LPPD Policy

1. PURPOSE

This Personal Data Protection and Processing Policy (the “Policy”) of Arksoft Bilişim Teknoloji Tic. San. A.Ş. (“Arksoft”) has been prepared to set out the procedures implemented to ensure that personal data processed within the scope of Arksoft’s activities are protected and processed in compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK”), and to safeguard fundamental rights and freedoms, primarily the right to privacy, as stipulated under the Constitution. This Policy also aims to establish, implement, monitor, and continuously improve privacy management within the scope of the ISO/IEC 27701 Personal Data and Privacy Information Management System.

2. SCOPE

This Policy covers all personal data processing activities carried out by Arksoft Bilişim Teknoloji Tic. San. A.Ş. in its capacity as both Data Controller and Data Processor; all employees, temporary staff, and interns; the Board of Directors and senior management; suppliers, business partners, and sub-processors; all processes including software development, product development, and cloud-based services; and all personal data processed in electronic, physical, and paper-based environments.

All policies and procedures prepared by Arksoft for the purpose of protecting personal data are updated through controlled revision processes to ensure compliance with the decisions of the Personal Data Protection Authority, conformity with the ISO/IEC 27701 PIMS standard, and enhanced protection of personal data.

3. RESPONSIBILITIES

Senior Management

Approval of the PIMS, approval of policies, provision of resources, and oversight.

Quality Specialist

Establishment, operation, and monitoring of the PIMS; management of privacy risks; execution of audit and improvement activities.

Legal Department

Determination and monitoring of the lawful collection, processing, retention, and disposal of personal data.

Department Managers

Ensuring that personal data processing activities within their departments comply with this Policy and that personal data inventories are kept up to date.

Employees

Obligation to protect the confidentiality of personal data and to act in accordance with this Policy and related procedures.

4. DEFINITIONS AND ABBREVIATIONS

Company

Arksoft Bilişim Teknoloji TİC. SAN. A.Ş.

Personal Data

Any information relating to an identified or identifiable natural person.

Special Category Personal Data

Sensitive personal data categories as defined under KVKK.

PIMS

Personal Data and Privacy Information Management System.

KVKK

Kişisel Verileri Koruma Kanunu (Law on the Protection of Personal Data No. 6698).

Data Controller

The natural or legal person who determines the purposes and means of processing personal data.

Data Processor

The party that processes personal data on behalf of the Data Controller, based on its instructions.

Explicit Consent

Consent given freely, based on adequate information, and related to a specific matter.

Cookie

Small files stored on users' computers or mobile devices that help store preferences and other information related to visited web pages.

Data Subject

The natural person whose personal data are processed.

Periodic Disposal

The Deletion, Destruction, or Anonymization of Personal Data carried out ex officio at recurring intervals as specified in the personal data retention and disposal policy, in cases where all conditions for processing personal data under the Law cease to exist.

PIA / Privacy Impact Assessment

A systematic assessment conducted by an organization to identify in advance the impacts of its personal data processing activities on the rights and freedoms of data subjects, analyze risks, and plan measures to mitigate such risks.

5. IMPLEMENTATION

5.1. Identity of the Data Controller

For all personal data processing activities within the scope of this Policy, the Data Controller identity of Arksoft Bilişim Teknoloji Tic. San. A.Ş. is as follows:

Data Controller: Arksoft Bilişim Teknoloji TİC. SAN. A.Ş.
Address: Üniversiteler Mah. 1596. Cad. Teknokent Kuluçka Merkez Binası No: 6C/74 Çankaya/ANKARA
Telephone/Fax: +90 312 502 21 21

5.2. General Principles

When processing personal data, Arksoft Bilişim Teknoloji Tic. San. A.Ş.:

  1. Acts in accordance with the law and the principles of honesty.
  2. Ensures that personal data are accurate and, where necessary, kept up to date.
  3. Processes personal data for specified, explicit, and legitimate purposes.
  4. Ensures that the processed data are relevant, limited, and proportionate to the purpose of processing.
  5. Retains personal data only for the period prescribed by relevant legislation or required for the purpose of processing, and destroys all physical and digital outputs in accordance with legal retention periods once the purpose of processing ceases to exist.
  6. Processes personal data in compliance with the principles set forth by applicable legislation and the general principles of trust and good faith.
  7. Makes maximum effort to ensure that personal data are accurate and up to date, taking into account the fundamental rights of data subjects and its own legitimate interests.
  8. The purposes for processing personal data are detailed in the Information Notices prepared on a data subject category basis for each data category processed by Arksoft. Where a data processing activity does not meet any of the legal bases set out in Articles 5 and 6 of KVKK, explicit consent is obtained by Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. within the scope of the relevant processing activity.

