General Data Protection Regulation

Under the Personal Data Protection Law (PDPL) No. 6698, we at OrgInsight, as the Data Controller, will process your personal information as outlined below. The objectives and legal reasons for processing personal data are to ensure that your information is handled in accordance with the law and in good faith, being clear, open, and legitimate.

In line with tax procedures, invoices are issued for goods and services you've acquired. Under the E-Commerce Regulation, we send electronic promotions and advertisements. To enhance the quality of products and services, your usage details on our training platform are processed within legal boundaries and due to mandatory operational needs.

Transfer of Personal Data: Your personal data can be transferred to authorities that legally need them, our affiliated companies, domestic or international business partners, and third parties we work with, within legal constraints.

Collection Method of Personal Data: We collect your personal data from you because you're a user of our online training platform. This collection aids in creating an educational history and providing a service tailored to your needs.

According to PDPL Article 11, you have rights to: a) Know if your data is being processed, b) Request information if it's been processed, c) Understand the purpose of processing and if it aligns with the purpose, d) Know the third parties your data has been shared with domestically/internationally, e) Request correction if it's incomplete/incorrect, f) Request deletion/destruction within the parameters of PDPL Article 7, g) Request notification of actions taken to third parties, h) Object to negative automated decisions, i) Seek compensation if you're harmed due to unlawful processing.

To exercise your rights, complaints made to OrgInsight will be addressed within 30 days. Applications can be made directly, through a notary, or via registered email to inf@orginsight.co after verifying your identity.

OrgInsight PDPL POLICY

Last Updated: May 19, 2020

INTRODUCTION

This policy outlines the administrative, processual, and procedural structure adopted by OrgInsight Ltd. for safeguarding personal data. It aims to internalize the lawful processing and retention of personal data as per PDPL, raising awareness among employees and partners. OrgInsight is committed to meeting the requirements of the law and goes beyond to ensure data security.

OrgInsight has reviewed its practices in light of the law and international regulations and is taking steps to comply. Most steps outlined in this policy reflect the system already in place at OrgInsight, and the company views PDPL compliance as an opportunity to enhance their operations.

This policy ensures OrgInsight processes personal data lawfully, complying with all legal requirements, and regularly checks its internal procedures to ensure they're fair and lawful.

DEFINITIONS

OrgInsight Ltd. will be referred to as "Company".

Data: Refers to information stored electronically or in paper-based filing systems. Personal Data: Any information relating to an identified or identifiable individual. OrgInsight might collect web logs, cookies, etc., to understand customer preferences and offer better services. If these data point towards a specific individual, they'll be subject to this policy.

Sensitive Personal Data: Refers to data on race, ethnicity, political opinions, religious beliefs, affiliations, health, sexual orientation, criminal convictions, and biometric data. These are processed under strict conditions and usually require explicit consent.

Data Subject or Owners: Refers to all individuals whose data OrgInsight processes, including employees. They don't need to be Turkish citizens or reside in Turkey, and they possess legal rights regarding their personal data.

Data Controller: Refers to the entity that determines the purposes and means of processing personal data and is responsible for establishing and maintaining the data recording system...

Policy Objective

PURPOSE OF THE POLICY

The main goal of this Policy is to ensure that each OrgInsight Company adopts the necessary regulations in compliance with the Law. The aim is to structure the policies to be applied and establish uniformity among subsidiaries. In this context, the Policy outlines how the rules set by the Law and related legislation are or will be applied by OrgInsight Companies. It aims to set universal rules and principles for all business units. OrgInsight Companies will align all their internal processes with this Policy.

Measures necessary for adherence to the Policy will be implemented, and the continuous compliance will be maintained through regular audits. All employees will be verified for adherence to the Policy, and stakeholders will be informed about any changes. The company will organize in-house training sessions to ensure a swift adaptation to changing and updating processes, holding all employees accountable for ensuring processes comply with the Law. This Policy intends to institutionalize the processing and retention of Personal Data in accordance with the Law, establishing the necessary administrative structure, processes, and procedures. It also seeks to raise awareness among employees and all business partners.

A. PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

For OrgInsight, it's paramount that Personal Data is processed in compliance with the general principles outlined in the Law and related legislation. In this regard, when processing Personal Data, OrgInsight Companies must act in accordance with legality and good faith. The main purpose isn't to prevent data processing but to ensure it's done in line with the principles of integrity and legality, without adversely affecting the rights of the Data Subject. Data Subjects should be informed about who the Data Controller is, the purposes for which their data will be processed by OrgInsight, potential recipients of their data, and their rights. For legal processing of Personal Data, certain conditions need to be met, such as the Data Subject's consent or legitimate interests of the Data Controller or third party to whom data is disclosed. In some cases, explicit consent from the Data Subject might be required.

