel Verilerin Güvenliğinin Sağlanması

5.1.1. Kişisel Verilerin Hukuka Uygun İşlenmesini Sağlamak için Alınan Teknik ve İdari Tedbirler

The Company takes technical and administrative measures to ensure that Personal Data is processed in accordance with the law, according to technological possibilities and implementation cost.

(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below: Personal Data processing activities carried out within the Company are audited by the technical systems established. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism. Personnel knowledgeable in technical issues are employed.

(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below: Employees are informed and trained on the law on the protection of Personal Data and the processing of Personal Data in accordance with the law. All activities carried out by the Company are analyzed in detail for all business units, and as a result of this analysis, Personal Data processing activities are revealed specific to the activities carried out by the relevant business units. Personal Data processing activities carried out by the business units of the Company; The requirements to be fulfilled in order to ensure that these activities comply with the Personal Data processing conditions required by the Law are determined specifically for each business unit and the detailed activity it carries out. In order to ensure the legal compliance requirements determined on a business unit basis, awareness is raised and implementation rules are determined for the relevant business units; the necessary administrative measures to ensure the supervision of these issues and the continuity of the implementation are implemented through internal policies and trainings. In the contracts and documents governing the legal relationship between the Company and the employees, records that impose the obligation not to process, disclose and use Personal Data, except for the Company’s instructions and exceptions imposed by law, are included in the contracts and documents governing the legal relationship between the Company and the employees, and the obligations arising from the Law are fulfilled by raising employee awareness on this issue and conducting audits.

5.1.2. Kişisel Verilerin Hukuka Aykırı Erişimini Engellemek için Alınan Teknik ve İdari Tedbirler

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and cost of implementation in order to prevent imprudent or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below: Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed. Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis. Access authorizations are limited and authorizations are regularly reviewed. The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and necessary technological solutions are produced. Software and hardware including virus protection systems and firewalls are installed. Personnel knowledgeable in technical issues are employed. Security scans are regularly performed to identify security vulnerabilities in applications where Personal Data is collected. The vulnerabilities found are closed.

(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below: Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data. Personal Data access and authorization processes are designed and implemented within the Company in accordance with the legal compliance requirements for processing Personal Data on a business unit basis. Employees are informed that they cannot disclose the Personal Data they have learned to anyone else in violation of the provisions of the Law and cannot use it for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are obtained from them in this direction. In the contracts concluded by the Company with the persons to whom Personal Data is transferred in accordance with the law; Provisions are added that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.3. Kişisel Verilerin Güvenli Ortamlarda Saklanması

The Company takes the necessary technical and administrative measures according to the technological possibilities and the cost of implementation in order to store Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

(i) Technical Measures Taken to Store Personal Data in Secure Environments The main technical measures taken by the Company to store Personal Data in secure environments are listed below: Systems in accordance with technological developments are used to store Personal Data in secure environments. Personnel specialized in technical issues are employed. Technical security systems are installed for storage areas, security tests and researches are conducted to identify security vulnerabilities on information systems, and existing or potential risk issues identified as a result of the tests and researches are eliminated. The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism. Backup programs are used in accordance with the law to ensure the safe storage of Personal Data. Access to the environments where Personal Data is kept is restricted and only authorized persons are allowed to access this data limited to the purpose of storing personal data, and access to data storage areas where Personal Data is stored is logged and inappropriate access or access attempts are instantly communicated to those concerned.

(ii) Administrative Measures Taken to Store Personal Data in Secure Environments The main administrative measures taken by the Company to store Personal Data in secure environments are listed below: Employees are trained to ensure that Personal Data is stored securely. Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions. In the event that an external service is obtained by the Company due to technical requirements for the storage of Personal Data, the contracts concluded with the relevant companies to which Personal Data is transferred in accordance with the law include provisions stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

5.1.4. Kişisel Verilerin Korunması Konusunda Alınan Tedbirlerin Denetimi

In accordance with Article 12 of the Law In accordance with Article 12 of the Law, the Company conducts or has the necessary audits performed within its own organization. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary actions are taken to improve the measures taken.

