IIHSE Personal Data Protection and Processing Policy

AIM

As part of its legal and social responsibility; The International Health Safety Environment Institute (“Institute”) is obliged to act in accordance with the current legislation on the protection of personal data, primarily the Constitution of the Republic of Turkey (“Constitution”) and the Personal Data Protection Law No. 6698 (“PDP Law”), and the Institute carries out the necessary work to protect personal data by making compliance with the said legislation a life cycle. Within the scope of these works, the Institute has prepared the Personal Data Protection, Processing, Storage and Destruction Policy. As part of its legal and social responsibility, the Institute undertakes to comply with national personal data protection regulations. With this Policy, the Institution aims to inform the relevant persons about the processes of protecting and processing, deleting, destroying and anonymizing the personal data of customers, potential customers, job candidates, volunteers, members, Institution officials, visitors, employees, shareholders and officials of institutions with which it cooperates and third parties.

The Institute collects personal data in order to provide better service to its members, primarily real and/or legal persons, in addition to its legal responsibilities. The collected personal data enables the Institute to access the advantages it provides, to provide information about its personalized advantageous suggestions and future activities. In addition, the collected data enables us to receive the most accurate feedback about our services and services by exchanging information with personal data owners. The Institute, which is the data controller in accordance with the Personal Data Protection Law and the relevant legal legislation, determines the basic principles adopted in the processing and protection of personal data, the administrative and technical measures taken for the protection of personal data, and the procedures and principles for determining the maximum period required for the purpose for which they are processed with this Policy. This Policy includes detailed explanations by the Institute regarding which data is personal data, which personal data is stored, the administrative and technical measures taken for the protection of personal data, and the processing, storage, enlightenment and information of personal data owners, transfer to third parties and protection.

2. SCOPE

This Policy is related to all personal data of members, potential customers, job candidates, institution stakeholders, institution officials, visitors, employees, shareholders and officials of institutions we cooperate with and third parties processed automatically or non-automatically provided that it is part of any data recording system. The Institute, which is the data controller in accordance with the Personal Data Protection Law and relevant legislation, determines the basic principles adopted in the processing and protection of personal data, the administrative and technical measures taken for the protection of personal data and the procedures and principles regarding the determination of the maximum period required for the purpose of processing, deletion, destruction and anonymization processes with this Policy. The following entities that process and store personal data within the Institute and all processes related to these entities are within the scope of this Policy;

All printed or written documents, documents, files containing personal data

All applications containing personal data

All databases containing personal data

In this context; it is related to the personal data collected with the consent of the members, potential members, employees, employee candidates, Institute shareholders, authorities, our Institute website, our Institute mobile application, employees, shareholders and authorities of the institutions we are partners with and third parties, which are processed by fully or partially automatic means or non-automatic means provided that they are part of any data recording system. Anonymized and unidentifiable data such as data obtained for statistical evaluations or studies that do not contain personal data and data related to legal entities are not considered personal data and are not subject to this Policy. This Policy also applies to the real person customers of the Institute and its subsidiaries under its control and other real persons who do not have a specific framework agreement with the Institute and its subsidiaries under its control. The Institute expressions in this Policy will also cover the institution and its subsidiaries under its control.

3. ENFORCEMENT AND UPDATES

The Policy has been published on the website by our Company and presented to the public. In case of conflict between the current legislation, especially Law No. 6698, and the regulations included in this Policy, the provisions of the legislation shall apply. The Company reserves the right to make changes to this Policy in line with the legal regulations. The current version of the Policy can be accessed from the Institute website (www.iihse.com).

4. DEFINITIONS

Explicit Consent

Consent based on informed consent and expressed freely on a specific subject.

Personal Data

Any information relating to an identified or identifiable natural person. For example; name-surname, TR ID Number, e-mail address, telephone information, address, date of birth, credit card number, etc.

Special Personal Data

Data regarding race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Personal Data Owner

The natural person whose personal data is processed

Anonymization

It is the change of personal data in such a way that it loses its personal data quality and this situation cannot be reversed.

Worker

Institute staff

Employee Candidate

Natural persons who have applied for a job in any way or have made their CV and related information available for review by the Institution.

Constitution

Constitution of the Republic of Türkiye

Personal Data Protection Law

Personal Data Protection Law No. 6698

Personal Data Protection Board

Personal Data Protection Board

Personal Data Protection Authority

Personal Data Protection Authority

Processing of Personal Data

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

Customer

Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him. For example, a call center that makes calls within the framework of instructions, etc.

Data Recording System

A registration system in which personal data is structured and processed according to certain criteria.

Data Owner

The natural person whose personal data is processed

Data Controller

The data controller is the natural or legal person who determines the purposes and means of processing personal data, establishes and manages the place where the data is systematically kept (data recording system).

Data Controllers Registry

The Data Controllers Registry, which is kept by the Presidency of the KVK LAW Institution under the supervision of the KVK LAW Board and is open to the public.

Visitor

Natural persons who have entered the institution's physical premises or visited its websites for various purposes.

Employees, Shareholders and Authorities of Institutions We Collaborate With

Natural persons who are employees, shareholders and officers of institutions that have a business relationship with the Institute (including, but not limited to, performance assistants, business partners, suppliers, program partners, etc.)

Institute Suppliers

Third parties from whom the Institute purchases products and/or services on a contract basis

Potential Customer

Real persons who have requested or will request to purchase and/or use our products and services and who have been assessed in accordance with commercial practices and rules of integrity.

Policy

Istanbul Sea Buses Industry and Trade Inc. Personal Data Protection, Processing, Storage and Destruction Policy

Institute

International Institute for Health, Security and Environment

Institute Shareholders

Natural persons who are shareholders of the Institute

Company Official

Institute board members and other authorized real persons

Institute Data Owner Application Form

The application form that data owners will use when applying for their rights stipulated in Article 11 of the Personal Data Protection Law.

Third Party

Third parties who are in contact with the above-mentioned parties to ensure the security of commercial transactions between the Institute and the parties or to protect the rights and provide benefits to the said parties.

