data-protection-hweo-mobile.jpg

Data Protection

DATA PROTECTION POLICY

1. PURPOSE and SCOPE

The protection and privacy of personal data has been adopted as a corporate culture for MAVI GOK HAVACILIK ANONIM SIRKETI (hereinafter 'MGA' or 'Company'). The Company takes utmost care and endeavours within the scope of its activities to process and protect the personal data of natural persons in accordance with the legal norms in force and universal legal principles. Acting in the capacity of data protection officer, the Company processes and protects personal data within the scope of this Policy on Processing and Protection of Special Categories of Personal Data ('Policy').

This Policy on the Protection of Personal Data relates to the personal data of persons other than our employees, which our Company, as the Data Protection Officer, processes in whole or in part by automatic or non-automatic means, provided that it is part of any data recording system. It shows how the principles and guidelines stipulated by the relevant legislation are applied in the Company's processes for the protection of personal data. This Policy describes the Company's general policy and processes regarding the processing and protection of personal data. In this context, the obligation provide information to data subjects under Article 10 of the Personal Data Protection Law is fulfilled with the relevant clarification texts to be presented to the data subjects on a concrete process basis.

The applicable legislation in this field, secondary regulations and universal legal principles shall apply in the protection and processing of personal data in accordance with the law. In the event of a conflict between our Policy on the Protection of Personal Data and the relevant regulations in force, the regulations in force shall prevail.

We may make updates to this Policy as necessary, so make sure you have access to our current Policy at the time you use our services.

2. DEFINITIONS

ABBREVIATIONS

DEFINITIONS

‘Explicit Consent

Refers to freely given, specific and informed consent.

“Obligation to Provide Information”

Refers to the Company's obligation to provide information to the Data Subjects during the collection of personal data via the Data Protection Officer or persons authorised by him/her within the scope of Article 10 of the Law on the Protection of Personal Data and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Provide Information.

“Relevant Person”, “Data Subject”

Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

“Destruction”

Refers to the deletion, destruction or anonymization of personal data.

“Personal Data”

Refers to any information relating to an identified or identifiable natural person.

“Anonymization of Personal Data”

Refers to rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

“Processing of Personal Data”

Refers to any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

“Erasure of Personal Data”

Refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users.

“Destruction of Personal Data”

Refers to the process of making personal data inaccessible, irreversible and non-reusable by anyone in any way.

“Board”

Personal Data Protection Board

“Authority”

Personal Data Protection Authority

“Law”, “Law on Protection of Personal Data”

Refers to the Law No. 6698 on the Protection of Personal Data

“Policy on Protection of Personal Data”

Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Special Category of Personal Data”

Refer to personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.

“Company”

Refers to MAVI GOK HAVACILIK ANONIM SIRKETI

“VERBIS”, “Registry”

Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

“Data Processor”

Refers to the natural or legal person who processes personal data on behalf of the data protection officer upon its authorization.

“Data Protection Officer”

Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

3. GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The Company adheres to the 'General Principles' listed in Article 4 of the Law on the Protection of Personal Data, which must be complied with when processing personal data:

3.1. Processing in accordance with the Law and Good Faith

The Company manages personal data processing processes in accordance with legal norms and universal legal principles and rules of honesty, informs the relevant persons as necessary to ensure the transparency of the processes, and takes into account the interests and reasonable expectations of the relevant person in such processes. In this context, the company prevents the consequences of the data processing activity that the data subject does not expect and does not need to expect.

3.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

As a rule, personal data are processed upon the declaration of the data subjects and in the manner in which they are declared and declared personal data are deemed to be accurate. The Company takes reasonable care and attention to ensure that the personal data within its legal entity are kept accurate and up-to-date and do not contain false information. In the event that the changes in the processed personal data are notified to the Company by the relevant person, it ensures that the necessary administrative and technical mechanism is established to update the personal data in the relevant database.

3.3. Processing for Specified, Explicit and Legitimate Purposes

The Company sets out its legitimate and lawful data processing purposes in a specific and clear manner prior to the commencement of personal data processing and processes personal data in connection with and to the extent necessary for the Company's products and services.

3.4. Being Relevant, Limited and Proportionate to the Processing Purposes

Personal data are processed in a limited and proportionate manner in connection with the purposes determined by the Company and explained to the data subject. The Company takes care to ensure that a reasonable balance is established between the data processing activity and the purpose to be achieved and that the processing is to the extent necessary to achieve the purpose.

3.5. Retention for the Period laid down by Relevant Legislation or the Period required for the Purpose of Rrocessing

The Company retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, it deletes, destroys or anonymizes personal data when the period stipulated by the legislation has expired or when all of the purposes of processing have disappeared. As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the storage of personal data in the Personal Data Storage and Destruction Policy and is aware that it is obliged to ensure that personal data is kept in accordance with these principles.

Such principles shall apply regardless of whether the Company processes personal data based on explicit consent or in accordance with other data processing conditions. At this point, the Company processes personal data in accordance with the data processing conditions and general principles and fulfils its obligation to inform the data subjects.

4. INFORMATION ON THE PROCESSING OF PERSONAL DATA

The Company may regulate and update the categories of personal data to be processed, the groups of persons whose data are processed, the purposes of processing personal data, the legal conditions underlying the processing of personal data, the collection channels of personal data, the recipient groups to which they are transferred, the retention periods and destruction processes for expired personal data, and the security measures taken to ensure the security of personal data in all these processes. All this information is publicly published in the VERBIS (verbis.kvkk.gov.tr) registry information system on the website of the Authority and updated on the relevant platform.

4.1. CATEGORIES OF PERSONAL DATA

In order to ensure compliance with legal regulations and to manage personal data processing and protection processes properly, the Company has categorized the personal data to be processed.

All categories of personal data are basically organized under two main categories as 'Personal Data' and 'Special Categories of Personal Data'.

All categories and definitions of personal data processed within our Company are as follows:

CATEGORY OF PERSONAL DATA

DEFINITION

Identity Data

Name and surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, serial number of identity card, T.R. ID No., signature, etc.

Contact Data

Address, e-mail address, contact address, registered electronic mail address (REM), telephone no., etc.

Location Data

Person's current location

Personnel Data

Payroll data, disciplinary proceedings, employment records, property declaration, CV data, performance evaluation reports, etc.

Data on Legal Processes

Information in correspondence with judicial authorities, information in the court file, etc.

Data on Customer Transactions

Call centre records, invoices, bills, checks, information on the payment counter receipts, order information, request information, etc.

Physical Space Security

Entry and exit registration of employees and visitors, such as camera recordings, etc.

Data on Process Security

IP address, website login and logout records, passwords, etc.

