GDPR Documents

Membership Agreement

Please read these Terms of Use carefully before using our website.

Customers who use and shop on this website are deemed to have accepted the following terms:

The web pages on this website and all pages linked thereto (“Site”) are owned and operated by Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ (the “Company”), located at Pirireis Mah., 1103 Sokak, No:6A, Yenişehir / Mersin. By using all services offered on the Site, you (“User”) agree that you are subject to the following terms; that you have the legal capacity, authority, and right to enter into a contract under the laws to which you are subject; that you are over the age of 18; and that you have read, understood, and agree to be bound by the terms of this Agreement.

This Agreement imposes rights and obligations on the parties regarding the Site, and by accepting this Agreement, the parties declare that they shall fully, accurately, and timely fulfill these rights and obligations in accordance with the terms set forth herein.

RESPONSIBILITIES
The Company reserves the right to make changes to prices and the products and services offered at any time.
The Company undertakes that the User shall benefit from the services subject to this Agreement, except in cases of technical malfunctions.
The User agrees in advance that they shall not engage in reverse engineering, attempt to discover or obtain source code, or perform any other action for such purposes; otherwise, they shall be liable for any damages arising vis-à-vis third parties, and legal and criminal proceedings may be initiated against them.
The User agrees not to produce or share any content that is contrary to public morality, unlawful, infringing the rights of third parties, misleading, offensive, obscene, pornographic, violating personal rights, infringing intellectual property rights, or encouraging illegal activities. Otherwise, the User shall be solely responsible for any damages arising therefrom, and the Site authorities reserve the right to suspend or terminate such accounts and initiate legal proceedings. In such cases, the Site reserves the right to disclose information to judicial authorities upon request.
The relationships of Site members with each other or with third parties are entirely their own responsibility.
INTELLECTUAL PROPERTY RIGHTS

2.1. All registered or unregistered intellectual property rights on this Site, including titles, trade names, trademarks, patents, logos, designs, information, and methods, belong to the Site owner/operator or the relevant right holder and are protected under national and international law. Visiting this Site or using its services does not grant any rights to such intellectual property.

2.2. The information on the Site may not be reproduced, published, copied, presented, or transferred in any way. The whole or any part of the Site may not be used on another website without permission.

CONFIDENTIAL INFORMATION

3.1. The Company shall not disclose users’ personal information submitted via the Site to third parties. Such information includes name, surname, address, telephone number, mobile phone number, email address, and any other information identifying the User, collectively referred to as “Confidential Information.”

3.2. The User agrees and declares that the Company may share the User’s communication, portfolio, and demographic information with its affiliates or group companies solely for promotional, advertising, campaign, and marketing purposes. Such information may be used to determine customer profiles, offer promotions and campaigns suitable for such profiles, and conduct statistical analyses.

3.3. Confidential Information may only be disclosed to official authorities when duly requested in accordance with legal procedures and when disclosure is mandatory under applicable legislation.

DISCLAIMER OF WARRANTIES

THIS PROVISION SHALL BE VALID TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. THE SERVICES PROVIDED BY THE COMPANY ARE OFFERED ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND NO EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE MADE WITH RESPECT TO THE SERVICES OR THE APPLICATION, INCLUDING ALL INFORMATION CONTAINED THEREIN.

REGISTRATION AND SECURITY

The User must provide accurate, complete, and up-to-date registration information. Otherwise, this Agreement shall be deemed violated, and the User’s account may be terminated without notice.

The User is responsible for the security of passwords and accounts on the Site and third-party websites. The Company shall not be held liable for data loss, security breaches, or damage to hardware or devices arising otherwise.

FORCE MAJEURE

Events beyond the control of the parties, including natural disasters, fire, explosions, civil war, war, riots, public unrest, mobilization, strikes, lockouts, epidemics, infrastructure and internet failures, and power outages (collectively referred to as “Force Majeure”), which prevent the fulfillment of contractual obligations, shall relieve the parties from liability. During such periods, the rights and obligations of the parties under this Agreement shall be suspended.

SEVERABILITY

If any provision of this Agreement is deemed partially or entirely invalid, the remaining provisions shall remain in full force and effect.

AMENDMENTS

The Company may amend the services and this Agreement in whole or in part at any time. Amendments shall take effect upon publication on the Site. It is the User’s responsibility to follow such amendments. Continued use of the services constitutes acceptance of such changes.

NOTICES

All notices regarding this Agreement shall be sent via the Company’s known email address and the email address provided by the User during registration. The User agrees that the provided address constitutes a valid notification address and undertakes to notify the other party in writing within 5 days of any change; otherwise, notices sent to that address shall be deemed valid.

EVIDENCE AGREEMENT

In any dispute arising from this Agreement, the Company’s books, records, documents, computer records, and fax records shall constitute evidence pursuant to Law No. 6100 of the Code of Civil Procedure, and the User agrees not to object to such records.

GOVERNING JURISDICTION

All disputes arising from the implementation or interpretation of this Agreement shall be subject to the jurisdiction of the Mersin Courts and Enforcement Offices.

Cookie Information Text

EDUSAMA YAZILIM EGITIM HIZMETLERI SANAYI VE TICARET LTD STI
Website Privacy and Cookie Policy

Protecting the privacy of visitors (Data Subjects) to the website (www.edusama.com), which is operated by Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ (Edusama), is among our primary principles. Through this Website Privacy and Cookie Policy (Policy), explanations are provided regarding the processing of personal data of data subjects, the cookie policy, and the website privacy practices.

Privacy and Cookie Policy

Processing of Personal Data of Data Subjects
Personal data obtained during your visit to our website may be processed by Edusama within the scope specified below, in accordance with the Law on the Protection of Personal Data No. 6698 (Law). Detailed information regarding the processing of your personal data can be accessed at (www.edusama.com).

Purpose of Processing Your Personal Data

Your personal data obtained as a result of your visit to our Website may be processed by Edusama for the purposes listed below, in accordance with Articles 5 and 6 of the Law.

Carrying out the necessary work by our relevant business units and conducting the related business processes in order to perform the commercial activities carried out by Edusama,
• Carrying out the necessary work by our business units and conducting the related business processes to enable relevant individuals to benefit from the products and services offered by Edusama,
• Planning and executing the activities required for recommending and promoting the products and services offered by Edusama by customizing them according to the preferences, usage habits, and needs of the relevant individuals.

Parties to Whom Your Personal Data Is Transferred and the Purpose of Transfer

Your personal data obtained during your visit to our website may be transferred to our business partners, suppliers, legally authorized public institutions, and private entities in line with the purposes of processing your personal data, within the scope of the personal data processing conditions and purposes set out in Articles 8 and 9 of the Law.

Method of Collecting Your Personal Data and Legal Basis

Any information that identifies or makes you identifiable is considered “personal data.” Within the scope of your visit to our website, your personal data is collected through cookies, which are technical communication files, in accordance with the data processing conditions set out in the Law, as a result of your visit to our Website.

Rights of Data Subjects

As a data subject, you are entitled to the following rights:

• To learn whether your personal data is being processed,
• If your personal data has been processed, to request information regarding such processing,
• To learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
• To learn the third parties to whom your personal data is transferred, whether within the country or abroad,
• To request the correction of your personal data if it has been processed incompletely or inaccurately, and to request that the correction be notified to the third parties to whom your personal data has been transferred,
• To request the deletion or destruction of your personal data if the reasons requiring its processing no longer exist, even if it has been processed in accordance with the Law and other relevant legislation, and to request that this deletion or destruction be notified to the third parties to whom your personal data has been transferred,
• To object to any result arising against you through the analysis of processed data exclusively by automated systems,
• To request compensation for damages in case you suffer harm due to the unlawful processing of your personal data.

