Personal Data Protection Law

Information on Personal Data Protection Legislation

Türk Telekom A.Ş. (TT), TTNET A.Ş. (TTNET) and TT Mobil İletişim Hizmetleri A.Ş. (TT Mobil)hereinafter referred to as “Türk Telekom”) for their subscribers/customers within the scope of the Law on the Protection of Personal Data No. 6698 (“Law No. 6698” ) has been updated in accordance with the amendments made to Law No. 6698 in June 2024. This text;

a) The identity of the data controller,

b) The purpose for which personal data will be processed,

c) To whom and for what purposes personal data can be transferred,

d) It contains all the details regarding the method and legal reason for collecting personal data and other rights of the person listed in Article 11 of Law No. 6698.

In addition, information texts are designed and published for relevant person categories such as employees, visitors, etc. and for Türk Telekom Subsidiary sites.

The rights of the relevant person in Law No. 6698

ARTICLE 11 - (1) Everyone may apply to the data controller and obtain information regarding himself/herself;

a) Learning whether personal data is being processed,

b) Requesting information regarding the processing of personal data,

c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

ç ) To know the third parties to whom personal data is transferred, either domestically or abroad,

d) Request correction of personal data if it is processed incompletely or incorrectly,

e) Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 (personal data shall be deleted, destroyed or made anonymous by the data controller ex officio or upon the request of the relevant person if the reasons requiring processing are eliminated),

f) To request that the operations carried out in accordance with clauses (d) and (e) be notified to third parties to whom personal data has been transferred,

g) To object to the emergence of a result to the detriment of the person himself/herself, by means of analysis of the processed data exclusively through automatic systems,

h) In case of damages due to unlawful processing of personal data, the person has the right to demand compensation for the damages.

 

Parties processing data on behalf of Türk Telekom

Türk Telekom has authorized dealers who process customer data on its behalf as third parties. All dealer employees are informed about personal data protection legislation with announcements and information guides, and this information is updated every year. In addition, there are updated subscriber/customer information texts with QR codes in visible areas in all dealers. For workflows that require explicit consent, detailed information texts on the subject addressed to subscriber and dealer employees and customer explicit consent texts have been prepared.

All contracts to which Türk Telekom is a party are reviewed and revised in accordance with Law No. 6698 and its secondary regulations. In addition, within the scope of the administrative precaution obligation to ensure the security of personal data, trainings, announcements and audits are carried out especially for business partners and dealers, and these activities are continued by making necessary updates according to the changes in the legislation.

Responsibility of the Company's management regarding personal data protection legislation

Pursuant to Law No. 6698, the legal entity is responsible for all obligations arising from this law and related legislation. In terms of Türk Telekom, the Türk Telekom Board of Directors/Executive Committee is directly responsible for Personal Data Privacy and Security as the management body of the data controller company.

This context, the Board of Directors decided to establish supreme and subcommittees consisting of Deputy General Managers and Directors to monitor and manage Türk Telekom's compliance with the legislation and the Data Protection Supreme and Subcommittees were established by the decision of the Board of Directors.

With the said decision, the Committees were assigned on behalf of the Company within the scope of fulfilling their obligations arising from Law No. 6698 and in accordance with Article 11 of the Regulation on Data Controllers Registry ("Regulation").

The General Manager/CEO of Türk Telekom is authorized to determine and change the persons who will serve on the committees and the working principles and duties of the committees.

The purpose of the said committees is to coordinate and organize the activities carried out on the governance of personal data protection throughout the Company, to monitor and report the actions to ensure full compliance with the requirements, to support the governance structure, to take and monitor strategic decisions, to identify resource needs, and to set the agenda at the Board of Directors/Executive Committee level.

Members of the Supreme and Subcommittee Committees

i. Members of the Supreme Committee

1- Main Members

  • Deputy Director General for Legal and Regulation
  • Deputy General Manager of Technology
  • Deputy General Manager of Marketing and Customer Services (Representative Marketing and Customer Services Director)

2- Advisory Members

  • Regulation and Compliance Director ( permanent )
  • Cyber Security Director (where necessary)

II. Subcommittee Members

  • Regulation and Compliance Director
  • Cyber Security Director
  • Director of Legal Services
  • Director of Employee Experience and Compensation Management
  • Director of Facilities Management
  • Business Intelligence and Data Governance
  • Director of Data Science Analytics
  • Purchasing Director
  • Individual Sales Operations and Control Group Manager
  • IT Architecture and Quality Assurance Director

Employee training on personal data security and privacy

Personal data security and privacy trainings were assigned to Türk Telekom employees online; regional classroom trainings were also provided to teams such as sales teams, regional employees, dealer employees, etc.

Regular training includes information on the following topics:

  • History and legal basis regarding the European Union Data Protection Regulation and Turkish Legislation on the protection of personal data
  • The Company's main responsibilities in this regard
  • Personal Data Processing Inventory and VERBIS (Data Controllers Registry Information System)
  • Rights of the person concerned
  • Data storage periods and deletion/destruction
  • Penalties included in relevant laws and regulations
  • Special measures to be taken in the company's business processes,
  • Actions to be taken specifically for special personal data
  • Information security awareness

 

“Regulation on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector” published by BTK on December 4, 2020 and entered into force on June 4, 2021. As Türk Telekom, in order to fully comply with the regulation and increase our data protection standards; we have updated our disclosure texts and explicit consent texts within the scope of reviewing all our processes regarding the processing of personal data in accordance with the requirements of the regulation and transparently informing our customers about the purpose of processing their personal data, their sharing status and rights. We have shaped our projects with a risk-based approach.

 

European Union General Data Protection Regulation Compliance Activities

TTNET and TT Mobil are conducting a comprehensive compliance process in order to fully comply with data protection standards under the European Union (“EU”) General Data Protection Regulation (“GDPR”). During this process, we have meticulously implemented the necessary work on many topics, from the creation of the personal data inventory held for individuals resident in the EU to the adaptation of explicit consents to the GDPR , from the assessment of data subject rights to the creation of privacy impact analysis and data protection strategy. Regarding the appointment process of a Data Protection Officer (DPO) and a Data Protection Representative (DPR), 12.03.2024 According to the decision taken at the Board of Directors meeting dated, Deputy General Manager of Legal and Regulation, KVKK Governance Manager affiliated to the Regulation Compliance Directorate was appointed as DPO and Türk Telekom International HU Kft was appointed as DPR. TTNET and TT Mobil continue their compliance processes and take their understanding of transparency and trust towards their stakeholders and customers one step further by integrating their sensitivity regarding data protection and security into all business processes.