Risk Management

Information processed for the management of commercial, technical, administrative risks, etc.

Financial Data

Bank, IBAN, balance sheet details, financial performance details, credit and risk details, asset details, etc.

Data on Professional Experience

Diploma details, attended courses, vocational trainings, certificates, transcripts, etc.

Marketing

Shopping history, surveys, cookie records, information obtained through campaign work

Audio and Visual Recordings

Photographs, videos, audiovisual recordings, etc.

SPECIAL CATEGORIES OF PERSONAL DATA

DEFINITION

Criminal Conviction and Security Measures

Information on criminal convictions, security measures, etc.

Race and Ethnicity

Information on race, ethnicity, etc.

Philosophical Belief, Religion, Sect and Other Beliefs

Information on religious affiliation, philosophical beliefs, sectarian affiliation, other beliefs, etc.

Health Data

Disability status, blood type, personal health status, used devices and prostheses, etc.

4.2. GROUPS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED

The relevant groups of persons whose personal data are processed by our Company and their definitions are publicly disclosed and published at VERBIS (verbis.kvkk.gov.tr) on the website of the Authority.

4.3. PURPOSES FOR PROCESSING PERSONAL DATA

The Company processes personal data in accordance with the aforementioned 'General Principles for the Processing of Personal Data' set out in Article 4 of the Law and based on and limited to at least one of the personal data processing conditions set out in Articles 5 and 6 of the Law. In accordance with Article 10 of the Law and secondary legislation, the Company informs the relevant groups of persons separately about the categories and purposes of data processing in the relevant clarification texts. The Company's purposes for processing personal data have been declared in the Data Protection Officers' Information System (VERBIS) and are kept open to public access in the system (link:verbis.kvkk.gov.tr)

4.4. CONDITIONS FOR PROCESSING PERSONAL DATA

The Company processes personal data with the explicit consent of the data subject or in the presence of one or more of the other data processing conditions in accordance with these conditions or conditions. In the event that the processed personal data is special categories of personal data, the conditions specified in the heading 'Processing of Special Categories of Personal Data' of this Policy shall apply.

  • Presence of Explicit Consent of the Data Subject

This data processing condition is met in the event that the data subject provides specific, informed and freely given explicit consent. The explicit consent obtained from the data subject is provably maintained by the Company for the required period of time within the scope of the Personal Data Protection legislation. In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.

  • In Cases Where Data Processing is explicitly Stipulated in Laws

In the event that there is a clear provision in the relevant law regarding the processing of that personal data, this data processing condition is met. For example, personal data are processed for the purposes of fulfilling legal obligations under the provisions of the Law on the Protection of Personal Data, Turkish Civil Aviation Law, Consumer Protection Law, Turkish Code of Obligations, Turkish Commercial Code, Tax Procedure Law and other relevant legislation.

Failure to Obtain the Explicit Consent of the Data Subject Due to Physical Impossibility

In the event that it is mandatory to process the personal data of a data subject who is unable to disclose his/her consent due to physical impossibility or whose consent is not legally valid, for the protection of his/her or someone else's life or physical integrity, the personal data of the data subject shall be processed based on this data processing condition.

  • In Cases Where Data Processing is Directly Related to the Establishment or Performance of a Contract

Processing on the basis of this data processing condition shall occur in the event that the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the data subject is a party.

  • In cases where data processing is mandatory for the Data Protection Officer to fulfil its legal obligations

In the event that the processing of personal data is mandatory for our Company to fulfil its legal obligations arising from legislation or contract, the data may be processed based on this data processing condition.

  • In cases where the Personal Data has been made public by the Data Subject himself/herself

Personal data made public by the data subject himself/herself shall only be processed limited to the scope of those made public.

  • Where Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right

In the event that data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject shall be processed based on this data processing condition.

  • In cases where Data Processing is Mandatory for the Legitimate Interests of the Data Protection Officer

In the event that data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject, processing shall be carried out based on this data processing condition.

4.5. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

The Company shall process special categories of personal data in compliance with the additional measures announced by the Personal Data Protection Board and by taking all necessary administrative and technical measures and in the presence of one of the following data processing conditions:

  • Explicit consent of the data subject.

  • In the event that processing of special categories of personal data other than health and sexual life is stipulated by law.

  • Processing of data on health and sexual life by persons under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

The Company has issued and published the 'POLICY ON PROCESSING AND PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA' regarding the processing of special categories of personal data separately and in detail.

 

4.6. COLLECTION CHANNELS FOR PERSONAL DATA

The Company obtains personal data from physical and electronic media in accordance with the legal regulations and the purposes set out in this Policy and based on the processing conditions. Such environments and the channels through which personal data are obtained are as follows:

PHYSICAL COLLECTION OF DATA

ELECTRONIC COLLECTION OF DATA

Physical Posts

E-Mail

Printed Forms

Website

 

Software and Applications

 

IT Devices

 

Corporate Social Media Accounts

 

Communication Platform

These channels may vary depending on the development and change of business processes and technological developments. In accordance with the principle of transparency, such changes shall be presented through updates to be made in the Policy.

4.7. TRANSFER OF PERSONAL DATA

The Company may transfer personal data and special categories of personal data to third parties in accordance with the regulations stipulated in Articles 8 and 9 of the Law, based on lawful purposes of processing personal data and by taking all necessary administrative and technical measures.

4.7.1 Domestic Transfer

The Company acts in accordance with the law in the transfer of personal data. It shares personal data with third parties to whom personal data are transferred only to the extent required by the service. It instructs the 'Transfer Recipient' groups, which are 'data processors', appropriately regarding data security through data transfer agreements.

RECIPIENT GROUPS

PURPOSE OF TRANSFER

Authorized Public Institutions and Organizations

Personal data are transferred to such organizations in order to fulfil our legal obligations.

Natural persons or private legal entities

Personal data are transferred to them for the purposes of following and conducting legal affairs, obtaining consultancy services, and carrying out activities in accordance with the legislation.

Group / Group Companies

Personal data are transferred to them for the purpose of carrying out accounting transactions, making necessary controls, receiving support services and providing information in this context.

Business Partners

Personal data are transferred to them for the purpose of executing the Contract processes, meeting and monitoring requests and complaints, and ensuring customer satisfaction.

Agencies

Personal data are transferred to them for the purpose of conducting customer relationship management processes, conducting sales processes of products and services, and conducting contract processes.

Suppliers (Product / Service Providers)

Personal data are transferred to them for the purpose of supplying goods/ services, ensuring business continuity and the establishment and performance of the contract.

Independent Audit Company

Personal data are transferred to them for the purpose of conducting business activities and ensuring audits.