You may submit your applications regarding the rights listed above by completing the “Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ Data Subject Application Form,” which can be accessed via the link (www.edusama.com/kisisel-verilerin-korunmasi). Depending on the nature of your request, your application will be finalized free of charge as soon as possible and, in any case, within thirty days at the latest. However, if the process requires an additional cost, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board.

About the Cookie Policy

This Policy explains what cookies are, the types of cookies, how we use them, and how cookie preferences can be controlled. After reviewing how we use and store your personal data, you may change or withdraw your consent provided in the Cookie Notice on our website at any time.

Your consent applies to the following domains:

1. edusama.com
2. google.com
3. facebook.com
4. twitter.com
5. instagram.com
6. linkedin.com
7. youtube.com

What Are Cookies?

Cookies are small text files used to store small amounts of information. When a website is loaded in your browser, cookies are stored on your device. These cookies help ensure that the website functions properly, allow us to make the website more secure, provide a better user experience, and enable us to analyze how the website performs, what works well, and what needs improvement.

We use cookies to help you make the most efficient use of our website and to enhance your user experience. If you prefer not to allow the use of cookies, you may delete or block them through your browser settings. However, please note that doing so may affect your ability to use our website. Unless you change your cookie settings in your browser, we will assume that you accept the use of cookies on this website.

How Do We Use Cookies?

Third-party cookies used on our websites are primarily utilized to understand how the website performs, how you interact with our website, to keep our services secure, to provide advertisements relevant to you, and overall to offer you a better and improved service. They help enhance the user experience and speed up your future interactions with our website.

Cookies are small text files stored on your device or network server through your browser by the websites you visit.

The main purposes of using cookies on our Website are listed below:

• To improve the services offered to you by increasing the functionality and performance of the website,
• To enhance the Website, introduce new features through the Website, and personalize the provided features according to your preferences,
• To ensure the legal and commercial security of the Website, of you, and of Edusama.

What Types of Cookies Do We Use?

Like most online services, our website uses both first-party and third-party cookies for various purposes. First-party cookies are primarily necessary for the website to function properly, and they do not collect any personally identifiable information.

Essential Cookies:
These cookies are necessary for you to experience the full functionality of our website. They allow us to maintain user sessions and prevent security threats. They do not collect or store personal information. For example, these cookies enable you to log into your account, add items to your cart, and make secure payments.

Statistics Cookies:
These cookies store information such as the number of visitors to the website, the number of unique visitors, which pages of the website are visited, and the source of the visit. This data helps us understand and analyze how well the website is performing.

Marketing Cookies: Our website displays advertisements. These cookies are used to personalize the ads shown to you so that they are more meaningful and relevant. They also help us track the effectiveness of these advertising campaigns.

Functional Cookies:
These cookies support certain non-essential functionalities on our website. Such functionalities include embedding content such as videos or enabling the sharing of website content on social media platforms.

Preference Cookies:
These cookies help us save your settings and determine your browsing preferences, such as language choices, so that you can have a better and more efficient experience during your future visits to the website.

Cookies Used and Their Purposes

Cookie	Description
name: BIGipServerpool_htb- cluster3 (expiration time: session)	The server cookie enables the core functionality of our website. It is automatically activated during the use of the site. Without this cookie, the website cannot function properly.
name: cfduid	It is used to speed up page load times. It does not contain any user identification information.
ga (expiration time: 2 years) – value: GA1.3.483535045.1552657611	Performance cookies are used to monitor the use of our website.
gid (expiration time: 24 hours) – value: GA1.3.1168408869.1552657611	It helps us understand how people interact with our website.
_fbp fb.2.1569392320520.1063931814 (expiration time: 2 years)	It is used for targeting and advertising.
_gcl_au (expiration time: 24/12/2019 )	It is used for targeting and advertising.

How Can I Control Cookie Preferences?

In addition, different browsers offer different methods for blocking and deleting cookies used by websites. You can modify your browser settings to block or delete cookies. For more information on how to manage and delete cookies, you may visit www.allaboutcookies.org.

Types of Cookies Used on Our Website

Session Cookies

(Session Cookies)

Session cookies are temporary cookies used during the time visitors browse the Website and are deleted once the browser is closed.
The primary purpose of using these types of cookies is to ensure that the Website functions properly during your visit.
For example, they allow you to complete online forms that consist of multiple pages.

Persistent Cookies

(Persistent Cookies)

Persistent cookies are a type of cookie used to enhance the functionality of the Website and to provide visitors with faster and improved service.
These cookies are used to remember your preferences and are stored on your device through your browser.
Some types of persistent cookies may be used to offer personalized recommendations based on factors such as the purpose of your use of the Website.

Thanks to persistent cookies, when you revisit our Website using the same device, it is checked whether a cookie created by our Website exists on your device. If such a cookie is present, it is recognized that you have visited the Website before, and the content presented to you is tailored accordingly, allowing us to provide you with a better service.

Cookies Used on Our Website

Technical Cookies	Technical cookies ensure the operation of the website and help identify non-functioning pages and areas of the site.
Authentication Cookies	When visitors log in to the website using their passwords, these cookies identify the visitor as a site user on each page they visit, preventing the need to re-enter the password on every page.
Flash Cookies	These are cookies used to enable image or audio content on the website.
Customization Cookies	These cookies are used to remember users’ preferences when visiting different pages of different websites. For example, remembering the language preference you have selected.
Analytical Cookies	Analytical cookies are used to generate analytical data such as the number of visitors to the website, the identification of pages viewed on the website, the times at which the website is visited, and scrolling behaviors on website pages.

Can the Use of Cookies Be Restricted by Data Subjects?

You can customize your cookie preferences by changing your browser settings.

Adobe Analytics	http://www.adobe.com/uk/privacy/opt-out.html
AOL	https://help.aol.com/articles/restore-security-settings-and-enable-cookie-settings-on-browser
Google Adwords	https://support.google.com/ads/answer/2662922?hl=en
Google Analytics	https://tools.google.com/dlpage/gaoptout
Google Chrome	http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647
Internet Explorer	https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox	http://support.mozilla.com/en-US/kb/Cookies
Opera	http://www.opera.com/browser/tutorials/security/privacy/
Safari	https://support.apple.com/kb/ph19214?locale=tr_TR

Enforcement of the Website Privacy Policy

This Policy entered into force on 15/10/2019. In the event that the Policy in its entirety or certain provisions are updated, the effective date of the Policy will be revised accordingly.

The Policy is published on the Edusama website (www.edusama.com) and is made available to relevant individuals upon request by personal data subjects.

You can access detailed information regarding the processing of your personal data on the “Edusama Yazılım Eğitim Hizmetleri San ve Tic LTD STI Personal Data Protection and Processing Policy” page.

Privacy Notice

EDUSAMA YAZILIM EGITIM HIZMETLERI SANAYI VE TICARET LTD. STI.
PERSONAL DATA PROCESSING INFORMATION NOTICE

As Edusama Yazılım Eğitim Hizmetleri San. ve Tic. LTD ŞTİ (“Edusama”), we attach great importance to the careful processing and protection of your personal data within the scope of the Law on the Protection of Personal Data No. 6698 (“Law”). Acting in the capacity of data controller, we process your personal data within the framework explained below.

