Privacy and Personal Data Protection Policy

Türkiye Gençlik ve Eğitime Hizmet Vakfı (“TÜRGEV” or the “Foundation”), in line with the principles set forth in the Law on the Protection of Personal Data No. 6698 (“Law”), fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security.

This Privacy and Personal Data Protection Policy, prepared in compliance with the Law, is made available to natural persons whose personal data are processed (“data subjects”).

1. Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy sets out in detail TÜRGEV’s:

• Methods and legal grounds for collecting personal data,

• The groups of individuals whose personal data are processed (Data Subject Categorization),

• Categories of personal data processed and sample data types,

• The purposes for which personal data are used,

• Technical and administrative measures taken to ensure the security of personal data,

• The parties to whom personal data may be transferred and the purposes of transfer,

• Retention periods of personal data,

• The rights of data subjects over their personal data and how they may exercise these rights.

a. Methods of Collecting Personal Data and Legal Grounds

TÜRGEV collects personal data in audio, electronic, or written form through printed forms, electronic forms, websites, social media accounts, e-mail, post, CCTV, cookies, fax, notifications from administrative and judicial authorities, and other communication channels, in accordance with the personal data processing conditions specified in the Law and the legal grounds set forth in this Policy.

b. Data Subject Categorization

TÜRGEV categorizes data subjects whose personal data are processed as follows, with the possibility of expansion in line with processes and legal reasons:

• Scholarship Holder

• Scholarship Applicant

• Dormitory Student

• Dormitory Student Applicant

• Employee

• Job Applicant

• Donor

• Visitor

• Online Visitor

• Educator / Business Partner / Supplier

c. Data Categories and Sample Data Types

Other
Student certificate, school records, CCTV, and other information specified in the Student Application and Registration Guide.

2. Dormitory Student and Applicant

• Identity Information: Name-Surname, Gender, Turkish ID Number, Turkish ID details (e.g., ID serial number, family sequence number), Date of Birth, Place of Birth, Marital Status, Passport Information (for foreign nationals), Signature

• Contact Information: Address (home/work), E-mail, Phone / Mobile Phone

• Visual and Audio Information: Photograph

• Special Category Personal Data: Criminal Record, Health Report

• Family Members and Relatives Information: Name-Surname, Residence, Degree of Kinship, Occupation, School, Date of Birth, Mobile Phone, Social Security documents, Financial Information

• Other: Student certificate, school records, CCTV, and other information specified in the Student Application and Registration Guide

3. Donor

• Identity Information: Name-Surname, Gender, Turkish ID Number, Signature

• Contact Information: Address

• Financial Information: Donation amount, receipt details, credit card information

4. Visitor

• Identity Information: Name-Surname, Turkish ID Number, Passport Number (for foreign nationals)

• Contact Information: E-mail, Phone / Mobile Phone

• Legal and Compliance Information: IP address and Log Records

• Other: Vehicle Plate, CCTV

5. Online Visitor

• Transaction Security Information: Password, Member Number, Mobile Phone

• Legal and Compliance Information: IP address and Log Records

6. Business Partner / Supplier

• Identity Information: Name-Surname, Gender, Turkish ID Number, ID details (serial no., family sequence no., etc.), Date of Birth, Place of Birth, Marital Status, Professional IDs

• Contact Information: Address, E-mail, Phone / Mobile Phone

• Financial Information: Bank Account Details, Financial Transaction Data, IBAN Number, Payment Information, Copies of Letters of Guarantee

• CV and Professional Information: Education Status, Military Service Status, Sector Information, Affiliated Organization, Employment Dates, Title, Insurance Information

• Legal and Compliance Information: Signature Circulars, Activity Information, Power of Attorney

• Special Category Personal Data: Criminal Record, Signature, Health Information

• Other: Vehicle Plate, CCTV, Photograph

d. Purposes of Processing Personal Data

Personal data are used by TÜRGEV for the following purposes:

• Carrying out necessary work by relevant units to conduct Foundation activities,

• Planning and/or execution of efficiency/productivity and/or appropriateness analyses of Foundation activities,

• Planning and/or execution of business continuity activities,

• Planning, auditing, and execution of information security processes,

• Monitoring Foundation finance and accounting operations,

• Planning and execution of operational processes,

• Planning and execution of internal and external training activities,

• Managing relationships with business partners and/or suppliers,

• Monitoring requests and/or complaints,

• Following legal affairs and fulfilling legal obligations,

• Ensuring compliance of Foundation activities with Foundation procedures and/or relevant legislation,

