
Personal Data Protection Policy

ROOF STACKS A.Ş.

PERSONAL DATA PROCESSING AND PROTECTION POLICY

According to Article 20, Paragraph 3 of the Constitution of the Republic of Turkey, “Everyone has the right to the protection of their personal data. This right includes being informed about personal data concerning oneself, accessing such data, requesting its correction or deletion, and learning whether it is being processed in accordance with its intended purpose. Personal data may only be processed in cases provided for by law or with the explicit consent of the individual…”

The right to the protection of personal data is also recognized as a fundamental human right in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.

Article 4 of the Law on the Protection of Personal Data (KVKK) outlines the fundamental principles that must be adhered to when processing personal data. These principles are carefully observed and strictly implemented in all personal data processing activities conducted by ROOFSTACKS YAZILIM A.Ş. (hereinafter referred to as "the Company"). The core principles followed by the Company in its data processing activities are as follows:

Processing in Compliance with the Law and Principle of Fairness: The Company fulfills its obligations regarding the processing and protection of personal data in accordance with the general principles of law and the principle of fairness.

Processing Personal Data Accurately and Keeping It Up to Date: The Company acknowledges that maintaining accurate and up-to-date personal data is essential for protecting individuals’ fundamental rights and interests. It exercises the utmost diligence to ensure that the personal data it processes is accurate and current.

Processing Personal Data for Specific, Explicit, and Legitimate Purposes: The Company processes personal data for specific, clear, and legitimate purposes that are required by its business operations.

Processing Personal Data in a Manner That Is Relevant, Limited, and Proportionate to the Purpose of Processing: The Company processes personal data only to the extent necessary for the achievement of the identified purposes within the scope of its activities and in a proportionate manner.

Retaining Personal Data for the Period Stipulated in the Relevant Legislation or for the Time Required for the Purpose of Processing: Personal data processed by the Company is retained only for as long as necessary for the purposes for which it was collected or as required by applicable laws and regulations. Once the relevant purposes cease to exist, the Company will terminate the retention of such data. The Company ensures transparency in all its data processing activities and informs all relevant parties with the necessary documentation.

INTRODUCTION

The Personal Data Protection Law No. 6698 (“KVKK”/Law) was published in the Official Gazette dated 7 April 2016 with the purpose of protecting individuals’ fundamental rights and freedoms, particularly the right to privacy, in the processing of personal data belonging to natural persons. The Law also regulates the obligations of natural and legal persons who process personal data, as well as the procedures and principles to be followed.

PURPOSE OF THE POLICY

The Company’s Personal Data Processing and Protection Policy (“Policy”) has been prepared to ensure that personal data processed during business operations is handled in accordance with applicable legislation, and to safeguard fundamental rights and freedoms—most notably the right to privacy—as guaranteed by the Constitution.

While drafting this “Policy”, the Company first identified which types of personal data are collected by its internal units, the purposes for which such data is collected, and the reasons for transferring it to third parties. Understanding the methods and legal basis for personal data processing has been adopted as a core principle. Additionally, through this Policy, the Company aims to define and explain the administrative and technical measures to be implemented both within and outside the organization to ensure data privacy. It also seeks to inform individuals whose data is processed and raise awareness about the handling of their personal data.

SCOPE OF THE POLICY

This “Policy” applies to all natural persons whose personal data is processed—either directly or indirectly—as a result of the Company’s operations.

The Policy includes detailed information regarding the types of personal data processed, categories of data subjects, data recipient groups, the legal grounds and methods of data collection, third-party recipient groups, data retention periods, and data erasure (deletion) periods, all within the scope of the Company’s organizational activities.

DEFINITIONS

Explicit Consent: Consent that is related to a specific subject, given based on informed understanding, and declared with free will.

Cookie: Small text files stored on users' computers or mobile devices, used to retain preferences and other information related to the websites they visit.

Authorized User: A person who processes personal data within the data controller’s organization or based on the authority and instructions given by the data controller, excluding individuals or units responsible solely for the technical storage, protection, and backup of data.

Destruction: The permanent deletion, erasure, or anonymisation of personal data such that it is no longer accessible, retrievable, or usable.

Contact Person: A natural person notified by the data controller at the time of registration with the Data Controllers’ Registry (VERBİS), for the purpose of establishing communication with the Authority regarding the obligations of legal entities established in Turkey and the representatives of data controllers not established in Turkey, under the Law and the secondary regulations to be issued pursuant to the Law.