Method of Collection and Legal Basis of Personal Data

In order to provide high-quality services, your personal data are collected verbally, in writing, visually or electronically through channels such as the Registration Center, internet, mobile applications, physical locations and similar means, depending on the nature of the services provided, and may be processed in accordance with Articles 5 and 6 of the Law.

The legal basis for the collection of your personal data includes:
• Law No. 5580 on Private Educational Institutions
• Regulation on Private Educational Institutions of the Ministry of National Education
• Regulation on Private Tutoring Centers of the Ministry of National Education
• Regulation on Private Courses of the Ministry of National Education
• Regulations of the Ministry of National Education and other relevant legislation

Within this scope, the general and special categories of personal data necessary for the provision of distance education and product sales services include:
• Identity data such as name, surname, Turkish ID number, passport number or temporary Turkish ID number, place and date of birth, marital status, gender, and copies of identification documents submitted
• Contact data such as address, phone number and e-mail address
• Financial data such as bank account and IBAN numbers
• Feedback and comments shared for the evaluation of our services
• CCTV image and audio recordings obtained during visits to Edusama premises
• Voice call recordings created when contacting our Registration Center
• Browsing data, IP address, browser information, and medical documents, surveys, forms and location data voluntarily shared during the use of our website and mobile applications

Purposes of Processing Personal Data

Your personal data and special categories of personal data may be processed for the following purposes:
• Conducting human resources planning and managing planning processes
• Carrying out planning and programming activities to develop distance learning courses and product sales and managing related business processes
• Planning and implementing activities to increase the satisfaction of individuals benefiting from distance education services and product purchases
• Planning and managing educational and product-related commercial relationships and business strategies
• Customizing distance education and product sales services based on participants’ needs, preferences and habits, and promoting new products
• Resolving disputes arising from business relationships and improving technical and commercial relations

The above-mentioned personal data are securely stored and protected in physical and electronic archives of Edusama and its external service providers in compliance with applicable legislation.

Parties to Whom Personal Data May Be Transferred and Purposes of Transfer

In accordance with the relevant legislation and for the purposes stated above, your personal data may be shared with:
• Business partners
• Suppliers
• Legally authorized public institutions and organizations
• Legally authorized private legal entities

Rights of Data Subjects and Exercise of These Rights

Requests regarding the rights listed below will be evaluated and finalized as soon as possible and in any case within thirty (30) days, provided that they are submitted to us using the methods described under this section.

Data subjects have the right to:
• Learn whether their personal data are processed
• Request information if their personal data have been processed
• Learn the purpose of processing and whether data are used in accordance with that purpose
• Know the third parties to whom personal data are transferred domestically or abroad
• Request correction of incomplete or inaccurate personal data and request notification of such corrections to third parties
• Request deletion or destruction of personal data if the reasons requiring processing no longer exist and request notification of such actions to third parties
• Object to unfavorable outcomes resulting from automated processing
• Claim compensation for damages arising from unlawful processing

Cases Where Data Subjects Cannot Exercise Their Rights

Processing is necessary for the prevention or investigation of a crime
• Personal data have been made public by the data subject
• Processing is required for supervisory or regulatory duties carried out by authorized public institutions
• Processing is necessary for the protection of the State’s economic and financial interests

Cases Where Requests Will Not Be Processed

Processing of personal data by real persons solely for activities related to themselves or family members living in the same household
• Processing for statistical or research purposes by anonymization
• Processing for artistic, historical, literary or scientific purposes, provided that rights and freedoms are not violated
• Processing carried out by authorized public institutions for national security or public order
• Processing by judicial authorities for investigation, prosecution or execution

Exercise of Data Subject Rights

Data subjects may submit requests by completing the “Application Form for Data Subjects” available at
https://www.edusama.com/aydinlatma-metni

Applications must be submitted together with documents verifying identity by one of the following methods:
• Submission of a wet-signed copy in person, via notary or registered mail to the address Pirireis Mahallesi, 1103 Sokak, No:6A, Yenişehir, Mersin
• Submission via registered electronic mail signed with a secure electronic signature to edusamayazilim@hs01.kep.tr
• Any other method determined by the Personal Data Protection Board

Requests are processed free of charge; however, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board if additional costs arise.

Detailed information regarding the processing and protection of your personal data can be found at
https://www.edusama.com/kisisel-verilerin-korunmasi

EXPLICIT CONSENT DECLARATION

I consent to the processing of my personal data collected verbally, in writing or electronically, in a manner that is related, limited and proportionate to the purposes of processing stated above.

I Accept
I Do Not Accept

Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ, Kişisel verilerin işlenmesine ilişkin başvuru formu için Tıklayınız.

KVKK Data Retention and Destruction Policy

EDUSAMA Software Education Services Industry and Trade Ltd. Co.
Data Destruction Policy Regarding the Deletion, Destruction, and Anonymization of Personal Data

1. Purpose of the Data Destruction Policy

The purpose of this Data Destruction Policy (“Policy”) is to set out the procedures and principles regarding the deletion, destruction, or anonymization of personal data by Edusama Software Education Services Industry and Trade Ltd. Co. (“EDUSAMA”), either ex officio or upon the request of the data subject, in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017 (“Regulation”), in cases where the conditions for processing personal data, as set forth in Articles 4, 5, and 6 of the Law No. 6698 on the Protection of Personal Data (“Law”), cease to exist, provided that such personal data has been processed in compliance with the Law.

Explicit Consent	It refers to consent that is given freely, based on adequate information, and limited to a specific subject.
Relevant User	They are the persons who process personal data within the organization of the data controller or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction	The deletion, destruction, or anonymization of personal data.
Recording Medium	Any environment in which personal data processed wholly or partially by automated means, or processed by non-automated means provided that it forms part of a data recording system, is located.
Personal Data	Any information relating to an identified or identifiable natural person.
Personal Data Policy	It refers to the Personal Data Protection and Privacy Policy prepared by Edusama.
Processing of Personal Data	Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, which is carried out wholly or partially by automated means or by non-automated means provided that it forms part of a data recording system.
Anonymization of Personal Data	The process of rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data.
Deletion of Personal Data	Deletion of personal data means rendering personal data inaccessible and unusable for Relevant Users in any manner.
Destruction of Personal Data	The process of rendering personal data inaccessible, irretrievable, and unusable by anyone under any circumstances.
Board	Personal Data Protection Board
Special Categories of Personal Data	It refers to personal data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction	The process of deletion, destruction, or anonymization of personal data, which is carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in cases where all conditions for the processing of personal data set forth in the Law cease to exist.
Data Subject	A natural person whose personal data is processed.
Data Controller	A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation	The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

Recording Media Where Personal Data Is Stored

Personal data belonging to data subjects are securely stored by Edusama in the environments listed below, in compliance primarily with the provisions of the Law and other applicable legislation.

Electronic environments:

CRM
LMS
MySQL Server
Email Mailboxes
Microsoft Office Programs
Video Recording Devices

Physical environments:

Department Cabinets
Files
Archives

Explanations Regarding the Reasons Requiring Retention and Destruction

Personal data belonging to data subjects are securely retained by Edusama in the physical and/or electronic environments listed above, within the limits stipulated by the Law and other applicable legislation, primarily for the following purposes:

Ensuring the continuity of educational and commercial activities,
b. Fulfilling legal obligations,
c. Planning and fulfilling employee rights and fringe benefits, and
d. Managing customer relations.

