BABAKAMP TURİZM TARIM VE TİCARET LİMİTED ŞİRKETİ

PRIVACY AND PERSONAL DATA PROTECTION POLICY

In this "Privacy and Personal Data Protection Policy," the company, Babakamp Turizm Tarım ve Ticaret Limited Şirketi, with MERSIS number 0128047537700001, located at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, referred to as the "Company," complies with the Law on the Protection of Personal Data No. 6698, referred to as the "Law."

The Company, in accordance with the principles set forth in the Law, fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer, informing of the data subject, and ensuring data security.

This Privacy and Personal Data Protection Policy, which is prepared in accordance with the Law, is made accessible to the real persons ("Data Subject") whose personal data is processed.

1. Scope and Purpose of Privacy and Personal Data Protection Policy:

This Privacy and Personal Data Protection Policy includes:

• Methods and legal reasons for collecting personal data,
• Categories of individuals whose personal data is processed (Data Subject Categorization),
• Categories of personal data processed for data subjects (Data Categories) and example data types,
• Purposes for which relevant personal data is used,
• Technical and administrative measures taken to ensure the security of personal data,
• To whom and for what purposes personal data may be transferred,
• Sharing of personal data with public institutions and organizations and official authorities,
• Storage periods of personal data,
• Profiling and segmentation information,
• Details on the rights of data subjects over their personal data and how they can exercise these rights.

a. Methods of Collecting Personal Data and Legal Reasons:

The Company collects personal data through stores, call centers, websites, social media accounts, email, mail, call centers, CCTV, cookies, fax, notifications from administrative and judicial authorities, and other communication channels, in oral, electronic, or written form, in compliance with the personal data processing conditions specified in the Law and the legal reasons stated in this Privacy and Personal Data Protection Policy.

b. Data Subject Categorization:

The Company categorizes the data subjects whose personal data it processes as follows, and the expansion of these groups may be possible in light of the processes and legal reasons specified in this policy.

1. Customer, 
2. Online Customer,
3. Visitor, 
4. Online Visitor, 
5. Business Solution Partner / Supplier

c. Data Categories and Example Data Types: 

d. Purpose of Using Personal Data

The Company utilizes personal data for the following purposes:

• Execution of commercial activities by relevant departments of the Company and the conduct of necessary work for the realization of company operations and related business processes.
• Conducting Efficiency/Productivity and/or Relevance Analyses of Business Activities, Planning, and/or Execution of Activities.
• Planning and/or Execution of Business Continuity Assurance Activities.
• Planning and Execution of Logistics Activities.
• Planning and Execution of Corporate Communication Activities.
• Planning and Execution of Supply Chain Management Processes.
• Planning, Auditing, and Execution of Information Security Processes.
• Monitoring of Company Financial and Accounting Affairs.
• Planning and Execution of Company Operational Processes.
• Planning and Execution of Internal and External Training Activities.
• Management of Relationships with Business Partners and/or Suppliers.
• Planning and Execution of Sales Processes for Products and/or Services.
• Planning and Execution of After-Sales Support Service Activities.
• Planning and Execution of Customer Relationship Management Processes.
• Tracking Customer Requests and/or Complaints.
• Planning and Execution of Market Research Activities for the Sale and Marketing of Products and/or Services.
• Planning and Execution of Marketing Processes for Products and/or Services.
• Planning and/or Execution of Customer Satisfaction Activities.
• Tracking Legal Affairs and Fulfillment of Legal Responsibilities.
• Planning and Execution of Operational Activities Necessary for Ensuring the Conduct of Company Operations in Compliance with Company Procedures and/or Relevant Legislation.
• Providing Information to Authorized Institutions in Accordance with Legal Requirements.
• Planning and Execution of Company Audit Activities.
• Ensuring the Security of Company Sites and/or Facilities.
• Ensuring the Security of Company Operations.
• Ensuring the Security of Company Sites and Movables.
• Ensuring the Security of Company Assets and/or Resources.
• Creation of Visitor Records.

e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

The Company is committed to taking all necessary technical and administrative measures to ensure the confidentiality, integrity, and security of your personal data. In this context, measures are taken to prevent the unauthorized use of personal data, its unlawful processing, unauthorized access to data, disclosure, alteration, or destruction of data.