(The contact person is not authorized to represent the data controller. As the name suggests, this individual is appointed solely to act as a liaison between the data controller, the data subjects, and the Authority.)

KVKK: The Personal Data Protection Law No. 6698, dated 24 March 2016 and published in the Official Gazette No. 29677 on 7 April 2016.

Recording Medium: Any environment in which personal data is processed by automatic means wholly or partially, or by non-automatic means provided that it is part of a data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, whether by automated means in whole or in part, or by non-automated means provided that it is part of a data recording system. These operations include obtaining, recording, storing, retaining, altering, re-organizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data.

Anonymisation of Personal Data: The process by which personal data is rendered impossible to associate with an identified or identifiable natural person, even through matching with other data.

Deletion of Personal Data: The process by which personal data is rendered inaccessible and unusable for relevant users.

Erasure of Personal Data: The process by which personal data is rendered completely inaccessible, irretrievable, and unusable by anyone.

Board: The Personal Data Protection Board.

Authority: The Personal Data Protection Authority.

Special Categories of Personal Data: Data concerning an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Periodic Erasure: The process of deleting, destroying, or anonymising personal data at recurring intervals, as stated in the personal data storage and destruction policy, when the legal grounds for processing no longer exist.

Policy: The personal data processing and protection policy established by the Data Controller.

VERBİS: The Data Controllers Registry Information System, in which real and legal persons who process personal data are required to register prior to processing, and must submit categorical information regarding the personal data they process.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority provided by the data controller.

Data Recording System: A structured system in which personal data is processed according to specific criteria.

Data Subject / Relevant Person: A natural person whose personal data is being processed.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

COMPANY'S “KVKK” STRUCTURE

The Company is the data controller for personal data processing activities falling within the scope of this Policy.

As part of its KVKK compliance program, the Company has established a dedicated organizational structure for managing personal data protection processes in order to ensure continuous compliance with the Law. Accordingly, it has implemented the necessary internal procedures and provided the required administrative and technical resources. Within this framework, a Contact Person has been appointed within the Company.

Personal Data Protection Commission

A Personal Data Protection Commission has been established within the Company to demonstrate our commitment to ensuring ongoing compliance with personal data protection legislation and to enhance the effectiveness of our personal data protection system. The Chairperson and members of the Commission are appointed by the Board of Directors and fulfill their responsibilities accordingly.

Contact Person

To fulfil the legal obligation of appointing a contact person as stipulated by the applicable legislation, the Company has appointed an individual who has received the necessary training and possesses the required level of expertise in the Personal Data Protection Law (KVKK). The primary responsibility of the contact person is to facilitate communication between the data controller, the Personal Data Protection Board (the “Board”), and data subjects, as required by law. The contact person is not authorized to represent the data controller. Additionally, the contact person supports the KVKK Commission in fulfilling its duties and responsibilities. The contact person is an ex officio member of the KVKK Commission within the Company and may convene Commission meetings when necessary.

PURPOSES OF PROCESSING YOUR PERSONAL DATA, PERSONAL DATA WE PROCESS, METHODS OF COLLECTION AND LEGAL GROUNDS

Purposes of Processing

Your personal data will be processed for the purposes set out in the applicable legislation, in compliance with the limits specified under the Law on the Protection of Personal Data (KVKK). These purposes include:

Fulfilling obligations related to the Company’s operations and audits as required under the KVKK,

Establishing rights related to Company operations within the scope of the KVKK,

Carrying out necessary operations by relevant departments to enable you to benefit from the services provided by the Company,

Contacting you through the communication channels you have shared with us for the purpose of promoting the Company and its activities,

Recruiting personnel for areas of need within the Company and fulfilling rights and obligations under labour and employment legislation, particularly the Labour Law No. 4857, the Occupational Health and Safety Law No. 6331, and the Social Insurance and General Health Insurance Law No. 5510,

Conducting activities related to salary payments, travel allowances, revolving fund distributions, and internal Company correspondence,

Providing information and documentation to authorised public institutions and judicial authorities in cases prescribed by law,

Managing organisational and event processes (such as seminars, conferences, meetings, trainings, symposiums, etc.) and announcing them to the public,

Maintaining the Company’s visibility and up-to-date presence in the public domain by regularly updating its website and social media accounts, and managing promotion and advertising processes,

Maintaining archives in accordance with legislative procedures for the purpose of managing storage and archiving activities and preparing annual departmental activity reports,

Creating and tracking visitor records,

Ensuring the security of the Company premises, personnel, and visitors,

Using anonymised data in statistical research activities,

Receiving and responding to data subject applications submitted under the KVKK.

