TİMS Group Personal Data Protection and Processing Policy
1. INTRODUCTION
The Personal Data Protection Law No. 6698, which was enacted to regulate the procedures and principles that natural and legal persons who process personal data must adhere to, with the aim of protecting fundamental rights and freedoms, particularly privacy, was published in the Official Gazette on April 7, 2016, and came into effect.
The activities carried out by TİMS Group regarding the processing and protection of your personal data are governed under the “TİMS Group Personal Data Protection and Processing Policy” (hereinafter referred to as the “Policy”). This Policy has been published on our company’s website at www.tims.tv for your access.
2. PURPOSE
The purpose of this Policy is to:
- Determine the procedures and principles TİMS Group is subject to in the processing of personal data,
- Manage the technical and administrative activities conducted to protect data under a unified policy,
- Ensure the efficient and systematic execution of these activities, and
- Inform the relevant individuals (employees, employee candidates, visitors, suppliers/customers, subcontractors, their employees, and officials).
3. SCOPE
This Policy applies to personal data processed either completely or partially through automated means, or through non-automated means provided that they form part of a data recording system. Explanations in the Policy regarding “Personal Data” also cover “Special Categories of Personal Data.”
4. DEFINITIONS
TİMS GROUP: Includes TİMS B STÜDYO FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş. and TİMS PRODÜKSİYON FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş.
Explicit Consent: Freely given, specific, and informed consent to a particular matter.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data regarding race, ethnicity, political opinion, philosophical beliefs, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal convictions, security measures, biometric, and genetic data.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Relevant Person: A natural person whose personal data is processed.
Employee: Employees working under TİMS Group companies.
Employee Candidate: A natural person who has applied to any TİMS Group company or submitted their CV/information for review.
Intern: Individuals undertaking internships within TİMS Group companies.
Intern Candidate: Individuals applying for internships at TİMS Group companies and who have made their CVs and related information available for review.
Visitor: Natural persons visiting the physical premises or websites of TİMS Group.
Supplier: Third parties providing products or services to TİMS Group companies under contractual relationships.
Supplier Company Employee: Employees assigned to projects by suppliers providing workforce to TİMS Group.
Potential Customer: Potential customers interested in receiving services from TİMS Group.
Customer: Third-party legal entities to whom TİMS Group provides products and services under a contractual relationship.
Third Parties: Individuals whose personal data is processed (Actors, Directors, Screenwriters, Musicians, Translators, Employees' relatives, etc.).
Company Representatives and Employees: Representatives and employees of third-party companies with which TİMS Group collaborates.
Data Controller Representative: Representative appointed for TİMS Group companies as per the “Regulation on Data Controllers Registry” published in the Official Gazette dated 30.12.2017 and numbered 30286.
Contact Person: Individuals separately appointed for each TİMS Group company under the Regulation on Data Controllers Registry.
PDPL: Personal Data Protection Law No. 6698, published in the Official Gazette on April 7, 2016, and numbered 29677.
Personal Data Protection Board: The administrative body established to implement the PDPL.
Policy: The TİMS Group Personal Data Protection and Processing Policy.
Application Form: A form to be used by Relevant Persons (Data Owners) to submit requests to the Data Controller (TİMS Group) under the Personal Data Protection Law No. 6698.
5. IMPLEMENTATION AND RESPONSIBILITIES
5.1 TİMS GROUP, as represented by TİMS B STÜDYO FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş. and TİMS PRODÜKSİYON FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş., acts as the “Data Controller” and is responsible for the enforcement of this Policy.
5.2 The management boards of TİMS B STÜDYO FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş. and TİMS PRODÜKSİYON FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş. are authorized and responsible for drafting, implementing, and updating this Policy.
5.3 Relevant persons (employees, employee candidates, interns, visitors, potential customers, suppliers, subcontractors, and third parties such as actors, directors, screenwriters, musicians, translators) are required to act in accordance with this Policy, ensure compliance, and report any violations to the TİMS Group Data Controller Representative.