5.1.5. Kişisel Verilerin Yetkisiz Bir Şekilde İfşası Durumunda Alınacak Tedbirler

The Company operates a system that ensures that the Personal Data processed in accordance with Article 12 of the Law In the event that Personal Data processed in accordance with Article 12 of the Law is obtained by others illegally, the Company operates a system that ensures that this situation is notified to the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the website of the PDP Board or by another method.

5.2. Kişisel Veri Sahiplerinin Yasal Haklarının Gözetilmesi

The Company observes all legal rights of Personal Data Owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information on the rights of Personal Data Owners is provided in the sixth section of this Policy.

5.3. Özel Nitelikli Kişisel Verilerin Korunması

The Law attributes special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The Company shows maximum sensitivity to the protection of special quality Personal Data, which is determined as “special quality” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Special Categories of Personal Data and necessary audits are provided within the Company in this regard.

CHAPTER SIX – RIGHTS OF THE PERSONAL DATA OWNER, EXERCISE AND EVALUATION OF RIGHTS

6.1. Kişisel Veri Sahibinin Aydınlatılması

The Company informs Personal Data Owners during the acquisition of Personal Data in accordance with Article 10 of the Law. In accordance with Article 10 of the Law, the Company informs Personal Data Owners during the acquisition of Personal Data. In this context, if any, the identity of the Company representative, the purpose for which Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method and legal reason for collecting Personal Data and the rights of the Personal Data Owner.

6.2. Kişisel Veri Sahibi’nin KVK Kanunu Uyarınca Hakları

Pursuant to Article 10 of the Law, the Company informs you of your rights; provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article 11 of the Law, the Company informs the persons whose Personal Data is received; to learn whether Personal Data is processed, to request information if Personal Data has been processed, to learn the purpose of processing Personal Data and whether it is used in accordance with its purpose, to know the third parties to whom Personal Data is transferred domestically or abroad, to request correction of Personal Data in case of incomplete or incorrect processing, to request correction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law. To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law, To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 11 of the Law Article 11 of the Law (d) and (e) to request notification of the transactions made pursuant to subparagraphs (e) to third parties to whom personal data are transferred, to object to the occurrence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems, and to demand the compensation of the damage in case of damage due to unlawful processing of Personal Data.

6.3. Kişisel Veri Sahibi’nin Haklarını İleri Süremeyeceği Haller

Pursuant to Article 28 of the Law As the following cases are excluded from the scope of the Law pursuant to Article 28 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy in the following cases:

Processing of Personal Data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that Personal Data is not disclosed to third parties and the obligations regarding data security are complied with. Processing of Personal Data for purposes such as research, planning and statistics by anonymizing them with official statistics.

Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

Processing of Personal Data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law; In the cases listed below, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy, except for the right to demand compensation for damages:

Processing of Personal Data is necessary for the prevention of crime or criminal investigation. Processing of personal data made public by the Personal Data Owner himself/herself.

Personal Data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.

Personal Data processing is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

6.4. Kişisel Veri Sahibi’nin Haklarını Kullanması

Personal Data Owners will be able to submit their requests regarding their rights listed in Article (6.2.) of this Policy to the Company free of charge by filling out and signing the Application Form, which you can access from the APPLICATION FORM (https://benovip.com/KVKKform.pdf) link, with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the KVK Board:

(i) After the application form is filled in, a wet signed copy of the application form must be delivered to İkitelli OSBM Mahallesi 6. Cadde Beyaz Tower No: 1 Interior Door no: 114 Başakşehir Istanbul address,

(ii) After filling in the application form and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, sending the form with secure electronic signature to the e-mail address [email protected].

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

6.5. Şirket’in Başvurulara Cevap Verme Usulü Ve Süresi

The Company shall finalize the requests in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the PDP Board may be charged. The Company may accept the request or reject it by explaining its reasoning; notifies its response in writing or electronically. If the request in the application is accepted, the Company fulfills the requirements of the request.

6.6. Kişisel Veri Sahibinin KVK Kurulu’na Şikâyette Bulunma Hakkı

In cases where the application is rejected, the response is found insufficient or the application is not responded to in due time; the data subject has the right to file a complaint to the PDP Board within thirty days from the date of learning the response and in any case within sixty days from the date of application.