Policy

Istanbul Sea Buses Industry and Trade Inc. Personal Data Protection, Processing, Storage and Destruction Policy

5. CATEGORIZATION OF PERSONAL DATA

The categories and explanations of personal data to which the natural person is identified and/or identifiable, which are processed partially or fully automatically or non-automatically as part of the data recording system within the scope of data processing activities carried out by the Institute, are listed below:

PERSONAL DATA CATEGORIZATION

PERSONAL DATA CATEGORIZATION EXPLANATION

Identity Information

All information such as Turkish identity number, nationality, mother's name and father's name, place and date of birth, gender, SSI number, signature information, vehicle plate, etc. in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate.

Contact Information

that clearly belongs to a real person, such as telephone number, address, e-mail , fax number.

Special Information

The data specified as “special personal data” in Article 6 of the Personal Data Protection Law are “race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, association, foundation or union membership information, data regarding health and sexual life, data regarding criminal convictions and security measures, and biometric and genetic data”.

Physical Space Security Information

Personal data such as camera and audio recordings, fingerprint records, records taken at the security point, records taken at the entrance to the physical location, during the stay in the physical location, etc., which are processed to ensure our security in every aspect while conducting our commercial activities, to be kept within the data recording system.

Customer Information

Information obtained and produced from real person customers as a result of our commercial activities and the operations of the relevant units within the scope of these activities.

Customer Transaction Information

Records regarding the purchase of our services belonging to our customers within the data recording system, information obtained within the scope of the instructions required for purchase, and personal data processed for the personalization and marketing of usage and purchasing habits in line with the taste and needs of the personal data owner who purchases and/or uses our products and services, and reports and evaluations generated as a result of this processing.

Request/Complaint Management Information

Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to the communication channels of the Institute by real persons who are or are not customers of the Institute.

Reputation and Incident Management Information

In order to protect the commercial reputation of the Institute and to ensure that the public is informed correctly, personal data and evaluations (shares made about the Institute, etc.) are collected from social media etc. regarding events that have the potential to affect the Institute's employees and shareholders.

Financial Information

Personal data such as IBAN number, credit card information, financial profile, etc. processed within the scope of records showing all kinds of financial results within the framework of the legal relationship established by the Institute with the personal data owner.

Marketing Knowledge

Personal data processed for the customization and marketing of our products and services in line with the usage habits, tastes and needs of the personal data owner, and reports and evaluations created as a result of this processing.

Risk Management Information

Personal data processed through methods used in accordance with generally accepted legal, commercial practices and the rule of honesty in these areas so that we can manage our commercial, technical and administrative risks.

6. PROCESSING OF PERSONAL DATA

The institution takes technical and administrative measures in accordance with technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they learn to anyone else in violation of the provisions of the Personal Data Protection Law and cannot use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are obtained from them in this regard. The Institute's personal data processing activity covers all actions taken against data using automatic, semi-automatic or non-automatic means, without any restrictions. The Institute has the right to process a data subject's information during the period its services are used and after the termination of the relationship, by complying with the principles set forth below. The Institute may process the personal data of the data subject or third parties specified by the data subject for various purposes, including but not limited to the following:

The Institute raises awareness among data processing institutions, such as business partners and suppliers to whom it transfers personal data, on preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the lawful storage of data.

The obligations that the Institute has to comply with when processing personal data as the data controller and the obligation to comply with the legal, administrative and technical measures it has developed in this regard are imposed on the data processing institutions with which the Institute has relations as suppliers, business partners, etc., in accordance with the nature of the activities they carry out in data processing.

The Institute takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

The Institute conducts or has conducted the necessary audits within its own organization in accordance with Article 12 of the Personal Data Protection Law. The results of these audits are reported and necessary activities are carried out to improve the measures taken.

The Institute operates a system that ensures that personal data processed in accordance with the article of the Personal Data Protection Law is notified to the relevant personal data owner and the Personal Data Protection Board as soon as possible in the event that the personal data is obtained by others through illegal means.

Scope of Processing of Personal Data

During the period in which the institution's services are used and after the termination of the relationship, the institution is responsible for this Policy.

A data subject shall have the right to process his/her information, provided that the principles set out in Article 6.3 are complied with.

Personal data processing by the institution covers, without any restriction, any action taken on data using automatic, semi-automatic or non-automatic means. In other words, personal data processing means receiving, collecting, recording, photographing, recording audio, recording video, organizing, storing, changing, restoring, retrieving or disclosing data from the data owner or third parties for the purposes of transferring, disseminating or presenting by different means, grouping or combining, blocking, deleting or destroying, obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making available, classifying or preventing the use of data, in whole or in part, by automatic means or non-automatic means provided that it is part of any recording system.

6.2. Purposes of Processing Personal Data

The Institute may process personal data of the data owner or third parties specified by the data owner for various purposes, including but not limited to the following.

INSTITU has the right to process a data owner's information throughout the period its services are used and after the relationship has ended, in accordance with the principles set out below.

INSTITUTE may process personal data of the data owner or third parties specified by the data owner for various purposes, including but not limited to the following:

To ensure that the Institute's services are carried out properly and properly;

Fulfilling obligations within the scope of legal legislation,

To make our website and applications easier to use,

Information storage, reporting, notification and provision of information to audit companies, the relevant proxy or the proxy, as required by regulatory and supervisory authorities,

Planning, auditing and execution of information security processes,

Preparation and presentation of various reports, research and/or presentations,

Collecting, evaluating and responding to complaints, questions, requests and suggestions of the Data Owner,

Planning and execution of customer relations management processes,

Planning and/or execution of customer satisfaction activities,

Carrying out promotion, marketing, promotion and campaign activities for the services,

Planning and execution of sales processes of products and/or services,

Fulfilling the requirements of the contracts concluded with the customer,

Following up on legal affairs,

Monitoring contract processes and/or legal requests,

To get to know our members and improve our communication,

Providing better and more reliable service to the customer, developing more suitable services and products, and ensuring that these are maintained without interruption,

Recommending products and services offered by the Institute by customizing them according to customers' tastes, usage habits and needs,

Management of relations with business partners and/or suppliers,

Ensuring the security of the company's Head Office, terminals, and warehouse facilities,

Planning and execution of emergency management processes,

Planning and execution of personnel processes for subcontractor employees

Monitoring of finance and/or accounting affairs,

Planning and monitoring of building and/or construction works,

Planning company recruitment and employee processes, planning and execution of market research activities for sales and marketing of services,

Planning and execution of corporate communication activities

Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

According to Article 5 of the PDP Law, personal data can only be processed in accordance with the procedures and principles stipulated in the PDP Law and other relevant legislation. As an institute , personal data is processed in accordance with the procedures and principles stipulated in the PDP Law and other relevant legislation; Within the scope of the PDP Law, it is clearly regulated that the following principles must be followed in the processing of personal data.