5.4 This Policy is published on the website www.tims.tv and made accessible by uploading it to shared IT systems.
5.5 Updates to this Policy will be made accessible through the TİMS Group website and shared IT systems following approval by the Company Management Boards.
5.6 In case of discrepancies between the provisions of the Policy and applicable laws, the law’s provisions shall prevail. The Company Management Boards will amend the Policy accordingly and make it accessible.
5.7 The cancellation of the Policy is subject to the decision of the management boards of TİMS B STÜDYO FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş. and TİMS PRODÜKSİYON FİLM VE ORGANİZASYON SAN. VE TİC. A.Ş.
6. PRINCIPLES OF PERSONAL DATA PROCESSING
6.1 General Principles for Processing Personal Data
Personal data is processed in accordance with the Personal Data Protection Law No. 6698, secondary regulations, and the procedures and principles outlined in this Policy.
TİMS Group adheres to the following principles while processing personal data:
6.1.1 Compliance with Law and Good Faith: Personal data is processed in compliance with applicable laws and principles of good faith. TİMS Group considers proportionality requirements and does not process personal data for purposes other than those specified.
6.1.2 Accuracy and Up-to-Date Processing: Measures are taken to ensure the accuracy of personal data and allow individuals to update their information.
6.1.3 Processing for Specific, Explicit, and Legitimate Purposes: TİMS Group determines the purposes for processing personal data clearly and explicitly, ensuring that data is processed only to the extent required for its services.
6.1.4 Relevance, Limited Use, and Proportionality: Personal data is categorized and processed based on the "Data Inventories" prepared separately for each company within TİMS Group to ensure data is relevant and limited to the intended purposes.
6.1.5 Retention for Necessary Duration: TİMS Group retains personal data only for the duration specified by applicable laws or required for processing purposes. Once the retention period ends or the processing purpose no longer applies, data is deleted or destroyed. Any changes to legal retention periods are duly implemented.
7. CONDITIONS FOR PROCESSING PERSONAL DATA
TİMS Group processes personal data in compliance with the conditions outlined in Article 5 of the Personal Data Protection Law No. 6698. These conditions include:
7.1 Consent of the Relevant Person: Explicit consent is the primary legal basis for processing personal data under PDPL. Explicit consent refers to consent given freely, on a specific matter, and based on sufficient information. Before processing personal data, TİMS Group evaluates whether any of the exceptions listed in Articles 5/2 and 6/3 of PDPL apply. If no exceptions apply, data processing is carried out based on explicit consent.
7.2 Legal Obligations: If processing personal data is explicitly required by laws, explicit consent is not required.
7.3 Protection of Vital Interests: In cases where the data subject is unable to give consent due to physical impossibility or legal incapacity, and their life or physical integrity must be protected, personal data may be processed without explicit consent.
7.4 Contractual Necessity: If the processing of personal data is necessary for the establishment or performance of a contract, explicit consent is not required.
7.5 Legal Obligations of the Data Controller: Personal data may be processed without explicit consent if it is necessary for the data controller to fulfill their legal obligations.
7.6 Public Disclosure by the Data Subject: If the data subject has publicly disclosed their personal data, TİMS Group may process this data.
7.7 Legal Claims: If personal data processing is necessary for the establishment, exercise, or protection of a legal claim, explicit consent is not required.
7.8 Legitimate Interests: Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed if necessary for the legitimate interests of the data controller.