Personal Data We Process

The categories of personal data we process may vary depending on the group of data subjects to which you belong. You are advised to review the relevant Information Texts (Clarification Statements) provided to you based on your data subject category.

Identity Information: Your name, surname, Turkish identification number, mother’s name, father’s name, place and date of birth, personnel registration number, nationality, and other identity-related information provided to the Company with your explicit consent.

Contact Information: Your residential address, workplace address, telephone number, email address, registered email (KEP) address, and, where applicable, your mobile phone number, fax number, or other contact details you have voluntarily shared with the Company for communication purposes.

Professional and Educational Information: Information you provide via application forms (e.g., job applications or event registrations), registration documents, or through online or physical application channels made available by the Company, including your identity details, employment status, contact information, education background (e.g., university graduate, master’s degree in physics), previous graduation history, information regarding training or seminars attended, certificate details, and national or international exam results.

Financial Information: Bank name and branch details, bank account number, and IBAN number, collected for the purposes of salary and benefit payments, reimbursement of overpayments or undue payments, payments from revolving funds, and compensation for external assignments carried out on behalf of the Company.

Visual/Audio Information: Visual and/or audio data may be obtained for the purposes of promoting, publicising, or increasing the visibility of events such as conferences, seminars, theatre performances, exhibitions, debates, and similar activities organized by the Company. This data may include still or moving images and/or sound recordings of the event venue and participants. In addition, visual/audio data may be collected through security cameras installed at the Company’s headquarters, branches, and representative offices for the purpose of ensuring security. The visual/audio data collected during events may be used on the Company’s official website, on social media platforms managed by the Company, and in materials published by the Company—provided that such use remains within the scope of the Company’s activities and is limited to the specific purpose of the event. Such data may also be shared with third parties (such as publishers, printing houses, institutions, or organizations) for publication or broadcasting, with the Company’s prior permission and under its control. This usage does not apply to data obtained through security cameras. Prior to the use of any visual/audio personal data obtained from events, participants will be informed (e.g., at the beginning of the event) and their explicit consent will be obtained.

Special Category Personal Data: The Company processes special categories of personal data, including health information, criminal convictions, and security measures, of individuals who are employed within the scope of legal obligations—such as persons with disabilities or individuals who have been convicted or are subject to security measures.

The Company does not process other special categories of personal data for any direct purpose outside the scope stated above. However, there is a possibility of indirectly obtaining sensitive personal data—such as religion, attire, philosophical belief, political opinion, or health-related data (e.g., visible clothing, medical devices, or prosthetics)—from identity documents, photographs, or still/moving images collected during events. Additionally, such special category personal data may be processed if voluntarily provided by you in documents shared with the Company.

Methods of Collecting Your Personal Data

Your personal data is collected through various means, including membership registration forms, online registration or application forms, receipts and expense-related documents, image and audio recording devices used during events, and security camera footage. It is also collected through communication channels when personal data is sent to the Company’s official email address [email protected], registered email (KEP) address or fax number.

Additionally, personal data may be collected through physical means, such as the delivery of hard copy documents, the completion of forms physically provided by the Company, or through phone calls made to the Company’s official phone numbers.

Furthermore, your personal data is collected automatically through cookies used on our website and its subdomains. These cookies are essential for enabling full functionality of the website and are used solely to remember visitor preferences. They do not collect or provide any additional personal data. You can access our Cookie Policy via our website.

Legal Grounds for Processing Personal Data

Article 5, paragraph 2 of the Law on the Protection of Personal Data (KVKK) sets out the legal grounds for processing personal data. If the purposes for which the Company, as the data controller, processes personal data fall within the scope of these legal grounds, such data is processed in compliance with the law. The Company does not carry out any personal data processing activities that are not based on one of the legal grounds specified in the KVKK.

Legal Grounds for Processing Personal Data under the KVKK

The legal grounds for processing personal data as set out in Article 5(2) of the Law on the Protection of Personal Data (KVKK) are as follows:

The explicit consent of the data subject,

The processing is expressly stipulated by law,

The processing is necessary to protect the life or physical integrity of the data subject or another person, where the data subject is unable to give consent due to physical impossibility or where their consent is not legally valid,

The processing of personal data belonging to the parties to a contract is necessary for the establishment or performance of that contract,

The processing is necessary for the data controller to fulfil its legal obligations,

The data subject has made the data public,

The processing is necessary for the establishment, exercise, or defence of a legal right,

The processing is necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

The primary legal ground for processing special category (sensitive) personal data is the explicit consent of the data subject. The Company does not aim to process special category personal data unless required by law or by the nature of its activities. However, where such processing is necessary or based on your explicit consent, the data is processed in a proportionate and lawful manner.