Some of the technical and administrative measures taken by the Company include:

• Anti-Virus: Regularly updated anti-virus applications are installed on all PCs and Servers in the company's IT infrastructure.
• Firewall: Servers hosted in Data Centers and Disaster Recovery Centers are protected by periodically updated firewall software, providing protection against internet threats.
• VPN (Virtual Private Network): Secure communication is established between stores and server systems using IP-SEC VPN.
• User Identifications and Need-to-Know: Employee permissions for accessing company systems are limited based on job descriptions and are promptly updated in case of any changes.
• Information Security Threat and Incident Management: Events occurring in company servers and firewalls are transferred to the "Information Security Threat and Incident Management" system, enabling quick response to security threats.
• Penetration Testing: Periodic penetration testing is conducted by an external firm on company servers, computers, and a sample store. Security vulnerabilities identified are promptly addressed.
• Phishing Email Tests: Regular phishing email tests are conducted to increase awareness among users. Based on results, users are assigned online training through the Company User Portal.
• Training Portal: An active Training Portal is used to increase awareness among employees regarding various information security breaches.
• Clean Table & Clean Desk: Employees are obligated to adhere to the "clean table & clean desk" principle according to internal rules.
• Other: All fields on the website where personal data is collected are secured with SSL. Pseudonymization is used for all secondary data processes not related to the primary processing purpose. Physical records of personal data are stored in locked cabinets and accessed only by authorized personnel. Personal data processed through third-party cookies is deleted from third-party systems upon the termination of membership.

Despite taking necessary information security measures, in the event of a data breach or unauthorized access due to attacks on the platforms operated by the Company or the Company's systems, the Company promptly notifies you and the Personal Data Protection Board and takes the necessary precautions.

f. To Whom and for What Purpose Personal Data May be Transferred

The Company transfers personal data only to third parties and abroad in accordance with the purposes specified in this Privacy and Personal Data Protection Policy and in compliance with Articles 8 and 9 of the Law.

These transfers of personal data are made through secure environments and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties, data subject personal data is transferred using Pseudonymous data when transfer is not necessary.

The personal data subject to domestic and international transfer, in addition to ensuring their security with technical measures, is legally protected through the inclusion of Law-compliant provisions in our contracts, taking into account whether the counterparty of the legal relationship is a data controller or data processor.

h. Duration of Storage of Personal Data The Company retains the personal data it processes in compliance with the Law for the periods envisaged in the relevant legislation or for the durations required by the purpose of processing. In the Personal Data Storage and Destruction Policy, [insert link], these periods are approximately as follows:

i. Profiling and Segmentation The Company, using the personal data it processes for Customer and Online Customers, engages in profiling and segmentation to: i. Customize content, advertisements, promotions, and discounts based on the preferences of Customers and Online Customers who have granted permission for commercial electronic messaging. ii. Perform profiling and segmentation for Customers and Online Customers who have not given consent for commercial electronic messaging, including: • Improving products based on customer preferences, complaints, and suggestions (updating the product catalog by identifying the most and least preferred products), • Organizing special campaigns for customers with a high potential to purchase a product using models created as a result of the analysis of customer product preferences, • Conducting efforts to increase the popularity of products, • Personal data of Customers and Online Customers is not used directly in profiling and segmentation studies; instead, transactions are carried out through unique customer numbers assigned to each member. This ensures the protection of personal data, and these customer numbers are only accessible to the relevant individuals or departments within the scope of the "Need to Know" principle.