8. PURPOSES OF PROCESSING PERSONAL DATA
TİMS Group processes personal data within the framework of the purposes specified in Article 5 and Article 6 of PDPL, which include:
• Managing human resources processes and policies,
• Ensuring compliance with obligations under the Labor Law, Social Security Law, Occupational Health and Safety Law, and other relevant regulations,
• Monitoring employee assignments and entry/exit processes, and managing fringe benefits and entitlements,
• Conducting internal audits and investigations,
• Planning and executing emergency management processes,
• Ensuring compliance with commercial activities as defined in the company’s articles of association,
• Planning and implementing commercial and business strategies, including informing the board of directors,
• Coordinating information/document exchange among TİMS Group companies and third-party legal entities,
• Managing contractual relationships with suppliers and customers,
• Enhancing the visibility and awareness of film and TV productions through media campaigns, including coordination with suppliers providing such services,
• Managing customer and potential customer relationships, addressing complaints and requests,
• Monitoring compliance with applicable legal and regulatory requirements,
• Protecting the physical and digital security of the company’s premises, employees, and assets,
• Fulfilling tax and financial obligations under relevant legislation,
• Protecting intellectual property rights and ensuring compliance with copyright laws.
9. PURPOSES AND METHODS OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
9.1 Purposes of Processing Special Categories of Personal Data
Pursuant to Article 6/1 of the Personal Data Protection Law No. 6698, special categories of personal data include information regarding individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, association, foundation, or union membership, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
Special categories of personal data are processed in compliance with the conditions set forth under Article 6 of the Law and the measures determined by the Personal Data Protection Board. Such data are processed only under the following circumstances:
• With the explicit consent of the data subject, or
• Without the explicit consent of the data subject, in cases where:
◦ Personal data not related to health or sexual life are explicitly permitted to be processed by laws.
◦ Personal data related to health and sexual life are processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, or for planning and managing healthcare services and financing, provided that such processing is carried out by individuals or institutions under an obligation of confidentiality as prescribed by law.
9.2 Methods for Protecting Special Categories of Personal Data
In accordance with the decision of the Personal Data Protection Board dated January 31, 2018, and numbered 2018/10, a systematic, clearly defined, manageable, and sustainable policy and set of procedures have been established to ensure the security of special categories of personal data. Measures include:
• Training Employees: Employees involved in the processing of such data receive regular training on applicable laws, regulations, and best practices regarding the security of special categories of personal data.
• Confidentiality Agreements: Employees processing such data are required to sign confidentiality agreements.
• Access Restrictions: Access to such data is strictly limited, with clear definitions of the scope and duration of access rights.
• Periodic Access Reviews: Access rights are periodically reviewed and updated as necessary.
• Immediate Revocation of Access: Access rights of employees who change roles or leave the organization are immediately revoked, and any assigned equipment is retrieved.
For special categories of personal data processed, stored, or accessed in electronic environments:
• Data is stored using cryptographic methods.
• Cryptographic keys are kept secure and stored in separate environments.
• All actions performed on data are securely logged.
• Security updates for environments where data is stored are regularly monitored, and necessary security tests are conducted, with results being documented.
• User access to data through software is authorized, and security tests of such software are conducted regularly, with results documented.
• If remote access to data is required, at least two-factor authentication mechanisms are implemented.
For special categories of personal data processed, stored, or accessed in physical environments:
• Adequate security measures are taken based on the nature of the data to protect against risks such as electrical faults, fires, floods, and theft.
• Physical security measures are implemented to prevent unauthorized access to areas where such data is stored.
When transferring special categories of personal data:
• If data is transferred via email, it is encrypted and sent through corporate email accounts or Registered Electronic Mail (KEP) systems.
• If data is transferred using portable media (e.g., USB drives, CDs, DVDs), it is encrypted, and cryptographic keys are stored in separate environments.
• If data is transferred between servers in different physical environments, secure methods such as VPN or sFTP are used.
• If data is transferred in paper format, precautions are taken to prevent risks such as theft, loss, or unauthorized access, and documents are labeled as “confidential.”
In addition to the measures outlined above, technical and administrative precautions specified in the Personal Data Security Guidelines published on the website of the Personal Data Protection Authority are also implemented to ensure an appropriate level of security.
