This personal data protection policy (“Policy”) explains the policy of GALATAPORT İSTANBUL LİMAN İŞLETMECİLİĞİ VE YATIRIMLARI A.Ş. (“Galataport and/or Company”) as the data controller on the personal data of natural persons, such as suppliers, visitors, agency employees, agency supervisors, visitors of information offices, and users of www.galataport.com (online visitors), whose personal data it processes.

The policy explains the following:

1. methods of collecting personal data, and legal basis,
2. groups of people whose personal data is processed (Data Subject Categorization),
3. categories of personal data processed (Data Categories), and sample data types,
4. work processes where these data are used, and the purpose of using these data,
5. technical and administrative measures taken to protect personal data,
6. recipients to whom personal data may be disclosed, and the purpose of disclosure, and
7. your rights over your personal data processed by Galataport, and how to exercise these rights.

1- Methods of Collecting Personal Data and Legal Basis

Galataport processes your personal data aurally, electronically or in writing through websites, social media accounts, cookies, notices from administrative and judicial authorities, and other communication channels in accordance with the personal data processing requirements specified in the Article 5 and 6 of the Law on the Protection of Personal Data (“Law”) numbered 6698.

2- Data Subject Categorization

Galataport may process the personal data of suppliers, visitors, agency employees, agency supervisors, visitors of information offices, and online visitors as well as other groups (consultant, trainer) for legal reasons specified in this Policy.

3- Data Categories and Sample Types

i. Online Visitor Data

Legal Transaction Information / Risk Management Information: IP address
Legal Transaction and Compliance Information: The start and end time of the service, the type of the service used, and the amount of data transmitted.

ii. Visitor Data

Personally Identifiable Information: Name, Surname, Republic of Turkey Identification Number, Passport number
Visual Information: Video recording,
Physical Environment Safety Data: Visitor’s Book Records
Legal Transaction Information: Signature

iii. Supplier, Supplier Employees or Supplier Supervisors Data

Personally Identifiable Information: Republic of Turkey Identification Number, Name and Surname
Contact Information: E-mail address, Phone number, REM address, Address, Mobile phone number
Employee’s Personal Information: SSI payroll, OHS document,
Professional Experience Data: Education, certificates, CV,
Financial Information: Account number, Tax office, Taxpayer Identification Number, Tax Certificate, IBAN, Invoice information
Legal Transaction Information: Specimen Signatures, Power of Attorney
Visual Information: Photograph, Camera

iv. Agency Employee or Agency Supervisor data

Personally Identifiable Information: Republic of Turkey Identification Number, Name and Surname
Contact Information: E-mail address, Landline and Mobile Phone Number
Employee’s Personal Information: SSI payroll
Legal Transaction Information: Signature

v. Visitors of Information Offices

Personally Identifiable Information: Name and Surname
Contact Information: E-mail address, Phone number
Visual Information: Video recording

4- Purposes of Using Personal Data

Galataport processes your personal data subject to this Policy for following purposes:

1. To ensure compliance with judicial processes and legislation,
2. To respond to information requests from administrative and judicial authorities,
3. To ensure the security of information and processes,
4. To make necessary arrangements to ensure that the data processed is up-to-date and accurate,
5. To carry out accounting and purchasing processes,
6. To ensure the safety of physical environment safety,
7. To carry out marketing activities,
8. To carry out documentary work for project marketing planning,
9. To carry out contract processes,
10. To ensure service reception,
11. To carry out tender processes with companies,
12. To prepare the reports to be submitted within and outside the company,
13. To ensure the legal and commercial safety of the Company and those who have business relationships with the Company,
14. To determine management strategies,
15. To ensure risk management, and
16. To process online visitor data under the Law on the Regulation of Broadcasts via Internet and Combating with the Crimes Committed Through Such Broadcasts numbered 5651.

Within this scope, Galataport processes the data in question in accordance with the law and in good faith for right, up-to-date, specific, clear and legitimate purposes in relation to, limited to and in proportion to the purposes of processing, provided that such data is stored for the time period specified in the relevant legislation or required for the purpose of processing.

5- Technical and Administrative Measures Taken to Protect Personal Data

Personal Data shall be kept confidential in the database of Galataport in accordance with the Article 12 of the Law and shall not be shared with third parties for commercial purposes.

Galataport takes security measures such as hash, encryption, process log, access management, and physical security measures to ensure protect the personal data that it processes, to prevent illegal access and illegal data processing, and to protect information systems containing personal data against unauthorized access and illegal data processing.

In case personal data is damaged as a result of attacks to the website and system or obtained by third parties even though Galataport has taken necessary information security measures, Galataport shall immediately notify those whose personal data has been damaged and the Personal Data Protection Board.

6- Recipients to Whom Personal Data Processed May Be Disclosed and Purpose of Disclosure

Your personal data may be disclosed to the persons/organizations specified below for the purposes explained in detail under the heading “Your Personal Data Processed, and Purpose of Using Personal Data”:

1. Third parties in Turkey or abroad with which Galataport has contractual relationships,
2. In case the personal data on physical visitors is requested, public institutions and organizations authorized to request data,
3. For personal data on suppliers and the goods, products and services provided, companies and subsidiaries within Doğuş Group as well as relevant public institutions, and
4. All institutions and organizations permitted by the provisions of the legislation.

7- Your rights under the Article 11 of the Law on the Protection of Personal Data numbered 6698:

The rights you have under Article 11 of the Law regarding the personal data you have shared with us within the scope of the purposes and personal data processing methods specified in this Policy are as follows:

1. To learn whether personal data is processed,
2. To request information on the process if personal data is processed,
3. To learn the purpose of processing personal data and whether it is used in accordance with this purpose,
4. To know the third parties to whom personal data is disclosed in Turkey or abroad,
5. To request the correction of personal data in case it is processed incompletely or incorrectly,
6. To request the deletion or destruction of personal data in accordance with the requirements specified in the Article 7,
7. To request the notification of processes carried out in accordance with the paragraphs 7.(v) and 7.(vi) to the third parties to whom personal data is disclosed,
8. To object to any unfavourable consequences resulting from analysis of processed data exclusively through automated systems, and
9. In case of a damage due to the processing of personal data in violation of the Law, to request the compensation of the damage.

In order to exercise these rights, you may take the following actions and submit your requests concerning your personal data with information/documents proving your identity in accordance with the Article 11 of the Law:

1. You may submit a petition to our company address.
2. You may send an electronic mail from your Registered Electronic Mail (galataportistanbul@hs03.kep.tr) address to our Company’s REM address specified on our Company’s website.
3. You may use a secured electronic signature or send an e-mail to “info@galataport.com” from your e-mail address that you have provided and that is registered in our system.

8- Deletion, Destruction or Anonymization of Personal Data

When the purpose of processing is no longer valid according to the Article 7(1) of the Law and when the time period specified in the relevant legislation ends according to the Article 17 of the Law and the Article 138 of the Turkish Criminal Code numbered 5237, we shall anonymize and continue to use your personal data processed for the purposes specified in this Policy. When the retention period specified in the relevant legislation or required for the purpose of processing ends, Galataport shall anonymize the processed personal data by using one or several anonymization techniques that are suitable to work processes and activities and specified in the “Guidelines on the Deletion, Destruction or Anonymization of Personal Data” published by the Personal Data Protection Board and continue to use the data for 6 (six) months provided for periodic destruction.

9- Changes to this Policy

Galataport may make changes to this Policy at any time. These changes come into force when the new “Personal Data Protection Policy” is published at www.galataport.com. All necessary information on the changes to this Policy will be available on the website.