Privacy PolicyPrivacy Policy

Dinamik Yatırım Menkul Değerler

Personal Data Protection and Processing Policy

December 20, 2025

1. Introduction

The protection of personal data is one of the most important priorities of Dinamik Yatırım Menkul Değerler Anonim Şirketi ("Company"), and it strives to act in accordance with all applicable legislation in this regard. The most important pillar of this issue is the Dinamik Yatırım Menkul Değerler Anonim Şirketi Personal Data Protection and Processing Policy ("Policy"). This Policy outlines the principles adopted in the execution of personal data processing activities carried out by our Company and the fundamental principles adopted regarding compliance with the regulations set forth in the Law No. 6698 on the Protection of Personal Data ("Law"). Thus, our Company provides the necessary transparency by informing the data subjects regarding personal data. In this context, your personal data is processed and protected under this policy.

2. Scope

This Policy pertains to all personal data processed by automated or non-automated means, provided that they are part of any data recording system.

Detailed information regarding the data subjects is provided in the annex of this Policy. (ANNEX 2 - Data Subjects)

The activities carried out by our Company regarding the protection of our employees' personal data are managed under the Dinamik Yatırım Menkul Değerler A.Ş. Employee Personal Data Protection and Processing Policy, which is drafted in parallel with the principles in this Policy.

3. Matters Related to the Processing of Personal Data

3.1 Principles of Personal Data Processing

Our Company processes personal data in accordance with the procedures and principles stipulated in the Law and other relevant legislation. Accordingly, our Company processes personal data:

  • In compliance with the law and honesty rules,
  • Accurate and, when necessary, up-to-date,
  • For specific, clear, and legitimate purposes,
  • In a manner that is relevant, limited, and proportionate to the purpose for which they are processed,
  • For the duration required by the relevant legislation or necessary for the purpose for which they are processed.

3.2 Processing of Personal Data

The explicit consent of the data subject is only one of the legal bases that allow the lawful processing of personal data. In the presence of one of the conditions listed below, personal data may be processed by our Company without seeking the explicit consent of the data subject. Besides explicit consent, the basis for personal data processing activities may be one or more of the conditions specified below. If the processed data is classified as Sensitive Personal Data, the conditions specified in section 2.2.2 of this Policy ("Processing of Sensitive Personal Data") will apply.

  • i. Existence of Explicit Consent of the Data Subject: One of the conditions for processing personal data is that it is based on the explicit consent of the data subject. The explicit consent of the data subject must be stated freely and based on being informed about a specific matter.
  • ii. Explicitly Stipulated by Laws: Personal data may be processed in cases explicitly stipulated by laws.
  • iii. Inability to Obtain Consent Due to Physical Impossibility: If a person is unable to express their consent due to physical impossibility or if their consent cannot be deemed valid, personal data may be processed if it is necessary to protect the life or bodily integrity of that person or another person.
  • iv. Directly Related to the Establishment or Performance of a Contract: Personal data may be processed if it is necessary for the establishment or performance of a contract directly related to the parties of the contract.
  • v. Fulfillment of Legal Obligation of the Company: Personal data may be processed if it is necessary for our Company to fulfill its legal obligations as a data controller.
  • vi. Publicly Disclosed Personal Data: If the data subject has made their personal data public, such data may be processed by our Company.
  • vii. Necessity for the Establishment or Protection of a Right: Personal data may be processed if it is necessary for the establishment, use, or protection of a right.
  • viii. Necessity for the Legitimate Interests of the Company: Personal data may be processed for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3 Processing of Sensitive Personal Data

Some personal data is regulated separately as 'Sensitive Personal Data' and is subject to special protection. Due to the risk of causing harm to individuals or exposing them to discrimination if processed unlawfully, special importance is attached to this data. Sensitive Personal Data is processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Personal Data Protection Board ("Board"), under the following conditions:

  • i. If the explicit consent of the data subject is available,
  • ii. Sensitive Personal Data regarding the health and sexual life of the data subject may only be processed without seeking explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and planning and managing health services and financing.