10. TRANSFER OF PERSONAL DATA
10.1 Domestic Transfer of Personal Data
TİMS Group may transfer personal data to third parties within the country in accordance with the lawful and legitimate purposes outlined in Section 8 of this Policy and based on one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law (PDPL). Such transfers are carried out under the provisions of Article 8 of the PDPL and may occur in the following circumstances:
• If the data subject has provided explicit consent;
• If there is a specific legal provision mandating the transfer of personal data;
• If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to actual impossibility;
• If the transfer is directly related to the establishment or performance of a contract;
• If the transfer is necessary for TİMS Group to fulfill its legal obligations;
• If the data has been made public by the data subject;
• If the transfer is necessary for the establishment, exercise, or protection of a legal right;
• If the transfer is necessary for TİMS Group’s legitimate interests, provided that the fundamental rights and freedoms of the data subject are not harmed.
10.2 International Transfer of Personal Data
10.2.1 Explicit Consent for International Data Transfer
Pursuant to Article 9 of the PDPL, personal data cannot be transferred abroad without the explicit consent of the data subject. If TİMS Group needs to transfer personal data internationally, it first evaluates whether any of the conditions specified in Article 5/2 of the PDPL are met. If none of these conditions apply, the transfer is carried out based on the explicit consent of the data subject.
10.2.2 Conditions for International Data Transfer Without Explicit Consent
Under Article 5/2 of the PDPL, personal data may be transferred internationally without explicit consent if one of the following conditions is met:
• If it is explicitly provided for by laws;
• If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to actual impossibility;
• If the transfer is directly related to the establishment or performance of a contract;
• If the transfer is necessary for TİMS Group to fulfill its legal obligations;
• If the data has been made public by the data subject;
• If the transfer is necessary for the establishment, exercise, or protection of a legal right;
• If the transfer is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
In such cases, the following additional requirements must also be met:
• The foreign country to which the data will be transferred must ensure an adequate level of protection as determined by the Personal Data Protection Board, or
• If the foreign country does not provide adequate protection, data controllers in Turkey and the recipient country must commit to adequate protection in writing, and the transfer must be approved by the Personal Data Protection Board.
10.3 Transfer of Special Categories of Personal Data
10.3.1 Domestic Transfer of Special Categories of Personal Data
Special categories of personal data are transferred domestically in compliance with Article 8 of the PDPL as follows:
• If explicit consent is required, data is transferred with the explicit consent of the data subject in accordance with Article 8/1;
• If one of the conditions specified in Article 5/2 is met, data is transferred without explicit consent;
• If sufficient measures are taken, data is transferred without explicit consent in the following cases outlined in Article 6/3:
◦ For personal data not related to health or sexual life (e.g., race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, association, foundation, or union membership, criminal convictions, security measures, biometric, and genetic data), if explicitly permitted by laws;
◦ For personal data related to health and sexual life, only for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services, or planning and managing healthcare services and financing, provided that the data is processed by individuals or institutions under an obligation of confidentiality.
10.3.2 International Transfer of Special Categories of Personal Data
In accordance with Article 9 of the PDPL, special categories of personal data are transferred internationally as follows:
• If explicit consent is required, data is transferred with the explicit consent of the data subject;
• If one of the conditions specified in Article 5/2 is met, data is transferred without explicit consent;
• If sufficient measures are taken, data is transferred without explicit consent in the cases outlined in Article 6/3;
• The foreign country to which the data will be transferred must ensure an adequate level of protection as determined by the Personal Data Protection Board, or
• If the foreign country does not provide adequate protection, data controllers in Turkey and the recipient country must commit to adequate protection in writing, and the transfer must be approved by the Personal Data Protection Board.
10.4 Categorization of Personal Data
TİMS Group, in accordance with Article 10 of the PDPL, provides information to data subjects regarding the categories of personal data processed for each group of data subjects. Details are outlined below:
CATEGORIZATION AND TRANSFER OF PERSONAL DATA
10.5 PERSONAL DATA CATEGORIZATION
Identity Information: Information that explicitly pertains to an identified or identifiable natural person and is processed either partially or completely through automated systems or non-automated systems forming part of a data recording system. Examples include: Name-Surname, National ID Number, Nationality, Mother’s Name, Father’s Name, Place of Birth, Date of Birth, Marital Status, Gender, Registered Residence Address, Volume Number, Family Serial Number, Sequence Number, Social Security Number, Religion, Tax Number, Signature Specimen Information, Vehicle License Plate, etc.