The reasons requiring retention are as follows:

Personal data being directly related to the establishment or performance of contracts,
b. Personal data being necessary for the establishment, exercise, or protection of a right,
c. The existence of a legitimate interest of Edusama, provided that such interest does not harm the fundamental rights and freedoms of individuals,
d. Personal data being necessary for Edusama to fulfill any legal obligation,
e. The explicit stipulation in the legislation that personal data must be retained,
f. The existence of explicit consent of the data subjects in cases where retention activities require obtaining such consent.

Pursuant to the Regulation, personal data belonging to data subjects shall be deleted, destroyed, or anonymized by Edusama ex officio or upon request in the following cases:

Amendment or repeal of the relevant legislative provisions that constitute the legal basis for the processing or retention of personal data,
b. The disappearance of the purpose requiring the processing or retention of personal data,
c. The elimination of the conditions for processing personal data as set forth in Articles 5 and 6 of the Law,
d. Withdrawal of consent by the data subject in cases where the processing of personal data is based solely on explicit consent,
e. Acceptance by the data controller of the data subject’s application for the deletion, destruction, or anonymization of personal data within the scope of the rights set forth in Article 11, paragraphs (e) and (f) of the Law,
f. In cases where the data controller rejects the data subject’s request for the deletion, destruction, or anonymization of personal data, provides an insufficient response, or fails to respond within the period stipulated by the Law, and the data subject files a complaint with the Board and such request is deemed appropriate by the Board,
g. The expiration of the maximum retention period stipulated for personal data, provided that no condition exists that would justify retaining the personal data for a longer period.
Measures Taken Regarding the Protection of Personal Data

In accordance with Article 12 of the Law, Edusama takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to such data, and to ensure the safeguarding of the data. Within this scope, Edusama conducts or commissions the necessary audits.

All technical and administrative measures taken are also set forth in the Personal Data Policy. In the event that processed personal data is obtained by third parties through unlawful means despite all technical and administrative measures having been taken, Edusama shall notify the relevant authorities as soon as possible.

5.1. Technical Measures

Technical measures appropriate to developments in technology are implemented, and such measures are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a departmental basis.
Access authorizations are restricted, and such authorizations are regularly reviewed.
Implemented technical measures are periodically monitored; matters posing risks are reassessed, and necessary technological solutions are developed.
Software and hardware including antivirus systems and firewalls are installed.
Personnel with expertise in technical matters are employed.
Security scans are regularly conducted to identify vulnerabilities in applications through which personal data is collected, and detected vulnerabilities are remediated.
When necessary, penetration testing services are obtained to control system vulnerabilities.
The destruction of personal data is carried out in a manner that prevents recovery and leaves no audit trail.

5.2. Administrative Measures

Employees are trained on the technical measures to be taken in order to prevent unlawful access to personal data.
In accordance with legal compliance requirements determined on a departmental basis, access and authorization processes for personal data within Edusama are designed and implemented. In restricting access, whether the data is of a special category and its level of importance are also taken into consideration.
Records are included in all documents regulating the relationship between Edusama and its personnel and containing personal data, stating that obligations stipulated by the Law must be complied with for the lawful processing of personal data, that personal data must not be disclosed, that personal data must not be used unlawfully, and that the obligation of confidentiality regarding personal data continues even after the termination of the employment relationship with Edusama.
Employees are informed that they may not disclose personal data they have learned to third parties in violation of the provisions of the Law, may not use such data outside the purpose of processing, and that this obligation continues even after they leave their duties; accordingly, necessary undertakings are obtained from them.
Provisions are included in contracts executed with persons to whom personal data is lawfully transferred by Edusama, stipulating that such persons shall take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.
In the event that processed personal data is obtained by others through unlawful means, Edusama notifies the relevant data subject and the Board as soon as possible.
Where necessary, Edusama employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with training within the scope of personal data protection legislation and data security.
Edusama conducts or commissions the necessary audits to ensure the implementation of the provisions of the Law and eliminates any confidentiality and security vulnerabilities identified as a result of such audits.

Measures Taken Regarding the Destruction of Personal Data

Although personal data may have been processed in accordance with the relevant provisions of the Law, Edusama may delete or destroy personal data, either based on its own decision or upon the request of the data subject, in cases where the reasons requiring the processing of such data cease to exist. Following the deletion of personal data, the relevant persons shall not, under any circumstances, be able to access or use the deleted data again.

Edusama shall manage an effective data tracking process for defining and monitoring the destruction processes of personal data. The process carried out shall consist, respectively, of identifying the data to be deleted, identifying the relevant persons, determining the access methods of such persons, and immediately thereafter deleting the data.

Edusama may use one or more of the methods specified below, depending on the recording medium in which the personal data is stored, in order to delete, destroy, or anonymize personal data.

6.1.1. Deletion of Personal Data

Deletion of personal data is the process of rendering personal data inaccessible and unusable for Relevant Users in any manner. As a method for deleting personal data, Edusama may use one or more of the following methods:

Personal data contained in paper media shall be processed by redaction through crossing out, blackening, cutting, or erasing.
Access rights of user(s) to office files located in centralized file systems shall be revoked.
Rows or columns containing personal data in databases shall be deleted using the “Delete” command.
Where necessary, secure deletion shall be carried out with the assistance of a specialist.

6.1.2. Destruction of Personal Data

Destruction of personal data is the process of rendering personal data inaccessible, irretrievable, and unusable by anyone under any circumstances.

Physical Destruction
Destruction Using Paper Shredders
De-magnetization: A method in which data on magnetic media is irreversibly rendered unreadable by exposing it to high magnetic fields using specialized devices.

6.1.3. Anonymization of Personal Data

Anonymization of personal data refers to rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data. In order to anonymize personal data, Edusama may use one or more of the following methods:

Masking: A method of anonymization in which the primary identifying elements of personal data are removed from the dataset through data masking.
Record Removal: In this method, data rows containing unique identifiers are removed from the dataset, thereby rendering the remaining data anonymous.
Local Suppression: In cases where a single data point creates a highly identifiable combination, anonymization is achieved by suppressing the relevant data.
Global Coding: Through data derivation, more general information is generated from the content of personal data, ensuring that such data cannot be associated with any individual. For example, indicating age instead of date of birth, or specifying the region of residence instead of a full address.
Noise Addition: In datasets predominantly consisting of numerical data, anonymization is achieved by adding predefined positive or negative deviations to existing values. For example, applying a (+/–) 3 kg deviation to weight values prevents the display of actual values and anonymizes the data. The deviation is applied equally to all values.

In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Law, and explicit consent of the data subject shall not be required.

Edusama may decide ex officio on the deletion, destruction, or anonymization of personal data and may freely determine the method to be used based on the selected category. Furthermore, within the scope of Article 13 of the Regulation, if the data subject selects one of the categories of deletion, destruction, or anonymization of their personal data at the time of application, Edusama shall retain discretion regarding the methods to be applied within the selected category.

Retention and Destruction Periods of Personal Data

Edusama retains personal data for the period required for the purpose for which such data is processed. In the event that the primary purpose for collecting personal data, or any secondary processing basis specified in this Policy, ceases to exist, personal data may continue to be retained for the periods specified in Annex 1.