3.4 Purposes of Processing Personal Data

The Personal Data collected by our Company is processed primarily based on one or more of the lawful grounds specified in Articles 5/2 and 6/3 of the Law, in line with legitimate purposes required by our activities and operations. Therefore, our purposes for processing personal data are primarily evaluated according to the lawful grounds regulated in these articles, and only when necessary, the explicit consent of the data subject is sought in accordance with Articles 5/1 and 6/2 of the Law. Detailed information regarding the purposes of processing personal data and Sensitive Personal Data, as specified in this Policy, is provided in the annex of this Policy. (ANNEX 3 - Purposes of Processing Personal Data)

3.5 Categories of Personal Data Processed by Our Company

Our Company processes the personal data of data subjects in accordance with the purposes and conditions specified in this Policy, in compliance with the Law and other relevant legislation. This includes identity, contact, financial, professional experience and education, legal transaction, visual and auditory records, physical security, transaction security, transaction data of customers and suppliers, request and complaint data, marketing data, risk management data, as well as biometric data included in the special categories of personal data and personal data that may be collected and recorded by our Company during interviews or from resumes submitted by job applicants.

Detailed information regarding these categories of personal data is provided in the annex of this Policy. (ANNEX 4 - Categories of Personal Data)

4. Matters Related to the Transfer of Personal Data

Our Company may transfer personal data and Sensitive Personal Data to third parties ("Third Parties") in Turkey and/or abroad, taking necessary security measures in accordance with the lawful purposes of personal data processing. In this regard, our Company acts in compliance with the regulations stipulated in Articles 8 and 9 of the Law.

4.1 Transfer of Personal Data

In the case where the explicit consent of the data subject is available, our Company may transfer personal data to Third Parties in Turkey or abroad in accordance with the purposes of personal data processing, taking all necessary security measures, including methods stipulated by the Board. However, personal data may be transferred to Third Parties without seeking the explicit consent of the data subjects under the following conditions:

  • The relevant activity regarding the transfer of personal data is explicitly stipulated by laws,
  • The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
  • The transfer of personal data is necessary for the Company to fulfill its legal obligations,
  • The transfer of personal data is limited to the purpose of public disclosure made by the data subject,
  • The transfer of personal data is necessary for the establishment, use, or protection of the rights of the Company or the data subject or third parties,
  • The transfer of personal data is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,
  • The transfer of personal data is necessary for the protection of the life or bodily integrity of the data subject or another person, and in this case, the data subject is unable to express their consent due to physical impossibility or legal invalidity.

If personal data is to be transferred abroad, in addition to the existence of any of the above conditions, our Company may transfer personal data to foreign countries that have been declared to have adequate protection by the Board or to foreign countries where the data controllers in the country to which the transfer will be made have provided written commitments regarding adequate protection.

4.2 Transfer of Sensitive Personal Data

In the case where the explicit consent of the data subject is available, our Company may transfer Sensitive Personal Data in accordance with the purposes of data processing and taking all necessary security measures, including methods stipulated by the Board, to third parties in Turkey or abroad. However, personal data may be transferred to Third Parties without seeking the explicit consent of the data subjects under the following conditions:

  • i. Sensitive Personal Data other than health and sexual life may be processed in cases stipulated by laws,
  • ii. Sensitive Personal Data regarding the health and sexual life of the data subject may only be transferred without seeking explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services.

If Sensitive Personal Data is to be transferred abroad, in addition to the existence of any of the above conditions, our Company may transfer Sensitive Personal Data to foreign countries that have adequate protection or to foreign countries where data controllers have provided written commitments regarding adequate protection.

4.3 Categories of Persons to Whom Personal Data is Transferred

Our Company may transfer the personal data of data subjects to the following categories of persons in accordance with Articles 8 and 9 of the Law:

  • i. Public Institutions Authorized by Law
  • ii. Private Institutions Authorized by Law
  • iii. Business Partners
  • iv. Suppliers

Detailed information regarding the third parties to whom personal data is transferred is provided in the annex of this Policy. (ANNEX 5 - Categories of Third Parties to Whom Personal Data is Transferred)

5. Storage and Destruction of Personal Data

In accordance with the obligation to destroy personal data stipulated in the Turkish Penal Code, the Law, and other relevant legislation, personal data processed by our Company in accordance with the Law and other legal provisions will be deleted, destroyed, or anonymized upon the decision made by our Company or upon the request of the data subject when the reasons for processing cease to exist.