However, when processing Personal Data under these specific exceptions, Data Subjects will be informed in line with the Law's Article 16 regarding the "Obligation to Inform". They will be assured that their data is processed according to the Law, relevant regulations, and this Policy. OrgInsight will establish necessary processes to ensure compliance with the Law's provisions.

Data should be:

  • Collected for specific, clear, and legitimate purposes and not used for other purposes without informing the Data Subject.
  • Limited, proportionate, and necessary for the purpose: Only data necessary for the disclosed purposes should be collected.
  • Accurate and updated when necessary: Mechanisms to update data should be provided, and Data Subjects should be informed about these mechanisms.
  • Not retained longer than necessary: Personal Data shouldn't be stored or archived longer than the intended purpose requires.

The processing of Personal Data must respect the rights of the Data Subject, be kept secure, and not transferred to individuals or organizations in countries without adequate protection. Currently, OrgInsight Companies do not transfer Personal Data abroad. Even servers owned by third parties where Personal Data is archived are located in Turkey. However, should the company policies change and there's a decision to transfer or store Personal Data abroad, it will be done in line with the provisions of the Personal Data Protection Act and rules set by the Personal Data Protection Board.

B. RIGHTS OF THE PERSONAL DATA SUBJECT

Individuals have the right, as set out in Article 11 of the Law, to inquire whether their Personal Data has been processed, to request information if it has been processed, to understand the purpose of the data processing and whether the data has been used appropriately, to know any third parties to whom the data has been transferred, and to request corrections if the data is incomplete or inaccurately processed. In the event of such inaccuracies, they can also demand that these corrections be communicated to third parties who received the data. If they suffer damages due to unlawful data processing, they have the right to claim compensation. Upon the request of the data subject, OrgInsight Companies will promptly take action to fulfill these rights and provide detailed information on the relevant procedure.

C. SECURITY OF PERSONAL DATA

OrgInsight Companies are obliged to take all necessary technical and administrative measures to prevent unlawful processing of Personal Data, unauthorized access to the data, and to ensure its protection. OrgInsight should ensure that suitable security measures are in place to protect against unauthorized or illegal data processing or accidental loss or damage to the data. If data subjects incur damages from such incidents, they can pursue legal compensation. The Law mandates OrgInsight to adopt various administrative and technical precautions to ensure data security from the moment of collection to deletion. Data security implies ensuring the confidentiality, integrity, and accessibility of the data. Confidentiality means only authorized persons can access the data. Integrity ensures the data is accurate and processed in line with its intended purpose. Accessibility allows authorized users to access the data whenever necessary. Security procedures for personal data will be implemented in consultation with the competent IT department within OrgInsight.

Access permissions for each department in OrgInsight Companies will be limited as necessary. Current restrictions are already in place and will be regularly reviewed to ensure access to Personal Data is strictly as needed. All employees of OrgInsight Companies will be informed and trained on data security procedures. In this context, passwords for systems accessing Personal Data should not be disclosed to any third party or unauthorized personnel. Authorized users must ensure that confidential data isn't visible to passersby and should lock their computer sessions when not present.

Technical measures are already in place to ensure the security of all data held by OrgInsight Companies, including Personal Data. Their existing security systems, antivirus programs, and communication protection systems will be regularly audited, and the latest versions of these systems will be implemented. Technological advancements will be monitored, and a technical team will be allocated to address any emerging risks promptly. In addition, all OrgInsight employees must immediately inform the [OrgInsight Data Protection Committee] if they become aware of any unauthorized acquisition of Personal Data or any potential security risks.

If applicable, contracts with third parties to whom Personal Data has been legally transferred will be amended to ensure they take the necessary security measures to protect the data and guarantee compliance within their businesses/institutions/organizations. OrgInsight will not transfer Personal Data to any third parties that fail to provide the required security measures and do not meet the confidentiality, integrity, and accessibility requirements of the Law.

D. PERSONAL DATA TRANSFER TO THIRD PARTIES

Personal data may be shared with third parties within the country based on the legitimate interests of the Company and as required by the processing purposes of the data and the contracts made with the Data Subjects. The data won't be shared for purposes other than its processing objectives. While it may not always require explicit consent, any new personal data of Data Subjects that the OrgInsight Companies acquire will be shared with their affiliates and partners who have proper security measures, only after obtaining clear consent. When choosing business partners, OrgInsight Companies will ensure due diligence regarding data privacy and will ensure contracts contain clauses satisfying legal requirements on data protection and confidentiality. The personal data isn't transferred outside the country by OrgInsight Companies.