j. Rights of Data Subjects and How to Exercise Them The rights of data subjects under Article 11 of the Law are as follows: (1) Learn whether personal data is being processed, (2) Request information if personal data has been processed, (3) Learn the purpose of processing personal data and whether they are used in accordance with their purpose, (4) Know the third parties to whom personal data is transferred domestically or abroad, (5) Request correction of personal data if it is incomplete or incorrect, (6) Request deletion or destruction of personal data within the framework of the conditions specified in Article 7 of the Law, (7) Request notification of third parties to whom personal data has been disclosed, in cases mentioned in paragraphs (d) and (e), (8) Object to the emergence of a result against the individual by analyzing processed data exclusively through automatic systems, (9) Request compensation for damages in case of harm due to the illegal processing of personal data. To exercise your rights regarding your personal data, you can use the "Personal Data Application Form" available on the Company's website [insert link], or you can perform necessary changes, updates, and/or deletions and submit relevant requests via the email address kvkk@babakamp.com.

1. Conditions for Deletion, Destruction, and Anonymization of Personal Data The Company, within the scope of its business processes, stores and processes personal data collected through channels such as physical, electronic, website, and email for the periods stipulated by the relevant laws and/or the periods required by the processing purpose. Upon the expiration of these periods, the Company will delete, destroy, or anonymize personal data in accordance with the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data and the Guide on the Deletion, Destruction, or Anonymization of Personal Data. Deletion of personal data by the Company refers to rendering personal data inaccessible and unusable for the relevant users in any way. Destruction of personal data by the Company means making personal data inaccessible, irretrievable, and unusable by anyone. Anonymization of personal data by the Company refers to making personal data unable to be associated with a real person whose identity can be determined, even if matched with other data. The Company, in its Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, explains in detail the methods, technical, and administrative measures taken for deletion, destruction, and anonymization. You can access the Personal Data Storage and Destruction Policy via the link [insert link]. The Policy also specifies that the interval for periodic destruction, as required by the Regulation, is set at 6 months.
2. Changes to the Privacy and Personal Data Protection Policy The Company may make changes to this Privacy and Personal Data Protection Policy at any time. These changes will take effect immediately upon the publication of the revised Privacy and Personal Data Protection Policy. To be informed of changes to this Privacy and Personal Data Protection Policy, necessary notifications will be provided.

PERSONAL DATA 

STORAGE AND DESTRUCTION POLICY

1. Purpose 

The purpose of this Personal Data Storage and Destruction Policy ("Policy") is to determine the processing periods of personal data processed by Babakamp Turizm Tarım ve Ticaret Limited Şirketi ("Company"), with headquarters at Karaağaç Neighborhood, Karaağaç Street No:43 Fethiye, Muğla, with the Mersis number 0128047537700001, and to establish criteria and methods for the deletion, destruction, or anonymization of personal data whose processing period and/or processing purpose have ceased to exist.

This Policy also includes technical and administrative measures taken to ensure data security, as well as current provisions in relevant legislation, in accordance with Article 6 of the Regulation on Deletion, Destruction, or Anonymization of Personal Data, which came into effect on October 28, 2017. Additionally, the Policy takes into account the Guide on Deletion, Destruction, and Anonymization of Personal Data published by the Personal Data Protection Authority. 

1. Scope 

This Policy covers the processes of deletion, destruction, or anonymization of all personal data processed by the COMPANY as the "Data Controller," either entirely or partially automatically, or non-automatically as part of any data recording system, in electronic and/or paper format, in accordance with Article 7 of Law No. 6698 on the Protection of Personal Data. 

1. Explanation of legal, technical, or other reasons requiring the storage and destruction of personal data 

The COMPANY processes personal data of employees, job applicants, employees' relatives, business partners, suppliers, visitors, and online visitors to carry out business processes and related activities performed by various departments within the company, in line with their job descriptions. These personal data are stored for the periods specified in the legislation or within the framework of the processing purpose determined by the relevant department. All these processes are included in the Personal Data Processing Inventory. When the relevant storage periods expire, personal data for which the processing purpose has ceased are destroyed using the deletion, destruction, or anonymization methods specified in this Policy. 