6. Ensuring the Security and Confidentiality of Personal Data

Our Company takes all necessary measures to prevent the unlawful disclosure, access, transfer, or other security deficiencies that may occur regarding personal data, depending on the nature of the data to be protected. In this context, all necessary administrative and technical measures are taken by our Company, an audit system is established within our Company, and in the event of unlawful disclosure of personal data, actions are taken in accordance with the measures stipulated in the Law.

6.1 Administrative Measures Taken by Our Company to Ensure the Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

  • The Personal Data processed in our Company has been identified and analyzed based on our business processes and relevant subunits, and a "Personal Data Processing Inventory" has been created.
  • Our Company provides training to its employees regarding the processing and protection of personal data and ensures their awareness.
  • Data in paper format is transferred while maintaining confidentiality by recording it in the document registration book and obtaining signatures within the Company.
  • When personal data is transmitted in written, visual, or auditory environments, the environment and infrastructure used for the data must comply with our Company's information security policies and procedures; all parties using the data and third parties participating in the activities (such as partners, suppliers) are informed about these rules.
  • In cases where personal data is subject to transfer, records are ensured to be added to the contracts made with the parties to whom personal data is transferred, stating that the party to whom the personal data is transferred will fulfill its obligations to ensure data security.
  • The personal data processing activities carried out by our Company are examined in detail, and in this context, the steps to be taken to ensure compliance with the personal data processing conditions stipulated in the Law are identified.
  • Our Company identifies the practices that need to be fulfilled to ensure compliance with the Law and regulates these practices with internal policies, and necessary audits are conducted to ensure the implementation of these policies.
  • Files and folders containing personal data are stored in cabinets, drawers, and/or archives of the relevant unit in a manner that unauthorized persons cannot access; these cabinets and archive rooms are kept locked.
  • In the protection of Sensitive Personal Data, actions are taken in accordance with the administrative measures stipulated in the Law and other relevant legislation.
  • Our Company has an active Data Breach Response Plan. If our employees detect or suspect a risky situation regarding any confidentiality or security breach, they will immediately notify the Chairperson of the Internal Committee for the Protection of Personal Data or the nearest member.

6.2 Technical Measures Taken by Our Company to Ensure the Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

  • Our Company takes technical measures regarding the processing and protection of personal data to the extent permitted by technology, and these measures are updated and improved in parallel with developments.
  • Regular audits are conducted to ensure the implementation of the measures taken.
  • Access rights to personal data processed within our Company are designed in accordance with the job descriptions of relevant employees based on the determined processing purpose.
  • Network security and application security are ensured to establish and provide the security of personal data.
  • Closed system networks (intranet) are used for personal data transfers over the network.
  • Key management is implemented.
  • Security measures are taken regarding the procurement, development, and maintenance of information technology systems.
  • To ensure the security of personal data stored in the cloud, access to the cloud technology used by our Company is provided through usernames, passwords, and two-factor authentication.
  • A permission matrix has been created for employees. Access rights of employees who change positions or leave the job are revoked.
  • Access logs are kept regularly.
  • Corporate policies have been prepared and implemented regarding access, information security, usage, storage, and destruction.
  • Data masking measures are applied when necessary.
  • Current antivirus systems are used.
  • Firewalls are used.
  • Issues regarding personal data security are reported promptly.
  • Monitoring of personal data security is conducted.
  • Necessary security measures are taken regarding the entry and exit of physical environments containing personal data, and the security of these environments against external risks (fire, flood, etc.) is ensured.
  • Personal data is backed up, and the security of the backed-up personal data is also ensured through authorization methods.
  • User account management and access control systems are implemented, and their monitoring is done through Active Directory.
  • Periodic and/or random data security audits are conducted and carried out within the Company.
  • Log records are kept in a manner that does not allow user intervention.
  • Intrusion detection and prevention systems are used.
  • Penetration testing is conducted.
  • Cybersecurity measures have been taken and their implementation is continuously monitored.
  • Encryption is applied.
  • In the protection of Sensitive Personal Data, actions are taken in accordance with the technical measures stipulated in the Law and other relevant legislation.

Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In the event that personal data is unlawfully obtained by unauthorized persons during the personal data processing activities carried out by our Company, the situation will be reported to the Board and the relevant data subjects without delay.

7. Information of Data Subjects

In accordance with Article 10 of the Law, our Company informs the data subjects during the collection of personal data. In this context, information is provided regarding the identity of our Company and its representative, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method of collecting personal data and the legal basis, as well as the rights of the data subjects.

Article 20 of the Constitution of the Republic of Turkey states that everyone has the right to be informed about their personal data. Accordingly, the right to "request information" is also included among the rights of data subjects in Article 11 of the Law. In this context, our Company provides the necessary information upon the request of the data subject in accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the Law. Detailed information regarding the rights of data subjects is provided in section 8.1 of this Policy (Rights of Data Subjects).

8. Rights of the Data Subject and the Use of These Rights

8.1 Rights of the Data Subject

The legal rights that the data subject can exercise regarding personal data are listed below:

  • To learn whether their personal data is being processed,
  • To request information regarding their processed personal data,
  • To learn the purpose of processing their personal data and whether it is used in accordance with that purpose,
  • To learn the third parties to whom their personal data is transferred, both domestically and abroad,
  • To request the correction of their personal data if it is incomplete or incorrectly processed and to request that the operation performed in this context be notified to the third parties to whom their personal data has been transferred,
  • To request the deletion, destruction, or anonymization of their personal data when the reasons for processing cease to exist, even though it has been processed in accordance with the Law and other relevant legal provisions, and to request that the operation performed in this context be notified to the third parties to whom their personal data has been transferred,
  • To object to the emergence of a result against them by analyzing their processed data exclusively through automated systems,
  • To request compensation for damages in case they suffer damage due to the unlawful processing of their personal data.

8.2 Situations Where the Data Subject Cannot Assert Their Rights

In the cases specified in Article 28 of the Law, data subjects will not be able to assert the rights listed in section 8.1 ("Rights of the Data Subject"). This is because these situations are excluded from the scope of data protection specified in the Law.

The situations listed in the mentioned article are as follows:

  • Processing of personal data for research, planning, and statistics purposes by anonymizing it with official statistics,
  • Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights,
  • Processing of personal data by public institutions and organizations authorized by law for preventive, protective, and intelligence activities conducted to ensure national defense, national security, public safety, public order, or economic security,
  • Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or execution processes.

According to the second paragraph of Article 28 of the Law, in the situations listed below, data subjects cannot assert their other rights listed in section 8.1 ("Rights of the Data Subject") except for the right to request compensation for damages:

  • Processing of personal data is necessary for the prevention of a crime or for the investigation of a crime,
  • Processing of personal data that has been publicly disclosed by the data subject,
  • Processing of personal data is necessary for the execution of monitoring or regulatory duties by public institutions and organizations authorized by law based on the authority granted by the law, or for disciplinary investigations or prosecutions.
  • Processing of personal data is necessary for the protection of the state's economic and financial interests regarding budget, tax, and financial matters.

8.3 Exercising the Rights of Data Subjects

Data subjects can submit their requests regarding their rights listed in section 7.1 ("Rights of the Data Subject") to our Company in writing or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified by the data subject to our Company and registered in our system.

In their applications, data subjects must provide their name, surname, and (if the application is written) signature, Turkish ID number; for foreigners, nationality, passport number, or if available, ID number; address for notification; if available, electronic mail address, phone number, and the subject of the request.

It is possible for a third party to submit an application on behalf of the data subject only if the third party has been authorized by the data subject with a special power of attorney regarding this matter.

8.4 Our Company's Response to Applications

Our Company takes all necessary administrative and technical measures to conclude applications made by data subjects effectively, lawfully, and in accordance with the principle of honesty. Our Company may accept or reject the applications made by the data subjects, providing justification for the rejection; the response may be communicated in writing or electronically.