If a retention period is stipulated in the legislation for the relevant personal data, such period shall be complied with. In cases where no period is stipulated in the legislation, personal data shall be retained for the maximum retention periods specified in the table set forth in Annex 1. These periods have been determined by evaluating Edusama’s data categories and data subject groups, in a manner that ensures compliance with statutory obligations, and by taking into account the maximum statute of limitations period stipulated under the Turkish Code of Obligations (10 years).

Upon the expiration of these periods, where an obligation to delete, destroy, or anonymize personal data arises, Edusama shall delete, destroy, or anonymize such personal data during the first periodic destruction process following the relevant date.

Company Periodic Destruction Periods

Edusama’s periodic destruction period is 1 year. Personal data whose retention period has expired shall be destroyed in accordance with the destruction periods set forth in Annex 1 of this Policy, at one-year intervals and in compliance with the procedures specified herein.

Within the relevant systems, data shall be deleted in such a manner that it cannot be recovered, and any physical media on which the data is recorded, such as documents, files, CDs, diskettes, or hard disks, shall be destroyed in a non-recoverable manner.

Personnel

Within the scope of the Law, Edusama, in its capacity as the data controller, determines the titles, departments, and job descriptions of the personnel responsible for fulfilling obligations related to the implementation of personal data retention and destruction processes, pursuant to Article 11, paragraph 1 of the Regulation. The relevant information can be found in the list provided in Annex 2 of this Policy.

These designated persons are responsible, within the scope of their respective authorities, for the transactions and actions carried out under the Turkish Commercial Code, the Turkish Code of Obligations, and the Turkish Penal Code. In particular, the Chairperson of the Edusama Personal Data Protection Board has been appointed as the authorized representative of Edusama before law enforcement authorities, public prosecutors’ offices, public institutions, and courts, including the authority to make statements on behalf of Edusama.

Each department manager shall be responsible for supervising whether the Relevant Users within their departments act in compliance with this Policy and the Personal Data Policy prepared within the framework of the Law and the Regulation. All department managers shall report the actions carried out in accordance with this Policy within the specified periodic destruction periods to the Chairperson of the Edusama Personal Data Protection Board. Decisions arising from the results of such reports shall be implemented accordingly.

Application by the Data Subject

Pursuant to Article 13 of the Law and Article 12 of the Regulation, the data subject may apply to Edusama by submitting the application petition, which can be obtained from Edusama upon request in accordance with the Personal Data Policy, and request the deletion or destruction of their personal data.

If all conditions for processing personal data have ceased to exist, the data controller shall delete, destroy, or anonymize the personal data subject to the request. The data controller shall finalize the request within a maximum period of thirty (30) days and inform the data subject accordingly.
If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the data controller shall notify the relevant third party and ensure that the necessary actions are taken by such third party in accordance with the Regulation.
If all conditions for processing personal data have not ceased to exist, the request may be rejected by the data controller by stating the justification, and the rejection response shall be notified to the data subject in writing or electronically within a maximum period of thirty (30) days. Edusama may reject the request for deletion of personal data belonging to the data controller on the following grounds:

Processing of personal data by anonymization for purposes such as research, planning, and statistics as part of official statistics.
b. Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, and does not constitute a crime.
c. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
d. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or execution proceedings.
e. Processing of personal data being necessary for the prevention of a crime or for a criminal investigation.
f. Processing of personal data that has been made public by the data subject themselves.
g. Processing of personal data being necessary for supervisory or regulatory duties, or for disciplinary investigation or prosecution, carried out by authorized public institutions and organizations or professional organizations having the status of public institutions, based on the authority granted by law.
h. Processing of personal data being necessary for the protection of the economic and financial interests of the State with respect to budgetary, tax, and financial matters.
i. The data subject’s request being likely to impede the rights and freedoms of other individuals.
j. Requests requiring disproportionate effort.
k. The requested information being publicly available.

10.1. Exercise of the Data Subject’s Rights

Data subjects may submit their requests regarding the rights set forth under Section 9 of this Policy to Edusama by completing and signing the application form that can be obtained from Edusama, together with information and documents enabling identification of their identity, through the methods specified below or through other methods determined by the Board.

In order for third parties to submit an application on behalf of a data subject, a special power of attorney issued by a notary public in the name of the person who will submit the application must be provided by the data subject.

10.2. Right of the Data Subject to File a Complaint with the Personal Data Protection Board

Pursuant to Article 14 of the Law, in cases where the application is rejected, the response is deemed insufficient, or no response is provided within the prescribed period, the data subject may file a complaint with the Board within thirty (30) days from the date they learn of Edusama’s response, and in any case within sixty (60) days from the date of application.

Information That the Company May Request from the Applicant Data Subject

Edusama may request information from the applicant in order to determine whether the applicant is the data subject. Edusama may also direct questions to the data subject regarding their application in order to clarify the matters stated therein.

Revision and Repeal

In the event that this Policy is amended or repealed, the amended version of the Policy or the new policy text shall be announced on the Edusama website.

Entry into Force

This Policy entered into force on 20 June 2022.

Annexes

Annex 1: Personal Data Retention and Destruction Periods
Annex 2: Titles, Departments, and Job Descriptions of Personnel Involved in the Personal Data Retention and Destruction Process
Annex 3: Internal Regulation of the Edusama Software Education Services Industry and Trade Ltd. Co. Personal Data Protection Board

EDUSAMA YAZILIM EGITIM HIZMETLERI SANAYI VE TICARET LTD STI PERSONAL DATA PROTECTION AND PROCESSING POLICY

Edusama Yazilim Egitim Hizmetleri Sanayi Ve Ticaret Ltd Sti
Personal Data Protection and Processing Policy Information Form

Document Title: Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI Personal Data Protection and Processing Policy

Target Audience: All natural persons whose personal data are processed by Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI, excluding employees of Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI

Prepared By: Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI Personal Data Protection Committee

Version: 1.0

Approved By: Approved by Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI

Effective Date: 20/06/2022

In the event of any inconsistency between the Turkish version of the Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI Personal Data Protection and Processing Policy and any version translated into a foreign language, the Turkish text shall prevail.

© Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI., 2022

This document may not be reproduced or distributed without the prior written consent of Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI.

Edusama Yazilim Egitim Hizmetleri Sanayi ve Ticaret LTD STI Personal Data Protection and Processing Policy

INTRODUCTION

Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ (“Edusama”) attaches great importance to the protection of personal data and considers it among its top priorities.
The Personal Data Protection and Processing Policy of Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ (“Policy”) explains the fundamental principles adopted by Edusama to ensure compliance with the personal data processing principles regulated under the Personal Data Protection Law No. 6698 (“Law”).
In line with these principles, Edusama ensures the necessary transparency by informing personal data subjects. Personal data are processed and protected with the highest level of responsibility and awareness of Edusama, in accordance with the procedures and principles set forth in this Policy.

1.1. Purpose

The purpose of this Policy is to ensure that Edusama is aligned with the Law and that the Policy is effectively implemented in its operations.
In line with “ANNEX 1 – Purposes of Personal Data Processing” below, all necessary administrative and technical measures regarding the processing and protection of personal data shall be taken by Edusama, required internal procedures shall be established, and all necessary training activities shall be conducted to raise awareness.
All necessary measures shall be taken to ensure the compliance of shareholders, authorized persons, employees, and business partners with the processes stipulated under the Law, and appropriate and effective audit mechanisms shall be established.