According to the KVKK, special category personal data may be processed under the following conditions:

The explicit consent of the data subject,

For special category personal data other than health and sexual life, the processing must be explicitly stipulated by law.

Personal data relating to health and sexual life may be processed without the explicit consent of the data subject, only under the following circumstances:

Protection of public health,

Preventive medicine,

Medical diagnosis,

Provision of treatment and care services,

Planning and management of health services and their financing,

By persons or authorised institutions and organisations who are under a legal obligation of confidentiality.

TRANSFER OF PERSONAL DATA

Domestic Transfer: Pursuant to Article 8(2)(a) and (b) of the Law on the Protection of Personal Data (KVKK), personal data may be transferred within Türkiye without obtaining explicit consent, provided that it is processed under the conditions specified in Articles 5(2) and 6(3) of the KVKK. In such cases, the Company transfers personal data to third parties in compliance with these legal provisions. Where the transfer does not fall within these exceptions, the explicit consent of the data subject is obtained.

International Transfer: Your personal data may be subject to international transfer under the conditions specified in Article 9 of the Law on the Protection of Personal Data (KVKK). It is possible that data and documents processed by the Company may be stored on computers located outside the Company, sent via email, or accessed through such external systems. In these cases, the systems and/or the databases of the email service providers in which the data is stored or to which it is transferred may be located abroad. In addition, in the context of international organisations and events—such as hotel accommodations, visa applications, flight ticket purchases, and the planning and execution of overseas activities—the transfer of personal data abroad may be required. In such cases, personal data will be transferred in compliance with Article 9 of the KVKK. The applicable conditions for cross-border data transfer are as follows:

The foreign country to which the personal data is transferred must be designated by the Personal Data Protection Board as a country that provides adequate protection, or

In cases where adequate protection is not available, the data controllers in both Türkiye and the relevant foreign country must provide a written undertaking of adequate protection and obtain the approval of the Board.

Your personal data may be shared—within the scope of the purposes stated in this Policy and by the means described herein—with authorised public institutions and organisations, judicial and enforcement authorities, law enforcement agencies, and contracted suppliers of products and/or services, as well as with the Company’s business partners and shareholders.

A table listing the parties with whom data is shared is provided below.

| Parties to Whom Personal Data May Be Transferred | Definition | Purpose |
| --- | --- | --- |
| Natural Persons or Private Law Legal Entities | Private law legal entities or individuals authorised to obtain information and documents from our Company within the framework of applicable legislation | Limited to the purpose requested within the scope of their legal authority |
| Business Partners | Parties with whom the Company has established a business partnership in the course of its commercial activities | Limited to the purpose of fulfilling the objectives of the business partnership |
| Shareholders | Shareholders authorised, under applicable legislation, to participate in the design of strategies and audit activities related to the Company’s commercial operations | Limited to the design of strategies and audit purposes related to the Company’s commercial operations |
| Affiliates and Subsidiaries | Members of the board of directors and other authorised individuals | Limited to the design of strategies, top-level management, and audit purposes related to the Company’s commercial operations |
| Suppliers | Parties providing services to support the Company’s commercial activities, based on a contractual relationship with the Company | Limited to the provision of outsourced services necessary for the Company’s operations |
| Public Institutions and Organisations Legally Authorised | Public institutions and organisations legally authorised to request information and documents from the Company | Limited to the purposes of fulfilling legally authorised requests for information by such institutions and organisations |

No data transfer is carried out for purposes unrelated to the Company’s objectives. For example, even if your IP address or vehicle license plate information has been obtained with your explicit consent, such data is not shared with any third party, including the persons and institutions listed above. The only exceptions to this rule are cases where the transfer of such data is mandated by legislation, required for a criminal investigation, or officially requested by a competent authority based on the relevant legislation and with justification.