Bank

Personal data is transferred to them for the purpose of carrying out finance and accounting processes.

Joint Health and Safety Unit

Personal data are transferred to them for the purpose of carrying out Occupational Health / Safety activities in accordance with the legislation.

Customer / Natural Person Purchasing Goods or Services

Personal data are transferred to them for the purpose of conducting communication activities, conducting customer relationship management processes, conducting sales processes of goods and services, and conducting contract processes.

Insurance Companies

Personal data are transferred to them for the purpose of realization of Insurance transactions.

4.7.2 Overseas Transfer

The Company may transfer personal data abroad only in accordance with the regulations stipulated in Article 9 of the Law on the Protection of Personal Data and by taking the necessary administrative and technical measures. This transfer is only possible if one of the following conditions is met:

  • To foreign countries that have been declared by the Authority that they have adequate protection or

  • Without seeking the explicit consent of the data subject in the absence of adequate protection, provided that the data protection officers in Türkiye and the relevant foreign country undertake an adequate protection in writing and subject to the permission of the Board,

  • In the event that either of two conditions is not met, personal data may only be transferred abroad with the explicit consent of the data subject.

Recipient groups to whom personal data are transferred and the purposes of sharing are as follows:

RECIPIENT GROUPS

PURPOSE OF TRANSFER

Suppliers

Personal data are transferred to them for the purpose of carrying out product / service sales processes, carrying out goods / service procurement processes.

Authorized Public Institutions and Organizations

Personal data are transferred to them for the purpose of conducting product / service sales processes and making legal notifications.

Agencies

Personal data are transferred to them for the purpose of conducting customer relationship management processes, conducting sales processes of products and services, and conducting contract processes.

Business Partners

Personal data are transferred to them for the purpose of executing the Contract processes, meeting and monitoring requests and complaints, and ensuring customer satisfaction.

Suppliers (Product / Service Providers)

Personal data are transferred to them for the purpose of supplying products/services, ensuring business continuity and the establishment and performance of the contract.

The recipient groups to which personal data are transferred and the categories of personal data transferred abroad may vary. Such changes and updates are publicly announced and published at VERBIS (verbis.kvkk.gov.tr) on the website of the Authority.

4.8. STORAGE AND DESTRUCTION OF PERSONAL DATA

Acting as Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the preservation of personal data in the 'Personal Data Retention and Destruction Policy' and declared such periods separately for each category of personal data in VERBIS. The Company is aware that it is obliged to ensure that personal data is kept in accordance with such principles.

Pursuant to the Law on the Protection of Personal Data, personal data are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. After the expiration of this period, the relevant personal data are deleted, destroyed or anonymized for analytical purposes at the end of the periodic destruction periods specified in the relevant Policy in accordance with the 'Regulation on Deletion, Destruction or Anonymization of Personal Data'. You can request more information through the contact information provided in this Policy on Protection of Personal Data.

5. SECURITY MEASURES REGARDING PERSONAL DATA

The Company takes technical and administrative measures to ensure that personal data are processed in accordance with the law, by taking into account the technological possibilities and the cost of implementation. The technical and administrative measures taken for the protection of personal data are implemented with care and additional measures in terms of special categories of personal data, and the necessary audits are periodically carried out at the highest level within the Company, and such security measures taken are also indicated in VERBIS.

The Company shall take all appropriate security measures to ensure that personal data are only processed within the scope of the specified purposes and to reduce risks such as malicious use, unauthorized access, transfer, destruction or alteration of personal data. Such security measures include other measures such as not transferring personal data to countries that do not provide an adequate level of data protection.

Personal data processed by the Company is confidential and the Company respects this confidentiality. Personal data can only be accessed by persons authorized by the Company. Within this framework, it is ensured that the software is in compliance with the standards, third parties are carefully selected and the Personal Data Protection Policy is adhered to within the Company.

In the event that personal data is damaged as a result of attacks on the platforms operated by the Company or the Company system or seized by unauthorized third parties, despite the Company taking the necessary data security measures, the Company shall take immediate action to remedy the breach in question and minimize the damage to the data subject. The Company immediately shall notify the data subjects and the Board and take the necessary measures. The rules and procedures regarding the breach of personal data are included in the 'Personal Data Breach Management Policy'.

6. OBLIGATION TO PROVIDE INFORMATION

In accordance with Article 10 of the Law on the Protection of Personal Data and the provisions of the 'Communiqué on the Procedures and Principles to be followed in the Fulfilment of the Obligation to Provide Information to Data Subjects', the Company shall inform the data subjects about the identity of the data protection officer, the methods by which their personal data are collected, the legal reason for the processing, the purposes, to whom and for what purposes the personal data are transferred and the rights of the data subjects within the scope of the processing of their personal data through the relevant clarification texts.

7. RIGHTS OF DATA SUBJECTS

According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of personal data concerning him/her. In this context, the rights of the data subject on personal data are listed below in Article 11 of the Law on the Protection of Personal Data:

  • to learn whether his/her personal data are processed or not,

  • to demand for information as to if his/her personal data have been processed,

  • to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,

  • to know the third parties to whom his personal data are transferred in country or abroad,

  • to request the rectification of the incomplete or inaccurate data, if any,

  • to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

  • to request reporting of the operations carried out such as erasure, destruction or rectification to third parties to whom his/her personal data have been transferred,

  • to object to the occurrence of a result against the person himself/herself by analysing the data processed solely through automated systems,

  • to claim compensation for the damage arising from the unlawful processing of his/her personal data in violation of the Law on the Protection of Personal Data.

The data subject may submit his/her requests within the scope of the above-mentioned rights in writing to the Company's registered electronic mail (KEP) address by using secure electronic signature, mobile signature or the electronic mail address previously notified to the Company by the data subject and registered in the Company's system. The data subject may use the 'Data Subject Application Form' available on the Company's website for the application. The application must include the following:

  • Name and surname as well as signature in the event that the application is in writing,

  • Turkish ID number for citizens of the Republic of Türkiyeand nationality, passport number or ID number, if any, for foreigners,

  • Residential or workplace address for notification,

  • Electronic mail address, telephone and fax number for notification, if any,

  • Subject matter of the request

In addition, the data subject is required to attach the relevant information and documents to the application. Applications shall be evaluated only if they are in Turkish. In order for third parties to apply on behalf of the data subjects, they must have a special power of attorney issued by the data subject through a notary public on behalf of the person who will make the application.

In the event that the data subjects submit their requests regarding the above-mentioned rights to the Company in accordance with the application procedures stipulated in the 'Communiqué on the Procedures and Principles of Application to the Data Protection Officer' as specified in this Personal Data Protection Policy, the Company shall finalize this request free of charge as soon as possible and within 30 (thirty) days from the date of application at the latest. However, in the event that the transaction requires an additional cost, the Company may charge the fee in the tariff determined by the Board.