Contact Information: Information explicitly related to an identified or identifiable natural person, such as telephone numbers, addresses, email addresses, etc.
Family Members and Emergency Contact Information: Information about the personal data subject’s family members (spouse and children), close relatives, and other individuals to be contacted in emergencies. This is processed by TİMS Group companies to protect the legal and other interests of the data subject. Examples include: Name-Surname, Mobile Phone Number.
Financial Information: Data obtained based on the legal relationship between TİMS Group companies and the personal data subject, such as bank account numbers, IBAN numbers, invoices, checks, promissory notes, etc.
Personnel Information: Data processed for establishing the employment relationship with individuals employed by TİMS Group companies, including all types of personal data required for establishing personnel rights. This also includes the personnel information of third parties.
Professional Experience: Information related to the professional qualifications of an identified or identifiable natural person, such as diploma details, attended courses, in-service training details, certifications, etc.
Special Categories of Personal Data: Information explicitly categorized under Article 6 of PDPL as sensitive personal data, including but not limited to health data, genetic data, clothing details, criminal record data, and security measures-related information.
Visual/Audio Information: Data such as photographs, video recordings, audio recordings, and information included in copies of personal documents.
Transaction Security Information: Data such as IP address information, website access logs, passwords, and authentication credentials.
Legal Process Information: Data related to legal correspondences, case files, and similar legal documents.
Criminal Record and Security Measures: Information related to criminal records and security measures obtained from employees working at TİMS Group companies.
Customer Transactions: Data such as invoices, checks, and requests related to customers receiving products or services from TİMS Group companies.
Complaint/Request Management Information: Information regarding any complaints/requests submitted to TİMS Group companies, processed either partially or completely through automated systems or non-automated systems forming part of a data recording system.
10.6 CATEGORIZATION OF PERSONAL DATA SUBJECTS PROCESSED BY TİMS GROUP
Employee: Individuals employed within TİMS Group companies.
Employee Candidate: Individuals who have applied to any TİMS Group company or provided their resumes/information for evaluation.
Intern: Individuals undertaking internships within TİMS Group companies.
Intern Candidate: Individuals applying for internships at TİMS Group companies and who have made their resumes and related information available for evaluation.
Production Team (Supplier Company Employees): Employees assigned by supplier companies to projects and working on TİMS Group production sets under contractual agreements.
Potential Customer: Potential customers seeking services from TİMS Group companies.
Customer Company Representatives/Employees: Representatives and employees of third-party legal entities to whom TİMS Group provides products and services under a contractual relationship.
Supplier Company Representatives/Employees: Representatives and employees of supplier companies providing goods or services to TİMS Group companies, including subcontractors.
Supplier: Entities providing services to TİMS Group companies under contractual agreements in compliance with TİMS Group’s instructions and directives.
Company Representatives and Employees: Representatives and employees of third-party legal entities with whom TİMS Group collaborates.
Third Parties: Individuals whose personal data is processed, including actors, directors, screenwriters, musicians, translators, employee relatives, and family members (spouse and child information).
Visitors: Individuals visiting the physical premises or websites of TİMS Group.
10.7 CATEGORIES OF PERSONS TO WHOM TİMS GROUP TRANSFERS PERSONAL DATA
In accordance with Articles 8 and 9 of the PDPL, TİMS Group informs data subjects about the categories of individuals or entities to whom personal data is transferred. These include:
• TİMS Group Customers/Subcontractors
◦ For fulfilling obligations regarding the transfer of financial rights from authors in film or television productions, promoting films or series, monitoring contract processes, and managing corporate communication.