RIGHTS OF THE DATA SUBJECT

Pursuant to the Law on the Protection of Personal Data (KVKK), the data subject has the following rights:

To learn whether their Personal Data is being processed,

To request information if their Personal Data has been processed,

To learn the purpose of the processing of their Personal Data and whether such data is being used in accordance with that purpose,

To learn the third parties to whom their Personal Data has been transferred domestically or abroad,

To request the rectification of Personal Data if it has been processed incompletely or inaccurately,

To request the erasure or destruction of Personal Data under the conditions set forth in the KVKK,

To request that third parties to whom the Personal Data has been transferred be notified of any rectification or erasure carried out in accordance with the KVKK,

To object to the occurrence of a result against the data subject arising from the analysis of processed Personal Data exclusively through automated systems,

To demand compensation for damages incurred due to the unlawful processing of Personal Data.

How to Exercise Your Rights?

Data subjects may exercise the aforementioned rights by completing the request form available at Data Subject Application Form or obtainable from the Company’s headquarters and submitting it to the Company using one of the methods set out below.

Applications must be made in accordance with Article 5 of the Regulation on the Procedures and Principles for Applications to the Data Controller.

The form must be completed in full;

You may submit your questions and requests regarding your personal data in person by delivering a petition prepared in accordance with the conditions specified in the Communiqué on the Principles and Procedures for the Request to the Data Controller to the address Çaydaçira Mah. Prof. Dr. Nuri̇ Orhan Blv. No: 7 İç Kapi No: 107 Merkez/ Elaziğ with identity verification, or you may send it via notary public. Alternatively, you may submit your requests to the e-mail address (…) by using a secure electronic signature or mobile signature, or by using the electronic mail address previously provided to our Company and confirmed in our records.

Applications must contain the following mandatory information:

Full name and signature,

For Turkish citizens: T.R. ID number; for foreign nationals: nationality, passport number, or foreigner ID number (if available),

Residential or business address for service of notifications,

Email address (if any), phone number, and fax number,

The subject matter of the request.

Any relevant information and documentation relating to the request must be enclosed.

For written applications, the application date is the date the document is served to the data controller or their representative.

For other methods, the application date is the date on which the request is received by the data controller.

The Company shall conclude requests submitted by data subjects regarding the rights listed above in writing or through other methods determined by the Board, as soon as possible and in any case within thirty (30) days from the date of receipt. Applications submitted by data subjects may be subject to a fee in accordance with the tariffs published by the Board. Pursuant to Article 7 of the relevant Communiqué, if the response to the application is provided in writing, no fee shall be charged for up to ten (10) pages. A transaction fee of one (1) Turkish Lira may be charged for each page exceeding ten. If the response is provided on a recording medium such as a CD or flash drive, the fee requested by the data controller shall not exceed the cost of the medium.

In order to respond to the requests submitted by data subjects, the Company may request additional information or documents to verify the applicant’s identity, to prevent unlawful disclosure of another person’s personal data to unrelated individuals, and to clarify the nature of the request. If such information or documents are not provided, the Company may not be able to respond to the application.

It is of critical importance to confirm that the application is submitted by the data subject themselves and/or an authorized person. Since the purpose is to protect personal data, failure to verify identity may result in personal data being disclosed to third parties and the rights under Article 11 of the KVKK being exercised by unauthorized persons—thus undermining the legitimate interests of the data subject. We kindly request your understanding and cooperation with our identity verification procedures.

The Company shall conclude the requests as soon as possible and within a maximum of 30 (thirty) days. The outcome of the evaluation shall be notified to the applicant in writing or electronically, and if the request is accepted, necessary actions shall be taken in compliance with the KVKK.

If the application is rejected, or the response is deemed insufficient, or if no response is provided within the legal time frame, the data subject may file a complaint with the Personal Data Protection Board within thirty (30) days from the date they became aware of the Company’s response, in accordance with Article 14 of the KVKK.

LEGAL EXCEPTIONS TO CONSENT AND EXPLANATION REGARDING EXPLICIT CONSENT IN THE PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

As a general principle, the Company adopts the approach of obtaining explicit consent from data subjects for the processing of their Personal Data. However, in cases where the purposes and conditions of processing as outlined in this Policy fall within the scope of legal exceptions provided by law, it shall not be necessary to obtain the data subject’s explicit consent. Where required, your explicit consent shall be obtained in due form through consent texts provided to you by the Company.

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Channels Through Which Personal Data is Collected

Our Company primarily obtains personal data through the following channels:

Participation in events, organisations, or conferences as an attendee or invitee,

Personnel file documents of employees and job applicants,

Camera recordings,

SMS/email, telephone, fax,

Website, applications, cookies, and similar tracking technologies,

Mail, cargo, or courier services,

Location tracking devices,

Fingerprint readers,

Other physical and electronic environments.

