Mata Mimarlık | Personal Data Protection and Processing Procedure

Personal Data Protection and Processing Procedure

Personal Data Protection and Processing Procedure

PURPOSE AND SCOPE

As Mata Mimarlık, we attach the utmost importance to the protection of personal data, which is a constitutional right, of all real persons with whom we come into contact during our activities, including but not limited to our customers, employees, employee candidates, company shareholders, company officials, visitors and business partners, and to comply with the regulations in the Personal Data Protection Law No. 6698.

In this respect, as Data Controller, we take all necessary technical and administrative measures to prevent unlawful processing of personal data, unlawful access to this data and to ensure the protection of personal data.

As Mata Mimarlık, with this Procedure for the Protection and Processing of Personal Data, we aim to inform you about our processes and systems for the collection, use, processing, transfer and storage of personal data and our basic principles.

2. DEFINITIONS

Data Controller	:	Mata Architecture
Explicit Consent	:	Consent based on information on a specific subject and freely given with informed consent.
Anonymization	:	Rendering personal data unable to be associated with an identified or identifiable natural person, even when matched with other data.
Application Form	:	The “Application Form Regarding Applications to be Made to the Data Controller by the Relevant Person (Data Subject) in Accordance with the Law No. 6698 on Protection of Personal Data” containing the application to be made by data subjects to exercise their rights.
Employee	:	Staff of Mata Architecture.
Job Applicant	:	Individuals who have applied for a job with Mata Architecture through any means or have submitted their resume and relevant information for review by our company.
Destruction	:	Deletion, destruction, or anonymization of personal data.
Business Partner	:	Parties with whom Mata Architecture forms partnerships for various projects or to obtain services while conducting its commercial activities.
Law/GDPR	:	Law No. 6698 on Protection of Personal Data
Personal Data	:	Any kind of information related to an identified or identifiable natural person.
Processing of Personal Data	:	Any operation performed on personal data, whether by automated means or not, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, retrieval, classification, or use of data.
Deletion of Personal Data	:	The deletion of personal data, making personal data inaccessible and unusable for the relevant users.
Destruction of Personal Data	:	The destruction of personal data, making personal data inaccessible, irretrievable, and unusable by anyone.
Anonymization of Personal Data	:	Making personal data unable to be associated with an identified or identifiable natural person, even when matched with other data.
Board	:	Personal Data Protection Board
Institution	:	Personal Data Protection Authority
Customer	:	Individuals from whom personal data is obtained through Mata Architecture’s business units’ operations, regardless of whether there is a contractual relationship with Mata Architecture.
Special Categories of Personal Data	:	Data related to individuals’ race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation, or union membership, health, sex life, criminal conviction, and security measures, as well as biometric and genetic data.
Periodic Destruction	:	The deletion, destruction, or anonymization process that will be carried out periodically at intervals as specified in the personal data storage and destruction policy when all the processing conditions of personal data specified in the law cease to exist.
Procedure	:	The procedure prepared by Mata Architecture in accordance with the Law for the protection and processing of personal data.
Company Shareholder	:	Individual shareholders of Mata Architecture
Company Representative	:	Members of the board of partners of Mata Architecture and other authorized individuals.
Supplier	:	Parties providing services to Mata Architecture in compliance with Mata Architecture’s orders and instructions, on a contractual basis.
Data Processor	:	Natural or legal person processing personal data on behalf of the data controller based on the authorization granted by them.
Data Recording System	:	The system where personal data is structured and processed according to certain criteria.
Data Controller	:	Natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Subject/Related Person	:	The natural person whose personal data is processed.
Regulation	:	Regulation on Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017.
Visitor	:	Individuals who have entered the physical premises where Mata Architecture operates or visited our websites for various purposes.

3. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

3.1. GENERAL PRINCIPLES

Article 20/III of the Constitution guarantees the protection of personal data by stating that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. In line with this right granted to personal data owners, Mata Mimarlık processes personal data in accordance with the principles specified in the relevant legislation or in accordance with the following principles in cases where the person has explicit consent:

3.1.1. Processing in accordance with the Law and the Rule of Honesty:

Mata Mimarlık acts in accordance with all legal regulations and the rule of honesty in the processing of Personal Data.