For written applications, the date on which the document is notified to the data protection officer or its representative shall be deemed as the date of application. For applications made by other methods, the date the application is received by the data protection officer shall be deemed as the date of application.

8. RELEVANT DOCUMENTS

The Company specifies the implementation principles determined for the protection of personal data in its policies and publishes such policies in public environments to the extent relevant. All company policies and regulations prepared in this regard form a whole and complement each other. In this way, the Company aims to ensure transparency and accountability by informing the data subjects about personal data processing activities.

Other relevant documents referred to in this Policy are as follows:

9. ENTRY INTO FORCE AND AMENDMENTS

This Policy enters into force as of the date of its publication on the Company's website. The Company may amend this Policy at any time. Such amendments become effective on the day the new amended Policy is published.

10. OUR CONTACT DETAILS

If you have any questions about the Personal Data Protection Policy or our approach to the processing and protection of your personal data, or if you wish to exercise any of the rights set out in the Law on the Protection of Personal Data, you can get information in any of the following ways:

MAVI GOK HAVACILIK ANONIM SIRKETI

Address: BARBAROS MAH. SERIK.(E) CAD. E BLOK NO: 419E IC KAPI NO: 2 AKSU / ANTALYA

REM Address: [email protected]

POLICY ON PROCESSING AND PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

1. PURPOSE and SCOPE

The protection and privacy of personal data has been adopted as a corporate culture for MAVI GOK HAVACILIK ANONIM SIRKETI (hereinafter 'MGA' or 'Company'). The Company takes utmost care and endeavours within the scope of its activities to process and protect the personal data of natural persons in accordance with the legal norms in force and universal legal principles. Acting in the capacity of data protection officer, the Company processes and protects personal data within the scope of this Policy on Processing and Protection of Special Categories of Personal Data ('Policy').

This Policy on Processing and Protection of Special Categories of Personal Data relates to the special categories of personal data of the data subjects, which our Company acting as the data protection officer processes by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. The Policy on Processing and Protection of Special Categories of Personal Data shows how the principles and guidelines set forth by the relevant legislation are applied in the protection of personal data by the Company. This Policy describes the Company's general policy and processes regarding the processing and protection of personal data, and the obligation to provide information under Article 10 of the Law on the Protection of Personal Data is fulfilled by the relevant clarification texts to be provided to the relevant persons on a concrete process basis.

The purpose of the Policy on Processing and Protection of Special Categories of Personal Data is to fulfil the legal obligations arising from the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 Adequate Measures to be Taken by Data Protection Officers in the Processing of Special Categories of Personal Data and to reveal the technical and administrative measures taken in the processing of special categories of personal data.

2. DEFINITIONS

ABBREVIATION

DEFINITION

“Explicit Consent”

Refers to freely given, specific and informed consent.

“Obligation to provide information”

Refers to the Company's obligation to provide information to the Data Subjects during the collection of personal data via the Data Protection Officer or persons authorised by him/her within the scope of Article 10 of the Law on the Protection of Personal Data and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Provide Information.

“Relevant Person”, “Data Subject”

Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

“Destruction”

Refers to the deletion, destruction or anonymization of personal data.

“Personal Data”

Refers to any information relating to an identified or identifiable natural person.

„Anonymization of Personal Data“

Refers to rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

“Processing of Personal Data”

Refers to any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

“Erasure of Personal Data”

Refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users.

“Destruction of Personal Data”

Refers to the process of making personal data inaccessible, irreversible and non-reusable by anyone in any way.

“Board”

Refers to Personal Data Protection Board

“Authority”

Refers to Personal Data Protection Authority

“Law”, “Law on Protection of Personal Data”

Refers to the Law No. 6698 on the Protection of Personal Data.

“Policy on the Protection of Personal Data”

Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Special Categories of Personal Data”

Refer to personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.

“Company”

Refers to MAVI GOK HAVACILIK ANONIM SIRKETI.

“VERBIS”, “Registry”

Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

“Data Processor”

Refers to the natural or legal person who processes personal data on behalf of the data protection officer upon its authorization.

“Data Protection Officer”

Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

3. PRINCIPLES TO COMPLY WITH IN THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

The Company acts in compliance with the “General Principles” specified in the “Policy on the Protection of Personal Data” in the processing of special categories of personal data and specified in Article 4 of the Law on the Protection of Personal Data as mandatory to be complied with in the processing of personal data.

3.1. Processing in accordance with the Law and Good Faith

The Company manages personal data processing processes in accordance with legal norms and universal legal principles and rules of honesty, informs the relevant persons as necessary to ensure the transparency of the processes, takes into account the interests and reasonable expectations of the person concerned in such processes. In this context, it prevents the data processing activity from resulting in consequences that the data subject does not expect and does not need to expect.

3.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

As a rule, personal data are processed upon the declaration of the data subjects and as consented by data subjects, and such declared personal data shall be deemed to be correct. The Company shows reasonable care and attention required to keep the personal data within its legal entity accurate and up-to-date and not to contain false information. In the event that changes in the processed personal data are notified to the Company by the data subject, it ensures that the necessary administrative and technical mechanism is established to update the personal data in the relevant database.

3.3. Processing for Specific, Explicit and Legitimate Purposes

The Company sets out its legitimate and lawful data processing purposes in a specific and clear manner prior to the commencement of personal data processing and processes personal data in connection with and to the extent necessary for the Company's products and services.

3.4. Being relevant, limited and proportionate to the purpose for which they are processed

Personal data are processed in a limited and measured manner in connection with the purposes determined by the Company and explained to the data subject. The Company takes care to ensure that a reasonable balance is established between the data processing activity and the purpose to be achieved and that the processing is to the extent necessary to achieve the purpose.

3.5. Retention for the Period Stipulated in the Relevant Legislation or required for the Purpose for which they are Processed

The Company retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, it deletes, destroys or anonymises personal data when the period stipulated by the legislation expires or when the purpose of processing is no longer applicable. As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the storage of personal data in the Personal Data Storage and Destruction Policy and is aware that it is obliged to ensure that personal data is kept in accordance with these principles.

Such principles apply regardless of whether the Company processes personal data based on explicit consent or in accordance with other data processing conditions. In this respect, the Company processes personal data in accordance with the data processing conditions and general principles and fulfils its obligation to inform the data subjects.

4. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

The Company processes special categories of personal data in compliance with the additional measures announced by the Personal Data Protection Board and by taking all necessary administrative and technical measures and in the presence of one of the following data processing conditions:

  • With the explicit consent of the data subject,

  • In cases stipulated by law for personal data other than health and sexual life,

  • Personal data relating to health and sexual life may only be processed without seeking the explicit consent of the data subject by persons under the obligation of confidentiality or authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

5. PURPOSES OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

The Company processes special categories of personal data in accordance with the 'General Principles for the Processing of Personal Data' stated above and set out in Article 4 of the Law and based on at least one of the data processing conditions specified in Article 6 of the Law and in a limited and appropriate manner. In accordance with Article 10 of the Law and secondary legislation, the Company informs the relevant groups of persons separately about the categories and purposes of data processing in the relevant clarification texts. Personal data categories and related processing purposes are declared in the Data Protection Officers' Registry Information System (VERBIS) and the system is kept open to public access at verbis.kvkk.gov.tr.

6. RETENTION AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA

As the Data Protection Officer, the Company has determined the retention periods, destruction periods and technical and administrative measures to be implemented in the retention of the sources of special categories of personal data in the 'Personal Data Retention and Destruction Policy' and declared such periods separately for each category of personal data in VERBIS. The Company is aware that it is obliged to ensure that special categories of personal data are kept in accordance with these principles.

In accordance with the Law on the Protection of Personal Data, special categories of personal data are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. After the expiration of such period, the relevant personal data are deleted, destroyed or anonymised for analytical purposes at the end of the periodic destruction periods specified in the relevant Policy in accordance with the 'Regulation on Deletion, Destruction or Anonymization of Personal Data'. You can request more information through the contact details provided in this Policy.

7. SECURITY MEASURES FOR SPECIAL CATEGORIES OF PERSONAL DATA

The Company takes technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure that special categories of personal data are processed in accordance with the Law. Such measures are implemented with care and additional precautions in terms of special categories of personal data and the necessary audits are periodically carried out at the highest level within the Company.

Such security measures taken in accordance with the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 'Adequate Measures to be taken by Data Protection Officers in the Processing of Special Categories of Personal Data' are as follows:

  • For Employees involved in the processing of special categories of personal data

    • Providing regular trainings on the Law and related regulations and security of special categories of personal data

    • Conclusion of confidentiality agreements,

    • Clearly defining the users who are authorised to access data, their scope and duration of authorisation,

    • Carrying out periodic authorisation checks,

    • Immediately cancelling the authorization of the employees who have changed their duties or quit their jobs and ensuring that the inventory allocated by the data protection officer to such employee is returned

  • For electronic environments where special categories of personal data are processed, stored and/or accessed

    • Preservation of data using cryptographic methods,

    • Keeping cryptographic keys in secure and different environments,

    • Secure logging of transaction records of all activities and operations performed on the data,

    • Continuous monitoring of the security updates of the environments where the data are located, conducting / having the necessary security tests conducted regularly, recording the test results,

    • Making user authorizations of the software for the data accessed through a software, conducting / having the security tests of such software conducted regularly, recording the test results,

    • Provision of at least a two-tier authentication system for data for which remote access is required,

  • For physical environments where special categories of personal data are processed, stored and/or accessed

    • Ensuring that adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where special categories of personal data are stored,

    • Ensuring the physical security of these environments and preventing unauthorized entry and exit,

  • In the event that special categories of personal data are required to be transferred

    • In the event that the data are required to be transferred via e-mail, they should be transferred encrypted with a corporate e-mail address or using a Registered Electronic Mail (REM) account,

    • In the event that they are required to be transferred via media such as Portable Memory, CD, DVD, they should be encrypted with cryptographic methods and the cryptographic key should be kept in a different medium,

    • In the event that they are required to be transferred between servers in different physical environments, data transfer between servers should be performed by setting up a VPN or using the sFTP method,

    • In the event that they are required to be transferred via paper media, it should be ensured that necessary precautions are taken against risks such as theft, loss or unauthorised access to the documents and that the documents are sent in the format of 'confidential documents'.

The security measures taken other than the security measures listed are declared in the 'Personal Data Protection Policy' and VERBIS at verbis.kvkk.gov.tr.

In the event that personal data is damaged as a result of attacks on the platforms operated by the Company or the Company's system or seized by unauthorised third parties although the Company has taken the necessary data security measures, the Company shall take immediate action to remedy the breach in question and minimise the damage to the data subject. The Company immediately shall notify the relevant persons and the Board and take the necessary measures. The rules and procedures regarding the breach of personal data are included in the “Personal Data Breach Management Policy”.

8. RIGHTS OF DATA SUBJECTS

According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of personal data concerning him/her. The rights of the data subject on personal data are listed in Article 11 of the Law on the Protection of Personal Data as follows:

  • to learn whether his/her personal data are processed or not,

  • to demand for information as to if his/her personal data have been processed,

  • to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,

  • to know the third parties to whom his personal data are transferred in country or abroad,

  • to request the rectification of the incomplete or inaccurate data, if any,

  • to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

  • to request reporting of the operations carried out such as erasure, destruction or rectification to third parties to whom his/her personal data have been transferred,

  • to object to the occurrence of a result against the person himself/herself by analysing the data processed solely through automated systems,

  • to claim compensation for the damage arising from the unlawful processing of his/her personal data in violation of the Law on the Protection of Personal Data.

The data subject may submit his/her requests within the scope of the above-mentioned rights in writing to the Company's registered electronic mail (REM) address by using secure electronic signature, mobile signature or the electronic mail address previously notified to the Company by him/her and registered in the Company's system. The data subject may use the 'Data Subject Application Form' available on the Company's website for application. The application must include the following:

  • Name, surname and signature if the application is made in writing,

  • R. Identity No for Turkish citizens, or nationality, passport number and identification number for foreigners, if any,

  • Residential or workplace address for notification,

  • Electronic mail address, telephone and fax number for notification, if any,

  • Subject matter of the request

In addition, it is a prerequisite for the evaluation that the relevant information and documents are attached to the application and the language of the application is Turkish. Third parties may apply on behalf of the data subject only in the presence of a special power of attorney issued by a notary public.

In the event that the data subjects submit their requests regarding the above-mentioned rights to the Company in accordance with the application procedures stipulated in the 'Communiqué on the Procedures and Principles of Application to the Data Protection Officer', as specified in this Personal Data Protection Policy, the Company shall finalise this request free of charge as soon as possible and within 30 (thirty) days from the date of application at the latest, depending on the nature of the request. However, in the event that the transaction requires an additional cost, the Company may charge the fee in the tariff determined by the Board.

For written applications, the date on which the document is notified to the data protection officer or its representative is the date of application. For applications made by other methods, the date the application is received by the data protection officer is the date of application.