• TİMS Group Suppliers/Subcontractors
◦ For introducing actor candidates to production teams, obtaining approvals, monitoring contract processes, fulfilling contractual obligations, and managing corporate communication.
• Third-Party Legal Entities Collaborating with TİMS Group
◦ For ensuring coordination, exchange of information, and documentation between companies involved in collaborative projects.
• TİMS Group Companies
◦ For ensuring coordination and workflow, supporting personnel recruitment processes, maintaining compliance with TİMS Group’s procedures and applicable regulations, planning and executing audit activities, and facilitating commercial activities requiring participation from TİMS Group companies.
• Authorized Private Legal Entities
◦ For purposes within their legal authority and based on their requests.
• Authorized Public Institutions and Organizations
◦ For fulfilling requests within their legal authority.
• TİMS Group Board Members
◦ For planning commercial and business strategies, executing audit activities, and managing administrative processes.
11. METHODS AND LEGAL REASONS FOR COLLECTING PERSONAL DATA
Your personal data may vary depending on your relationship with our companies and may be collected through automated or non-automated methods, including the company headquarters, departments where the companies operate (e.g., sets), websites, call centers, and third-party real or legal entities providing products/services. These data may be collected verbally, in writing, or electronically. Personal data may be generated, updated, and processed throughout your relationship with our company, and may be stored in both digital and physical formats.
12. OBLIGATIONS OF TİMS GROUP AS THE DATA CONTROLLER
During the collection of personal data, TİMS Group provides the following information to data subjects through authorized personnel:
• The identity of the data controller and its representative, if any;
• The purposes for which personal data will be processed;
• The parties to whom processed personal data may be transferred and the purposes of such transfers;
• The methods and legal reasons for collecting personal data;
• Other rights specified under Article 11 of PDPL.
13. RIGHTS OF THE DATA SUBJECT
13.1 Informing the Data Subject
TİMS Group informs data subjects through the “Clarification Text” about the following:
• The methods and legal reasons for collecting personal data;
• The purposes for which personal data will be processed;
• The parties to whom processed personal data may be transferred and the purposes of such transfers;
• The rights of the data subject as specified under Article 11 of PDPL.
13.2 Rights of the Data Subject under PDPL
Unless otherwise provided under the exceptions outlined in Article 28 of PDPL, data subjects may submit requests to TİMS Group concerning the following rights under Article 11 of PDPL:
• To learn whether personal data has been processed;
• To request information if personal data has been processed;
• To learn the purpose of processing personal data and whether it has been used in accordance with its purpose;
• To know the third parties to whom personal data has been transferred within or outside the country;
• To request the correction of incomplete or inaccurate personal data;
• To request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of PDPL;
• To request notification to third parties to whom personal data has been transferred about any rectifications or deletions made pursuant to the above rights;
• To object to decisions made exclusively based on automated processing that have adverse effects on them;
• To claim compensation for damages arising from unlawful processing of personal data.
13.3 Exercising the Rights of the Data Subject
TİMS Group provides guidance on how data subjects can exercise their rights. Applications may be submitted by completing the “Data Subject Application Form” available at TİMS Group’s website (www.tims.tv), using the following methods:
• For written applications:
◦ A signed hard copy of the “Data Subject Application Form” can be personally delivered to the address: Levent Mah. Levent Cad. Lale Sokak No:11 Levent, Istanbul, along with an identity-confirming document.
◦ Alternatively, applications may be submitted by a legal representative with notarized power of attorney or sent via notarized or registered mail to the same address.
• For electronic applications:
◦ The “Data Subject Application Form” can be signed with a secure electronic signature or mobile signature defined under the Electronic Signature Law No. 5070 and sent to the relevant company’s Registered Electronic Mail (KEP) address listed in the appendix or emailed to info@tims.tv.