1. Technical and administrative measures taken to securely store and prevent the unlawful processing and access of personal data 

The Company commits to taking all necessary technical and administrative measures to ensure the confidentiality, integrity, and security of your personal data. In this context, the Company takes measures to prevent the misuse, unlawful processing, unauthorized access, disclosure, alteration, or destruction of data. The Company implements the following technical and administrative measures to prevent the unlawful processing and access of personal data:

Anti-Virus: The Company has periodically updated anti-virus software installed on all PCs and servers in its information technology infrastructure.

Firewall: Data centers hosting the Company's servers are protected by periodically updated software firewalls. These new-generation firewalls control internet connections for all staff members, providing protection against viruses and similar threats.

VPN: Stores connect to server systems using IP-SEC VPN, ensuring encrypted transmission of traffic between two points.

Suppliers can access the Company's servers or systems via SSL-VPN defined on firewalls. Separate SSL-VPN definitions are made for each supplier, allowing them access only to the systems they need or are authorized to use.

User Identifications and Need to Know: The Company limits the permissions of its employees and store staff related to Company systems only to the extent necessary based on their job descriptions. In case of any changes in authorization and duties, system permissions are promptly updated.

Information Security Threat and Incident Management: Events occurring on the Company's servers and firewalls are transferred to the "Information Security Threat and Incident Management" system. This system warns responsible personnel in case of a security threat, enabling an immediate response to the threat.

Penetration Test: Periodically, a penetration test is manually conducted by an external company on the Company's system servers, computers, and a sample store. Security vulnerabilities identified during the test are closed, and a verification test is conducted to confirm that the relevant security vulnerabilities have been addressed. Additionally, an automatic penetration test is performed by the Information Security Threat and Incident Management system.

Phishing Email Tests: Regularly, phishing emails are sent to Company system users to increase awareness. Based on the results, users are assigned training through the Company User Portal.

Training Portal: The Training Portal is actively used to increase the awareness of Company employees about various information security breaches and minimize the impact of the human factor in information breach incidents. All employees have received Cyber Security and Information Security training online.

Clean Table & Clean Desk: According to internal rules, both central and store employees are obliged to adhere to the "clean table & clean desk" principle.

Others:

• All fields on the website where personal data is received are secured with SSL.
• For all secondary data processing beyond the primary processing purpose, the Pseudonymization method is used (Example: Ahmet Yılmaz → "A… Y…").
• Personal data in paper format must be stored in locked cabinets and accessed only by authorized personnel.
• Personal data processed through cookies belonging to third parties are deleted from third-party systems when the membership ends.

Despite all these technical and administrative measures taken by the Company, if personal data is damaged due to attacks on the website and/or system or if it falls into the hands of unauthorized persons, the Company will inform the relevant persons and the Personal Data Protection Authority as soon as possible, take all necessary corrective actions, and provide all necessary support for the investigation and prevention of the incident. This obligation will not be valid if the relevant personal data is anonymized and the anonymization process is successful.

1. Methods for deletion, destruction, or anonymization of personal data 

Personal data for which the processing period has expired and/or the processing purpose no longer exists are deleted, destroyed, or anonymized by the methods specified in this Policy.

Deletion: Personal data are deleted from the Company's system by marking them as "deleted" on the database. Once deleted, personal data cannot be accessed or used by the relevant departments.

Destruction: Physical destruction is applied to personal data in paper format. The destruction process is carried out using a shredder machine that provides cross-cutting and disposes of the data in a way that it cannot be reconstructed.

Anonymization: Personal data that is anonymized is processed in a way that it cannot be associated with an identified or identifiable natural person, even through additional data. The anonymization process is carried out by the relevant department that processed the personal data.

1. Deletion, destruction, or anonymization of personal data ex officio or upon the data subject's request 

Personal data are deleted, destroyed, or anonymized by the relevant department or data processor ex officio or upon the data subject's request within the periods specified in the legislation or within the framework of the processing purpose determined by the relevant department. To exercise the right to deletion, destruction, or anonymization, data subjects must submit their requests in writing to the Company's data controller, using the methods specified in Article 7 of the Policy on the Processing and Protection of Personal Data. The relevant department or data processor will fulfill the request as soon as possible and no later than 30 days.