9. RELEVANT DOCUMENTS

The Company sets out the implementation procedures and principles determined for the protection of personal data in its policies, and publishes such policies in publicly available media to the extent relevant. All company policies and regulations prepared in this regard form a whole and complement each other. In this way, the Company aims to ensure transparency and accountability by informing the data subjects about personal data processing activities.

Other related documents referred to in this Policy are as follows:

10. ENTRY INTO FORCE AND AMENDMENTS

This Policy enters into force as of the date it is published on the Company's website. The Company may amend this Policy at any time. Such amendments become effective on the day the new amended Policy is published.

11. OUR CONTACT DETAILS

If you have any questions about the “Policy on the Processing of Special Categories of Personal Data” or our approach to the processing and protection of your special categories of personal data, or if you want to exercise any of the rights set out in the Law on the Protection of Personal Data, you can get information in any of the following ways:

MAVI GOK HAVACILIK ANONIM SIRKETI

Address: BARBAROS MAH. SERIK.(E) CAD. E BLOK NO: 419E IC KAPI NO: 2 AKSU / ANTALYA

REM-Address: [email protected]

POLICY FOR PERSONAL DATA PROCESSING BREACH MANAGEMENT

1. PURPOSE AND SCOPE

Policy for Personal Data Processing Breach Management ('Policy') regulates the methods and rules to be applied in case of a potential breach of personal data in accordance with Article 12(5) of the Law on the Protection of Personal Data No. 6698 by MAVİ GÖK HAVACILIK ANONİM ŞİRKETİ (hereinafter referred to as the 'Company') in its capacity as the data controller. Article 12(5) states, 'In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify this situation to the relevant person and the Board as soon as possible. The Board may, if necessary, announce this situation on its official website or by any other means it deems appropriate.

2. DEFINITIONS

ABBREVIATIONS

DEFINITIONS

“Relevant Person”, “Data Subject”

Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

'The Contact Person'

The real person notified by the Company during the registration to the Data Controllers Registry for communication with the Personal Data Protection Authority regarding the Company's obligations under the Law on Protection of Personal Data No. 6698 and secondary regulations to be issued based on this Law.

“Personal Data”

Refers to any information relating to an identified or identifiable natural person.

“Processing of Personal Data”

Refers to any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

“Board”

Personal Data Protection Board

“Authority”

Personal Data Protection Authority

“Law”, “Law on Protection of Personal Data”

Refers to the Law No. 6698 on the Protection of Personal Data

“Policy on Protection of Personal Data”

Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Policy”

Policy For Personal Data Processing Breach Management

“Sorumlu Birim”

Kişisel Verilerin Korunması hakkında KVK Kanunu başta olmak üzere ilgili diğer mevzuata, idari kararlara, yargı kararlarına ve Şirket tarafından konuyla ilgili kabul edilen politikalara ve diğer iş yeri düzenlemeleri tam bir uyumla hareket edilmesi amaçlarıyla kurulan ve bu amaçları Şirkette gerçekleştirmekten sorumlu birimdir.

“Company”

MAVİ GÖK HAVACILIK ANONİM ŞİRKETİ

“VERBIS”, “Registry”

Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

'Data Controller'

A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

3. RESPONSIBLE UNITS AND DISTRIBUTION OF DUTIES

The responsible Company units and their duty descriptions in the relevant individual application processes are as follows:

TITLE

UNIT

JOB DESCRIPTION

Data Protection Committee Chairman and Members

Data Protection Committee

Responsible for the preparation, development, implementation, publication, and updating of the Policy in relevant environments.

Contact Person

Data Protection Committee

Responsible for managing the process in case of a breach and ensuring communication between units. Prepares and submits the notification to the Authority.

Data Protection Committee Chairman and Members

Data Protection Committee

Responsible for identifying the incident causing the breach, determining the extent of impact, and identifying the affected individuals.

Data Protection Committee Chairman and Members

Data Protection Committee

Responsible for ending the incident causing the breach, determining the causes of the breach, and rectifying the process.

Data Protection Committee Chairman and Members

Data Protection Committee

After rectifying the breach, responsible for identifying and implementing relevant actions and updates to prevent recurrence.

Formun Üstü

Formun Üstü

 

4. PERSONAL DATA SECURITY MEASURES

The Company takes technical and administrative measures, taking into account technological capabilities and application costs, to ensure the lawful processing of personal data. Technical and administrative measures taken for the protection of personal data are applied meticulously, and additional measures are taken, especially for special categories of personal data. Within the Company, necessary audits are periodically conducted at the highest level to ensure the effectiveness of these security measures, and these security measures are also documented in the VERBIS system.

The Company takes every necessary security measure to ensure that personal data is processed only for specified purposes and to reduce risks such as malicious use, unauthorized access, transmission, destruction, or alteration of personal data. These security measures also cover other precautions taken regarding issues such as not transferring personal data to countries that do not provide an adequate level of data protection.The personal data processed by the Company is confidential, and the Company respects this confidentiality. Only individuals authorized by the Company can access personal data. In this context, compliance with standards for software, careful selection of third parties, and adherence to the Company's Data Protection Policy within the Company are ensured.Despite the necessary data security measures taken by the Company, in the event of personal data being compromised or falling into the hands of unauthorized third parties as a result of attacks on platforms operated by the Company or the Company's systems, the Company takes immediate action to remedy the breach and minimizes the damage to the affected individuals.

5. COMPANY'S OBLIGATIONS IN CASE OF PERSONAL DATA BREACH

In accordance with Article 12/5 of the Personal Data Protection Law, the Company shall notify the relevant person and the Personal Data Protection Board ('Board2) as soon as possible when personal data processed by the Company is unlawfully obtained by others. The Board may, if necessary, announce this situation on its official website or by any other means it deems appropriate. Accordingly, the Company shall report the personal data breach to the Board by completing the form available on the Authority's official website (https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/e0413853-cd8c-428f-9315-2e8b3d874b46.pdf) as soon as possible and within 72 hours at the latest.

If the breach notification by the Company cannot be made within the specified period, it shall be made as soon as possible, with the reasons for the delay also being stated. The individuals affected by the breach shall be identified, and the breach incident shall be announced through official communication channels as deemed appropriate by the Company.

6. MANAGEMENT PROCESS OF THE BREACH INCIDENT

The Company manages personal data breach incidents by assigning responsible units as specified in this Policy and, if necessary, other departments. When fulfilling these responsibilities, at a minimum:

  • Ensures monitoring of environments containing personal data and processing activities,
  • Implements necessary physical and technological detection methods for breach detection,
  • Takes necessary administrative and technical security measures to end the breach incident as soon as possible,
  • Identifies the extent of the individuals affected by the breach and the affected personal data,
  • Investigates the causes of the breach and conducts necessary investigations,
  • Ensures the updating of assessments, risks, and measures,
  • If the breach is caused by an employee or employees of the Company, initiates the necessary disciplinary processes against them.