1.2. Scope

This Policy covers all personal data of individuals other than Edusama employees, which are processed either by fully automated means or by non-automated means provided that they form part of any data recording system.
Information regarding personal data subjects is listed in “ANNEX 2 – Personal Data Subjects”, which is attached to this Policy.

The protection of personal data of Edusama employees is carried out under the Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ Employee Personal Data Protection and Processing Policy, which has been prepared in accordance with the principles set forth in this Policy.

1.3. Legal Basis

This Policy shall be applied together with the applicable legislation currently in force regarding the processing and protection of personal data.
In the event of any inconsistency between the applicable legislation and this Policy, the provisions of the applicable legislation shall prevail.
The regulations prescribed by the relevant legislation are reflected in this Policy and incorporated into Edusama’s practices.

1.4. Terms and Definitions

Relevant User
• Except for the person or unit responsible for the technical storage, protection, and backup of data, individuals who process personal data within the data controller’s organization or in accordance with the authority and instructions received from the data controller.

Disposal
• The deletion, destruction, or anonymization of personal data.

Recording Medium
• Any environment in which personal data processed wholly or partially by automated means or by non-automated means provided that it forms part of any data recording system is stored.

Personal Data
• Any information relating to an identified or identifiable natural person.

Processing of Personal Data

Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partially by automated means or by non-automated means provided that it forms part of a data recording system.

Anonymization of Personal Data

Rendering personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data

The process of rendering personal data inaccessible and unusable for Relevant Users in any manner.

Destruction of Personal Data

The process of rendering personal data completely inaccessible, irretrievable, and unusable by anyone under any circumstances.

Board

Personal Data Protection Board.

Special Categories of Personal Data

Personal data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Disposal

The deletion, destruction, or anonymization of personal data carried out ex officio at recurring intervals as specified in the personal data retention and disposal policy, in cases where the conditions for processing personal data stipulated in the Law have completely ceased to exist.

Data Subject / Relevant Person

A natural person whose personal data is processed.

Data Controller

A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

Edusama takes the necessary measures stipulated under Article 12 of the Law, in accordance with the nature of the data, in order to prevent unlawful disclosure, access, transfer, or any other security breaches that may occur with respect to personal data.
In line with the guidelines published by the Personal Data Protection Board, Edusama implements appropriate safeguards and carries out audits to ensure the required level of personal data security.

2.2. Protection of Special Categories of Personal Data

The measures taken to protect special categories of personal data, including data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data, are implemented with due diligence and are subject to necessary audits.

Detailed information regarding the processing of special categories of personal data is provided under Article 3.3 of this Policy.

2.3. Raising Awareness on the Protection and Processing of Personal Data

Edusama provides the necessary training to relevant persons in order to raise awareness regarding the lawful processing of personal data, access to such data, data retention, and the exercise of data subject rights.

To enhance employees’ awareness of personal data protection, Edusama establishes the required business processes and, where necessary, seeks support from external consultants. Any deficiencies encountered in practice and the outcomes of training programs are evaluated by Edusama’s management. Based on these evaluations and any changes in applicable legislation, additional training programs may be organized when deemed necessary.

PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with Legislation

Personal data are processed in compliance with the applicable legislation in accordance with the principles set out below.

Processing in Accordance with the Law and the Principle of Good Faith

Edusama processes personal data to the extent required by its fields of business activities, limited thereto, in a manner that does not infringe upon individuals’ fundamental rights and freedoms, and in accordance with the principles of good faith and trust.

Ensuring That Personal Data Are Accurate and Up to Date

Edusama takes the necessary measures and operates the required systems to ensure that the personal data it processes are accurate and kept up to date.

III. Processing for Specific, Explicit, and Legitimate Purposes

Edusama processes personal data in connection with its business activities solely for specific, explicit, and legitimate purposes that have been determined and disclosed.

Being Relevant, Limited, and Proportionate to the Purpose of Processing

Edusama collects and processes personal data in a manner that is relevant to, limited to, and proportionate with the purposes for which they are processed and the requirements of its business activities.

Retention for the Period Necessary for the Purpose

Edusama retains personal data for the minimum period stipulated under the relevant legislation or, if no such period is specified, for the period necessary for the purposes for which the personal data are processed.
Upon the expiration of the applicable retention periods, personal data are disposed of in accordance with periodic disposal schedules or data subject requests, using appropriate methods such as deletion, destruction, or anonymization.

3.2. Conditions for Processing Personal Data

Except where the data subject has given explicit consent, personal data may be processed based on one or more of the conditions listed below. The processing of special categories of personal data is subject to the conditions set out in Article 3.3 of this Policy (Processing of Special Categories of Personal Data).
Explicit Consent of the Data Subject
Personal data may be processed based on the explicit consent of the data subject. Explicit consent means consent that is informed, specific, and freely given.
In the presence of any of the conditions listed below, personal data may be processed without obtaining explicit consent from the data subject.
Explicitly Stipulated by Law
Where personal data processing is explicitly stipulated by law, personal data may be processed without obtaining the consent of the data subject.
Inability to Obtain Explicit Consent Due to Actual Impossibility
Where it is not possible to obtain consent due to actual impossibility, and processing is necessary to protect the life or physical integrity of the data subject or another person, personal data may be processed.
Directly Related to the Establishment or Performance of a Contract
Where personal data processing is directly related to the establishment or performance of a contract to which the data subject is a party, personal data may be processed.
Fulfillment of Edusama’s Legal Obligations
Where processing personal data is mandatory for Edusama to fulfill its legal obligations, personal data may be processed.
Public Disclosure of Personal Data by the Data Subject
Where the data subject has made their personal data public, such data may be processed, limited to the purpose of disclosure.
Mandatory Processing for the Establishment or Protection of a Right
Where processing is mandatory for the establishment, exercise, or protection of a right, personal data may be processed.
Mandatory Processing for Edusama’s Legitimate Interests
Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed where processing is mandatory for Edusama’s legitimate interests.

3.3. Processing of Special Categories of Personal Data

When processing special categories of personal data, Edusama processes such data in accordance with the principles set out in the Law and this Policy, by taking all necessary administrative and technical measures using the methods to be determined by the Board, under the following conditions:

Special categories of personal data other than health and sexual life may be processed without obtaining the explicit consent of the data subject where there is an explicit provision in the law permitting such processing. In cases where there is no explicit legal provision, the explicit consent of the data subject shall be obtained.
Special categories of personal data relating to health and sexual life may be processed without obtaining the explicit consent of the data subject by persons under the obligation of confidentiality or by authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing. In other cases, the explicit consent of the data subject shall be obtained.

3.4. Informing the Personal Data Subject

Edusama informs personal data subjects, in accordance with the applicable legislation, about the purposes for which their personal data are processed, the purposes and parties with whom such data are shared, the methods by which personal data are collected, the legal grounds for processing, and the rights of data subjects regarding the processing of their personal data.

3.5. Transfer of Personal Data

In line with its personal data processing purposes, Edusama may transfer personal data and special categories of personal data to third parties (including third-party companies, group companies, and third-party natural persons) in a lawful manner by taking the necessary security measures.
Edusama carries out data transfer operations in accordance with the regulations set forth in Article 8 of the Law, based on the document titled “ANNEX 4 – Third Parties to Whom Personal Data Are Transferred and Purposes of Transfer,” which is attached to this Policy.