1. Implementation of the Policy 

This Policy enters into force on the date of approval by the COMPANY. The provisions of the Policy will be monitored and reviewed by the COMPANY annually. Necessary updates and changes will be made in case of changes in legislation, the processing of personal data, and technological developments.

1. İletişim 

For your questions and requests regarding the processing and protection of personal data, you can contact the Company using the following contact information:

Babakamp Tourism Agriculture and Trade Limited Company Karaağaç Mahallesi, Karaağaç Caddesi No:43 Fethiye, Muğla 

Phone: +90 (252) 614 00 10 

Email: info@babakamp.com.tr

1. Duration for Deletion and Destruction of Personal Data 

Upon the Data Subject's Request When the data subject requests the deletion or destruction of their personal data by applying to the COMPANY: a) If all processing conditions of personal data have ceased to exist, the COMPANY deletes, destroys, or anonymizes the personal data subject to the request. The COMPANY concludes the deletion or destruction requests of the data subjects within "thirty days" at the latest. b) If all processing conditions of personal data have ceased to exist, and the personal data subject to the request has been transferred to third parties, the COMPANY notifies this situation to the third party and requests the deletion or destruction of the relevant personal data. If all processing conditions of personal data have not ceased to exist, this request may be rejected by the COMPANY with an explanation of the reasons, in accordance with the third paragraph of Article 13 of the Law on the Protection of Personal Data. The rejection response is communicated to the data subject in writing or electronically within "thirty days" at the latest.

1. Updates to the Personal Data Storage and Destruction Policy 

The Company has the right to make updates to this Policy, revise the articles, and publish the revised version along with the revision and approval date. 

Document Date Revision Date / Number

PERSONAL DATA APPLICATION FORM

UNDER THE LAW ON PROTECTION OF PERSONAL DATA

Individuals defined as relevant persons in Law No. 6698 on the Protection of Personal Data ("Law") have been granted specific rights regarding the processing of their personal data in Article 11 of the Law. In accordance with the first paragraph of Article 13 of the Law; applications related to these rights to the data controller, Babakamp Turizm Tarım ve Ticaret Limited Şirketi with central address at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, and Mersis number 0128047537700001 ("Company") must be submitted in writing or through other methods specified by the Personal Data Protection Board ("Board"). 

In this context, "written" applications to our Company must be submitted by taking the printout of this form, either in person by the applicant or through a notary, or by being signed by the applicant with the "secure electronic signature" defined in the Law No. 5070 on Electronic Signature and sent to our Company's registered email address. Below are the details regarding how written applications will be delivered to us in terms of specific information channels for written applications. 

Applications submitted to us will be responded within thirty (30) days from the date the application reaches us, in accordance with the second paragraph of Article 13 of the Law, depending on the nature of the request. Our responses will be sent to the applicant in writing or electronically in accordance with the provision of Article 13 of the Law. If the request involves a cost, according to the "Communiqué on Application Procedures and Principles to the Data Controller" published by the Board; a processing fee of 1 Turkish Lira per page for each page exceeding ten pages; if the response to the application is provided on a recording medium such as a CD, flash drive, the cost of the recording medium may be requested by the data controller, provided that it does not exceed its cost. 

I. Information for the Recognition of the Applicant and Communication Regarding the Application: 

Full Name: 

Turkish ID / Passport Number: 

Address: 

Phone Number: 

Email Address:

II. Explanations about your relationship with our Company (e.g., candidate, employee, supplier, customer, visitor, etc.):

III. Please specify in detail your request under the Personal Data Protection Law, including the type of data you want information about, the transfer method, application, and process:

IV. Please choose the notification management for the response to your application 

I want it to be sent to my address. 

I want it to be sent to my email address. 

I want to receive it in person. (If received on behalf of someone else, a notarized power of attorney or authorization document is required.) 

