Privacy Statement for Sestek

1. Purpose

The purpose of this Privacy Policy (“Policy”) is to provide explanations regarding the personal data processing activities carried out lawfully by SESTEK SES VE İLETİŞİM TEKNOLOJİLERİ A.Ş (“Company” or “Sestek”) and the systems adopted for the protection of personal data. Within this scope, transparency is ensured by informing the data subjects whose personal data are processed by Sestek, including but not limited to our employees, job candidates, customers, visitors, suppliers, employees and officials of institutions we cooperate with, and third parties.

 

2. Scope

 

 This Policy covers all personal data processed by the Company, whether automatically or by non-automatic means as part of any data recording system, relating to our employees, job candidates, customers, visitors, suppliers, employees and officials of cooperating institutions, and third parties.

 

3. Definitions

 

Explicit Consent: Consent given freely, based on information, and expressed clearly on a specific subject.

Anonymization: The modification of personal data in such a way that it loses its personal data characteristics and cannot be reverted, e.g., masking, aggregation, data distortion, etc.

Data Subject: The real person whose personal data is processed.

Processing of Personal Data: Any operation performed on personal data, whether wholly or partly by automatic means or otherwise, including acquisition, recording, storage, retention, alteration, reorganization, disclosure, transfer, retrieval, classification, or prevention of use.

Personal Data: Any information relating to an identified or identifiable real person, e.g., Name-Surname, Turkish ID number, Email, Address, Date of Birth, Credit Card Number, etc.

Destruction of Personal Data: Deletion, erasure, or anonymization of personal data.

PDPL: Turkish Law No. 6698 on the Protection of Personal Data.

Deletion of Personal Data: The process by which personal data becomes inaccessible and unusable by the relevant users.

Erasure of Personal Data: The process by which personal data becomes inaccessible, unrecoverable, and unusable by anyone.

Board: Refers to the Turkish Personal Data Protection Board.

Authority: Refers to the Turkish Personal Data Protection Authority.

Special Categories of Personal Data: Data that require stricter protection due to their nature, which may lead to discrimination or unfair treatment, including but not limited to racial or ethnic origin, political opinion, philosophical belief, religion, sect, dress code, membership of associations, health, sexual life, criminal convictions, biometric and genetic data.

Data Controller: The person who determines the purposes and means of processing personal data and manages the data recording system.

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on an authorization.


 

4. Implementation

 

 The applicable legislation concerning the processing and protection of personal data will primarily apply. The PDPL and related secondary legislation, guidelines published by the Authority, decisions and principles issued by the Board, etc. (collectively “Legislation”) will be evaluated within the scope of the relevant Legislation and will serve as a guide on personal data protection.
If there is a conflict between the current legislation and this Policy, Sestek accepts that the applicable legislation shall prevail.



 

4.1. General Principles Regarding the Processing of Personal Data

 Sestek processes personal data in accordance with the procedures and principles stipulated by the PDPL and related secondary legislation. Within this framework, Sestek fully complies with the following general principles set forth in the PDPL when processing personal data as part of its business processes.

  • Compliance with Lawfulness and Fairness: Under this principle, Sestek’s data processing activities are conducted within the framework of all relevant legislation, primarily the Constitution of the Republic of Turkey and the PDPL, as well as the rules of fairness.
  • Accuracy and Keeping Data Updated When Necessary: Sestek takes the necessary measures to ensure that the personal data it processes is accurate and up to date. Furthermore, to ensure the data reflects the actual situation, Sestek provides information and grants the relevant individuals the means to keep their personal data accurate and current.
  • Processing for Specific, Explicit, and Legitimate Purposes: Sestek processes personal data only for clear and legitimate purposes that are explicitly defined and does not engage in data processing activities beyond these purposes. Within this scope, Sestek processes personal data solely in connection with the relationship established with the relevant individuals and only when necessary.
  • Relevance, Limitation, and Proportionality to the Purpose of Processing: Data processed by Sestek is handled in accordance with the PDPL and other relevant legislation, in a manner suitable for achieving the purposes determined for each data category. The processing is limited, relevant, and proportionate to the purpose, and unnecessary personal data processing is avoided.
  • Retention for the Period Prescribed by Applicable Legislation or Necessary for the Purpose of Processing: Personal data processed by Sestek is retained only for the period prescribed by the relevant legislation or for as long as necessary to fulfill the purpose for which it is processed. If the applicable legislation sets a retention period, Sestek complies with it; if not, data is retained only for the duration necessary for the purpose of processing.

 

4.2. Conditions for Processing Personal Data

Except for the exceptions listed in the PDPL, Sestek processes personal data only by obtaining the explicit consent of the relevant individuals. However, in the presence of the following conditions specified in the PDPL, personal data may be processed without the explicit consent of the relevant individual:

  • Explicitly stipulated by laws,
  • Necessary for the protection of the life or physical integrity of the data subject or another person in cases where the data subject is physically or legally incapable of giving consent,
  • Processing personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
  • Necessary for the data controller to fulfill a legal obligation,
  • Made public by the data subject themselves,
  • Necessary for the establishment, exercise, or protection of a right,
  • Necessary for the legitimate interests of the data controller, if it does not harm the fundamental rights and freedoms of the data subject.