Even servers owned by third parties, where personal data is archived, are located in Turkey and, currently, there's no transfer of data abroad. If, due to company policy, a decision is made to transfer or store personal data on servers outside the country, and if consent has not been previously acquired, the explicit consent of the data subject will be sought by the concerned OrgInsight Company. As a rule, data won't be transferred to countries without adequate protection as determined by the Board.

Personal data may be transferred to foreign countries without sufficient protection, provided that OrgInsight and the respective data controller in that country offer written assurance of adequate protection, and obtain permission from the Board. OrgInsight will design processes in compliance with Articles 8 and 9 of the Law. By approving this Policy, Data Subjects consent to their data being shared, limited to the purposes of processing and archiving, within the framework of the rights regulated by the relevant legislation, among OrgInsight Companies and/or third-party business partners, public/private institutions, suppliers, affiliates, company officials, banks, funds, and other 3rd parties.

The activities of OrgInsight Companies align with our group's principles, operations, processes, goals, and strategies. For the protection of OrgInsight's rights, interests, and reputation, processing personal data by OrgInsight Companies or business partners, and our dominant company, falls under our legitimate interest. This doesn't mean unlawful data processing. All OrgInsight Companies adhere strictly to the law and will inform all Data Subjects about this matter, obtaining their written consent for data transfer.

E. PROCEDURES FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Procedure for Deletion and Destruction of Personal Data

OrgInsight Companies will delete or destroy Personal Data when the reasons for processing no longer apply, all while abiding by the minimum retention periods prescribed by law and regulations. Techniques employed during deletion or destruction include:

  • Physical Destruction: Personal data can be processed both automatically and manually within any data recording system. Such data is physically destroyed to ensure it cannot be retrieved or reused.
  • Secure Deletion in Software: For data processed either fully or partially automatically and stored digitally, methods are utilized to ensure that the data is irretrievably removed from the respective software.

Procedure for Anonymizing Personal Data

Anonymization refers to transforming personal data such that, even when matched with other data, it cannot be linked to a specific or identifiable individual. Techniques used for anonymization include:

  • Masking: Masking involves removing the primary identifying information from the data set to make the personal data anonymous.
  • Aggregation: Aggregation compiles multiple data points to ensure that personal data cannot be linked to a particular individual.
  • Data Derivation: This method generalizes the content of personal data to ensure it can't be connected to a specific person.
  • Data Shuffling (Permutation): Shuffling involves mixing data values within a set to break any links between the data and the individuals.

Minimum periods for deletion, destruction, and anonymization will be determined by the business units processing the Personal Data. All OrgInsight Company systems will be adapted to these processes. If a decision is made by OrgInsight Companies to retain data beyond the legal obligations, data subjects will be informed about the duration and reasons for the processing.

Above all, OrgInsight Companies must adhere to transparency obligations regarding data retention. If there are minimum retention periods for certain data, any requests to delete, destroy, or anonymize them will be denied, provided that the legal obligations are clarified. If there's no specific duration set by law for data retention, the data will be processed for the duration necessary for OrgInsight's processing purposes, after which it will be deleted, destroyed, or anonymized. Even after processing purposes end, personal data can be archived to serve as evidence in potential legal disputes, provided it's not subjected to regular processing.

When determining archival durations, the statute of limitations will be considered. However, based on OrgInsight Companies' past experiences and prior data requests, durations exceeding these limits might be set. In these cases, without confirming the currentness and acquiring explicit consent, access to personal data for purposes other than resolving legal disputes won't be granted. At the end of the determined archival periods, even the archived data will be deleted, destroyed, or anonymized.

OrgInsight Companies process various types of Personal Data, which include:

  • Individual Customer Data: Data such as name, surname, address, email, mobile number, birthdate, gender, loyalty card number, marital status, and many more, may be processed.

    These data, although not inclusive of all personal data processed, are limited to purposes like creating sales history, billing, delivering products, sending e-newsletters, conducting customer analysis, and similar objectives.

  • Corporate Customers, Suppliers, and Service Providers' Personnel and Authorized Signatories Data: Data like personnel name, signature authority name, email, identification number, bank details, and similar data can be processed.