7. EFFECT AND AMENDMENTS

This Policy is published on the Company's website and enters into force as of the date of publication. The Company may make changes to this Policy at any time. These changes will take effect on the date the modified new Policy is published.

DATA SUBJECT APPLICATION FORM WITHIN THE SCOPE OF THE LAW ON PROTECTION OF PERSONAL DATA
SUPPLIER CLARIFICATION ON THE PROCESSING OF PERSONAL DATA
  • SUPPLIER CLARIFICATION ON THE PROCESSING OF PERSONAL DATA

    Dear Suppliers,

    This Clarification Text provides information on the third parties with whom your personal data are shared, your rights and how you can contact MAVI GOK HAVACILIK ANONIM SIRKETI (hereinafter referred to as the 'Company'), especially which of your personal data and for what purposes such data are processed. The Clarification Text has been prepared in accordance with Article 10 of the Personal Data Protection Law No. 6698 and the European Union General Data Protection Regulation ('GDPR') for the transparent processing of personal data for the purposes of carrying out the supply chain processes of our Company and performing contract transactions within this scope.

    • IDENTITY OF THE DATA PROTECTION OFFICER

    MAVI GOK HAVACILIK ANONIM SIRKETI acts in the capacity of 'Data Protection Officer' for the personal data included in this clarification text according to Article (3)(1)(i) of the Law on the Protection of Personal Data.

    Our Company acting in its capacity as data protection officer takes all necessary measures to prevent unlawful use of data, to ensure its preservation and to ensure the appropriate level of security in accordance with the legislation during the processing and transfer of personal data. Your personal data are processed primarily in accordance with the provisions of the Law on the Protection of Personal Data, the Law on Consumer Protection, the Turkish Code of Obligations, the Turkish Commercial Code and other relevant legislation.

    Your personal data are processed in accordance with the principles written below pursuant to Article 4 of the Law on the Protection of Personal Data, although they may vary depending on the service, product or commercial activity provided by our Company,

a.Lawfulness and fairness

b.Being accurate and kept up to date where necessary.

c.Being processed for specified, explicit and legitimate purposes.

d.Being relevant, limited and proportionate to the purposes for which they are processed.

e.Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

  • 1. PURPOSE and LEGAL REASON FOR PROCESSING YOUR PERSONAL DATA

    Processed Personal Data

    Data Processing Purposes

    Legal Reason for Data Processing

    Data Category

    Type of Data

    Identity

    Name & Surname, T.R. ID No, Name of Mother / Father, Place and Date of Birth, Identity Details, Passport Details, Signature

    · Execution of Activities in Accordance with Legislation

    · Execution of Finance and Accounting Affairs

    · Opening Current Accounts and Execution of Reconciliation Processes

    · Making payments after procurement and payment monitoring

    · Execution of Communication Activities

    · Ensuring Business Continuity and Execution of Activities

    · Monitoring and Execution of Legal Affairs in Possible Disputes

    · Execution of Product Delivery Processes

    · Purchase of Goods / Services

    · Quality Control Procedures of the Supplied Goods / Services

    · Execution of Storage and Archive Activities

    · Receipt of Bids and Execution of Contract Processes

    · Internal Audit and Contract Control Procedures

    · Execution of Supply Chain Management Processes

    · Security of our Company's Operations within the Scope of Supplied Goods and Services

    · Providing Information to Authorised Persons, Institutions and Organisations

     

    · Where it is necessary to process personal data of the parties to a contract, provided that such processing is directly related to the conclusion or performance of the contract

    · Where it is mandatory for the data protection officer to fulfil its legal obligation

    · Where data processing is mandatory for the establishment, exercise or protection of a right.

    · Where data processing is mandatory for the legitimate interests of the data protection officer, provided that it does not harm the fundamental rights and freedoms of the data subject.

    Contact

    Address, Phone Number, E-mail

    Financial

    Payment Details, IBAN No, Account Number, Bank Details, Receivable / Payable Details, Receipt Information

    Customer Trans-actions

    Tax ID No., Tax Office, Business Name, Invoice Details, Current Account Details, Business Information, Information on Position/ Job Title / Expertise

    Special Category of Personal Data

    Health Information (Blood Type), Information on Religious / Philosophical Belief

    · Your special categories of personal data contained in documents such as copy of identity card or driver’s licence, copy of passport requested by us in accordance with the contract processes may be processed. Our Company carries out data processing activities in accordance with the principle of proportionality and destroys your data that does not need to be processed as required by the process.

    · Explicit consent

    2. METHOD OF COLLECTING PERSONAL DATA

    Your personal data are collected by our Company from the contracts concluded with you in commercial processes and the relevant declaration forms, copies of documents such as identity cards, passports and driving licences, signature circulars, certificates of authority, trade registry documents, through written communication channels such as e-mails, messages, etc., from verbal interviews, documents such as invoices, delivery notes, delivery documents, business cards, order forms, physically or electronically from you personally or from third parties that you have disclosed to our Company for the purpose of providing information to our Company, by informing and, where necessary, obtaining explicit consent, in compliance with the general principles within the scope of Article 4 of the Law on the Protection of Personal Data.

    3. TRANSFER OF YOUR PERSONAL DATA

    Your collected personal data may be transferred within the framework of the personal data processing conditions regulated in Articles 8 and 9 of the Law on the Protection of Personal Data.

    1. Based on the legal reason of “establishment and performance of the contract” regulated in Article 5/2(c) of the Law on the Protection of Personal Data: Your personal data may be transferred to the relevant banks for the necessary payment and collection transactions, and to the authorised public institutions and organisations for the purposes of fulfilling the obligations arising from legislation in accordance with the purchased product.

    2. Based on the data processing condition that 'data processing is mandatory for our Company to fulfil its legal obligation' regulated in Article 5/2 (ç) of the Law on the Protection of Personal Data: Your personal data may be transferred to courts and public institutions and organisations requesting information in order to make legal notifications, to financial accounting firms and independent auditors in order to fulfil legal obligations arising from the legislation, and to the General Directorate of State Airports Authority and civil aviation authorities requesting information in order to carry out airspace entry and exit operations as well as permission procedures in accordance with security measures.

    3. Based on the condition of data processing 'for the establishment, exercise or protection of a right' regulated in Article 5/2 (e) of the Law on the Protection of Personal Data: Your personal data may be transferred to law offices and other consultants for the purposes of providing evidence in possible disputes, obtaining legal consultancy and technical support, executing the contract, auditing whether the parties comply with their obligations.

