WAT Motor Industrial and Commercial Inc.
Personal Data Protection Policy
1. PURPOSE AND SCOPE
This WAT Motor Personal Data Protection Policy ("Policy"), which is part of WAT Motor Industrial and Commercial Inc. ("WAT Motor"), aims to determine the framework of compliance activities to be conducted within the scope of WAT Motor in order to ensure compliance with Legislation regarding the protection and processing of personal data and to provide coordination. In this context, the purpose is to ensure the continuity of personal data processing activities being conducted in accordance with the principles of lawfulness, fairness and transparency as WAT Motor.
WAT Motor employees and managers are obliged to act in accordance with this Policy. Business Partners are also expected to act in accordance with the principles and fundamentals in this Policy to the extent that it is applicable to the relevant transactions.
2. DEFINITIONS
"Explicit Consent" Consent regarding a specific matter, based on being informed and declared with free will.
"Anonymization" Making personal data unable to be associated with any identifiable or identifiable natural person, even when matched with other data.
"Data Subject" Natural person whose personal data is processed (customers, visitors, employees and job candidates, etc.).
"Business Partners" Suppliers, distributors, dealers, authorized service companies, all kinds of representatives, subcontractors and consultants acting on behalf and for the account of the company.
"Personal Data" Any information relating to an identified or identifiable natural person.
"Processing of Personal Data" Any operation performed on personal data, whether fully or partially automated or non-automated, provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making retrievable, classifying or preventing the use of data.
"Koç Group" All companies controlled directly or indirectly by Koç Holding Inc., alone or jointly, and joint-ventures included in the consolidated financial report of Koç Holding Inc.
"Legislation" All relevant legislation in force in Turkey and relevant countries regarding the protection of personal data, primarily Law No. 6698 on Protection of Personal Data.
"Special Categories of Personal Data" Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special categories of data.
"VERBIS" Data Controllers Registry Information System.
"Data Processor" Natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
"Data Controller" Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
3. GENERAL PRINCIPLES
Violation of this Policy may result in severe consequences, including legal, administrative and criminal sanctions depending on the Legislation in the region where activities are conducted, for WAT Motor, its relevant managers and employees, and most importantly, it may cause serious damage to the reputation of Koç Group and WAT Motor.
One of the matters of primary importance for WAT Motor is acting in compliance with Legislation and general principles stipulated in Legislation in the processing of personal data. In this context, WAT Motor is expected to act in accordance with the principles listed below in processing personal data in compliance with Legislation.
WAT Motor conducts personal data processing processes within the scope of its activities in accordance with Koç Holding Inc. Personal Data Protection and Processing Policy.
3.1. Engaging in Personal Data Processing Activities in Compliance with Law and Fairness Rules
Regarding the processing of personal data, actions must be taken in accordance with general trust and fairness rules in compliance with Legislation. In this framework, personal data must be processed in accordance with general legal principles, good faith and general morality, to the extent required by business activities and limited thereto.
3.2. Ensuring Personal Data is Accurate and Up-to-Date When Necessary
Taking into account the fundamental rights of data subjects, it must be ensured that processed personal data is accurate and up-to-date; systems must be established to ensure this by taking necessary measures in this direction.
3.3. Processing for Specific, Clear and Legitimate Purposes
Personal data must be processed for legitimate and lawful reasons. WAT Motor must process personal data in connection with the activities it carries out and to the extent necessary. The purpose for which personal data will be processed must be determined before personal data processing activity begins.
3.4. Being Connected, Limited and Proportionate to the Purpose for Which They are Processed
Personal data must be processed in a manner suitable for achieving the determined purposes, and processing of personal data that is not needed for achieving the purpose must be avoided.
3.5. Keeping for the Period Stipulated in Relevant Legislation or Necessary for the Purpose for Which They are Processed
Personal data must be kept only for the period stipulated in relevant Legislation or required by the purpose of personal data processing.
In this context, first it must be determined whether a specific period is stipulated in relevant Legislation for storing personal data, if any period is determined, it must be acted in accordance with this period, if no period is determined, it must be stored for the period necessary for achieving the purpose of processing personal data. Upon expiration of the period or elimination of reasons requiring processing, personal data must be deleted, destroyed or anonymized. Personal data must not be stored with the possibility of future use.
4. IMPLEMENTATION OF THE POLICY
4.1. PROCESSING PERSONAL DATA IN COMPLIANCE WITH DATA PROCESSING CONDITIONS
4.1.1. Conducting Personal Data Processing Activities Based on Personal Data Processing Conditions Determined in Legislation
Personal data must, as a rule, be processed in compliance with at least one of the conditions determined in Legislation. It must be determined whether personal data processing activities conducted by WAT Motor business units are based on at least one of these conditions, and personal data processing activities that do not meet these conditions must not be included in processes.
4.1.2. Conducting Special Categories of Personal Data Processing Activities Based on Special Categories of Personal Data Processing Conditions Determined in Legislation
Special categories of personal data must, as a rule, be processed in accordance with conditions determined in Legislation. It must be ensured that special categories of personal data processing activities conducted by WAT Motor business units act in accordance with these conditions, and administrative and technical measures to be taken regarding processing of special categories of personal data and the existence of the following conditions must be ensured:
(i) Special categories of personal data other than health and sexual life can be processed without seeking explicit consent of the data subject if clearly stipulated in laws, in other words, if there is a clear provision regarding processing of personal data in the relevant law. Otherwise, explicit consent of the data subject must be obtained.
