POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

I. INFORMATION ON THE LAW
The Protection on Personal Data Law numbered 6698 (the "PPDL") has come into effect on 07.04.2016. The PPDL sets forth the procedures and principles regarding personal data processing by real persons or legal entities classified as "data controller" of personal data and determine the purposes and devices of processing personal data and are responsible for establishing the data recording system.
Within the scope of the PPDL;
- Explicit Consent: It refers to consent on a specific subject, based on the information and expressed in free will,
- Anonymization: It refers to make personal data unassociated to an identified or identifiable real person by any means, even by pairing the same with other data,
- Person concerned: It refers to a real person whose personal data is processed,
- Personal data: It refers to any information related to the identified or identifiable real person,
- Processing of Personal Data: It refers to all kinds of transaction performed on personal data such as obtaining, recording, storing, retaining, changing, re-arranging, disclosing, transmission, taking over, making available, classification, or prevention of use through fully or partially automated ways or non-automated ways provided that these are part of any data recording system,
- Data Processor: It refers to a real person or legal entity who processes personal data on behalf of the data controller by basing on the authority granted by the same,
- Data recording system: It refers to the recording system in which personal data is structured and processed according to specific criteria, ı) Data controller: The real person or legal entity who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
.
The PPDL, other regulations impose the data controllers' obligation to inform/clarify the data owners whose personal data will be processed during personal data acquisition.
According to Article 10 of the PPDL, data controllers shall inform the data owners of the identity of the data controller and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11 of the PPDL. Our Policy on Processing and Protection of Personal Data has been prepared within this purpose's scope and this legal responsibility and submitted to the users.

II. PURPOSE OF COLLECTING and PROCESSING PERSONAL DATA
Our Company processes personal data for the purposes of promoting, conducting marketing in the field of activity of the company, improving the website and services, providing services to users, making the website easy to use, providing customer service, providing users with a personalized experience, conducting personalized advertising and marketing,  and in order to determine the information of the transaction owner within the scope of the Law on the Regulation of Electronic Commerce numbered 6563, the Law on the Protection of Consumer Numbered 6502 and the Regulation on Electronic Commerce Service Providers and Intermediary Service Providers, which was published in the Official Gazette dated 26.08.2015 and numbered 29457 prepared on the basis of the aforementioned regulations, the Distance Contracts Regulation, which was published in the Official Gazette dated 27.11.2014 and numbered 29188, and other relevant legislation; to record the identity, address and other necessary information of the transaction owner, to arrange payment systems that are mandatory in the field of banking and electronic payment and all the records and documents that will be the basis of the electronic contract or transaction in paper; to comply with the information storage, reporting and providing information obligations stipulated by the legislation and other authorities, for the purposes of meeting the requests of the competent authorities, fulfilling legal obligations, providing transaction security, preventing illegal activities and by basing on the legal reasons which are "processing personal data belonging to parties of an agreement, is necessary provided that it is directly related to the conclusion or fulfillment of the agreement, processing personal data is mandatory for the data controller to be able to perform its legal obligations; processing personal data is mandatory for the establishment, exercise or protection of any right, processing personal data is mandatory for the legitimate interest of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data owner" and within the framework of the conditions and purposes of processing personal data set forth under the articles 5 and 6 of the PPDL.  
Providing information on third persons or organizations to which your personal data can be transferred, for the purposes stated above; the persons/organizations to which your personal data that you share with our Company can be transferred to persons and organizations related to the services provided such as especially the company that provides the e-commerce infrastructure of our Company, suppliers, cargo companies, and program partner organizations with which we cooperate in order for us to conduct our activities and/or that we receive services as the Data Controller, domestic/foreign organizations and other 3. persons.
Your personal data is collected in audio, electronic, or written form through websites, mobile applications of websites, social media accounts, cookies, call centers, received notifications sent by administrative and judicial authorities, and other communication channels.