    Such data are used for purposes like tailoring clothes, wholesale sales, creating sales history, delivering products, sending e-newsletters, conducting customer analysis, opening current accounts, and more.

  • Potential Customer Data: Information such as name, surname, email, gender, mobile number, and birthdate might be processed by OrgInsight Companies.

    These data, again not exhaustive, are processed for purposes like sending gifts, loyalty cards, event invitations, e-newsletters, marketing communications, analysis, and informing about new products.

Potential Customer Data

Information related to potential clients is acquired with the understanding that OrgInsight Companies will process this data for the specified purposes, provided that the potential client consents to the data being shared with third parties. Upon the initial contact with a potential client, they will be informed about this Policy and the associated data processing. Any objections or complaints will lead to immediate deletion, destruction, or anonymization of the related Personal Data.

If a relationship is established with the potential customer, the data processed in this context will be subject to customer data procedures.

Employee Data

While not universally applicable to every OrgInsight Company, details like name, surname, date of birth, contact information, marital status, family details, educational background, and various other personal and professional information are processed for employees.

Employee health data, including sensitive personal data, is processed by the Human Resources division to the extent required by legislation. For more on this, see the (G) section. Some health data is also processed by workplace physicians and safety experts. Access to this health data is highly restricted, and measures, like encryption, are in place to protect it. No third party will have access to this health data.

These data are used for various HR-related functions such as performance evaluations, payroll processing, updating records, and similar objectives, always with the employee's consent.

All employee data files are managed and stored by the central Human Resources division of OrgInsight Ltd. Co. By accepting this policy, all employees agree that their data can be processed by the HR division of any OrgInsight Company.

Candidate Data

For candidates applying to work at OrgInsight Companies, personal and professional information, similar to that of employees, is processed. This data processing is primarily for recruitment purposes. Once a service contract is established, the data of the candidate becomes subject to employee data processes.

Student Data

For students participating in the international fashion school programs of OrgInsight ESMOD, data such as name, contact details, ID numbers, and educational background are processed. This data processing is essential for contractual obligations, issuing certifications, and is executed with the students' consent. OrgInsight will fulfill its duty to inform as required.

Personal Data Processing

The Personal Data in question is processed for specific purposes. These include registering for training, sharing certification and registration procedures with ESMOD, ensuring the continuity of training, fulfilling information and requests related to the training, among others.

Payment Information

For some OrgInsight Companies (but not all), there are provisions to make payments using the mail-order method for wholesale and Educational activities. This involves processing Personal Data such as the student's first and last name, cardholder's first and last name, cardholder's national ID number, bank name, type of card, credit card details, etc. This Personal Data is processed strictly for payment purposes.

Data Security

Measures are taken to ensure the security of these data. Access to the data is restricted only to authorized personnel. To further ensure the security of the processing, practices are in place to prevent misuse, such as deleting security codes after use. If advanced security procedures become available, they will be implemented and updated as needed.

Listener Data

Primarily for OrgInsight's music broadcasting units (e.g., Power, PowerFM, PowerTürk), Personal Data like first and last name, phone number, email, address, city, age, date of birth, gender, profession, education status, mobile phone, and photos (excluding selfies taken by individuals) can be processed for contests and analyses among listeners.

The aforementioned Personal Data is processed for purposes like participating in contests, issuing gift vouchers and prizes, conducting analyses, and, if working with third parties, it also includes sharing the data with them. For information on data sharing with third parties, refer to section (E).

Complaint Data

For certain OrgInsight Companies (but not all), under the Consumer Protection Law No. 6502, Personal Data such as first and last name, gender, email, mobile phone, home phone, date of birth, address, body size, national ID number, etc., can be processed in relation to consumer complaints and requests. This Personal Data is processed to address incoming complaints and requests, conduct analyses, and for similar purposes.

F. SPECIAL CATEGORY PERSONAL DATA PROCESSING

Within the OrgInsight Companies framework, Special Category Personal Data is processed with utmost limited access and security, strictly in accordance with legal, administrative, and judicial requirements and directly related to the operations of OrgInsight Companies. Such data can be processed in full compliance with the Law: (i) when processing is explicitly stated in laws, excluding personal data of special nature concerning health and sexual life, and (ii) for health and sexual life-related data, it can be processed without the Data Subject's consent when done by individuals or institutions obligated to confidentiality, aiming at public health protection, preventive medicine, medical diagnosis, treatment, healthcare management, and planning. However, even if these exceptional conditions arise, OrgInsight Companies will inform Data Subjects about the processing of their Special Category Personal Data and will always seek explicit consent. In cases of doubt about the applicability of exceptions or without explicit consent, such data will immediately be deleted, destroyed, and anonymized. In such situations, immediate steps will be taken to notify the [OrgInsight KVK COMMITTEE] and inform the concerned Data Owner and the Board if applicable.

