Personal Data Protection and Processing Policy
SECTION ONE
Introduction, Purpose, Scope and Definitions
1. Introduction
Turkish Petroleum Offshore Technology Center Joint Stock Company (“TP-OTC”) attaches great importance to the protection of privacy and the safeguarding of fundamental rights and freedoms, guaranteed by the Constitution of the Republic of Türkiye, in relation to the security and processing of personal data.
2. Purpose and Scope
The primary purpose of the TP-OTC Personal Data Protection and Processing Policy (the “Policy”) is to provide explanations, in line with the principles adopted, regarding the activities carried out by TP-OTC for the protection and processing of personal data in compliance with the Personal Data Protection Law No. 6698 (the “Law”). The Policy also aims to remind data subjects whose personal data are processed within this scope of the rights granted to them under the Law and to provide the necessary information in this regard.
Within TP-OTC, the procedures related to the matters outlined in this Policy are established; information notices compatible with the Personal Data Processing Inventory are prepared; personal data protection and confidentiality agreements are signed with TP-OTC employees and third parties; job descriptions are updated; and the administrative and technical measures necessary for data security are implemented. In this context, the required audits are conducted and commissioned.
This Policy has been drawn up in relation to all personal data of our current employees, employee candidates, visitors and third parties with whom we cooperate, which are processed by automated means or, provided that they form part of any data recording system, by non-automated means, and shall be applied with respect to such persons.
3. Definitions
Explicit Consent: Consent that is specific to the matter, informed and given of free will,
Data Subject: The natural person whose personal data is processed,
Law: Law No. 6698 on the Protection of Personal Data,
Personal Data: Any information relating to an identified or identifiable natural person,
Personal Data Processing Inventory: The inventory created by data controllers by associating their personal data processing activities conducted in connection with their business processes with the purposes and legal grounds for processing personal data, the data category, the recipient group to whom data are transferred, and the group of data subjects, and which details the maximum period required for the retention of personal data for the purposes for which they are processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security,
Anonymisation of Personal Data: Rendering personal data incapable of being associated with an identified or identifiable real person under any circumstances, even by matching with other data,
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganising, disclosing, transferring, taking over, making retrievable, classifying or preventing the use thereof, wholly or partly by automated means or, provided they form part of a data recording system, by non-automated means,
Deletion of Personal Data: Rendering personal data inaccessible and non-reusable for relevant users,
Destruction of Personal Data: Rendering personal data inaccessible, non-recoverable and non-reusable by anyone,
Board: The Personal Data Protection Board,
Authority: The Personal Data Protection Authority,
Special Categories of Personal Data: Data relating to persons’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Policy: The TP-OTC Personal Data Protection and Processing Policy,
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
SECTION TWO
General Principles
4. Application of the Policy and Relevant Legislation
The legal regulations in force regarding the processing and protection of personal data shall primarily apply. In the event of any inconsistency between the legislation in force and the Policy, TP-OTC accepts that the legislation in force shall prevail.
5. For What Purposes We Process Your Personal Data
Conduct of Emergency Management Processes
Conduct of Information Security Processes
Conduct of Employee Candidate / Intern / Scholarship Processes
Conduct of Application Processes for Employee Candidates
Fulfilment of Obligations Arising from Employment Contracts and Legislation for Employees
Determination of Equipment to be Provided to Employees
Conduct of Training Activities
Management of Access Authorisations
Conduct of Finance and Accounting Affairs
Ensuring Physical Space Security
Monitoring and Conduct of Legal Affairs
Conduct of Internal Audit / Investigation / Intelligence Activities
Conduct of Communication Activities
Planning of Human Resources Processes
Conduct of Occupational Health / Safety Activities
Conduct of Performance Evaluation Processes
Conduct of Retention and Archiving Activities
Conduct of Travel Organisations
Conduct of Contractual Processes
Conduct of Insurance Processes
Work and Residence Permit Procedures for Foreign Personnel
Provision of Information to Authorised Persons, Institutions and Organisations
Creation and Monitoring of Visitor Records
Other Activities That May Subsequently Fall Within Our Personal Data Processing Purposes
6. Matters Relating to the Protection of Personal Data
Pursuant to Article 12 of the Law, TP-OTC is obliged to take the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to such data and to ensure the safekeeping of the data, and to carry out or have carried out the necessary audits within this scope.
In line with the guidelines published by the Personal Data Protection Board (“Board”), TP-OTC takes the necessary technical and administrative measures within its own organisation to ensure an appropriate level of security and carries out or commissions the relevant audits.
6.1 Technical and Administrative Measures
Network and application security are ensured.
A closed system network is used for personal data transfers over the network.
Security measures are taken in the procurement, development and maintenance of information technology systems.
Necessary authorisation and role allocations exist for access to our information systems.
Employees sign confidentiality agreements; a disciplinary process is implemented, in accordance with the TP-OTC Human Resources Directive, for employees who do not comply with security policies and procedures.
Access logs are kept regularly.
Accesses are recorded, and inappropriate access is kept under control.
Data masking measures are applied when necessary.