    4. Based on the legal reason of 'legitimate interest of the data protection officer' regulated in Article 5/2 (f) of the Law on the Protection of Personal Data: Your personal data may be transferred to accounting programmes for the purposes of ensuring commercial security, storing your personal data securely, making use of accounting programmes and archive services, to domestic suppliers and/or archive companies that render services for the provision of electronic storage, infrastructure server services, backup services or systems, and to group/group companies in order to carry out accounting activities together, to carry out the necessary audit and control procedures as well as information activities in this context.

    5. Based on the data processing condition of 'explicit consent' regulated in Article 9/1 of the Law on the Protection of Personal Data: Your personal data and special categories of personal data may be transferred to our Company's overseas-based suppliers and business partners for the purposes of carrying out communication activities, carrying out storage and archive processes, using cloud services, ensuring business continuity.

    4. STORING YOUR PERSONAL DATA

    Your personal data shall be stored based on one of the data processing conditions specified in Article 5 of the Law on the Protection of Personal Data and in accordance with the general principles specified in Article 4 of the Law on the Protection of Personal Data, in particular for the period stipulated in the relevant legislation or required for the purpose, taking into account the periods specified in the Retention and Destruction Policy issued in accordance with Article 7 of the Law on the Protection of Personal Data, and shall be disposed of within the destruction period.

    5. YOUR RIGHTS AS DATA SUBJECT

    As a data subject, you have the right

    1. to learn whether your personal data are processed or not,

    2. to demand for information as to if your personal data have been processed,

    3. to learn the purpose of the processing of your personal data and whether these personal data are used in compliance with the purpose,

    4. to know the third parties to whom your personal data are transferred in country or abroad,

    5. to request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,

    6. to request the deletion or destruction of your personal data in the event that the reasons requiring the processing of the data disappear, although they have been processed in accordance with the provisions of the Law on the Protection of Personal Data and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,

    7. to object to the occurrence of a result to your detriment by analysing the data processed solely through automated systems,

    8. to claim compensation for the damage arising from the unlawful processing of your personal data.

    6. APPLICATION TO THE DATA PROTECTION OFFICER

    In the event that you as data subject submit your requests regarding your rights to the Company in writing or by the methods regulated in the Communiqué on the Procedures and Principles of Application to the Data Protection Officer (https://www.resmigazete.gov.tr/eskiler/2018/03/20180310-6.htm) in accordance with paragraph 1 of Article 13 of the Law on the Protection of Personal Data, our Company will finalise the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, in the event that the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Authority shall be charged by the Company.

    Our Contact Details;

    MAVI GOK HAVACILIK ANONIM SIRKETI

    Address: BARBAROS MAH. SERIK.(E) CAD. E BLOK NO: 419E IC KAPI NO: 2 AKSU / ANTALYA

    REM Address: [email protected]

COOKIE POLICY

COOKIE POLICY

The purpose of this Cookie Policy is to inform you about the processing of personal data obtained during the use of cookies by Platform users / members / visitors ('Data Owner') during the operation of the http://www.mga.aero website ('Site') and mobile application (all together referred to as the 'Platform') operated by Mavi Gök Havacılık Anonim Şirketi (MGA) ('Company'). The term 'personal data' in this policy includes the following information:

  • Customer Information
  • Device Information
  • Behaviors
  • Demographic Information
  • Marketing Knowledge
  • Behavioral Advertising
    You can visit the Platform without providing any personal information. During your visits, cookies are used to collect information about the use of the Platform, to make the most efficient use of the Platform and to improve the user experience.

By visiting the Platform, you consent to the use of cookies and the information collected through cookies in accordance with the Personal Data Protection and Processing Policy available at http://www.mga.aero. If you do not want cookies to be used in this way, you should adjust your browser settings or not use the Platform. Disabling the cookies we use may affect your user experience on the Platform.

What Cookies Are and Why They Are Used?

Cookies are small text files that are stored on your device or network server through browsers by websites you visit. Cookies cannot collect any information, including your personal data stored on your computer or files. For more detailed information on cookies, please visit www.aboutcookies.org and www.allaboutcookies.org.

  • The main purposes of using cookies on the Platform are listed below:
  • To improve the services offered to you by enhancing the functionality and performance of the Platform,
    To improve the Platform, to offer new features through the Platform and to personalize the features offered according to your preferences;
    To ensure the legal and commercial security of the Platform, you and our Company.
    To use within the scope of direct and indirect marketing activities.

Categories of the Platform Cookies

Technical Cookies

Technical cookies are used to ensure the operation of the Website and to identify pages and areas of the website that are not working.

Analytical Cookies

Analytical cookies are cookies that enable the production of analytical results such as the number of visitors to the Site, the detection of pages viewed on the Site, visiting hours of the Site, scrolling movements of website pages.

Platform Cookies

Cookies

Description, Duration and Preferences

Technical Cookies

 

Mandatory Cookies

Technical cookies are used to ensure the operation of the Website and to identify pages and areas of the website that are not working.

 

Analytical Cookies

 

Google Analytics

Such cookies enable the collection of all statistical data, thereby improving the presentation and usage of the Site. By adding social statistics and data on interests to these statistics, Google enables us to better understand users.

Our website uses Google Analytics cookies. The data collected with these cookies are transferred to Google servers located in the USA and the data in question are stored in accordance with Google's data protection principles. You can click here to learn more about Google's analytical data processing activities and principles on the protection of personal data.

https://tools.qooqle.com/dlpaqe/qaoptout

Can the Use of Cookies be Blocked by Data Owners?

Data owners have the possibility to customize their preferences regarding cookies by changing their browser settings. If the browser used offers this possibility, it is possible to change the preferences regarding cookies through the browser settings. Thus, although it may vary depending on the possibilities offered by the browser, data owners have the opportunity to prevent the use of cookies, prefer to receive a warning before the cookie is used, or disable or delete just some cookies.

Preferences regarding cookies may need to be made separately for each device on which the user accesses the Platform.

Adobe Analytics

http://www.adobe.com/uk/privacy/opt-out.html

AOL

https://help.aol.com/articles/restore-security-settings-and-enable-cookie-settings-on-browser

Google Adwords

https://support.google.com/ads/answer/2662922?hl=en

Google Analytics

https://tools.google.com/dlpage/gaoptout

Google Chrome

http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647

Internet Explorer

https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

MozillaFirefox

http://support.mozilla.com/en-US/kb/Cookies

Opera

http://www.opera.com/browser/tutorials/security/privacy/

Safari

https://support.apple.com/kb/ph19214?locale=tr_TR