In line with technological developments, the Company may add new channels to those listed above or discontinue the use of some existing channels. In such cases, to maintain transparency and accountability, the Policy will be updated accordingly to ensure that the data collection methods are accurately reflected.

Classification of Personal Data

In order to ensure compliance with the legislation, it is of utmost importance to categorise personal data. Under our legislation, personal data is primarily classified into two categories: personal data and special category (sensitive) personal data. Within these categories, we carry out a further classification based on the types of data processed. The types of personal data we process may vary depending on the group to which you, as a data subject, belong. Therefore, it is important that you read the relevant Information (Clarification) Texts provided to you.

Personal Data Category | Description
Identity Data | Name, surname, date of birth, country and city of birth, gender, marital status, Turkish ID card information, tax number, professional identification data
Special Category Personal Data | Race, ethnic origin, health data, biometric data, criminal conviction and security measures, religion and sect, philosophical beliefs, union/foundation/association memberships, attire
Financial Data | Bank name, branch, IBAN and account number information, financial status reports, salary details, payroll and other financial data
Contact Data | All types of personal data that may be used to contact individuals are included in this category (address, email address, communication address, registered electronic mail [KEP] address, phone number)
Educational Data | Education level, certificates and diplomas, foreign language proficiency, national or international exam results
Physical Space Data | Data obtained during workplace or showroom visits, such as camera footage and vehicle information records
Transaction Security Data | IP address information, website login/logout records, log files, system and device access credentials such as usernames and passwords
Location Data | Location data related to vehicles assigned by the Company to employees, limited to the purpose of the assignment; route and location data used for logistics services
Employment Data | Personnel information such as job application forms submitted for employment at the Company, qualification documents, and assignment details regarding the performed work
Leave of Absence Data | Leave entitlement start date, additional leave days, leave type, departure/return dates, number of days, and reason for leave
Family and Relatives Information | Information obtained from the Family Registry document, names and phone numbers of relatives to be contacted in emergencies
Customer Transaction Data | Data necessary for the use and provision of products and services, such as call center records, invoices, promissory notes, cheques, order details, and request information
Legal Transaction Data | Data required within the scope of legal obligations, information contained in correspondence with judicial authorities and court files
Visual and Audio Data | Visual and audio recordings of individuals obtained through phone calls, emails, or other communication channels

Data Subject Classification

The Company’s classification of data subjects is presented in the table below:

Data Subject Categories | Description
Customer | Refers to natural persons who benefit from the products and services offered by the Company.
Job Applicant | Refers to natural persons who apply for a job with the Company by submitting a CV or through other methods.
Visitor | Refers to natural persons who physically visit the Company or its website and/or are potential recipients of the Company's products and services.
Employee | Natural persons who have an employment relationship with the Company.
Intern | Natural persons who undertake voluntary or compulsory internships within the Company.
Company Officials | Refers to natural persons who serve in senior management of the Company and/or are authorized to represent the Company, as well as natural person representatives of legal entities. This includes members of the board of directors and shareholders.
Supplier Representatives and Employees | Refers to natural person representatives of legal or natural person suppliers with whom the Company has a commercial relationship, and all natural persons employed by such suppliers.
Third Parties | Refers to natural and legal persons other than the data subject categories listed above and the Company’s employees.

Classification of Processed Personal Data by Data Subject Category

Personal Data Category | Description / Relevant Data Subject Categories
Identity Data | Customers, Employees, Job Applicants, Interns, Visitors, Supplier Representatives and Employees, Company Officials
Special Category Personal Data | Employees, Job Applicants, Interns, Company Officials
Financial Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials
Contact Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials, Visitors
Education Data | Employees, Job Applicants, Interns, Company Officials
Physical Space Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials, Visitors
Transaction Security Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials, Visitors
Location Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials, Visitors
Employment Data | Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials
Leave of Absence Data | Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials
Family and Close Contact Information | Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials
Customer Transaction Data | Customers, Visitors
Legal Transaction Data | Customers, Employees, Supplier Representatives and Employees, Company Officials
Visual and Audio Data | Customers, Employees, Job Applicants, Interns, Supplier Representatives and Employees, Company Officials, Visitors

STORAGE AND DESTRUCTION OF PERSONAL DATA

The Company stores the personal data it processes in both electronic and physical environments, taking the necessary technical and administrative security measures.