Processing of Personal Data in Accordance with Law and the Rules of Integrity,

The Institute carries out the processing of personal data in accordance with the legal regulations, especially the Constitution of the Republic of Turkey, the Personal Data Protection Law and other relevant legal legislation, and the rule of honesty, primarily based on trust.

Ensuring the Accuracy and Up-to-dateness of Processed Personal Data

the Institute has established systems and processes to ensure the accuracy and up-to-dateness of the personal data it processes. In this context, the Institute takes the necessary measures to ensure that personal data owners correct their personal data and confirm its accuracy.

Processing of Personal Data for Specific, Clear and Legitimate Purposes

the Institute clearly and precisely determines the purpose of processing personal data before starting the processing of personal data, and processes it for clear and lawful purposes.

Processing of Personal Data in a Limited and Proportionate Way in Relation to the Purpose

The Institute processes personal data in connection with the purpose of providing the service that it has determined before starting the processing activity and to the extent necessary. The INSTITUTE does not process personal data that is not related to the purpose or is assumed to be needed in the future. The processing of personal data is limited to the Institute's activities and legal obligations.

Preservation of Personal Data for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose of Processing The Institute preserves personal data for the period stipulated in the PDP Law and relevant legislation or necessary for the purpose of processing. Accordingly, if a period is stipulated in the relevant legislation, the Institute stores personal data for the period limited to this period, if no period is stipulated, the Institute stores it for the period necessary for the purpose of processing. The Institute does not store personal data for the possibility of future use. The Institute does not store personal data for the period expiration or

processing are eliminated, personal data is deleted, destroyed or anonymized.

Conditions for Processing Personal Data

The Institute processes personal data only in cases stipulated by law or with the explicit consent of the person. In addition to explicit consent, personal data may also be processed if one of the other conditions listed below is present. The basis for personal data processing activity may be only one of the conditions listed below, or more than one of these conditions may be the basis for the same personal data processing activity. If the processed data is special personal data, the conditions listed below apply.

In accordance with the regulation in Article 5 of the PDP Law, the Institute processes personal data, as a rule, with the explicit consent of the person. However, in accordance with Article 5, Paragraph 2 of the PDP Law; the Legislator has allowed the processing of personal data in the absence of explicit consent. Accordingly; personal data may be processed by the Institute in the presence of one and/or more of the other conditions stated in the following subparagraphs "Explicitly Seen in the Law" and "Data Processing is Mandatory for the Legitimate Interest of the Institute , Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Relevant Person ". Although the existence of only one of the conditions specified below is sufficient for personal data processing activity; the existence of more than one of the conditions in question may also be the basis for the same personal data processing activity. The conditions to be applied in cases where the processed data is special personal data are also mentioned in Section 7.1 of the Policy .

Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the personal data owner. The personal data owner must be sufficiently informed about a specific issue and must declare that they have given their free will and unambiguously given consent to the processing of their personal data based on this information.

Explicitly Provided in Laws

the Institute in accordance with the law without the explicit consent of the data owner , if it is clearly provided for in the law . For example; Personal data is processed while keeping the workplace registration file of employees within the framework of the Labor Law and relevant legislation.

When it is necessary for a person who is unable to express his/her consent due to a physical impossibility or whose consent is not legally recognized to protect his/her own life or the physical integrity of another person

If the data subject is unable to give his/her consent due to a de facto impossibility or if the consent cannot be validated, and if the processing of personal data is necessary to protect the life or physical integrity of the person or another person, the data subject's personal data may be processed. If the personal data subject is unable to give his/her consent or if the consent cannot be validated, and if the processing of personal data is necessary to protect the life or physical integrity of the person or another person, the data subject's personal data may be processed. For example; If the health information of a guest who has an accident at the Institute 's event area is provided to the Institute authorities by his/her family, these personal data are processed.

Processing of Personal Data of the Parties to a Contract is Necessary, Provided That It Is Directly Related to the Establishment or Performance of a Contract

Personal data may be processed by the Institute if it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract .

Data Processing is Necessary for the Institute to Fulfill its Legal Obligations

If data processing is necessary for the Institute to fulfill its legal obligations, the personal data of the data owner may be processed. For example, in accordance with complaints made to the Public Prosecutor's Office regarding expenses made with credit cards without the knowledge of the credit card holders, the provision of personal data in case of request for service payment data made to the Institute with the decision of the Public Prosecutor's Office.

Personal Data Owner's Making His/her Personal Data Public

If the data owner has made his/her personal data public (publicly disclosed in any way or form, such as social media etc.), the relevant personal data may be processed by the Institute without explicit consent. For example, if a person leaves his/her phone number on the homepage of the Institute's social media account and writes that he/she is looking for a job, this data may now be processed without his/her explicit consent, but only to the extent of this.

Data Processing is Necessary for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the data owner's personal data may be processed.

Provided that it does not harm the fundamental rights and freedoms of the relevant person. Data Processing is Necessary for the Legitimate Interest of the Institute While the protection of personal data is a constitutional right; personal data of the data owner may be processed if data processing is necessary for the legitimate interests of the Institute , provided that it does not harm the fundamental rights and freedoms of the personal data owner . For example, personal data processing activities in calculations to be made by the financial affairs department.

7. PROCESSING OF SPECIAL NATURE PERSONAL DATA

Conditions for Processing Special Personal Data

Personal data determined as “special nature” within the scope of the Personal Data Protection Law due to the risk of causing victimization or discrimination to individuals when processed unlawfully are also specified in this Policy due to this sensitivity.

The special personal data defined in Article 6, Paragraph 1 of the PDP Law is also defined in the PDP Law.