If the data subject submits their request regarding the rights listed in section 7.1 ("Exercising the Rights of Data Subjects") in accordance with the mentioned procedures, our Company will conclude the request free of charge as soon as possible and within a maximum of 30 (thirty) days. However, if the transaction requires an additional cost, a fee may be charged. If our Company provides a written response, no fee will be charged for up to ten pages; for each page exceeding ten pages, a processing fee of one (1) Turkish Lira may be charged as specified in the Law and relevant legislation.

9. Management Structure for the Protection and Processing of Personal Data

A "Personal Data Protection Committee" has been established within the Company to manage this Policy and other related policies as per the decision of the Company's top management. The duties of this committee are as follows:

  • To prepare and submit for approval by the top management the fundamental policies regarding the protection and processing of personal data,
  • To decide how the implementation and monitoring of the policies regarding the protection and processing of personal data will be carried out and to submit for approval by the top management for internal assignments and coordination,
  • To identify the necessary actions to ensure compliance with the Law and other relevant legislation, submit them for approval by the top management, monitor their implementation, and ensure coordination,
  • To raise awareness regarding the protection and processing of personal data within the Company and among institutions with which the Company collaborates,
  • To identify risks that may arise in the Company's personal data processing activities, ensure that necessary measures are taken, and submit improvement proposals for approval by the top management,
  • To design and ensure the implementation of training programs regarding the protection and processing of personal data,
  • To make the final decisions regarding the applications of data subjects,
  • To coordinate the implementation of information and training activities to ensure that data subjects are informed about personal data processing activities and their legal rights,
  • To prepare and submit for approval by the top management any changes to the fundamental policies regarding the protection of personal data,
  • To follow developments and regulations regarding the protection of personal data and provide recommendations to the top management regarding necessary actions to be taken within the Company in accordance with these developments and regulations,
  • To coordinate relations with the Board and the Personal Data Protection Authority,
  • To carry out other duties assigned by the top management regarding the protection of personal data.

ANNEX 1 - Definitions

  • Explicit Consent: Consent that is informed and expressed freely regarding a specific matter.
  • Data Subject: The real person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person (e.g., name-surname, TCKN, email, address, date of birth, credit card number). Therefore, the processing of information related to legal entities is not covered by the Law.
  • Sensitive Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
  • Processing of Personal Data: Any operation performed on personal data, whether by automated means or not, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use.
  • Data Processor: A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
  • Data Controller: A real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
  • KEP Address: An electronic address that provides legal evidence regarding the use of electronic communications, including sending and delivery.
  • Mobile Signature: An electronic signature created using a mobile device.
  • Secure Electronic Signature: An electronic signature created using a secure electronic signature creation tool that is solely under the control of the signatory, based on a qualified electronic certificate, which allows the identification of the signatory and detects any subsequent changes made to the signed electronic data.

ANNEX 2 - Categories of Data Subjects

  • Job Candidate: Real persons who have applied for a job with our Company in any way or have opened their resumes and relevant information for our Company's review.
  • Corporate Customer Representative/Employee/Shareholder: Real persons who are employees and/or shareholders and/or representatives of institutions and organizations that use or have used the products and services offered by our Company.
  • Corporate Customer Candidate Representative/Employee/Shareholder: Real persons who are employees and/or shareholders and/or representatives of institutions and organizations with whom discussions are held to benefit from the products and services offered by our Company.
  • Individual Customer: Real persons (individuals) who use or have used the products and services offered by our Company.
  • Individual Candidate: Real persons (individuals) who are discussed to use the products and services offered by our Company.
  • Supplier: Real persons with whom our Company has a commercial relationship and who provide products/services to our Company.
  • Supplier Representative/Employee/Shareholder: Real persons who are employees and/or representatives and/or shareholders of public and private institutions and organizations with whom our Company has a commercial relationship and who provide products/services to our Company.
  • Visitor: Real persons (individuals) who have come to our Company's physical premises for various purposes, who connect to our wireless internet network, or who visit our website www.dinamikyatirim.com.tr.
  • Business Partner Representative/Employee/Shareholder: Real persons who are employees and/or shareholders and/or representatives of public and private institutions and organizations with whom our Company has a commercial relationship and with whom our Company maintains necessary relations within the framework of applicable legislation.
  • Third Parties: Third real persons (individuals) whose data is processed in any way due to their relationship with our Company.