5.3. Methods Of Collecting Personal Data

  • Printed communications,
  • Customer surveys,
  • Complaint forms,
  • Contracts,
  • Curriculum vitae,
  • Information systems and electronic devices,
  • Career portals,
  • Cookies,
  • API integrations, cloud-based services, and software applications, and documents declared by the data subject.

Personal data are collected based on the following legal grounds: “Explicitly stipulated by law”; “Necessity for the establishment or performance of a contract, provided that it is directly related to the contract”; “Necessity for the Data Controller to fulfill its legal obligation”; “Necessity for the establishment, exercise, or protection of a right”; and “Necessity for processing data for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the data subject.”

5.4. Obligations As Data Controller

Where Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. acts as a Data Controller, it:

  • Determines the purposes and legal grounds for processing personal data.
  • Informs data subjects.
  • Obtains explicit consent where required.
  • Ensures that data subjects can effectively exercise their rights.
  • Implements administrative and technical measures to ensure data security.

5.5. Obligations As Data Processor

Where Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. acts as a Data Processor, it:

  • Processes personal data solely in accordance with the instructions of the Data Controller.
  • Does not use personal data for purposes other than those specified.
  • Informs the Data Controller in case of the use of sub-processors.
  • Implements data security measures and promptly notifies data breaches.

5.6. Measures Taken For Data Security

Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the safeguarding of personal data. Risks relating to the confidentiality of personal data are regularly assessed, appropriate technical and administrative controls are identified for the risks detected, and such controls are implemented. Privacy requirements are taken into account during the design and development phases of software, products, and cloud-based services, and default settings are configured to prioritize the protection of personal data.


5.7. Data Subject Rights

Data subjects whose personal data are processed by Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. may exercise their rights to access, rectification, erasure, objection, and other rights defined under applicable legislation. Requests are received via info@arksoft.com.tr and are concluded in accordance with defined procedures and within statutory time limits. Pursuant to the Communiqué on the Procedures and Principles of Application to the Data Controller, applications by data subjects must include name and surname, signature if the application is in writing, Turkish ID number (or nationality, passport number, or ID number if the applicant is a foreign national), address for service of notification or workplace address, electronic mail address for notification if available, telephone and fax number, and information regarding the subject of the request. Requests are concluded free of charge as soon as possible and no later than thirty (30) days, depending on the nature of the request. However, if the transaction requires additional costs, a fee may be charged in accordance with Article 7 of the Communiqué. Data subject applications are recorded and monitored.


5.8. Breach Notifications

Employees of Arksoft Bilişim Teknoloji TİC. SAN. A.Ş. must immediately report any act, action, or incident that they believe constitutes a violation of KVKK and/or this Policy to the relevant persons and senior management via info@arksoft.com.tr or by using the written “Breach Notification Form.”


5.9. Transfer Of Personal Data Within The Country

Without prejudice to the legal grounds stipulated in the legislation and subject to compliance with the provisions set out in KVKK, personal data and special category personal data are not transferred to third parties without the explicit consent of the data subject.


5.10. Transfer Of Personal Data Abroad

As a rule, the transfer of personal data abroad is carried out based on explicit consent. However, without prejudice to the exceptions stipulated under KVKK and the decisions of the Personal Data Protection Board, other methods permitted by applicable legislation may also be applied.


5.11. Deletion, Destruction, or Anonymization of Personal Data

Personal data collected within the scope of Arksoft’s processing purposes are processed and retained in accordance with such purposes and applicable legislation. Upon the complete cessation of the processing purposes or upon the request of the data subject, personal data are deleted, destroyed, or anonymized.


6. ENTRY INTO FORCE AND REVIEW

This Policy shall enter into force as of the date of its publication following approval by the senior management of Arksoft Bilişim Teknoloji Tic. San. A.Ş. It shall be reviewed at least once a year, or in the event of organizational or technical changes, in coordination with the Quality Specialist. This Policy is maintained and retained in both printed and electronic formats.

General Manager

Tahir Emre Esirgen

16/12/2025