1. Introduction

The Turkish Constitution, with its many provisions, has ensured the protection of individuals' fundamental rights and introduced new safeguards over time. With the amendment to the Constitution in 2010 through Law No. 5982, a paragraph was added to Article 20 of the Constitution, providing constitutional protection to personal data under the "right to privacy and protection of personal data." According to the mentioned paragraph: "Everyone has the right to demand the protection of their personal data. This right includes being informed about personal data, accessing these data, requesting their correction or deletion, and learning whether they are used for their intended purposes. Personal data can only be processed in cases prescribed by law or with the explicit consent of the individual. The principles and procedures for the protection of personal data are regulated by law."

• Everyone has the right to demand the protection of their personal data.
• In this context, individuals primarily have the right to take necessary measures to prevent their personal data from falling into the hands of irrelevant third parties.
• This right includes being informed about personal data, accessing these data, requesting their correction or deletion, and learning whether they are used for their intended purposes. Individuals have the right to know for what purpose and which personal data of theirs is being used, and if there is any inaccuracy in this data, they also have the right to request correction or deletion.
• Personal data can only be processed in cases prescribed by law or with the explicit consent of the individual. Processing personal data is not possible in the absence of a legal regulation or explicit declaration of intent by the individual for the processing of their personal data.

2. Purpose and Scope

Within Polaris Human Resources, all necessary administrative and technical measures will be taken for the processing and protection of personal data, employees and partners will be informed about GDPR processes, and an appropriate and effective audit mechanism will be established.

3. Definitions

• 3.1. Explicit consent: Consent based on information on a specific subject and declared with free will.
• 3.2. Anonymization: Making personal data unidentifiable or non-associable with a real person by matching it with other data.
• 3.3. Data subject: The real person whose personal data is processed.
• 3.4. Personal data: Any information related to an identified or identifiable real person.
• 3.5. Processing of personal data: Any operation performed on the data, including obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making obtainable, classifying, or preventing the use of data, either completely or partially, through automated or non-automated means, as part of any data recording system.
• 3.6. Data processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by them.
• 3.7. Data recording system: The record system where personal data is structured based on specific criteria.
• 3.8. Data controller: The real or legal person who determines the purposes and means of processing personal data, establishes and manages the data recording system.
• 4. Our Principles of Processing Personal Data Our company processes personal data in compliance with GDPR and relevant legislation. The fundamental principles and principles we adopt in processing your personal data according to Article 4 of the GDPR are as follows: • Processing in accordance with the law and honesty rule • Ensuring that personal data is accurate and up-to-date when necessary • Processing for specific, clear, and legitimate purposes • Keeping personal data for the period required for the purposes for which they are processed, as stipulated by the relevant legislation or required for the purpose they are processed •

5. Conditions for Processing Personal Data

Article 5 of the GDPR regulates the conditions for processing personal data. The processes for processing personal data by our company are carried out in compliance with the conditions specified by the GDPR, even if explicit consent of the relevant individuals is not obtained. In cases where the processing of personal data is compulsory due to legal provisions or other criteria, data processing activities will be considered legal with the fulfillment of other necessary conditions.

• a) Clearly stated in the laws.
• b) It is mandatory for the protection of life or bodily integrity of the person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid.
• c) It is necessary to process personal data of the parties to the contract, directly related to the establishment or performance of a contract.
• ç) It is mandatory for the data controller to fulfill its legal obligation.
• d) It has been made public by the data subject himself/herself.
• e) Processing is mandatory for the establishment, exercise, or protection of a right.
• f) It is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

6. Conditions for Processing Sensitive Personal Data Special provisions for processing sensitive personal data are regulated by the GDPR. In accordance with the provisions of this article, data such as ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data, are considered as sensitive personal data, and processing these data without the explicit consent of the data subject is prohibited. Our company meticulously identifies and classifies personal data falling under this category.

7. Transfer of Personal Data

• 7.1. Transfer of Personal Data within the Country Personal data cannot be transferred to third parties within the country without the explicit consent of the data subject. Various conditions must be met for the transfer of personal data to third parties. The main rule is the explicit consent of the data subject, but in cases where there is no clear consent of the data subject for the transfer of personal data within the country, the transfer of personal data to third parties is possible under the conditions regulated by Article 5, paragraph 2 of the GDPR.
• 7.2. Transfer of Personal Data Abroad According to Article 9 of the GDPR, personal data cannot be transferred abroad without the explicit consent of the data subject. Therefore, the basic principle applied by our company for the transfer of personal data abroad is to obtain the explicit consent of the data subject. In cases where there is no explicit consent of the data subject for the transfer of personal data abroad, the transfer of personal data to third parties abroad is possible under the conditions regulated by Article 5, paragraph 2 of the GDPR. In addition, for the transfer of personal data abroad according to Article 9 of the GDPR, it is necessary to consider the list of secure countries published by the Personal Data Protection Board and ensure that there is sufficient protection in the country where the data will be transferred.

8. Deletion of Personal Data Destruction or Anonymization of Personal Data Article 7 of the Personal Data Protection Law No. 6698 states: "Although it has been processed in accordance with this Law and other relevant laws, personal data are deleted, destroyed, or anonymized by the data controller upon the elimination of the reasons requiring processing, either ex officio or upon the request of the data subject." Accordingly; deletion, destruction, or anonymization of personal data is carried out by our company based on the situations of personal data processing determined by the company's personal data processing inventory.

• 8.1. Methods for Deleting Personal Data
•  8.1.2. Personal Data in Paper Format Personal data in paper format is deleted using the redaction method. The redaction process involves cutting the personal data to be redacted, or if that is not possible, making the relevant data invisible to users by using permanent ink so that it cannot be read with technological solutions.
• 8.1.3. Office Files on Central Server The file is deleted with the delete command in the operating system or by removing the access rights of the relevant user on the directory where the file or files are located.
• 8.1.4. Personal Data on Flash-Based Media Personal data on flash-based storage media is deleted using appropriate software for these media.
•  8.2. Methods of Destroying Personal Data
•  8.2.1. Demagnetization The data in magnetic media is made unreadable and corrupted by using the demagnetization method. This process is used to destroy personal data stored by the company on magnetic media.
• 8.2.2. Paper Formats Personal data in paper format is shredded into small pieces, horizontally or vertically, making it incomprehensible, non-reversible, and unrecognizable.

9. Rights of the Data Subject

According to Article 11 of the Law, everyone has the right to apply to the data controller and request information about their personal data, request information if their personal data has been processed, learn the purpose of processing and whether personal data are used for their intended purposes, know the third parties to whom personal data are transferred within or outside the country, request correction of personal data if it is incomplete or incorrectly processed, request the deletion or destruction of personal data within the framework of the rights of the data subject specified in Articles 11 and 12, request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 to third parties to whom personal data are transferred.

• a) Learning whether personal data is processed or not,
• b) If personal data has been processed, requesting information regarding this,
• c) Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
• ç) Knowing the third parties to whom personal data are transferred domestically or abroad,
• d) Requesting correction of personal data if it is incomplete or incorrectly processed,
• e) In cases where the reasons requiring the processing of personal data are eliminated, although it has been processed in accordance with the Law and other relevant laws, requesting the deletion, destruction, or anonymization of personal data by the data controller,
• f) (d) and (e) objects, processed data, or (d) and (e) notification of the transactions made pursuant to the articles of this Law to third parties to whom personal data are transferred.
• g) Objecting to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• ğ) In case of suffering damage due to the unlawful processing of personal data, demanding the compensation of the damage, have these rights.