G. OBLIGATION TO INFORM ABOUT PERSONAL DATA

OrgInsight Companies are obliged to inform individuals when collecting their Personal Data. The scope of this notification includes: The identity of the data controller and any representatives, the purpose of processing, to whom and for what reasons the data may be transferred, how data collection is conducted, and the legal reasons, as well as the rights of the Data Subject as stated in section (C). OrgInsight Companies will provide necessary information through tools used to gather data from Third Parties and will obtain documented consent from data owners to prove that the obligation to inform has been fulfilled. Personal Data can be collected through all sales channels of OrgInsight Companies, including e-commerce, retail, wholesale stores, branches, websites, call centers, or any other channels, using verbal, written, or electronic methods. Written Data Collection: During written data collection, references will be made to this Policy, ensuring the use of updated forms and meeting the obligation to inform. Additionally, all forms and contracts, even if considered exceptions under the Law, will be revised to clearly show the Data Subject's explicit consent.

In customer relations, new forms, documents, and notifications that prove compliance with the Law will be used; all relevant employees will be trained to provide detailed information and references to the real person. It is essential to obtain Personal Data through written forms containing informed consents. Verbal Data Collection: Any new data obtained verbally, beyond the existing data of current customers processed as per the Permission Communication Forms or collected via Call Centers, will be accompanied by information about the obligation to inform. During verbal data collection, it will be reminded that the conversation is recorded, given prior notification, and it will be confirmed that the personal data is processed in line with this Policy and the existing Permission Communication Forms.

Both the workforce and the Call Center's operational procedures will be re-evaluated and implemented accordingly. Electronic Data Collection: Data obtained through e-commerce channels and other online channels of OrgInsight will be revised to fulfill the obligation to inform, including this Policy, all contracts, and documents related to distance sales, web pages, and link addresses. This Policy will be accessible from all web pages, and systems requiring OrgInsight Companies' approval for data collection will be established at every link address. Unless explicitly marked as consented, no entered information or document will be automatically recorded in any OrgInsight Company system or processed in any manner.

Any complaints made by individuals regarding the processing of their personal data by OrgInsight Companies will be addressed as promptly as possible, and definitely within 30 days. Data subjects can submit their requests and complaints to the OrgInsight Data Protection Committee of OrgInsight Ltd. either in person (with an identity check) or through a notarized power of attorney. Applications can also be made through notary channels or securely signed electronic emails to KVKK@orginsight.co. Employees dealing with email and phone inquiries must be cautious about revealing any personal information stored by OrgInsight. They must verify the identity of the caller and, if unsure or unable to verify, should advise the caller to submit their request in writing.

In challenging situations, they should seek guidance from their managers. No one should be pressured into disclosing personal data. If an employee receives a notification/request from a data subject, this should be promptly reported in writing to the OrgInsight Data Protection Committee. This committee will liaise with relevant departments to address complaints/requests. All requests from data subjects must be diligently recorded and reviewed, and the OrgInsight Data Protection Committee will respond within a maximum of 30 days without any extra charges, provided the requests are feasible.

The process for examining all data subject requests, including deletion, destruction, or anonymization of personal data, is as follows: The OrgInsight Data Protection Committee will conduct an initial assessment to determine the validity of the request/complaint and decide if identity verification or additional information is needed. This committee will communicate in writing with the individual to confirm receipt of their access request and, if necessary, ask for identity confirmation or additional information, or decline the request if there's an exception related to access.

Searches will be organized across all electronic and paper filing systems. The OrgInsight Data Protection Committee might refer complicated cases, especially those involving third-party information or where the disclosure might harm trade secrets or legal processes, to internal departments or third-party consultants for support. The committee will organize the requested information in an easily readable format and can accept or deny the data subject's request on behalf of the relevant OrgInsight Company. However, particularly if an exception under the Law or Policy applies, the request can be denied.

If the data subject's request is approved, the relevant units of OrgInsight will immediately execute it. The complainant can fully or partially contest the response given by OrgInsight Companies and inform the concerned OrgInsight employee. In such cases, the complaint will be reevaluated and finally addressed. The same procedures and timelines will apply, and this won't cut off or pause the timelines stipulated by the Law. Requests for second evaluations aren't a legal obligation but are reevaluated solely for customer satisfaction. As per the Law, data subjects have the right to appeal to the Board within 30 days of learning the initial response from OrgInsight and at most 60 days from the date of the initial application, and adhering to these timelines is crucial.