As stated in Article 2, Paragraph 1 of the Personal Data Protection Law, processing of personal data without the explicit consent of the data owner is prohibited. Article 6, Paragraph 3 of the Personal Data Protection Law regulates the exceptions to this rule.

The Institute processes special personal data in accordance with the above-mentioned article of the law, provided that adequate measures are taken, as determined by the Personal Data Protection Board.

7.2. Protection of Special Personal Data

Due to the risk of causing victimization or discrimination to individuals when processed illegally, certain personal data are also specified in this Policy in accordance with the Personal Data Protection Law. Processing of Special Personal Data is clearly stated in Article 7.1 of the Policy.

Necessary measures are taken for employees involved in the processing of special personal data; regular training is provided on the Law and related regulations and on special personal data security issues, confidentiality agreements are made, the scope and duration of authorization of users with access to data are clearly defined, periodic authorization checks are carried out, the authorizations of employees who change their duties or leave their jobs are immediately revoked in this area, and in this context, the inventory allocated to them by the data controller is returned.

If the environments where special personal data is processed, stored and/or accessed are electronic environments; the necessary measures are taken to preserve the data using cryptographic methods, to keep cryptographic keys in secure and different environments, to securely log the transaction records of all movements performed on the data, to continuously monitor the security updates of the environments where the data is located, to regularly perform/have the necessary security tests, to record the test results, to provide user authorizations for this software if the data is accessed through software, to regularly perform/have the security tests of this software, to record the test results, and to provide at least a two-stage authentication system if remote access to the data is required.

The physical environment where special personal data is processed, stored and/or accessed is the environment where the special personal data is located, and the appropriate security measures (electrical leakage, fire,

flooding , theft, etc.), and to ensure the physical security of these environments and to prevent unauthorized entry and exit.

8. TRANSFER OF PERSONAL DATA

In order for the Institute to provide the necessary service to the data owner, the transfer/sharing of data related to the data owner and/or third parties indicated by the data owner is necessary within the scope of data processing.

Personal data: The work required for the products and services offered by the Institute to be used is carried out by the business units, and the products and services offered by the institution are recommended by customizing them according to the tastes, usage habits and needs of the customers.

Ensuring the legal and commercial security of the Institute and people who have a business relationship with the Institute (administrative operations for communication carried out by the Institution, ensuring the physical security and control of the locations belonging to the institution, business partner/customer/supplier (authorized persons or employees) evaluation processes, reputation research processes, legal compliance process, auditing, financial affairs, etc.),

It may be transferred to business partners, suppliers, Institution officials, shareholders, affiliates, subsidiaries, legally authorized public institutions and private persons for the purposes of determining and implementing the Institute's commercial and business strategies and ensuring the execution of the institution's human resources policies, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Personal Data Protection Law.

The Institute may transfer the personal data and special personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. In this regard, the Institute acts in accordance with the regulations stipulated in Article 8 of the Personal Data Protection Law.

The Institute applies the exceptions for the transfer process specified in this Policy article, as specified in Article 8, Paragraph 2 of the Personal Data Protection Law.

The provisions of other laws regarding the transfer of personal data are reserved.

8.1. Transfer of Personal Data Domestically

In accordance with the Institute's purposes such as providing better service to personal data owners, meeting their demands more accurately, improving its services and communication, providing customer satisfaction practices and information, and eliminating technical problems, etc., within the scope of data processing activities, it may be necessary to transfer/share data related to the data owner and/or third parties indicated by the data owner with third parties. In this regard, the Institute acts in accordance with the regulations stipulated in Article 8 of the Personal Data Protection Law and the regulations included in this Policy within the scope of the said article. Namely;

Personal data: The work required for the services provided by the Institute to be used is carried out by the business units, and the products and services offered by the Institute are recommended by customizing them according to the tastes, usage habits and needs of the customers,

Ensuring the legal and commercial security of the Institute and the people who have a business relationship with the Institute (administrative operations for communication carried out by the Institute, ensuring the physical security and control of the Institute's locations, business partner/customer/supplier (authorized or employees) evaluation processes, reputation research processes, legal compliance process, auditing, financial affairs) ,

It may be transferred to business partners, suppliers, Institute officials, affiliates, subsidiaries, legally authorized public institutions and private persons for the purposes of determining and implementing the Institute's commercial and business strategies and ensuring the execution of the institution's human resources policies, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Personal Data Protection Law.

8.1.1. Domestic Transfer of Special Personal Data

The Institute may transfer the personal data owner's special data to third parties in line with its legitimate and lawful purposes, by taking the necessary care and security measures and taking the necessary precautions and taking the necessary precautions as prescribed by the Personal Data Protection Board, taking into account the conditions set out in Section 7 of this Policy.

8.2. Transfer of Personal Data Abroad

The Institute may transfer the personal data and special personal data of the personal data owner to third parties by taking the necessary security measures in line with its lawful purposes. Personal data processed by the Institute may be transferred in accordance with Article 9 of the PDP Law, provided that sufficient measures are taken in accordance with Article 5, Paragraph 2 of the PDP Law, if one of the conditions specified in Article 6, Paragraph 3 of the PDP Law is met and if the foreign country to which the personal data will be transferred has been declared by the PDP Board as one of the countries with sufficient protection or, in the absence of sufficient protection, if the data controllers in Turkey and the relevant foreign country undertake in writing to provide sufficient protection and if the PDP Board grants its permission.

8.2.1. Transfer of Special Personal Data Abroad

The Institute may transfer the personal data owner's special data, by showing due care, taking the necessary security measures and taking the sufficient measures prescribed by the Personal Data Protection Board, in line with legitimate and lawful personal data processing purposes, to countries that are declared to have adequate protection or to which adequate protection is undertaken by the data controller located in a foreign country, taking into account the conditions set out in Section 7 of this Policy.

If sensitive personal data needs to be transferred via e-mail, it should be transferred encrypted using a corporate e-mail address or a Registered Electronic Mail (KEP) account; if it needs to be transferred via portable memory, CD, DVD, it should be encrypted using cryptographic methods and the cryptographic key should be kept in a different environment; if the transfer is made between servers in different physical environments, data transfer should be carried out by establishing a VPN between the servers or using the SFTP method; if the data needs to be transferred via paper, necessary precautions and measures should be taken against risks such as theft, loss or viewing of the document by unauthorized persons and the documents should be sent in the format of “classified documents”.