Authorisations in this area are revoked for employees who change roles or leave employment.
Up-to-date anti-virus systems are used.
Security vulnerabilities are monitored, appropriate security patches are installed, information systems are kept up to date, strong passwords are used in electronic media where personal data is processed, secure logging systems are used, and backup programmes that ensure the secure storage of personal data are used.
Firewalls are used.
Executed contracts include data security provisions.
Necessary measures are taken for the physical security of TP-OTC information systems equipment, software and data; risks are identified in order to prevent unlawful processing, and technical measures appropriate to these risks are taken. Necessary security measures are taken with regard to entries to and exits from physical environments containing personal data.
The security of environments containing personal data is ensured.
Personal data are backed up and the security of backed up personal data is ensured.
Backup applications entirely closed to external environments, with the required encryption standards for the secure storage of personal data in electronic media, are used.
A user account management and authorisation control system is implemented and monitored. Log records are kept in a manner that prevents user intervention.
Secure encryption/cryptographic keys are used for special categories of personal data.
Intrusion detection and prevention systems are used.
For server room security, the cabinets in which servers are located are kept locked.
Cyber security measures have been taken and their implementation is monitored continuously.
The information network on which our systems are located is protected against external access to the highest security standards.
The main system room where our servers are located has a gas-type fire extinguishing system and climate control system.
Our servers are protected by redundant software and physical firewalls; server-specific anti-virus software, logging software that logs all activities, and a two-factor authentication system for server access are in place, and there is a specific authorisation and role allocation for server access.
All of our information systems are regularly tested through penetration tests, and where any vulnerability is identified, remedial measures are taken and the system is isolated from external access.
All our information systems operate redundantly.
Data loss prevention software is used.
7. Provisions on the Processing of Personal Data
TP-OTC carries out personal data processing activities in compliance with Article 20 of the Constitution and Article 4 of the Law, in accordance with the law and the principle of good faith, ensuring that personal data are accurate and, where necessary, kept up to date, processed for specific, explicit and legitimate purposes, and are relevant, limited and proportionate to the purposes for which they are processed, and it retains personal data for the period stipulated in the legislation or required for the purpose of processing.
Pursuant to Article 20 of the Constitution and Article 5 of the Law, TP-OTC processes personal data on the basis of one or more of the conditions set out in Article 5 of the Law regarding the processing of personal data.
In accordance with Article 20 of the Constitution and Article 10 of the Law, TP-OTC informs data subjects and, where data subjects request information, provides them with the necessary information.
In line with Article 6 of the Law, TP-OTC acts in compliance with the regulations laid down regarding the processing of special categories of personal data.
In accordance with Articles 8 and 9 of the Law, TP-OTC complies with the provisions set forth in the Law and by the Board regarding the transfer of personal data.
7.1 Processing in Compliance with Law and the Principle of Good Faith
In processing personal data, TP-OTC acts in accordance with the principles introduced by legal regulations and with the general principle of trust and good faith. In this context, TP-OTC considers the principle of proportionality in the processing of personal data and does not use personal data for purposes other than those specified.
7.2 Ensuring Personal Data Is Accurate and, Where Necessary, Up to Date
Considering the fundamental rights of data subjects and its own legitimate interests, TP-OTC ensures that the personal data it processes are accurate and, where necessary, kept up to date, and takes the necessary measures in this regard.
7.3 Processing for Specific, Explicit and Legitimate Purposes
TP-OTC clearly and precisely identifies the legitimate and lawful purpose of processing personal data. TP-OTC processes only the personal data that is relevant and necessary to the service it provides.
7.4 Relevant Processing, Limited and Proportionate to the Purpose
TP-OTC processes personal data in a manner suitable for achieving the purposes identified and pays maximum attention to not processing personal data that are not related to or not needed for the realisation of the purpose.
7.5 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed
TP-OTC retains personal data only for the period stipulated in the relevant legislation or required for the purposes for which they are processed. In this context, TP-OTC first determines whether a retention period has been prescribed for personal data in the relevant legislation; if a period has been determined, it acts in compliance with such period, and if no period has been determined, it retains the personal data for as long as is necessary for the purposes for which they are processed. Upon expiry of the period or elimination of the reasons requiring their processing, the personal data are erased, destroyed or anonymised by TP-OTC.
8. Method of Collecting Personal Data
Personal data are collected by TP-OTC via e-mail, fax, career websites, social media, printed forms, consultancy firms, camera recordings and other channels. In light of the principles set out in Article 4(2) of the Law, personal data may be processed and transferred with explicit consent, or, in the presence of the circumstances set out in Article 5(2) and Article 6(3), without obtaining explicit consent.
9. Transfer of Personal Data
In line with its lawful purposes of processing personal data and by taking the necessary security measures, TP-OTC may transfer the personal data and special categories of personal data of data subjects to third parties in accordance with Article 8 of the Law. In the common database established by TP-OTC, personal data may be stored, processed, used and transferred by TP-OTC and/or by the data processor appointed by TP-OTC.