3.1.2. Ensuring that Personal Data is Accurate and Updated When Necessary

Necessary measures are taken to ensure that the Personal Data processed by Mata Mimarlık is accurate and in accordance with the current situation and the necessary opportunities are provided to the Data Owners by informing them in order to ensure that the data being processed reflect the actual situation.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes

Mata Mimarlık clearly and precisely determines the legitimate and lawful purpose of personal data processing. Mata Mimarlık processes personal data in connection with and to the extent necessary for the commercial activities it carries out.

3.1.4. Being Relevant, Limited and Proportionate to the Purpose of Processing

Mata Mimarlık processes Personal Data in a manner that is conducive to the achievement of the specified purposes and is responsible for the processing of Personal Data that is not related to the achievement of the purpose or is not needed avoids.

3.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

Personal data processed by Mata Mimarlık are retained only for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed. In this context, Mata Mimarlık complies with this period if there is a period stipulated in the relevant legislation for the storage of data; if there is no such period, it retains the data only for the period required for the purpose for which they are processed.

3.2. PROCESSING PURPOSES OF PERSONAL DATA

Your Personal Data obtained by Mata Architecture may be processed within the scope described below:

Ensuring the fulfillment of legal obligations as required or mandated by legal regulations,
Provision of software services and other outsourcing services for operational activities,
Conducting necessary studies by relevant departments for the fulfillment of commercial activities specified in the Mata Architecture main contract in accordance with legislation and Mata Architecture policies, and conducting activities accordingly,
Determining, planning, and implementing Mata Architecture’s short, medium, and long-term commercial policies,
Customizing the service products and projects offered by Mata Architecture according to the preferences, usage habits, and needs of relevant individuals, and providing information about products, services, and projects,
Providing effective customer service,
Provision of services and offers,
Providing information about any kind of promotions, campaigns, and draws,
Conducting all kinds of marketing and advertising activities,
Identifying visitor profiles,
Ensuring Mata Architecture’s commercial reliability,
Responding to and resolving requests, demands, and complaints,
Providing support services to Customers and Visitors within the scope of the contract and service standards,
Conducting market research and statistical studies,
Establishing contact with individuals in business relationship with Mata Architecture,
Marketing, compliance management, vendor/supplier management,
Planning, auditing, and executing information security processes,
Establishing and managing information technology infrastructure,
Planning and executing access authorizations of employees to Data Subject information,
Tracking financial and/or accounting transactions, including invoicing,
Tracking legal affairs,
Planning and executing corporate communication activities,
Ensuring the accuracy and currency of data.

3.3. CONDITIONS OF PROCESSING PERSONAL DATA

The conditions for processing personal data are regulated by the Law and personal data are processed by Mata Mimarlık in accordance with the conditions stated below.

Except for the exceptions listed in the Law, Mata Mimarlık processes personal data only by obtaining the explicit consent of the data subjects. In the presence of the following cases listed in the Law, personal data can be processed even without the explicit consent of the data owner.

It is explicitly stipulated in the laws,
It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation,
It has been made public by the data subject himself/herself,
Data processing is mandatory for the establishment, exercise or protection of a right
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.4. MEASURES FOR THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, Mata Mimarlık takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.

In this context, necessary (a) administrative and (b) technical measures should be taken by Mata Mimarlık, (c) an audit system should be established within the Company and (d) in case of unlawful disclosure of personal data, measures stipulated in the KVK Law should be taken. Mata Mimarlık takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and implementation cost.

3.4.1. Technical Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data and to Store Personal Data in a Secure Environment

Regarding the protection of personal data, technical measures should be taken to the extent that technology allows, and the measures taken should be periodically updated and renewed.
Specialized personnel should be employed in technical matters.
Regular audits should be conducted for the implementation of the measures taken,
Software and hardware should be installed to ensure security,
Authorization to access personal data processed by Mata Mimarlık should be limited to the relevant company employee in line with the determined processing purpose.