Third Parties to Which Personal Data is Transferred and the Purposes of Transfer

In accordance with Articles 8 and 9 of the Personal Data Protection Law, the Institute may transfer personal data of customers to the following categories of persons:

To the Institute's business partners,

To the institute suppliers,

To the institute affiliates,

To the Institute Shareholders,

Legally Authorized public institutions and organizations,

To legally authorized private law persons,

To other third parties in accordance with the data transfer terms.

The scope of the persons mentioned above as making the transfer and the purposes of data transfer are specified below; In the transfers made by the Institute, the matters regulated in Section 10 of the Policy are acted upon.

Definition of Persons to Whom Data Can Be Transferred

Business Partner

It defines the parties with which the Institute establishes business partnerships for purposes such as the sale, promotion and marketing of the Institute's services, after-sales support, and the execution of member programs while conducting its commercial activities.

Limited to the purpose of ensuring that the purposes for which the business partnership was established are fulfilled, the Supplier

It defines the parties that provide services to our Company on a contractual basis in accordance with the orders and instructions of our Company while carrying out the Institute's commercial activities.

Limited to the purpose of ensuring that the Institute provides the services that are outsourced to the supplier and necessary for the Institute to carry out its commercial activities.

Our Affiliates

Companies in which the Institute is a shareholder

Our Shareholders are limited to ensuring that the Institute conducts its commercial activities that require the participation of its affiliates.

Our shareholders are authorized to design the strategies and audit activities related to the Institute's commercial activities in accordance with the relevant legislation.

Limited to the design of strategies and auditing purposes regarding the Institute's commercial activities in accordance with the relevant legislation.

Legally Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from the Institute in accordance with the relevant legislation. Limited to the purpose requested by the relevant public institutions and organizations within the scope of their legal authority.

Legally Authorized Private Law Persons

Private law persons authorized to receive information and documents from the Institute in accordance with the relevant legislation. Limited to the purpose requested by the relevant private law persons within their legal authority.

9. RIGHTS AND LIABILITIES REGARDING PERSONAL DATA 9.1. Obligation of the Institute to Inform Owners of Personal Data

In accordance with Article 10 of the Personal Data Protection Law, the Institute is obliged to inform personal data owners during the collection of personal data.

In this context, during the collection of personal data, the Institute informs data owners that their personal data will be processed by the Institute, for what purposes their personal data will be processed, to whom and for what purposes the processed personal data can be transferred, the method and legal reasons for collecting personal data, and the rights of the data owner in accordance with Article 11 of the Personal Data Protection Law, and obtains explicit consent.

9.2. Rights of the Personal Data Owner and Application Method

Personal data owners may apply to the Institute in accordance with Article 11 of the Personal Data Protection Law and make the following requests:

To learn whether your personal data is being processed,

To request information regarding personal data processed,

To learn the purpose of processing personal data and whether it is used in accordance with its purpose,

To know the third parties to whom personal data is transferred domestically or abroad,

Request correction of personal data if it is processed incompletely or incorrectly,

Within the scope of Article 7 of the PDP Law, to request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though the data has been processed in accordance with the PDP Law and other relevant laws, and to request that the process carried out within this scope be notified to third parties to whom the personal data has been transferred,

Requesting notification of the operations carried out pursuant to clauses (d) and (e) above to third parties to whom personal data has been transferred,

To object to the emergence of a negative result due to the analysis of processed personal data exclusively by automated systems, and

Requesting compensation for damages in case of damages incurred due to unlawful processing of personal data Personal data owners are required to submit their requests to the Institution “in writing”, by filling out the International Health Safety Environment Institute Data Subject Application Form or by other methods determined by the PDP Board, in accordance with the first paragraph of Article 13 of the PDP Law , regarding the exercise of their rights specified above. The contact addresses are as follows;

Address: Hekimzade Neighborhood, Çınarlıçeşme St. No:5/B Edremit / BALIKESİR

9.3. Cases Excluded from the Rights of the Personal Data Owner

in Article 28, Paragraph 1 of the PDP Law , the provisions of the PDP Law will not be applied; within this scope, it is not possible for personal data owners to assert their rights listed in the PDP Law regarding the personal data processed by the Institute.

in Article 28, Paragraph 2 of the PDP Law, personal data owners cannot assert their other rights listed in the PDP Law, except for the right to demand compensation for damages.

9.4. Personal Data Owner's Right to Apply to the Institute

Personal data owners can submit their requests regarding the use of their rights granted to them by law by filling out the application form available at the Institute's website www.iihse.com and sending it to "[email protected]" with a wet signature or secure electronic signature.

It is not possible for third parties to make a request on behalf of personal data owners, and in order for a third party to make a request, the personal data owner must be authorized by a special power of attorney issued on behalf of the third party who will apply.

9.5. Response by the Institute to Applications of Personal Data Owners

Pursuant to Article 13 of the Personal Data Protection Law; the requests included in the application submitted by the personal data owner in accordance with the procedure set out above will be finalized by the Institute free of charge, as soon as possible and within thirty days at the latest, depending on the nature of the request.

If the procedure requires an additional cost, the Institute may charge the applicant a fee as per the tariff determined by the Personal Data Protection Board. If the application is due to an error on the part of the Institute, the fee will be refunded to the applicant.

The Institute may request information from the relevant person in order to determine whether the applicant is the owner of personal data and to clarify the requests included in the application.

of the Policy and/or with a legally valid notification do not reach the Institute.

The Institute may reject the application of the applicant by explaining the reason in the cases mentioned in Article 28 of the Personal Data Protection Law and in the following cases:

The request of the personal data owner may interfere with the rights and freedoms of other persons.

Requests have been made that require disproportionate effort.

The requested information is publicly available information.

9.6. Personal Data Owner's Right to Complain to the Personal Data Protection Board

The personal data owner may lodge a complaint with the board as specified in Article 14 of the Personal Data Protection Law.