• Providing information to authorized institutions as required by law,

• Planning and execution of auditing activities,

• Ensuring the security of campuses and/or facilities,

• Ensuring operational security of the Foundation,

• Ensuring security of campuses, movables, and resources,

• Creating visitor records.

e. Technical and Administrative Measures for Ensuring Data Security

TÜRGEV undertakes to adopt all necessary technical and administrative measures and exercise due diligence to ensure the confidentiality, integrity, and security of personal data. Measures include:

• Antivirus

• Firewall

• Access authorization

• Password management

All PCs and servers have regularly updated antivirus software installed. Data Centers and Disaster Recovery Centers are protected by updated firewalls that also monitor staff internet connections and protect against viruses and threats.

User access is restricted to job requirements, with immediate updates made in cases of changes in duties or authorizations.

Events on servers and firewalls are transferred to an “Information Security Threat and Incident Management” system, which alerts responsible staff and ensures quick response.

Penetration tests are periodically conducted manually by an external supplier, with vulnerabilities fixed and verification tests performed. Automatic penetration testing is also carried out by the system.

Regular ISMS meetings are held, and compliance with standards such as Cobit is audited.

An Education Portal is used to raise awareness among employees regarding information security and reduce human error risks. All employees complete online cybersecurity and information security training.

Other measures include:

• SSL protection of all website data entry areas,

• Pseudonymization for secondary data processing,

• Storing physical personal data in locked cabinets accessible only to authorized personnel,

• Deletion of third-party cookie data upon termination of membership.

In case of a cyberattack or unauthorized access leading to damage or disclosure of personal data, TÜRGEV will immediately notify affected persons and the Personal Data Protection Board.

f. Transfer of Personal Data

TÜRGEV transfers personal data only for the purposes stated in this Policy and in compliance with Articles 8 and 9 of the Law. Transfers are conducted through secure channels. Where possible, pseudonymized data are used. Legal safeguards are ensured through compliance provisions in contracts with third parties.

h. Retention Periods of Personal Data

TÜRGEV retains personal data only for the duration required by law or the purpose of processing, in compliance with its Personal Data Retention and Destruction Policy [insert link]. Examples include:

• Visitor CCTV records: 3 months (security)

• Online visitor logs: 2 years (Law No. 5651)

• Accounting and financial records: 10 years (relevant legislation)

• Supplier data: 10 years after the end of the legal relationship (Commercial and Obligations Law)

j. Rights of Data Subjects

Under Article 11 of the Law, data subjects have the right to:

1. Learn whether personal data are processed,

2. Request information regarding processing,

3. Learn the purpose of processing and whether data are used accordingly,

4. Know third parties to whom data are transferred domestically or abroad,

5. Request correction of incomplete or inaccurate data,

6. Request deletion or destruction of data under Article 7,

7. Request notification of corrections/deletions to third parties,

8. Object to outcomes against them from automated analysis,

9. Claim compensation for damages due to unlawful processing.

These rights may be exercised via the KVKK Application Form available on the TÜRGEV website, or by contacting the official e-mail ([email protected]) and phone line (+90 212 532 1996).

2. Conditions for Deletion, Destruction, and Anonymization of Personal Data

TÜRGEV retains personal data for legally required periods or as long as necessary for the purpose of processing, in accordance with Article 7 and 17 of the Law and Article 138 of the Turkish Penal Code. After these periods expire, data are deleted, destroyed, or anonymized in accordance with the relevant regulation and guidelines.

• Deletion: Making data inaccessible and unusable by any user.

• Destruction: Making data permanently inaccessible, irretrievable, and unusable.

• Anonymization: Making data unrelatable to an identified or identifiable natural person, even if matched with other data.

Details on the methods and safeguards for deletion, destruction, and anonymization are included in the Personal Data Retention and Destruction Policy [insert link]. Periodic destruction is carried out every 6 months.

3. Amendments to the Privacy and Personal Data Protection Policy

TÜRGEV may amend this Privacy and Personal Data Protection Policy at any time. These amendments shall become effective immediately upon the publication of the revised Privacy and Personal Data Protection Policy. In order to ensure that you are informed of such changes, the necessary notifications will be provided to you.