ANNEX 3 - Purposes of Processing Personal Data

  • Conducting information security processes
  • Conducting employee candidate selection and placement processes
  • Conducting application processes
  • Conducting audit/ethical activities
  • Managing access rights
  • Conducting activities in accordance with the legislation
  • Conducting finance and accounting operations
  • Ensuring physical security
  • Monitoring and conducting legal affairs
  • Conducting internal audit/investigation/intelligence activities
  • Conducting communication activities
  • Conducting business activities/audits
  • Conducting occupational health and safety activities
  • Ensuring business continuity
  • Procurement processes for goods/services
  • Post-sale support for goods/services
  • Sales processes for goods/services
  • Production and operation processes for goods/services
  • Customer relationship management
  • Activities aimed at customer satisfaction
  • Advertising/campaign/promotion processes
  • Risk management processes
  • Storage and archiving activities
  • Contract processes
  • Tracking requests/complaints
  • Marketing processes for products/services
  • Ensuring operational security of the data controller
  • Providing information to authorized persons/institutions/organizations
  • Management activities
  • Creating and tracking visitor records.

ANNEX 4 - Categories of Personal Data

  • Identity Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as name-surname, date and place of birth, Turkish ID number, maiden name, nationality, professional registration number, signature, signature declaration, driver's license, identity card, and marriage certificate photocopies.
  • Contact Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as phone number, address, email, fax, and similar contact information.
  • Financial Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as bank and account information, monthly income information, customer transaction amounts, products involved in transactions, transaction frequency and volume, and similar financial information.
  • Professional Experience Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as the institution where the person worked, duration of employment, sector, title, and personal data related to job and education level.
  • Legal Transaction Information: All personal data related to the determination, tracking, and execution of our legal claims and obligations, such as deductions made by legal and administrative authorities, transaction records, information contained in notifications received from official, administrative, and judicial authorities, and information regarding enforcement files or lawsuits, processed partially or fully automatically or as part of a data recording system.
  • Visual/Auditory Records: All data that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as photographs, audio recordings, etc.
  • Risk Management Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as information regarding the purpose and nature of the relationship assigned to our Company, suspicious transactions, measures, the amount of yield due, whether there is a transaction ban, collateral shares, position information, etc.
  • Marketing Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as information regarding campaigns and commercial electronic communication permissions used to customize the marketing of our products and services according to the usage habits, preferences, and needs of the relevant person, and reports and evaluations created as a result of this processing.
  • Customer Transaction Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as customer number, request-complaint-suggestion information, transaction amount, collateral, portfolio information, etc.
  • Family Members and Relatives Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as reference person information.
  • Transaction Security Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as customer user account and system and application user account information, log records and transaction status, internet access log records, IP address monitoring and records, login/logout dates, visited site information, cookies, and pixel tags for IP address records.
  • Physical Space Security: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as records and documents taken during entry to the physical space and during the stay within the physical space.
  • Location Information: All information that is clearly related to an identified or identifiable natural person, processed partially or fully automatically or as part of a data recording system, such as location data.

ANNEX 5 - Categories of Third Parties to Whom Personal Data is Transferred

  • Business/Solution Partners: Parties with whom our Company collaborates in conducting its commercial activities and companies with which our Company conducts joint activities due to shareholder partnerships.
  • Suppliers: Parties that provide the products/services needed by our Company based on contracts while conducting its commercial activities.
  • Public and Private Institutions/Organizations Authorized by Law: Official and administrative institutions established according to relevant legislation, such as the Capital Markets Board, Turkey Capital Markets Association, Central Registry Agency, Borsa Istanbul A.Ş., Istanbul Settlement and Custody Bank A.Ş., Financial Crimes Investigation Board (MASAK), Ministry of Finance, Ministry of Trade, Ministry of Labor and Social Security, Turkey Employment Agency (İş-Kur), Information Technologies and Communications Authority, and similar public institutions and organizations.
  • Real Persons and Private Law Legal Entities: Other real persons and private enterprises, institutions, and organizations not defined within the scope of this Policy.