III. PRINCIPLES REGARDING PURPOSE OF USE AND SHARING OF PERSONAL DATA
Under Article 5 of the PPDL;
Personal data cannot be processed without the explicit consent of the person concerned. However, in the event of one of the following conditions, it is possible to process personal data without the explicit consent of the person concerned:
- If it is explicitly stipulated in the laws.
- It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving her/his consent or whose consent is not deemed legally valid.
Processing personal data belonging to the parties of an agreement is necessary, provided that it is directly related to the conclusion or fulfillment of such agreement.
- It is mandatory for the data controller to be able to perform its legal obligations.
- The person concerned is made available her/his personal data to the public by her/himself.
- The data processing is mandatory for the establishment, exercise, or protection of any right.
- It is mandatory for the data controller's legitimate interests, provided that this processing shall not violate the fundamental rights and freedoms of the person concerned.
Furthermore, as per Article 6 of the PPDL; Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions, and security measures, and the biometric and genetic data are deemed to be personal data of unique nature. It is forbidden to process personal data of unique nature without the explicit consent of the person concerned. However, personal data, excluding those relating to health and sexual life, listed in the first paragraph of the Law may be processed without seeking the person's explicit consent in the cases stipulated in the laws. In this context, our Company can transfer your personal data within the framework of the conditions stated under articles 5 and 6 of the PPDL.
Our Company clarifies the Clarification Text data owners as per Article 10 of the PPDL before collecting personal data from the data owners/users, within the scope of its obligations arising due to its capacity as the data controller PPDL. In the circumstance where any data processing process carried out by our Company does not meet the conditions specified in the PPDL, explicit consent will be obtained from the data owners, and the transactions will be carried out within the framework of explicit consent.
According to the principles of the PPDL; it may be possible to share your personal data to provide content and services such as registration, transaction, and customer support, to detect or prevent fraudulent transactions or transactions that are suspected of being related to deceit, illegal transactions, data security breaches, providing personalized and relevant advertising to our users, to direct the decisions to be made on products, website, applications, services and marketing communications.
We may also share your personal data to comply with legal requirements, fulfill our agreement with users, interfere with claims that any content violates the rights of others, or protect anyone's rights or safety. Data may also be shared with law enforcement or official authorities or authorized third persons in response to an official request regarding criminal investigations or suspected illegal activities and other activities that may expose the Company or users to legal liability.
As per Article 9 of the PPDL, your personal data obtained by any of the methods listed above, to be stored and processed in or outside  Turkey, may also be transferred to the service intermediaries located abroad (countries accredited by the Personal Data Protection Board and where there is adequate protection for the protection of personal data), provided that it is within the scope of the PPDL and per the purposes of the agreement.

IV. PROTECTION OF PERSONAL DATA
Our Company takes all technical and administrative precautions within the scope of the PPDL;
- in order to prevent the illegal processing of personal data,
- to prevent illegal access to personal data,
- to ensure the protection of personal data and to ensure the appropriate level of security.
Our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, possible data loss, deliberate deletion, or damage to personal data to ensure personal data security. In this context, software and hardware security measures are taken per the personal data processed, training and audits are carried out, and in-house authorizations are made according to the principles of the PPDL.
In line with Article 4 of the PPDL, our Company must keep your personal data accurate and up to date. In this context, in order for our Company to fulfill its obligations arising from the current legislation, our customers must share their accurate and up-to-date data or update such data via the website/mobile application.
We will keep your personal data for as long as it is necessary for and related to the Company activities, as required by our storage purpose and our obligations arising from the legislation. The storage period may vary according to the period that we need personal data to provide our services as a Company; however, such a period is usually shorter if the personal data is personal data of unique nature. Additionally, if you give your explicit consent to your personal data storage for a more extended period, your data will be stored for that long period. If we have a legal, contractual or similar obligation to store your personal data, it is possible to store your personal data for a period required to comply with the Law, assist investigations, and carry out other actions required by the legislation. If the circumstances requiring your personal data storage are disappeared, your personal data shall be securely destructed or anonymized.

V. RIGHTS ARISING FROM THE PROTECTION OF PERSONAL DATA LAW
According to Article 11 of the PPDL, users who are data owners have the following rights; When the user demands to exercise one or more of the above-stated rights, s/he shall make a written application to our Company at the address of ŞERİFALİ MAH. TÜRKER CAD. NO: 51/2 ÜMRANİYE- ISTANBUL, and s/he may also reach our Company through our registered e-mail address using a secure electronic signature, mobile signature, or customer services.

E-mail: info@keyway.com.tr
Telephone: +90 (216) 466 20 06