The Company determines the storage period for personal data by taking into consideration the periods stipulated in the relevant legislation.

If the purposes for processing personal data, which form the basis for the processing conditions under the KVKK, cease to exist, the Company will destroy such personal data. These destruction processes are carried out ex officio at 6-month intervals in accordance with the provisions of the relevant legislation or, where applicable, upon justified requests from data subjects. Unless a different period is stipulated in the legislation, the Company shall fulfil data subjects’ requests for the deletion and/or destruction of their personal data within 30 days at the latest and inform the data subject accordingly.

Destruction records relating to the deletion, anonymization, or destruction of personal data shall be retained by the Company for a period of 3 years. Periods stipulated in special legislation are reserved, and in the event of any changes to these periods due to amendments in the KVKK or related legislation, the updated periods shall apply.

The Company uses deletion, anonymization, or destruction techniques in the destruction of personal data.

Processes related to destruction are carried out and finalized by the Personal Data Protection Commission.

11. INFORMATION OBLIGATION

Pursuant to Article 10 of the Law on the Protection of Personal Data (KVKK), the Company shall fulfil its obligation to inform data subjects by providing the following information at the time personal data is obtained:

The identity of the data controller and, if applicable, its representative,

The purpose for which personal data will be processed,

To whom and for what purposes the processed personal data may be transferred,

The method and legal basis for collecting personal data,

Other rights of the data subject listed in Article 11.

In carrying out its activities, the Company prepares appropriate information texts (privacy notices) to fulfil its obligation to inform and makes these available to the relevant data subjects.

12. MEASURES REGARDING THE SECURITY OF PERSONAL DATA

The Company, with a strong sense of responsibility stemming from being a well-established organization, exercises all reasonable care and diligence to ensure the confidentiality and security of the personal data it processes. In addition to the requirements of the relevant legislation, the Company takes reasonable technical and administrative measures to ensure data privacy and security within the framework of Article 12 of the Law on the Protection of Personal Data (KVKK). These administrative and technical security measures aim to prevent the unlawful processing of personal data, unauthorized access to personal data, and to ensure that personal data is stored at an appropriate level of security.

In cases where personal data is processed on behalf of the Company by another natural or legal person (data processor), the Company shall take the necessary measures to ensure that such data processors also implement the aforementioned measures.

In the event that personal data is unlawfully acquired by third parties, the Company shall notify the data subjects, the Board, and other relevant public institutions and organizations in accordance with the provisions of the applicable legislation.

While taking measures regarding the security of personal data, the Company takes into consideration the “Guidelines on Personal Data Security (Technical and Administrative Measures)” published by the Board, as well as its decisions.

Administrative Measures

Signing undertakings and confidentiality agreements with Company personnel and relevant parties,

Conducting risk analyses on business processes,

Creating personal data inventories,

Organizing and evaluating training programs on information security and personal data processing activities,

Ensuring that tools and equipment such as employee computers are used only by authorized persons to prevent unauthorized access,

Reviewing activities through internal or independent audits within the Company.

Technical Measures

• Penetration tests are conducted to identify risks, threats, vulnerabilities, and any existing exposures in the Company’s information systems, and necessary measures are taken accordingly.

• Through information security incident management, risks and threats that may affect the continuity of information systems are continuously monitored based on real-time analyses.

• Access to information systems and user authorizations are managed through access and authorization matrices and corporate Active Directory security policies.

• When software changes and/or updates are to be made on systems, tests are first conducted in a test environment, any security vulnerabilities are identified and addressed, and the final version of the changes is approved only after these procedures. (This is a requirement stated in the Authority's decision.)

• Necessary precautions are taken to ensure the physical security of the Company’s information system equipment, software, and data.

• To ensure the security of information systems against environmental threats, both hardware (e.g., access control systems allowing only authorized personnel into system rooms, physical security of edge switches in the local network, fire suppression systems, climate control systems, etc.) and software (e.g., firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) measures are implemented.

• Risks related to the unlawful processing of personal data are identified, appropriate technical measures are taken to mitigate such risks, and technical controls are carried out regarding the implemented measures.

• Access procedures are established within the Company, and reporting and analysis activities are conducted regarding access to personal data.

• The Company ensures that deleted personal data is rendered inaccessible and unrecoverable for relevant users.

• The Company has made preparations to notify the data subjects, the Authority, and other relevant public bodies in the event that personal data is unlawfully obtained by third parties.

• Security vulnerabilities are monitored, appropriate patches are installed, and information systems are kept up to date.