The personal data owner cannot lodge a complaint with the Personal Data Protection Board without exercising the right of application regulated in Article 13 of the Personal Data Protection Law and in section 9.4 of this Policy.

and Administrative Measures Taken to Securely Store Personal Data and Prevent Unlawful Processing and Access

In accordance with Article 12 of the Personal Data Protection Law, the Institute takes all necessary technical and administrative measures to ensure the level of security, and carries out the necessary inspections within this scope or has them carried out within the framework of contracts made with third party companies.

10.1. Confidentiality in the Processing of Personal Data

takes all necessary technical and organizational measures to ensure the confidentiality and security of your special personal data and personal data collected through our websites and/or other applications .

It is prohibited for any employee of the Institute to access these data without authorization, to process these data or to use them for private or commercial purposes, to share these data with unauthorized persons or to make these data accessible by any other means. Employees of the Institute may only access personal data appropriately within the scope and type of their duties. Roles and responsibilities are detailed and separated for this purpose. Any employee of the Institute who is not authorized to process these data within the scope of their legitimate duty is considered an unauthorized transaction.

Managers must inform their employees of the obligation to maintain data confidentiality at the beginning of the employment relationship. This obligation continues after the termination of employment.

10.2. Security in the Processing of Personal Data

Personal data is protected by the Institute against unauthorized access, unlawful data processing or disclosure, and accidental loss, alteration or destruction of data. Your personal data is stored in secure working environments that are not available to the public and can only be accessed by authorized Institute employees (under the Privacy Agreement with our employees), our agents and contractors.

Before accessing personal data, the identity of the data owner whose personal data is stored is verified via the website or application.

This provision shall apply whether data is processed electronically or on paper. Until new data processing methods, in particular new information technology systems, emerge, technical and administrative measures are defined and implemented below to protect personal data. These measures have been designed to take into account the current state of the art technology, data processing risks and the need to protect data.

10.3. Technical Measures

Within the Institute, personal data processing activities and safe storage are carried out with technical systems and technical solution applications are carried out. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

Personnel knowledgeable in technical matters are employed.

Software and hardware including virus protection systems and firewalls are used. For example, Secure Sockets Layer (SSL) encryption is used on online services such as the Institute website and Institute mobile application and on all web pages where personal data is collected. In order to benefit from these services, an SSL-supported browser such as Safari, Firefox, Chrome or Internet Explorer must be used. In this way, the confidentiality of your personal data transmitted over the internet can be protected.

Payment Card System) to ensure data security in card payment systems. Card It complies with the regulations of the Industry Data Security Standard and ensures secure data transmission and processing in card payment systems. The credit card number is encrypted by the Institute's online credit card application and transmitted to the bank and is never shared with third parties. Credit card information is not stored by the Institute.

Backup programs are used in accordance with the law to ensure the safe storage of personal data.

In addition, the data classification system used within the institution is integrated with the data leakage prevention (DLP) system. Thus, all electronic documents containing personal data within the Institute must be classified and their removal outside the institution is kept under control by the DLP system.

10.4. Administrative Measures

Employees are informed and trained about the law on the protection of personal data and the lawful processing of personal data, that they cannot be disclosed to others in violation of the legislation and that they cannot be used for purposes other than those for which they are processed.

Records and commitments are added to the contracts and documents between the Institute and its employees, which impose obligations not to process, disclose or use personal data, except for the Institute's instructions and exceptions provided by law.

Necessary administrative measures are taken to ensure the supervision of employees' compliance with the obligation not to process, disclose or use personal data and to ensure the continuity of the application.

In cases where the Institute receives technical services from third parties regarding the storage of personal data and the persons to whom personal data is transferred in accordance with the law, provisions are added to the contracts concluded with these persons regarding the prevention of the unlawful processing of personal data, prevention of unlawful access to data and ensuring the lawful storage of data, and ensuring that these measures are complied with in their own organizations.

The Institute organizes training and seminars for business partners on preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the preservation of data.

10.5. Conducting Audit Activities

In accordance with Article 12 of the Personal Data Protection Law, the Institute conducts the necessary audits within itself and its business partners or has them conducted within the framework of contracts made with third party companies. The results of these audits are reported to the relevant department within the scope of the internal functioning of the company and the necessary activities are carried out to improve all measures taken.

10.6. Measures to be taken in case of unlawful disclosure of personal data

In case personal data processed in accordance with the PDP Law and relevant legislation are obtained by others through illegal means, the Institute is obliged to do what is specified in accordance with Article 12, Paragraph 5 of the PDP Law; the necessary system is established to ensure that the necessary detection and notification are made.

Following the notification made to the KVK Board, the KVK Board may announce this situation as specified in Article 12, Paragraph 5 of the KVK Law.

11. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Principles Regarding the Lawful Destruction of Personal Data

All operations regarding the deletion, destruction and anonymization of personal data are recorded and the records in question are kept for at least three years, excluding other legal obligations.

The Institute complies with the following principles in the storage and destruction of personal data.

In accordance with law and rules of honesty

Accurate and up to date when necessary

Processing for specified, explicit and legitimate purposes.

c ) Being connected, limited and proportionate to the purpose for which they are processed.

The Institute destroys personal data for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed, for the following reasons;

Expiration of the periods determined by law regarding the storage of personal data

Expiration of the destruction period determined by the Institute

Expiration of the periodic destruction period determined by the Institute

Amendment or repeal of relevant legislative provisions that form the basis for processing personal data

The relevant contract has never been established, the contract is not valid, the contract automatically ends, the contract is terminated or the contract is withdrawn,

Elimination of the purpose requiring the processing of personal data

Processing personal data is against the law or the rule of honesty.

In cases where personal data is processed only on the basis of explicit consent, the person concerned may withdraw his/her consent.

The Institute accepts the application of the relevant person regarding the processing of personal data within the framework of his/her rights,

In cases where the Institute rejects the application made by the relevant person to delete or destroy his/her personal data, the response is found insufficient or does not respond within the period stipulated by law; a complaint should be made to the Personal Data Protection Board and this request should be approved by the Board.

Although the maximum period for which personal data must be stored has passed, there are no circumstances that would justify storing personal data for a longer period.

of the Personal Data Protection Law are eliminated.