I. COMMUNICATION WITH THE DATA PROTECTION AUTHORITY

OrgInsight Companies are obliged to provide any information and documents requested by the Authority related to its investigations, excluding state secrets, within 15 days. Moreover, they must allow on-site examinations when necessary. The [OrgInsight Data Protection Committee] has been designated as the unit responsible for correspondences with the Authority. All employees should direct any communication related to personal data protection towards the [OrgInsight Data Protection Committee]. OrgInsight and all its employees will comply with the decisions rendered by the Authority, either proactively or upon complaint, without delay and no later than 30 days from the notice. All OrgInsight Companies will register with the Public Data Controllers Registry, maintained openly by the Data Protection Authority's Presidency, once it's actively operational, unless they are exempt from the mandatory registration by the Authority.

J. MANAGEMENT STRUCTURE OF PERSONAL DATA PROTECTION AND PROCESSING POLICY

OrgInsight Ltd has established the Supreme Board of Personal Data Management to ensure adherence to the Data Protection Act provisions and to implement the Personal Data Protection and Processing Policy. They've also set up the Committee for Personal Data Protection.

The duties of this committee include making decisions about the protection and processing of personal data, presenting these decisions to senior management, making amendments to the policy, overseeing its implementation, identifying necessary actions within the framework of the Data Protection Act and related regulations, evaluating applications from personal data owners, monitoring developments in personal data protection, ensuring its application by informing stakeholders, and taking the necessary precautions.

K. EXCEPTIONS REGARDING THE IMPLEMENTATION OF THE POLICY

As stipulated in Article 28 of the Law, this Policy will not be applied in the following cases: processing of personal data by individuals solely for their own or their cohabiting family members' activities, provided it's not shared with third parties and complies with data security obligations; processing for official statistical purposes or anonymized for research, planning, and statistics; processing for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, without violating national defense, national security, public safety, public order, economic security, privacy, or individual rights; processing within the context of preventive, protective, and intelligence activities carried out by public institutions and organizations tasked by law to maintain national defense, national security, public safety, public order, or economic security; processing by judicial authorities or execution offices related to investigation, prosecution, trial, or execution processes.

Excluding the obligation to inform, Data Owners will not exercise their rights regulated in the Law and this Policy under the presence of the following exceptions: if processing personal data is necessary to prevent a crime or for a crime investigation; if the personal data that's processed has been publicized by the Data Owner; if processing is essential for the oversight or regulatory duties of competent public institutions and organizations or professional organizations of public institution status; if processing is necessary to protect the state's economic and financial interests regarding budgetary, tax, and financial matters.

PERSONAL DATA NOT COVERED BY THIS POLICY

Personal data that is either entirely or partly obtained automatically or, even if non-automatically, is a part of any data recording system, isn't covered by this Policy. Hence, for any data not part of a recording system within OrgInsight Companies, this Law and the given Policy will not be applied. Any responsibilities OrgInsight has regarding this data will be bound by the Constitution of the Republic of Turkey and the Turkish Penal Code.

L. IMPROVEMENTS AND AMENDMENTS

Should any employee have queries or issues about this Policy or the Law, they should consult the [OrgInsight Personal Data Committee]. It will be ensured that all employees have a deep understanding of the Law and this Policy's requirements. By adopting this Policy, all employees affirm, declare, and commit that their business processes are compliant with the Policy. If any employee or other data subjects believe there's a breach in adhering to this Policy concerning personal data, the matter should be referred to the [OrgInsight Personal Data Committee]. This Policy might be subject to change and updates in line with upcoming regulations and other secondary legislation.

OrgInsight Companies and all their employees commit, declare, and promise to swiftly bring all their processes into full alignment with any modifications in the Law, this Policy, and any future secondary legislation concerning personal data protection. If any changes are made to this Policy, all affected data subjects will be notified, and they will be informed about how to access the updated Policy and how to obtain further information.

CONCLUSION AND LIABILITY

OrgInsight is enhancing its procedures to manage all its processes in compliance with the Law and to meet the Law's requirements. Currently, OrgInsight is in line with the Constitution of the Republic of Turkey, the Turkish Penal Code, and the general principles of international personal data protection. As per this general Policy prepared to be applied across all business units, the principles for the processing of Personal Data by OrgInsight Companies are binding for all business units and employees.