3.4.2. Administrative Measures Taken to Ensure Lawful Processing of Personal Data, Prevent Unauthorized Access to Personal Data, and Secure Storage of Personal Data

Mata Architecture informs and educates its employees regarding the protection of personal data law.

Contracts concluded with individuals to whom personal data is lawfully transferred by Mata Architecture include provisions stating that these individuals will take necessary security measures for the protection of personal data and ensure compliance with these measures within their organizations.

The processes carried out by Mata Architecture should be thoroughly examined, and the personal data processing activities carried out within the scope of these processes should be identified for each unit. In this context, steps to ensure compliance of the data processing activities with the personal data processing conditions envisaged in the Law on the Protection of Personal Data should be determined.

Mata Architecture should identify the practices that need to be fulfilled for legal compliance according to company structures and establish necessary administrative measures, internal policies, and training to ensure the audit and continuity of these practices.

Contracts and documents governing the legal relationship between Mata Architecture and its employees include records imposing obligations on not processing, disclosing, or using personal data except for Mata Architecture’s instructions and exceptions provided by law. Employees are made aware of these obligations, and inspections are carried out in this regard.

Employees are informed that they cannot disclose personal data they have learned in violation of the Law on the Protection of Personal Data to others, cannot use it for purposes other than processing, and that this obligation will continue even after they leave their positions. Necessary commitments are obtained from them in this regard.

3.4.3. Audit Activities of Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the KVK Law, Mata Mimarlık conducts or has the necessary audits of the technical and administrative measures taken within the scope of protecting and securing personal data. The results of this audit are reported to the relevant unit within the scope of the internal functioning of Mata Mimarlık and necessary activities are carried out to improve the measures taken.

3.5. PROCESSING CONDITIONS OF SPECIAL CATEGORIES OF PERSONAL DATA

Mata Mimarlık shows special sensitivity in the processing of Personal Data of Special Nature, which is believed to be more critical for the Data Owner in various respects.

In Article 6 of the Law, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as “special quality”. These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Sensitive Personal Data is processed by Mata Mimarlık in accordance with the Law, provided that adequate measures to be determined by the Board are taken, in the presence of the following conditions:

If the Data Owner has explicit consent or
If the Data Owner does not have explicit consent;

(i) Sensitive personal data other than the health and sexual life of the Data Owner, in cases stipulated by law,

(ii) Special categories of personal data relating to the health and sexual life of the Data Subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing,

by persons or authorized institutions and organizations under the obligation of secrecy.

3.6. MEASURES FOR THE PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Mata Mimarlık, as the data controller, takes the following measures in accordance with the Board’s decision dated 31.01.2018 and numbered 2018/10 in the processing of Special Categories of Personal Data under Article 6 of the Law:

3.6.1. For Employees involved in the processing of sensitive personal data,

Regular trainings are provided on the Law and related regulations and Special Categories of Personal Data security issues,
Confidentiality agreements are in place,
The scope and duration of authorization of users authorized to access data are clearly defined,
Periodic authorization checks are carried out,
The authorizations of Employees who change their duties or leave their jobs are immediately removed. In this context, the inventory allocated to him/her by the Data Controller is returned.

3.6.2. If the media where Special Categories of Personal Data are processed, stored and/or accessed are electronic media,

Personal Data is stored using cryptographic methods,
Cryptographic keys are kept in secure and discrete environments,
Transaction records of all actions performed on Personal Data are securely logged,
The security updates of the environments where Personal Data are stored are constantly monitored, necessary security tests are regularly performed/conducted, and test results are recorded,
If Personal Data is accessed through a software, user authorizations of this software are made, security tests of these software are regularly performed / made, and test results are recorded,
If remote access to Personal Data is required, at least a two-step authentication system is provided.

3.6.3. If the environments where Sensitive Personal Data are processed, stored and/or accessed are physical environments;

Adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where Sensitive Personal Data is located,
Unauthorized entry and exit are prevented by ensuring the physical security of these environments.

3.6.4. If Special Categories of Personal Data are to be transferred,

If it is necessary to transfer Personal Data via e-mail, it is transferred encrypted with a corporate e-mail address or using a Registered Electronic Mail (KEP) account,
If it needs to be transferred via media such as Portable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on different media,
If transferring between servers in different physical environments, data transfer is performed by setting up a VPN between servers or by FTP method,
If it is necessary to transfer Personal Data via paper media, necessary measures are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in “Confidential” format.
In addition to the above-mentioned measures, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.