(ii) Special categories of personal data concerning health and sexual life can be processed without seeking explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions and organizations under confidentiality obligation. Otherwise, explicit consent of the data subject must be obtained.
Processing of special categories of personal data, their transfer to third parties domestically and abroad must be carried out taking into account regulations stipulated in Legislation regarding processing of special categories of personal data; in addition to the matters specified above, personal data processing activities must be carried out by fulfilling the special requirements sought by Legislation in these cases.
4.2. REQUIREMENTS TO BE COMPLIED WITH IN TRANSFER OF PERSONAL DATA
Personal data of data subjects must be transferred to third parties in accordance with personal data processing purposes and legal reasons and by taking necessary security measures. Accordingly, necessary processes must be designed to act in accordance with conditions stipulated in Legislation.
4.3. OBLIGATIONS REGARDING PROTECTION AND PROCESSING OF PERSONAL DATA
4.3.1. Obligation to Register with VERBIS
WAT Motor, which is obliged to register with VERBIS according to criteria determined in Legislation, must register with VERBIS as Data Controller. In case of changes in registered information, information must be updated in VERBIS within seven days from the date the change occurs.
Information about updates made by WAT Motor in VERBIS must be provided to WAT Motor Legal and Compliance Advisory twice a year in 6-month periods (June-December) and reports must be sent to Koç Holding Legal and Compliance Advisory.
4.3.2. Obligation to Inform Data Subjects
When obtaining personal data, data subjects must be informed in accordance with Legislation.
In this context, personal data collection channels must be identified for WAT Motor to fulfill its obligation to inform; data subjects must be informed with information texts having the scope and conditions required by Legislation specific to these collection activities; appropriate processes must be designed accordingly.
Personal data collection channels must be kept up-to-date in a list format by WAT Motor and must be shared twice a year in 6-month periods (June-December) by WAT Motor Legal and Compliance Advisory and with Koç Holding Legal and Compliance Advisory.
4.3.3. Obligation to Ensure Security of Personal Data
Within WAT Motor, with awareness of the importance of ensuring data security in all aspects, appropriate and necessary technical and administrative measures must be taken to prevent unlawful processing of processed personal data or access to them and to ensure lawful storage of data, and necessary audits must be conducted by the company and/or commissioned to a third party in this context.
Training on Legislation must be provided to employees by WAT Motor within the scope of measures. Information about training conducted in this context must be provided to WAT Motor Legal and Compliance Advisory and Koç Holding Legal and Compliance Advisory.
4.3.4. Auditing of Measures Taken Regarding Protection of Personal Data
Systems must be designed to conduct and commission necessary audits regarding the functioning of measures taken in terms of technical and administrative measures. This audit must be reported to WAT Motor Legal and Compliance Advisory and necessary activities must be conducted to improve measures taken. Additionally, audit reports prepared by WAT Motor annually and measures taken must be shared with Koç Holding Legal and Compliance Advisory.
4.3.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
In case processed personal data is obtained by others through illegal means, this situation must be reported to the data subject and relevant authorities as soon as possible in accordance with Legislation. In this context, necessary internal structure including the department or officer responsible for compliance within WAT Motor must be established. Additionally, in such cases, Koç Holding Legal and Compliance Advisory must be informed immediately.
4.3.6. Obligation to Inform Data Subjects
Data subjects have the right to apply to data controllers and request information about their personal data when they need to.
In this context, necessary application channels must be designed in accordance with Legislation for evaluating the rights of data subjects and providing necessary information to data subjects, evaluating applications, responding to applications within periods stipulated in Legislation, and necessary procedures and processes must be established and implemented within the company.
When data subjects submit requests regarding their rights to the company, the relevant request must be concluded as soon as possible and at the latest within thirty days.
When concluding the relevant application, information must be provided in a language and format that the person can understand. Necessary warnings must be made within the company and awareness must be raised about the fact that the data subject has the right to complain to relevant authorities in cases where their application is rejected, the response given is found insufficient, or no response is given to the application within the time limit.
Data subject applications and response processes must be kept in a list format by WAT Motor and must be submitted to WAT Motor Legal and Compliance Advisory twice a year in 6-month periods (June-December) and shared with Koç Holding Legal and Compliance Advisory. Additionally, regarding all kinds of information and document requests coming to the company from relevant authorities and all kinds of applications to be made by the company to these authorities, the opinion of WAT Motor Legal and Compliance Advisory must be obtained before taking action.
5. AUTHORITY AND RESPONSIBILITIES
All WAT Motor employees and managers are obliged to comply with this Policy. WAT Motor expects Business Partners to act in compliance with this Policy to the extent that it is applicable to the relevant party and transaction, and takes necessary steps for this.
WAT Motor Legal and Compliance Advisory is the unit responsible for implementing this Policy.
In case of becoming aware of any action that is thought to be contrary to this Policy, current Legislation, or WAT Motor Ethical Principles or Koç Group Ethical Principles, contact can be made with WAT Motor Legal and Compliance Advisory.
For your questions or matters you have doubts about, please contact the departments or persons listed above. As an alternative method, you can make all your reports regarding ethical violations through the "koc.com.tr/ihbarbildirim" link.
Violation of this Policy may result in significant disciplinary penalties including dismissal. In case this Policy is violated by third parties, the legal relationship between such parties and WAT Motor may be terminated immediately.
6. EFFECTIVE DATE
This Policy is effective from September 15, 2023, and WAT Motor Legal and Compliance Advisory is responsible for implementing the Policy.
| Amendment | Date | Notes |
| 1 | September 15, 2023 | Initial text |