Provided that the protection of personal data is ensured, such data may, where necessary and/or upon the request of the Personnel, be transferred to third parties to whom TP-OTC provides or from whom it receives services, to group companies, shareholders, subsidiaries and affiliates, and to banks and institutions, and the personal data may also be processed by such companies, banks, institutions and organisations.
Personal data lawfully processed by TP-OTC may be disclosed and transferred to companies from which support services are obtained, to independent audit firms and, due to various legal obligations, to other third parties for the purpose of carrying out its activities.
For all of these purposes, the Personnel may be contacted from within Türkiye and from abroad by means of text message, telephone, internet, e-mail and other communication methods.
In order to meet security, statutory, regulatory and 27001 Information Security Management System requirements, TP-OTC may, by means of CCTV systems, record images of the Personnel in indoor and outdoor areas throughout the time they spend at the workplace.
10. Deletion, Destruction and Anonymisation of Personal Data
Personal data processed within the scope of the Law are automatically erased, destroyed or anonymised upon expiry of the retention periods stipulated in the applicable legislation. In addition, where the reasons requiring their processing cease to exist, personal data are erased, destroyed or anonymised by TP-OTC, either on its own initiative or upon the request of the Data Subject.
11. Rights of Personal Data Subjects
11.1 Rights of the Data Subject
To learn whether personal data are processed,
If personal data have been processed, to request information regarding this,
To learn the purpose of processing personal data and whether they are used in accordance with the purpose of processing,
To know the third parties to whom personal data are transferred domestically or abroad,
To request the correction of personal data if they have been processed incompletely or inaccurately,
To request the deletion or destruction of personal data under the conditions stipulated in the relevant legislation,
To request that the correction, deletion and destruction operations carried out in accordance with the legislation be notified to third parties to whom personal data have been transferred,
To object to any result to the detriment of the person concerned that arises from the analysis of processed data exclusively through automated systems,
To request the compensation of damages in case of suffering damage due to the unlawful processing of personal data.
11.2 Circumstances Where the Data Subject May Not Assert Their Rights
Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that the data are not given to third parties and data security obligations are complied with,
Processing of personal data for purposes such as research, planning and statistics, by anonymising them with official statistics,
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorised by law to ensure national defence, national security, public security, public order or economic security,
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, adjudication or execution procedures.
Pursuant to Article 28/2 of the Law, in the cases listed below, data subjects may not exercise the other rights set out in Article 11.1 of this Policy, except for the right to claim compensation for damages:
Where the processing of personal data is necessary for the prevention of crime or for criminal investigation,
Processing of personal data made public by the data subject himself/herself,
Where the processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organisations and professional organisations in the nature of public institutions, based on the authority granted by law,
Where the processing of personal data is necessary to protect the State’s economic and financial interests concerning budgetary, tax, and financial matters.
11.3 Procedure and Time Limit for Responding to Applications
Data subjects may submit their applications regarding the rights set out under Section 11.1 of this Policy by completing the Data Subject Application Form available at www.tp-otc.com and, together with documents proving their identity, delivering it in writing by hand to the address “Finanskent Mah. Finans Cad. No: 4 İç Kapı No: 11 Ümraniye/İstanbul” or by sending it electronically to kvkk@tp-otc.com. TP-OTC will conclude application requests free of charge, in accordance with Article 13 of the Law, as soon as possible and in any case within a maximum of thirty (30) days, depending on the nature of the request. However, if the transaction requires any additional cost, the fee set out in the tariff determined by the Board may be charged. If the request is rejected, the reason(s) for rejection will be notified to the data subjects in writing or electronically together with their justifications.
11.4 Information That May Be Requested from the Data Subject Submitting the Application
TP-OTC may request information from the relevant person in order to determine whether the person submitting the application is the data subject. In order to clarify the matters set out in the data subject’s application, TP-OTC may address questions to the data subject regarding their application.
11.5 TP-OTC’s Right to Reject the Data Subject’s Application
Processing of personal data for purposes such as research, planning and statistics, by anonymising them with official statistics,
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorised by law to ensure national defence, national security, public security, public order or economic security,
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, adjudication or execution procedures,
Where the processing of personal data is necessary for the prevention of crime or for criminal investigation,
Processing of personal data made public by the data subject himself/herself,
Where the processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organisations and professional organisations in the nature of public institutions, based on the authority granted by law,
Where the processing of personal data is necessary to protect the State’s economic and financial interests with regard to budgetary, tax and financial matters,
Where the data subject’s request may hinder the rights and freedoms of others,
Where disproportionate effort is required,
Where the requested information is public information,
Where one of the circumstances excluded from scope under the Law exists.
SECTION THREE
12. Other Provisions
This Policy is published on the TP-OTC website at www.tp-otc.com and is thereby disclosed to the public.
This Policy shall be updated in the event of changes made to the Law, decisions of the Board and/or where required by changes and developments in the sector, and/or as needed. You may send any questions and opinions regarding this policy to kvkk@tp-otc.com.
13. Entry into Force
This Policy shall enter into force on the date on which it is approved by the TP-OTC Board of Directors.
14. Execution
The provisions of this Policy shall be executed by the TP-OTC Board of Directors.