• Strong passwords are used in electronic environments where personal data is processed.

• Secure logging systems are used in electronic environments where personal data is processed.

• Data backup programs that ensure the secure storage of personal data are utilized.

• Access to personal data stored in electronic or non-electronic media is restricted based on access principles.

• Secure protocols (HTTPS) are used for accessing the Company website, and encryption is performed using the SHA-256 Bit RSA algorithm.

• A separate policy has been established to ensure the security of special category personal data. (To be further detailed below.)

• Employees involved in the processing of special category personal data receive specific training on its security, sign confidentiality agreements, and are granted clearly defined access rights.

• Special category personal data that is processed, stored, and/or accessed in electronic environments is protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction logs are recorded, security updates for these environments are continuously monitored, and necessary security tests are regularly conducted and documented.

• Sufficient physical security measures are taken for physical environments where special category personal data is processed, stored, and/or accessed; unauthorized access is prevented by securing the physical area.

• If it is necessary to transfer special category personal data via email, it is transferred using encrypted corporate email accounts or KEP accounts. If transferred via portable media (USB, CD, DVD, etc.), the data is encrypted using cryptographic methods, and cryptographic keys are kept in a separate environment.

• If data is transferred between servers in different physical locations, a VPN is established or the data is transferred via sFTP.

• If personal data must be transferred in physical (paper) form, necessary precautions are taken against risks such as theft, loss, or unauthorized access, and the document is sent in a “confidential” format.

13. RETENTION OF RECORDS REGARDING INTERNET SERVICES PROVIDED IN COMMON AREAS

For the purposes of ensuring security and fulfilling the objectives set out in this Policy, the Company may provide internet access to visitors who request it during their stay at the Company premises. In order to provide such access, visitors are required to provide their full name and Turkish ID number. Additionally, internet access log records are kept in accordance with Law No. 5651 and the applicable secondary legislation. These records are processed only upon the request of competent public authorities or for the purpose of fulfilling legal obligations during internal audit processes.

Company employees with access to these records may only access and transfer them to legally authorized individuals during such requests or audit processes. Prior to such data processing activities, the obligation to inform the relevant individuals is duly fulfilled.

14. PROCESSING OF PERSONAL DATA COLLECTED THROUGH COOKIES

Our Company uses cookies to improve the functionality and usage of our websites and mobile applications and to make the time spent on our digital platforms more efficient and enjoyable.

We also use certain cookies to remember your preferences on our websites and mobile applications, enabling us to provide you with an enhanced and personalized experience tailored to your choices. Your personal data is processed and transferred via cookies on our digital platforms.

In accordance with Article 12 of the Personal Data Protection Law (KVKK), our Company takes the necessary technical and administrative measures to ensure the security of personal data collected through cookies.

For more detailed information, please refer to our Cookie Policy.

15. TRAINING AND MONITORING OF EMPLOYEES AND DATA PROCESSORS REGARDING PERSONAL DATA PROTECTION

In order to fulfill its legal obligations under personal data protection legislation and to safeguard the rights of data subjects, the Company provides its employees with the necessary awareness training. Newly hired employees are also required to complete such training. The Company receives professional support in both internal and external training and audit processes.

Furthermore, the Company carefully selects its data processors, makes compliance with personal data protection requirements a condition of business processes, and regularly evaluates the compliance status of data processors. Within this scope, the Company enters into relevant contracts and undertakings with data processors and monitors their implementation. If a data processor fails to meet the necessary requirements, the Company terminates its contractual relationship with such processor.

16. DATA CONTROLLER IDENTITY

The following information relates to the identity of the data controller for all personal data processing activities falling within the scope of this Policy.

Data Controller | ROOF STACKS YAZILIM A.Ş.
Address | ÇAYDAÇIRA MAH. PROF. DR. NURİ ORHAN BLV. NO: 7 İÇ KAPI NO: 107 MERKEZ/ ELAZIĞ
Phone | +90 (850) 225 23 23
Registered Email (KEP) | [email protected]
Website | https://roofstacks.com/

17. ENFORCEMENT

This Policy was issued by the Company and entered into force on 22/07/2025, having been made publicly available. In the event of any conflict between the provisions of this Policy and the applicable legislation, particularly the Law, the provisions of the legislation shall prevail.

The Company reserves the right to amend this Policy in accordance with legal regulations. The current version of the Policy is available at https://roofstacks.com.

Last Updated: 22/07/2025