11.2. Techniques for Deletion and Destroying Personal Data

Deletion or destruction of personal data is the process of making personal data inaccessible and non-reusable for the relevant users in any way.

The Institute deletes or destroys personal data using the techniques given below.

The Institute takes all necessary technical and administrative measures to ensure that deleted personal data cannot be accessed and reused by the relevant users.

If the deletion of personal data will result in the inability to access and use other data within the system, the Institute will apply the following rules;

Archiving personal data by making it impossible to associate it with the relevant person,

It is not accessible to any other institution, organization and/or person.

Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.

In case of a direct request for deletion by a natural person, the personal data of the relevant person will be deleted from the Institute systems.

Erasure of personal data that forms part of any data recording system and is processed by non-automatic means;

Blacking out unnecessary personal data,

It is carried out by masking unnecessary personal data in paper form that is transferred to electronic media by scanning or without digitization. The above-mentioned deletion conditions are provided by the following methods;

11.2.1. Physical Destruction

Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, a system of physical destruction of personal data is applied in a way that it cannot be used later.

11.2.2. Securely Deleting Software

When data processed by fully or partially automatic means and stored in digital environments is deleted/destroyed, methods are used to delete the data from the relevant software in a way that it cannot be recovered again.

11.2.3. Secure Deletion by Expert

In some cases, the Institute may contract with an expert to delete personal data on its behalf. In this case, the personal data will be securely deleted/destroyed by the expert in this matter in a way that it cannot be recovered again.

11.3. Techniques for Anonymizing Personal Data

Anonymization of personal data is the process of making personal data in a way that it cannot be associated with an identified or identifiable natural person, even if it is matched with other data. The Institute may anonymize personal data if the conditions for processing personal data processed in accordance with the law are no longer present. Thus, anonymized personal data may be processed for purposes such as research, planning and statistics in accordance with Article 28 of the Personal Data Protection Law. Such processing is outside the scope of the Personal Data Protection Law and the explicit consent of the personal data owner will not be required. Since personal data processed by anonymizing will be outside the scope of the Personal Data Protection Law, the rights regulated in Section 9 of this Policy will not apply to this data.

The Institute uses the following techniques to anonymize personal data.

11.3.1. Masking

Data masking is a method of anonymizing personal data by removing the basic identifier information of personal data from the data set. For example, removing information such as name, surname, TR ID Number, etc. that allows the identification of the personal data owner.

11.3.2. Consolidation

With the data aggregation method, many data are aggregated and personal data is rendered incapable of being associated with any person. For example, stating that there are Y customers of X age without specifying their ages

11.3.3. Data Generation

With the data generation method, a more general content is created from the content of personal data and personal data is made in a way that it cannot be associated with any person. For example, age is specified instead of date of birth.

11.3.4. Data Hashing

With the data hashing method, the values in the personal data set are mixed and the connection between the values and the individuals is broken.

11.4. Storage and Destruction Periods of Personal Data and Periodic Destruction Periods

The Institute deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. The time period for periodic destruction is six months. The storage periods for personal data are determined in accordance with the Personal Data Protection Law and business processes.

The KVK Board may shorten the periods specified in this article in case of damages that are difficult or impossible to compensate and in case of a clear violation of the law.

the data owner natural person applies to the Institute pursuant to Article 13 of the Personal Data Protection Law and requests the deletion or destruction of his/her personal data;

If all the conditions for processing personal data are eliminated; the Institute deletes, destroys or anonymizes the personal data subject to the request. The Institute finalizes the request of the natural person who owns the data within thirty days at the latest and informs the natural person who owns the data.

If all the conditions for processing personal data have been eliminated and the personal data in question has been transferred to third parties, the Institute notifies the third party of this situation and ensures that the necessary procedures are carried out by the third party.

If all the conditions for processing personal data have not been eliminated, this request will be processed by the Institute in accordance with the Personal Data Protection Law.

It may be rejected by explaining the reason in accordance with the third paragraph of its article, and the rejection shall be notified to the relevant person in writing or electronically within thirty days at the latest.

11.4.1. Periods for Ex-Officio Deletion, Destruction or Anonymization of Personal Data

The Institute takes into account the following periods within the scope of its obligation to delete, destroy or anonymize personal data:

In the first periodic destruction process following the date on which the obligation arose

Periodic destruction period shall not exceed 180 days in any case.

11.4.2. Periods for Deletion and Destruction of Personal Data in Case of Request by the Relevant Person

the relevant person applies to the Institute and requests the deletion or destruction of his/her personal data;

If all the conditions for processing personal data have been eliminated; the Institute may delete, destroy or anonymize the personal data subject to the request. The Institute will finalize the erasure or destruction requests of the relevant persons within thirty days at the latest.

If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Institute, explaining the reason, and the rejection response shall be sent to the relevant person in writing or electronically within thirty days at the latest.

11.5. Internal Management of Personal Data Processing, Storage and Destruction Processes

In the Institute's compliance process with the provisions of the Personal Data Protection Law and relevant legislation, and in all transactions related to personal data to be carried out after the completion of the compliance process, this Policy and the management of the processes related to this Policy are carried out as follows:

A customer who wants their personal data to be deleted from the Institute's systems can request the deletion of their personal data by applying through the Corporate Website or in person. The request received from all channels is recorded in the call system and the customer is called back by the call center for verification. After it is clarified which of the Institute's systems the Institute member will have their data deleted from, the deletion processes in the relevant systems are run and the customer data is deleted.

12. RECORDING MEDIA

The Institute records and stores personal data, which it processes in accordance with the procedures and principles stipulated in the Personal Data Protection Law and other laws, either fully or partially automatically or non-automatically, provided that it is part of any data recording system, in the Institute's data warehouse.

In accordance with Article 12 of the Personal Data Protection Law, the institution takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities.

Log records related to internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation prepared pursuant to this Law; these records are processed only when requested by authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out within the Institution.

The Institute records the internet movements within the site using technical means (e.g. cookies ) to ensure that visitors to these sites visit the sites in accordance with the purposes of their visit, to be able to show them customized content and to engage in online advertising activities .