 

4.2.1. Conditions for Processing Special Categories of Personal Data

Except for the exceptions listed in the PDPL, Sestek processes special categories of personal data only by obtaining the explicit consent of data subjects. However, in the presence of the following conditions specified in the PDPL, special categories of personal data may be processed without the explicit consent of the data subject:

  • Clearly stipulated by law,
  • Mandatory for protecting the life or physical integrity of a person who is unable to express consent due to factual impossibility or whose consent is not legally valid,
  • Related to personal data made public by the data subject and in accordance with the data subject’s intention to make it public,
  • Necessary for the establishment, exercise, or protection of a right,
  • Necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, management, and financing of health services by persons under confidentiality obligations or authorized institutions and organizations,
  • Necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
  • Pertaining to foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes, provided that they comply with the relevant legislation and purposes, are limited to their fields of activity, are not disclosed to third parties, and relate to their current or former members and affiliates or those who regularly communicate with these organizations and formations.

 

4.3. Purposes of Processing Personal Data

Personal data obtained by Sestek may be processed within, but not limited to, the scopes described below:

  • Conducting Recruitment and Personnel Processes
  • Managing Onboarding and Offboarding Processes
  • Managing Employee Health Processes
  • Conducting Audit Activities
  • Managing Travel Planning Processes
  • Workplace Management
  • Managing R&D Processes for Voice Technologies
  • Conducting TÜBİTAK Reporting Processes
  • Supplier Management
  • Conducting Information Security Processes
  • Managing Financial and Administrative Affairs
  • Managing Customer Relationship Processes
  • Conducting Training and Development Processes
  • Managing Performance and Employee Satisfaction
  • Planning and Executing Emergency Operations
  • Managing Events and Organizational Activities
  • Legal Notifications and Compliance with Legal Obligations
  • Conducting Storage and Archiving Activities
  • Conducting Social Responsibility Activities
  • Managing Complaints and Requests
  • Managing Employee Fringe Benefits and Welfare Processes

 

4.4. Transfer of Personal Data

When sharing personal data with third parties, Sestek considers the transfer conditions set forth in the PDPL, without prejudice to the provisions of other applicable laws, and carefully complies with these conditions. In line with its lawful personal data processing purposes, and by taking the necessary administrative and technical measures, Sestek may transfer personal and special categories of personal data of data subjects, when necessary, to third parties located within Turkey (e.g., authorized public institutions and organizations, third-party companies, or natural persons).

In this context, the Company transfers personal data within Turkey by obtaining the explicit consent of the data subjects, except in cases specified as exceptions under the PDPL. However, if one of the processing conditions specified in Article 5(2) or Article 6(3) of the PDPL is met, personal data may be transferred within Türkiye without the explicit consent of the data subject.

If it becomes necessary for our Company to transfer personal data abroad, the transfer conditions set forth in the PDPL are taken into consideration, and personal data may be transferred abroad accordingly. In this context, our Company may transfer personal data abroad under the following conditions:

(i) The existence of one of the data processing conditions specified in Articles 5 or 6 of the PDPL, and the presence of an adequacy decision for the country to which the personal data will be transferred, or for sectors within that country or international organizations;

(ii) In the absence of an adequacy decision, the existence of one of the data processing conditions under Articles 5 or 6 of the PDPL, along with the availability of mechanisms for the data subject to exercise their rights or seek legal remedies in the destination country, and the provision of the safeguards stipulated in the law.

(iii) In the absence of an adequacy decision or the provision of appropriate safeguards by the parties to the transfer, personal data may be transferred abroad only under exceptional circumstances.

 

4.5. Storage of Personal Data

Personal data is securely stored by Sestek in physical or electronic media for an appropriate period, to fulfill its business operations. Within the scope of these activities, Sestek complies with the obligations set forth in the PDPL and other applicable legislation regarding the storage of personal data.

Except for mandatory retention periods stipulated by relevant legislation or permissible regulations concerning the storage of personal data, personal data will be destroyed once the purpose for processing has ended, or in line with the data subject's request specified in the Data Subject Application Form, and in accordance with the "Personal Data Retention and Destruction Policy."

Depending on the data subject’s request or based on Sestek’s own decision, the appropriate method of destruction—anonymization, deletion, or destruction—will be selected in compliance with the nature of the data and applicable regulations.

