
1. Purpose and Scope

MED Group companies network ("MED Group") includes independent companies with separate legal entities that provide various sections of this website and other websites in the MED Group companies network, and this Personal Data Protection and Processing Policy applies separately to each MED Group member company. You may access our group companies within the MED Group Companies Network via the following link. The main objective of this Personal Data Protection Policy (the "Policy") is to explain the personal data processing activities carried out by the Company pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by our company. This Policy applies to all activities managed by the Company regarding the processing and protection of personal data, along with the relevant detailed data procedures.

2. Definitions

KVKK: Personal Data Protection Law numbered 6698

GDPR: EU General Data Protection Regulation

Data Processor: The natural person or legal entity that processes data on behalf of the data controller with the authority given by the data controller

Data Controller: The one who defines the purpose and the means of processing personal data and is responsible for the management of the data recording system

Data Subject: A natural person whose data is processed, including but not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employee of business partners, and third parties of the Company and its affiliates with whom they have a commercial relationship.

Explicit Consent: consent that is related to a specific issue based on information and expressed with free will.

Personal Data: any information related to a natural person whose identity is known or could be identified.

Sensitive Personal Data: Biometric and genetic information related to race, ethnicity, political or philosophical opinions, religion, sect or other beliefs, appearance, union memberships, health, sex life, convictions and security measures etc.

Processing of Personal Data: Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system

Anonymization of Personal Data: to render data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data.

Deleting Personal Data: to delete or to render personal data in such a way that it is no longer accessible or reusable for the users

Destroying Personal Data: rendering the personal data to make it inaccessible, unrecoverable and not useable by anyone

Company: Data controller MED Group companies.

KVK Board: Turkish Personal Data Protection Board

KVK Authority: Turkish Personal Data Protection Authority

3. Policy

The Company has different policies that cover protection of personal data along with the information security as regards certain work activities and functions. Unless this Policy has additional provisions or higher standards for the protection of personal data, the other different data protection provisions of the company shall prevail.

The relevant regulatory provisions shall apply first in processing and protecting personal data; if there is any contradiction between the articles of this Policy and the legislation, the current legislation shall prevail.

This Policy is prepared in accordance with the rules and procedures foreseen in KVKK and related law for the protection of personal data. In this context, as the Data Controller is also liable under KVKK to prevent the illegal processing of personal data and to protect personal data from being accessed illegally, he/she must take all necessary technical and administrative measures.

4. Principles To be Followed While Processing Data

Our Company acts in accordance with the following general principles in all of its Personal Data Processing activities:

5. Personal Data Collected

Your personal data collected by our company varies according to the quality of the relationship with our company and the legal obligations. Your personal data collected can be listed as follows:

6. The Purposes of Processing Personal Data

Our company informs data subjects when obtaining personal data, as required by KVKK and related legislation. In this context, the Company provides a notification/information regarding the purpose of data processing, the transfer of the data and to whom the data shall be transferred, the method of collecting personal data and the legal purpose of collecting personal data.

The purpose of processing personal data information varies according to the relationship between the company and personal data subject and legal nature of the business.

The purposes of processing personal data by the Company are as follows:

7. Methods of Processing Personal Data and Its Legal Ground

Personal data can be obtained/received by parties who are data subject and/or third parties who have explicit consent from the data subject.

The obtained personal data can be processed by collecting, saving, editing, configuring, storing, adapting, changing, using, transferring, deleting, destroying and anonymizing.

Personal Data may be processed by one or more of the above methods without the explicit consent of the data subject in the presence of one of the legitimate reasons listed in Article 5 of KVKK:

8. Retention and Destruction of Personal Data

9. Transfer of Personal Data

a. Local Transfers

Personal data is not transferred to any third party without explicit consent, unless this is legally required under KVKK and relevant legislation, or in cases where it is mandatory to share it with external parties due to administrative / juridical cases. However, as per Article 5 and Article 6 of KVKK, where legal grounds are present and it is legally required, consent / explicit consent will not be sought for transfers to third parties.

Our Company fulfills its obligation to inform the Data Subject regarding this transfer. Accordingly, the institutions, organizations and / or persons to which data can be transferred are listed below.

b. Transfers Abroad

The Company may transfer personal data abroad by obtaining the explicit consent of the data subject and taking the appropriate and necessary security measures foreseen in KVKK and related legislation. In situations where the explicit consent of the data subject is not sought, it is considered whether the country to which the data will be transferred has “adequate country” status and provides enough protection. If the Authority considers that the transferee country does not have adequate country status, the Authority's approval should be obtained, and a data transfer protocol should be signed to guarantee enough protection.

c. Parties Conducting the Transfers

10. Measures Regarding the Provision of Data Security

Our company takes technical and administrative measures to prevent data breaches to ensure the security of personal data. In this context, our Company;

11. Data Protection Officer (DPO)

12. Data Inventory

MED Group has established a data inventory as part of its approach to address risks and opportunities throughout its KVKK and GDPR compliance project.

13. Rights of The Data Subject

Within the scope of Article 11 of KVKK the data subject has the following rights and if he/she wishes, he/she can use his/her rights by reaching the data controller in the methods determined by him/her:

14. Exercises of Rights of Data Subject

In accordance with KVKK regulations, if you have inquiries on your rights mentioned hereinbelow, you can complete the Data Subject Application Form and send it, along with ID verification documents, to the address MED GROUP Büyükdere Caddesi Polat Han No:87 Kat:5 Mecidiyeköy 34381 Şişli-İstanbul/Türkiye, either by hand or via postage services, or by sending an email to info@med-group.com.tr. All queries will be answered within 30 days of receipt.

If the transaction requires an additional cost, the tariff set by KVKK will be charged.

MED GROUP companies network internet website address is med-group.com.tr/ and Moores Rowland International's web address is www.mooresrowland.com.tr where MED GROUP has the exclusive naming rights in Turkey.