Transfer of Personal Data

Although the explicit consent of the personal data subject is required for the transfer of personal data, personal data may be transferred to third parties by taking all necessary security measures, including the methods prescribed by the Board, based on one or more of the conditions listed below:

Where it is explicitly stipulated by law,
b. Where it is directly related to and necessary for the establishment or performance of a contract,
c. Where it is mandatory for Edusama to fulfill its legal obligations,
d. Where the personal data have been made public by the data subject, limited to the purpose of disclosure,
e. Where it is mandatory for the establishment, exercise, or protection of the rights of Edusama, the data subject, or third parties,
f. Where it is mandatory for the legitimate interests of Edusama, provided that it does not harm the fundamental rights and freedoms of the data subject,
g. Where processing is mandatory to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid.

Personal data may be transferred to foreign countries that have been declared by the Board as having “Adequate Protection”, provided that at least one of the conditions listed above is met.
In cases where adequate protection is not available, personal data may be transferred, in accordance with the conditions stipulated in the legislation, to foreign countries where the data controllers have provided a written undertaking to ensure adequate protection and where the approval of the Board has been obtained, referred to as “Foreign Countries Where the Data Controller Undertakes Adequate Protection.”

Transfer of Special Categories of Personal Data

Special categories of personal data may be transferred by taking all necessary administrative and technical measures, including the methods determined by the Board, in accordance with the principles set out in this Policy, under the following conditions:

Special categories of personal data other than health and sexual life may be transferred without obtaining the explicit consent of the data subject where there is an explicit legal provision permitting such processing; otherwise, they may be transferred with the explicit consent of the data subject.
Special categories of personal data relating to health and sexual life may be transferred without obtaining explicit consent by persons under the obligation of confidentiality or by authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing; otherwise, the explicit consent of the data subject shall be obtained.

Personal data may be transferred to countries classified as “Foreign Countries with Adequate Protection” where any of the above conditions are met, or, in the absence of adequate protection, to “Foreign Countries Where the Data Controller Undertakes Adequate Protection,” in accordance with the data transfer conditions stipulated in the applicable legislation.

CATEGORIZATION OF PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING

The purpose of Edusama in processing personal data is to inform the relevant persons in accordance with Article 10 of the Law and other applicable legislation, and to process personal data in a limited manner based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in compliance primarily with the principles set out in Article 4 of the Law and the general principles stipulated therein.

Edusama processes the personal data of its shareholders and authorized persons in order to fulfill its legal obligations arising from the Turkish Commercial Code, Tax Procedure Law, Labor Law, and other relevant legislation.

Edusama records the personal data of persons conducting activities with Edusama for the purposes of ensuring compliance with the determined rules, enabling the issuance of warning notices in case of breach of obligations, initiating enforcement and legal proceedings, and taking other necessary measures to ensure performance in accordance with contracts. The personal data of branches are obtained through lease agreements, addenda, supplementary contracts, protocols, and email correspondence.

Edusama records the information of suppliers providing goods and/or services in order to verify whether they fulfill their responsibilities and to ensure the orderly conduct of activities. Personal data of suppliers are obtained through emails sent and received as a result of communication established with them, telephone conversations, business cards, and information shared via their websites.

Edusama requests and processes the personal data of its employees and job candidates for the purposes of completing mandatory documents required to be included in personnel files within the scope of the Labor Law and Occupational Health and Safety Law in force, and for the registration of employees with the Social Security Institution. Such personal data are obtained through resumes and job application forms submitted with explicit consent during recruitment and job application stages, resume viewing methods provided by human resources software platforms offering job postings and candidate pool services (such as Kariyer.net and LinkedIn), and responses given with consent to questions asked during interviews. Edusama requests and processes personal data from individuals applying for employment for the purpose of establishing communication for interview processes and determining whether the individual’s qualifications and experience are compatible with the vacant position. These personal data are obtained through resumes voluntarily submitted by applicants, answers provided voluntarily during interviews, or resume viewing methods offered by job posting and candidate pool service platforms (such as Kariyer.net and LinkedIn).

Edusama records the personal data of employees and authorized representatives of its business partners within the scope of the purposes of establishing business partnerships.

Edusama records supplier personal data for the purpose of procuring and supervising the goods and/or services required to carry out its commercial activities. Such personal data are obtained through signed contracts, issued invoices, equipment delivery reports, email correspondence, telephone communications, other communication channels, and business cards.

Edusama processes the information contained in complaint and request forms submitted to it for the purpose of ensuring service quality. Images of individuals registered at Edusama premises are obtained through 24/7 security camera recording systems.

Detailed information regarding the categories of processed personal data is provided in the Policy annex “ANNEX 3 – Personal Data Categories,” and detailed information regarding personal data processing purposes is provided in the Policy annex “ANNEX 1 – Personal Data Processing Purposes.”

MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

In accordance with the conditions stipulated under the Law, Edusama takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to such data, and to ensure the preservation of personal data. Within this scope, Edusama conducts or commissions the necessary audits.

In the event that processed personal data is obtained by third parties through unlawful means despite all technical and administrative measures having been taken, Edusama shall notify the relevant authorities as soon as possible.

5.1. Technical Measures

Technical measures in line with technological developments are implemented, and such measures are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a departmental basis.

III. Access authorizations are restricted, and authorization rights are regularly reviewed.

Implemented technical measures are periodically monitored, and technological solutions are developed by reassessing issues that may pose risks.
Software and hardware including antivirus systems and firewalls are installed.
Personnel knowledgeable in technical matters are employed, and system vulnerabilities are monitored and controlled.

VII. Applications through which personal data are collected are regularly subjected to security scans in order to detect security vulnerabilities, and identified vulnerabilities are remedied.

VIII. Personal data are destroyed in a manner that prevents recovery and leaves no audit trail.

5.2. Administrative Measures

Employees are trained on the technical measures to be taken in order to prevent unlawful access to personal data.
Employees are provided with training regarding the Law.

III. Within Edusama, access and authorization processes for personal data are designed and implemented in accordance with legal compliance requirements on a departmental basis.

Edusama has included provisions in all documents regulating its relationship with its personnel and containing personal data, stating that obligations stipulated by the Law must be complied with for the lawful processing of personal data, that personal data must not be disclosed, that personal data must not be used unlawfully, and that the obligation of confidentiality regarding personal data shall continue even after the termination of the employment contract with Edusama. Failure to comply with these obligations may result in sanctions up to and including termination of the employment contract.
Employees are informed that they may not disclose personal data they have learned to third parties in violation of the provisions of the Law, nor use such data outside the purpose of processing, and that this obligation shall continue after the termination of their employment; necessary undertakings are obtained from employees accordingly.
Provisions are included in contracts concluded with persons to whom personal data are lawfully transferred by Edusama, requiring such persons to take the necessary security measures for the protection of personal data and to ensure compliance with such measures within their own organizations.

VII. In the event that processed personal data are obtained by third parties through unlawful means, Edusama notifies the relevant data subject and the Board as soon as possible.