 

4.6. Security of Personal Data

Sestek takes the necessary administrative and technical measures to ensure the secure storage of personal data, and to prevent unlawful processing and unauthorized access. These measures are reviewed periodically to maintain effectiveness. In addition to personal data, special categories of personal data are also safeguarded in accordance with Article 12 of the PDPL and the fourth paragraph of Article 6. The necessary administrative and technical measures are implemented in line with the precautions determined and announced by the Authority to ensure the security of such data.

Accordingly, the administrative and technical measures adopted by our Company include, but are not limited to, the following:

 

Administrative Measures

  1. Disciplinary regulations, including data security provisions, are in place for employees.
  2. Regular training and awareness programs on data security are conducted for employees.
  3. An authorization matrix has been established for employees.
  4. Corporate policies on access, information security, usage, storage, and destruction have been prepared and implemented.
  5. Confidentiality agreements are signed.
  6. Authorizations related to data access are revoked for employees who change roles or leave the company.
  7. Contracts include data security provisions.
  8. Additional security measures are taken for personal data transferred via paper, and such documents are sent in a classified document format.
  9. Policies and procedures regarding personal data security have been established.
  10. Personal data security issues are reported promptly.
  11. Internal periodic and/or random audits are conducted.
  12. Existing risks and threats have been identified.
  13. Protocols and procedures for the security of special categories of personal data have been defined and implemented.
  14. Data processors are audited at regular intervals concerning data security.
  15. The amount of personal data collected is minimized as much as possible.
  16. Other.

 

Technical Measures

  1. Network and application security are ensured.
  2. A closed system network is used for transferring personal data via the network.
  3. Key management is implemented.
  4. Security measures are taken during the procurement, development, and maintenance of IT systems.
  5. Security of personal data stored in the cloud is ensured.
  6. Access logs are maintained regularly.
  7. Data masking measures are applied when necessary.
  8. Up-to-date antivirus systems are used.
  9. Firewalls are used.
  10. Monitoring of personal data security is carried out.
  11. Security measures are in place for access to physical environments containing personal data.
  12. Physical environments containing personal data are secured against external risks (e.g., fire, flood).
  13. Security of environments containing personal data is ensured.
  14. Personal data is backed up, and the security of these backups is ensured.
  15. User account management and authorization control systems are in place and monitored.
  16. Log records are kept in a way that prevents user intervention.
  17. If special categories of personal data are sent via email, they are encrypted and sent through KEP (Registered Electronic Mail) or a corporate email account.
  18. Secure encryption/cryptographic keys are used for special categories of personal data and are managed by separate units.
  19. Intrusion detection and prevention systems are used.
  20. Penetration tests are conducted.
  21. Cybersecurity measures are implemented and continuously monitored.
  22. Encryption is applied.
  23. Special categories of personal data transferred via portable media (e.g., USB, CD, DVD) are encrypted.
  24. Data loss prevention (DLP) software is used.
  25. Other.

 

4.7. Personal Data Breach Procedures

Sestek takes the necessary administrative and technical measures to ensure the secure processing and storage of personal data. However, in the event of a potential data breach within the Company, Sestek will carry out the notification procedures to inform the relevant data subjects and competent authorities no later than 72 hours from the detection of the breach.

For more detailed information regarding the procedures in the event of a breach, you may contact: privacy@sestek.com.

 

4.8. Your Rights as a Data Subject

Under Article 11 of the PDPL, you have certain rights as a data subject. These rights are:

  • To learn whether your personal data is being processed,
  • If personal data has been processed, to request information regarding such processing,
  • To learn the purpose of processing personal data and whether it is used in accordance with its intended purpose,
  • To know the third parties to whom personal data is transferred, whether domestically or abroad,
  • To request the correction of personal data if it is incomplete or incorrectly processed,
  • To request the deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the PDPL,
  • To request notification of the actions taken in accordance with subparagraphs (d) and (e) to third parties to whom the personal data has been transferred,
  • To object to the emergence of a result against the data subject by analyzing the processed data exclusively through automated systems,
  • To request compensation in the event of damage due to unlawful processing of personal data.

 If you wish to exercise your rights under the PDPL, you may contact SESTEK using one of the methods listed below, in accordance with Article 11 and the first paragraph of Article 13 of the PDPL and the Communiqué on the Procedures and Principles of Application to the Data Controller:

  • By visiting SESTEK in person at “Vadistanbul Bulvar Ayazağa Mah. Cendere Cad. 109B 1B Ofis Blok No:4 Sarıyer-İstanbul”,
  • Via our registered electronic mail (KEP) address: sestek@hs03.kep.tr,
  • By sending a written request through a notary or by registered mail, to verify your identity and avoid disclosing information to unauthorized persons,
  • By sending an email to privacy@sestek.com using a secure electronic signature, mobile signature, or your email address previously provided to SESTEK and registered in our systems.

 

4.9. Policy Updates

This Policy enters into force on the date of its publication. If SESTEK determines it is necessary to make changes to its business processes or the regulations specified within the scope of the policy, the required updates will be made and shared accordingly.

 

 