V. Explanations: This application form is prepared to determine your relationship with our Company, identify your personal data processed by our Company, and respond correctly and within the legal period to your relevant application. In order to eliminate legal risks that may arise from unauthorized and unlawful data sharing, especially for the security of your personal data, our Company reserves the right to request additional documents and information (such as a copy of an ID card or driver's license) for identity and authorization verification. Our Company does not accept responsibility for requests arising from incorrect information or unauthorized applications. The personal data you share in this form will be processed limited to the purposes of evaluating, finalizing your application under the Law, managing the entire relevant process, and communicating with you for these purposes. Your request may be transferred to our lawyers, business partners providing services in complaint management, quality control, auditing, and risk analysis fields, and service providers, as well as legally authorized public institutions and private individuals, depending on the nature of the request. 

VI. Declaration: I request that my application made under the Personal Data Protection Law be concluded within the framework specified above. I acknowledge, declare, and undertake that the information and documents I have provided in this form are correct, up-to-date, and belong to me. 

Name: 

Date: 

Signature:

CLARIFICATION/INFORMATION FORM FOR

PERSONAL DATA PROCESSING (ALL CANDIDATE CUSTOMERS)

1. Data Controller 

In accordance with the Law on the Protection of Personal Data No. 6698 ("Law"), your personal data is processed by Babakamp Turizm Tarım ve Ticaret Limited Şirketi ("Company"), with the central address at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, and Mersis number 0128047537700001, as the data controller, as explained below. 

1. Methods of Collecting Personal Data and Legal Grounds 

Our company processes personal data directly obtained from you, our customers, through the contract relationship between us, our website, our mobile applications, email, mail, fax, notifications from administrative and judicial authorities, and other communication channels, in audio, electronic, or written form, in accordance with the personal data processing conditions specified in the Law. The processing of your personal data is necessary for the performance of the contract relationship between us or directly related to our obligation arising from this contract, ensuring compliance with legal obligations (such as approval and registration processes for commercial electronic messages), and, where necessary, with your explicit consent.

1. Purpose of Processing Personal Data 

Your personal data will be processed for purposes such as establishing a contractual relationship with you, managing all stages of this contract process, planning and executing end-to-end marketing processes, preparing and presenting the most suitable offers to you, ensuring information security and legal transaction security, and conducting activities in compliance with the legislation. Other purposes include managing communication activities, ensuring the accuracy of your data, conducting statistical evaluations and market research, managing customer relationship processes, conducting activities for customer satisfaction, conducting marketing processes for products/services, managing risk management processes, and organizing and managing events. 

1. Transfer of Processed Personal Data 

Our company processes your personal data with due care, in accordance with the principles of "need to know" and "need to use," ensuring the necessary data minimization and taking the required technical and administrative security measures. Due to the necessity of continuous data flow with different stakeholders for the conduct and supervision of business activities, maintenance of business continuity, and operation of digital infrastructures, we are obliged to transfer processed personal data to third parties for specific purposes. Additionally, working with various business partners and service providers is necessary for fulfilling contractual and legal obligations and ensuring the accuracy and currency of your personal data. Your personal data, within the framework of the purposes mentioned above and limited to the fulfillment of these purposes, may be transferred to our service providers who provide our information technology infrastructure, our solution partners in communication and electronic communication, our service providers and business partners for communication based on customer preferences, Trade Ministry and its authorized company in terms of registration in the message management system (IYS) context, authorized commercial message infrastructure provider for message transmission, our business partners, consultants, and service providers for managing financial processes, detecting and evaluating risks, preventing fraud, our business partners in the field of organization and events, our business partners in quality control, complaint management, and risk analysis services, lawyers, auditors, and experts to fulfill legal obligations, and regulatory and supervisory authorities, courts, and execution offices, as limited to these purposes. 

1. Rights of the Data Subject 

As the data subject whose personal data is processed, you may contact kvkk@babakamp.com or use the form available at www.babakamp.com/kvkk to exercise your rights under Article 11 of the Law, including the right to learn about the processing of personal data, request information about the processing, learn the purpose of processing, know the recipients of transfers, request correction of incomplete or incorrect processing, request deletion or destruction, object to automated decision-making, and request compensation for damages.