13.4 Response Time to Applications
Requests submitted to TİMS Group will be responded to in writing or electronically within the shortest time possible and no later than thirty days, depending on the nature of the request. Responses are provided in accordance with Article 7 of the Communiqué on Procedures and Principles of Application to the Data Controller, and any applicable fees may be charged as specified.
14. ENSURING THE SECURITY OF PERSONAL DATA
14.1 Technical Measures to Ensure the Lawful Processing of Personal Data
• TİMS Group takes all necessary technical measures to prevent the unlawful processing and access of personal data and to ensure the proper storage of personal data, as required under the Personal Data Protection Law (PDPL). These measures include regular audits and assessments.
• In accordance with Article 11/3 of the Regulation on the Registry of Data Controllers, published in the Official Gazette dated December 30, 2017 (No. 30286) and effective January 1, 2018, TİMS Group assigns a “Data Controller Representative” within each affiliated company. This role involves identifying data processing purposes and methods, monitoring and auditing data processing activities, ensuring compliance with PDPL and related regulations, and establishing the necessary technical and administrative measures to ensure data security.
• Technical staff are employed in addition to existing personnel to address specific technical requirements.
• Data processing activities are monitored via technical systems, and audit reports are reviewed by the Data Controller Representative. Any additional technical measures identified are promptly implemented.
• The data security infrastructure is analyzed, and any deficiencies or areas for improvement are identified. Necessary improvements are implemented to prevent unauthorized access from external sources. To achieve this, TİMS Group collaborates with third-party experts for technical support and enters into agreements with them to ensure the installation and testing of required software and hardware.
• Internal procedures are promptly developed to address obligations arising from decisions of the Personal Data Protection Board and related regulations. Relevant technical measures are implemented and communicated to employees.
14.2 Administrative Measures to Ensure the Lawful Processing of Personal Data
TİMS Group implements the following administrative measures to ensure the lawful processing of personal data:
• Employees receive periodic training and awareness programs on the Personal Data Protection Law No. 6698 and related regulations.
• Employees are required to sign confidentiality agreements, committing to handle personal and sensitive data in accordance with PDPL provisions. These agreements stipulate that employees:
◦ Will not process data beyond the scope, extent, and duration specified in the relevant regulations or TİMS Group policies.
◦ Will not disclose data to third parties domestically or internationally without the explicit consent of the data subject, except where legally mandated.
◦ Will notify the Data Controller Representative immediately if they become aware of any unlawful data processing.
◦ Will adhere to these obligations even after the termination of their employment.
• Contracts with data processors include clauses that require the processor to:
◦ Process personal data solely for the purposes specified in the agreement.
◦ Take appropriate technical and administrative measures to ensure data security and prevent unauthorized access or unlawful processing.
◦ Avoid disclosing data to third parties in violation of the agreement.
• A “Data Inventory” is maintained for each department’s data processing activities, ensuring that employees’ access to personal and sensitive data is restricted based on their departmental roles. These access controls are audited by the Data Controller Representative.
• Administrative measures are implemented to securely store personal data and prevent its unlawful processing, destruction, alteration, or deletion.
14.3 Technical Measures to Prevent Unlawful Access to Personal Data
• Technical measures are regularly updated and revised to prevent unauthorized access, negligence, or unlawful disclosure of personal data, taking into account the associated costs.
• Internal procedures are promptly developed in line with decisions of the Personal Data Protection Board and related regulations, and technical measures are communicated to employees.
• Antivirus software and firewalls are installed to safeguard data systems.
• Access permissions are restricted based on clearly defined administrative and technical policies, ensuring employees access data only within their authorized scope.
14.4 Administrative Measures to Prevent Unlawful Access to Personal Data
The following administrative measures are implemented by TİMS Group to prevent unlawful access to personal data:
• Administrative decisions regarding access and authorization processes are established and enforced. Employees are informed of these decisions, which are monitored by the Data Controller Representative assigned to each affiliated company.
• Employees are informed that they are prohibited from disclosing personal data they learn during their employment to unauthorized individuals, using such data outside its intended purpose, or violating these obligations even after their employment ends. These commitments are formalized in employment contracts, which include penalties for breaches.
