GDPR Policy
MAYA DİJİTAL DANIŞMANLIK LTD. ŞTİ. CORPORATE PERSONAL DATA PROTECTION POLICY
| Document Information | |
|---|---|
| Document Name: | Personal Data Protection Policy |
| Document Purpose: | The purpose of the Personal Data Protection Policy is to plan the processes for the protection of personal data by MAYA DİJİTAL DANIŞMANLIK LTD. ŞTİ. and to determine the principles to be applied in this regard. |
| Publication Date: | 20.04.2026 |
| Version No: | 1 |
| Reference / Justification: | Law on the Protection of Personal Data No. 6698 and other relevant legislation |
| Approval Authority: | MAYA DİJİTAL DANIŞMANLIK LTD. ŞTİ. Board of Directors |
1. PURPOSE
The right of every individual to demand the protection of personal data concerning them is a sacred right stemming from the Constitution. As MAYA DİJİTAL DANIŞMANLIK LTD. ŞTİ. (“Maiamarca”), we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the lawful processing and protection of your personal data.
This Corporate Personal Data Protection Policy has been prepared to determine the principles we adopt and the procedures we apply while processing and protecting personal data, as a result of the importance we attach to personal data protection.
2. SCOPE
The Policy covers all personal data managed by Maiamarca, and any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partially automated, or non-automated as part of a data recording system.
The Policy pertains to all processed personal data of Maiamarca's partners, authorities, customers, employees, supplier authorities and employees, and third parties.
Maiamarca may amend the Policy for compliance with legislation and the decisions of the Personal Data Protection Authority and for the better protection of personal data.
3. DEFINITIONS
| Abbreviation | Definition |
|---|---|
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent freely given, specific and informed, relating to a particular matter. |
| Anonymization | Making personal data impossible to link to an identified or identifiable natural person, even by matching it with other data. |
| Relevant Person | The natural person whose personal data is processed. |
| Relevant User | These are individuals who process personal data within the data controller's organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of data. |
| Disposal | Deletion, destruction or anonymization of personal data. |
| Law/KVKK | Law on Protection of Personal Data No. 6698. |
| Recording Medium | Any environment where personal data is processed wholly or partly by automatic means, or by non-automatic means as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Inventory | An inventory created by data controllers, detailing their personal data processing activities in connection with their business processes; this includes the purposes and legal grounds for processing personal data, data categories, recipient groups to whom data is transferred, and data subject groups. It also specifies the maximum retention period for personal data, personal data intended for transfer to foreign countries, and security measures taken regarding data security. |
| Processing of Personal Data | Any operation performed on personal data, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or blocking its use, wholly or partly by automatic means or by non-automatic means as part of any data recording system. |
| Board | Personal Data Protection Board. |
| Institution | Personal Data Protection Authority |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals. |
| Periodic Disposal | The deletion, destruction or anonymization process of personal data, carried out ex officio at recurring intervals as specified in the personal data retention and disposal policy, when all conditions for processing personal data stated in the Law cease to exist. |
| Policy | Personal Data Protection Policy |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
4. GENERAL PRINCIPLES
Maiamarca checks the compliance of the data to be processed with the following principles at the preparation stage of each new workflow requiring personal data processing. Workflows found to be non-compliant are not implemented.
When processing personal data, Maiamarca:
(I) Complies with law and fairness.
(II) Ensures that personal data is accurate and, when necessary, up-to-date.
(III) Ensures that the purpose of processing is specific, explicit, and legitimate.
(IV) Verifies that the processed data is connected to the processing purpose, processed only to the extent necessary, and proportionate.
(V) Retains data only for the period stipulated in relevant legislation or as required by the processing purpose, and destroys it when the processing purpose ceases to exist.
5. MEASURES TAKEN FOR DATA SECURITY
Maiamarca takes all necessary technical and administrative measures to ensure an appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the protection of personal data.
5.1. Technical Measures
- Network security and application security are provided.
- Security measures are taken within the scope of information technology systems procurement, development and maintenance.
- Access logs are kept regularly.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is backed up, and the security of backed-up personal data is also ensured.
- A user account management and authorization control system is implemented and monitored.
- Log records are kept in a way that prevents user intervention.
- Intrusion detection and prevention systems are used.
- Encryption is performed.
5.2. Administrative Measures
- Disciplinary regulations containing data security provisions are in place for employees.
- Training and awareness activities on data security are regularly conducted for employees.
- Corporate policies on access, information security, use, storage and destruction have been prepared and put into practice.
- Confidentiality agreements are made.
- The authorities of employees whose duties change or who leave their jobs in this area are revoked.
- Signed contracts include data security provisions.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Personal data is minimized as much as possible.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of special categories of personal data have been determined and are being applied.
- Data processing service providers are made aware of data security.
6. RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA
The data subject may apply to Maiamarca to request the following:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing their personal data and whether it is being used in accordance with its purpose,
- To know the third parties to whom their personal data has been transferred domestically or abroad,
- To request the rectification of their personal data if it is incomplete or inaccurate, and to request that the transaction made within this scope be notified to third parties to whom the personal data has been transferred,
- To request the erasure, destruction, or anonymization of their personal data if the reasons requiring its processing cease to exist, even though it has been processed in accordance with the KVKK and other relevant laws, and to request that the transaction made within this scope be notified to third parties to whom the personal data has been transferred,
- To object to any result to their detriment that arises from the analysis of their processed data exclusively through automated systems,
- To demand compensation for damages if they suffer damage due to unlawful processing of their personal data.
7. BREACH NOTIFICATIONS
Maiamarca employees report any acts, actions, or facts they believe violate the KVKK provisions and/or the Policy to the Board of Directors. Following this breach notification, the Board of Directors convenes if deemed necessary and creates an action plan regarding the breach.
If the breach occurred through unlawful acquisition of personal data by others, the Board of Directors notifies the relevant party and the Board within 72 hours, in accordance with the Board's decision dated 24.01.2019 and numbered 2019/10.
8. AMENDMENTS
Changes to the Policy are prepared and approved by the Maiamarca Board of Directors. The updated Policy may be sent to employees via e-mail or published on the website.
9. EFFECTIVE DATE
This version of the Policy came into force upon approval by the Board of Directors on 20.04.2026.