Policy on Special Categories of Personal Data
1- SCOPE AND DEFINITIONS
This policy applies to Special Categories of Personal Data that are processed wholly or partly by automatic means, or by non-automatic means as part of any data recording system.
2- PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
According to Article 6/1 of the Personal Data Protection Law No. 6698, "special categories of personal data" include data regarding a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
Special categories of personal data are processed only under the conditions set out in Article 6 of Law No. 6698:
Where the Data Subject has given explicit consent;
Where the Data Subject has not given explicit consent: special categories of personal data other than those relating to health and sexual life may be processed in the cases provided for by law; personal data relating to health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons or authorized institutions and organizations bound by a confidentiality obligation, in accordance with the law.
3- TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA DOMESTICALLY
In accordance with Article 8 of the Personal Data Protection Law, the COMPANY may transfer special categories of personal data domestically:
With the explicit consent of the Data Subject, in the cases where the first paragraph of Article 8 requires it;
Without explicit consent, where one of the conditions listed in the second paragraph of Article 5 applies;
Without explicit consent, provided that adequate measures are taken, where one of the conditions in the third paragraph of Article 6 applies, namely:
for special categories of personal data other than health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in the cases provided for by law;
for personal data relating to health and sexual life, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons or authorized institutions and organizations bound by a confidentiality obligation.
4- MEASURES FOR THE PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
In accordance with Personal Data Protection Board Decision No. 2018/10 of 31/01/2018 on the adequate measures to be taken by data controllers when processing special categories of personal data:
A separate policy and procedure for the security of special categories of personal data has been established; it is systematic, has clearly defined rules, and is manageable and sustainable.
For employees involved in the processing of special categories of personal data:
Regular training is provided on the law, regulations, and the security of special categories of personal data,
Confidentiality agreements are made,
The scope and duration of access permissions for users with access to data are clearly defined,
Periodic access control checks are carried out,
The access rights of employees who change position or leave the COMPANY are revoked immediately, and equipment issued to them by the COMPANY is returned.
If the environment where special categories of personal data are processed, stored, and/or accessed is electronic:
Data is stored using cryptographic methods,
Cryptographic keys are securely kept in separate environments,
All actions performed on the data are securely logged,
Security updates for the environments containing the data are continuously monitored, and necessary security tests are conducted regularly. Test results are documented,
If the data is accessed through software, user authorizations within that software are defined, and the software is security-tested regularly, with the test results documented,
If remote access to the data is required, two-factor authentication is enforced.
If the environment where special categories of personal data are processed, stored, and/or accessed is physical:
Sufficient security measures are taken according to the nature of the environment containing the special categories of personal data (such as protection against electrical leakage, fire, flooding, theft, etc.),
Physical security of these environments is ensured, and unauthorized access and exit are prevented.
If special categories of personal data are to be transferred:
If data needs to be sent by email, it is sent in an encrypted form using corporate email addresses or via Registered Electronic Mail (KEP) accounts,
If data is to be transferred through portable storage devices like USBs, CDs, or DVDs, it is encrypted using cryptographic methods, and the cryptographic key is kept in a separate environment,
If data is transferred between servers in different physical environments, it is transferred over a VPN or by SFTP,
If data is transferred on paper, precautions are taken against theft, loss and viewing by unauthorized persons, and the documents are sent marked as "confidential documents".
In addition to the measures mentioned above, technical and administrative precautions to ensure an appropriate level of security, as outlined in the Personal Data Security Guide published on the Personal Data Protection Authority's website, are also considered.