VIII. Edusama employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.

Edusama conducts or commissions the necessary audits within its own legal entity to ensure compliance with the provisions of the Law and remedies any confidentiality and security vulnerabilities identified as a result of such audits.
Pursuant to Article 12 of the Law, Edusama is responsible for ensuring that third parties to whom personal data are transferred also fulfill their obligations to lawfully process, store, and access personal data in accordance with the Policy and the Law. Accordingly, Edusama shall obtain undertakings in contracts and all related arrangements regarding data transfers to third parties, ensuring compliance with these requirements and granting Edusama the right to conduct audits. Edusama shall also specifically inform all its personnel of the responsibilities arising from the processes of transferring personal data to third parties.
RETENTION AND DESTRUCTION OF PERSONAL DATA

Edusama retains personal data for the minimum period required by the relevant legislation or for the period necessary for the purpose of processing. Primarily, if a retention period is stipulated under the applicable legislation, Edusama retains personal data in accordance with such period; if no statutory retention period is prescribed, personal data are retained for the period necessary for the purpose for which they are processed. Upon the expiration of the determined retention periods, personal data are destroyed by the specified methods (deletion, destruction, or anonymization) in accordance with periodic destruction periods or upon the request of the data subject.

RIGHTS OF DATA SUBJECTS AND EXERCISE OF SUCH RIGHTS

7.1. Rights of the Data Subject

Data subjects have the following rights:

To learn whether personal data are processed,
II. To request information if personal data have been processed,
III. To learn the purpose of the processing of personal data and whether they are used in accordance with such purpose,
IV. To know the third parties to whom personal data are transferred domestically or abroad,
V. To request the correction of personal data if they are processed incompletely or inaccurately and to request notification of such correction to third parties to whom the personal data have been transferred,
VI. To request the deletion or destruction of personal data where the reasons requiring their processing no longer exist, even though they have been processed in accordance with the Law and other applicable legislation, and to request notification of such action to third parties to whom the personal data have been transferred,
VII. To object to the occurrence of a result against the data subject arising from the analysis of processed data exclusively through automated systems,
VIII. To request compensation for damages in case personal data are processed unlawfully

7.2. Exercise of the Data Subject’s Rights

Data subjects may submit their requests regarding the rights listed in Article 6.1 to Edusama by using the methods determined by the Board. Applications may be submitted to Edusama by completing the “Edusama Yazılım Eğitim Hizmetleri Sanayi ve Ticaret LTD ŞTİ Data Subject Application Form” available at
www.edusama.com/kisisel-verilerin-korunmasi.

7.3. Edusama’s Response to Applications

Edusama shall conclude applications submitted by data subjects in accordance with the Law and other applicable legislation. Requests duly submitted to Edusama shall be finalized as soon as possible and no later than thirty (30) days, free of charge. However, if the processing of the request requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

7.4. Rejection of the Data Subject’s Application by Edusama

Edusama may reject the application of the applicant by stating the justification, in the following cases:

Where personal data are processed for purposes such as research, planning, or statistics by rendering them anonymous for official statistical purposes,
II. Where personal data are processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, the right to privacy, or personal rights, and does not constitute a crime,
III. Where personal data are processed within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security,
IV. Where personal data are processed by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or execution proceedings,
V. Where the processing of personal data is necessary for the prevention of a crime or for a criminal investigation,
VI. Where personal data have been made public by the data subject themselves,
VII. Where the processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigation or prosecution, carried out by authorized public institutions and organizations or professional organizations having the status of public institutions, based on the authority granted by law,
VIII. Where the processing of personal data is necessary for the protection of the State’s economic and financial interests relating to budgetary, tax, and financial matters,
IX. Where the request of the data subject may restrict the rights and freedoms of other individuals,
X. Where the request requires disproportionate effort,
XI. Where the requested information is publicly available.
IMPLEMENTATION

The Board of Directors of Edusama, as the data controller, is responsible for the implementation of the Law and this Policy. Department managers are responsible for monitoring, coordinating, and supervising all procedures and processes within this scope.

EFFECTIVE DATE AND PUBLICATION

This Policy entered into force on 20/06/2022. Any amendments to the Policy shall be published on Edusama’s website (www.edusama.com) and made accessible to data subjects and relevant parties. Amendments to the Policy shall take effect as of the date of their publication.

ANNEXES

ANNEX 1 – Purposes of Personal Data Processing

ANNEX 2 – Categories of Data Subjects

ANNEX 3 – Categories of Personal Data

ANNEX 4 – Third Parties to Whom Personal Data Are Transferred and Purposes of Transfer

KVKK – Explicit Consent
EDUSAMA YAZILIM EGITIM HIZMETLERI SANAYI VE TICARET LTD STI
Customer Information Services

– Explicit Consent / Approval Form for Personal Data Processing and Commercial Communications –

Within the scope of marketing/commercial activities related to discounts, campaigns, products/services, and events, as well as the fulfillment of legal obligations, the communication channels permitted and the consents granted in accordance with the reviewed INFORMATION NOTICE are indicated below as marked.

I give my consent/approval for EDUSAMA LTD. ŞTİ. to send SMS (Short Message) to me.
I give my consent/approval for EDUSAMA LTD. ŞTİ. to send e-mails to me.
I give my consent/approval for EDUSAMA LTD. ŞTİ. to contact me via phone and voice messages.

Within the scope of granting explicit consent for the processing of my personal data, I hereby give my explicit consent and approval for my personal data collected within the activities provided by EDUSAMA LTD. ŞTİ., shared by me in any manner, obtained through cookies placed on the website, provided by me through this consent form, including the products I have purchased, product categories and my shopping preferences, as well as all personal information I have declared, to be processed by EDUSAMA LTD. ŞTİ. for the following purposes:

sharing campaign notifications, new product announcements and cross-shopping opportunities
• promotion and advertisement of products and services
• personalized campaigns, advertising, targeting and analysis
• verifying the identity of the person who performs or is directed to perform purchases through the website or mobile applications
• recording addresses and other necessary contact information for communication
• providing necessary information notices
• preparing all records and documents that constitute the basis of transactions in electronic or physical formats
• fulfilling obligations arising from the distance sales contract and the relevant provisions of the Consumer Protection Law
• providing information to public authorities upon request in matters concerning public security and as required by legislation
• fulfilling legal obligations and exercising legal rights
• performing commercial activities and commercial purposes carried out by EDUSAMA LTD. ŞTİ. in accordance with applicable legislation
• transferring such information within the country or abroad to its own systems or to service providers for storage purposes
• storing such data on properly protected servers in compliance with legislation

In accordance with the Information Notice and as defined therein, I hereby give my explicit consent for the processing of my personal data within the scope of the Law on the Protection of Personal Data No. 6698 and the relevant regulatory legislation.

I have read the Information Notice and received a copy. I acknowledge that I am aware of my rights and that I may submit a request at any time regarding these data within the scope of Article 11 of the Law on the Protection of Personal Data, as stated in the Information Notice.

If the Customer wishes to partially or completely cancel the permissions, approvals or consents granted to EDUSAMA LTD. ŞTİ. under this consent/authorization form, or if the Customer wishes to obtain information regarding their personal data, they may write to the WhatsApp line at +90 551 154 85 17, or send an e-mail to info@edusama.com, or use the section titled Protection of Personal Data available at edusama.com, or contact the data controller representative, or submit their request directly to our headquarters in writing, or send a written application to the contact address available on the website, or use other communication/request methods that may be specified by the Personal Data Protection Board.

A copy of this form and the Information Notice has been provided to me.

Services for Individuals

Online Japanese Courses

Application to Japanese Language Schools

Student Visa Consultancy

Japanese Language Education Books

Japanese Translation and Interpretation

Japanese Education Services

Online Japanese N5 Course

Online Japanese N4 Course

Online Private Japanese Lessons

Online Japanese Conversation Club

GDPR Documents

3.3. Processing of Special Categories of Personal Data

Quick Menu

Legal Documents

Contact Information