CHAPTER SEVEN – THE COMPANY’S MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

A Personal Data Committee has been established within the Company in accordance with the decision of the Company’s senior management to manage this Policy and other policies related and related to this Policy. The Personal Data Committee is authorized and tasked with taking the necessary actions for the storage and processing of Personal Data Owners’ data in accordance with the law, this Policy and other policies related and related to this Policy.

CHAPTER EIGHT – UPDATES, HARMONIZATION AND AMENDMENTS

8.1. Güncelleme ve Uyum

The Company reserves the right to make changes in this Policy and other policies related and related to this Policy due to amendments to the Law, in accordance with the decisions of the PDP Board or in line with developments in the sector or in the field of informatics. Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are explained at the end of the Policy.

8.2. Değişiklikler

16/11/2019 : Personal Data Processing and Protection Policy has been published. *there is no older dated amendment*.

CLARIFICATION TEXT ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

As benovip.com (“Company”), we attach importance to the processing and preservation of all kinds of personal data belonging to all persons associated with the Company, including those who benefit from our products and services, in accordance with the Personal Data Protection Law No. 6698 (“KVK Law”). As Data Controller, we process your personal data as explained below and within the limits prescribed by the legislation.

Purposes of Processing and Transferring Personal Data

Personal Data; planning, execution and management of the Company’s human resources policies, commercial partnerships, management and communication activities and strategies in accordance with the law and the purpose of the Law, ensuring that the Personal Data Owners benefit from its products and services in the best way possible and recommending them by customizing them according to their demands, needs and requests, limited to the purposes of ensuring data security at the highest level, improving the services offered on the website and eliminating errors on the website, communicating with Personal Data Owners who submit requests and complaints to it and ensuring request and complaint management, event management, providing information to authorized institutions arising from the legislation, creating and tracking visitor records. 5. and 6. of the Law and processed within the scope of the personal data processing conditions specified in Article 6 of the Law 8. and 9. Within the scope of the personal data transfer conditions specified in Articles 9, personal data is obtained by or shared with, recorded, transferred to electronic systems by the Company’s partners-business partners, successors and/or third parties/organizations to be determined by them, If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company regarding the relevant processing process.

Method and Legal Grounds for Collecting Personal Data

Regulating the purpose of the Law Article 1 regulates the scope of the Law 2. For the purpose of auditing compliance with Article 2, Personal Data; in all kinds of verbal, written, electronic media; It is collected through various means such as technical and other methods, call center, Company website, mobile application, in order to fulfill the responsibilities arising from the law within the framework of legislation, contract, request and request-based legal reasons in order to achieve the purposes set out in the Policy, and is processed by the Company or data processors assigned by the Company.

Rights of the Personal Data Owner Pursuant to the KVK Law

Pursuant to Article 10 of the Law, the Company informs you of your rights; provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article 11 of the Law, the Company informs the persons whose Personal Data is received; to learn whether Personal Data is processed, to request information if Personal Data has been processed, to learn the purpose of processing Personal Data and whether it is used in accordance with its purpose, to know the third parties to whom Personal Data is transferred domestically or abroad, to request correction of Personal Data in case of incomplete or incorrect processing, to request correction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law. To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law Article 11 of the Law (d) and (e) subparagraphs, to request notification of the transactions made pursuant to subparagraphs (e) to third parties to whom personal data are transferred, to object to the occurrence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems, and to request compensation for damages in case of damage due to unlawful processing of Personal Data.

Personal Data Owners will be able to submit their requests regarding their rights to the Company free of charge by filling out and signing the Application Form, which can be accessed from the link below, with the information and documents that will identify their identity and the methods specified below or other methods determined by the PDP Board:

(i) After the application form is filled in, a wet signed copy of the application form must be delivered to İkitelli OSBM Mahallesi 6. Cadde Beyaz Tower No: 1 Interior Door no: 114 Başakşehir Istanbul address,

(ii) After filling out the application form and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, sending the form with secure electronic signature to [email protected] by e-mail.

(iii) Filling in the application form and sending it by e-mail to [email protected] e-mail address by using mobile signature or the e-mail address previously notified to the data controller by the data subject and registered in the system of the data controller.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.