3.7. PROCESSING OF SECURITY VIDEO RECORDINGS AND WEBSITE VISITOR DATA

3.7.1. Processing of Security Video Recordings Data

In order to ensure security, Mata Mimarlık stores personal data and processes it when necessary in accordance with the provisions of the Law and other legislation and the principles in the Procedure in order to monitor entrances and exits with security cameras in the company headquarters, all buildings and facilities.

3.7.2. Processing of Website Visitor Data

On the websites owned by Mata Mimarlık; In order to ensure that the people who visit these sites perform their visits on the sites in accordance with their visit purposes; In order to show them customized content and to carry out online advertising activities, their internet movements within the site are recorded by technical means (such as Cookies-cookie) (” Cookie Policy “). Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by Mata Mimarlık are included in the Procedure text.

3.8. TRANSFER OF PERSONAL DATA

Mata Mimarlık may transfer the Personal Data and/or Sensitive Personal Data of the Data Owner to third parties by taking the necessary security measures in line with the purposes of data processing. Accordingly, Mata Mimarlık may transfer personal data to third parties in the presence of one of the processing conditions specified in this Procedure and the following conditions.

If the Data Owner has explicit consent,
If there is a clear regulation in the laws regarding the transfer of Personal Data,
If it is mandatory for the protection of the life or physical integrity of the Data Owner or someone else and the Data Owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for Mata Mimarlık to fulfill its legal obligation,
If the Personal Data has been made public by the Data Subject,
If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,
If personal data transfer is mandatory for the legitimate interests of Mata Mimarlık, provided that it does not harm the fundamental rights and freedoms of the Data Owner.

3.9. TRANSFER OF PERSONAL DATA ABROAD

In line with the legitimate and lawful Personal Data processing purposes, Mata Mimarlık will be able to transfer the personal data of the Data Owner to foreign countries where the data controller has adequate protection or undertakes adequate protection in the presence of one of the following situations, if the Data Owner has explicit consent or, if the Data Owner does not have explicit consent:

If there is a clear regulation in the laws regarding the transfer of Personal Data,
If it is mandatory for the protection of the life or physical integrity of the Data Owner or someone else and the Data Owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for Mata Mimarlık to fulfil its legal obligation,
If the Personal Data has been made public by the Data Subject,
If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,
If personal data transfer is mandatory for the legitimate interests of Mata Mimarlık, provided that it does not harm the fundamental rights and freedoms of the Data Owner.

3.10. TRANSFER OF SPECIAL CATEGORY PERSONAL DATA ABROAD

Mata Architecture, with due care, taking necessary security measures and adequate precautions envisaged by the Board, can transfer the Special Category Personal Data of the Data Subject to foreign countries where there is a data controller with sufficient protection or who undertakes to provide adequate protection for the legitimate and lawful purposes of Personal Data processing as follows:

If the Data Subject has explicit consent; or
If the Data Subject does not have explicit consent:

(i) Special category personal data other than the Data Subject’s health and sexual life, in cases envisaged by laws,

(ii) Special category personal data concerning the Data Subject’s health and sexual life are processed by persons or authorized institutions and organizations under the obligation of secrecy, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

PRINCIPLES REGARDING THE STORAGE PERIODS OF PERSONAL DATA

Personal data is stored by Mata Architecture for the periods prescribed by the relevant legislation and in accordance with legal obligations. If there is no period regulated in the legislation regarding how long personal data should be stored, the personal data is processed for the duration required by Mata Architecture’s practices and commercial customs related to the activity carried out by Mata Architecture when processing that data, then it is deleted, destroyed, or anonymized. Personal data whose processing purpose has ended and personal data requested to be deleted/anonymized by the data subjects are stored only if necessary for providing evidence in possible legal disputes or for asserting or defending the related right dependent on personal data when the storage periods determined by the relevant legislation and Mata Architecture are over. Mata Architecture bases its determination of personal data retention periods on the limitation periods envisaged in the relevant legislation. Accordingly, only limited persons are allowed to access the stored personal data for use in relevant legal disputes, and access for any other purpose is prohibited. At the end of this period, personal data is deleted, destroyed, or anonymized.

5. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although Personal Data has been processed in accordance with Article 7 of the Law and Article 138 of the Turkish Penal Code and the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code, in the event that the reasons requiring its processing disappear, it is deleted, destroyed or anonymized by Mata Mimarlık ex officio or upon the request of the personal data owner.

6. OBLIGATIONS AND RIGHTS

6.1. MATA ARCHITECTURE’S OBLIGATION OF DISCLOSURE AND INFORMATION

In accordance with Article 10 of the Law, Mata Mimarlık enlightens Data Subjects during the acquisition of personal data. In this context, Mata Mimarlık;

The identity of the Data Controller and its representative, if any,
The purpose for which Personal Data will be processed,
To whom and for what purpose the processed Personal Data may be transferred,
The method and legal reason for collecting Personal Data
It informs the Data Subject about the rights of the Data Subject.

Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, “requesting information” is also listed among the rights of the personal data owner in Article 11 of the Law. In this context, Mata Mimarlık provides the necessary information in case the Data Owner requests information in accordance with Article 20 of the Constitution and Article 11 of the Law. You can find detailed information on this subject from the Rights of the Data Subject section of the Procedure and the Clarification text.

6.2. RIGHTS OF THE DATA SUBJECT

Data Subjects have the following rights:

To learn whether their personal data is being processed by Mata Architecture,
If personal data is processed by Mata Architecture, to request information about this data processing activity,
If personal data is processed by Mata Architecture, to learn the purpose of the personal data processing activity and whether it is being used for its intended purpose,
If personal data is transferred to third parties domestically or abroad, to request information about these third parties,
To request the correction of personal data if it is incomplete or incorrect,
If personal data processed by Mata Architecture is incomplete or incorrect, to request that this situation be notified to the third parties to whom the personal data has been transferred,
If the reasons requiring the processing of personal data no longer exist, to request the deletion, destruction, or anonymization of the personal data, even if it has been processed in accordance with the Law and other relevant legislation,
If the reasons requiring the processing of personal data no longer exist, to request that this situation be notified to the third parties to whom the personal data has been transferred,
If personal data processed by Mata Architecture is analyzed exclusively through automated systems and as a result of this analysis, if the data subject (Data Subject) believes that adverse results have emerged, to object to these results,
To request compensation for any damages incurred due to the unlawful processing of personal data.

Data Subjects may submit their requests regarding the implementation of the Law to Mata Architecture in writing, using the “Application Form for Data Subjects (Data Subject) to Data Controller in accordance with the Law No. 6698 on the Protection of Personal Data,” and through other methods determined by the Board.

Sure, here is the translation without altering the HTML tags:

6.3. EXCEPTIONS

Under Article 28 of the Law, since the following cases are excluded from the scope of the Law, Data Subjects cannot assert their rights as stated above:

The processing of personal data by natural persons exclusively for themselves or for activities related to family members living in the same household, provided that the data is not transferred to third parties and the obligations regarding data security are complied with.
The processing of personal data for research, planning, and statistical purposes by anonymizing them through official statistics.
The processing of personal data for artistic, historical, literary, or scientific purposes or for freedom of expression purposes, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime.
The processing of personal data by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security through preventive, protective, and intelligence activities.
The processing of personal data by judicial authorities or enforcement authorities concerning investigation, prosecution, trial, or execution procedures.
The obligation of Mata Architecture for disclosure does not apply in the following cases under Article 28/2 of the Law:
The processing of personal data is necessary for the prevention of a crime or for the investigation of a crime.
The processing of personal data that has been made public by the data subject.
The processing of personal data by authorized and competent public institutions and organizations and professional organizations in the form of public institutions, for the purpose of carrying out inspection or regulation tasks or conducting disciplinary investigation or prosecution.
The processing of personal data is necessary for the protection of the State’s economic and financial interests regarding budget, tax, and financial matters.