• Interns working within TİMS Group are also informed that they are prohibited from disclosing, accessing, or using personal data outside its intended purpose during their internships. Written commitments are obtained from interns.
• All confidential documents are marked with the phrase “CONFIDENTIAL” on every page.
• Service agreements define “confidential information” and include clauses requiring employees to:
◦ Handle confidential information with care and keep it secure.
◦ Refrain from copying or storing such information without written consent from affiliated companies.
◦ Avoid sharing confidential information with third parties, except as legally required.
◦ Immediately report any unauthorized disclosure of confidential information by another employee.
◦ Return all materials containing confidential information to the company upon termination of their employment.
14.5 Technical Measures for Secure Storage of Personal Data
The following technical measures are implemented to ensure the secure storage of personal data:
• Backup programs are used to ensure the secure storage of personal data in compliance with applicable laws.
• Technical personnel with expertise in data security are employed.
• Servers are stored in physically secure environments. Access to these environments is limited to designated technical personnel, and unauthorized access is prevented.
• Employees are required to log into company systems using usernames and passwords. Employees are trained to avoid sharing their login credentials with others.
• Operating systems, software, and security tools on servers are continuously updated.
• Server logs are regularly audited and monitored.
• Access credentials for database servers, modems, central systems, antivirus programs, and bulk email software are maintained exclusively by the IT Manager.
14.6 Measures for Handling Unauthorized Disclosure of Personal Data
• TİMS Group ensures compliance with Article 12 of PDPL by implementing administrative measures to promptly report incidents of unlawful access to personal data. Such incidents are immediately reported to the “Data Controller Representative,” the data subject, and the Personal Data Protection Board.
15. CAMERA MONITORING ACTIVITIES AT TİMS GROUP HEADQUARTERS
In compliance with the Private Security Services Law and relevant regulations, camera monitoring activities are conducted at the TİMS Group headquarters. The purpose of these activities is limited to ensuring the safety of life and property for employees, visitors, suppliers, customers, and other individuals or entities associated with TİMS Group; monitoring entry and exit points; and maintaining the physical security and surveillance of the building.
Pursuant to Article 10 of the Personal Data Protection Law (PDPL), multiple methods are used to inform data subjects about camera monitoring activities. No surveillance is conducted in areas where monitoring could violate personal privacy beyond security purposes. Live camera footage and digitally recorded images are stored securely, and access to these recordings is limited to a restricted number of employees. Individuals with access to such recordings are required to sign confidentiality agreements, affirming their commitment to maintain the confidentiality of the data.
16. RETENTION PERIODS FOR PERSONAL DATA
Personal data is processed and retained in accordance with applicable laws and secondary regulations to fulfill legal obligations. Retention periods comply with statutes of limitation and processing durations outlined in the legislation. In the event of changes to legal requirements regarding data retention, the newly prescribed durations are implemented.
17. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
TİMS Group implements administrative measures and continues to develop technical infrastructure to ensure that personal data is deleted, destroyed, or anonymized, either automatically or upon the request of the data subject, when the purposes for processing such data no longer exist. These actions are carried out in compliance with PDPL and other relevant legal provisions.
18. POLICY UPDATES
The responsibility for updating this Policy lies with the Boards of Directors of TİMS Group-affiliated companies. Updates are enacted based on decisions made by the Boards of Directors of the affiliated companies.
TİMS Group reserves the right to review and revise the Policy in accordance with changes in legislation.
APPENDIX: TİMS GROUP COMPANIES AND KEP ADDRESSES
• TİMS B STÜDYO FİLM VE ORGANİZASYON SANAYİ VE TİCARET A.Ş.
timsbstudyo@hs03.kep.tr
• TİMS PRODÜKSİYON FİLM ORGANİZASYON SANAYİ VE TİCARET A.Ş.
timsyapim@hs03.kep.tr