Detailed explanations regarding the protection and processing of personal data related to these activities are included in the “International Institute for Health Security Environment Privacy and Data Security Policy” texts of the relevant websites.

Privacy Policy

All documents on the International Institute for Health, Safety and Environment (“Institute”) website are the property of the Institute. No information on this site, including code and software, may be modified, copied, reproduced, republished, uploaded to another computer, posted, transmitted or distributed. Printouts of the website pages may be taken for your personal use.

Although measures have been taken to ensure that the Institute's website is free from viruses and similar software, the user is responsible for providing his/her own virus protection system and ensuring the necessary protection on his/her personal computer in order to ensure ultimate security. In this context, the user accepts that he/she is responsible for all errors that may occur in his/her own software and operating systems and their direct or indirect consequences due to entering the Institute's website.

All information on the Institute's website is for promotional and informative purposes only. The user cannot claim that the ' information ' on the website is incorrect or that he/she has suffered damages based on this information. The user accepts that he/she is responsible for obtaining final and reliable information from the Institute when he/she intends to make a transaction by referring to the information and that the Institute has no responsibility due to the information published on the website being out of date.

The Institute reserves the right to change the content of the site at any time, to change or terminate any service provided to users, and to delete user information and data registered on the Institute's website, at its own discretion. Although every precaution has been taken to ensure that the Institute's website is error-free, the Institute cannot be held responsible for any existing or potential errors on the website.

Due to the nature of the Internet (WWW), information can travel on the Internet without adequate security measures and can be obtained and used by unauthorized persons. The International Institute for Health, Safety and Environment is not responsible for this use and any damages arising from this use.

The Institute has the right to change, renew or cancel any provision of the terms of use of the website without notice. Any changed, renewed or repealed provision will be effective for all users on the date of publication.

This agreement will be executed in accordance with the laws of the Republic of Turkey, without any legal conflict . If any provision of this agreement is illegal, invalid or legally unenforceable for any reason, then that provision will be deemed removable from this agreement and will not affect the validity and legal enforceability of the remaining provisions.

What Information Do We Collect and How?

In our Privacy and Security Policy, information that identifies you personally and/or is used to communicate is defined as personal data. The International Health Safety Environment Institute is very meticulous in protecting the personal data of its members. By visiting our website and/or making online transactions, you accept the following terms: The Institute may collect your personal information such as your name, surname, address, telephone numbers, e-mail addresses, identification information, tickets and travels.

The process of gathering information generally goes as follows:

When you receive service via website, mobile applications, call center,

When you register/member on the website or applications

When you participate in surveys/polls

When you send feedback via the “Write to Us” form

When you enter job-related information (e.g. resume submission, media requests)

Whenever you have any request that requires the entry of personal data

Mobile applications developed by the International Institute for Health, Safety and Environment may automatically collect some information from users. This information;

Mobile phone brand-model,

Your phone's Internet Protocol address (IP),

Your phone's operating system,

It contains location information (based on the permission you have given to use location information on your phone). You can stop this data flow at any time by uninstalling the app from your phone (you can adjust the data collected via your phone from the app settings and permissions section on your phone).

The International Institute for Health Safety Environment social media program covers platforms such as Facebook, Twitter, Youtube, Linkedin , Pinterest and Instagram. Social media content and features used are subject to the privacy policy of the relevant platform. Please read the privacy policies of the companies mentioned (Facebook, Twitter, Youtube, Linkedin , Pinterest and Instagram etc.) to learn about social media privacy policies.

Cookies and Other Technologies

Cookies may be used when collecting data to be processed for the purposes described in our Privacy and Security Policy. Cookies are small text files that are saved on your computer or mobile device when you visit a website and hold various information about your visit. Today, many internet browsers have a cookie blocking mode when visiting websites. If you have activated the cookie blocking mode in your internet browser, you will not be able to benefit from some of the features we have developed for you on our website.

As is true of most websites, some information is collected and recorded automatically, such as Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit pages, operating system, date/time stamp and clickstream data.

Some of our email messages use click-through URLs that link to content on the Institute's website. When customers click on one of these URLs, they pass through a separate web server before reaching the destination page on our website. This click-through data is tracked to determine interest in particular topics and to measure the effectiveness of our customer communications.

How Do We Use the Information We Collect?

This information collected is used to provide you, the service recipient, with better service, product and selection opportunities, to organize our website; to organize your transactions regarding your International Health Safety Environment Institute membership account; to create a database, to receive support from commissions, to receive training, to create and process reports, analysis, verification and statistical information for campaigns and promotions, and to comply with the privacy conditions.

At the same time, this information can be used via e-mail, SMS and telephone to inform you about promotions, campaigns, advertisements, marketing and other opportunities offered by companies and partners we cooperate with. The Institute may share your personal information with other companies it receives service from or cooperates with and/or with judicial and administrative authorities in case of legal obligation, provided that the procedures specified for the purposes specified above and the conditions for ensuring confidentiality are also met.

In addition, your personal and/or demographic information may be used for analysis studies. In this way, the products and services provided to you can be continuously improved, personalized and customized. These include combining, updating or otherwise expanding your personal data collected through our websites and/or applications with data obtained from external sources or third parties.

The Institute may share cumulative (aggregate) customer statistics with third parties such as business partners (including investors) and the press, without including individual personal data.

Accessing and Updating Information

By accessing your account from our websites and/or applications, you can ensure that your contact information, preferences and other personal data are accurate, complete and up-to-date. If this information is incomplete or incorrect, the necessary process will be carried out for you to update or delete it (unless we need to keep it for a valid business-related or legal purpose). You can use the International Health Safety Environment Institute membership page, this link or our service below to query your information registered in our database or to correct/update your personal data:

Our Call Center: +90 551 052 00 33

Exit from the Information and Announcement List

If you do not want to be included in our announcement and information list, you can leave at any time by updating your preferences. You have the authority to access and control commercial-electronic messages sent by the Institute for notification and communication purposes. If you do not want us to contact you while your membership to our services continues, you can use your "CANCEL" right in digital media and cancel by contacting our call center. You will not be contacted until you receive a confirmation that invalidates this. If you want to stop using our services and choose to leave your membership, you can call our customer service line.