COMPETENCE AND RESPONSIBILITY

The Procedure for Protection and Processing of Personal Data enters into force with the approval of the Board of Directors. Furthermore, any changes to the Procedure for Protection and Processing of Personal Data also require the approval of the Board of Directors.

Ensuring compliance with the Law, protection, and continuity by Mata Architecture, coordination among relevant departments, and determining the compliance of company activities with the Law are the responsibilities of the board member duly authorized by the Board of Directors for this purpose.

CATEGORIZATION OF PERSONAL DATA

Within Mata Architecture; in line with the legitimate and lawful purposes of processing personal data of Mata Architecture, based on one or more of the conditions for processing personal data specified in Article 5 of the Law, and limited to the principles specified in Article 4 regarding the processing of personal data, general principles regulated in the Law, and all obligations regulated in the Law, and with the subjects within the scope of the Procedure (Customers, Visitors, Employee Candidates, Company Officials, Suppliers, Business Partners, etc.), personal data in the following categories are processed in accordance with Article 10 of the Law by informing the relevant individuals.

PERSONAL DATA CATEGORIZATION	DESCRIPTION
Identity Information	Data containing information about the identity of a specific or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; includes information about the identity of the person such as name, ID number, gender, date of birth, tax number, tax certificate, etc.
Contact Information	Data containing information about the identity of a specific or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; includes information such as phone number, address, email address, IP address, etc.
Location Data	Information that determines the location of the personal data subject within the scope of operations conducted by Mata Architecture’s business units, during the use of Mata Architecture’s products and services, or when employees of collaborating institutions use Mata Architecture’s tools; includes information such as IP location, etc.
Financial Information	Data containing information about the identity of a specific or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; includes data such as bank account number, IBAN number, etc., depending on the type of legal relationship established between Mata Architecture and the data subject (in case of refund request, etc.).
Employment Information	Any personal data processed to obtain information necessary for the establishment of the employment rights of individuals who are in an employment relationship with Mata Architecture.
Sensitive Personal Data	Data specified in Article 6 of the Law on Protection of Personal Data, processed partially or completely automatically or non-automatically as part of a data recording system, and clearly identifying or identifiable a natural person’s racial or ethnic origin, political opinion, philosophical belief, religion, sect or other belief, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Request/Complaint Management Information	Any personal data processed for the reception and evaluation of any request or complaint directed to Mata Architecture.

Mata Architecture may transfer the personal data of data subjects managed by the Procedure, in accordance with the matters regulated in the Procedure and Articles 8 and 9 of the Law, to the following categories of individuals:

Mata Architecture business partners,
Mata Architecture suppliers,
Companies within the Mata Architecture Group,
Shareholders of Mata Architecture,
Authorized officials of Mata Architecture,
Legally authorized public institutions and organizations,
Legally authorized private legal entities.

The scope and purposes of data transfer to the individuals mentioned above are specified below.

Recipients of Data Transfer	Definition	Purpose of Data Transfer
Business Partner	Refers to the parties with whom Mata Architecture establishes partnerships for various projects or services, either directly or jointly with Group Companies, while conducting its commercial activities.	Limited to ensuring the fulfillment of the purposes of the partnership.
Supplier	Refers to the parties who provide services to Mata Architecture based on contracts in accordance with Mata Architecture’s orders and instructions while Mata Architecture conducts its commercial activities.	Limited to ensuring the provision of services to Mata Architecture that are obtained from external sources and necessary for the performance of Mata Architecture’s commercial activities.
Shareholders	Individuals who are shareholders of Mata Architecture and Group Companies.	Limited to the purposes of Mata Architecture’s company law, activity management, and corporate communication processes as carried out in accordance with the relevant legislation.
Company Officials	Members of the Mata Architecture board of partners and other authorized individuals.	Limited to designing strategies related to Mata Architecture’s commercial activities, ensuring the highest level of management, and for audit purposes as per the relevant legislation.
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to receive information and documents from Mata Architecture according to the relevant legislation.	Limited to the purposes requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Legal Entities	Private legal entities authorized to receive information and documents from Mata Architecture according to the relevant legislation.	Limited to the purposes requested by the relevant private legal entities within their legal authority.